The Windows wilderness: a look on malware

SPI2009Kaido Kikkas

Computers and knives

A knife has two very different uses: tosave someone's life (when used by a doctor) to kill someone (used by a killer)

So does the computer Again we hit the paradigm of well-equipped

fools...

Some clarification Virus – a piece of software capable of self-

propagation by either infecting files or certain parts of data carriers

Trojan horse – a piece of malicious software posing as legitimate. No self-replication abilities

Worm – a piece of software that propagates itself over networks via various software vulnerabilities. User intervention is not needed

Rootkit – a piece of software used to hide tracks of some other software. NB! Exist for all systems

Today's malware may have all these combined

In ancient times

Greeks built a wooden horse and cheated on Trojans

Already in early computing, the same concept came into use – before there were viruses, there were Trojan horses: Internet proper was an elite thing (but first malware

concept was introduced on Multics in 1974) ordinary users had only Fidonet: no chance for heavy

traffic. So they had to create small and nasty stuff like PKZ Trojan horse (pretended to be an utility)

Virus vs Bill

First case: Elk Cloner, AppleDOS 3.3 – so no Microsoft at all...

But it changed soon – viruses became nearly synonymous with IBM PC compatible computers and Microsoft systems

The following is a brief tour ...

The Pakistani Brain

1986; aka Lahore, Pakistani Flu, UIUC Written by Basit and Amjad Farooq Alvi, two

Pakistani brothers, to prevent copying of their software. Soon, they had to regret it

Boot sector virus Simple stealth capabilities No destructive payload, more an annoyance

Lehigh

1987 First to attack COMMAND.COM, the core file of

DOS (in fact, attacked only this file) First TSR (Terminate and Stay Resident) virus After a number of infections, messed up the disk Could be defeated by making COMMAND.COM

read-only

Jerusalem

1987 TSR, but did NOT infect COMMAND.COM (to

hide from detection) Slowdown, on Friday the 13th destroyed all

programs that were run

Stoned

1989-91, Australia and New Zealand First widespread boot sector virus “Your PC is now stoned.”

The Morris worm

Black Thursday, 2nd of November 1988 Regarded as the birthday of computer security Hit the REAL Internet machines Robert Morris, Cornell University Security holes, weak passwords; 6000 machines Miscalculation of speed – 10 times faster 3 years of probation, 400 hours of community

service, $10 050 fine Remained a single case

Yankee Doodle

1989, Bulgaria Many variants, very widespread (also in Estonia,

whole computer labs were singing...) Notable effect of playing the title song from

speakers (otherwise relatively harmless)

Cascade

Around 1988, former Yugoslavia; a.k.a. Falling Letters

Very colourful visual effect – letters fell from screen to a pile below. While otherwise harmless, it greatly disrupted the work

Dark Avenger

1989, Bulgaria; a.k.a. Eddie TSR file infector, could infect also by reading One of the most destructive early viruses – every

16th infection destroyed a random sector on disk, slowly causing permanent, serious damage

In 1992, the same author introduced the Mutation Engine – a virus library designed to create self-changing (stealth) viruses

Dir II

1991, Bulgaria or India (sources differ) A TSR virus which changed the information

structure on disk – booting from a clean disk rendered the files unusable

Michelangelo

1991, a derivative of Stoned One of the biggest hypes among viruses – created

a huge media bubble in the beginning of 1992 as it was to activate on March 6. Actual damage was negligible

CIH

1998, Russia(?); a.k.a. SpaceFiller, Chernobyl Wrote over the beginning of the disk as well as

some of the BIOS upon activation (the latter did not work in some BIOSes)

Was designed for Windows 9x – did not work on NT family

The age of macro viruses

Viruses which resided on MS Office environment. Success reasons include: wide spread of Windows and MS Office permeating nature of Visual Basic for Applications in

MS Office, allowing deep access stretched further by unintended privilege escalation cases

proprietary systems => only Microsoft knew the internals

Most stress was on Word (.doc files)

Melissa

March 26, 1999 New Jersey First successful virus+worm combo – after

infection, used a worm-like spreading method, clogging up a large share of networks

Needed Word 97 or 2000 to work and Outlook 97 or 98 to spread – yet there was more than enough of them

1999 Linux Timeline: “Melissa creates difficulties worldwide. Linux users yawn.”...

ILoveYou

2000, Philippines; a.k.a. LoveLetter, Love Bug Similar to Melissa, mostly a worm caused estimated financial loss of 10 bln USD Outlined the problems with file extension hiding

and double extensions in Windows

Hijackers

a class of (typically) client-server applications used to remote control Windows machines Back Orifice 1998 NetBus 1998 SubSeven 1999

The case of Magnus Eriksson in 1999 Netbus-originating child pornography in his PC lost his job at Lund University law school had to flee the country after his name was published

Code Red

2001 China Attacked only MS IIS web servers, but made

attempts on all (did not check the type) Attempted DOS attacks from conquered

machines MS reacted in a week (a rare case) “Hacked by Chinese” became a slogan...

Nimda

September 2001 “Administered” (“admin” backwards) the

conquered machine enabled sharing guest account with admin privileges

Infected web servers contagiated visitors using IE

Blaster

August 2003; a.k.a. Lovesan Infected more than 8 mln computers DOSsed MS update service

MyDoom

January 2004, the fastest spread to date DOSsed the SCO website – alleged 'open-source

revenge' (later overturned) In July, stopped all main search engines for a day

Sasser

April 2004 Massive swamping attacks on different online

services, lots of downtime (mostly in Europe) Authored by Sven Jasschan, a German student –

received 21 months of probation but was later employed by a security company

Zotob

August 2005 One of the first “mercenary worms” apparently

ordered by spyware industry – helps to forward different malware

Estimated damage – 97 000$ + 80 hours of work per company infected. On August 16, CNN Live went down due to Zotob, other big hits were Boeing, ABC News, Homeland Security...

The next year, two men named Farid Essabar and Achraf Bahloul were sentenced in Morocco – but finally just for a year

Samy

A.k.a. JS.Spacehero, October 2005 MySpace XSS (cross-site scripting) worm Used MySpace vulnerabilities (e.g. JavaScript

code injection via CSS) Spread onto the pages of > 1 mln users in 20

hours, arguably the fastest spreading malware The author, Samy Kamkar, got 3 years on

probation, 90 days of community services and unknown amout of fines

Monkey business, Sony-style

October 2005 Sony BMG released 102 titles of CD-s equipped

with XCP and MediaMax - two “copy protection” systems which were actually rootkits, interfering with the system and opening new security holes in Windows machines

First, a “removal tool” was issued which actually made thing worse (brushed under the carpet). The second one was no better

Finally recalled all the CD-s in question

Storm

January 2007 A worm used to build one of the largest botnets

to date Initially spread 'the old way' via mail attachments The botnet at the largest contained about 1-50

mln computers (different estimates), the current estimated size is 5 000 - 40 000. Another estimate is it forming 8% of all malware

Possible traces to RBN and cyber-attacks

Conficker

A.k.a. Downadup or Kido - the latest hit from October 2008

Exploits Windows server vulnerabilities (all versions from 2000 upwards)

January 9 estimate: ~ 9 mln Windows Pcs Hit the UK Ministry of Defense, a number of

Royal Navy warships, about 800 computers in Sheffield hospitals...

Two notables

January 2001 – Ramen, a single brief appearance of a Linux worm. Was limited to Red Hat 6.2 and 7.0, used their security holes. In principle was similar to the Morris worm

August 2003 – Weichia, a helpful wormAttempted to update Windows, removed Blaster and was supposed to kill itself in 120 days

Also, two cases are known for MacOS X - Leap/Oompa in February 2006 and the currently active iServices.A trojan horse (~20 000 infected Macs)

Stages in malware motivation

Hacker'y exploration (“What's in there?”) Clueless experimentation (“What happens if”) Expression of frustration (“I'll show you all!”) Expression of politics (“Free X or suffer!”) Malware as a weapon Malware as a business model

Still – why Windows?

A number of factors, including largest market share (but not the dominating factor

as Microsoft wants to believe) the chronic security problems in Microsoft products the most clueless user base by far the security industry which has created its shadow

counterpart in malware industry The only way to get rid of it is to destroy the

roots – has been unsuccessful to date

Conclusion

Malware has greatly evolved over time The diversity is great The resilience lies in economic incentives One of the easiest solutions against it is to change

the platform – Microsoft needs to 100% redesign its systems to decrease the threat

That's it!