Malicious Code - PowerPoint PPT Presentation

Slides: 20
Provided by: Gno3
1
Malicious Code
CS 419 Computer Information Security
Kati Reiland
Wed. March 5, 2003
2
What I'll Cover
  • Short Timeline of Malicious Code
  • Definition of Malicious Code
  • Closer Look at Viruses and Worms
  • A Specific Look at the LoveBug Virus

3
Timeline
  • 1949: John von Neumann researches the theory of
    self-replicating programs.
  • 1960: AT&T introduces the first commercial modem.
  • 1969: AT&T develop UNIX, the first multitasking
    operating system and launch ARPANET.
  • 1979: Xerox researchers implement a worm that
    searches the network for idle processors.

4
Timeline
  • 1983: "Virus" is first used to describe software
    that affects other programs by modifying
    them to include a copy of the software.
  • 1988: Robert Morris creates a worm that attacks
    ARPANET, disabling over 6,000 computers by
    flooding their memory with copies of itself.
  • 1991: Symantec releases the first version of
    Norton Anti-virus; it is still the #1 PC security
    product.
  • 1995: Microsoft releases Windows 95.

5
Timeline
  • 1999: The Melissa virus infects thousands of
    computers.
  • 2000: The I Love You virus infects millions of
    computers in 24 hours. The author was a Filipino
    student. The Philippines have no laws against
    hacking or other computer crimes, so he goes
    without punishment. The European Union's global
    Cybercrime Treaty is created.
  • 2001: The Code Red worm infects Windows NT and
    2000 servers, causing $2 billion in damages.
  • 2001: Nimda attacks using 5 different methods of
    infecting systems and replicating itself.

6
Timeline
  • 2002: Melissa author David L. Smith is
    sentenced to 20 months in federal prison.
  • 2003: The Sapphire Slammer worm infects
    thousands of computers in 3 hours.

7
Malicious Code
  • Also called Malware
  • Generally, any unwanted, uninvited, potentially
    dangerous program or set of programs. (2002,
    Norman Book on Computer Viruses)
  • General Categories
      • Virus
          • A program that replicates itself, infecting boot
            sectors, programs, or data files.
      • Worm
          • A program that has the ability to spread.
      • Trojan Horse/Backdoors
          • A program that looks to be a useful or benign
            file/program.
      • Denial-of-Service
          • Software that doesn't harm the host but uses the
            host to disrupt other networked computers.

8
  • Hacking Tools
      • Assist the author in the creation of a
        virus/worm. Do not cause any harm by themselves.
  • Bugs/Logic Bombs/Time Bombs
      • Malfunctions within otherwise usable code.
  • Hoax
      • Generally a chain letter by email advising the
        removal of a needed system file. Does not
        actually replicate but cons the person into sending
        it on, believing that they are doing good.
  • A combination of any or all of the above
      • Most malicious code falls into this category
      • Ex. ILoveYou virus

9
Why are these a security risk?
  • Data Loss (viruses, worms)
  • Downtime
  • Loss of Confidentiality (stolen data)

10
Viruses and Worms
  • Types
      • Binary File Viruses/Worms
          • Ex. W95/CIH, otherwise known as Chernobyl
      • Binary Stream Worms
          • Ex. Code Red
      • Script File Viruses/Worms
          • Ex. ILoveYou
      • Macro Viruses
          • Ex. Melissa
      • Boot Viruses
          • Ex. AntiWin
      • Multipartite Viruses
          • Ex. Civil

Security Stats, 2002
11
Binary File Virus
  • A virus that attaches its code to a usable
    program file.
  • Six basic ways of attaching itself: companion,
    link, overwrite, insert, prepend and append.
      • Companion
          • Usually done by creating a program.com file in
            the same folder as the program.exe.
      • Link
          • Changes the workings of the file system so the
            program name will then refer to the virus instead
            of the program.
      • Overwrite
      • Insert
      • Prepend
      • Append

12
Script File Viruses
  • Viruses that are pure text instructions that are
    interpreted by some associated program.
  • Examples of scripts
      • Visual Basic Script
          • Many of Microsoft's programs and OS functions can
            be manipulated, thus highly used
      • JavaScript
          • Doesn't affect the file system, so there are not
            many viruses using this.
      • JScript
          • Not as often used as VBS, but just as dangerous
      • DOS BAT Language / UNIX Shell Script
          • Allows command line commands on DOS / UNIX
            machines (respectively) without actually typing
            the commands
      • IRC Scripts
          • Scripts support the automatic sending of files to
            other members.
      • Many others

13
Macro Viruses
  • Take advantage of the many applications that
    contain/use macro programming languages
      • WordBasic (early versions of MS Word)
      • Visual Basic for Applications (VBA)
          • Can be used to control almost anything on a
            Windows computer
  • The first set of viruses that affect the
    reliability of the information in data files.
  • Sometimes used to create and/or execute other
    traditional viruses.
  • Highly dangerous.
  • As newer versions of Microsoft products were
    introduced, so were new versions of VBA, thus
    older viruses could not affect newer versions of
    the product.

14
Boot Viruses
  • Viruses that infect System Boot Sectors (SBS) and
    Master Boot Sectors (MBS).
  • MBS vs. SBS
      • Floppy disks have only an SBS.
  • The Boot Process
      • BIOS (Basic Input/Output System)
      • POST (Power On Self Test)
      • Attempts to boot from floppy
      • Loads OS
  • A boot virus generally infects the SBS of a
    floppy disk and, when the attempt to boot is made,
    the virus goes to memory and runs active,
    infecting the system areas of the hard drive.
  • Up until a couple of years ago, boot viruses were
    the most common viruses.

15
ILoveYou: The Love Letter Virus
  • May 4-8, 2000: CERT announces over 500,000
    reported PCs infected.
  • Spreads most commonly through an email attachment
    (LOVE-LETTER-FOR-YOU.txt.vbs) but also through
    IRC, Windows file sharing, and USENET news.
  • Overwrites all files with the extensions
    .vbs, .vbe, .doc, .txt, .js, .jse, .css,
    .wsh, .sct, .hta, .jpg, .jpeg, .mp3, .mp2
    and others with a copy of itself and changes the
    file extension but keeps the file name.

16
VBS/ILOVEYOU LoveBug
  • Any up-to-date anti-virus product should catch
    it.
  • Disable Windows Scripting Host and IE's Active
    Scripting, though this disables other
    functionality also.
  • There are currently 82 known variants of the
    original. (Symantec Corp.)
  • Some variants attempt to download a
    password-stealing trojan from a webpage.

17
What it does
  • Sets the Windows Scripting Host timeout to zero
  • Attempts to send out an email with Microsoft
    Outlook.
      • Subject: ILOVEYOU
      • Body: kindly check the attached LOVELETTER coming
        from me
      • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
  • Searches all network and local drives for a
    variety of the previously listed file extensions.
  • Overwrites these files with a copy of itself

18
What it does, cont.
  • Places a file (a copy of itself) in the Windows
    System Directory
      • May be named mskernel32.vbs, win32dll.vbs, or
        love-letter-for-you.txt.vbs
  • Changes IE Homepage to a URL beginning with
    http://www.skyinet.net/
  • If mIRC is installed, it will overwrite the
    script.ini file.
  • Attempts to create an HTML file with the VBS
    script embedded.
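
The propagation and drop behaviour on slides 17 and 18 reduces to file-name checks a mail gateway or file scan can apply. The sketch below is an added example, not part of the original presentation; the decoy-extension list, the message dictionary shape and the function names are assumptions made for illustration.

```python
import ntpath

# Script types from the slides' extension list that Windows will execute.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}
# Extensions a recipient reads as harmless content (assumed list).
DECOY_EXTS = {".txt", ".doc", ".jpg", ".jpeg", ".mp3", ".mp2", ".css"}
# Names the slides give for the copy placed in the Windows System Directory.
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs"}

def attachment_findings(filename):
    """Return the reasons (possibly none) a file name deserves attention."""
    # Windows ignores trailing dots and spaces, so normalise them away first.
    name = ntpath.basename(filename).lower().rstrip(". ")
    stem, ext = ntpath.splitext(name)
    inner_ext = ntpath.splitext(stem)[1]
    findings = []
    if ext in SCRIPT_EXTS:
        findings.append("script-extension")
        if inner_ext in DECOY_EXTS:
            findings.append("double-extension")
    if name in DROPPED_NAMES:
        findings.append("known-loveletter-name")
    return findings

def triage(message):
    """Return (verdict, hits) for {'subject': str, 'attachments': [str]}."""
    hits = {}
    for attachment in message["attachments"]:
        findings = attachment_findings(attachment)
        if findings:
            hits[attachment] = findings
    if hits:
        return "quarantine", hits
    if message["subject"].strip().upper() == "ILOVEYOU":
        return "review", hits
    return "deliver", hits

# Constructed sample messages, not captured traffic.
SAMPLES = [
    {"subject": "ILOVEYOU", "attachments": ["LOVE-LETTER-FOR-YOU.TXT.vbs"]},
    {"subject": "Q2 report", "attachments": ["report.doc"]},
    {"subject": "photos", "attachments": ["holiday.jpg.VBE. "]},
    {"subject": "iloveyou", "attachments": []},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["subject"], triage(sample))
```

The check keys on the final extension, which is the one Windows acts on; the inner extension only explains why the name looks harmless to a recipient.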

19
References
  • About Viruses. Panda Software.
    http://www.pandasoftware.com/virus_info/about_virus/
  • Anti-virus round-up (January-June 2000). Sophos
    Antivirus. July 2000.
    http://www.sophos.com/virusinfo/articles/roundup162000.html
  • Antivirus Software Ratings. Consumer Reports.
    June 2002.
  • CERT Love Letter Advisory.
    http://www.cert.org/advisories/CA-2000-04.html
  • Computer Virus Timeline.
    http://www.infoplease.com/spot/virustime1.html
  • Cyberspace Invaders. Consumer Reports. June 2002.
  • History of Computer Viruses. Discovery Channel.
    http://www.exn.ca/Nerds/20000504-55.cfm
  • Kaliciak, Paul. ILOVEYOU Email Virus Floods
    Internet. Discovery Channel.
    http://www.exn.ca/Nerds/20000504-56.cfm
  • Kaspersky, Eugene. Computer Viruses.
    http://www.viruslist.com/eng/viruslistbooks.html?id3
  • McAfee Antivirus. http://www.mcafee.com/
  • Norman Book of Computer Viruses. Norman ASA. Oct
    2001. http://www.norman.com/papers.shtml
  • Sophos Antivirus. http://www.sophos.com/
  • Stupid Virus Tricks. Consumer Reports. June 2002.
  • Symantec Corporation. www.symantec.com
  • Virus Encyclopedia. http://www.viruslist.com/
  • Virus Related Statistics.
    http://www.securitystats.com/virusstats.asp