The Windows wilderness: a look on malware

1
The Windows wilderness a look on malware

• SPI2009
• Kaido Kikkas

2
Computers and knives

• A knife has two very different uses
• tosave someone's life (when used by a doctor)?
• to kill someone (used by a killer)?
• So does the computer
• Again we hit the paradigm of well-equipped
  fools...

3
Some clarification

• Virus a piece of software capable of
  self-propagation by either infecting files or
  certain parts of data carriers
• Trojan horse a piece of malicious software
  posing as legitimate. No self-replication
  abilities
• Worm a piece of software that propagates itself
  over networks via various software
  vulnerabilities. User intervention is not needed
• Rootkit a piece of software used to hide tracks
  of some other software. NB! Exist for all systems
• Today's malware may have all these combined

4
In ancient times

• Greeks built a wooden horse and cheated on
  Trojans
• Already in early computing, the same concept came
  into use before there were viruses, there were
  Trojan horses
• Internet proper was an elite thing (but first
  malware concept was introduced on Multics in
  1974)?
• ordinary users had only Fidonet no chance for
  heavy traffic. So they had to create small and
  nasty stuff like PKZ Trojan horse (pretended to
  be an utility)?

5
Virus vs Bill

• First case Elk Cloner, AppleDOS 3.3 so no
  Microsoft at all...
• But it changed soon viruses became nearly
  synonymous with IBM PC compatible computers and
  Microsoft systems
• The following is a brief tour ...

6
The Pakistani Brain

• 1986 aka Lahore, Pakistani Flu, UIUC
• Written by Basit and Amjad Farooq Alvi, two
  Pakistani brothers, to prevent copying of their
  software. Soon, they had to regret it
• Boot sector virus
• Simple stealth capabilities
• No destructive payload, more an annoyance

7
Lehigh

• 1987
• First to attack COMMAND.COM, the core file of DOS
  (in fact, attacked only this file)?
• First TSR (Terminate and Stay Resident) virus
• After a number of infections, messed up the disk
• Could be defeated by making COMMAND.COM read-only

8
Jerusalem

• 1987
• TSR, but did NOT infect COMMAND.COM (to hide from
  detection)?
• Slowdown, on Friday the 13th destroyed all
  programs that were run

9
Stoned

• 1989-91, Australia and New Zealand
• First widespread boot sector virus
• Your PC is now stoned.

10
The Morris worm

• Black Thursday, 2nd of November 1988
• Regarded as the birthday of computer security
• Hit the REAL Internet machines
• Robert Morris, Cornell University
• Security holes, weak passwords 6000 machines
• Miscalculation of speed 10 times faster
• 3 years of probation, 400 hours of community
  service, 10 050 fine
• Remained a single case

11
Yankee Doodle

• 1989, Bulgaria
• Many variants, very widespread (also in Estonia,
  whole computer labs were singing...)?
• Notable effect of playing the title song from
  speakers (otherwise relatively harmless)?

12
Cascade

• Around 1988, former Yugoslavia a.k.a. Falling
  Letters
• Very colourful visual effect letters fell from
  screen to a pile below. While otherwise harmless,
  it greatly disrupted the work

13
Dark Avenger

• 1989, Bulgaria a.k.a. Eddie
• TSR file infector, could infect also by reading
• One of the most destructive early viruses every
  16th infection destroyed a random sector on disk,
  slowly causing permanent, serious damage
• In 1992, the same author introduced the Mutation
  Engine a virus library designed to create
  self-changing (stealth) viruses

14
Dir II

• 1991, Bulgaria or India (sources differ)?
• A TSR virus which changed the information
  structure on disk booting from a clean disk
  rendered the files unusable

15
Michelangelo

• 1991, a derivative of Stoned
• One of the biggest hypes among viruses created
  a huge media bubble in the beginning of 1992 as
  it was to activate on March 6. Actual damage was
  negligible

16
CIH

• 1998, Russia(?) a.k.a. SpaceFiller, Chernobyl
• Wrote over the beginning of the disk as well as
  some of the BIOS upon activation (the latter did
  not work in some BIOSes)?
• Was designed for Windows 9x did not work on NT
  family

17
The age of macro viruses

• Viruses which resided on MS Office environment.
  Success reasons include
• wide spread of Windows and MS Office
• permeating nature of Visual Basic for
  Applications in MS Office, allowing deep access
  stretched further by unintended privilege
  escalation cases
• proprietary systems gt only Microsoft knew the
  internals
• Most stress was on Word (.doc files)?

18
Melissa

• March 26, 1999 New Jersey
• First successful virusworm combo after
  infection, used a worm-like spreading method,
  clogging up a large share of networks
• Needed Word 97 or 2000 to work and Outlook 97 or
  98 to spread yet there was more than enough of
  them
• 1999 Linux Timeline Melissa creates
  difficulties worldwide. Linux users yawn....

19
ILoveYou

• 2000, Philippines a.k.a. LoveLetter, Love Bug
• Similar to Melissa, mostly a worm
• caused estimated financial loss of 10 bln USD
• Outlined the problems with file extension hiding
  and double extensions in Windows

20
Hijackers

• a class of (typically) client-server applications
  used to remote control Windows machines
• Back Orifice 1998
• NetBus 1998
• SubSeven 1999
• The case of Magnus Eriksson in 1999
• Netbus-originating child pornography in his PC
• lost his job at Lund University law school
• had to flee the country after his name was
  published

21
Code Red

• 2001 China
• Attacked only MS IIS web servers, but made
  attempts on all (did not check the type)?
• Attempted DOS attacks from conquered machines
• MS reacted in a week (a rare case)?
• Hacked by Chinese became a slogan...

22
Nimda

• September 2001
• Administered (admin backwards) the conquered
  machine
• enabled sharing
• guest account with admin privileges
• Infected web servers contagiated visitors using IE

23
Blaster

• August 2003 a.k.a. Lovesan
• Infected more than 8 mln computers
• DOSsed MS update service

24
MyDoom

• January 2004, the fastest spread to date
• DOSsed the SCO website alleged 'open-source
  revenge' (later overturned)?
• In July, stopped all main search engines for a day

25
Sasser

• April 2004
• Massive swamping attacks on different online
  services, lots of downtime (mostly in Europe)?
• Authored by Sven Jasschan, a German student
  received 21 months of probation but was later
  employed by a security company

26
Zotob

• August 2005
• One of the first mercenary worms apparently
  ordered by spyware industry helps to forward
  different malware
• Estimated damage 97 000 80 hours of work per
  company infected. On August 16, CNN Live went
  down due to Zotob, other big hits were Boeing,
  ABC News, Homeland Security...
• The next year, two men named Farid Essabar and
  Achraf Bahloul were sentenced in Morocco but
  finally just for a year

27
Samy

• A.k.a. JS.Spacehero, October 2005
• MySpace XSS (cross-site scripting) worm
• Used MySpace vulnerabilities (e.g. JavaScript
  code injection via CSS)?
• Spread onto the pages of gt 1 mln users in 20
  hours, arguably the fastest spreading malware
• The author, Samy Kamkar, got 3 years on
  probation, 90 days of community services and
  unknown amout of fines

28
Monkey business, Sony-style

• October 2005
• Sony BMG released 102 titles of CD-s equipped
  with XCP and MediaMax - two copy protection
  systems which were actually rootkits, interfering
  with the system and opening new security holes in
  Windows machines
• First, a removal tool was issued which actually
  made thing worse (brushed under the carpet). The
  second one was no better
• Finally recalled all the CD-s in question

29
Storm

• January 2007
• A worm used to build one of the largest botnets
  to date
• Initially spread 'the old way' via mail
  attachments
• The botnet at the largest contained about 1-50
  mln computers (different estimates), the current
  estimated size is 5 000 - 40 000. Another
  estimate is it forming 8 of all malware
• Possible traces to RBN and cyber-attacks

30
Conficker

• A.k.a. Downadup or Kido - the latest hit from
  October 2008
• Exploits Windows server vulnerabilities (all
  versions from 2000 upwards)?
• January 9 estimate 9 mln Windows Pcs
• Hit the UK Ministry of Defense, a number of Royal
  Navy warships, about 800 computers in Sheffield
  hospitals...

31
Two notables

• January 2001 Ramen, a single brief appearance
  of a Linux worm. Was limited to Red Hat 6.2 and
  7.0, used their security holes. In principle was
  similar to the Morris worm
• August 2003 Weichia, a helpful wormAttempted
  to update Windows, removed Blaster and was
  supposed to kill itself in 120 days
• Also, two cases are known for MacOS X -
  Leap/Oompa in February 2006 and the currently
  active iServices.A trojan horse (20 000 infected
  Macs)?

32
Stages in malware motivation

• Hacker'y exploration (What's in there?)?
• Clueless experimentation (What happens if)?
• Expression of frustration (I'll show you all!)?
• Expression of politics (Free X or suffer!)?
• Malware as a weapon
• Malware as a business model

33
Still why Windows?

• A number of factors, including
• largest market share (but not the dominating
  factor as Microsoft wants to believe)?
• the chronic security problems in Microsoft
  products
• the most clueless user base by far
• the security industry which has created its
  shadow counterpart in malware industry
• The only way to get rid of it is to destroy the
  roots has been unsuccessful to date

34
Conclusion

• Malware has greatly evolved over time
• The diversity is great
• The resilience lies in economic incentives
• One of the easiest solutions against it is to
  change the platform Microsoft needs to 100
  redesign its systems to decrease the threat

35
That's it!