Assignment One • Available on class website. • http://www.cs.albany.edu/~rennie/csi124x • Assignment is due Wednesday Feb. 20 at the start of class. • You must submit hard copy.
Basic Attack Types – Viruses • A virus is a malicious section of machine code attached to another program • The malicious code is run when: • You execute a program or script infected with a virus (e.g. an email attachment). • You set up or install a program carrying the virus.
Basic Attack Types – Viruses • Email attachments are a classic way of spreading viruses. • The attached file masquerades as something the user wants to run. Essentially a Trojan horse. • A game • A video file (some video files contain executable code) • An image (ditto) • The payload of the Trojan horse is the virus
Basic Attack Types – Viruses • Viruses can also be spread by freeware downloaded from the net • Often the person offering the download is unaware of the infection. • Viruses can be spread on removable media. • This was originally the only way viruses were spread.
Basic Attack Types – Viruses • The term virus is apt, because the virus itself attaches to other programs on the victim computer. • It is activated when the program is run. • The virus code executes first. • It takes actions to spread itself • E.g. it scours the computer for email addresses and uses them to send out more emails with virus attachments.
Virus History • Viruses, though present on early mainframes, are mostly correlated with the rise of the personal computer • Virus attacks predate the networking of computers • Programs and data were passed from machine to machine on removable media, almost always floppy disks.
Early Personal Computers • Apple II • Probably the first low cost widely used PC. • Original versions had one or two floppy drives • Angered many users with first versions of copy protection • IBM PC • Mass marketed in the Mid 80’s • Tried for and obtained the Home and Small Business Markets very quickly.
Early Personal Computers • Apple Mac • Original versions had a single floppy drive twice the size of the IBM PC floppy • First graphical user interface on a PC • Use of mouse and icons • WYSIWYG word processing • Aimed at home users and various types of commercial artists
Early Attacks • Elk Cloner for the Apple II • 1982 • First wide scale attack • Boot virus • Written to the boot sector of the disk • Executed when the computer was booted • Displayed a poem on every 50th boot • Infected other floppy disks when inserted in computer
Early Viruses • Note: • The purpose of the virus is mostly to demonstrate that it is there. • It's like graffiti: it displays the fact that the user accessed somewhere he wasn't supposed to access and left a mark • This is common in early viruses
Early Viruses • Brain or Pakistani Flu – 1986 • First IBM PC virus in the wild • Boot sector virus • Left a message and phone numbers in boot sector • Tied up 3 kilobytes of boot disk in bad sectors • Tied up 7 kilobytes of memory • No other real impact
Early Viruses • Note: • Again the implementer is primarily concerned with leaving a mark, proving what he can do • Note: it was a he, and the virus came out of Pakistan
Early Viruses • Jerusalem Virus – IBM PC • 1987 • First detected in Jerusalem • When the program the virus is attached to is executed, two things can happen • The virus attaches itself to every program file it can find. • Beginning in 1988, on Friday the 13th, deletes all program files on the machine
Early Viruses • Note: • We see here the element of Vandalism, which is common in Viruses of this period • Given there was no way to exploit infected computers as there was no network, there is no reason not to vandalize the machine • This attitude is still found in modern viruses
Early Viruses – Attack Vectors • Removable media • Most machines in this period either booted from floppies or used floppies as their primary mechanism for transferring data • Machines were often infected by floppies. • Once a machine was infected, all floppies created or altered on the machine could be infected • Often it was not even safe to read a floppy on an infected machine
Early Viruses – Attack Vectors • Bulletin Board Systems • BBSs were machines attached to modems • Members of the BBS would dial up the machine using their modems • This gave them access to • Email – primitive but free • Forums • Files • Provided by the BBS owner • Uploaded by other members
Early Viruses – Attack Vectors • Often infected programs were accidentally or intentionally uploaded to BBS systems • Users would download the programs and infect their systems • Often users would unintentionally spread infections by downloading a file from one bulletin board and then uploading it to another
Early Viruses -- Motivations • Primary motivations are hard to determine • Financial • No real financial motive is clear. • Payloads either did nothing or were highly and non-specifically destructive • Social • Almost no one ever came forward and claimed credit for a virus attack. To this day, the authors are unknown • Outside of a very small group, one could not claim bragging rights
Early Viruses -- Motivations • It's likely that the motivations were highly personal. Simply the knowledge that an attack was possible, and the satisfaction of successfully implementing it, might have been important.
Contrast to Modern Viruses • Viruses became less important than worms as more and more computers were networked. • Worms are easier to write • Viruses are easier to detect • They alter the program they are attached to • Virus detection software can detect that the file was modified, or that the size of the file has changed. • They contain detectable patterns of code or messages that virus checking software can detect
Modern Viruses • Viruses are no longer a demonstration of great programming skill • Virus kits are available • Viruses now break down into families • New viruses are modifications of old viruses
Modern Viruses -- Motivations • Modern viruses can be instances of vandalism • More likely • Virus used to implant some form of malware that: • Creates a zombie • Extracts saleable data
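The "Contrast to Modern Viruses" slide says a file-infecting virus is easy to detect because the host program's size or contents change. The following added example (not code from the lecture) implements that check as a baseline of file sizes and SHA-256 hashes and then reports which files have grown, been overwritten in place, disappeared or appeared. The program files and the two tampering cases in `demo()` are constructed for the example.

```python
"""Added example: detect modified program files by comparing size and hash
against a recorded baseline. Sample files are constructed, not real programs."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def build_baseline(root):
    """Record size and hash of every file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def check_baseline(root, baseline):
    """Compare the tree against the baseline. Returns {relpath: status} with
    status one of 'ok', 'size changed', 'content changed', 'missing', 'new'."""
    report = {}
    current = build_baseline(root)
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            report[rel] = "missing"
            continue
        cur_size, cur_digest = current[rel]
        if cur_size != size:
            report[rel] = "size changed"      # code appended to the host program
        elif cur_digest != digest:
            report[rel] = "content changed"   # same size, bytes overwritten in place
        else:
            report[rel] = "ok"
    for rel in current:
        if rel not in baseline:
            report[rel] = "new"
    return report


def demo():
    """Constructed program directory: take a baseline, simulate two kinds of
    tampering, and return the resulting report."""
    with tempfile.TemporaryDirectory() as root:
        files = {"editor.exe": b"MZ" + b"\x00" * 62 + b"editor code",
                 "game.exe": b"MZ" + b"\x00" * 62 + b"game code",
                 "readme.txt": b"hello"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        # Appending bytes changes the size, as a file-infecting virus does.
        with open(os.path.join(root, "editor.exe"), "ab") as f:
            f.write(b"appended constructed bytes")
        # Overwriting one byte keeps the size but changes the hash.
        with open(os.path.join(root, "game.exe"), "r+b") as f:
            f.seek(2)
            f.write(b"X")
        return check_baseline(root, baseline)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{path}: {status}")
```

The size check alone catches the classic "append and patch the entry point" infection, but a virus that overwrites bytes in place keeps the size unchanged, which is why the baseline also stores a hash. In practice the baseline itself must be kept somewhere the virus cannot modify, e.g. on read-only or off-line media.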
Of Interest to Mac People • The FIRST OS X virus appeared last year. • It's still the only one • It's a “test of concept” with no payload
Basic Attack TypesViruses • Various viruses can attach to different kinds of program or documents • For example, Microsoft Word documents as scripts/macros. • Special code run when a CD is inserted, or a disk is accessed.
Basic Attack Types – Virus Writer’s Goals • For a virus to be successful, its author has several goals for the code: • A virus should be hard to detect. • It should not be easily destroyed or deactivated. • It should spread its infection widely and quickly. • It should re-infect its home program or other programs if they are disinfected. • It should be easy to create. • It should ideally be machine and OS independent. • This one is (thankfully) not found too often.
Modern Viruses • The Love Bug virus. • In May of 2000 the Love Bug virus spread emails across the Internet. • The email • Frequently came from someone you knew, • came with the subject “I LOVE YOU”, and • Inside was the text “kindly check the attached LOVELETTER coming from me.” • The attachment was a program written in the high-level language (HLL) Visual Basic.
Modern Viruses • If the user double-clicked on the attachment, the program ran. • The virus used Internet Explorer to download another program, which it ran to complete the attack. • It installed the virus on the computer. • It searched Outlook for email addresses, which it then used to send a copy of the email/attachment. • It installed itself in copies of images, Visual Basic programs, etc. on the computer.
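The Love Bug attachment worked because a script was presented as something the recipient wanted to open. The added example below (not code from the lecture) shows the check a mail gateway or client can make before the user ever double-clicks: parse the message, list its attachments, and flag any whose real extension is a Windows-executable type, including the double-extension trick where a script extension hides behind a document-looking one. The message, the attachment name `LOVELETTER.TXT.vbs` and the extension list are constructed for this example; the extension list is an assumption and is not exhaustive.

```python
"""Added example: flag email attachments that masquerade as documents.
The sample message and attachment names are constructed, not real samples."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs when double-clicked (assumption: illustrative list).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta"}


def attachment_risks(raw):
    """Return [(filename, reason)] for attachments that look unsafe to open."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) < 2:
            continue
        ext = pieces[-1]
        if ext in EXECUTABLE_EXTS:
            reason = "executable attachment type ." + ext
            # 'letter.txt.vbs': the operating system honours the LAST extension,
            # while the user sees what looks like a text file.
            if len(pieces) >= 3 and pieces[-2] not in EXECUTABLE_EXTS:
                reason += " disguised with double extension ." + pieces[-2]
            findings.append((name, reason))
    return findings


def build_sample():
    """Constructed message in the style the slide describes."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "I LOVE YOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    # Constructed attachment: the .TXT.vbs double extension hides a script.
    msg.add_attachment(b"' constructed placeholder bytes, not a script\n",
                       maintype="application", subtype="octet-stream",
                       filename="LOVELETTER.TXT.vbs")
    # A genuinely harmless attachment for contrast.
    msg.add_attachment("just some notes", filename="notes.txt")
    return msg.as_bytes()


def demo():
    """Scan the constructed sample and return the findings."""
    return attachment_risks(build_sample())


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

A gateway that applied this rule would have stopped the Love Bug email at the first step of the sequence above, since the attachment is never handed to the user. The check is cheap but only as good as its extension list, so production filters also inspect the attachment's actual content type rather than trusting the name.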
The Really Bad News • Viruses can be created by programmers with minimal skills. • Kits are available that contain code to breach security. Hackers then add the payload, the code that serves their purpose. • People that create viruses from kits are called “script kiddies”
Protection against Viruses • Virus scanning software. • Compares files to patterns to detect viruses in the files. • Also looks in memory for executing code containing viruses
Protection against Viruses • Virus scanning software. • When a virus is detected, the program can: • Clean the virus • Remove the virus code and restore the program file to its original condition • This is not always possible.
Protection against Viruses • Virus scanning software. • When a virus is detected, the program can: • Quarantine the file • Move it to a special directory • Later it is typically removed • Note: in this case we have lost the program file unless it is backed up in some way
Protection against Viruses • Virus scanning software. • Modern anti-virus software also looks for other threats, such as worms • It can be set to scan executable files just before they are executed. • This handles the situation where a file has been infected since the last scan. • Most virus scanners also scan email
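The "Protection against Viruses" slides describe pattern matching followed by a quarantine step. The added example below (not code from the lecture, and not how any named vendor's product works) puts the two together: a signature table of byte patterns, a scanner that walks a directory, and a quarantine routine that moves each hit aside and writes a small manifest so the original path is not lost, which addresses the slide's note about losing the program file. The EICAR string is the real, harmless industry test signature that antivirus products detect on purpose; the second signature, the sample files and the quarantine layout are constructed for the example.

```python
"""Added example: minimal signature scanner with quarantine and manifest.
Signatures (other than EICAR) and sample files are constructed."""
import hashlib
import json
import os
import shutil
import tempfile

# The EICAR string is a harmless industry-standard antivirus test pattern.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature table: name -> fixed byte pattern found in the virus.
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Demo.Marker": b"CONSTRUCTED-DEMO-MARKER",   # stands in for a real virus's code fragment
}


def scan_file(path, signatures=SIGNATURES):
    """Return the name of the first signature found in the file, else None."""
    with open(path, "rb") as f:
        data = f.read()
    for name, pattern in signatures.items():
        if pattern in data:
            return name
    return None


def quarantine(path, qdir):
    """Move an infected file into qdir, named by its hash, and write a JSON
    manifest beside it recording the original location (the slide's
    'quarantine' response, without losing track of the file)."""
    os.makedirs(qdir, exist_ok=True)
    original = os.path.abspath(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    dest = os.path.join(qdir, digest)
    shutil.move(path, dest)
    with open(dest + ".json", "w") as f:
        json.dump({"original_path": original, "sha256": digest}, f)
    return dest


def scan_tree(root, qdir, signatures=SIGNATURES):
    """Scan every file under root (skipping qdir) and quarantine the hits.
    Returns {relative_path: signature_name} for each file quarantined."""
    found = {}
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if os.path.join(dirpath, d) != qdir]
        for name in files:
            full = os.path.join(dirpath, name)
            hit = scan_file(full, signatures)
            if hit:
                quarantine(full, qdir)
                found[os.path.relpath(full, root)] = hit
    return found


def demo():
    """Constructed tree: one clean file, one EICAR test file and one file
    carrying the constructed marker. Returns (hits, files left in place)."""
    with tempfile.TemporaryDirectory() as root:
        qdir = os.path.join(root, "quarantine")
        samples = {"clean.txt": b"nothing to see here",
                   "eicar.com": EICAR,
                   "tool.exe": b"MZ" + b"\x00" * 30 + b"CONSTRUCTED-DEMO-MARKER"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        hits = scan_tree(root, qdir)
        remaining = sorted(n for n in os.listdir(root) if n != "quarantine")
        return hits, remaining


if __name__ == "__main__":
    hits, remaining = demo()
    print("quarantined:", hits)
    print("left in place:", remaining)
```

Naming quarantined files by hash keeps two copies of the same infected program from colliding and gives the manifest a value that can be checked against vendor pattern updates later. Real scanners match far more flexibly than `pattern in data` (wildcards, code emulation, in-memory scanning), which is why the slides stress keeping the pattern files current.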
Vendors • Norton Antivirus • http://www.symantec.com/ • Oldest, most respected company • For the Windows OS • Also Sells other security products
Vendors • McAfee • http://www.macafee.com • Also for Microsoft OS • Also highly respected
Vendors • AVG • http://free.grisoft.com • Free version has fewer features • Still well thought of. • Also for Microsoft OS • Also has a version for Linux • Debian and Ubuntu distributions • Hard to find on site, but it's there
Vendors • ClamAV • http://www.clamav.org • Open Source • Handles all Unix like platforms • Linux • Solaris • HP-UX • Free, but tricky to maintain
Vendors • ClamXav • Mac OS X front end for the ClamAV engine • http://www.clamxav.com • Free • Again, like ClamAV, a little trickier to configure • No tech support
Finally • Virus scanners need to have their pattern files updated, DAILY. • It's best to leave them on autoupdate if your bandwidth allows. • As many are free, there is no reason to be without one.
Have a good break Goodbye