Malicious Code CS 419: Computer Information Security Kati Reiland Wed. March 5, 2003
What I’ll Cover • Short Timeline of Malicious Code • Definition of Malicious Code • Closer Look at Viruses and Worms • A Specific Look at the LoveBug Virus
Timeline • 1949: John Von Neumann researches the theory of self-replicating programs • 1960: AT&T introduces the first commercial modem • 1969: AT&T develops UNIX, the first multitasking operating system, and launches ARPANET. • 1979: Xerox researchers implement a “worm” that searches the network for idle processors.
Timeline • 1983: “Virus” is first used to describe software that affects other programs by modifying them to include a copy of itself. • 1988: Robert Morris creates a worm that attacks ARPANET, disabling over 6,000 computers by flooding their memory with copies of itself. • 1991: Symantec releases the first version of Norton Anti-virus; it is still the #1 PC security product. • 1995: Microsoft releases Windows 95.
Timeline • 1999: The “Melissa” virus infects thousands of computers. • 2000: The “I Love You” virus infects millions of computers in 24 hours. The author was a Filipino student; the Philippines have no laws against hacking or other computer crimes, so he goes without punishment. The European Union’s global “Cybercrime Treaty” is created. • 2001: The Code Red worm infects Windows NT and 2000 servers, causing $2 billion in damages. • 2001: Nimda attacks using 5 different methods of infecting systems and replicating itself.
Timeline • 2002: “Melissa” author David L. Smith is sentenced to 20 months in federal prison. • 2003: The “Sapphire Slammer” worm infects thousands of computers in 3 hours.
Malicious Code • Also called “Malware” • Generally, “any unwanted, uninvited, potentially dangerous program or set of programs” (2002, Norman Book on Computer Viruses) • General Categories: • Virus: A program that replicates itself, infecting boot sectors, programs, or data files. • Worm: A program that has the ability to spread. • Trojan Horse/Backdoors: A program that looks to be a useful or benign file/program. • Denial-of-Service: Software that doesn’t harm the host but uses the host to disrupt other networked computers.
Malicious Code, cont. • Hacking Tools: Assist the author in the creation of a virus/worm. Do not cause any harm by themselves. • Bugs/Logic Bombs/Time Bombs: Malfunctions within otherwise usable code. • Hoax: Generally a chain letter by email advising the removal of a needed system file. Does not actually replicate but “cons” the person into sending it on, believing that they are doing good. • A combination of any or all of the above: Most malicious code falls into this category. Ex. “ILoveYou” virus
Why are these a security risk? • Data Loss (viruses, worms) • Downtime • Loss of Confidentiality (stolen data)
Viruses and Worms • Types: • Binary File Viruses/Worms • Ex. W95/CIH, otherwise known as “Chernobyl” • Binary Stream Worms • Ex. Code Red • Script File Viruses/Worms • Ex. ILoveYou • Macro Viruses • Ex. Melissa • Boot Viruses • Ex. AntiWin • Multipartite Viruses • Ex. Civil (Security Stats, 2002)
Binary File Virus • A virus that attaches its code to a usable program file. • Six basic ways of attaching itself: companion, link, overwrite, insert, prepend and append. • Companion • Usually done by creating a program.com file in the same folder as the program.exe. • Link • Changes the workings of the file system so the program name will then refer to the virus instead of the program. • Overwrite • Insert • Prepend • Append
Script File Viruses • Viruses that are pure text instructions interpreted by some associated program. • Examples of scripts: • Visual Basic Script • Many of Microsoft’s programs and OS functions can be manipulated, thus highly used • JavaScript • Doesn’t affect the file system, so there are not many viruses using this. • JScript • Not as often used as VBS, but just as dangerous • DOS BAT Language / UNIX Shell Script • Allows command line commands on DOS / UNIX machines (respectively) without actually typing the commands • IRC Scripts • Scripts support the automatic sending of files to other members. • Many others
Macro Viruses • Take advantage of the many applications that contain/use macro programming languages • WordBasic (early versions of MS Word) • Visual Basic for Applications (VBA) • Can be used to control almost anything on a Windows computer • The first set of viruses that affect the reliability of the information in data files. • Sometimes used to create and/or execute other traditional viruses. • Highly dangerous. • As newer versions of Microsoft products were introduced, so were new versions of VBA, so older viruses could not affect newer versions of the product.
Boot Viruses • Viruses that infect System Boot Sectors (SBS) and Master Boot Sectors (MBS). • MBS vs. SBS • Floppy disks have only an SBS. • THE BOOT PROCESS • BIOS (Basic Input/Output System) • POST (Power On Self Test) • Attempts to boot from floppy • Loads OS • A boot virus generally infects the SBS of a floppy disk, and when the attempt to boot is made, the virus goes into memory and runs active, infecting the system areas of the hard drive. • Up until a couple of years ago, boot viruses were the most common viruses.
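The classic defence against the boot-sector infection described above is to record a hash of the clean boot code and compare against it later. The following is an added example, not from the lecture: it parses a 512-byte master boot sector (boot code, four 16-byte partition entries, 0x55AA signature), checks it against a recorded baseline, and flags tampering. The sample sectors and the baseline are constructed inline for the demonstration.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446   # boot code occupies bytes 0..445; four 16-byte entries follow
SIG_OFFSET = 510     # the 0x55AA boot signature is the last two bytes

def parse_mbr(sector):
    """Hash the boot code, check the signature and decode the partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        entries.append({"bootable": sector[off] == 0x80, "type": sector[off + 4],
                        "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
            "signature_ok": sector[SIG_OFFSET:] == b"\x55\xaa",
            "partitions": entries}

def check_mbr(sector, baseline_code_sha256):
    """Return findings; an empty list means the MBR matches the known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one bootable partition")
    return findings

def make_sample_mbr(code):
    """Constructed MBR: the given boot code, one bootable NTFS-type entry, valid signature."""
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = entry
    sector[SIG_OFFSET:] = b"\x55\xaa"
    return bytes(sector)

GOOD = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")          # stand-in boot code, constructed
BASELINE = parse_mbr(GOOD)["code_sha256"]               # recorded while the system was clean
TAMPERED = make_sample_mbr(b"\xeb\xfe" + b"\x90" * 64)  # same layout, different boot code

if __name__ == "__main__":
    print("good:", check_mbr(GOOD, BASELINE))
    print("tampered:", check_mbr(TAMPERED, BASELINE))
```

On a real system the baseline would be taken once from the physical disk's first sector and kept off the machine, since a boot virus that rewrites the code can also rewrite a baseline stored beside it.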
ILoveYou: The Love Letter Virus • May 4-8, 2000: CERT announces over 500,000 reported PCs infected. • Most commonly through an email attachment (LOVE-LETTER-FOR-YOU.txt.vbs) but also through IRC, Windows file sharing, and USENET news. • Overwrites all files with the extensions of *.vbs, *.vbe, *.doc, *.txt, *.js, *.jse, *.css, *.wsh, *.sct, *.hta, *.jpg, *.jpeg, *.mp3, *.mp2 and others with a copy of itself and changes the file extension but keeps the file name.
VBS/ILOVEYOU: “LoveBug” • Any up-to-date anti-virus product should catch it. • Disable Windows Scripting Host and IE’s Active Scripting, though this disables other functionality also. • There are currently 82 known variants of the original. (Symantec Corp.) • Some variants attempt to download a password-stealing trojan from a webpage.
What it does • Sets the Windows Scripting Host timeout to zero • Attempts to send out an email with Microsoft Outlook. • Subject: ILOVEYOU • Body: “kindly check the attached LOVELETTER coming from me” • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs • Searches all network and local drives for a variety of the previously listed file extensions. • Overwrites these files with a copy of itself
What it does, cont. • Places a file (a copy of itself) in the Windows System Directory • May be named mskernel32.vbs, win32dll.vbs, or love-letter-for-you.txt.vbs • Changes the IE home page to a URL beginning with http://www.skyinet.net/ • If mIRC is installed, it will overwrite the script.ini file. • Attempts to create an HTML file with the VBS script embedded.
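The overwrite behaviour described in the last three slides leaves a recognisable trace on disk: one identical script body sitting under many names that keep a data extension but end in a script extension. As an added example (not part of the lecture), the following scan groups files by content hash and flags any body that reappears under several such double-extension names; the extension sets and the sample drive contents are constructed assumptions.

```python
import hashlib
import ntpath
from collections import defaultdict

# Data extensions the lecture lists as overwritten, and the script extensions the
# worm hides behind; which ones to watch is an assumption of this example.
DATA_EXTS = {".doc", ".txt", ".jpg", ".jpeg", ".mp3", ".mp2", ".css", ".js", ".jse"}
SCRIPT_EXTS = {".vbs", ".vbe"}

def is_double_extension(name):
    """True for names like holiday.jpg.vbs: a data extension under a script one."""
    base, last = ntpath.splitext(name.lower())
    inner = ntpath.splitext(base)[1]
    return last in SCRIPT_EXTS and inner in DATA_EXTS

def overwrite_clusters(files, min_paths=3):
    """Group files by content hash and flag any hash that reappears under
    min_paths or more double-extension names: one script body copied over
    many data files, which is the overwrite pattern the worm leaves behind."""
    by_hash = defaultdict(list)
    for path, data in files.items():
        by_hash[hashlib.sha256(data).hexdigest()].append(path)
    flagged = {}
    for digest, paths in by_hash.items():
        doubles = [p for p in paths if is_double_extension(ntpath.basename(p))]
        if len(doubles) >= min_paths:
            flagged[digest] = sorted(doubles)
    return flagged

# Constructed sample drive: one script body under several double-extension
# names, plus an unrelated admin script and an untouched data file.
SCRIPT_BODY = b"' constructed placeholder script body, not real worm code\r\n"
SAMPLE = {
    r"C:\docs\report.doc.vbs": SCRIPT_BODY,
    r"C:\docs\notes.txt.vbs": SCRIPT_BODY,
    r"C:\pics\holiday.jpg.vbs": SCRIPT_BODY,
    r"C:\music\song.mp3.vbs": SCRIPT_BODY,
    r"C:\tools\backup.vbs": b"' unrelated admin script\r\n",
    r"C:\docs\budget.xls": b"binary spreadsheet contents",
}

if __name__ == "__main__":
    for digest, paths in overwrite_clusters(SAMPLE).items():
        print(f"{digest[:12]}... found under {len(paths)} data-file names:")
        for p in paths:
            print("   ", p)
```

A single legitimate .vbs file is never flagged on its own; the signal is the same content repeated under names that used to belong to documents and pictures.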
References
• About Viruses. Panda Software. http://www.pandasoftware.com/virus_info/about_virus/
• Anti-virus round-up (January-June 2000). Sophos Antivirus. July 2000. http://www.sophos.com/virusinfo/articles/roundup162000.html
• Antivirus Software Ratings. Consumer Reports. June 2002.
• CERT Love Letter Advisory. http://www.cert.org/advisories/CA-2000-04.html
• Computer Virus Timeline. http://www.infoplease.com/spot/virustime1.html
• Cyberspace Invaders. Consumer Reports. June 2002.
• History of Computer Viruses. Discovery Channel. http://www.exn.ca/Nerds/20000504-55.cfm
• Kaliciak, Paul. ILOVEYOU Email Virus Floods Internet. Discovery Channel. http://www.exn.ca/Nerds/20000504-56.cfm
• Kaspersky, Eugene. Computer Viruses. http://www.viruslist.com/eng/viruslistbooks.html?id=3
• McAfee Antivirus. http://www.mcafee.com/
• Norman Book of Computer Viruses. Norman ASA. Oct 2001. http://www.norman.com/papers.shtml
• Sophos Antivirus. http://www.sophos.com/
• Stupid Virus Tricks. Consumer Reports. June 2002.
• Symantec Corporation. www.symantec.com
• Virus Encyclopedia. http://www.viruslist.com/
• Virus Related Statistics. http://www.securitystats.com/virusstats.asp