Outlines

 Mobile malcode Overview

 Viruses
 Worms
Mobile Malcode Overview
 Malicious programs which spread from
machine to machine without the consent of
the owners/operators/users
 Windows Automatic Update is (effectively)
consensual
 Many strains possible
 Viruses
 Worms
 Compromised Auto-updates
• No user action required, very dangerous
Malicious Software
Trapdoors (Back doors)
 Secret entry point into a program
 Allows those who know access bypassing
usual security procedures, e.g.,
authentications
 Have been commonly used by developers
 A threat when left in production programs
allowing exploited by attackers
 Very hard to block in O/S
 Requires good s/w development & update
Logic Bomb
 One of oldest types of malicious software
 Code embedded in legitimate program
 Activated when specified conditions met
 E.g., presence/absence of some file
 Particular date/time
 Particular user
 Particular series of keystrokes

 When triggered typically damage system

 Modify/delete files/disks
 Trojan Horse

 Programs that appear to have one

function but actually perform
another.
 Modern Trojan Horse: resemble a
program that the user wishes to
run - usually superficially attractive
 E.g., game, s/w upgrade etc
 When run performs some additional
tasks
 Allows attacker to indirectly gain access
they do not have directly
 Often used to propagate a
virus/worm or install a backdoor
 Or simply to destroy data
Zombie
 Program which secretly takes over
another networked computer
 Then uses it to indirectly launch attacks
 Often used to launch distributed denial
of service (DDoS) attacks
 Exploits known flaws in network
systems
Outlines
 Mobile malcode Overview
 Viruses
 Worms
 Denial of Services Attacks
 Viruses
 Definition from RFC 1135: A virus is a piece of
code that inserts itself into a host, including
operating systems, to propagate. It cannot
run independently. It requires that its host
program be run to activate it.
 On execution
 Search for valid target files
• Usually executable files
• Often only infect uninfected files
 Insert a copy into targeted files
• When the target is executed, the virus starts running
 Only spread when contaminated files are
moved from machine to machine
 Mature defenses available
 Virus Growth

60000
50000
40000
30000
20000
10000
0
1988 1990 1993 1999
 1988: Less than 10 known viruses
 1990: New virus found every day
 1993: 10-30 new viruses per week
 1999: 45,000 viruses and variants
Source: McAfee
Virus Operation
 virus phases:
 dormant – waiting on trigger event
 propagation – replicating to programs/disks
 triggering – by event to execute payload
 execution – of payload

 details usually machine/OS specific

 exploiting features/weaknesses
Anatomy of a Virus
 Two primary components
 Propagation mechanism
 Payload

 Propagation
 Method by which the virus spreads itself.
 Old days: single PC, transferred to other
hosts by ways of floppy diskettes.
 Nowadays: Internet.
Structure of A Virus
Virus() {
infectExecutable();
if (triggered()) {
doDamage();
}
jump to main of infected program;
}

void infectExecutable() {
file = choose an uninfected executable file;
prepend V to file;
}

void doDamage() { ... }

int triggered() { return (some test? 1 : 0); }
Virus Compression
 Virus Infectables I -- Macros
 Usually executable files: .com, .exe, .bat
 Macro code attached to some data file
 Interpreted by program using file
 E.g., Word/Excel macros
 Especially using auto command & command macros

 Code is now platform independent

 Is a major source of new viral infections
 Blur distinction between data and program files
 Classic trade-off: "ease of use" vs "security”
 Have improving security in Word etc
 Are no longer dominant virus threat
 Virus Infectables (cont’d)
 System sector viruses
 Infect control sectors on a disk
• DOS boot sectors
• Partition (MBR) sectors
 System sector viruses spread easily via floppy disk
infections
 Companion viruses
 Create a .com files for each .exe files
 DOS runs COM files before EXE files
 Relatively easy to find and eliminate

 Cluster viruses
 Change the DOS directory info so that directory
entries point to the virus code instead of the real
program
 Even though every program on the disk may be
Variable Viruses
 Polymorphic viruses
 Change with each infection
• Executables virus code changing (macros: var name,
line spacing, etc.)
• Control flow permutations (rearrange code with goto’s)
 Attempt to defeat scanners
 Virus writing tool kits have been created to
"simplify" creation of new viruses
 Current tool kits create viruses that can be
detected easily with existing scanner
technology
 But just a matter of time …
 Virus Detection/Evasion
 Look for changes in  Compression of virus
size and target code
 Check time stamp on  Modify time stamp to
file original
 Look for bad behavior  Do bad thing
 False alarm prone insidiously
 Look for patterns  Change patterns –
(byte streams) in polymorphism
virus code that are  Rearrange data in the
unique file
 Look for changes in  Disable anti-virus
file checksum programs
 More on Virus Detection
 Scanning
 Depend on prior knowledge of a virus
 Check programs before execution
 Need to be regularly updated

 Integrity Checking
 Read entire disk and record integrity data that
acts as a signature for the files and system
sectors
 Use cryptographic computation technique
instead of simple checksum
 More on Virus Detection
 Interception
 Monitoring for system-level routines that perform
destructive acts
 Good for detecting logic bomb and Trojan horse
 Cannot depend entirely upon behavior monitors
as they are easily bypassed.
 Combination of all three techniques can
detect most viruses
Virus Recovery
 Extricate the virus from the infected file to
leave the original behind
 Remove the redirection to the virus code
 Recover the file from backup
 Delete the files and move on with life
History of Viruses
First Wild Viruses Apple I/II/III: 1981
 Three viruses for the Apple machines
emerged in 1981
 Boot sector viruses
 Floppies of that time had the disk operating
system (DOS) on them by default
 Wrote it without malice
First PC Virus: Pakistani Brain Virus
(1986)
 Written by Pakistani brothers to protect their
copyright
 Claim: infect only machines that had an
unlicensed copy of their software
 Boot sector, memory resident
 Printed

“Welcome to the Dungeon (c) 1986 Basit * Amjad

(pvt) Ltd. BRAIN COMPUTER SERVICES
730 NIZAB BLOCK ALLAMA IQBAL TOWN
LAHORE-PAKISTAN
PHONE :430791,443248,280530.
Beware of this VIRUS.... Contact us for
vaccination ............. !!"
 Destructive Virus: Chernobyl
(1998)
 Designed to inflict harm
 Flash BIOS: would cause permanent hardware
damage to vulnerable motherboards
 Also overwrote first 2K sectors of each disk
• Typically resulted in a loss of data and made it
unbootable
 Previously believed that being benign was
necessary for virus longevity
 Chernobyl provided evidence to the contrary
Early Macro Virus: Melissa (1999)
 Microsoft Word 97 Macro virus
 Target first 50 entries in Outlook’s address
book
 Adjusted subject “Important messages
from ______”
 Points to attachment as a document
requested
 Contains a list of porn sites
 Macro security was greatly increased with
Melissa
Outlines
 Mobile malcode Overview
 Viruses
 Worms
Worms
 Autonomous, active code that can replicate
to remote hosts without any triggering
 Replicating but not infecting program
 Because they propagate autonomously,
they can spread much more quickly than
viruses!
 Speed and general lack of user interaction
make them the most significant threats
+
Activation
Target
Attacker
Discovery

Payload

Carrier

Worm Overview
 Target
Discovery

• Port Scanning
• Sequential: working through an address block
• Random

•Target Lists
• Externally generated through Meta servers
• Internal target list
• Passive worms
 External Target Lists:
Metaserver Worms
 Many systems use a "metaserver", a
server for information about other
Metaserver
servers
 Games: Use as a matchmaker for local
Server Server
servers
 Google: Query google to find web servers
 Windows Active Directory: Maintains the Server Server
"Network Neighborhood"
 Worm can leverage these services Server Server
 Construct a query to find new targets
 Each new victim also constructs queries Server Server
• Creates a divide-and-conquer infection
strategy
 Original strategy, not yet seen
 How Fast Are
Metaserver Worms?
 Game Metaserver: Use to attack a small population
(eg, all Half-Life servers)
 ~1 minute to infect all targets
 Google: Use to enhance a scanning web worm
 Each worm conducts initial queries to find URLs

100%

80%
Percent Infected

60% No Acceleration
40%
Metaserver Acceleration
20%

0%
0 1 2 3 4 5 6

Time (Hours)
Internal Target Lists:
Topological Information
 Look for local information to find new
targets
 URLs on disk and in caches
 Mail addresses
 .ssh/known_hosts

 Ubiquitous in mail worms

 More recent mail worms are more
aggressive at finding new addresses
 Basis of the Morris worm (1988)
 Address space was too sparse for scanning
to work
 How Fast are
Topological Worms?
 Depends on the topology G =
(V, E)
 Vulnerable machines are vertices,
edges are local information
 Time to infect is a function of the
shortest paths from the initial point
of infection
 Power law or similar graph
(KaZaA)
 Depends greatly on the
parameters,
but generally very, VERY fast
 Passive Worms
 Wait for information about other targets
E.g., CRclean, an anti-CodeRed II worm
 Waitfor Code Red, respond with counterattack
 Remove Code Red II and install itself on the
machine
 Speed is highly variable
 Depends on normal communication traffic

 Very high stealth

 Have to detect the act of infection, not target
selection
 Carrier
• Self-Carried
Transmit itself as part of the infection process
• Second Channel
E.g. blaster worm use RPC to exploit, but use TFTP to
download the whole virus body
Activation
 Activation
 Human Activation
 Needs social engineering, especially for email
worms
• Melissa – “Attached is an important message for you!”
• Iloveyou – “Open this message to see who loves you!”
 Human activity-based activation
 E.g. logging in, rebooting (Nimda’s secondary
propagation)
 Scheduled process activation
 E.g. updates, backup etc.
 Self Activation
 E.g. Code Red exploit the IIS web servers
Payload
 Payloads
 None/nonfunctional
 Most common
 Still can have significant effects through traffic and
machine load (e.g., Morris worm)
 Internet Remote Control
 Code Red II open backdoor on victim machines:
anyone with a web browser can execute arbitrary
code
 Internet Denial of Service (DOS)
 E.g., Code Red, Yaha
 Data Collection
 Data Damage: Chernobyl , Klez

 Attacker

• Experimental Curiosity, e.g., I Love You worm

• Pride and Power
• Commercial Advantage
• Extortion and Criminal Gain
• Terrorism
• Cyber Warfare
 Some Major Worms
Worm Yea Strategy Victims Other Notes
r
Morris 198 Topological 6000 First major autonomous
8 worm. Attacked multiple
vulnerabilities.
Code Red 200 Scanning ~300,000 First recent "fast" worm, 2nd
1 wave infected 360,000
servers in 14 hours
CRClean 200 Passive none Unreleased Anti-Code-Red
1 worm.
Nimda 200 Scanning ~200,000 Local subnet scanning.
1 IIS, Code Effective mix of techniques
Red 2
backdoor,
etc
Scalper 200 Scanning <10,000 Released 10 days after
2 vulnerability revealed
The Spread of the
Sapphire/Slammer SQL Worm
 How Fast
was Slammer?
 Infected ~75,000
machines
in 10 minutes
 Full scanning rate in
~3 minutes
 >55 Million IPs/s
 Initial doubling rate
was about every 8.5
seconds
 Local saturations
occur in <1 minute
 Why Was Sapphire Fast: A
Bandwidth-Limited Scanner
 Code Red's scanner is latency-limited
 In many threads: send SYN to random address,
wait for response or timeout
 Code Red  ~6 scans/second,
• population doubles about every 40 minutes
 Every Sapphire copy sent infectious packets at
maximum rate
 1 Mb upload bandwidth 
280 scans/second
 100 Mb upload bandwidth 
28,000 scans/second
 Any reasonably small TCP worm can spread like
Sapphire
 Needs to construct SYNs at line rate, receive ACKs in a
separate thread
Backup Slides
 Fred Cohen’s Work: 1983
 First documented work with viruses
 Cohen’s PhD advisor, Leo Adelman, coined the
term “virus”
 Virus: “a program that can infect other programs
by modifying them to include a … version of
itself”
 Viruses can quickly (~30 min) spread through a
networked file system
 Dissertation (1986) conclusion: "universal"
detection of a virus is undecidable
 No 100% guaranteed detection for virus/worm
Early Mail Virus: Happy99
(1999)
 One of the earliest viruses that propagated
automatically when an infected attachment
is executed
 Did not infect files, only email user
accounts
 Email sent from infected person to others
in address book (novelty at the time)
Morris Worm
 best known classic worm
 released by Robert Morris in 1988
 targeted Unix systems
 using several propagation techniques
 simple password cracking of local pw file
 exploit bug in finger daemon
 exploit debug trapdoor in sendmail daemon

 if any attack succeeds then replicated

self