The Windows wilderness a look on malware SPI

The Windows wilderness: a look on malware SPI 2009 Kaido Kikkas

Computers and knives A knife has two very different uses: tosave someone's life (when used by a doctor) to kill someone (used by a killer) So does the computer Again we hit the paradigm of well-equipped fools. . .

Some clarification Virus – a piece of software capable of selfpropagation by either infecting files or certain parts of data carriers Trojan horse – a piece of malicious software posing as legitimate. No self-replication abilities Worm – a piece of software that propagates itself over networks via various software vulnerabilities. User intervention is not needed Rootkit – a piece of software used to hide tracks of some other software. NB! Exist for all systems Today's malware may have all these combined

In ancient times Greeks built a wooden horse and cheated on Trojans Already in early computing, the same concept came into use – before there were viruses, there were Trojan horses: Internet proper was an elite thing (but first malware concept was introduced on Multics in 1974) ordinary users had only Fidonet: no chance for heavy traffic. So they had to create small and nasty stuff like PKZ Trojan horse (pretended to be an utility)

Virus vs Bill First case: Elk Cloner, Apple. DOS 3. 3 – so no Microsoft at all. . . But it changed soon – viruses became nearly synonymous with IBM PC compatible computers and Microsoft systems The following is a brief tour. . .

The Pakistani Brain 1986; aka Lahore, Pakistani Flu, UIUC Written by Basit and Amjad Farooq Alvi, two Pakistani brothers, to prevent copying of their software. Soon, they had to regret it Boot sector virus Simple stealth capabilities No destructive payload, more an annoyance

Lehigh 1987 First to attack COMMAND. COM, the core file of DOS (in fact, attacked only this file) First TSR (Terminate and Stay Resident) virus After a number of infections, messed up the disk Could be defeated by making COMMAND. COM read-only

Jerusalem 1987 TSR, but did NOT infect COMMAND. COM (to hide from detection) Slowdown, on Friday the 13 th destroyed all programs that were run

Stoned 1989 -91, Australia and New Zealand First widespread boot sector virus “Your PC is now stoned. ”

The Morris worm Black Thursday, 2 nd of November 1988 Regarded as the birthday of computer security Hit the REAL Internet machines Robert Morris, Cornell University Security holes, weak passwords; 6000 machines Miscalculation of speed – 10 times faster 3 years of probation, 400 hours of community service, $10 050 fine Remained a single case

Yankee Doodle 1989, Bulgaria Many variants, very widespread (also in Estonia, whole computer labs were singing. . . ) Notable effect of playing the title song from speakers (otherwise relatively harmless)

Cascade Around 1988, former Yugoslavia; a. k. a. Falling Letters Very colourful visual effect – letters fell from screen to a pile below. While otherwise harmless, it greatly disrupted the work

Dark Avenger 1989, Bulgaria; a. k. a. Eddie TSR file infector, could infect also by reading One of the most destructive early viruses – every 16 th infection destroyed a random sector on disk, slowly causing permanent, serious damage In 1992, the same author introduced the Mutation Engine – a virus library designed to create selfchanging (stealth) viruses

Dir II 1991, Bulgaria or India (sources differ) A TSR virus which changed the information structure on disk – booting from a clean disk rendered the files unusable

Michelangelo 1991, a derivative of Stoned One of the biggest hypes among viruses – created a huge media bubble in the beginning of 1992 as it was to activate on March 6. Actual damage was negligible

CIH 1998, Russia(? ); a. k. a. Space. Filler, Chernobyl Wrote over the beginning of the disk as well as some of the BIOS upon activation (the latter did not work in some BIOSes) Was designed for Windows 9 x – did not work on NT family

The age of macro viruses Viruses which resided on MS Office environment. Success reasons include: wide spread of Windows and MS Office permeating nature of Visual Basic for Applications in MS Office, allowing deep access stretched further by unintended privilege escalation cases proprietary systems => only Microsoft knew the internals Most stress was on Word (. doc files)

Melissa March 26, 1999 New Jersey First successful virus+worm combo – after infection, used a worm-like spreading method, clogging up a large share of networks Needed Word 97 or 2000 to work and Outlook 97 or 98 to spread – yet there was more than enough of them 1999 Linux Timeline: “Melissa creates difficulties worldwide. Linux users yawn. ”. . .

ILove. You 2000, Philippines; a. k. a. Love. Letter, Love Bug Similar to Melissa, mostly a worm caused estimated financial loss of 10 bln USD Outlined the problems with file extension hiding and double extensions in Windows

Hijackers a class of (typically) client-server applications used to remote control Windows machines Back Orifice 1998 Net. Bus 1998 Sub. Seven 1999 The case of Magnus Eriksson in 1999 Netbus-originating child pornography in his PC lost his job at Lund University law school had to flee the country after his name was published

Code Red 2001 China Attacked only MS IIS web servers, but made attempts on all (did not check the type) Attempted DOS attacks from conquered machines MS reacted in a week (a rare case) “Hacked by Chinese” became a slogan. . .

Nimda September 2001 “Administered” (“admin” backwards) the conquered machine enabled sharing guest account with admin privileges Infected web servers contagiated visitors using IE

Blaster August 2003; a. k. a. Lovesan Infected more than 8 mln computers DOSsed MS update service

My. Doom January 2004, the fastest spread to date DOSsed the SCO website – alleged 'open-source revenge' (later overturned) In July, stopped all main search engines for a day

Sasser April 2004 Massive swamping attacks on different online services, lots of downtime (mostly in Europe) Authored by Sven Jasschan, a German student – received 21 months of probation but was later employed by a security company

Zotob August 2005 One of the first “mercenary worms” apparently ordered by spyware industry – helps to forward different malware Estimated damage – 97 000$ + 80 hours of work per company infected. On August 16, CNN Live went down due to Zotob, other big hits were Boeing, ABC News, Homeland Security. . . The next year, two men named Farid Essabar and Achraf Bahloul were sentenced in Morocco – but finally just for a year

Samy A. k. a. JS. Spacehero, October 2005 My. Space XSS (cross-site scripting) worm Used My. Space vulnerabilities (e. g. Java. Script code injection via CSS) Spread onto the pages of > 1 mln users in 20 hours, arguably the fastest spreading malware The author, Samy Kamkar, got 3 years on probation, 90 days of community services and unknown amout of fines

Monkey business, Sony-style October 2005 Sony BMG released 102 titles of CD-s equipped with XCP and Media. Max - two “copy protection” systems which were actually rootkits, interfering with the system and opening new security holes in Windows machines First, a “removal tool” was issued which actually made thing worse (brushed under the carpet). The second one was no better Finally recalled all the CD-s in question

Storm January 2007 A worm used to build one of the largest botnets to date Initially spread 'the old way' via mail attachments The botnet at the largest contained about 1 -50 mln computers (different estimates), the current estimated size is 5 000 - 40 000. Another estimate is it forming 8% of all malware Possible traces to RBN and cyber-attacks

Conficker A. k. a. Downadup or Kido - the latest hit from October 2008 Exploits Windows server vulnerabilities (all versions from 2000 upwards) January 9 estimate: ~ 9 mln Windows Pcs Hit the UK Ministry of Defense, a number of Royal Navy warships, about 800 computers in Sheffield hospitals. . .

Two notables January 2001 – Ramen, a single brief appearance of a Linux worm. Was limited to Red Hat 6. 2 and 7. 0, used their security holes. In principle was similar to the Morris worm August 2003 – Weichia, a helpful worm Attempted to update Windows, removed Blaster and was supposed to kill itself in 120 days Also, two cases are known for Mac. OS X Leap/Oompa in February 2006 and the currently active i. Services. A trojan horse (~20 000 infected Macs)

Stages in malware motivation Hacker'y exploration (“What's in there? ”) Clueless experimentation (“What happens if”) Expression of frustration (“I'll show you all!”) Expression of politics (“Free X or suffer!”) Malware as a weapon Malware as a business model

Still – why Windows? A number of factors, including largest market share (but not the dominating factor as Microsoft wants to believe) the chronic security problems in Microsoft products the most clueless user base by far the security industry which has created its shadow counterpart in malware industry The only way to get rid of it is to destroy the roots – has been unsuccessful to date

Conclusion Malware has greatly evolved over time The diversity is great The resilience lies in economic incentives One of the easiest solutions against it is to change the platform – Microsoft needs to 100% redesign its systems to decrease threat

That's it!