Computer Virus:“A program that can infect other programs by modifying them to include a version of itself” -- Dr Fred Cohen

Compare to an office clerk making two copies of a piece of paper.

30 seconds to copy

30 seconds to pass on

In one hour= 1 x 1018 copies

Computer Virus

• Small piece of software that piggybacks on real programs

• Passes from computer to computer by producing copies of itself

• Have been around since 1986• When it is running in the memory

it looks for programs to add itself to

Executable and boot sector viruses decline

• Infect boot sector• Not as easy now as most program

comes on a CD• Programs larger• Operating systems better

Who Creates Viruses?• Students and school children who have

recently studied an assembly language• Young people who feel the need to feel

superior• Professional programmers: maybe

inferiority complex or unstable• Explorers-quick witted programmers

who wish to “explore”

© 2004 By Defaulthttp://www.powerpointbackgrounds.com

Brain Virus

rau ins Vi Bi

The Brain Virus

• First PC virus• Written in Pakistan• Infected the boot sector of 360K

floppy disks• “Stealth” virus• Try to get into RAM, stick to files

and sectors, erases files and disks

Other viruses

• 1987 Lehigh virus: “Memory resident file infector”

• 1988 Jerusalem Virus: also memory resident and reinfected already infected files

• 1988: first anti-virus virus was written• 1988 Cascade virus, first encrypted

virus

And more viruses

• Polymorphism - encrypted viruses where the decryption routine code is variable

• Armoring - used to prevent anti-virus researchers from dissembling a virus

• Multipartite - infects both programs and boot sectors.

Email Viruses

• Moves around in an email message• Replicates itself automatically

WormsWormsWorms

Worms• Program that has the ability to

copy itself from machine to machine.

• Small piece of software that uses computer networks and security holes to replicate itself

• Copies to another computers that has the same specific security hole

2001 Code Red Worm

• Slowed down the internet• The worm scanned for Windows NT

or Windows 2000 that didn’t have security patch installed.

• Copied itself to that server and scanned again

Code Red Designed to:

• Replicate itself the first 20 days of each month

• Replace Web pages on infected servers with the page “Hacked by Chinese”

• Overwhelm the White House Server

How does Code Red Work

• Unpatched systems had a “buffer overflow” which allowed embedded code to run.

• It created a sequence of random IP addresses to find other servers.

• Inspect the time clock and wait for appointed time and send 100 connections to www.whitehouse.gov

Morris: Internet Worm

• Infected more than 6000 computer systems, including NASA research

• Used errors inn operating systems to propagate.

• Total losses were 96 million dollars

© 2004 By Defaulthttp://www.powerpointbackgrounds.com

VV II RR UU SSHHOO RR SS EETT RR OO JJ AA NN

Trojan Horses

• A computer program• Claims to do one thing, but does

damage when you run it (could erase your hard drive)

• They do not replicate automatically

1989 Trojan Horse: AIDS

• 20000 copies of diskettes shipped marked “AIDS Information Diskette v2”

• After 90 boot-ups it encrypted all the filenames on your HD, making them invisible and left one file: Send $189 to…

Virus Hoaxes

• 1988 Mike RoChenle uploaded a message to BBS systems describing a virus that spread on 2400 baud connection. Many users switched to 1200 baud.

• Other hoaxes: Goodtimes, Aol4Free

1990 DiskKiller Virus

• PC Today (GB version) shipped diskette with magazine that was infected with DiskKiller

• Over 50000 copies were sold• Who is responsible here?

1992 Michelangelo Virus

• Anti-virus companies made a big deal of this virus, bringing it into the news

• One US anti-virus company announced on March6 data on over 5 million computers will be destroyed

• Reality: about 10000 computers infected

Other Key Dates

• 1992: First Windows Virus released• 1994: Virus gets on master disk of

CD when preparing a batch of CDs-can only destroy the CDs.

• 1994: “OneHalf” a popular Russian virus

Latest Viruses

• W32.Zafi.B.Iworm

• W32.Sasser.A.Worm

And so it continues

• 1995: Concept virus for Word• 1996: Windows95 virus• 1996: Excel/Word virus that was

based on Macros (Basic programs)• 1997: Office 97 Viruses• 1997: Homer, first network worm

virus using FTP

• 1998 “Red Team” virus infects Windows EXE-files and sends infected files through email.

• 2000: I love you virus, when opened, sent to everyone in your address book.

Protect Yourself against Viruses

• Run secure OS like UNIX or use virus protection software

• Never run macros unless you know their source.

• Never run executable attachments• Show extensions• Backup

Why do we have viruses?

• Psychology that drive vandals• The thrill of watching things blow-

up• Bragging rights• Started when PCs were common,

then had BBC, then floppy disk, then Internet.

© 2004 By Defaulthttp://www.powerpointbackgrounds.com

Attachments

Virus ProtectionScanning

Backup

Show Extensions

Worms

Latest Version

Integrity Checking

Interception

Source?

DownloadsEmailTrojan Horses

Scanning

• Scanning: looks for know viruses by characteristics similar to existing viruses or signature recognition

• Dangerous to depend on old SW• False alarms• Needs a clean boot

Integrity Checking

• Record information about your system to check against later

• Compares your system to the “base”information to detect changes

Interception

• Pop up warnings when a request is made to install itself as a resident program

• Useful for simple logic bombs and Trojan horses

Sources

• Slade, Robert. Earliest History of Viral Programs. http://www.cknow.com/vtutor/vtsladeearly.htm

• What is a computer virus? http://www.avp.ch/avpve/entry/entry2.htm

• The History of Computer Viruses-A Timeline. http://www.exn.ca/nerds/20000504-55.cfm

• Computer Knowledge Virus Tutorial. http://www.cknow.com/vtutor/index.htm