History and Motivation - dataanalysis.vsb.cz/data/Vyuka/PVBPS/01 History and motivation.pdf

Date post: 28-Sep-2020
NAVY Research Group
Department of Computer Science
Faculty of Electrical Engineering and Computer Science, VŠB-TUO
17. listopadu 15
708 33 Ostrava-Poruba
Czech Republic

Computer Viruses and Security of Computer Systems

History and Motivation

Ivan Zelinka

MBCS CIPT, www.bcs.org/
http://www.springer.com/series/10624

Department of Computer Science
Faculty of Electrical Engineering and Computer Science, VŠB-TUO
17. listopadu 15, 708 33 Ostrava-Poruba
Czech Republic

www.ivanzelinka.eu

navy.cs.vsb.cz

Topics

• Motivation by examples

• History and timeline of malware

• Consequences

Objectives

The objectives of the lesson are:

• Discuss motivation by examples, in important details and mutual relations.

• Give a detailed overview of malware history.

• Discuss important consequences and future development and research in the malware field.

Motivation

Crash of the Spanair MD-82, Madrid, 2008

• 2008 air crash of a Spanair MD-82 during takeoff in Madrid

• 154 dead

• The worst tragedy in Spain in the last 25 years

• Central computer system attacked by a Trojan

Damages

• Three viruses spread massively in the last two weeks, infecting millions of computers and, according to data from MessageLabs, sending more than a hundred million infected e-mails over the Internet.

• Because the infections are not over yet, no analytical agency has disclosed an estimate of total damages. According to TrueSecure, a company specializing in tracking attacks, the Blaster / Lovsan virus alone has so far caused about two billion dollars in damage.

• Victims of the Internet worm attacks included, for example, the Canadian airline Air Canada, the American transportation company CSX, the central bank in Atlanta, and the headquarters of the Swedish telecoms giant TeliaSonera.

• Sobig.F invaded the editorial computer system of the NY Times (http://virus.wikidot.com/).

• Viruses thus cause damage totaling billions of USD.

A Little Statistics

• A rootkit is a set of computer programs and technologies that can be used to mask the presence of malicious software on your computer (such as viruses, Trojans, spyware, etc.).

Espionage – Stuxnet

• Virus Stars

• Stuxnet – a cybernetic agent. Stuxnet could have disabled several of the centrifuges needed to produce nuclear fuel at the Natanz nuclear complex, and it damaged computers at the Bushehr nuclear reactor. According to the Iranians, however, scientists neutralized the virus before it could inflict more damage. According to the US newspaper The New York Times, the virus was developed by American and Israeli experts and tested for two years at the Israeli Dimona nuclear facility. Eight months after the incident, Jalal admitted that Stuxnet still poses some danger.

Espionage - A new computer virus as a tool of international espionage

• A Russian company specializing in computer security issued a statement on May 28 announcing that it had discovered a new virus focused on international espionage.

• The virus, known as "Flame", is able to collect data, turn on microphones connected to a computer to record any conversations, take screenshots, and save the contents of instant messenger client conversations.

• Vitaly Kamluk is the main malware expert at Kaspersky Lab, which caught the Flame virus. According to Kamluk, the size and complexity of the virus suggest that it may have been created for a government. The virus was apparently designed by the same people who are behind the Stuxnet worm.

• There is speculation that Stuxnet, which in 2010 attacked computers associated with Iran's nuclear program, was developed in Israel and the United States. "We think that this is a relatively rare example of a virtual weapon, which shows that covert cyber war operations are currently ongoing. One of the definitions of cyber warfare is its complete secrecy; it is actually a key characteristic. If an attack is disclosed, it means that it was not successful," says Vitaly Kamluk.

Cybernetic war

• Military computer networks that the Chinese government is building for use in a cyber war pose a serious threat to US military operations in the event of a conflict, according to a March report prepared by the arms firm Northrop Grumman for the US Congress.

• The study, addressed to the committee on economic and security issues between the US and China, paints an alarming picture of the rapid development of the cyber capabilities of the Chinese People's Army in recent years. Based on a large body of work, the analysts assert that the Chinese regime is trying to integrate sophisticated computer networks into the broader military and intelligence context.

• It is feared that this modern capability could be used for cyber warfare against the United States, to disable or damage its military equipment. According to the report, the danger is that the American side would learn of an attack only when it happened, not before.

• As the report highlights, the military computing capabilities of the Asian country are being developed with the help of foreign companies; besides military cyber warfare, the Chinese side also focuses on acquiring valuable intellectual property from American companies.

• Bloomberg wrote last December that Chinese hackers attacked 760 companies, while the Wall Street Journal estimates that US companies lost $50 billion due to theft of intellectual property (including through cyber-attacks).

• Stuxnet malware is heralding a new era of cyber war. At a Council on Foreign Relations event held on October 1, Lynn said there will be five pillars of cyber-strategy, the first of which is to understand "cyberspace for what it is: a new war zone. Like land, sea, air and space, we have to treat cyberspace as an area in which we operate, which we will protect, and which we will deal with in terms of military doctrine."

• The remaining pillars are devoted to active cyber defense; protecting power grids, transportation networks and financial networks; cooperation with allies using the "concept of the Cold War" in terms of sharing intelligence and technology; and managing resources to provide the United States with the necessary technical means to defend against attacks of any origin.

• "In the future, any war in the sky, land or sea will also take place in cyberspace," said Roel Schouwenberg, senior malware researcher at the anti-virus company Kaspersky Lab, in e-mail correspondence.

Cyber Weapons

• "I do not think they realize how vital and vulnerable our systems are. Our transportation relies on it, as well as our logistics and supply," Jonkman says. "Three or four major databases - and you can stop all deliveries of food in the US."

• According to Jonkman, any effective computing strategy will need to be thorough. To fully protect computer systems, hardware will therefore also need to be subject to some form of supervision. He noted that China has been found in the past to be adding viruses to firmware - the basic software of the device itself.

• "So if you buy hardware from there, anything that comes to the US may easily change the backdoor, because they [Chinese companies] are under government control. If we really want to protect our nation, we must also build our own hardware," says Jonkman.

• As Jonkman says, "cyber war is not just hackers in one room attacking the hackers in another room. It is an attack on the infrastructure, and the enormous amount of infrastructure can affect the tiny little things - such as the electric distribution grid, or carting food; or putting a virus into the central computer of the water supply system in New York, which can open and close valves or add or remove chemicals."

What to do?

• In the world of computers there are good hackers, who keep our systems secure, and bad hackers, who try to break into systems and destroy data or steal information. IBM employs so-called White Hat hackers, who take care of the security of computer systems and software.

• "We must ensure that the system is safe. One way to do this is to perform ethical penetration. In doing this, people are actually trying to hack into the system and overcome and circumvent various protective mechanisms that the system has," says Adi Sharabani of Security Architecture & Strategy at IBM.

• Sharabani says that hackers use a variety of methods, from automated tools to manual methodology: "Imagine that the system is a building. I'll examine the doors, windows, roof, every place where I could get inside. And then analyze all the limitations that each of these entry points has. Well, then I'll try to figure out how to overcome these limitations."

History

Late 1960s - early 1970s

• Programs called "rabbits" periodically appeared on the mainframes of that period.

– These programs cloned themselves and occupied system resources, thus lowering the productivity of the system. Most probably "rabbits" did not copy themselves from system to system and were strictly local phenomena - mistakes or pranks by system programmers servicing these computers.

• The first incident which may well be called an epidemic of "a computer virus" happened on the Univac 1108 system. The virus, called "Pervading Animal", appended itself to the end of executable files - virtually the same thing that thousands of modern viruses do.

• First half of the 1970s: the "Creeper" virus, created under the Tenex operating system, used global computer networks to spread itself. The virus was capable of entering a network by itself by modem and transferring a copy of itself to a remote system. The "Reaper" anti-virus program was created to fight this virus; it was the first known anti-virus program.

• Early 1980s: As a result there appears a huge number of miscellaneous "Trojan horses", programs that do some kind of harm to the system when started.

History

1981

• The "Elk Cloner" boot virus epidemic started on Apple II computers. The virus attached itself to the boot sector of diskettes that were accessed. It showed itself in many ways - it flipped the display, made text displays blink, and showed various messages.

• 1986: the pandemic of the first IBM PC virus, "Brain", began. This virus, which infected 360 KB diskettes, spread over the world almost instantly. The secret of such "success" lay probably in the total unpreparedness of the computer community for such a phenomenon as a computer virus. "Brain" was also the first stealth virus - if there was an attempt to read the infected sector, the virus substituted the clean original for it.

• Also in 1986 a programmer named Ralph Burger found out that a program can create copies of itself by adding its code to DOS executables. His first virus, called "VirDem", was a demonstration of this capability. The virus was announced in December 1986 at an underground computer forum consisting of hackers who at that time specialized in cracking VAX/VMS systems (Chaos Computer Club in Hamburg).

History

1986

• The "Brain" boot virus

• Brain is the industry standard name for a computer virus that was released in its first form in January 1986, and is considered to be the first computer virus for MS-DOS.

• It infects the boot sector of storage media formatted with the DOS File Allocation Table (FAT) file system.

• Brain was written by two brothers, Basit Farooq Alvi and Amjad Farooq Alvi, from Lahore, Punjab, Pakistan.

History

1987

• "Vienna" virus appears.

• Some more IBM PC viruses are being written independently in the same year. They are:

– "Lehigh", infecting the COMMAND.COM file only;

– "Suriv-1" a.k.a. "April1st", infecting COM files;

– "Suriv-2", infecting (for the first time ever) EXE files; and

– "Suriv-3", infecting both COM and EXE files.

• Several boot viruses also appear ("Yale" in the USA, "Stoned" in New Zealand, "PingPong" in Italy), as does the first self-encrypting file virus, "Cascade".

• Non-IBM computers are also not forgotten: several viruses for Apple Macintosh, Commodore Amiga and Atari ST have been detected.

• In December 1987 there was the first full-scale epidemic of a network virus, called "Christmas Tree", written in the REXX language and spreading under the VM/CMS operating environment.

• On the ninth of December this virus was introduced into the Bitnet network at one of the West German universities; then via a gateway it got into the European Academic Research Network (EARN) and then into the IBM Vnet.

• In four days the virus paralyzed the network, which was overflowing with copies of it.

• On start-up the virus displayed an image of a Christmas tree and then sent copies of itself to all the network users whose addresses were in the corresponding system files NAMES and NETLOG.

History

1988

• On Friday the 13th, 1988, several companies and universities in many countries of the world "got acquainted" with the "Jerusalem" virus.

• On that day the virus destroyed any file that a user attempted to run.

• This is probably one of the first MS-DOS viruses to cause a real pandemic; there was news about infected computers from Europe, America and the Middle East. Incidentally, the virus got its name from one of the places it struck - the Jerusalem University.

• "Jerusalem", together with several other viruses ("Cascade", "Stoned", "Vienna"), infected thousands of computers while remaining unnoticed - anti-virus programs were not as common then as they are now, and many users and even professionals did not believe in the existence of computer viruses.

• It is notable that in the same year the legendary computer guru Peter Norton announced that computer viruses did not exist. He declared them to be a myth of the same kind as alligators in New York sewers. Nevertheless this delusion did not prevent Symantec from starting its own anti-virus project Norton Anti-virus after some time.

• November 1988: a full-scale epidemic of the Morris network virus (a.k.a. the Internet Worm).

• This virus infected more than 6,000 computer systems in the US (including the NASA research institute) and practically paralyzed their work.

• Because of errors in its code, the virus sent unlimited copies of itself to other network computers, like the "Christmas Tree" worm virus, and for that reason completely paralyzed all the network resources.

• Total losses caused by the Morris virus were estimated at 96 million USD. This virus used errors in the Unix operating systems for VAX and Sun Microsystems to propagate. Besides the errors in Unix, the virus utilized several more original ideas, for example picking up user passwords.

• December 1988: the season of worm viruses continues, this time in DECNet. A worm virus called HI.COM output an image of a spruce and informed users that they should "stop computing and have a good time at home!!!"

• New anti-virus programs also appeared, for example Dr. Solomon's Anti-virus Toolkit, one of the most powerful anti-virus programs at present.

History

1989

• New viruses "Datacrime" and "FuManchu" appear, as do whole families like "Vacsina" and "Yankee". The first one acted extremely dangerously - from October 13th to December 31st it formatted hard disks. This virus "broke free" and caused total hysteria in the mass media in Holland and Great Britain.

• September 1989: one more anti-virus program begins shipping - IBM Anti-virus.

• October 1989: one more epidemic in DECNet, this time caused by a worm virus called "WANK Worm".

• December 1989: an incident with a "Trojan horse" called "AIDS".

• 20,000 copies were shipped on diskettes marked as "AIDS Information Diskette Version 2.0".

• After 90 boot-ups the "Trojan" program encrypted all the filenames on the disk, making them invisible (setting a "hidden" attribute), and left only one file readable - a bill for $189 payable to the address P.O. Box 7, Panama.

• The author of this program was apprehended and sent to jail.

• Also in 1989 a full-scale epidemic of computer viruses began in Russia, caused by the same "Cascade", "Jerusalem" and "Vienna", which besieged the computers of Russian users.

• Luckily, Russian programmers discovered the principles of their operation pretty quickly, and virtually immediately several domestic anti-viruses appeared; AVP (named "-V" at that time) was one of them.

History

1990

• This year brought several notable events. The first one was the appearance of the first polymorphic viruses, "Chameleon" (a.k.a. "V2P1", "V2P2", and "V2P6"). Until then, anti-virus programs used "masks" - fragments of virus code - to look for viruses. After the appearance of "Chameleon", anti-virus program developers had to look for different methods of virus detection.

• The second event was the appearance of the Bulgarian "virus production factory": enormous numbers of new viruses were created in Bulgaria. These were entire families of viruses: "Murphy", "Nomenclatura", "Beast" (or "512", "Number-of-Beast"), the modifications of the "Eddie" virus, etc.

• In July 1990 there was an incident with "PC Today" computer magazine (Great Britain). It contained a floppy disk infected with "DiskKiller" virus. More than 50,000 copies were sold.

• In the second half of 1990 two stealth monsters appeared - "Frodo" and "Whale". Both viruses utilized extremely complicated stealth algorithms; on top of that, the 9 KB "Whale" used several levels of encryption and anti-debugging techniques.

History

1991

• Computer virus population grows continuously, reaching several hundreds now.

• Anti-viruses also show increasing activity: two software monsters at once (Symantec and Central Point) issue their own anti-virus programs - Norton Anti-virus and Central Point Anti-virus. They are followed by lesser-known anti-viruses from Xtree and Fifth Generation.

• In April a full-scale epidemic broke out, caused by a file and boot polymorphic virus called "Tequila", and in September the same kind of story happened with the "Amoeba" virus.

• Summer of 1991: "Dir_II" epidemic. It was a link virus using fundamentally new methods of infecting files.

History

1992

• Non-IBM PC and non-MS-DOS viruses are virtually forgotten: "holes" in global access network are closed, errors corrected, and network worm viruses lost the ability to spread themselves.

• File-, boot- and file-boot viruses for the most widely spread operating system (MS-DOS) on the most popular computer model (IBM PC) are becoming more and more important.

• The number of viruses increases in geometric progression; various virus incidents happen almost every day.

• Miscellaneous anti-virus programs are being developed, and dozens of books and several periodic magazines on anti-viruses are being printed. A few things stand out:

• Early 1992: the first polymorphic generator, MtE, serving as a base for several polymorphic viruses which follow almost immediately. MtE was also the prototype for a few forthcoming polymorphic generators.

• March 1992: the "Michelangelo" virus epidemic (a.k.a. "March6") and the hysteria that followed took place. This is probably the first known case in which anti-virus companies made a fuss about a virus not to protect users from any kind of danger, but to attract attention to their product, that is, to create profits. One American anti-virus company actually announced that on the 6th of March the information on over five million computers would be destroyed. As a result of the fuss, the profits of various anti-virus companies jumped several times; in reality only about 10,000 computers suffered from that virus.

• July 1992: the first virus construction sets, VCL and PS-MPC, were made. They made the large flow of new viruses even larger. They also stimulated virus makers to create other, more powerful construction sets, as MtE had done in its area.

• Late 1992: The first Windows virus appears, infecting this OS's executables, and starts a new page in virus making.

History

1993

• Virus makers are starting to do some serious damage: besides hundreds of mundane viruses which are no different than their counterparts, besides the whole polymorphic generators and construction sets, besides new electronic editions of virus makers there appear more and more viruses, using highly unusual ways of infecting files, introducing themselves into the system etc. The main examples are:

• "PMBS", working in Intel 80386 protected mode.

• "Strange" (or "Hmm") - a "masterpiece" of stealth technology, implemented, however, at the level of hardware interrupts INT 0Dh and INT 76h.

• "Shadowgard" and "Carbunkle", which widened the range of algorithms of companion viruses.

• "Emmie", "Metallica", "Bomber", "Uruguay" and "Cruncher" - the use of fundamentally new techniques of "hiding" of its own code inside the infected files.

• In spring of 1993 Microsoft made its own anti-virus MSAV, based on CPAV by Central Point.

History

1994

• The problem of CD viruses is getting more important. Having quickly gained popularity, CDs became one of the main means of spreading viruses. There are several simultaneous cases in which a virus got onto the master disk while a batch of CDs was being prepared. As a result, a fairly large number (tens of thousands) of infected CDs hit the market. Of course they cannot be cured; they just have to be destroyed.

• Early that year two extremely complicated polymorphic viruses, "SMEG.Pathogen" and "SMEG.Queeg", appeared in Great Britain. Their author placed infected files on a BBS, causing real panic and fear of epidemics in the mass media.

• Another wave of panic was created by a message about a supposed virus called "GoodTimes", spreading via the Internet and infecting a computer when receiving e-mail. No such virus really existed, but after some time an ordinary DOS virus appeared containing the text string "Good Times". It was called "GT-Spoof".

• Law enforcement increases its activities: in the summer of 1994 the author of SMEG was "sorted out" and arrested.

• Some new, rather unusual viruses appear:

• January 1994: "Shifter" - the first virus infecting object modules (OBJ files). "Phantom1" - the cause of the first epidemic of a polymorphic virus in Moscow.

• April 1994: "SrcVir" -- the virus family infecting program source code (C and Pascal).

• June 1994: "OneHalf" - one of the most popular viruses in Russia so far - starts a full-scale epidemic.

• September 1994: "3APA3A" - a boot-file virus epidemic. This virus uses a highly unusual way of incorporating itself into MS-DOS. No anti-virus was ready to meet such a monster.

• In spring 1994 one of the anti-virus leaders of that time - Central Point - ceased to exist, acquired by Symantec, which by that time had managed to "swallow" several minor companies working on anti-viruses - Peter Norton Computing, Cetus International and Fifth Generation Systems.


1995

• Nothing in particular happens among DOS viruses, although several rather complicated monster viruses appear, such as "NightFall", "Nostradamus" and "Nutcracker", along with some funny viruses like the "bisexual" virus "RMNS" and the BAT virus "Winstart". The "ByWay" and "DieHard2" viruses become widespread, with news about infected computers coming from all over the world.

• February 1995: an incident with Microsoft: Windows95 demo disks are infected by "Form". Copies of these disks were sent to beta testers by Microsoft; one of the testers was not that lazy and tested the disks for viruses.

• Spring 1995: two anti-virus companies, ESaSS (ThunderBYTE anti-virus) and Norman Data Defense (Norman Virus Control), announce their alliance. These companies, each making a rather powerful anti-virus, joined efforts and started working on a joint anti-virus system.

• August 1995: one of the turning points in the history of viruses and anti-viruses: the first "alive" virus for Microsoft Word ("Concept") actually appears.


1996

• January 1996: two notable events - the appearance of the first Windows95 virus ("Win95.Boza") and the epidemic of the extremely complicated polymorphic virus "Zhengxi" in St. Petersburg (Russia).

• March 1996: the first Windows 3.x virus epidemic. The name of the virus is "Win.Tentacle". This virus infected a computer network in a hospital and in several other institutions in France. This event is especially interesting because this was the FIRST Windows virus on a spree. Before that time all Windows viruses had been living only in collections and in the electronic magazines of virus makers; only boot viruses, DOS viruses and macro viruses were known to roam free.

• June 1996: "OS2.AEP" - the first virus for OS/2 that correctly infects EXE files of this operating system. Earlier, the only viruses that existed under OS/2 wrote themselves in place of a file, destroying it, or acted as companions.

• July 1996: "Laroux" - the first virus for Microsoft Excel caught live. The idea of "Laroux", like that of Microsoft Word viruses, was based on the presence of so-called macros (or Basic programs) in the files.


• December 1996: "Win95.Punch" - the first "memory resident" virus for Windows95. It stays in Windows memory as a VxD driver, hooks file access and infects Windows EXE files that are opened.

• In general, the year 1996 is the start of widespread virus intrusion into the Windows32 operating systems (Windows95 and WindowsNT) and into the Microsoft Office applications.

• During this and the next year several dozen Windows viruses and several hundred macro viruses appeared.

• Many of them used new technologies and methods of infection, including stealth and polymorphic abilities. That was the next round of virus evolution.

• Over two years they repeated the same path of improvement as DOS viruses. Step by step they started to use the same features that DOS viruses had used 10 years before, but on the next technological level.


1997

• February 1997: "Linux.Bliss" - the first virus for Linux (a Unix clone). In this way viruses occupied one more "biological" niche.

• February-April 1997: macro viruses migrated to Office97. The first of them turned out to be merely macro viruses for Microsoft Word 6/7 "converted" to the new format, but almost immediately viruses aimed exclusively at Office97 documents appeared as well.

• March 1997: "ShareFun" - a macro virus hitting Microsoft Word 6/7. It uses not only standard features of Microsoft Word to propagate but also sends copies of itself via MS-Mail.

• April 1997: "Homer" - the first network worm virus, using File Transfer Protocol (FTP) for propagation.

• June 1997: The first self-encrypting virus for Windows95 appears. This virus of Russian origin was sent to several BBSs in Moscow, which caused an epidemic.


• November 1997: The "Esperanto" virus. This is the first virus that is intended not only to infect DOS and Windows32 executable files but also to spread to Mac OS (Macintosh). Fortunately, the virus is not able to spread across platforms because of bugs.

• December 1997: a new virus type, the so-called "mIRC Worms", came into being. The most popular Windows Internet Relay Chat (IRC) utility, known as mIRC, proved to have a "hole" allowing virus scripts to transmit themselves along IRC channels. The next IRC version blocked the hole and the mIRC Worms vanished.


1998

• The virus attack on MS Windows, MS Office and network applications does not weaken. New viruses arose that employed still more complex tricks while infecting computers and advanced methods of network-to-computer penetration. In addition, numerous so-called Trojans, stealing Internet access passwords, and several kinds of latent administration utilities came into the computer world. Several incidents with infected CDs were revealed: some computer media publishers distributed CIH and Marburg (the Windows viruses) through CDs attached to the covers of their issues, with infected.

• Beginning of the year: an epidemic of the "Win32.HLLP.DeTroie" virus family, which not only infects Windows32 executable files but is also capable of transmitting information about the infected computer to its "owner", shocked the computer world. As the viruses used specific libraries attached only to the French version of Windows, the epidemic affected only French-speaking countries.


• February 1998: One more virus type infecting Excel tables, "Excel4.Paix" (aka "Formula.Paix"), was detected. When rooting itself in Excel tables, this type of macro virus does not use the macro area usual for this kind of virus but formulas, which proved capable of accommodating self-reproducing code.

• February - March 1998: "Win95.HPS" and "Win95.Marburg" - the first polymorphic Windows32 viruses were detected, and furthermore they were "in-the-wild". Anti-virus developers had no choice but to rush to adapt their polymorphic virus detection techniques, designed so far only for DOS viruses, to the new conditions.

• March 1998: "AccessiV" - the first Microsoft Access virus was born.

• March 1998: The "Cross" macro virus, the first virus infecting two different MS Office applications, Access and Word, is detected. Thereafter several more viruses that transfer their code from one MS Office application to another emerged.


• May 1998 - The "RedTeam" virus infects Windows EXE files and dispatches the infected files through Eudora e-mail.

• June 1998 - The beginning of the "Win95.CIH" virus epidemic was registered in Taiwan, where some unknown hacker mailed the infected files to local Internet conferences. From there the virus made its way to the USA, where through staff oversight it infected several popular Web servers at once, which started to distribute infected game programs. According to the "popularity" ratings, the virus pushed "Word.CAP" and "Excel.Laroux" into second place. One should also pay attention to the virus's dangerous manifestation: depending on the current date, the virus erased the Flash BIOS, which under some conditions could kill the motherboard.

• August 1998: Birth of the sensational "BackOrifice" ("Backdoor.BO"), a utility for latent (hacker's) management of remote computers and networks. After "BackOrifice", other similar programs, "NetBus", "Phase" and others, came into being.


• Also in August the first virus infecting Java executable files, "Java.StrangeBrew", was born. The virus posed no danger to Internet users, as there was no way to use the functions critical for the virus's replication on any remote computer. However, it revealed that even the Web servers browsers could be attacked by viruses.

• November 1998: "VBScript.Rabbit" - the Internet expansion of computer parasites continued with three viruses infecting VisualBasic scripts (VBS files), which are actively used in Web page development. As the logical consequence of the VBScript viruses, the full-fledged HTML virus ("HTML.Internal") was born.

• Virus writers obviously turned their efforts to network applications and to the creation of a full-fledged network worm-virus that could use MS Windows and Office options, infect remote computers and Web servers, and/or aggressively replicate itself through e-mail.


The most dangerous viruses


• The beginnings of viruses date back to the 70s, when the first virus, called Creeper, appeared in the ancient ARPA. Much has changed since then, and viruses and botnets are now emerging in the "wilderness" (the internet) that generate millions and are able to cut an entire country off from the Internet with ease.

• Brain, 1986. The Brain virus started it all. Discovered in 1986, Brain was the first virus created for the PC. This virus is not in itself destructive; the only thing it did was copy itself to the boot sector of the disk. Its presence on the disk can be ascertained from the following text:

Welcome to the Dungeon (c) 1986 * Basi Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 Nizam BLOCK Lahore Allam Iqbal TOWN-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS .... Contact us for vaccination ...


• Melissa, 1999. The Melissa worm appeared on the Internet in 1999. It sent itself on, and its content was a .doc letter, which allegedly contained the passwords to 80 pornographic websites. Although the worm had no directly destructive tendencies, its widespread dissemination killed many hundreds of mail servers around the world that could not handle the load. Its author was sentenced to 20 months in federal prison and a fine of 5,000 USD.

• ILOVEYOU, 2000. One of the first notorious worms. It is a worm that spreads by e-mail. After infecting a computer, it automatically sends itself to all contacts in the mail client and then destroys all the music and movies on the infected computer. For example, even the Pentagon had to shut down its servers to be able to get rid of this virus. The total damage caused by this worm is estimated at $5.5 billion. The ILOVEYOU worm was created by a young student who did not finish his studies because his final work was judged to be in violation of the law.


• Code Red, 2001. Code Red was one of the first viruses that attacked servers instead of client computers. As soon as it had infected a sufficient number of computers, it began a DDoS attack on well-known sites such as the White House website. At that time, most users' computers had a slow (dial-up) connection to the Internet, and therefore it was more advantageous to attack servers. Nowadays, on the contrary, it is more advantageous for attackers to target thousands of user computers, whose performance and resulting line capacity greatly outperform servers worldwide.

• Nimda, 2001. Nimda functioned much like Code Red, except that it directly attacked servers as well as user desktops. It used several methods of spreading. It was written so effectively that it took only 22 minutes from its first appearance for it to become the most common virus on the Internet.


• Klez, 2001. The e-mail virus Klez was the first to use a false sender. It randomly chose one contact in the victim's contact list and sent copies to the others under this name. That made it impossible for users to determine whether it was spam or not. It was the first example of excellent use of social engineering.

• Slammer, 2003. The Slammer virus needed just 10 minutes to infect up to 75,000 computers. With this fantastic spread, it managed to significantly slow down lines worldwide and the entire internet, and also to shut down tens of thousands of servers.


• MyDoom, 2004. You probably know this worm very well. It was the first malware that, thanks to excellent use of social engineering, spread to a dizzying number of computers.

– After successfully infecting a victim's computer, it immediately started spamming all contacts saved in the e-mail client and launched a massive DDoS attack on the servers of The SCO Group, Inc., which became famous for its actions against Unix distributions that allegedly contained parts of its source code.

– At the time when MyDoom began to spread, avoiding infection was very difficult because Outlook then opened e-mails automatically, so that on receipt of a malicious e-mail the victim was immediately infected.

– Many ISPs solved the problem with this worm by disconnecting clients from the Internet.


• PoisonIvy, 2005. PoisonIvy is a computer security nightmare; it allows the attacker to secretly control the infected user’s computer. Malware like PoisonIvy is known as a “remote access trojan,” because it provides full control to the perpetrator through a backdoor. Once the virus is installed, the perpetrator can activate the controls of the targeted computer to record or manipulate its content or even use the computer’s speaker and webcam to record audio and video. Once thought of as a tool for amateur hackers, PoisonIvy has been used in sophisticated attacks against dozens of Western firms, including those involved in defense and chemical industries, according to a white paper written by Symantec, the computer security firm. The attacks were traced back to China.


• Storm, 2007. Storm is a popular malware.

– It spreads via virtually anything, from e-mails to a hacked site.

– After successfully infecting a computer, it plugs it into a network called a botnet.

– The Storm botnet, according to expert estimates, boasted more than 50 million infected computers during its heyday.

– Storm can be considered a pioneer and founder of a new era, called Cybercrime 2.0.

• MayDay, 2008, Malware, which is due to complete its communications and encryption source code shrouded in mystery. Supposedly comes from the creators cent. Unidentifiable destructive Cybercrime 3.0.


• Zeus, 2007. There is no shortage of malware kits that target personal information, but Zeus has become the go-to tool for many of today’s cyber criminals and is readily available for sale in the cyber crime underworld. It can be used to pilfer passwords as well as files, helping to create a literal underground economy for compromised identities that can be bought and sold for as little as 50 cents. In the age of Internet banking and online shopping, a compromised identity is much more than just a name and social security number: it’s your address, date of birth, mother’s maiden name, and even your secret security questions (your first pet, your favorite teacher, or your best friend from grade school).


• Michelangelo, 1991, Michelangelo is the worst virus, which was written for MS-DOS. Like Brain spread by copying itself to the boot sector of the disk. Quietly spread the moon and then on March 6 rewrote the first sectors of disk to zeros. Although valuable data on the disk remained, but for most ordinary users have been lost forever (remember that at that time there were tools, knowledge, and even online discussions, due to which it might be able to obtain the necessary information on how to reverse this deplorable state).


• Agent.btz, 2008, This piece of malware’s claim to fame is that it temporarily forced the Pentagon to issue a blanket ban on thumb drives and even contributed to the creation of an entirely new military department, U.S. Cyber Command.

– Agent.btz spreads through infected thumb drives, installing malware that steals data.

– When agent.btz was found on Pentagon computers in 2008, officials suspected the work of foreign spies.

– Former Deputy Secretary of Defense William Lynn later wrote that agent.btz created “a digital beachhead, from which data could be transferred to servers under foreign control.”

– Though some anti-virus experts have disputed the contention that the virus was the creation of a foreign intelligence agency, its effect was to make cyber war a formal part of U.S. military strategy.


• Conficker Virus, 2009, In 2009, a new computer worm crawled its way into millions of Windows-based PCs around the world, creating a massive botnet army of remotely controlled computers capable of stealing financial data and other information.

– Its complexity made it difficult to stop, and the virus prompted the creation of a coalition of experts dedicated to stopping its spread.

– At its height, the Conficker worm infected millions of computers, leading anti-virus researchers to call it the “super bug,” or “super worm”.

– But the real mystery of Conficker, which still infects a large number of computers, is that no one knows what it was meant to do: the botnet army was never used for any specific purpose, to the best of anyone’s knowledge.

– Conficker’s real purpose still confounds security experts.


• Stuxnet, 2009-2010. Stuxnet is a computer worm discovered in June 2010 by the Belarusian company VirusBlokAda.

– It is interesting that this is the first known worm that focuses on industrial control systems.

– It was programmed to attack SCADA systems. It can reprogram programmable logic controllers and hide its changes.

– Specifically, Stuxnet was designed to damage machinery at Iran’s uranium enrichment facility in Natanz.

– Based on the available information, including data from the International Atomic Energy Agency, experts believe Stuxnet caused a large number of Iran’s centrifuges—essentially giant washing machines used to enrich uranium—to spin out of control and self-destruct.

– Though Stuxnet was discovered in 2010, it is believed to have first infected computers in Iran in 2009.

Figure (Stuxnet, 2009-2010): An error is seen on a computer screen of Bushehr nuclear power plant's map in the Bushehr Port on the Persian Gulf, 1,000 km south of Tehran, Iran, on February 25, 2009.


• Gauss, a new "cyber-espionage toolkit", has emerged in the Middle East and is capable of stealing sensitive data such as browser passwords, online banking accounts, cookies and system configurations, according to Kaspersky Lab. Gauss appears to have come from the same nation-state factories that produced Stuxnet.

• According to Kaspersky, Gauss has unique characteristics relative to other malware. Kaspersky said it found Gauss following the discovery of Flame. The International Telecommunications Union has started an effort to identify emerging cyber threats and mitigate them before they spread.

• In a nutshell, Gauss launched around September 2011 and was discovered in June. Gauss, which resembles Flame, had its command and control infrastructure shut down in July, but the malware is dormant waiting for servers to become active.


Conclusion

• History of malware

• Malware impact, danger and importance

• Malware history

• Future directions


Questions

• Explain why malware is dangerous and give examples not mentioned in this presentation

• What are cybernetic war and a cybernetic weapon?

• Pillars of war zone - explain position and role of malware

• Describe malware history and the most well known malware samples

• The most dangerous viruses


THANK YOU FOR YOUR ATTENTION


www.ivanzelinka.eu


Copyright

This didactic material is meant for the personal use of the student only, and is copyrighted. Its reproduction, even for a partial utilization, is strictly forbidden in compliance with and in force of the law on Authors rights.

Copyright©NAVY.CS.VSB.CZ

