Chapter 10.

Virus Threats
including Network Viruses,
Worms

7/16/2019 1
 Viruses and Other Malicious
Content
• computer viruses have got a lot of publicity
• one of a family of malicious software
(also called as Malware)
• effects usually obvious
• have figured in news reports, fiction,
movies (often exaggerated)
• getting more attention than deserve
• are a concern though
7/16/2019 2
Taxanomy of Malicious Programs

Malicious
Programs

Need Host Independent

Program

Trapdoors Logic Trojan Viruses Bacteria Worms

Bombs Horses

7/16/2019 3
 Trapdoors
• secret entry point into a program
• allows those who know access bypassing
usual security procedures
• have been commonly used by developers
• a threat when left in production programs
allowing exploited by attackers
• very hard to block
• requires good s/w development & update
7/16/2019 4
 Logic Bomb
• one of oldest types of malicious software
• code embedded in legitimate program
• activated when specified conditions met
– eg presence/absence of some file
– particular date/time
– particular user
• when triggered typically damage system
– modify/delete files/disks
7/16/2019 5
 Trojan Horse
• program with hidden side-effects
• which is usually superficially attractive
– eg game, s/w upgrade etc
• when run performs some additional tasks
– allows attacker to indirectly gain access they
do not have directly
• often used to propagate a virus/worm or
install a backdoor
• or simply to destroy data
7/16/2019 6
Trojan Horses
A trojan horse is malicious code hidden in an
apparently useful host program
When the host program is executed, trojan does
something harmful or unwanted
• User must be tricked into executing the host program
• In 1995, a program distributed as PKZ300B.EXE looked
like a new version of PKZIP… When executed, it
formatted your hard drive.
Trojans do not replicate
• This is the main difference from worms and viruses

7/16/2019 slide 7
Backdoor
A backdoor in a computer system (or
cryptosystem or algorithm) is a method of
bypassing normal authentication or securing
remote access to a computer, while attempting
to remain hidden from casual inspection. The
backdoor may take the form of an installed
program (e.g., Back Orifice or the Sony/BMG
rootkit backdoor installed when any of millions
of Sony music CDs were played on a Windows
computer), or could be a modification to a
legitimate program.

7/16/2019 slide 8
The classic "Trusting Trust"
backdoor problem
 Ken Thompson’s 1983 Turing Award lecture
 "Trusting Trust" was the first major paper to describe black box backdoor issues, and points out
that trust is relative. It described a very clever classic backdoor mechanism based upon the fact
that people only review source (human written) code, and not compiled (machine) code. A
program called a compiler is used to create the second from the first, and that version will
usually be trusted to do an honest job.
 This paper therefore described how a modified version of the UNIX C compiler could be told
specifically to:
 Put an invisible backdoor in the Unix Login command when compiled, and as a twist
 Also add this feature undetectably to future compiler versions upon their compilation as well.
 Because the compiler itself was a compiled program, this extra functionality would not likely be
noticed, and likewise would not be noticed in software created by it. What's worse, in
Thompson's proof of concept implementation, the subverted compiler also subverted the analysis
program (the disassembler), so that anyone who examined the binaries in the usual way would
not actually see the real code that was running, but something else instead. This version was
never released into the wild. It was released to a sibling Bell Labs organization as a test case;
they never found the attack.
 “The moral is obvious. You can’t trust code you did not totally create yourself. (Especially code
from companies that employ people like me).” – Ken Thompson
 In 2005 the paper Countering Trusting Trust through Diverse Double-Compiling was published.
This paper showed how to counter this backdoor, but it requires a second compiler, and it only
becomes apparent if a source and binary correspond bit to bit (humans must still review the
compiler source code).

7/16/2019 slide 9
 Zombie
• program which secretly takes over another
networked computer
• then uses it to indirectly launch attacks
• often used to launch distributed denial of
service (DDoS) attacks
• exploits known flaws in network systems

7/16/2019 10
Viruses
 Virus propagates by infecting other programs
• Automatically creates copies of itself, but to propagate, a human has to
run an infected program
– Self-propagating malicious programs are usually called worms
 Viruses employ many propagation methods
• Insert a copy into every executable (.COM, .EXE)
• Insert a copy into boot sectors of disks
– “Stoned” virus (Stoned is the name of a boot sector computer virus created in
1987, apparantly in New Zealand. It was one of the very first viruses, and was,
along with its many variants, very common and widespread in the early
1990s.When an infected computer started, there was a one in eight probability
that the screen would declare:Your PC is now Stoned! )
– infected PCs booted from infected floppies, stayed in memory and infected
every floppy inserted into PC
• Infect TSR (terminate-and-stay-resident) routines
– By infecting a common OS routine, a virus can always stay in memory and
infect all disks, executables, etc.

7/16/2019 slide 11
 Virus Operation
• virus phases:
– dormant – waiting on trigger event
– propagation – replicating to programs/disks
– triggering – by event to execute payload
– execution – of payload
• details usually machine/OS specific
– exploiting features/weaknesses

7/16/2019 12
 Virus Structure
program V :=
{goto main;
1234567;
subroutine infect-executable := {loop:
file := get-random-executable-file;
if (first-line-of-file = 1234567) then goto loop
else prepend V to file; }
subroutine do-damage := {whatever damage is to be done}
subroutine trigger-pulled := {return true if some condition holds}
main: main-program := {infect-executable;
if trigger-pulled then do-damage;
goto next;}
next:
}

7/16/2019 13
 Types of Viruses
• can classify on basis of how they attack
• parasitic virus
• memory-resident virus
• boot sector virus
• stealth
• polymorphic virus
• macro virus

7/16/2019 14
Virus Techniques
Stealth viruses
• Infect OS so that infected files appear normal to user
Macro viruses
• A macro is an executable program embedded in a word
processing document (MS Word) or spreadsheet (Excel)
• When infected document is opened, virus copies itself
into global macro file and makes itself auto-executing
(e.g., gets invoked whenever any document is opened)
Polymorphic viruses
• Viruses that mutate and/or encrypt parts of their code
with a randomly generated key
7/16/2019 slide 15
 Macro Virus
• macro code attached to some data file
• interpreted by program using file
– eg Word/Excel macros
– esp. using auto command & command macros
• code is now platform independent
• is a major source of new viral infections
• blurs distinction between data and program files
making task of detection much harder

7/16/2019 16
 Email Virus
• spread using email with attachment
containing a macro virus
– e.g. Melissa (‘ll discuss later)
• triggered when user opens attachment
• or worse even when mail viewed by using
scripting features in mail agent
• usually targeted at Microsoft Outlook mail
agent & Word/Excel documents
7/16/2019 17
 Worms
• replicating but not infecting program
• typically spreads over a network
– e.g. Morris Internet Worm in 1988
– led to creation of CERTs
• using users distributed privileges or by exploiting
system vulnerabilities
• widely used by hackers to create zombie PC's,
subsequently used for further attacks, esp DoS
• major issue is lack of security of permanently
connected systems, esp PC's
7/16/2019 18
 Worm Operation
• worm phases like those of viruses:
– dormant
– propagation
• search for other systems to infect
• establish connection to target remote system
• replicate self onto remote system
– triggering
– execution

7/16/2019 19
Today’s Worm Threat
 “One of the biggest threats to the modern
information infrastructure”
 Characteristics of Modern Worm Threat
 Relatively rare (two a year)
 Extreme rapid propagation
 human vs. machine speed
 Infects millions of systems
 May or may not cause real damage
 Catastrophic situations for many
enterprises
 Example: Blaster and CSX
Viruses vs. Worms
VIRUS WORM
 Propagates by infecting  Propagates automatically
other programs by copying itself to target
systems
 Usually inserted into host  Is a standalone program
code (not a standalone
program)

7/16/2019 slide 21
 Worm Examples
• Morris
• melissa
• Zmist
• Code Red I
• Code Red II
• Nimda
• Slammer
• Blaster
• Witty
• Anna Kournikova

7/16/2019 22
 Morris: Introduction
• The Morris worm or Internet worm was one of
the first computer worms distributed via the
Internet; it is considered the first worm and was
certainly the first to gain significant mainstream
media attention. It was written by a student at
Cornell University, Robert Tappan Morris, and
launched on November 2, 1988 from MIT. The
worm was released from MIT to disguise the fact
that the worm originally came from Cornell.
(Incidentally, Robert Tappan Morris is now an
associate professor at MIT.)
7/16/2019 23
 Morris: Architecture
• According to its creator, the Morris worm was not written
to cause damage, but to gauge the size of the internet.
An unintended consequence of the code, however,
caused it to be more damaging: a computer could be
infected multiple times and each additional process
would slow the machine down to the point of being
unusable. The Morris worm worked by exploiting known
vulnerabilities in Unix sendmail, Finger, rsh/rexec and
weak passwords. The main body of the worm could only
infect DEC VAX machines running BSD 4, and Sun 3
systems. A portable C "grappling hook" component of
the worm was used to pull over the main body, and the
grappling hook could run on other systems, loading them
down and making them peripheral victims.

7/16/2019 24
 Morris: The Mistake
• The critical error that transformed the worm from a potentially
harmless intellectual exercise into a virulent denial of service attack
was in the spreading mechanism. The worm determined whether or
not to invade a new computer by asking if there was already a copy
running. But just doing this would have made it trivially easy to kill;
everyone could just run a process that would answer "yes" when
asked if there was already a copy, and the worm would stay away.
The defense against this was inspired by Michael Rabin's mantra,
"Randomization." To compensate for this possibility, Morris directed
the worm to copy itself anyway, fourteen percent of the time, no
matter the response to the infection-status interrogation. This level
of replication proved excessive and the worm spread rapidly,
infecting some computers multiple times. As Rabin remarked when
he heard of the mistake, "He should have tried it on a simulator
first."

7/16/2019 25
 Morris: Effects
• It is usually reported that around 6,000 major Unix machines were
infected by the Morris worm. Paul Graham has claimed that "I was
there when this statistic was cooked up, and this was the recipe:
someone guessed that there were about 60,000 computers attached
to the Internet, and that the worm might have infected ten percent of
them." The U.S. GAO put the cost of the damage at $10M–100M.
• Gene Spafford created the Phage mailing list to coordinate a
response to the emergency.
• Robert Morris was tried and convicted of violating the 1986
Computer Fraud and Abuse Act. After appeals he was sentenced to
three years' probation, 400 hours of community service, and a fine of
$10,050.
• The Morris worm has sometimes been referred to as the "Great
Worm", because of the devastating effect it had upon the Internet at
that time, both in overall system downtime and in psychological
impact on the perception of security and reliability of the Internet.

7/16/2019 26
 Melissa
• The Melissa worm, also known as "Mailissa", "Simpsons",
"Kwyjibo", or "Kwejeebo", is a mass-mailing macro virus, hence
leading some to classify it as a computer worm.
• First found on March 26, 1999, Melissa shut down Internet mail
systems that got clogged with infected e-mails propagating from the
worm.
• Melissa was first distributed in the Usenet discussion group alt.sex.
The virus was inside a file called "List.DOC," which contained
passwords that allow access into 80 pornographic websites. The
worm's original form was sent via e-mail to many people.
• Melissa was written by David L. Smith in Aberdeen Township, New
Jersey, and named after a lap dancer he encountered in Florida.
• Smith was sentenced to 10 years but served only 20 months in a
federal prison and fined $5,000 United States dollars.

7/16/2019 27
 Melissa: Specifications
• Melissa can spread on word processor Microsoft Word 97 and Word
2000. It can mass-mail itself from e-mail client Microsoft Outlook 97
or Outlook 98. The worm does not work on any other versions of
Word, including Word 95, nor can it mass-mail itself via any other e-
mail client, even Outlook Express.
• If a Word Document containing the virus, either LIST.DOC or
another infected file, is downloaded and opened, then the macro in
the document runs and attempts to mass mail itself.
• When the macro mass-mails, it collects the first 50 entries from the
alias list or address book, and sends it to the e-mail addresses of
those names.
• This is what infected e-mails say:
• From: <name of the infected sender> Subject: Important message
from <name of sender> To: <The recipients, from the 50 names>
Attachment: LIST.DOC Body: Here is that document you asked for
... don't show anyone else ;-)

7/16/2019 28
 Melissa: Variants
• Melissa.I/Empirical
• This variant can send using any of these subject line and body combinations, all of which differ
from Melissa's original form.
• Subject: Question for you...
Body: It's fairly complicated so I've attached it.
• Subject: Check this!!
Body: This is some wicked stuff!
• Subject: Cool Web Sites
Body: Check out the Attached Document for a list of some of the best Sites on the Web
• Subject: 80mb Free Web Space!
Body: Check out the Attached Document for details on how to obtain the free space. It's cool, I've
now got heaps of room.
• Subject: Cheap Software
Body: The attached document contains a list of web sites where you can obtain Cheap Software
• Subject: Cheap Hardware
Body: I've attached a list of web sites where you can obtain Cheap Hardware"
• Subject: Free Music
Body: Here is a list of places where you can obtain Free Music.
• Subject: * Free Downloads
Body: Here is a list of sites where you can obtain Free Downloads.

7/16/2019 29
 Melissa: Variants
• Melissa.AO
• This is what the e-mails from this version contain:
• Subject: Extremely URGENT: To All E-Mail User -
<current date> Attachment: Infected Active Document
Body: This announcement is for all E-MAIL user. Please
take note that our E-Mail Server will down and we
recommended you to read the document which attached
with this E-Mail.
• Melissa.AO's payload occurs at 10 a.m. on the 10th day
of each month. The payload consists of the worm
inserting the following string into the document: "Worm!
Let's We Enjoy."

7/16/2019 30
 Zmist
• ZMist (also known as Zombie.Mistfall)
is a metamorphic computer virus
created by Russian virus writer known
as Z0mbie. It was the first virus to use
technique known as "code integration".
In words of Szor and Ferrie
• This virus supports a unique new
technique: code integration. The
Mistfall engine contained in it is
capable of decompiling Portable
Executable files to its smallest
elements, requiring 32 MB of memory.
Zmist will insert itself into the code: it
moves code blocks out of the way,
inserts itself, regenerates code and
data references, including relocation
information, and rebuilds the
executable.

7/16/2019 31
 Code Red I
• The Code Red worm was a computer worm released on the
Internet on July 13, 2001. It attacked computers running Microsoft's
IIS web server. The most in-depth research on the worm was
performed by the programmers at eEye Digital Security. They also
gave the worm its name, a reference to a variety of Mountain Dew
soft drink and the phrase "Hacked By Chinese!" with which the worm
defaced websites. Although the worm had been released on July 13,
the largest group of infected computers was seen on July 19, 2001.
On this day, the infected hosts reached 359,000.
• The worm exploited a vulnerability in the indexing software
distributed with IIS, described in MS01-033, for which a patch had
been available a month earlier.
• The worm spread itself using a common type of vulnerability known
as a buffer overflow. It did this by using a long string of the repeated
character 'N' to overflow a buffer, allowing the worm to execute
arbitrary code and infect the machine.

7/16/2019 32
Code Red I
July 13, 2001: First worm of the modern era
Exploited buffer overflow in Microsoft’s Internet
Information Server (IIS)
 1st through 20th of each month: spread
• Find new targets by random scan of IP address space
– Spawn 99 threads to generate addresses and look for IIS
• Creator forgot to seed the random number generator,
and every copy scanned the same set of addresses 
21st through the end of each month: attack
• Deface websites with “HELLO! Welcome to
http://www.worm.com! Hacked by Chinese!”

7/16/2019 slide 33
Worldwide Code Red
Infections

700,000 machines infected

$2-2.9 billion in damage (Computer Economics)
$200 million in damage per day during attacks
Usurped Exception Handling In IIS
[See Chien and Szor, “Blended Attacks…”]

Overflow in a rarely used URL decoding routine

• A malformed URL is supplied to vulnerable routine…
• … another routine notices that stack has been smashed
and raises an exception. Exception handler is invoked…
• … the pointer to exception handler is located on stack.
It has been overwritten to point to a certain instruction
inside the routine that noticed the overflow…
• … that instruction is CALL EBX. At that moment, EBX is
pointing into the overwritten buffer…
• … the buffer contains the code that finds the worm’s
main body on the heap and executes it!
7/16/2019 slide 35
Code Red II
 Code Red II is a computer worm similar to the Code Red worm. Released two weeks
after Code Red on August 4, 2001, although similar in behaviour to the original,
analysis showed it to be a new worm instead of a variant. The worm was designed to
exploit a security hole in the indexing software included as part of Microsoft's Internet
Information Server (IIS) web server software.
 A typical signature of the Code Red II worm would appear in a web server log as:
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
 Where the original worm tried to infect other computers at random, Code Red II tried
to infect machines on the same subnet as the infected machine.
 Microsoft released a security patch for IIS that fixed the security hole on June 18,
2001.

7/16/2019 slide 36
Code Red II
August 4, 2001: Same IIS vulnerability,
completely different code, kills Code Red I
• Known as “Code Red II” because of comment in code
• Worked only on Windows 2000, crashed NT
Scanning algorithm preferred nearby addresses
• Chose addresses from same class A with probability ½,
same class B with probability 3/8, and randomly from
the entire Internet with probability 1/8
Payload: installed root backdoor in IIS servers for
unrestricted remote access
Died by design on October 1, 2001
7/16/2019 slide 37
Nimda
 Nimda is a computer worm, isolated in September 2001. It is also a file
infector. It quickly spread, eclipsing the economic damage caused by past
outbreaks such as Code Red.
 Nimda affected both user workstations (clients) running Windows 95, 98,
Me, NT, or 2000 and servers running Windows NT and 2000.
 The worm's name spelled backwards is "admin".

Methods of infection
 Nimda was so effective partially because it - unlike other famous malware
like the Morris worm or Code Red - uses 5 different infection vectors:
 via email
 via open network shares
 via browsing of compromised web sites
 exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities
 via back doors left behind by the "Code Red II" and "sadmind/IIS" worms.

7/16/2019 slide 38
Nimda
September 18, 2001: Multi-modal worm using
several propagation vectors
• Exploit same IIS buffer overflow as Code Red I and II
• Bulk-email itself as an attachment to email addresses
harvested from infected machines
• Copy itself across open network shares
• Add exploit code to Web pages on compromised sites
to infect visiting browsers
• Scan for backdoors left by Code Red II
Payload: turned-off code deleting all data on hard
drives of infected machines

7/16/2019 slide 39
Signature-Based Defenses Don’t Help
Nimda leaped firewalls!
Many firewalls pass mail untouched, relying on
mail servers to filter out infections
• Most filters simply scan attachments for signatures
(code snippets) of known viruses and worms
Nimda was a brand-new infection with unknown
signature, and scanners could not detect it
Big challenge: detection of zero-day attacks
• When a worm first appears in the wild, signature is not
extracted until minutes or hours later
7/16/2019 slide 40
Slammer
 The SQL slammer worm is a computer worm that
caused a denial of service on some Internet hosts and
dramatically slowed down general Internet traffic,
starting at 05:30 UTC on January 25, 2003. It spread
rapidly, infecting most of its 75,000 victims within ten
minutes. Although titled "SQL slammer worm", the
program did not use the SQL language; it exploited two
buffer overflow bugs in Microsoft's flagship SQL Server
and Desktop Engine database products, for which
patches had been released six months earlier in MS02-
039 and MS02-061. Other names include
W32.SQLExp.Worm, DDOS.SQLP1434.A, the Sapphire
Worm, SQL_HEL, and W32/SQLSlammer.

7/16/2019 slide 41
Slammer
Impact
 Sites monitoring the traffic of the Internet such as Internet Storm Center
reported significant slowdowns globally, resembling the impact of the Code
Red worm in the summer of 2001.
 Yonhap news agency in South Korea reported that Internet services had
been shut down for hours on Saturday, January 25, 2003 nationwide. The
impact was mitigated by the fact that it occurred over the weekend.
 The same attack was reported throughout most of Asia, Europe, and North
America. Anti-virus software maker Symantec estimated that at least
22,000 systems were affected worldwide.
 The Microsoft SQL Server Desktop Engine (MSDE) was affected by the
worm and that increased the number of the systems affected. This,
together with many home users unaware they have MSDE installed,
worsened the impact of this worm. Also, if a computer running MSDE was
infected with this worm via the Internet and then connected to a Virtual
Private Network, the SQL Servers inside the NAT can be infected.

7/16/2019 slide 42
Slammer
 Technical details
 The worm is a small (376 bytes) piece of code that does little other than generate random IP addresses
and send itself out to those addresses. If a selected address happens to belong to a host that is running
an unpatched copy of Microsoft SQL Server Resolution Service, the host immediately becomes infected
and begins spraying the Internet with more copies of the worm program.
 Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so
small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to
remove. For example, Symantec provides a free removal utility (see external link below), or it can even
be removed by restarting SQL Server (although the machine would likely be immediately reinfected).
 The worm was made possible by a software security vulnerability in SQL Server first reported by
Microsoft on July 24, 2002. A patch had been available from Microsoft for six months prior to the worm's
launch, but many installations had not been patched -- including some at Microsoft.
 The slowdown was caused by the collapse of numerous routers under the burden of extremely high
bombardment traffic from infected servers. Normally, when traffic is too high for routers to handle, the
routers are supposed to delay or temporarily stop network traffic. Instead, some routers crashed
(became unusable), and the "neighbor" routers would notice that these routers had stopped and should
not be contacted (aka "removed from the routing table"). Routers started sending notices to this effect
to other routers they knew about. The flood of routing table update notices caused some additional
routers to fail, compounding the problem. Eventually the crashed routers' maintainers restarted them,
causing them to announce their status, leading to another wave of routing table updates. Soon a
significant portion of Internet bandwidth was consumed by routers communicating with each other to
update their routing tables, and ordinary data traffic slowed down or in some cases stopped altogether.
Ironically because the SQL slammer worm was so small in size, sometimes it was able to get through
and legitimate traffic was not.
 SQL Slammer was the first observed example of a "Warhol worm" -- a fast-propagating Internet
infection of the sort first hypothesized in 2002 in a paper by Nicholas Weaver. Two key aspects
contributed to SQL Slammer's rapid propagation. The worm infected new hosts over UDP, and the entire
worm (only 376 bytes) fit inside a single packet. As a result, no connection was necessary for an
infected host to attempt to infect another machine. Each infected host could instead simply "fire and
forget" packets as rapidly as possible (generally hundreds per second).

7/16/2019 slide 43
Slammer (Sapphire) Worm
January 24/25, 2003: UDP worm exploiting buffer
overflow in Microsoft’s SQL Server
• Overflow was already known and patched by
Microsoft… but not everybody installed the patch
Entire code fits into a single 404-byte UDP packet
• Worm binary followed by overflow pointer back to itself
Classic buffer overflow combined with random
scanning: once control is passed to worm code, it
randomly generates IP addresses and attempts to
send a copy of itself to port 1434
• MS-SQL listens at port 1434

7/16/2019 slide 44
Slammer Propagation
Scan rate of 55,000,000 addresses per second
• Scan rate = rate at which worm generates IP
addresses of potential targets
• Up to 30,000 single-packet worm copies per second
Initial infection was doubling in 8.5 seconds (!!)
• Doubling time of Code Red was 37 minutes
Worm-generated packets saturated carrying
capacity of the Internet in 10 minutes
• 75,000 SQL servers compromised
• And that’s in spite of broken pseudo-random number
generator used for IP address generation

7/16/2019 slide 45
05:29:00 UTC, January 25, 2003
[from Moore et al. “The Spread of the Sapphire/Slammer Worm”]

7/16/2019 slide 46
30 Minutes Later
[from Moore et al. “The Spread of the Sapphire/Slammer Worm”]

Size of circles is logarithmic in

the number of infected machines
7/16/2019 slide 47
Slammer Impact
$1.25 Billion of damage
Temporarily knocked out many elements of
critical infrastructure
• Bank of America ATM network
• Entire cell phone network in South Korea
• Five root DNS servers
• Continental Airlines’ ticket processing software
The worm did not even have malicious payload…
simply bandwidth exhaustion on the network and
resource exhaustion on infected machines
7/16/2019 slide 48
Secret of Slammer’s Speed
Old-style worms (Code Red) spawn a new thread
which tries to establish a TCP connection and, if
successful, send a copy of itself over TCP
• Limited by latency of the network
Slammer was a connectionless UDP worm
• No connection establishment, simply send 404-byte
UDP packet to randomly generated IP addresses
• Limited only by bandwidth of the network
A TCP worm can scan even faster
• Dump zillions of 40-byte TCP-SYN packets into link
layer, send worm copy only if SYN-ACK comes back

7/16/2019 slide 49
Blaster
 The Blaster worm (also known as Lovsan or Lovesan) was a computer worm that spread on
computers running the Microsoft operating systems, Windows XP and Windows 2000, during
August 2003.
 The worm was first noticed and started spreading in the wild on August 11. The rate that it
spread increased until the number of infections peaked on August 13. Filtering by ISPs and
widespread publicity about the worm curbed the spread of Blaster.
 The worm was programmed to start a SYN flood on August 15 against port 80 of
windowsupdate.com, thereby creating a distributed denial of service attack (DDoS) against the
site. The damage to Microsoft was minimal as the site targeted was windowsupdate.com instead
of windowsupdate.microsoft.com to which it was redirected. Microsoft temporarily shut down the
targeted site to minimize potential effects from the worm.
 The worm spread by exploiting a buffer overflow in the DCOM RPC service on the affected
operating systems, for which a patch had been released one month earlier in MS03-026 and later
in MS03-039.
 The worm contains two messages hidden in strings. The first:
 I just want to say LOVE YOU SAN!! is why the worm is sometimes called the Lovesan worm. The
second:
 billy gates why do you make this possible ? Stop making money and fix your software!! is an
apparent message to Bill Gates, the co-founder of Microsoft, and the target of the worm.
 On August 29, 2003, Jeffrey Lee Parson, an 18-year-old from Hopkins, Minnesota was arrested
for creating the B variant of the Blaster worm; he admitted responsibility and was sentenced to
an 18-month prison term in January 2005.

7/16/2019 slide 50
Blaster: Side effects
 Side effects
 Although the worm can only spread on systems running
Windows 2000 and Windows XP (32 bit), it can cause
instability in the RPC service on systems running
Windows NT, Windows XP (64 bit), and Windows Server
2003. If the worm detects a connection to the Internet
(regardless of dial-up or broadband), this can even lead
to the system becoming so unstable that it displays the
following message and then restarts (usually after 60
seconds):
 Windows must now restart because the Remote
Procedure Call (RPC) Service terminated unexpectedly.

7/16/2019 slide 51
Blaster: Mitigation
 Mitigation
 This error message and the Windows restart can be avoided by changing the properties of the
Shutdown service, buying an infected user enough time to remove the virus from their system
and install a patch removing the vulnerability. The procedure is done as follows:
 Go to Start->Run
 Type "services.msc" and press Enter
 Find the "Remote Procedure Call" service (not RPC Locator), right-click, and select Properties
 Select the Recovery tab, and set all failure actions to "Take no Action"
 Select OK
 Because the Remote Procedure Call is an integral part of Windows, the failure actions should be
reset to "Restart the Computer" as soon as the Blaster worm is removed.
 Another method to stop the computer from restarting is as follows:
 Go to Start->Run
 Type "shutdown -a" and press Enter
 If run as an Administrator, this will stop the reboot (-a stands for "Abort").
 The above procedure must be done within the time limit displayed in the shutdown notice. The
"shutdown.exe" file is not available within Windows 2000 unless you extract it from the Windows
2000 resource kit.

7/16/2019 slide 52
Witty
 The Witty worm is a computer worm that attacks the firewall and
other computer security products written by a particular company,
Internet Security Systems (ISS). It was the first worm to take
advantage of vulnerabilities in the very pieces of software designed
to enhance network security, and carried a destructive payload,
unlike previous worms. It is so named because the phrase "(^.^)
insert witty message here (^.^)" appears in the worm's payload.
 The Witty worm incident was unique in that the worm spread very
rapidly after announcement of the ISS vulnerability (a day later),
and infected a much smaller and presumably harder-to-infect
(because the administrators had taken security measures) host
population than previous worms.

7/16/2019 slide 53
Witty
 Propagation
 On 19 March 2004, the 'Witty' worm began infecting hosts connected to
the Internet (and running the vulnerable ISS software) from a "seed"
population, probably of previously compromised computers. Within a half-
hour it infected 12,000 computers and was generating 90 Gb/s (gigabits
per second) of UDP traffic.

 Effect of worm
 Once Witty infects a computer by exploiting a vulnerability in the ISS
software packages (RealSecure Network, RealSecure Server Sensor,
RealSecure Desktop, and BlackICE), it attempts to infect other computers
using the same vulnerability.
 Witty launches these attacks as fast as possible, attacking random IP
addresses as quickly as allowed by the computer's Internet connection. It
repeats these attacks in groups of 20,000, alternately launching attacks
and overwriting sections of the computer's hard disk(s).

7/16/2019 slide 54
Anna Kournikova Worm
 The new worm, vbs.sst, masquerades as an image of Anna
Kournikova, a Russian tennis player. vbs.sst attaches itself as a file
(AnnaKournikova.jpg.vbs) to an email message whose subject
reads, "Here you have, ;0)". The Visual Basic (VB)-based worm
works by taking advantage of a quirk in an email client where
filenames containing more than one dot are truncated.
 For example, affected mail clients show the user a filename of
AnnaKournikova.jpg, truncating the .vbs extension. The worm
spreads by sending a copy of itself to everyone listed in the user's
address book. In addition, the worm attempts to open a Web
connection to a site in the Netherlands when the computer's date is
January 26.

7/16/2019 slide 55
How to Build a Super-Worm?
[from “How to 0wn the Internet in Your Spare Time”]

Objective: Warhol worm

• Worm that reaches saturation (infection of all
potentially vulnerable targets) in 15 minutes
• Faster than any possible human-mediated response
Previous worms suffered from suboptimal design
• Slammer copies ended competing with themselves for
bandwidth
– 30% of randomly generated IP addresses are unused
– This causes routing table misses, ICMP (router error) traffic
• Broken address generation algorithms
• Buggy payloads (premature death, failed DDoS, etc.)
7/16/2019 slide 56
Better Target Address Generation
Pre-compute hit-list of vulnerable hosts
• Very slow, stealthy scan for known vulnerabilities over
several months prior to worm release
– To cover your tracks, do it from hacked “zombie” machines
• Web-crawling spiders
• Listen for responses to other attacks
– E.g., every IIS infected with Code Red announced its presence
by dumping large amounts of traffic to random addresses
Even imperfect hit-list will greatly speed up initial
infection (slowest part of worm propagation)
• Start with a single host; every time the worm divides,
7/16/2019
it “outsources” half of its hit-list to the new copy slide 57
Coordinated Scanning
Random address generation is inefficient
• Many addresses are probed multiple times, worm
copies flood the bandwidth
Permutation scan: each copy starts to scan from
a random point in IP address space; if encounters
another copy, randomly picks another point
• Worm needs to recognize its own presence on the
target machine
Divide-and-conquer: split target address space in
half each time a new copy is created
• Probably can infect 1,000,000 hosts in 2 seconds
7/16/2019 slide 58
Exploit Existing Networks
Use network topology
• Morris worm looked for new targets in hosts.equiv
• Peer-to-peer networks are perfect targets
– Instead of generating random addresses, just spread to peers
Get initial hit-list from meta-servers
• Use online directories to find potential victims
• Paxson’s example: Google for “powered by phpbb” to
find websites running PHP
Piggyback on existing network traffic
• E.g., worm inserts itself into Kazaa or BitTorrent traffic
• Virtually undetectable (no unusual network activity!)
7/16/2019 slide 59
 Anna Kournikova Worm
• The new worm, vbs.sst, masquerades as an image of
Anna Kournikova, a Russian tennis player. vbs.sst
attaches itself as a file (AnnaKournikova.jpg.vbs) to an
email message whose subject reads, "Here you have,
;0)". The Visual Basic (VB)-based worm works by taking
advantage of a quirk in an email client where filenames
containing more than one dot are truncated.
• For example, affected mail clients show the user a
filename of AnnaKournikova.jpg, truncating the .vbs
extension. The worm spreads by sending a copy of itself
to everyone listed in the user's address book. In addition,
the worm attempts to open a Web connection to a site in
the Netherlands when the computer's date is January
26.

7/16/2019 60
Reading Assignment
Staniford’s The Worm FAQ
“Slammed!” from the Wired magazine
Optional: “How to 0wn the Internet in Your Spare
Time” by Staniford, Paxson, and Weaver

7/16/2019 slide 61
 Virus Countermeasures
• viral attacks exploit lack of integrity control
on systems
• to defend need to add such controls
• typically by one or more of:
– prevention - block virus infection mechanism
– detection - of viruses in infected system
– reaction - restoring system to clean state

7/16/2019 62
 Antivirus Approaches
1st Generation, Scanners: searched files for any of a
library of known virus “signatures.” Checked
executable files for length changes.

2nd Generation, Heuristic Scanners: looks for more

general signs than specific signatures (code
segments common to many viruses). Checked files
for checksum or hash changes.

3rd Generation, Activity Traps: stay resident in

memory and look for certain patterns of software
behavior (e.g., scanning files).

4th Generation, Full Featured: combine the best of

the techniques above.
7/16/2019 63
 Advanced Anti-Virus Techniques
• generic decryption
– use CPU simulator to check program
signature & behavior before actually running it
• digital immune system (IBM)
– general purpose emulation & virus detection
– any virus entering org is captured, analyzed,
detection/shielding created for it, removed

7/16/2019 64
 Behavior-Blocking Software
• integrated with host O/S
• monitors program behavior in real-time
– e.g. file access, disk format, executable
modules, system settings changes, network
access
• for possibly malicious actions
– if detected can block, terminate, or seek ok
• has advantage over scanners
• but malicious code runs before detection
7/16/2019 65
 Summary
• have considered:
– various malicious programs
– trapdoor, logic bomb, trojan horse, zombie
– viruses
– worms
– countermeasures

7/16/2019 66
 Recommended Reading and
WEB Sites
• Denning, P. Computers Under Attack:
Intruders, Worms, and Viruses. Addison-
Wesley, 1990
• CERT Coordination Center (WEB Site)
• AntiVirus Online (IBM’s site)

7/16/2019 67