The Evolution of Computer Viruses
Cornell University
27 June 2002
• Perspective
• Evolution Process
• Evolutionary Timeline
• Mitigation Strategies
• Future Expectations
• Summary
June 2002 2
What is Malware?
• Any piece of hardware, software or firmware that is intentionally included or introduced into a computer system for unauthorized purposes, usually without the knowledge or consent of the user
• Includes
– Viruses
– Trojan horse programs
– Worms
– Hoaxes
– Logic bombs
– Joke programs
Where Are We Today?
Profile of Recent Event – Code Red
• Actions
– Probes random IP addresses looking for hosts vulnerable to the IIS exploit
– Infection, attack and dormant phases
– In less than 14 hours, more than 350,000 servers were compromised
– Attempted a Denial of Service attack against whitehouse.gov using an IP address instead of the domain name
– Many hosts were re-infected during attempts to patch them
– Widespread media coverage
• Lessons Learned?
Profile of Recent Event – SirCam
• Actions
– Copies itself to the WINDOWS SYSTEM directory (SCam32.exe)
– Creates a new recycle bin
– Modifies registry to load itself automatically
– Creates and stores 2 files in the WINDOWS SYSTEM directory
– Performs mass mailing with an attachment from victim’s MY DOCUMENTS folder
– May infect other systems using open network shares
– Talks directly to SMTP server to send mail
– Overloads email systems
– Can delete files on 16 October
• Lessons Learned?
Profile of Recent Event – Klez
• Actions
– Acts as a dropper for a virus (Elkern)
– Infects system and network shares
– Performs mass mailing with infected attachments
– Uses its own internal SMTP server to send email
– Spoofs FROM email address
– Uses random subjects and attachments
• Lessons Learned?
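As an added illustration (not from the slides or any Cornell material), a Python heuristic that flags two traits the SirCam and Klez slides describe: mail handed to the first MTA directly by a non-mail host (the worm's own SMTP engine) under a spoofed From:, and an executable attachment. The sample message, the hostnames and the extension list are constructed assumptions.

```python
import email
import re
from email import policy

# File extensions treated as executable (heuristic; the slides name no list).
EXEC_EXTS = {".exe", ".pif", ".scr", ".bat", ".com", ".vbs"}

# Constructed sample, not a real capture: From: claims example.org, but the innermost
# Received: shows the message came straight from a dial-up host, the way a worm running
# its own SMTP engine delivers mail; the attachment carries a double extension.
SAMPLE_SUSPICIOUS = """\
Received: from mx.example.org (mx.example.org [192.0.2.10]) by inbox.example.org; Tue, 25 Jun 2002 10:00:00 +0000
Received: from dsl-12-34.isp.example.net (dsl-12-34.isp.example.net [198.51.100.7]) by mx.example.org; Tue, 25 Jun 2002 09:59:58 +0000
From: "Alice" <alice@example.org>
Subject: Your document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="report.doc.pif"
Content-Disposition: attachment; filename="report.doc.pif"

MZ...
--b1--
"""

def sender_domain(msg):
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return m.group(1).lower() if m else ""

def first_hop_host(msg):
    # Innermost Received: (last in header order) names the host that handed the message
    # to the first MTA; a worm with its own SMTP engine shows up here, not a mail server.
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+([\w.-]+)", str(received[-1])) if received else None
    return m.group(1).lower() if m else ""

def flag_mass_mailer(raw):
    """Return a list of reasons the message looks like a mass-mailing worm."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    dom, hop = sender_domain(msg), first_hop_host(msg)
    if dom and hop and hop != dom and not hop.endswith("." + dom):
        reasons.append(f"From: domain {dom} does not match first hop {hop} (spoofed sender?)")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = name.split(".")[1:]
        if exts and "." + exts[-1] in EXEC_EXTS:
            reasons.append(f"executable attachment: {name}")
            if len(exts) > 1:
                reasons.append(f"double extension disguising executable: {name}")
    return reasons
```

The first-hop check is noisy for legitimate users who send through an ISP relay; treat it as one signal to correlate with the attachment and volume indicators, not a verdict.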
Evolution Process
• Means
• Opportunity
– Availability
– Portability
– Mobility
• Motive
– Research
– Peer acceptance
– Ego
– Destruction
– Revenge
– Profit
• Intent
Nuisance to …
[Timeline figure, 1/1986 to 12/1997 with yearly ticks. Labelled events: Brain (boot sector virus), Lehigh (file virus), Cascade, Morris’ Internet Worm, Michelangelo, Ripper, Junkie, Concept (macro virus), Laroux, Wazzu]
…Netspionage
[Continuation of the timeline figure. Labels: Continued Nuisance; Siphons, Senders, and Attackers; Network Aware; Klez]
Axioms
Axiom: Only programs can be infected
Reality: Nearly all file types today can carry malware
Axiom: Document files are safe
Reality: Office automation includes macros and other executable code within documents
Axiom: Email messages are safe
Reality: Many email messages include executable code
Axiom: Only be suspicious of things from people you don’t know
Reality: Social engineering and propagation techniques mean that most malware comes to you from people you do know
Keys to Survival
• Adaptation
– Social Engineering
– Evolution
• Propagation
– Social Engineering
– Technology
How Fast Do They Spread?
Damage Caused
Impact
Mitigating the Risk
• Be prepared
• Culture
• Targets
• Goals
• Damage
Summary
Some Information Resources
Additional Resources
Questions?