
Survival of the Fittest

The Evolution of
Computer Viruses

Cornell University
27 June 2002

Christine M. Orshesky, CISSP, CQA


Topics for Discussion

• Perspective
• Evolution Process
• Evolutionary Timeline
• Mitigation Strategies
• Future Expectations
• Summary

June 2002 2
What is Malware?
• Any piece of hardware, software or firmware that is intentionally included or introduced into a computer system for unauthorized purposes, usually without the knowledge or consent of the user
• Includes
– Viruses
– Trojan horse programs
– Worms
– Hoaxes
– Logic bombs
– Joke programs

Where Are We Today?

• Computer Security Institute/FBI 2002 Computer Crime and Security Survey
• ICSA Virus Prevalence Survey
• Virus Tracking Statistics from Trend Micro
  http://wtc.trendmicro.com/wtc/report.html
  – Last 30 days
    • over 5 million virus infected files in North America
  – Last 24 hours
    • Over 140,000 infected files in North America

Profile of Recent Event – Code Red

• Actions
– Probes random IP addresses looking for hosts vulnerable to an IIS exploit
– Infection, attack and dormant phases
– In less than 14 hours, more than 350,000 servers were compromised
– Attempted a Denial of Service attack against whitehouse.gov using an IP address instead of the domain name
– Many hosts were re-infected during attempts to patch them
– Widespread media coverage
• Lessons Learned?

Profile of Recent Event – SirCam

• Actions
– Copies itself to the WINDOWS SYSTEM directory (SCam32.exe)
– Creates a new recycle bin
– Modifies registry to load itself automatically
– Creates and stores 2 files in the WINDOWS SYSTEM directory
– Performs mass mailing with an attachment from victim’s MY DOCUMENTS folder
– May infect other systems using open network shares
– Talks directly to SMTP server to send mail
– Overloads email systems
– Can delete files on 16 October
• Lessons Learned?
Profile of Recent Event – Klez

• Actions
– Acts as a dropper for a virus (Elkern)
– Infects system and network shares
– Performs mass mailing with infected attachments
– Uses its own internal SMTP server to send email
– Spoofs FROM email address
– Uses random subjects and attachments
• Lessons Learned?
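The SirCam and Klez profiles above share two traits a mail gateway can check for: a forged FROM address produced by the worm's own SMTP engine, and an executable attachment carried under a document-looking name. The following Python script is an added educational example, not part of the original presentation; the sample message is constructed (documentation addresses, no real capture), and the list of executable extensions is an assumption chosen for the demonstration.

```python
"""Mail-gateway triage for the mass-mailer traits in the SirCam and Klez
slides: a spoofed From: header and an executable attachment.
Added educational example, not part of the original presentation."""
import re
from email import message_from_string
from email.message import Message

# Extensions Windows runs on double-click; an assumed list for this example.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "bat", "com", "vbs", "js", "lnk"}

# Constructed sample message (documentation IP address, not a real capture).
SAMPLE_MESSAGE = """\
Return-Path: <mailer@198.51.100.23>
Received: from [198.51.100.23] (unknown [198.51.100.23])
  by mx.example.org with SMTP id 1234; Thu, 27 Jun 2002 10:15:00 -0400
From: "Alice Colleague" <alice@example.com>
To: bob@example.org
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached document.
--XYZ
Content-Type: application/octet-stream; name="report.doc.pif"
Content-Disposition: attachment; filename="report.doc.pif"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address header value."""
    m = re.search(r"@([\w.-]+)>?\s*$", addr.strip())
    return m.group(1).lower() if m else ""


def sender_mismatch(msg: Message) -> bool:
    """True when the From: domain differs from the envelope sender (Return-Path).
    A worm's built-in SMTP engine forges From: but cannot forge what the
    receiving MTA records about the connection, so the two often disagree."""
    return _domain(msg.get("From", "")) != _domain(msg.get("Return-Path", ""))


def double_extension(name: str) -> bool:
    """True for names like report.doc.pif: a harmless-looking extension
    followed by an executable one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS


def executable_attachments(msg: Message) -> list:
    """Names of attachments whose final extension is executable."""
    return [
        part.get_filename()
        for part in msg.walk()
        if part.get_filename()
        and part.get_filename().rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTS
    ]


def triage(raw: str) -> dict:
    """Parse one raw RFC 822 message and report mass-mailer indicators."""
    msg = message_from_string(raw)
    findings = []
    if sender_mismatch(msg):
        findings.append("from/envelope domain mismatch")
    for name in executable_attachments(msg):
        findings.append("executable attachment: " + name)
        if double_extension(name):
            findings.append("double extension: " + name)
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE)["findings"]:
        print(line)
```

The sender check is deliberately coarse: legitimate mailing lists and forwarders also produce a From/Return-Path mismatch, so in practice it is one signal to weigh alongside the attachment check rather than a reason to drop mail on its own.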

Evolution Process

• Means
• Opportunity
– Availability
– Portability
– Mobility
• Motive
– Research
– Peer acceptance
– Ego
– Destruction
– Revenge
– Profit
• Intent
Nuisance to …

[Timeline figure, 1/1986 to 12/1997]
Malware named on the timeline: Brain (boot sector virus), Lehigh (file virus), Cascade, Morris’ Internet Worm, Michelangelo, Junkie, Ripper, Concept (macro virus), Wazzu, Laroux
…Netspionage

[Timeline figure, 1/1998 to 12/2002, with the phases labelled “Continued Nuisance”, “Siphons, Senders, and Attackers” and “Network Aware”]
Malware named on the timeline: Class (macro virus), CIH, Back Orifice, Remote Explorer, ExploreZip, Melissa, Marker, Kak, Bubbleboy, Palm virus, VBSWG (Anna K.), LoveLetter, Subseven, Hybris, Lion, sadmind, Code Red, SirCam, NIMDA, BadTrans, Goner, Coolnow, Perrun, Sharp, Klez, DDoS
Axioms

Axiom: Only programs can be infected
Reality: Nearly all file types today can carry malware

Axiom: Document files are safe
Reality: Office automation includes macros and other executable code within documents

Axiom: Email messages are safe
Reality: Many email messages include executable code

Axiom: Only be suspicious of things from people you don’t know
Reality: Social engineering and propagation techniques mean that most malware comes to you from people you do know

Keys to Survival

• Adaptation
– Social Engineering
– Evolution
• Propagation
– Social Engineering
– Technology

How Fast Do They Spread?

Malware     Type                        Year   Time to #1
Form        Boot Sector                 1990   3 years
Concept     Word Macro                  1995   4 months
Melissa     E-mail enabled Word macro   1999   4 days
LoveLetter  E-mail enabled script       2000   5 hours
NIMDA       E-mail enabled script       2001   22 minutes

Source: ICSA/TruSecure

Damage Caused

Malware     Type                        Year Introduced   Damage Done
Form        Boot Sector                 1990              $50M over 5 years
Concept     Word Macro                  1995              $50M
Melissa     E-mail enabled Word macro   1999              $93M to $385M
LoveLetter  E-mail enabled script       2000              $700M
NIMDA       E-mail enabled script       2001              $590M

Source: ICSA/TruSecure and Computer Economics

Impact

• Compromise or Loss of Data
• Loss of Productivity
• Denial of Service
• Data Manipulation
• Loss of Credibility
• Loss of Revenue
• Embarrassment

Mitigating the Risk

• Establish and maintain a protection strategy – “Defense in Depth”
– Layered protection
– At each point of entry
– Inbound as well as outbound

Mitigating the Risk

• Integrate with other network resources and security products
• Keep systems current (patches and updates)
• Keep up with threats and technology
• Control Access and Configurations


Mitigating the Risk

• Educate your users continuously
• Be prepared
• Backups, backups, backups and contingency plans
• Know how to respond and where to get help
Expectations for the Future

• Culture
• Targets
• Goals
• Damage

Summary

• There is no 100% solution or panacea
• Takes more than technology to have a solution
– Policy
– Procedures
– Education

Some Information Resources

• Anti-virus vendors
• NIPC and other CERTs
  http://www.nipc.gov
  http://www.cert.org
  http://www.fedcirc.gov
  http://www.sans.org
• Virus Bulletin
  http://www.virusbtn.com
• The Wildlist Organization
  http://www.wildlist.org
• Virus Hoax Web Site
  http://www.vmyths.com
• European Institute for Computer Anti-Virus Research (EICAR)
  http://www.eicar.org
• Anti-Virus Information Exchange Network (AVIEN)
  http://www.avien.net

Additional Resources

• “The Generic Virus Writer” and other papers by Sarah Gordon
  http://www.badguys.org/
• Short Course on Computer Viruses, 2nd Edition by Fred Cohen
• “Free Macro Protection Techniques” by Chengi Jimmy Kuo, Network Associates
  http://download.nai.com/products/media/vil/pdf/free_AV_tips_techniques.pdf
• Computer Viruses Demystified
  http://www.sophos.com/sophos/docs/eng/refguide/viru_ben.pdf
• Viruses Revealed by Robert Slade, David Harley, et al.
End of Presentation

Questions?
