As the Internet becomes more and more integrated into everyday lives, we must learn how to defend ourselves against new types of online attacks.

While viruses remain a threat, today's hackers commonly use vicious multi-layered attacks, such as a worm in a chat message that displays a link to a Web page infected with a Trojan horse. "Worms" have been found that tunnel through programs, uncovering new vulnerabilities and reporting them back to hackers. The hackers then quickly assemble malware (malicious software) from pre-made components, exploiting the vulnerability before the majority of people can download a fix.

Below you will find the best tips that you can employ to protect yourself against these emerging sophisticated, multi-faceted threats.

What Can Malware Do to My PC?

Malware opens up backdoors on infected systems, giving hackers direct access to the hijacked PC. In this scenario, a hacker can use the infected PC to upload personal information to a remote system, or to turn the PC into a remotely controlled bot used in criminal activity.

Hackers are designing their attacks to target specific high-value victims instead of simply launching mass-mailing worms and viruses. These programs are being created specifically for data theft.

What About P2P?

Peer-to-peer (P2P) networking has become a launching pad for viruses. Attackers incorporate spyware, viruses, Trojan horses, and worms into their free downloads. One of the most dangerous features of many P2P programs is the "browse host" feature that allows others to directly connect to your computer and browse through file shares.

P2P can accidentally give access to logins, user IDs and passwords; Quicken files and credit reports; personal information such as letters, chat logs, cookies, and emails; and medical records you accidentally house in accessible folders on your PC.
As with email and instant messages, viruses in P2P files are capable of weaving their way through as many users as they can, stealing information and delivering it to cybercriminals who forge identities and commit fraud.

Best Tips to Defend Against Viruses and Worms

You must safeguard your PC. Following these basic rules will help you protect you and your family whenever you go online.

1. Protect your computer with strong security software and keep it updated. McAfee Total Protection for Small Business provides proven PC protection from Trojans, hackers, and spyware. Its integrated anti-virus, anti-spyware, firewall, anti-spam, anti-phishing, and backup technologies work together to combat today's advanced multi-faceted attacks. It scans disks, email attachments, files downloaded from the Web, and documents generated by word processing and spreadsheet programs.

2. Use a security-conscious Internet service provider (ISP) that implements strong anti-spam and anti-phishing procedures.

3. Enable automatic Windows® updates or download Microsoft® updates regularly to keep your operating system patched against known vulnerabilities. Install patches from other software manufacturers as soon as they are distributed. A fully patched computer behind a firewall is the best defense against Trojan and spyware installation.

4. Use caution when opening attachments. Configure your anti-virus software to automatically scan all email and instant message attachments. Make sure your email program doesn't automatically open attachments or automatically render graphics, and ensure that the preview pane is turned off. Never open unsolicited emails, or attachments that you're not expecting—even from people you know.

5. Be careful when engaging in peer-to-peer (P2P) file-sharing. Trojans hide within file-sharing programs waiting to be downloaded. Use the same precautions when downloading shared files that you do for email and instant messaging. Avoid downloading files with the extensions .exe, .scr, .lnk, .bat, .vbs, .dll, .bin, and .cmd.

6. Use security precautions for your PDA, cell phone, and Wi-Fi devices. Viruses and Trojans arrive as an email/IM attachment, are downloaded from the Internet, or are uploaded along with other data from a desktop. Cell phone viruses and mobile phishing attacks are in the beginning stages, but will become more common as more people access mobile multimedia services and Internet content directly from their phones. Always use a PIN code on your cell phone, and never install or download mobile software from an unknown source.

7. Configure your instant messaging application correctly. Make sure it does not open automatically when you fire up your computer.

8. Beware of spam-based phishing schemes. Don't click on links in emails or IM.

9. Back up your files regularly and store the backups somewhere besides your PC. If you fall victim to a virus attack, you can recover photos, music, movies, and personal information like tax returns and bank statements.

10. Stay aware of current virus news by checking sites like McAfee® Avert® Threat Center.
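Tip 5 names the extensions to avoid, and the IRChelp material later on this page adds that only the last extension counts because Windows hides it by default. The following is an added example, not part of the original document and not McAfee's software, that turns those two rules into a small screening function for download and attachment names. The decoy-extension list and the sample names are assumptions constructed for the demonstration (two of the names are the trojan file names quoted later on the page).

```python
"""Screen a file name before opening a download or e-mail attachment.

Added example for the tip list above (not code from the original document).
It applies two rules the list gives: refuse the risky extensions it names,
and judge a file by its last extension only, because Windows hides that
last extension by default and so "susie.jpg.exe" shows up as "susie.jpg".
The decoy-extension list and the sample names are assumptions constructed
for the demonstration.
"""
from pathlib import PurePosixPath

# Extensions the tip list above says to avoid downloading.
RISKY_EXTENSIONS = {".exe", ".scr", ".lnk", ".bat", ".vbs", ".dll", ".bin", ".cmd"}

# Extensions that look harmless to a reader of the file name (assumed list);
# a decoy followed by a risky extension is the double-extension disguise.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf",
                    ".mp3", ".avi", ".zip"}


def screen_filename(name: str) -> dict:
    """Classify one file name as 'allow' or 'block' and explain why.

    'visible_as' is what Windows Explorer shows for the file when the
    "hide extensions for known file types" default is on.
    """
    base = PurePosixPath(name.strip().replace("\\", "/")).name
    suffixes = [s.lower() for s in PurePosixPath(base).suffixes]  # e.g. ['.jpg', '.exe']
    last = suffixes[-1] if suffixes else ""
    visible_as = base[: -len(last)] if last else base

    if last not in RISKY_EXTENSIONS:
        return {"name": base, "visible_as": visible_as, "verdict": "allow",
                "reason": "extension is not on the risky list"}

    if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTENSIONS:
        reason = (f"double extension: Explorer shows '{visible_as}' "
                  f"but the file runs as {last}")
    else:
        reason = f"executable extension {last} is on the risky list"
    return {"name": base, "visible_as": visible_as, "verdict": "block", "reason": reason}


def screen_all(names):
    """Screen a batch of names and return only the blocked verdicts."""
    return [v for v in (screen_filename(n) for n in names) if v["verdict"] == "block"]


# Constructed sample batch: two names are the trojan examples quoted later on
# this page, the rest are made up for the demonstration.
SAMPLE_DOWNLOADS = [
    "holiday.jpg",
    "susie.jpg.exe",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "dmsetup.exe",
    "report.pdf",
    "README",
]

if __name__ == "__main__":
    for verdict in (screen_filename(n) for n in SAMPLE_DOWNLOADS):
        print(f"{verdict['verdict']:5}  {verdict['name']:30}  {verdict['reason']}")
```

The check deliberately ignores everything before the final dot when deciding whether a file can execute; the earlier extensions only matter for explaining to the user why the name looked safe.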
A macro virus is a computer virus that "infects" a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. Macro viruses tend to be surprising but relatively harmless. A typical effect is the undesired insertion of some comic text at certain points when writing a line. A macro virus is often spread as an e-mail virus. A well-known example in March, 1999 was the Melissa virus.

Melissa is a fast-spreading macro virus that is distributed as an e-mail attachment that, when opened, disables a number of safeguards in Word 97 or Word 2000, and, if the user has the Microsoft Outlook e-mail program, causes the virus to be resent to the first 50 people in each of the user's address books. While it does not destroy files or other resources, Melissa has the potential to disable corporate and other mail servers as the ripple of e-mail distribution becomes a much larger wave. On Friday, March 26, 1999, Melissa caused the Microsoft Corporation to shut down incoming e-mail. Intel and other companies also reported being affected. The U.S. Department of Defense-funded Computer Emergency Response Team (CERT) issued a warning about the virus and developed a fix.

How Melissa Works

Melissa arrives in an attachment to an e-mail note with the subject line "Important Message from [the name of someone]," and body text that reads "Here is that document you asked for...don't show anyone else ;-)". The attachment is often named LIST.DOC. If the recipient clicks on or otherwise opens the attachment, the infecting file is read to computer storage. The file itself originated in an Internet alt.sex newsgroup and contains a list of passwords for various Web sites that require memberships.

The file also contains a Visual Basic script that copies the virus-infected file into the normal.dot template file used by Word for custom settings and default macros. It also creates this entry in the Windows registry:
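The slide does not reproduce the Melissa entry, but the lesson it shares with the Trojan section further down this page is that malware writes a marker or autostart entry into the registry so that it survives a reboot. As an added example (not code from the original document, and not the Melissa entry itself), the script below parses a constructed regedit text export of the Run autostart keys and flags entries that match a few assumed review heuristics: a program in a user-writable folder, a double extension, or a core Windows process name living outside the Windows directory. The Run key paths are standard Windows locations; the sample export and the heuristics are my own assumptions.

```python
"""Audit the Windows Run autostart keys from a .reg export.

Added example; not code from the original document, and it does not show
the Melissa registry entry. It applies the generic lesson from the Melissa
and Trojan sections: malware that wants to survive a reboot commonly writes
an autostart entry under the registry Run keys. Exporting those keys from
regedit (File > Export gives a text .reg file) and reading the export
offline lets you review every autostart command. The sample export below
is constructed, and the suspicion rules are assumptions, not rules from
the page.
"""
import re
from pathlib import PureWindowsPath

# Constructed .reg export: one benign vendor entry, one entry that borrows a
# system process name but runs from a temp folder, one double-extension file,
# and one genuine Windows component.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"Updater"="C:\\Users\\alice\\Downloads\\photo.jpg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"""

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

# Names of core Windows processes that malware likes to borrow (assumed list).
SYSTEM_PROCESS_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".dll"}


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Yield (key, value_name, value_data) for every string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_LINE.match(line)
        if m and key:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def image_path(command: str) -> str:
    """Extract the program path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def suspicion_reasons(path: str):
    """Return the heuristics the program path trips (empty list = nothing odd)."""
    reasons = []
    lowered = path.lower()
    p = PureWindowsPath(lowered)
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        reasons.append("runs from a user-writable location")
    if len(p.suffixes) > 1 and p.suffix in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension on the program name")
    if p.name in SYSTEM_PROCESS_NAMES and not lowered.startswith("c:\\windows\\"):
        reasons.append("system process name outside the Windows directory")
    return reasons


def audit_run_keys(reg_text: str):
    """Return one finding per Run-key entry that trips at least one heuristic."""
    findings = []
    for key, name, command in parse_reg_export(reg_text):
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        path = image_path(command)
        reasons = suspicion_reasons(path)
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print("   ", r)
```

A hit from these heuristics is a prompt to look closer, not proof of infection: legitimate updaters do sometimes run from AppData, which is why the finding carries the full path and every reason it tripped rather than a single verdict.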
What is Identity Theft?

Identity theft, also known as ID theft, is a crime in which a criminal obtains key pieces of personal information, such as Social Security or driver's license numbers, in order to pose as someone else. The information can be used to obtain credit, merchandise, and services using the victim's name. Identity theft can also provide a thief with false credentials for immigration or other applications. One of the biggest problems with identity theft is that very often the crimes committed by the identity theft expert are attributed to the victim.

There are two main types of identity theft – account takeover and true name theft. Account takeover identity theft refers to the type of situation where an imposter uses the stolen personal information to gain access to the person's existing accounts. Often the identity thief will use the stolen identity to acquire even more credit products by changing your address so that you never see the credit card bills that the thief runs up.

True name identity theft means that the thief uses personal information to open new accounts. The thief might open a new credit card account, establish cellular phone service, or open a new checking account in order to obtain blank checks. The Internet has made it easier for an identity thief to use the information they've stolen because transactions can be made without any real verification of someone's identity. All a thief really needs today is a series of correct numbers to complete the crime. Companies like LifeLock can monitor if a thief has gotten access to and used any of your personal information.

Trojan

In the IT world, a Trojan horse is used to enter a victim's computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing great damage to the victim. A Trojan can be a hidden program that runs on your computer without your knowledge, or it can be 'wrapped' into a legitimate program, meaning that this program may therefore have hidden functions that you are not aware of.

How a Trojan works

Trojans typically consist of two parts, a client part and a server part. When a victim (unknowingly) runs a Trojan server on his machine, the attacker then uses the client part of that Trojan to connect to the server module and start using the Trojan. The protocol usually used for communications is TCP, but some Trojan functions use other protocols, such as UDP, as well. When a Trojan server runs on a victim's computer, it (usually) tries to hide somewhere on the computer; it then starts listening for incoming connections from the attacker on one or more ports, and attempts to modify the registry and/or use some other auto-starting method.

It is necessary for the attacker to know the victim's IP address to connect to his/her machine. Many Trojans include the ability to mail the victim's IP and/or message the attacker via ICQ or IRC. This system is used when the victim has a dynamic IP, that is, every time he connects to the Internet, he is assigned a different IP (most dial-up users have this). ADSL users have static IPs, meaning that in this case, the infected IP is always known to the attacker; this makes it considerably easier for an attacker to connect to your machine.

Most Trojans use an auto-starting method that allows them to restart and grant an attacker access to your machine even when you shut down your computer. Trojan writers are constantly on the hunt for new auto-starting methods and other such tricks, making it hard to keep up with their new discoveries in this area. As a rule, attackers start by "joining" the Trojan to some executable file that you use very often, such as explorer.exe, and then proceed to use known methods to modify system files or the Windows Registry.

For an in-depth look at the different types of Trojans, why they pose a danger to corporate networks, and how to protect your network against them, please click here.

Trojan Horse Attacks

If you were referred here, you may have been "hacked" by a Trojan horse attack. It's crucial that you read this page and fix yourself immediately. Failure to do so could result in being disconnected from the IRC network, letting strangers access your private files, or worse yet, allowing your computer to be hijacked and used in criminal attacks on others.

by Joseph Lo aka Jolo, with much help from countless others
This page is part of IRChelp.org's security section at http://www.irchelp.org/irchelp/security/
updated Feb 5, 2006

Contents:
I. What is a Trojan horse?
II. How did I get infected?
III. How do I avoid getting infected in the future?
IV. How do I get rid of trojans?!?
Appendices

I. What is a Trojan horse?

Trojan horse attacks pose one of the most serious threats to computer security. If you were referred here, you may have not only been attacked but may also be attacking others unknowingly. This page will teach you how to avoid falling prey to them, and how to repair the damage if you already did.
According to legend, the Greeks won the Trojan war by hiding in a huge, hollow wooden horse to sneak into the fortified city of Troy. In today's computer world, a Trojan horse is defined as a "malicious, security-breaking program that is disguised as something benign". For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to commit illegal denial of service attacks like those that have virtually crippled the DALnet IRC network for months on end.

The following general information applies to all operating systems, but by far most of the damage is done to/with Windows users due to its vast popularity and many weaknesses.

(Note: Many people use terms like Trojan horse, virus, worm, hacking and cracking all interchangeably, but they really don't mean the same thing. If you're curious, here's a quick primer defining and distinguishing them. Let's just say that once you are "infected", trojans are just as dangerous as viruses and can spread to hurt others just as easily!)

II. How did I get infected?

Trojans are executable programs, which means that when you open the file, it will perform some action(s). In Windows, executable programs have file extensions like "exe", "vbs", "com", "bat", etc. Some actual trojan filenames include: "dmsetup.exe" and "LOVE-LETTER-FOR-YOU.TXT.vbs" (when there are multiple extensions, only the last one counts; be sure to unhide your extensions so that you see it). More information on risky file extensions may be found at this Microsoft document.

Trojans can be spread in the guise of literally ANYTHING people find desirable, such as a free game, movie, song, etc. Victims typically downloaded the trojan from a WWW or FTP archive, got it via peer-to-peer file exchange using IRC/instant messaging/Kazaa etc., or just carelessly opened some email attachment. Trojans usually do their damage silently. The first sign of trouble is often when others tell you that you are attacking them or trying to infect them!

III. How do I avoid getting infected in the future?

You must be certain of BOTH the source AND content of each file you download! In other words, you need to be sure that you trust not only the person or file server that gave you the file, but also the contents of the file itself.

Here are some practical tips to avoid getting infected (again).
For more general security information, please see our main security help page.

1. NEVER download blindly from people or sites which you aren't 100% sure about. In other words, as the old saying goes, don't accept candy from strangers. If you do a lot of file downloading, it's often just a matter of time before you fall victim to a trojan.

2. Even if the file comes from a friend, you still must be sure what the file is before opening it, because many trojans will automatically try to spread themselves to friends in an email address book or on an IRC channel. There is seldom reason for a friend to send you a file that you didn't ask for. When in doubt, ask them first, and scan the attachment with a fully updated anti-virus program.

3. Beware of hidden file extensions! Windows by default hides the last extension of a file, so that innocuous-looking "susie.jpg" might really be "susie.jpg.exe" - an executable trojan! To reduce the chances of being tricked, unhide those pesky extensions.

4. NEVER use features in your programs that automatically get or preview files. Those features may seem convenient, but they let anybody send you anything, which is extremely reckless. For example, never turn on "auto DCC get" in mIRC; instead ALWAYS screen every single file you get manually. Likewise, disable the preview mode in Outlook and other email programs.

5. Never blindly type commands that others tell you to type, or go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts (not even popular ones). If you do so, you are potentially trusting a stranger with control over your computer, which can lead to trojan infection or other serious harm.

6. Don't be lulled into a false sense of security just because you run anti-virus programs. Those do not protect perfectly against many viruses and trojans, even when fully up to date. Anti-virus programs should not be your front line of security, but instead they serve as a backup in case something sneaks onto your computer.

7. Finally, don't download an executable program just to "check it out" - if it's a trojan, the first time you run it, you're already infected!

IV. How do I get rid of trojans?!?

Here are your many options; none of them are perfect. I strongly suggest you read through all of them before rushing out and trying to run some program blindly. Remember - that's how you got in this trouble in the first place. Good luck!

1. Clean Re-installation: Although arduous, this will always be the only sure way to eradicate a trojan or virus. Back up your entire hard disk, reformat the disk, re-install the operating system and all your applications from original CDs, and finally, if you're certain they are not infected, restore your user files from the backup. If you are not up to the task, you can pay for a professional repair service to do it.

2. Anti-Virus Software: Some of these can handle most of the well known trojans, but none are perfect, no matter what their advertising claims. You absolutely MUST make sure you have the very latest update files for your programs, or else they will miss the latest trojans.
Compared to traditional viruses, today's trojans evolve much quicker and come in many seemingly innocuous forms, so anti-virus software is always going to be playing catch up. Also, if they fail to find every trojan, anti-virus software can give you a false sense of security, such that you go about your business not realizing that you are still dangerously compromised. There are many products to choose from, but the following are generally effective: AVP, PC-cillin, and McAfee VirusScan. All are available for immediate downloading, typically with a 30 day free trial. For a more complete review of all major anti-virus programs, including specific configuration suggestions for each, see the HackFix Project's anti-virus software page [all are ext. links]. When you are done, make sure you've updated Windows with all security patches [ext. link].

3. Anti-Trojan Programs: These programs are the most effective against trojan horse attacks, because they specialize in trojans instead of general viruses. A popular choice is The Cleaner, $30 commercial software with a 30 day free trial. To use it effectively, you must follow hackfix.org's configuration suggestions [ext. link]. When you are done, make sure you've updated Windows with all security patches [ext. link], then change all your passwords because they may have been seen by every "hacker" in the world.

4. IRC Help Channels: If you're the type that needs some hand-holding, you can find trojan/virus removal help on IRC itself, such as EFnet #dmsetup or DALnet #NoHack. These experts will try to figure out which trojan(s) you have and offer you advice on how to fix it. The previous directions were in fact adapted from advice given by EFnet #dmsetup. (See our networks page if you need help connecting to those networks.)

Appendices:

These files were referred to in the text above, and provide additional information.
IRChelp.org Security Page
Hacker / Cracker / Trojan / Virus? - A Primer on Terminology
How to unhide Windows file extensions

Why Use A Rootkit?

A rootkit allows someone, either legitimate or malicious, to maintain command and control over a computer system, without the computer system user knowing about it. This means that the owner of the rootkit is capable of executing files and changing system configurations on the target machine, as well as accessing log files or monitoring activity to covertly spy on the user's computer usage.

Is A Rootkit Malware?

That may be debatable. There are legitimate uses for rootkits by law enforcement or even by parents or employers wishing to retain remote command and control and/or the ability to monitor activity on their employees' / children's computer systems. Products such as eBlaster or Spector Pro are essentially rootkits which allow for such monitoring.

However, most of the media attention given to rootkits is aimed at malicious or illegal rootkits used by attackers or spies to infiltrate and monitor systems. But, while a rootkit might somehow be installed on a system through the use of a virus or Trojan of some sort, the rootkit itself is not really malware.

Detecting A Rootkit

Detecting a rootkit on your system is easier said than done. Currently, there is no off-the-shelf product to magically find and remove all of the rootkits of the world like there is for viruses or spyware.

There are various ways to scan memory or file system areas, or look for hooks into the system from rootkits, but not many of them are automated tools, and those that are often focus on detecting and removing a specific rootkit. Another method is just to look for bizarre or strange behavior on the computer system.
If there are suspicious things going on, you might be compromised by a rootkit. Of course, you might also just need to clean up your system using tips from a book like Degunking Windows.

In the end, many security experts suggest a complete rebuild of a system compromised by a rootkit or suspected of being compromised by a rootkit. The reason is, even if you detect files or processes associated with the rootkit, it is difficult to be 100% sure that you have in fact removed every piece of the rootkit. Peace of mind can be found by completely erasing the system and starting over.
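The detection section above names two approaches without showing either: scanning file system areas, and looking for hooks that make a rootkit's files disappear from normal listings. The script below is an added example, not code from the original article or from any product it mentions. Its file-integrity part runs for real on a scratch directory the script creates, takes a hash baseline, tampers with the tree, and reports what changed; its cross-view part works on two constructed name listings that stand in for an API directory listing and a raw enumeration, because a rootkit-resistant raw disk walk is outside what can be shown here. All file names and contents are constructed for the demonstration.

```python
"""Two checks behind the rootkit-detection advice above: a file-integrity
baseline ("scan file system areas") and a cross-view comparison ("look for
hooks into the system"). Added example, not code from the original article.
The baseline part runs on a scratch directory this script creates; the
cross-view part uses two constructed listings that stand in for what an API
listing and a raw enumeration would return. Names and contents are made up.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large system files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files whose hash changed, files that vanished, and files that appeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def cross_view_hidden(api_view, raw_view) -> list:
    """Names present in the low-level view but absent from the API view.

    A rootkit that hooks directory listing hides entries from the API view;
    a raw enumeration still sees them, so the difference is the suspect set.
    """
    return sorted(set(raw_view) - set(api_view))


def demo() -> dict:
    """Build a scratch tree, take a baseline, tamper with it, and run both checks."""
    root = Path(tempfile.mkdtemp(prefix="rootkit-demo-"))
    try:
        files = {
            "system/kernel.sys": b"kernel image v1",
            "system/shell.exe": b"shell binary v1",
            "docs/notes.txt": b"user notes",
        }
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        baseline = build_baseline(root)

        # Constructed tampering: patch a binary, drop a new module, remove a file.
        (root / "system/shell.exe").write_bytes(b"shell binary v1 + injected hook")
        (root / "system/hidden.dll").write_bytes(b"new module")
        (root / "docs/notes.txt").unlink()
        report = compare_to_baseline(root, baseline)

        # Constructed listings standing in for the API view and a raw view.
        api_view = ["kernel.sys", "shell.exe"]
        raw_view = ["kernel.sys", "shell.exe", "hidden.dll"]
        report["hidden_from_api"] = cross_view_hidden(api_view, raw_view)
        return report
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind:16} {items}")
```

The baseline is only as trustworthy as the machine that took it and the place it is stored: the hashes should be recorded while the system is known clean and kept off the host, otherwise a rootkit that already controls the file system can rewrite the baseline along with the files. That is the same reasoning the article gives for preferring a full rebuild once a compromise is suspected.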
Protecting Yourself From Rootkits

As mentioned above regarding detecting rootkits, there is no packaged application to guard against rootkits. It was also mentioned above that rootkits, while they may be used for malicious purposes at times, are not necessarily malware.

Many malicious rootkits manage to infiltrate computer systems and install themselves by propagating with a malware threat such as a virus. You can safeguard your system from rootkits by ensuring it is kept patched against known vulnerabilities, that antivirus software is updated and running, and that you don't accept files from or open email file attachments from unknown sources. You should also be careful when installing software and read carefully before agreeing to EULAs (end user license agreements), because some may state overtly that a rootkit of some sort will be installed.

So what does a Rootkit do?

What it does do is provide access to all your folders – both private data and system files – to a remote user who, through administrative powers, can do whatever he wants with your computer. Needless to say, every user should be aware of the threat they pose.

Rootkits generally go much deeper than the average virus. They may even infect your BIOS – the part of your computer that's independent of the Operating System – making them harder to remove. And they may not even be Windows-specific; even Linux or Apple machines could be affected. In fact, the first rootkit ever written was for Unix!
Is this a new phenomenon?

No, not at all. The earliest known rootkit is in fact two decades old. However, now that every home and every work desk has a computer that is connected to the internet, the possibilities for using the full potential of a rootkit are only just being realized.

Possibly the most famous case so far was in 2005, when CDs sold by Sony BMG installed rootkits without user permission that allowed any user logged in at the computer to access the administrator mode. The purpose of that rootkit was to enforce copy protection (called "Digital Rights Management" or DRM) on the CDs, but it compromised the computer it was installed on. This process could easily be hijacked for malicious purposes.

What makes it different from a virus?

Most often, rootkits are used to control and not to destroy. Of course, this control could be used to delete data files, but it can also be used for more nefarious purposes.

More importantly, rootkits run at the same privilege levels as most antivirus programs. This makes them that much harder to remove, as the computer cannot decide which program has a greater authority to shut down the other.
  • 12. So how I might get infected with a rootkit?As mentioned above, a rootkit may piggyback along with software that you thought youtrusted. When you give this software permission to install on your computer, it also inserts aprocess that waits silently in the background for a command. And, since to give permissionyou need administrative access, this means that your rootkit is already in a sensitive locationon the computer.Another way to get infected is by standard viral infection techniques – either through shareddisks and drives with infected web content. This infection may not easily get spotted becauseof the silent nature of rootkits.There have also been cases where rootkits came pre-installed on purchased computers. Theintentions behind such software may be good – for example, anti-theft identification orremote diagnosis – but it has been shown that the mere presence of such a path to the systemitself is a vulnerability.So, that was about what exactly is a rootkit and how does it creep in to computer. In my nextarticle I‘ll discuss how to defend your computer from rootkits – from protection tocleaning up.Previous post: 3 Useful Chrome Extensions to Capture Screenshot of a WebpageNext post: Windows 7 Problem Steps Recorder Makes Troubleshooting Windows ErrorsEasier 5 Cool Latest Posts o How to Create a Picture Password in Windows 8 o How to Add Computer Icon to Windows 8 Start Menu, Desktop & Windows Explorer o 4 Useful Tools to Delete Locked Files In Windows o How to Open Word, Excel (.doc, .docx, xlsx etc) Files Without MS Office Installed o How to Personalize the New Windows 8 Charm Bar D AILY ILY EMAIL UP DAT ES:What is the difference between viruses, worms, and Trojans? What is a virus? A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria: It must execute itself. It often places its own code in the path of execution of another program. 
It must replicate itself. For example, it may replace other executable files with a copy of the virus-infected file. Viruses can infect desktop computers and network servers alike. Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video, and audio messages. Even these "benign" viruses can create problems for the computer user: they take up memory used by legitimate programs, which often causes erratic behavior and system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

Five recognized types of viruses

File infector viruses
File infector viruses infect program files. These viruses normally infect executable code, such as .com and .exe files. They can infect other files when an infected program is run from a floppy disk, a hard drive, or the network. Many of these viruses are memory resident: once memory is infected, any non-infected executable that runs becomes infected. Examples of known file infector viruses include Jerusalem and Cascade.

Boot sector viruses
Boot sector viruses infect the system area of a disk, that is, the boot record on floppy disks and hard disks. All floppy disks and hard disks (including disks containing only data) contain a small program in the boot record that is run when the computer starts up. Boot sector viruses attach themselves to this part of the disk and activate when the user attempts to start up from the infected disk. These viruses are always memory resident. Most were written for DOS, but all PCs, regardless of operating system, are potential targets, because the boot record runs before the operating system is loaded. All that is required to become infected is to attempt to start your computer with an infected floppy disk in the drive. Thereafter, while the virus remains in memory, every floppy disk that is not write-protected will become infected when it is accessed. Examples of boot sector viruses are Form, Disk Killer, Michelangelo, and Stoned.

Master boot record viruses
Master boot record viruses are memory-resident viruses that infect disks in the same manner as boot sector viruses. The difference between the two types is where the viral code is located. Master boot record infectors normally save a legitimate copy of the master boot record in a different location. Windows NT computers infected by either boot sector or master boot record viruses will not boot, because Windows NT accesses its boot information differently from Windows 98/Me. If your Windows NT system is formatted with FAT partitions, you can usually remove the virus by booting to DOS and using antivirus software. If the boot partition is NTFS, the system must be recovered using the three Windows NT Setup disks. Examples of master boot record infectors are NYB, AntiExe, and Unashamed.

Multipartite viruses
Multipartite (also known as polypartite) viruses infect both boot records and program files. These are particularly difficult to repair: if the boot area is cleaned but the files are not, the boot area will be reinfected, and if the files are cleaned but the virus is not removed from the boot area, the cleaned files will be reinfected. Both locations have to be disinfected before the virus gets a chance to run again. Examples of multipartite viruses include One_Half, Emperor, Anthrax, and Tequila.

Macro viruses
Macro viruses infect data files. They are the most common type and have cost corporations the most money and time in repairs. With the advent of Visual Basic for Applications in Microsoft Office 97, a macro virus can be written that not only infects data files but other files as well. Macro viruses infect Microsoft Office Word, Excel, PowerPoint, and Access files, and newer strains are turning up in other programs. All of these viruses use another program's internal programming language, which was created to allow users to automate tasks within that program. Because of the ease with which these viruses can be created, thousands are now in circulation. Examples of macro viruses include W97M.Melissa, WM.NiceDay, and W97M.Groov.

What is a Trojan horse?
Trojan horses are impostors: files that claim to be something desirable but are in fact malicious. A very important distinction between Trojan horse programs and true viruses is that Trojan horses do not replicate themselves. They contain malicious code that, when triggered, causes loss or even theft of data. For a Trojan horse to spread, you must invite the program onto your computer, for example by opening an email attachment or by downloading and running a file from the Internet. Trojan.Vundo is a Trojan horse.
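The macro virus class above, and the later observation that a Word macro warning does not by itself mean the macro is malicious, both come down to the same triage question: does this document carry VBA at all, and if so, is any of it wired to run on open? The following Python is an added example, not code from Symantec or from any source on this page. It assumes a modern Office Open XML container (.docm/.xlsm/.pptm, a zip archive with a vbaProject.bin part), which postdates the Office 97 era the text describes; the auto-execute names it looks for (AutoOpen, Document_Open, Workbook_Open and so on) are the well-known VBA entry points, and the three sample files are constructed in memory rather than real documents.

```python
"""Check whether an Office Open XML document carries VBA macros, and whether
any of them appear to be wired to run automatically when the file is opened.

Added example; not part of the original page.  Assumptions: the input is a
.docm/.xlsm/.pptm zip container; AUTO_EXEC_NAMES are the usual VBA entry points.
"""
import io
import re
import zipfile
from typing import Optional

# Procedures that Office runs without the user invoking anything.  Case-insensitive.
AUTO_EXEC_NAMES = (
    "AutoOpen", "AutoExec", "AutoClose", "AutoNew", "AutoExit",
    "Document_Open", "Document_Close", "Document_New",
    "Workbook_Open", "Workbook_Activate", "Auto_Open", "Auto_Close",
)
_AUTO_RE = re.compile(
    "|".join(re.escape(n) for n in AUTO_EXEC_NAMES).encode(), re.IGNORECASE
)


def inspect_office_zip(data: bytes) -> dict:
    """Return {'is_zip', 'has_macros', 'macro_parts', 'auto_exec'} for one file."""
    result = {"is_zip": False, "has_macros": False, "macro_parts": [], "auto_exec": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # legacy OLE .doc/.xls, or not an Office file at all
    result["is_zip"] = True
    for name in zf.namelist():
        # VBA lives in vbaProject.bin under word/, xl/ or ppt/.  Its mere presence
        # is the reliable "has macros" signal.
        if name.lower().endswith("vbaproject.bin"):
            result["has_macros"] = True
            result["macro_parts"].append(name)
            blob = zf.read(name)
            # Heuristic: real module streams are MS-OVBA compressed, so a plain
            # byte search can miss names; a production tool decompresses first.
            hits = {m.group(0).decode(errors="replace") for m in _AUTO_RE.finditer(blob)}
            result["auto_exec"].extend(sorted(hits))
    return result


def triage(data: bytes) -> str:
    """Collapse the inspection into one of four verdicts for a mail gateway."""
    info = inspect_office_zip(data)
    if not info["is_zip"]:
        return "not-ooxml"
    if not info["has_macros"]:
        return "clean"
    return "auto-exec-macro" if info["auto_exec"] else "macro-present"


def _make_sample(vba: Optional[bytes]) -> bytes:
    """Construct a minimal .docm-like zip in memory (test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if vba is not None:
            zf.writestr("word/vbaProject.bin", vba)
    return buf.getvalue()


# Constructed samples: no macro, a macro a user must trigger, and an auto-run macro.
NO_MACRO = _make_sample(None)
BENIGN_MACRO = _make_sample(b'Attribute VB_Name = "Module1"\nSub FormatReport()\nEnd Sub\n')
AUTO_MACRO = _make_sample(b'Sub AutoOpen()\n  Shell "cmd /c ..."\nEnd Sub\n')

if __name__ == "__main__":
    for label, blob in (("no macro", NO_MACRO), ("benign", BENIGN_MACRO), ("auto", AUTO_MACRO)):
        print(f"{label:10s} -> {triage(blob)}")
```

The verdict that matters for a gateway is the split between "macro-present" (the document asks for a warning and a human decision, exactly the situation the Word prompt describes) and "auto-exec-macro" (the code runs the moment the file is opened, which is how Melissa-style macro viruses spread).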
What is a worm?
Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside other files, often Word or Excel documents, there is a difference in how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside it. The entire document travels from computer to computer, so the entire document should be considered the worm. W32.Mydoom.AX@mm is an example of a worm.

What is a virus hoax?
Virus hoaxes are messages, almost always sent by email, that amount to little more than chain letters. Following are some of the common phrases used in these hoaxes:

    If you receive an email titled [email virus hoax name here], do not open it! Delete it immediately! It contains the [hoax name] virus. It will delete everything on your hard drive and [extreme and improbable danger specified here]. This virus was announced today by [reputable organization name here]. Forward this warning to everyone you know!

Most virus hoax warnings do not deviate far from this pattern. If you are unsure whether a virus warning is legitimate or a hoax, additional information is available in the Symantec Security Response online database.

What is not a virus?
Because of the publicity that viruses have received, it is easy to blame any computer problem on a virus. The following are not likely to be caused by a virus or other malicious code:

Hardware problems: No virus can physically damage computer hardware, such as chips, boards, and monitors.

The computer beeps at startup with no screen display: This is usually caused by a hardware problem during the boot process. Consult your computer documentation for the meaning of the beep codes.

The computer does not register 640 KB of conventional memory: This can be a sign of a virus, but it is not conclusive. Some hardware drivers, such as those for the monitor or a SCSI card, can use some of this memory. Consult your computer manufacturer or hardware vendor to determine if this is the case.

You have two antivirus programs installed and one of them reports a virus: This might be a virus, but it can also be caused by one antivirus program detecting the other program's signatures in memory. For additional information, see "Should you run more than one antivirus program at the same time?"

Microsoft Word warns you that a document contains a macro: This does not mean that the macro is a virus.

You cannot open a particular document: This is not necessarily an indication of a virus. Try opening another document or a backup of the document in question. If other documents open correctly, the document may be damaged.

The label on a hard drive has changed: Every disk is allowed to have a label. You can assign a label to a disk by using the DOS Label command or from within Windows.

When you run ScanDisk, Norton AntiVirus Auto-Protect reports virus-like activity: For instructions on what to do, read Alert: "Virus Like Activity detected. The application . . . is attempting to write to the file . . . What would you like to do?"

Additional information
For the most up-to-date information on viruses, go to the Symantec Security Response online database.
To submit a file or disk that you suspect is infected with a virus, please read one of the following documents:
    Submitting a file to Symantec Security Response over the Internet or on a floppy disk
    Submitting a file to Symantec Security Response using Scan and Deliver

What is safe computing?
With all the hype, it is easy to believe that viruses lurk in every file, every email, every Web site. However, a few basic precautions can minimize your risk of infection. Practice safe computing and encourage everyone you know to do so as well.

General precautions
    Do not leave a floppy disk in the floppy disk drive when you shut down or restart the computer.
    Write-protect your floppy disks after you have finished writing to them.
    Be suspicious of email attachments from unknown sources.
    Verify that attachments have been sent by the author of the email. Newer viruses can send email messages that appear to be from people you know.
    Do not set your email program to "auto-run" attachments.
    Obtain all Microsoft security updates.
    Back up your data frequently. Keep the write-protected media in a safe place, preferably in a different location than your computer.

Specific to Norton AntiVirus
    Make sure that you have the most recent virus definitions. We recommend that you run LiveUpdate at least once per week. Symantec Security Response updates virus definitions in response to new virus threats. For additional information, please see How to Run LiveUpdate.
    Make sure that you have set Norton AntiVirus to scan floppy disks on access and at shutdown. Please see your User's Guide for information on how to do this in your version of Norton AntiVirus.
    Always keep Norton AntiVirus Auto-Protect running.
    Symantec Security Response now strongly recommends that you set Norton AntiVirus to scan all files, not just program files.
    Scan all new software before you install it. Because boot sector viruses spread by floppy disks and bootable CDs, every floppy disk and CD should be scanned for viruses. Shrink-wrapped software, demo disks from suppliers, and trial software are not exempt from this rule. Viruses have been found even on retail software.
    Scan all media that someone else has given you.
    Use caution when opening email attachments. Email attachments are a major source of virus infections. Microsoft Office attachments for Word, Excel, and Access can be infected by macro viruses. Other attachments can contain file infector viruses. Norton AntiVirus Auto-Protect will scan these attachments for viruses as you open or detach them. We recommend that you enable email scanning, which scans email attachments before the message is passed to your email program.

Nine ways how hackers propagate malware (1 of 2)
Mar 24th, 2009 by carrumba

Malware propagation is one of the most fascinating parts of an attacker's activities and attracts, besides the anger of the affected people, the most attention. It is the part where all the magic of infection and intrusion happens, where attackers release the malicious software into the wild and try to infect new victim systems as quickly or as targeted as possible; their victims are left wondering how the heck that could have happened.

The goal of this article is to give you an overview of how and where attackers release malware. It shows the common infection points where people first come into contact with malware, and what action the software has to execute to initiate the infection process.

Method 1: Sending the Trojan horse as an email attachment
One of the oldest but still very effective ways people get infected is via email, by opening an attached file. Email is the most used way people communicate over the Internet.
Almost everyone owns an email address and uses it regularly. It is easy to use and accessible from anywhere you have Internet access. Today, most email services are free, too.

As already mentioned, sending malware as an email attachment was a propagation method in the early days. The attacker prepared the Trojan horse, sent it to all the recipients on his list and waited until the infected systems connected back. Simple and straightforward. The only thing the recipient (the victim) had to do was double-click the attachment to initiate the infection process. Back in those days antivirus software was not as widespread as it is nowadays, and people were not as cautious about or sensitised to this kind of threat. Many email users were only a double-click away from infection.

Today AV software is installed on virtually every computer and people are aware of the threat, yet this way of propagation still works surprisingly well. Things have only become slightly more difficult. AV software no longer lets *.exe, *.com, *.bat or *.pif attachments through, and it also checks archives such as *.zip or *.rar files for executable files; if they contain files with suspicious extensions it raises a warning and interrupts the execution. But because there is still a big mass of potential victims among email users who stubbornly ignore any kind of warning, the infection rate is still high, and for an attacker this archaic means is still promising and valuable.

Method 2: Infection via browser bugs
The browser is doubtlessly the most used application on a computer. We use it to surf the Internet, to check our mail of course, to chat, and many programs people once installed locally are now loaded into the browser, ready to use, for example word processors or spreadsheets. Browsers have great importance, and over the years their functionality and extensions have grown and changed their usage enormously. With this quick development and the ability to install plugins, the attack surface grew too. Code reviews were conducted more often, not only on the browsers but also on the plugins, and revealed many critical and not so critical bugs. These circumstances also attracted the attackers' attention and opened new ways to spread their malware. By leading a victim to a site that contains malicious HTML, scripting or plugin code, an attacker can force the victim's browser to execute hidden actions, download and install the damage routine of the Trojan horse, and infect the system that way.

This is much more convenient than the variant with the infected attachment.
An email containing a simple link to a homepage doesn't seem suspicious, and additionally it is a one-click infection (instead of a double-click).

Method 3: Removable data storage devices
There was once a time when classic computer virus propagation happened by sharing infected floppy discs and executing program files. To share and to execute was simply the only method. Even if floppy disks are no longer in use as a data storage device (maybe you're still using one as a boot device), the method itself is still in use. In the meantime CD-ROMs and USB memory sticks have replaced floppy discs almost completely, and Microsoft introduced the Autorun feature, which executes commands automatically when a data storage device is newly connected. This combination of removable storage devices and autoexecution revived the ancient propagation method, and USB memory sticks and CD-ROMs/DVDs served, besides being data storage media, as hosts to infect computers with malware.

Here is an example of how the file autorun.inf has to look:

    [autorun]
    open=installMegapanzer.exe
    icon=myIcon.ico

The open= line names the program in the root of the medium that Windows runs (or offers to run, depending on the Windows version and drive type) when the medium is inserted; the icon= line only changes the icon Explorer shows for the drive, which helps the medium look harmless.

This way of malware propagation was used a lot in the past, and Microsoft as well as installed third-party software will now trigger an alert if a data storage device uses the autorun feature. So this method is not that reliable anymore and has its restrictions.

Additionally, and worth mentioning: a Trojan horse itself can, once running on a victim's system, infect other writable USB data storage devices and so propagate in the old known manner, as happened with floppy disks. Ancient but proven.

Method 4: File sharing networks
Another common way to propagate malware is to use the various Internet-based file sharing networks like BitTorrent, eMule, LimeWire etc. An attacker tries to get hold of a new release of a popular piece of software and injects his malicious code into the genuine software package. After this initial infection the attacker offers the infected file to other users for download.

There are two advantages to this method:
    If a victim downloads the infected file, he is "expecting" an executable file and doesn't become suspicious just because of its file extension. He will execute it after downloading.
    Once the file has been downloaded by the first victim, its availability has doubled: two people now offer the infected file for download. All the attacker has to do is make sure he is using a popular piece of software, and the propagation will advance at a fast pace.

What's coming up in the second article
The goal of the first part was to describe the methods attackers use to propagate their malware by distributing it in an active way, by sending "something" to the victims and expecting them to execute an action with this "something". These ways are well known to all of us because the media permanently informs us about the threats we are exposed to and the latest incidents that happened, and gives us the relevant background information.
In the next article I will give you an understanding of how to inject malware into a victim's browsing session by taking over and controlling his data stream. More subliminal, more state

Data-stealing malware
Data-stealing malware is a web threat that divests victims of personal and proprietary information with the purpose of monetizing stolen data through direct use or underground distribution. Content security threats that fall under this umbrella include keyloggers, screen scrapers, spyware, adware, backdoors, and bots. The term does not refer to activities such as spam, phishing, DNS poisoning, SEO abuse, etc. However, when these threats result in a file download or direct installation, as most hybrid attacks do, the files that act as agents to proxy information fall into the data-stealing malware category.

Characteristics of data-stealing malware

Does not leave traces of the event
    The malware is typically stored in a cache that is routinely flushed
    The malware may be installed via a drive-by download process
    The website hosting the malware, as well as the malware itself, is generally temporary or rogue
Frequently changes and extends its functions
    It is difficult for antivirus software to detect final payload attributes due to the combination(s) of malware components
    The malware uses multiple levels of file encryption

Thwarts Intrusion Detection Systems (IDS) after successful installation
    There are no perceivable network anomalies
    The malware hides in web traffic
    The malware is stealthier in terms of traffic and resource use

Thwarts disk encryption
    Data is stolen during decryption and display
    The malware can record keystrokes, passwords, and screenshots

Thwarts Data Loss Prevention (DLP)
    Leakage protection hinges on metadata tagging; not everything is tagged
    Miscreants can use encryption to port data

Examples of data-stealing malware
    Bancos, an info stealer that waits for the user to access banking websites, then spoofs pages of the bank website to steal sensitive information.
    Gator, spyware that covertly monitors web-surfing habits, uploads data to a server for analysis, then serves targeted pop-up ads.
    LegMir, spyware that steals personal information such as account names and passwords related to online games.
    Qhost, a Trojan that modifies the Hosts file so that banking site names resolve to attacker-controlled addresses instead of being looked up in DNS, then serves a spoofed login page to steal login credentials for those financial institutions.

Data-stealing malware incidents
    Albert Gonzalez (not to be confused with the former U.S. Attorney General Alberto Gonzales) is accused of masterminding a ring that used malware to steal and sell more than 170 million credit card numbers in 2006 and 2007, the largest computer fraud in history at the time. Among the firms targeted were BJ's Wholesale Club, TJX, DSW Shoes, OfficeMax, Barnes & Noble, Boston Market, Sports Authority and Forever 21.[19]
    A Trojan horse program stole more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc.'s job search service. The data was used by cybercriminals to craft phishing emails targeted at Monster.com users to plant additional malware on users' PCs.[20]
    Customers of Hannaford Bros. Co., a supermarket chain based in Maine, were victims of a data security breach involving the potential compromise of 4.2 million debit and credit cards. The company was hit by several class-action lawsuits.[21]
    The Torpig Trojan has compromised and stolen login credentials from approximately 250,000 online bank accounts as well as a similar number of credit and debit cards. Other information such as email and FTP accounts from numerous websites has also been compromised and stolen.

The trends appear quite similar to the month prior: the most popular encyclopedia entry is still Bancos, and we still have several Vundo pages in the list. We covered Vundo last month, so I'll go into a little more detail about the Bancos trojan.

Bancos is a password-stealing trojan that originally targeted Brazilian online banking users. It's a relatively old and diverse family; we've been detecting it for several years now and have seen thousands of unique samples. We first added it to MSRT in September 2006. We've seen Bancos distributed via virtually all the usual propagation vectors: spam emails, browser exploits, P2P, IRC, disguised as other software, dropped by other malware, just to name a few.

Bancos exhibits a wide variety of behaviors; however, essentially all variants attempt to steal banking or financial passwords using one (or several) common techniques. Some examples of these techniques include redirecting users to fake pages, monitoring keystrokes, interfering with browsers, searching for cached passwords, etc.

After it has started, Bancos typically will search the system for cached passwords and then remain memory resident, waiting for a browser window with a title that it's been instructed to look for. If a victim visits a page with a page title that the trojan is looking for, it will typically either capture data or present the user with a false version of the page, enabling it to capture the victim's credentials.

Once found, credentials are transmitted back to the distributor (often via email or FTP). We've seen quite a few samples using mail servers belonging to large web-mail providers to send the stolen credentials, often to yet another web-based e-mail account.

The bottom line is: change your passwords regularly, particularly after finding (and removing) any malware running on your system.
Even if the threat is removed, your passwords may have already been leaked. :(
Characteristics
Malware is multi-functional and modular: there are many kinds of malware that can be used together or separately to achieve a malicious actor's goal. New features and additional capabilities are easily added to malware to alter and "improve" its functionality and impact.[12] Malware can insert itself into a system, compromise the system, and then download additional malware from the Internet that provides increased functionality. Malware can be used to control an entire host[13] or network, it can bypass security measures such as firewalls and anti-virus software, and it can use encryption to avoid detection or conceal its means of operation.

Malware is available and user-friendly: malware is available online at a nominal cost, making it possible for almost anyone to acquire. There is even a robust underground market for its sale and purchase. Furthermore, malware is user-friendly and provides attackers with the capability to launch sophisticated attacks beyond their skill level.

Malware is part of a broader cyber attack system: malware is being used both as a primary form of cyber attack and to support other forms of malicious activity and cybercrime such as spam and phishing. Conversely, spam and phishing can be used to further distribute malware.

How does malware work
Malware is able to compromise information systems due to a combination of factors that include insecure operating system design and related software vulnerabilities. Malware works by running or installing itself on an information system, manually or automatically.[17] Software may contain vulnerabilities, or "holes" in its fabric, caused by faulty coding.
Software may also be improperly configured, have functionality turned off, be used in a manner not compatible with its suggested uses, or be improperly configured with other software.

Many types of malware such as viruses or trojans require some level of user interaction to initiate the infection process, such as clicking on a web link in an e-mail, opening an executable file attached to an e-mail or visiting a website where malware is hosted. Once security has been breached by the initial infection, some forms of malware automatically install additional functionality such as spyware (e.g. a keylogger), a backdoor, a rootkit or any other type of malware, known as the payload.[18]

Social engineering,[19] in the form of e-mail messages that are intriguing or appear to be from legitimate organisations, is often used to convince users to click on a malicious link or download malware. For example, users may think they have received a notice from their bank, or a virus warning from the system administrator, when they have actually received a mass-mailing worm. Other examples include e-mail messages claiming to be an e-card from an unspecified friend, to persuade users to open the attached "card" and download the malware. Malware can also be downloaded from web pages unintentionally by users. A recent study by Google that examined several billion URLs and included an in-depth analysis of 4.5 million found that, of that sample, 700 000 seemed malicious and 450 000 were capable of launching malicious downloads.[20] Another report found that only about one in five websites analysed was malicious by design. This has led to the conclusion that about 80% of all web-based malware is being hosted on innocent but compromised websites, unbeknownst to their owners.[21]
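The 80% figure means that most drive-by downloads are served from otherwise legitimate pages into which the attacker has injected a reference to his own host. The Python below is an added example, not code from the OECD report or from any other source on this page; it checks a page for the most common shape such an injection takes: an iframe or script tag whose source is off-site, typically hidden with zero dimensions or display:none, or written into the page at runtime by an obfuscated inline script so that a static search for "<iframe" misses it. The sample HTML and the hostnames (shop.example, bad-host.invalid) are constructed for the example, and the heuristics are assumptions about what an injected page looks like, not a complete drive-by detector.

```python
"""Flag off-site, hidden iframes/scripts in an HTML page: a common indicator of
a compromised (not malicious-by-design) site being used to host drive-by code.

Added example, not from any source on the page.  Sample HTML and hostnames are
constructed; the heuristics are assumptions, not a complete detector.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Style tricks used to keep the injected frame out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class InjectionScanner(HTMLParser):
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (kind, src, reason)
        self._in_script = False
        self._script_buf = []

    def _off_site(self, src: str) -> bool:
        """True if src has a host that is neither the site nor one of its subdomains."""
        host = urlsplit(src).hostname
        if not host:
            return False  # relative URL: belongs to the site itself
        host = host.lower()
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            reasons = []
            src = a.get("src", "")
            if self._off_site(src):
                reasons.append("off-site src")
            try:
                if int(a.get("width", "1")) == 0 or int(a.get("height", "1")) == 0:
                    reasons.append("zero size")
            except ValueError:
                pass  # e.g. width="100%"; not a numeric hide
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden by style")
            if reasons:
                self.findings.append(("iframe", src, ", ".join(reasons)))
        elif tag == "script":
            src = a.get("src", "")
            if src and self._off_site(src):
                self.findings.append(("script", src, "off-site src"))
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            # Injected code often builds the iframe at runtime, or hides it behind
            # unescape()/eval() of a percent-encoded string.
            if re.search(r"document\.write\s*\(.*iframe", body, re.I | re.S) or \
               re.search(r"unescape\s*\(\s*['\"]%[0-9a-f]{2}", body, re.I):
                self.findings.append(("script", "(inline)", "runtime iframe/obfuscated body"))


def scan_html(html: str, site_host: str):
    """Return the list of (kind, src, reason) findings for one page."""
    p = InjectionScanner(site_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a shop page with its own assets and a CDN subdomain (benign),
# plus one injected hidden iframe and one injected obfuscated script before </body>.
SAMPLE = """<html><head><title>Shop</title>
<script src="/js/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="/help/faq.html" width="600" height="400"></iframe>
<iframe src="http://bad-host.invalid/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://bad-host.invalid/x%22%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, src, why in scan_html(SAMPLE, "shop.example"):
        print(f"{kind:7s} {src:45s} {why}")
```

Run against a site's own pages, a check like this catches the injection class the report describes; it says nothing about what the framed host serves, which is why the hit is a lead for incident response rather than a verdict.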
Stealing information
Over the past five years, information theft, and in particular online identity (ID) theft,[50] has been an increasing concern to business, governments, and individuals. Although malware does not always play a direct role,[51] ID theft directly using malware has become increasingly common with the rise of backdoor trojans and other stealthy programmes that hide on a computer system and capture information covertly.

As illustrated in Figure 1, online ID theft attacks using malware can be complex and can use multiple Internet servers to distribute spam and malware, compromise users' information systems, and then log the stolen data to another website controlled by the attacker or send it to the attacker's e-mail account. Generally, the attacker operates under multiple domain names and multiple IP addresses for each domain name and rapidly rotates them over the life of the attack (for example see botnet hosted malware sites #1 and #2 in Figure 1).[52] The use of multiple domain names and multiple hosts or bots (and their associated IP addresses) is designed to increase the time available for capturing the sensitive information and to reduce the effectiveness of efforts by affected organisations (such as banks), CSIRTs and ISPs to shut down fraudulent sites. Under the domain name system (DNS) attackers are able to quickly and easily change their DNS tables[53] to reassign new IP addresses to fraudulent web and logging sites operating under a particular domain.[54] The effect is that as one IP address is closed down, it is trivial for the site to remain active under another IP address in the attacker's DNS table. For example, in a recent case IP addresses operating under a single domain name changed on an automated basis every 30 minutes, and newer DNS services have made it possible to reduce this time to five minutes or less. Attackers may use legitimate existing domains to host their attacks, or register specially created fraudulent domains. The only viable mitigation response to the latter situation is to seek deregistration of the domain.[55]

Notes
[50] See DSTI/CP(2007)3/FINAL, where identity theft is defined as the unlawful transfer, possession, or misuse of personal information with the intent to commit, or in connection with, a fraud or other crime.
[51] Identity theft attacks most often use social engineering techniques to convince the user to disclose information to what they assume is a trusted source. This technique, known as phishing, does not directly rely on the use of malware to work. It uses deceptive or "spoofed" e-mails and fraudulent websites impersonating brand names of banks, e-retailers and credit card companies to deceive Internet users into revealing personal information. However, as many phishing attacks are launched from spam e-mails sent from botnets, malware is indirectly involved, as it is used to create the botnets which are in turn used to send the spam e-mail used in phishing attacks. Malware would be directly implicated when the spam e-mails contained embedded malware or a link to a website where malware would be automatically downloaded.
[52] This is a technique known as "fast flux".
[53] A DNS table provides a record of domain names and matching IP addresses.
[54] See Annex B for a discussion on attacks using the DNS and attacks against the DNS.
[55] AusCERT (2006) p. 19-20.
DSTI/ICCP/REG(2007)5/FINAL
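The rotation described above (one hostname, many IP addresses, a new set every 30 minutes or less) is what note 52 calls fast flux, and it is visible to a defender from DNS answers alone. The Python below is an added example, not from the OECD report: given a series of A-record lookups for a hostname, it scores the name on how short the TTL is and on how many distinct addresses and distinct /16 networks it returned, and flags names that show all three indicators. The observations are constructed (documentation-range addresses, fictional names; a real tool would issue the queries with a resolver library), the /16 prefix stands in for an ASN lookup, and the thresholds are assumptions chosen for illustration.

```python
"""Score DNS observations for fast-flux behaviour: low TTL plus many distinct
A records spread across unrelated networks.

Added example, not from the OECD text.  Observations are constructed; the
thresholds (TTL < 300 s, >= 5 addresses, >= 3 distinct /16s) are assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Observation:
    """One answer from a DNS lookup: name, TTL in seconds, A records returned."""
    name: str
    ttl: int
    addresses: Tuple[str, ...]


def summarise(observations: Iterable[Observation]) -> Dict[str, dict]:
    """Aggregate per name: minimum TTL seen, distinct IPs, distinct /16 prefixes."""
    agg: Dict[str, dict] = defaultdict(lambda: {"min_ttl": None, "ips": set(), "nets": set()})
    for o in observations:
        s = agg[o.name.lower().rstrip(".")]
        s["min_ttl"] = o.ttl if s["min_ttl"] is None else min(s["min_ttl"], o.ttl)
        for a in o.addresses:
            ip = ipaddress.ip_address(a)
            s["ips"].add(str(ip))
            # /16 as a rough proxy for "a different network"; production tools map
            # each address to its ASN instead.
            s["nets"].add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
    return agg


def fast_flux_score(summary: dict, *, max_ttl: int = 300, min_ips: int = 5, min_nets: int = 3) -> int:
    """0 = nothing unusual .. 3 = every indicator present."""
    score = 0
    if summary["min_ttl"] is not None and summary["min_ttl"] < max_ttl:
        score += 1          # records expire fast, so resolvers keep asking
    if len(summary["ips"]) >= min_ips:
        score += 1          # many hosts answer for one name
    if len(summary["nets"]) >= min_nets:
        score += 1          # ...and they sit in unrelated networks (bots, not a cluster)
    return score


def flag_fast_flux(observations: Iterable[Observation], threshold: int = 3) -> List[str]:
    """Names whose score reaches the threshold, sorted."""
    agg = summarise(observations)
    return sorted(n for n, s in agg.items() if fast_flux_score(s) >= threshold)


# Constructed observations.  A large CDN also has a low TTL and many IPs, which
# makes it the hardest benign case; its addresses come from one network, so the
# /16 indicator separates it from the flux name.
OBS = [
    Observation("login-secure.example.net.", 180, ("192.0.2.10", "198.51.100.7", "203.0.113.44")),
    Observation("login-secure.example.net.", 120, ("192.0.2.11", "198.51.100.9", "203.0.113.45", "203.0.113.46")),
    Observation("login-secure.example.net.", 60, ("192.0.2.12", "198.51.100.22")),
    Observation("www.bank.example.", 3600, ("192.0.2.50",)),
    Observation("www.bank.example.", 3600, ("192.0.2.50",)),
    Observation("static.cdn.example.", 60, ("198.51.100.1", "198.51.100.2", "198.51.100.3",
                                            "198.51.100.4", "198.51.100.5", "198.51.100.6")),
]

if __name__ == "__main__":
    for name, s in sorted(summarise(OBS).items()):
        print(f"{name:28s} ttl={s['min_ttl']:5d} ips={len(s['ips']):2d} "
              f"nets={len(s['nets'])} score={fast_flux_score(s)}")
    print("flagged:", flag_fast_flux(OBS))
```

A score of 3 is a takedown lead, not proof: the defender still has to confirm what the rotating hosts serve, and the note's point stands that when the attacker registered the domain himself, the only durable response is to have the name itself removed rather than chasing individual addresses.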
• 24.
[56] AusCERT (2006) at 7.6

Origin of malware attack

Malware is now spread around the world and rankings[60] tend to show that a whole host of countries across the developed and the developing world are home to online criminals using malware. Although attacks originating from one country may have local targets, the predominant trend is attacks that originate internationally relative to their targets. In addition, geography may play a role depending on the end goal of the attacker. For example, broadband Internet speeds differ from country to country.
If an attacker wishes to maximise network damage, he/she may use compromised computers located in countries where broadband is prevalent. If the goal is to degrade service or steal information over time, the attacker may use compromised computers from a variety of geographical locations. Geographical distribution allows for increased anonymity of attacks and impedes identification, investigation and prosecution of attackers.

[95] See "Malware: Why should we be concerned?" for a discussion of the impacts from malware.

Basic economic rationale for malware

E-mail is not at an economic equilibrium between the sender and the recipient because it costs virtually nothing to send. All the costs of dealing with spam and malware are passed on to the Internet provider and the "unwilling" recipients, who are charged for protective measures, bandwidth and other connection costs, on top of the costs of repairing the computer or having lost money to scams. At the same time, criminals minimise their costs to the extreme: they pay no tax, escape the cost of running a genuine business, and pay commission only to others in criminal circles worldwide and at a comparatively low price. The cost to malicious actors continues to decrease as freely available e-mail storage space increases. Further, the use of botnets makes it easier and even cheaper to send malware through e-mail. Today's criminals often have access to cheap techniques for harvesting e-mail addresses as well as easy access to malware and outsourced spamming services. Anti-detection techniques are constantly evolving to make it cheaper to operate, and malicious actors can easily switch ISPs if their activity is detected and their service terminated. Both the malware itself and the compromised computers being used to further launch malware attacks are a low cost, readily available and easily renewable resource. High speed Internet connections and increased bandwidth allow for the mass creation of compromised information systems that comprise a self sustaining attack system as illustrated by Figure 7. Furthermore, malicious actors can replace compromised information systems that have been disconnected or cleaned, and they can expand the number of compromised information systems as the demand for resources (namely malware and compromised information systems) for committing cybercrime also grows.
• 25.
Figure 7. Self sustaining attack system using malware

Note: this figure shows how malware is used to create a self sustaining resource of compromised computers that serve as the backbone of malicious online activity and cybercrime. Information systems connected to the Internet can become infected with malware. Those information systems are then used to scan and compromise other information systems.

MALWARE: WHY SHOULD WE BE CONCERNED?

The growth of malware, and the increasingly inventive ways in which it is being used to steal personal data, conduct espionage, harm government and business operations, or deny user access to information and services, is a potentially serious threat to the Internet economy, to the ability to further e-government for citizen services, to individuals' online social activities, and to national security.

Malware-enabling factors

The capabilities of malware make it a prevalent "cybercriminal tool". However, broader economic and social factors may contribute to its increased occurrences and the robust state of the malware economy. The following describes some of those factors which, while they bring important benefits to society, also facilitate the existence and promulgation of malware.

Broadband Internet and its users

In 2005, the International Telecommunication Union estimated 216 708 600 "fixed" broadband Internet subscribers in the world.[98] Furthermore, it is generally agreed that there are an average of 1 000 000 000 Internet users in the world today. As the number of subscribers and users increases, so does the number of available targets for malware. The increased prevalence of high speed Internet and the availability of broadband wireless connections make it easy for malicious actors to successfully carry out attacks as they can compromise computers at faster rates, use the bandwidth to send massive amounts of spam and conduct DDoS attacks.
Furthermore, these "always on" connections allow malicious actors to be mobile and to attack from any location including public places such as Internet cafes, libraries, coffee shops or even from a PDA or mobile phone device.[99] Operating from public places allows attackers to conduct their activities anonymously thus making it difficult to detect and trace their activities.

It is important to note that while broadband technologies are an enabling factor, it is the behaviours associated with these technologies that are problematic. For example, people often fail to adopt appropriate security measures when using broadband technologies and therefore leave their connection open without the appropriate security software installed.[100]

Ever more services available on line

Most governments, consumers and businesses depend on the Internet to conduct their daily business. In 2004, the OECD found that, in most OECD countries, over 90% of businesses with 250 or more employees had access to the Internet. Firms with 50 to 249 employees also had very high rates of access.[101] Home users rely on the Internet for their day to day activities including shopping, banking or simply exchanging information and conducting e-government and e-commerce transactions. As the amount of these services continues to increase, so does the likely community of users accessing these services on line.

[98] International Telecommunications Union (ITU) (2007) p. 23.
[99] McAfee Inc. (2007) p. 02 and 10.
[100] This could be the case for any Internet connection, broadband or otherwise.
[101] OECD (2005) E-7.
• 26.
This in turn increases the available targets for attack or exploitation which provides further incentive for criminals to conduct malicious activity.

Operating system and software vulnerabilities

The more vulnerable the technology, the more likely it is to be exploitable through malware. For example, the security firm Symantec[102] reported a 12% increase in the number of known vulnerabilities from the first half of 2006 (January – June 2006) to the second half (June – December 2006) which they largely attribute to the continued growth of vulnerabilities in web applications. Microsoft also reported an increase of nearly 2 000 disclosed vulnerabilities from 2005 to 2006.[103] The increase in vulnerabilities corresponds to an increase in incidents. Microsoft reported an increase in the number of machines disinfected by its Malicious Software Removal Tool from less than 4 million at the beginning of 2005 to more than 10 million at the end of 2006.[104] It is important to note that the absence of known reported vulnerabilities in a software product does not necessarily make that product more secure than one that has known reported vulnerabilities – it may simply be that similar effort has not been expended to find them. In addition, tools that find and exploit vulnerabilities are improving; companies are doing more reporting of vulnerabilities and more people or "researchers" than ever are probing software to find vulnerabilities. Finally, the greater complexity of software - more interconnecting functions that need to work with an ever growing universe of other software - further increases the potential for vulnerabilities.

[102] Symantec (2007) p. 38.
[103] Microsoft (2006b) p. 8.
[104] Microsoft (2006b) p. 20-21.
[105] OECD (2007c) p. 33 – 34.
[106] Brendler, Beau (2007) p. 4.
[107] European Commission Eurobarometer (2007) p. 89.

Easy to target average Internet user

As the reliance of home users and small to medium sized enterprises (SMEs) on the Internet increases, so do the malware threats they face. Consumers and business are increasingly exposed to a new range of complex, targeted attacks that use malware to steal their personal and financial information.

Many Internet users are not adequately informed about how they can securely manage their information systems. This lack of awareness and subsequent action or inaction contributes to the increasing prevalence of malware. Most malware requires some form of user action or acceptance to propagate. Recent surveys from various organisations show that while more users are taking measures to protect their information systems, a large percentage of the population lacks basic protective measures. For example, a 2005 report commissioned by the Australian Government, Trust and Growth in the Online Environment, found that only one in seven computers in Australia use a firewall and about one in three use up-to-date virus protection software.[105] Furthermore, it is estimated that 59 million users in the US have spyware or other types of malware on their computers.[106]

• 27.
The European Commission's Eurobarometer E-communications Household survey[107] observed an increase in consumer concerns about spam and viruses in 2006. For some EU Member States, up to 45% of consumers had experienced significant problems. In 40% of the cases, the computer performance decreased significantly, in 27% of the cases a breakdown was observed. In the same survey, 19% of consumers had no protection system at all on their computers. Other data also suggests that home users are the most targeted of all the sectors[108] accounting for 93% of all targeted attacks[109] and thus highlighting that weak user security is one important enabler of malware.

[125] Denning, Dorothy (2000).
[126] Poulsen, Kevin (2003).
[127] United States Nuclear Regulatory Commission (2003).
[128] United States District Court Northern District Of Illinois Eastern Division (2007).
[129] A recent OECD Report: The Development of Policies to Protect the Critical Information Infrastructure highlights this point. See DSTI/ICCP/REG(2007)20/FINAL.
[130] U.S.-Canada Power System Outage Task Force Final Report p. 131.
[131] Greene, Tim (2007).
[132] OECD (2007c) pg. 7.

Challenges to fighting malware

Protecting against, detecting and responding to malware has become increasingly complex as malware and the underlying criminal activity which it supports are rapidly evolving and taking advantage of the global nature of the Internet. Many organisations and individuals do not have the resources, skills or expertise to prevent and/or respond effectively to malware attacks and the associated secondary crimes which flow from those attacks such as identity theft, fraud and DDoS. In addition, the scope of one organisation's control to combat the problem of malware is limited.

Many security companies report an inability to keep up with the overwhelming amounts of malware despite committing significant resources to analysis.
One vendor dedicates 50 engineers to analysing new malware samples and finding ways to block them, but notes that this is almost an impossible task, with about 200 new samples per day and growing.[131] Another company reported it receives an average of 15 000 files – and as many as 70 000 – per day from their product users as well as CSIRTs and others in the security community.[132] When samples and files are received, security companies undertake a process to determine if the file is indeed malicious. This is done by gathering data from other vendors, conducting automated analysis, or by conducting manual analysis when other methods fail to determine the malicious nature of the code. One vendor estimated that each iteration of this cycle takes about 40 minutes and that they release an average of 10 updates per day.[133] Furthermore, there are many security vendors who all have different insights into the malware problem.

• 28.
Most security technologies such as anti-virus or anti-spyware products are signature-based, meaning they can only detect those pieces of malware for which an identifier, known as a "signature", already exists and has been deployed. There is always a time lag between when new malware is released by attackers into the "wild", when it is discovered, when anti-virus vendors develop their signatures, and when those signatures are updated onto users' and organisations' information systems. Attackers actively seek to exploit this period of heightened vulnerability. It is widely accepted that signature based solutions such as anti-virus programs are largely insufficient to combat today's complex and prevalent malware.

[133] OECD (2007c) pg. 7.
[134] Information provided to the OECD by CERT.br, the national CSIRT for Brazil.
[135] One website provides a survey of cybercrime legislation that documented 77 countries with some existing cybercrime law. See http://www.cybercrimelaw.net/index.html.
[136] United States Department of Justice Computer Crime & Intellectual Property Section.
[137] Green, Tim (2007a).
For example, one analysis[134] that explores antivirus detection rates for 17 different anti-virus vendors reveals that, on average, only about 48.16% of malware was detected. Circumstantial evidence such as this indicates that attackers are actively testing new malware creations against popular anti-virus programs to ensure they stay undetected.

In addition, malicious actors exploit the distributed and global nature of the Internet as well as the complications of law and jurisdiction bound by traditional physical boundaries to diminish the risks of being identified and prosecuted. For example, a large portion of data trapped by attackers using keyloggers is transmitted internationally to countries where laws against cybercrime are nascent, non-existent or not easily enforceable. Although countries across the globe have recognised the seriousness of cybercrime and many have taken legislative action to help reprimand criminals, not all have legal frameworks that support the prosecution of cyber criminals.[135] The problem however is even more complicated as information may be compromised in one country by a criminal acting from another country through servers located in a third country, all together further complicating the problem.

Law enforcement agencies throughout the world have made efforts to prosecute cyber criminals. For example, the Computer Crime and Intellectual Property Section of the US Department of Justice has reported the prosecution of 118 computer crime cases from 1998 – 2006.[136] Although global statistics on arrests are hard to determine, one company estimated worldwide arrests at 100 in 2004, several hundred in 2005 and then 100 again in 2006.[137] While these cases did not necessarily involve malware, they help illustrate the activities of the law enforcement community. It is important to note that the individuals prosecuted are usually responsible for multiple attacks. These figures are low considering the prevalence of online incidents and crime.
They highlight the complex challenges faced by law enforcement in investigating cybercrime.

Furthermore, the volatile nature of electronic evidence and the frequent lack of logged information can often mean that evidence is destroyed by the time law enforcement officers can get the necessary warrants to recover equipment. The bureaucracy of law enforcement provides good checks and balances, but is often too slow to cope with the speed of electronic crime. Additionally, incident responders often do not understand the needs of law enforcement and accidentally destroy electronic evidence.

• 29.
Today, the benefits of malware seem to be greater for attackers than the risks of undertaking the criminal activity. Cyberspace offers criminals a large number of potential targets and ways to derive income from online victims. It also provides an abundant supply of computing resources that can be harnessed to facilitate this criminal activity. Both the malware and compromised information systems being used to launch the attacks have a low cost, are readily available and frequently updated. High speed Internet connections and increased bandwidth allow for the mass compromise of information systems that renew and expand the self sustaining attack system. By contrast, communities engaged in fighting malware face numerous challenges that they cannot always address effectively.
• 30.
MALWARE: WHAT TO DO?

Many would agree that the damage caused by malware is significant and needs to be reduced although its economic and social impacts may be hard to quantify. That said, several factors should be considered in assessing what action to take, and by whom, against malware. These include: the roles and responsibilities of the various participants,[138] the incentives under which they operate as market players as well as the activities already undertaken by those communities more specifically involved in fighting malware.

Roles of individual, business and government participants - Highlights

Malware affects individuals, business and government in different ways. All those participants can play a role in preventing, detecting, and responding to malware with varying levels of competence, resource, roles and responsibilities, as called for in the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (the "OECD Security Guidelines"). Better understanding the roles and responsibilities of the various participants in relation to malware is important to assessing how to enhance the fight against malware.

[138] According to the 2002 OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, "participants" refers to governments, businesses, other organisations and individual users who develop, own, provide, manage, service and use information systems and networks.
Among the various participants, those concerned by malware are:

- Users (home users, small and medium-sized enterprises (SMEs), public and private sector organisations) whose data and information systems are potential targets and who have different levels of competence to protect them.
- Software vendors, who have a role in developing trustworthy, reliable, safe and secure software.
- Anti-virus vendors, who have a role in providing security solutions to users (such as updating anti-virus software with the latest information on malware).
- Internet Service Providers (ISPs), who have a role in managing the networks to which the aforementioned groups connect for access to the Internet.
- Domain name registrars and regulators, who determine if a domain is allowed to be registered and potentially have the power to deregister a domain that is used to commit fraud or other criminal activity, including, for example, the distribution of malware.
- CSIRTs, frequently the national or leading ones (often government), which have a role, for example, in detecting, responding to and recovering from security incidents and issuing security bulletins about the latest computer network threats or vulnerabilities associated with malware attacks; or in co-ordinating nationally and internationally the resolution of computer network attacks affecting its constituency or emanating from its constituency.
- Law enforcement entities, which have a mandate to investigate and prosecute cybercrime.
- Government agencies, which have a role to manage risks to the security of government information systems and the critical information infrastructure.
- Governments and inter-governmental organisations, which have a role in developing national and international policies and legal instruments to enhance prevention, detection and response to malware proliferation and its related crimes.
• 32.
Malware attack trends

The dynamic nature of malware keeps most security experts constantly on the lookout for new types of malware and new vectors for attack. Due to the complex technical nature of malware, it is helpful to examine overall attack trends to better understand how attacks using malware are evolving. As mentioned previously, the use of malware is becoming more sophisticated and targeted. Attackers are using increasingly deceptive social engineering techniques to entice users to seemingly legitimate web pages that are actually infected and/or compromised with malware. Figure 2 illustrates the types of attack that seem to be on the increase, those that are falling out of favour, and those for which the trend remains unclear or not changed.

ANNEX D - EXAMPLES OF MALWARE PROPAGATION VECTORS
• 33.
- E-mail: Malware can be "mass mailed" by sending out a large number of e-mail messages, with malware attached or embedded. There are numerous examples of successful malware propagated through mass-mailers largely due to the ability of malicious actors to use social engineering to spread malware rapidly across the globe.
- Web: Attackers are increasingly using websites to distribute malware to potential victims. This relies on spam e-mail to direct users to a website where the attacker has installed malware capable of compromising a computer by simply allowing a browser connection to the website. If the website is a legitimate and popular site, users will go there of their own accord allowing their computers to potentially become infected/compromised without the need for spam e-mail to direct them there. There are two methods of infection via the web: compromise an existing web site to host malware; or set up a dedicated site to host malware on a domain specially registered for that purpose.
- Instant messengers: Malware can propagate via instant messaging services on the Internet by sending copies of itself through the file transfer feature common to most instant messenger programmes. Instant messages could also contain web links that direct the user to another site hosting downloadable malware. Once a user clicks on a link displayed in an instant messenger dialog box, a copy of the malware is automatically downloaded and executed on the affected system.
- Removable media: If malware is installed on removable media, such as a USB stick or CD-ROM, it can infect and/or propagate by automatically executing as soon as it is connected to another computer.
- Network-shared file systems: A network share is a remotely accessible digital file storage facility on a computer network. A network share can become a security liability for all network users when access to the shared files is gained by malicious actors or malware, and the network file sharing facility included within the operating system of a user's computer has been otherwise compromised.
- P2P programmes: Some malware propagates itself by copying itself into folders it assumes to be shared (such as those with "share" in the folder name), or for which it activates sharing, and uses an inconspicuous or invisible file name (usually posing as legitimate software, or as an archived image).
- Internet Relay Chat (IRC): IRC is a form of Internet chat specifically designed for group communications in many topical "channels," all of which are continuously and anonymously available from any location on the Internet. Many "bot masters" (as the malefactors who operate networks of malware-infected/compromised machines are often called; see the chapter "The Malware Internet: Botnets") use IRC as the central command and control (C&C) communications channel for co-ordinating and directing the actions of the bot infected/compromised information systems in their "botnet."
- Bluetooth: Bluetooth is a wireless networking protocol that allows devices like mobile phones, printers, digital cameras, video game consoles, laptops and PCs to connect at very short distances, using unlicensed radio spectrum. Because the security mechanisms implemented in Bluetooth devices tend to be trivially bypassed, such devices are vulnerable to malware through attack techniques which have been called "bluejacking" or "bluesnarfing." A Bluetooth device is most vulnerable to this type of attack when a user's connection is set to "discoverable" which allows it to be found by other nearby Bluetooth devices.
• 34.
What is Spam?

Spam in a general sense is any email you don't want to receive. There are many types of email that you may not want, e.g. advertisements, newsletters, or questionnaires; however these emails are not what the computer community refers to as spam. What the computer community is most concerned with is illegal email spam.

My definition of illegal email spam is -- attempts to deceive by falsification of seller identity or email address, and use of other trickery (defrauding), in the hope of gaining monetary advantage (stealing) from the email recipient and other parties.

The Federal Trade Commission's definition of spam: "Not all UCE is fraudulent, but fraud operators - often among the first to exploit any technological innovation - have seized on the Internet's capacity to reach literally millions of consumers quickly and at a low cost through UCE. In fact, UCE has become the fraud artist's calling card on the Internet. Much of the spam in the Commission's database contains false information about the sender, misleading subject lines, and extravagant earnings or performance claims about goods and services. These types of claims are the stock in trade of fraudulent schemes." From Prepared Statement Of The Federal Trade Commission On "Unsolicited Commercial email", November 3, 1999.

How does a spammer get your email address?

There are many ways a spammer can obtain your email address.
• 35.
a. You can disclose it yourself by posting your email address on auctions, bulletin boards, advertising, or email locators.
b. Businesses might sell your email address or other personal information to a spammer (however, legitimate businesses do not do this).
c. Spammers can use software programs to collect email addresses from web sites or they can use random number generators to send spam out randomly.

What is a hacker?

A hacker is an individual that attempts to take control over someone else's computer by using viruses, worms, and other types of Internet attacks. One of their favorite "tricks" is to use hacked computers to bring down a large web site by overloading the targeted site with millions of transmissions in a "denial of service" (DOS) attack.

While hackers were glorified in the early days of the Internet as people standing up for their rights against big corporations and the Government, hacking is now the hobby of criminals and thieves. Hackers prey on all citizens of the Internet and they are extremely dangerous to individuals, corporations, and governments.

How does a hacker find your computer?

Most hack attempts against personal computers result from viruses and worms running from an infected PC. It is not very difficult for the creator of the hacking program to predetermine the Internet addresses that his program will attack.

There are also amateur hackers that use software programs to randomly check for online computers to attack.

What makes Spamming or Hacking Illegal?

The U.S. Congress outlawed certain types of spam with the CAN-SPAM Act of 2003. The law, which became effective January 1, 2004, covers email whose primary purpose is advertising or promoting a commercial product or service, including content on a Web site. However a "transactional or relationship message" – email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship – may not contain false or misleading routing information, but otherwise is exempt from most provisions of the CAN-SPAM Act.

The Federal Trade Commission (FTC), the nation's consumer protection agency, is authorized to enforce the CAN-SPAM Act. CAN-SPAM also gives the Department of Justice (DOJ) the authority to enforce its criminal sanctions. Other federal and state agencies can enforce the law against organizations under their jurisdiction, and companies that provide Internet access may sue violators, as well.

All 50 states have also passed anti-spam laws that have various penalties for illegal spammers and hackers. If you don't live in a state with a strong anti-spam law, you are still protected from fraudulent schemes, illegal pornography, and other illegal acts by various state and federal laws.

In addition, if a spammer or hacker causes harm to a Government computer they are subject to the penalties of USC Title 18, Part I, Chapter 47, Sec. 1030 - Fraud and related activity in connection with computers.

• 36.
Now that we have a definition of illegal spam and hacking, let's move on to the practical matter of defending your computer against spammers and hackers.

Next - Defending your computer against spammers and hackers.

Avoiding Spam

1. One of the easiest things you can do to avoid spam is to never give out your real email address. Your real email address should only be used with trusted friends and coworkers. For all other types of email, and for situations that require an email address from you, you should set up and use a junk email account. A junk email account is usually obtained from a free web based email provider like Hotmail or our InfoHQ.com free email.

A junk email account is used for all types of correspondence when the end-user cannot be trusted with your real email address. So use your junk email account for entering contests, shopping, registering on web sites etc. When your junk email address becomes so full of spam that you get tired of managing it, you delete it and get a new email account. Spam problem solved, you start spam free with a new email address.

2. Don't open junk email. The safest thing to do with junk email is to delete it. Bad things can happen by opening junk email such as: the impossible to close window scam, resetting of your homepage to the spam site, and loading of unwanted or hostile programs.

Note: Some experts are now claiming that you should not have your email "preview pane" open as hostile programs could be started just by the act of the email being previewed. I have never seen a program load from the preview pane, however it is a good practice to close the preview pane when dealing with suspicious email.

What is a firewall?

A firewall is essentially a filter.
It is either a software program or hardware device used incomputer systems to prohibit forbidden information for passing though, while allowingapproved information. The communication which the firewall prevents from passing thoughcould be hackers trying to gain access to your personal information stored on your computer.How do firewalls work?The firewall inspects all the information which is passed over the system and determines if itis a threat or not based upon a variety of factors. It then stops all potential threats frompassing through. The criteria which a firewall uses to determine whether or not information ina threat or not is carefully determined.
  • 37. Do I need a firewall on my personal computer?

Firewalls are important for anyone with online security concerns. Firewalls can be used by businesses, known as a corporate firewall, or by individuals, known as a personal firewall. It has long been known that firewalls are a necessity for businesses to protect their networks; however, the demand for personal firewalls has increased dramatically.

Hardware & Software Firewall

There are two types of firewalls: the Hardware Firewall and the Software Firewall. A Software Firewall is a software program and a Hardware Firewall is a piece of hardware. Both have the same objective of filtering communications over a system. Systems can use a Hardware Firewall, a Software Firewall, or a combination of both.

Code red

This essay contains a description of several famous malicious computer programs (e.g., computer viruses and worms) that caused extensive harm, and it reviews the legal consequences of each incident, including the nonexistent or lenient punishment of the program's author.

It is not my intention to provide information on threats by current malicious programs: this essay is only a historical document. (You can find information on current threats at websites operated by vendors of anti-virus software.)

There are three reasons to understand past malicious programs:

Learning how past incidents caused damage may help you protect your computer from future damage. I say may, because new types of threats are continually emerging.

Because the law reacts to past events, learning about past harmful incidents shows us how the law should be corrected to respond appropriately to the new crimes of writing and distributing malicious computer programs.

In May 2002, the Norton Anti-Virus software for Windows operating systems detected about 61000 malicious programs. Astoundingly, there have been criminal prosecutions and convictions of the author(s) of only five malicious programs, all of which are described below:

1. the Morris worm released in 1988,
2. the author and distributors of the MBDF virus,
3. the author of the Pathogen virus,
4. the author of the Melissa virus, and
5. the author of the Anna worm.

I hope that when people read this essay and become aware of both the malicious design and great harm caused by computer viruses and worms, readers will urge their legislators:

F. to enact criminal statutes against authors of computer viruses and worms, with punishment to reflect the damage done by those authors, and
  • 38. G. to allocate more money to the police for finding and arresting the authors of malicious computer programs.

I have not cited a source for each fact mentioned in this essay, because most of these facts have been reported at many different sources, and are well known to computer experts who are familiar with viruses and worms. (I do cite a source for facts that are either not well known or controversial.) Further, this essay is not a formal scholarly document, with numerous citations, but only an informative review intended for attorneys, legislators, the general public, students, businessmen, etc. Some general sources are mentioned later.

Author did not know ....

The most common excuse made by criminal defense attorneys who represent authors of computer worms and viruses is that their client did not know how rapidly the worm or virus would spread. Because this excuse occurs in several of the cases presented below, let's discuss it at the beginning.

Such an excuse might be plausible to someone who had no understanding of the Internet and computer programming. However, it is ridiculous to suggest that a computer programmer who creates a worm is unaware that it will spread rapidly. Students who major in computer science, mathematics, physics, or engineering learn in mathematics classes about geometric series. There is a good reason why mathematics classes are required for science and engineering students: mathematics is really useful for predicting the results of experiments that one should not perform.

A good example of a geometric series is the propagation of a computer worm. Consider the following hypothetical example in which each victim's computer provides the addresses of four new victims, and the worm requires one hour to be received by the next wave of victims, to search the next victim's computer and find four new addresses, then to be sent to the four new victims:

time in hours    number of new victims
      1                    4
      2                   16
      3                   64
      4                  256
      5                 1024
      6                 4096
  • 39.
      7                16384
      8                65536
      9               262144
     10              1048576

In this hypothetical example, at 24 hours there would be approximately 10^14 new victims, which is a ridiculous extrapolation, because there are only about 10^9 people on the planet earth. But this example clearly shows the rapid growth of a geometric series and why authors of worms should not be surprised when their worm rapidly gets out of control. Seen in this context, the criminal defense attorney's statement that his/her client "did not know ...." is not plausible. Actually, the defense attorney's statement is ludicrous.

Even if one ignores the rapid growth of a geometric series, the historical examples of the rapid propagation of the Christma Worm in Dec 1987 and the Morris Worm in Nov 1988 show what happens when worms are released into computer networks. There is absolutely no need for another "experiment" of this kind, as we already know what will happen. (I put "experiment" in quotation marks, because the design and release of a computer virus or worm is a crime, not a legitimate scientific experiment.)

Other examples of specious defenses for writing or releasing malicious programs are contained in my essay on Computer Crime.

The Melissa virus was released on 26 March 1999 and was designed to infect macros in word-processing documents used by the Microsoft Word 97 and Word 2000 programs. Macro viruses were not new; they had been known since 1995.

The innovative feature of the Melissa virus was that it propagated by e-mailing itself to the first fifty addresses in the Microsoft Outlook e-mail program's address book. This feature allowed the Melissa virus to propagate faster than any previous virus. The virus arrived at each new victim's computer disguised as e-mail from someone who they knew, and presumably trusted. (About 11 years earlier, the Christma Worm automatically sent itself to everyone in a victim's e-mail address book on an IBM mainframe computer.)

The Melissa virus propagated in two different ways:

1. On PCs running the Microsoft Outlook 97 or 98 e-mail program, the Melissa virus used the Outlook program to send an e-mail containing an attachment, with a filename like list.doc. This file contained a Microsoft Word document with a macro, and a copy of the Melissa virus was inside the macro.
  • 40. When this e-mail was received by someone who had Microsoft Word on his/her computer (even if their computer was an Apple Macintosh), and the recipient clicked on the attachment, the document would open and the Melissa virus would automatically infect Word's normal.dot template file, thus infecting the recipient's computer. While Microsoft Outlook was necessary for the automatic sending of infected documents, the recipient of such e-mail could be infected even if the recipient used a non-Microsoft e-mail program.

2. Infected Microsoft Word documents could be transmitted by floppy disks, usual e-mail sent by the victim, etc. When such infected documents were opened in Microsoft Word, the Melissa virus would automatically infect Word's normal.dot template file, thus infecting the recipient's computer.

Many documents about the Melissa virus claim this virus was "relatively harmless" or "benign". That claim is not true. There were a number of distinctly different harms caused by Melissa:

Documents in Microsoft Word format were automatically sent, using Microsoft Outlook, to fifty people by the Melissa virus. Such automatic transmission could release confidential information from the victim's computer.

When the day number equals the number of minutes in the current time (e.g., at 11:06 on the 6th day of the month), the Melissa virus inserted the following text in whatever document was then being edited in Word on the victim's computer: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." Such an insertion was a deliberate modification of data files on the victim's hard drive, an unauthorized tampering with the victim's document files.

Future victims were most commonly infected by opening an attachment in an e-mail from someone who they knew, and presumably trusted. Until the workings of the Melissa virus were understood by all the victims, trusted relationships between people could be harmed by this unauthorized sending of e-mail.

As with any rapidly propagating virus or worm, e-mail can be delayed, which sometimes has economic consequences (e.g., lost productivity).

And, as with all viruses and worms, there was the cost of removing the infection and restoring the computer to normal.

The fact that the Melissa virus could have been more destructive (e.g., by deleting data files from the victim's computer) is hardly praise for the author of the Melissa virus.

For more technical details on Melissa, see the CERT advisory and the F-Secure description.
  • 41. Finally, using an Apple Macintosh gives one immunity from most computer viruses and worms. However, Apple computer users who also use Microsoft Word 97 or later are vulnerable to the same macro viruses that plague Word users on Microsoft Windows 95 or later. However, the Melissa virus cannot automatically transmit itself by e-mail from a computer that uses the Macintosh operating system.

Melissa Perpetrator

The Melissa virus was written by David Lee Smith and first released on 26 March 1999 as an attachment to his posting to an alt.sex newsgroup. That posting said the attachment contained a list of passwords for pornographic websites, but the attachment actually contained his virus. Smith named his virus "Melissa" after a topless dancer in Florida, whom Smith knew.

It is obvious that Smith knew what he was doing was wrong, because he used a stolen AOL account and password to make the initial release to the alt.sex newsgroup. Before his arrest, Smith discarded the hard drives that were used to create his virus at his home in New Jersey, then he hid at his brother's house, where David Lee Smith was arrested.

Smith was arrested on 1 April 1999. The CNN news report shows the police mugshot of Smith, with a smirking expression. He was charged in federal court with violations of 18 USC § 1030(a)(5)(A) and in New Jersey state court with violations of NJSA 2C:20-25(a) and 2C:20-26(a).

Smith was fired from his job doing computer programming at AT&T. He subsequently worked as a computer technician at Rutgers University after his arrest. (Rutgers did not know that Smith had been arrested for this crime.) Smith voluntarily quit his job at Rutgers six days before he pled guilty.

On 9 Dec 1999, Smith pled guilty in federal court. The plea agreement between prosecutors and Smith had the following features:

Smith would cooperate with authorities in thwarting other creators of malicious computer programs.
It would be stipulated that the Melissa virus did "more than eighty million dollars of damage". (The actual amount was much, much higher – one estimate was US$ 1100 million. However, the stipulation became a "fact" accepted in court for the purposes of determining Smith's sentence.)

Any state and federal prison sentences would run concurrently, and end at the same time.

On 1 May 2002, a judge in federal court imposed the following sentence on Smith:

20 months in federal prison,

36 months of "supervised release" (i.e., probation) after his prison term ends, during which time he can access the Internet only with the permission of his probation officer,

fined US$ 5100, and

ordered to serve 100 hours of "community service" work in the "technological field", perhaps giving lectures in schools about the harmfulness of computer viruses.
  • 42. Apparently, the 29-month interval between Smith's guilty plea and his sentencing (an unusually long interval) was the result of his cooperation with authorities in investigating other malicious computer programs. The authorities did not reveal any details of the cooperation, so it is not possible to know what the government got in exchange for more than halving Smith's prison sentence.

On 3 May 2002, a judge in New Jersey state court imposed the following sentence on Smith:

the maximum allowable sentence of ten years in state prison. However, because of his plea agreement, Smith would serve only the 20 months in federal prison and then be a free man.

fined US$ 2500.

Some documents in Smith's case have been posted on the Internet:

Information filed by the U.S. Attorney for the District of New Jersey, charging David Lee Smith with violation of 18 USC § 1030(a)(5)(A).

Letter of 8 Dec 1999 from the U.S. Attorney for New Jersey to the attorney representing David Smith, offering a plea agreement.

DoJ press release about Smith's guilty plea.

Judgment issued by Judge Greenaway on 1 May 2002.

U.S. Attorney's 1 May 2002 press release about Smith's sentence. Another copy is at the DoJ website.

Weak punishment

If one accepts the legal stipulation that the Melissa virus did US$ 8 × 10^7 in damage, and one considers Smith in prison to lose 16 hours/day of freedom (who cares where he sleeps for 8 hours/day?) for 20 months, then the effective value of Smith's time in prison is US$ 8330/hour. That is a ridiculously high value for Smith's time.

The prosecutors ignored that Smith's virus fraudulently sent e-mails from each victim's computer to new victims who were in the previous victim's e-mail address book. The new victims opened the attachment in e-mail apparently from someone who they knew, and presumably trusted, and were infected with a copy of Smith's virus. I believe society should express outrage at this kind of fraud.
Three worms: CodeRed, Sircam, Nimda

The year 2001 saw the introduction of many serious malicious programs: CodeRed, Sircam, Nimda, BadTrans.B, and Klez. I treat the first three tersely in the following sections.

CodeRed

The initial CodeRed worm was discovered on 16 July 2001. CodeRed targeted webservers, not computers of users. This worm was propagated as an http get request, i.e. a request to get a
  • 43. webpage from a server. If the server was running the Microsoft Windows NT 4.0 or Windows 2000 operating system, a defect in those operating systems allowed the worm to infect that server.

An interesting feature of CodeRed is that it does not reside in any file on the hard disk, but only exists in semiconductor memory (RAM): this feature allows CodeRed to escape detection by a scan of the hard disk with anti-virus software. Switching the infected computer off, then on, will remove the infection, but webservers normally run continually (i.e., 24 hours/day, 7 days/week), unlike computers in homes and offices that may be rebooted daily.

The CodeRed worm did different things depending on the day of the month. Most versions of CodeRed used the following schedule:

1. During the first 19 days of each month, the CodeRed worm sent out many http get requests to random IP addresses (i.e., websites and Internet users), seeking webservers to infect. This feature of CodeRed is essentially a port probe, looking for webservers running the Windows NT 4.0 or Windows 2000 operating system. The large number of bogus requests from CodeRed could mimic a denial-of-service attack on a webserver.

2. During days 20 to 28 of each month, another feature of CodeRed makes a denial-of-service attack on the IP address that then corresponded to www.whitehouse.gov. The IP address of the U.S. President's website was changed to defeat CodeRed.

3. After the 28th day of the month, CodeRed goes into a sleep state until the next month, although the server is still infected.

4. Under certain circumstances, one early version of CodeRed running on a webserver that uses the English language will intercept requests for a webpage and return its own HTML code: "Welcome to http://www.worm.com ! Hacked by Chinese!" After 10 hours, CodeRed again returns the proper requested webpage.
The temporary unavailability of some webpages will cause concern to webmasters, then the problem will "magically" disappear, frustrating operators of webservers who are trying to find the problem.

A CERT advisory showed that CodeRed infected 2.0 × 10^5 computers in just five hours on 19 July 2001, which was a rapid rate of infection and a good example of the geometric series mentioned earlier in this essay. CERT said that "at least 280000 hosts were compromised in the first wave" of attacks on 19 July 2001.

CodeRed II

A new version of CodeRed appeared on 4 August 2001, called CodeRed II. The important new feature of CodeRed II is the installation of a Trojan Horse program, which creates a backdoor into the infected webserver. After this backdoor is installed, any web surfer can send commands by using any
  • 44. web browser. Such commands could, for example, delete files from the webserver, or upload new files to the webserver. The Trojan Horse also disables the system file checker function in Windows, so that the modified operating system files cannot be detected.

Whoever wrote CodeRed II did not like the Chinese, as that variant is designed to propagate faster, and for a longer time, in webservers that use the Chinese language.

Perpetrator of CodeRed

To the best of my knowledge, the author of the CodeRed worm was never identified, so there can be no legal consequences for him.

Sircam

The initial Sircam worm was discovered on 17 July 2001, about the same time as CodeRed first appeared.

The worm arrived at a victim's computer in e-mail with the following text:

Hi! How are you?
[second line: one of four choices below]
See you later. Thanks

There are four different versions of the second line of the e-mail text:

1. I send you this file in order to have your advice
2. I hope you can help me with this file that I send
3. I hope you like the file that I sendo you
4. This is the file with the information that you ask for

Clicking on the attached file infects the victim with the Sircam worm.

Note: the text of e-mail containing malicious programs often contains ungrammatical text, punctuation errors (e.g., the missing periods in Sircam's text), or misspelled words, because the author is a non-native speaker of English. Such mistakes in English text in an e-mail apparently from an English-speaking country should alert the reader to the possibility of e-mail from a forged address.

The Sircam worm inflicts several harms on the victim:

a 2% chance that the file c:\recycled\sircam.sys will be created, then text is repeatedly added to this file until there is no more free space on the C: hard disk drive.

on computers using the day/month/year date format and when the date is 16 October, there is a 5% chance that Sircam will delete all files and delete all directories on the C: hard disk drive.
Sircam automatically sends copies of itself with the victim's e-mail address as the From: address. If Sircam cannot find the victim's e-mail address, then Sircam will forge a From:
  • 45. address from the current username and one of four mail servers (e.g., @prodigy.net.mx). The To: addresses are harvested from the Windows Address Book and also from e-mail addresses found in the web browser cache files. The text of the e-mail was mentioned above. The e-mail has one attachment which contains a copy of the Sircam worm followed by the contents of a file with file type .doc or .zip from the My Documents folder on the victim's computer. This document could contain the victim's confidential information, which is then sent to numerous addresses. The name of the attachment had a double file extension, which, like Melissa and Anna above, is symptomatic of a malicious attachment. The filename and left extension of the attachment were identical to the copied file from the victim's machine; Sircam then added a second file extension, either .com, .bat, .exe, .pif, or .lnk, which made the attachment an executable file type.

Sircam uses its own internal mail program, so that copies of outgoing e-mail do not appear in the user's e-mail program's out-box. Thus the user does not know his/her computer is mailing copies of the Sircam worm to other people.

The Sircam worm has a length of 137216 bytes. The additional space required by the document from the victim's computer makes the attachment even larger, perhaps more than 200000 bytes, which is larger than most webpages and most e-mail messages. This large file size helps Sircam clog the Internet.

Several anti-virus websites note that there is a bug in the Sircam worm that makes it "highly unlikely" that the disk-space-filling and file-deleting will occur. However, the author of Sircam apparently intended those harms to occur.

Perpetrator of SirCam

To the best of my knowledge, the author of the SirCam worm was never identified, so there can be no legal consequences for him.
A copyright notice in the Sircam code says that this worm was made in Mexico, but I have seen no confirmation that this statement is correct.

The anti-virus software vendor Trend Micro reported on 10 May 2002 that a total of 1.0 × 10^6 computers worldwide had been infected with Sircam. The anti-virus software vendors Sophos and Computer Associates both reported SirCam as the second most prevalent malicious program infecting computers in the year 2001: SirCam accounted for 20% of the reports to Sophos in 2001. On 17 May 2002, MessageLabs reported SirCam as the all-time most prevalent malicious program in e-mail.
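The double-extension symptom the essay attributes to Sircam, Melissa and Anna, turned into a mail-gateway check as an added Python example that is not part of the essay. The executable extensions, the 137216-byte worm length and the four fixed message lines are the essay's; the document-extension list, the sample attachments and the `Finding` class are assumptions made for the example.

```python
"""Flag e-mail attachments that carry a double file extension ending in an
executable type, the Sircam/Anna/Melissa symptom the essay describes.

Added example, not code from the essay.  Executable extensions, the Sircam
worm length and the fixed message lines are from the essay; the document
extension list and the sample names below are constructed for illustration.
"""
import posixpath
from dataclasses import dataclass
from typing import List, Optional

# Final extensions the essay says Sircam appended to make the attachment executable.
EXECUTABLE_EXTENSIONS = {".com", ".bat", ".exe", ".pif", ".lnk"}
# Inner extensions that make the name look like a harmless document (assumed list).
DOCUMENT_EXTENSIONS = {".doc", ".zip", ".xls", ".jpg", ".txt", ".pdf"}
# Length of the Sircam worm itself per the essay; the stolen document follows it.
SIRCAM_WORM_LENGTH = 137216
# The four possible second lines of the Sircam message, quoted from the essay.
SIRCAM_SECOND_LINES = (
    "I send you this file in order to have your advice",
    "I hope you can help me with this file that I send",
    "I hope you like the file that I sendo you",
    "This is the file with the information that you ask for",
)


@dataclass
class Finding:
    attachment: str
    reasons: List[str]

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_extensions(filename: str) -> List[str]:
    """Return every extension of a filename, leftmost first, lower-cased.

    'report.doc.exe' -> ['.doc', '.exe']; 'README' -> [].  Directory parts
    (Windows or POSIX) are dropped and a leading dot is not an extension.
    """
    name = posixpath.basename(filename.replace("\\", "/"))
    parts = name.lstrip(".").split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def assess_attachment(filename: str, size: Optional[int] = None,
                      body: str = "") -> Finding:
    """Score one attachment using only the symptoms the essay lists: a
    document-looking name that ends in an executable extension, a size with
    room for Sircam plus an appended document, and (weaker) Sircam's fixed
    message text.  A single-extension executable is deliberately not flagged
    here; a stricter gateway policy could add that."""
    reasons: List[str] = []
    exts = split_extensions(filename)
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS:
        if exts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"document name with executable double extension "
                           f"{exts[-2]}{exts[-1]}")
        else:
            reasons.append(f"double extension ending in executable {exts[-1]}")
    if reasons and size is not None and size > SIRCAM_WORM_LENGTH:
        reasons.append(f"size {size} exceeds Sircam worm length "
                       f"{SIRCAM_WORM_LENGTH}, room for an appended document")
    if any(line in body for line in SIRCAM_SECOND_LINES):
        reasons.append("body matches one of Sircam's four fixed message lines")
    return Finding(attachment=filename, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample messages: (attachment name, size in bytes, body text).
    samples = [
        ("budget.doc.exe", 150000, "Hi! How are you?\n"
         "I hope you like the file that I sendo you\nSee you later. Thanks"),
        ("photo.JPG.PIF", 140000, ""),
        ("quarterly.doc", 40000, "Attached is the Q3 report."),
        ("archive.tar.gz", 90000, ""),
    ]
    for name, size, body in samples:
        finding = assess_attachment(name, size, body)
        verdict = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{name:16s} {verdict:10s} {'; '.join(finding.reasons)}")
```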
  • 46. Nimda

The Nimda worm was discovered on 18 September 2001 and it spread rapidly on the Internet. Nimda had two novel features:

1. Nimda could infect a computer when the user read or previewed an e-mail that contained a copy of Nimda. With all previous viruses or worms transmitted by e-mail, the user would need to click on an attachment to infect the user's computer.

2. Nimda could modify webpages on a webserver, so that accessing those webpages could download a copy of Nimda to the browser's computer.

These two novel features represented a significant "advance" in ability to harm victims.

The first novel feature of Nimda exploited a defect in Microsoft Internet Explorer 5.01 and 5.5. A patch that repairs this defect had been available from the Microsoft website since 29 March 2001, but most computer users do not bother to install the latest updates. Why did a defect in a web browser cause a vulnerability to worms sent by e-mail? Most modern e-mail is sent in HTML format, the same format used by webpages, and e-mail software (e.g., Microsoft Outlook) uses the Internet Explorer web browser to display such e-mail. This vulnerability could be avoided by (1) selecting either Netscape Navigator or Opera as the default browser and (2) using a non-Microsoft e-mail program, such as Eudora.

The Nimda worm propagates in several different ways:

1. Like the CodeRed worm, every copy of Nimda generates many random IP addresses to target with http get requests, i.e. requests to get a webpage from a server. If the server was running the Microsoft Windows NT 4.0 or Windows 2000 operating system, a defect in those operating systems allowed the worm to infect that server. The name of the Nimda worm is a reversal of the computer term admin (administrator), which designates a user with the privilege of modifying system files. By exploiting a defect in Windows, the Nimda worm is able to act as an administrator.

2. Once a webserver was infected by Nimda, the worm adds a small amount of JavaScript code to webpages on that server with filenames index, default, or readme and extensions .html, .htm, or .asp. Nimda also creates a copy of itself in a file, readme.eml, on an infected webserver. Depending on the settings on the user's computer regarding JavaScript, when the user accessed one of these altered webpages, the user's web browser might:

o automatically download readme.eml and execute the Nimda worm, thus infecting the user's computer,
o display a prompt to ask whether the user wanted to download the file readme.eml, or
o automatically refuse to download the file.
  • 47. 3. Once every ten days, Nimda searches the hard drive of an infected computer to harvest e-mail addresses from the following sources:

o in-boxes for the user's e-mail program (e.g., Microsoft Outlook)
o *.HTML and *.HTM files in the user's web browser cache (also called the Temporary Internet Files folder).

After harvesting e-mail addresses, Nimda selects one of these addresses as the From: address and the remainder as To: addresses, and sends copies of Nimda in an apparently blank e-mail. Note that the infected computer is not used as the From: address, so there is no easy way for the recipient of e-mail to determine whose computer sent the copy of Nimda. Nimda (like Sircam) uses its own internal mail program, so that copies of outgoing e-mail do not appear in the user's e-mail program's out-box. Thus the user does not know his/her computer is mailing copies of the Nimda worm to other people. As mentioned above, Nimda can infect the recipient's machine when the recipient either reads or previews the e-mail, without needing to click on an attachment.

4. Nimda adds a copy of itself to the beginning of *.EXE files. Such executable files are sometimes transferred to other computers, which will spread the Nimda infection.

On 11 Oct 2001, hundreds of e-mails containing Nimda were sent with forged From: addresses that appeared to originate from the manager of anti-virus research at F-Secure in Finland. Such forged source addresses, whether a deliberate act or a random occurrence caused by execution of a malicious program, damage the reputation of innocent people. (I elaborate on this point later in this essay, in discussing the Klez program.)

For more technical details on Nimda, see the CERT advisory and the F-Secure description.

The Nimda worm has a length of 57344 bytes, which makes it a relatively large file compared to many webpages and e-mail messages. This large file size helps Nimda clog the Internet.

I noticed CodeRed and Nimda at my professional website, where, up to 10 May 2002, there were 11238 requests for Windows NT operating system files, particularly cmd.exe. (These files do not exist on the server that hosts my website, as that server runs the Unix operating system.) The webhosting service that I use reported on 18 Sep 2001 that they were receiving approximately 8000 hits/second requesting cmd.exe. Such a high rate of requests approximates a denial-of-service attack on a webserver.

Perpetrator of Nimda
  • 48. To the best of my knowledge, the author of the Nimda worm was never identified, so there can be no legal consequences for him. The code for Nimda contains a copyright notice stating that it originated in communist China, but I have seen no confirmation that this statement is correct.

The anti-virus software vendor Trend Micro reported on 14 May 2002 that a total of 1.2 × 10^6 computers worldwide had been infected with Nimda. The anti-virus software vendor Sophos reported Nimda as the most prevalent malicious program in the year 2001: Nimda accounted for 27% of the reports to Sophos.

The anti-virus software vendor Trend Micro reported on 16 May 2002 that a total of 2.1 × 10^5 computers worldwide had been infected with BadTrans.B, which was only about 1/5 the number of computers that Trend Micro reported as infected with Sircam or Nimda, which also appeared in the year 2001. However, the anti-virus software vendor Computer Associates reported BadTrans.B as the most prevalent malicious program in the year 2001. On 2 Dec 2001, MessageLabs filtered BadTrans.B from one in every 57 e-mails, the second-highest daily infection rate seen by MessageLabs. On 17 May 2002, MessageLabs reported the BadTrans.B worm was the all-time third-most-common malicious program in e-mail.

Klez

The original Klez program appeared on 26 October 2001. A number of variants appeared later, of which the most significant were the E variant that first appeared on 17 January 2002 and the H variant that first appeared on 17 April 2002. The H variant caused an epidemic from about 20 April 2002 through June 2002, and became the most widespread malicious program in the history of the Internet.

Klez has properties of both a computer virus and a worm, what the Norton Anti-Virus website calls a "blended threat".

There are a number of varieties of the Klez program and they each do slightly different harms to the victim's computer. Among these harms are:

deposit a copy of an ElKern computer virus in the victim's computer. The early versions of this virus destroy information in all files on the victim's computer on 13 March and 13 September of each year.

the Klez program is released when the victim reads or previews e-mail with Microsoft Outlook. The same defect in Microsoft Internet Explorer was exploited earlier by both the Nimda and BadTrans worms.

send copies of the Klez program via e-mail from the victim's computer, as discussed in more detail below.

attempts to disable many common anti-virus programs by modifying the Windows registry file.

on the 6th day of each odd-numbered month, attempts to overwrite many different files on the victim's hard drive with a pattern of all zeroes, thus destroying data in those files.
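Returning to the cmd.exe probes the essay reports for CodeRed and Nimda (11238 requests at a Unix-hosted site, and a hosting provider seeing about 8000 hits/second): the following added Python example, not code from the essay, parses Apache combined-format access-log lines, counts cmd.exe requests per source and per second, and lists any probe that did not get a 404. The log lines are constructed (documentation address range 192.0.2.0/24) and the rate threshold is an assumption, not a figure from the essay.

```python
"""Spot CodeRed/Nimda-style probes for cmd.exe in a web server access log.

Added example, not code from the essay.  Constructed sample log below; the
rate threshold is an assumption chosen for the example.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Apache "combined" log format; trailing referer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A Unix host never serves cmd.exe, so any request naming it is a probe.
# The essay names cmd.exe specifically; other Windows system files could be added.
PROBE_RE = re.compile(r'/cmd\.exe(\?|$)', re.IGNORECASE)
RATE_THRESHOLD_PER_SECOND = 50  # assumption, far below the 8000/s the essay reports

# Constructed sample: normal traffic interleaved with probes, dated on the day
# the essay's hosting provider reported the flood (18 Sep 2001).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:14:02:11 +0000] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.7"
192.0.2.44 - - [18/Sep/2001:14:02:11 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 296 "-" "-"
192.0.2.45 - - [18/Sep/2001:14:02:11 +0000] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 296 "-" "-"
192.0.2.46 - - [18/Sep/2001:14:02:11 +0000] "GET /c/winnt/system32/CMD.EXE HTTP/1.0" 404 296 "-" "-"
192.0.2.10 - - [18/Sep/2001:14:02:12 +0000] "GET /about.html HTTP/1.0" 200 2048 "-" "Mozilla/4.7"
192.0.2.44 - - [18/Sep/2001:14:02:12 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 296 "-" "-"
192.0.2.99 - - [18/Sep/2001:14:02:13 +0000] "GET /d/winnt/system32/cmd.exe HTTP/1.0" 200 1234 "-" "-"
this line is not in combined format and is skipped
"""


@dataclass
class ProbeReport:
    total_requests: int = 0
    probe_requests: int = 0
    by_source: Counter = field(default_factory=Counter)   # ip -> probe count
    by_second: Counter = field(default_factory=Counter)   # timestamp -> probe count
    non_404_probes: List[str] = field(default_factory=list)

    @property
    def peak_rate(self) -> int:
        """Highest number of probes seen in any single second."""
        return max(self.by_second.values(), default=0)

    @property
    def flood_suspected(self) -> bool:
        return self.peak_rate >= RATE_THRESHOLD_PER_SECOND

    def top_sources(self, n: int = 3) -> List[Tuple[str, int]]:
        return self.by_source.most_common(n)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines: Iterable[str]) -> ProbeReport:
    report = ProbeReport()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        report.total_requests += 1
        if not PROBE_RE.search(rec["path"]):
            continue
        report.probe_requests += 1
        report.by_source[rec["ip"]] += 1
        report.by_second[rec["ts"]] += 1   # timestamps have one-second resolution
        # On a Unix host cmd.exe cannot exist; anything but 404 deserves a look
        # (a catch-all page answering 200 hides the probe from a naive 404 count).
        if rec["status"] != "404":
            report.non_404_probes.append(line)
    return report


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG.splitlines())
    print(f"requests parsed: {rep.total_requests}, cmd.exe probes: {rep.probe_requests}")
    print(f"peak probes in one second: {rep.peak_rate} (flood suspected: {rep.flood_suspected})")
    print("top probing sources:", rep.top_sources())
    for line in rep.non_404_probes:
        print("probe not answered with 404:", line)
```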
  • 49. hree worms: CodeRed, Sircam, NimdaThe year 2001 saw the introduction of many serious malicious programs: CodeRed, Sircam, Nimda,BadTrans.B, and Klez. I treat the first three tersely in the following sections. CodeRedThe initial CodeRed worm was discovered on 16 July 2001. CodeRed targeted webservers, notcomputers of users. This worm was propagated as an http get request, i.e. a request to get awebpage from a server. If the server was running Microsoft Windows NT 4.0 or Windows 2000operating systems, a defect in those operating systems allowed the worm to infect that server.An interesting feature of CodeRed is that it does not reside in any file on the hard disk, but onlyexists in semiconductor memory (RAM): this feature allows CodeRed to escape detection by a scanof the hard disk with anti-virus software. Switching the infected computer off, then on, will removethe infection, but webservers normally run continually (i.e., 24 hours/day, 7 days/week), unlikecomputers in homes and offices that may be rebooted daily.The CodeRed worm did different things depending on the day of the month. Most versions ofCodeRed used the following schedule: 1. During the first 19 days of each month, the CodeRed worm sent out many http get requests to random IP addresses (i.e., websites and Internet users), seeking webservers to infect. This feature of CodeRed is essentially a port probe, looking for webservers running Windows NT 4.0 or Windows 2000 operating systems. The large number of bogus requests from CodeRed could mimic a denial-of-service attack on a webserver. 2. During days 20 to 28 of each month, another feature of CodeRed makes a denial-of-service attack on the IP address that then corresponded to www.whitehouse.gov. The IP address of the U.S. Presidents website was changed to defeat CodeRed. 3. After the 28th day of the month, CodeRed goes into a sleep state until the next month, although the server is still infected. 4. 
Under certain circumstances, one early version of CodeRed running on a webserver that uses the English language will intercept requests for a webpage and return its own HTML code: Welcome to http:// www.worm.com ! Hacked by Chinese! After 10 hours, CodeRed again returns the proper requested webpage. The temporary unavailability of some webpages will cause concern to webmasters, then the problem will "magically" disappear, frustrating operators of webservers who are trying to find the problem.A CERT advisory showed that CodeRed infected 2.0 × 105 computers in just five hours on19 July 2001, which was a rapid rate of infection and a good example of geometric series mentioned
• 50. earlier in this essay. CERT said that "at least 280000 hosts were compromised in the first wave" of attacks on 19 July 2001.

CodeRed II

A new version of CodeRed appeared on 4 August 2001, called CodeRed II. The important new feature of CodeRed II is the installation of a Trojan Horse program, which creates a backdoor into the infected webserver: the worm copies the Windows command interpreter, cmd.exe, into the webserver's script directories under the name root.exe, where it can be reached through the webserver itself. After this backdoor is installed, any web surfer can send commands to it by using any web browser. Such commands could, for example, delete files from the webserver, or upload new files to the webserver. The Trojan Horse also disables the system file checker function in Windows, so that the modified operating system files cannot be detected. (The Nimda worm, discussed below, later used these root.exe backdoors as one of its ways into servers.)

Whoever wrote CodeRed II did not like the Chinese, as that variant is designed to propagate faster, and for a longer time, in webservers that use the Chinese language.

Perpetrator of CodeRed

To the best of my knowledge, the author of the CodeRed worm was never identified, so there can be no legal consequences for him.

Sircam

The initial Sircam worm was discovered on 17 July 2001, about the same time as CodeRed first appeared.

The worm arrived at a victim's computer in e-mail with the following text:

    Hi! How are you?
    [second line: one of four choices below]
    See you later. Thanks

There are four different versions of the second line of the e-mail text:

1. I send you this file in order to have your advice
2. I hope you can help me with this file that I send
3. I hope you like the file that I sendo you
4. This is the file with the information that you ask for

Clicking on the attached file infects the victim with the Sircam worm.

Note: the text of e-mail containing malicious programs often contains ungrammatical text, punctuation errors (e.g., the missing periods in Sircam's text), or misspelled words, because the author is a non-native speaker of English. Such mistakes in English text in an e-mail apparently from an English-speaking country should alert the reader to the possibility of e-mail from a forged address.

The Sircam worm inflicts several harms on the victim:
• 51.
- a 2% chance that the file c:\recycled\sircam.sys will be created, then text is repeatedly added to this file until there is no more free space on the C: hard disk drive.
- on computers using the day/month/year date format, and when the date is 16 October, there is a 5% chance that Sircam will delete all files and delete all directories on the C: hard disk drive.
- Sircam automatically sends copies of itself with the victim's e-mail address as the From: address. If Sircam cannot find the victim's e-mail address, then Sircam forges a From: address from the current username and one of four mail servers (e.g., @prodigy.net.mx). The To: addresses are harvested from the Windows Address Book and also from e-mail addresses found in the web browser cache files. The text of the e-mail was mentioned above.
- The e-mail has one attachment, which contains a copy of the Sircam worm followed by the contents of a file of type .doc or .zip from the My Documents folder on the victim's computer. This document could contain the victim's confidential information, which is then sent to numerous addresses.
- The name of the attachment has a double file extension, which, like Melissa and Anna above, is symptomatic of a malicious attachment. The filename and left extension of the attachment were identical to the copied file from the victim's machine; Sircam then added a second file extension, either .com, .bat, .exe, .pif, or .lnk, which made the attachment an executable file type. (Windows hides the last extension of known file types by default, so the recipient may see only the innocuous inner name, e.g. budget.doc instead of budget.doc.pif.)
- Sircam uses its own internal mail program (its own SMTP engine), so that copies of outgoing e-mail do not appear in the out-box of the user's e-mail program. Thus the user does not know that his/her computer is mailing copies of the Sircam worm to other people.
- The Sircam worm has a length of 137216 bytes. The additional space required by the document from the victim's computer makes the attachment even larger, perhaps more than 200000 bytes, which is larger than most webpages and most e-mail messages. This large file size helps Sircam clog the Internet.

Several anti-virus websites note that there is a bug in the Sircam worm that makes it "highly unlikely" that the disk-space-filling and file-deleting will occur. However, the author of Sircam apparently intended those harms to occur.

Perpetrator of SirCam

To the best of my knowledge, the author of the SirCam worm was never identified, so there can be no legal consequences for him. A copyright notice in the Sircam code says that this worm was made in Mexico, but I have seen no confirmation that this statement is correct.

The anti-virus software vendor Trend Micro reported on 10 May 2002 that a total of 1.0 × 10^6 computers worldwide had been infected with Sircam. The anti-virus software vendors Sophos and Computer Associates both reported SirCam as the second most prevalent malicious program
• 52. infecting computers in the year 2001: SirCam accounted for 20% of the reports to Sophos in 2001. On 17 May 2002, MessageLabs reported SirCam as the all-time most prevalent malicious program in e-mail.

Nimda

The Nimda worm was discovered on 18 September 2001 and it spread rapidly on the Internet. Nimda had two novel features:

1. Nimda could infect a computer when the user read or previewed an e-mail that contained a copy of Nimda. With all previous viruses or worms transmitted by e-mail, the user would need to click on an attachment to infect the user's computer.
2. Nimda could modify webpages on a webserver, so that accessing those webpages could download a copy of Nimda to the browser's computer.

These two novel features represented a significant "advance" in the ability to harm victims.

The first novel feature of Nimda exploited a defect in the way Microsoft Internet Explorer 5.01 and 5.5 handled MIME headers (Microsoft security bulletin MS01-020): an attachment whose declared MIME type was one that the browser handled automatically (Nimda declared its executable to be audio) was run without asking the user. A patch that repairs this defect had been available from the Microsoft website since 29 March 2001, but most computer users do not bother to install the latest updates. Why did a defect in a web browser cause a vulnerability to worms sent by e-mail? Most modern e-mail is sent in HTML format, the same format used by webpages, and e-mail software (e.g., Microsoft Outlook) uses the Internet Explorer rendering engine to display such e-mail. Applying the patch was the proper remedy; the vulnerability could also be avoided by using an e-mail program that does not render messages with the Internet Explorer engine, such as Eudora. Merely selecting Netscape Navigator or Opera as the default browser does not help, because Outlook renders HTML e-mail with the Internet Explorer engine regardless of which browser is the default.

The Nimda worm propagates in several different ways:

1. Like the CodeRed worm, every copy of Nimda generates many random IP addresses to target with HTTP GET requests, i.e. requests to get a webpage from a server. If the server was running Microsoft IIS on Windows NT 4.0 or Windows 2000, either a directory-traversal defect in IIS (which let a specially encoded request reach cmd.exe outside the web root; Microsoft had patched it in 2000, bulletin MS00-078) or a root.exe backdoor left behind by CodeRed II allowed the worm to infect that server. The name of the Nimda worm is a reversal of the computer term admin (administrator), which designates a user with the privilege of modifying system files. By exploiting a defect in Windows, the Nimda worm is able to act as an administrator.
2. Once a webserver was infected by Nimda, the worm adds a small amount of JavaScript code to webpages on that server with filenames index, default, or readme and extensions .html, .htm, or .asp; the script opens the file readme.eml in a new, tiny browser window. Nimda also creates a copy of itself in that file, readme.eml, on the infected webserver. Depending on the settings on the user's computer regarding JavaScript, when the user accessed one of these altered webpages, the user's web browser might:

• 53.
   o automatically download readme.eml and execute the Nimda worm, thus infecting the user's computer,
   o display a prompt to ask whether the user wanted to download the file readme.eml, or
   o automatically refuse to download the file.

3. Once every ten days, Nimda searches the hard drive of an infected computer to harvest e-mail addresses from the following sources:
   o in-boxes of the user's e-mail program (e.g., Microsoft Outlook)
   o *.HTML and *.HTM files in the user's web browser cache (also called the Temporary Internet Files folder).
   After harvesting e-mail addresses, Nimda selects one of these addresses as the From: address and the remainder as To: addresses, and sends copies of Nimda in an apparently blank e-mail. Note that the infected computer's own address is not used as the From: address, so there is no easy way for the recipient of the e-mail to determine whose computer sent the copy of Nimda. Nimda (like Sircam) uses its own internal mail program, so that copies of outgoing e-mail do not appear in the out-box of the user's e-mail program. Thus the user does not know that his/her computer is mailing copies of the Nimda worm to other people. As mentioned above, Nimda can infect the recipient's machine when the recipient either reads or previews the e-mail, without needing to click on an attachment.
4. Nimda adds a copy of itself to the beginning of *.EXE files. Such executable files are sometimes transferred to other computers, which will spread the Nimda infection.

On 11 Oct 2001, hundreds of e-mails containing Nimda were sent with forged From: addresses that appeared to originate from the manager of anti-virus research at F-Secure in Finland. Such forged source addresses, whether a deliberate act or a random occurrence caused by execution of a malicious program, damage the reputation of innocent people.
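The probes by which CodeRed and Nimda propagate, described above, and Sircam's double-extension attachment names, described earlier, are easy to recognise in the records a webserver or mail gateway keeps. What follows is an added example written for this page, not code from the essay or from the worms themselves: it scans a handful of constructed Apache-style access-log lines for the request paths the worms used (CodeRed's default.ida, the root.exe backdoor that CodeRed II planted and Nimda reused, and Nimda's directory-traversal requests for cmd.exe), tallies them per source address, and checks attachment names for the document-extension-plus-executable-extension pattern. The log lines, IP addresses and attachment names are constructed; the request paths and percent-encodings are the ones the worms actually sent.

```python
import re
from collections import Counter, defaultdict

# Apache/NCSA "combined"-style access-log line. The SAMPLE_LOG lines further down
# are constructed for this example; they are not real traffic from any server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths the 2001 IIS worms actually used: CodeRed's overflow request went
# to default.ida; CodeRed II left cmd.exe copied as root.exe in the script
# directories; Nimda asked for root.exe and for cmd.exe via IIS traversal encodings.
PROBE_SIGNATURES = {
    "codered": [re.compile(r"^/default\.ida\?", re.I)],
    "codered2_backdoor": [re.compile(r"/(scripts|msadc)/root\.exe", re.I)],
    "nimda_traversal": [re.compile(r"/cmd\.exe", re.I),
                        re.compile(r"%c0%af|%c1%1c|%c1%9c|%255c", re.I)],
}

# Sircam renamed a stolen document such as budget.doc to budget.doc.pif: a document
# extension followed by one of the five executable extensions the essay lists.
DOCUMENT_EXT = {"doc", "xls", "zip", "txt", "pdf", "rtf", "jpg"}
EXECUTABLE_EXT = {"com", "bat", "exe", "pif", "lnk"}

def parse_log_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify_request(path):
    """Name the worm family whose probe a request path looks like, or None."""
    for family, patterns in PROBE_SIGNATURES.items():
        if any(p.search(path) for p in patterns):
            return family
    return None

def scan_log(lines):
    """Tally probe requests per source address: {ip: Counter({family: hits})}.

    A host that is not running IIS still receives these requests (the essay's
    author counted thousands on a Unix-hosted site), so a non-zero tally says
    the *source* is infected, not that this server is."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        family = classify_request(rec["path"])
        if family is not None:
            hits[rec["ip"]][family] += 1
    return hits

def probe_totals(lines):
    """Total probes seen per worm family across all sources."""
    totals = Counter()
    for per_family in scan_log(lines).values():
        totals.update(per_family)
    return totals

def is_double_extension_attachment(filename):
    """True for names like report.doc.pif: a document extension followed by an
    executable one. Windows hides the last extension of known file types by
    default, so the recipient may see only 'report.doc'."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOCUMENT_EXT and outer in EXECUTABLE_EXT

# Constructed sample: one CodeRed probe, one Nimda-style burst, and normal traffic.
SAMPLE_LOG = [
    '10.0.0.7 - - [19/Jul/2001:13:01:02 -0400] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 276',
    '192.0.2.44 - - [18/Sep/2001:09:15:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282',
    '192.0.2.44 - - [18/Sep/2001:09:15:01 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280',
    '192.0.2.44 - - [18/Sep/2001:09:15:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '192.0.2.44 - - [18/Sep/2001:09:15:02 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301',
    '192.0.2.44 - - [18/Sep/2001:09:15:03 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301',
    '198.51.100.9 - - [18/Sep/2001:09:16:10 -0400] "GET /index.html HTTP/1.1" 200 4120',
    '198.51.100.9 - - [18/Sep/2001:09:16:12 -0400] "GET /essays/nimda.html HTTP/1.1" 200 51200',
]

if __name__ == "__main__":
    for ip, per_family in scan_log(SAMPLE_LOG).items():
        print(ip, dict(per_family))
    print("sircam-style attachment:", is_double_extension_attachment("budget.doc.pif"))
```

Run as a script it prints the per-source tallies. The essay's own observation is the reason to keep the tally per source rather than per server: a Unix host cannot be infected by these requests, but thousands of them from one address in a few minutes identify an infected client and explain the denial-of-service-like load the essay describes.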
(The problem of forged source addresses is taken up again later in this essay, in discussing the Klez program.)

For more technical details on Nimda, see the CERT advisory and the F-Secure description.

The Nimda worm has a length of 57344 bytes, which makes it a relatively large file compared to many webpages and e-mail messages. This large file size helps Nimda clog the Internet.

I noticed CodeRed and Nimda at my professional website, where, up to 10 May 2002, there were 11238 requests for Windows NT operating system files, particularly cmd.exe. (These files do not exist on the server that hosts my website, as that server runs the Unix operating system.) The webhosting service that I use reported on 18 Sep 2001 that they were receiving approximately

• 54. 8000 hits/second requesting cmd.exe. Such a high rate of requests approximates a denial-of-service attack on a webserver.

Perpetrator of Nimda

To the best of my knowledge, the author of the Nimda worm was never identified, so there can be no legal consequences for him. The code for Nimda contains a copyright notice stating that it originated in communist China, but I have seen no confirmation that this statement is correct.

The anti-virus software vendor Trend Micro reported on 14 May 2002 that a total of 1.2 × 10^6 computers worldwide had been infected with Nimda. The anti-virus software vendor Sophos reported Nimda as the most prevalent malicious program in the year 2001: Nimda accounted for 27% of the reports to Sophos.

BadTrans.B worm

The BadTrans.B worm was discovered on 24 Nov 2001. There was an epidemic from late November 2001 through early January 2002.

This worm did the following things to a victim's computer:

- installs a Trojan Horse program to record the victim's keystrokes that are typed into any window with a title that begins PAS[sword], LOG[on], or four similar words that indicate an attempt to log on to some service. This program later e-mailed the collected keystrokes (e.g., including username and password) to an e-mail address specified in the Trojan Horse.
- finds as yet unread e-mail in Microsoft Outlook on the victim's machine and replies to those unread e-mails with a copy of the BadTrans worm in an attachment to the reply. This novel feature of the BadTrans worm increased the chances of propagation, since the recipient was expecting a reply from the victim. The From: address will be the victim's e-mail address if the worm can find that information in the victim's computer; otherwise the From: address will be chosen from a list of 15 addresses, mostly with female names, contained in the worm. These 15 addresses belonged to real people, who were selected by the author of the BadTrans worm.
  One of them, Joanna Castillo, posted a webpage about her experience. Also, the now-defunct Newsbytes website had an article about the "e-mail hell" experienced by Castillo and one other victim of the forged From: addresses.
- Before sending copies with the victim's From: address, the worm adds the underline character (i.e., _) to the beginning of that From: e-mail address. Such an additional character will prevent warnings from the recipient from reaching the victim. Also, any returned copies of the worm (e.g., because the worm replied to spam that had an invalid, forged address) will not reach the victim and inform him/her of the unauthorized sending from his/her computer.
- Some variants of the BadTrans worm also sent copies of the worm to e-mail addresses found

• 55. in previously read e-mail in the victim's inbox, or to addresses contained in files of types *.htm, *.html, and *.asp in documents downloaded from the Internet.
- exploits a defect in Microsoft Internet Explorer that allows the worm to be launched without the victim opening an attachment. The same defect was exploited earlier by the Nimda worm.

BadTrans.B Perpetrator

To the best of my knowledge, the author of the BadTrans worm was never identified, so there can be no legal consequences for him.

The anti-virus software vendor Trend Micro reported on 16 May 2002 that a total of 2.1 × 10^5 computers worldwide had been infected with BadTrans.B, which was only about 1/5 the number of computers that Trend Micro reported as infected with Sircam or Nimda, which also appeared in the year 2001. However, the anti-virus software vendor Computer Associates reported BadTrans.B as the most prevalent malicious program in the year 2001. On 2 Dec 2001, MessageLabs filtered BadTrans.B from one in every 57 e-mails, the second-highest daily infection rate seen by MessageLabs. On 17 May 2002, MessageLabs reported the BadTrans.B worm was the all-time third-most-common malicious program in e-mail.

Klez

The original Klez program appeared on 26 October 2001. A number of variants appeared later, of which the most significant were the E variant, which first appeared on 17 January 2002, and the H variant, which first appeared on 17 April 2002. The H variant caused an epidemic from about 20 April 2002 through June 2002, and became the most widespread malicious program in the history of the Internet up to that time.

Klez has properties of both a computer virus and a worm, what the Norton Anti-Virus website calls a "blended threat".

There are a number of varieties of the Klez program and they each do slightly different harms to the victim's computer. Among these harms are:

- deposit a copy of an ElKern computer virus in the victim's computer.
  The early versions of this virus destroy information in all files on the victim's computer on 13 March and 13 September of each year.
- the Klez program is released when the victim reads or previews e-mail with Microsoft Outlook. The same defect in Microsoft Internet Explorer was exploited earlier by both the Nimda and BadTrans worms.
- send copies of the Klez program via e-mail from the victim's computer, as discussed in more detail below.
- attempts to disable many common anti-virus programs by modifying the Windows registry.

• 56.
- on the 6th day of each odd-numbered month, attempts to overwrite many different files on the victim's hard drive with a pattern of all zeroes, thus destroying data in those files.
- randomly selects a file of type .doc, .rtf, .pdf, .jpg, among other possibilities, to append to the attachment containing the Klez program, thus possibly sending confidential information from the victim to future victims.

This long list of harms shows that the author of Klez had a truly malicious intent.

Sending copies

The Klez program propagated by sending e-mail that contains Klez in an attachment. The subject line, body of the e-mail, and name of the attachment were randomly selected from a long list of possibilities contained in the Klez program. (This is unlike the Anna worm discussed above, where the attachment always had the same name and could be easily recognized by someone who had been warned by the news media.)

Vital Information Resource Under Siege
• Moves around in e-mail messages
• Usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book.
Example: MELISSA VIRUS

Types of virus
– File infector virus
  • Infects program files
– Boot sector virus
  • Infects the system area of a disk
– Master boot record virus

• 57.
  • Infects disks in the same manner as boot sector viruses. The difference between these two virus types is where the viral code is located.
– Multi-partite virus
  • Infects both boot records and program files
– Macro virus
  • Infects data files. Examples: Microsoft Office Word, Excel, PowerPoint and Access files

Melissa virus, 1999

The Melissa virus spread in Microsoft Word documents sent via e-mail.

How does it work?
• The virus was created as a Word document
• It was uploaded to an Internet newsgroup
• Anyone who downloaded the document and opened it would trigger the virus
• It sent friendly e-mail messages to the first 50 people in the person's address book

CODE RED WORM
• Code Red made huge headlines in 2001
• It slowed down Internet traffic when it began to replicate itself.
• Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that did not have the security patch installed. Each time it found an unsecured server, the worm copied itself to that server.

Polymorphic code

In computer terminology, polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact. That is, the code changes itself each time it runs, but the function of the code (its semantics) does not change at all. This technique is sometimes used by computer viruses, shellcode and computer worms to hide their presence.

Encryption is the most common method of hiding code. With encryption, the main body of the code (also called its payload) is encrypted and will appear meaningless. For the code to function as before, a decryption function is added to the code. When the code is executed, this function reads the payload and decrypts it before executing it in turn.
• 58. Encryption alone is not polymorphism. To gain polymorphic behavior, the encryptor/decryptor pair is mutated with each copy of the code. This allows different versions of the code while all function the same.

Malicious code

Most anti-virus software and intrusion detection systems (IDS) attempt to locate malicious code by searching through computer files and data packets sent over a computer network. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to recognise the offending code because it constantly mutates.

Malicious programmers have sought to protect their encrypted code from this virus-scanning strategy by rewriting the unencrypted decryption engine (and the resulting encrypted payload) each time the virus or worm is propagated. Anti-virus software uses sophisticated pattern analysis to find underlying patterns within the different mutations of the decryption engine, in the hope of reliably detecting such malware.

Emulation may be used to defeat polymorphic obfuscation by letting the malware demangle itself in a virtual environment before utilising other methods, such as traditional signature scanning. Such a virtual environment is sometimes called a sandbox. Polymorphism does not protect the virus against such emulation if the decrypted payload remains the same regardless of variation in the decryption algorithm. Metamorphic code techniques may be used to complicate detection further, as the virus may execute without ever having identifiable code blocks in memory that remain constant from infection to infection.

The first known polymorphic virus was written by Mark Washburn. The virus, called 1260, was written in 1990. A more well-known polymorphic virus was created in 1992 by the hacker Dark Avenger (a pseudonym) as a means of avoiding pattern recognition by antivirus software.
A common and very virulent polymorphic virus is the file infector Virut.
Understanding encryption and polymorphism

Escalation is a good word to use here. Virus programmers may encrypt messages so they cannot be easily seen. In the same way, many viruses contain encrypted code to hide what they do. Before there were virus scanners, there were programs written to detect possible Trojans. One such program was written by Andy Hopkins in 1984 and was called CHK4BOMB. When you used it to check out a program, it would alert you to anything suspicious in the program, like direct disk writes and formatting, as well as print out any messages it found. Obviously, a fully encrypted program, even one that did and said
• 60. nasty things, would look safe on examination.

Yet encrypted viruses are not completely encrypted. Encrypted code is no longer executable code; it simply won't run. For an encrypted virus to actually run, it has to decrypt its code and data. The portion that does this decryption is not encrypted, because it has to run. This portion is referred to as a decryptor.

Encryption techniques

Some viruses use very simple encryption techniques such as incrementing, decrementing, or rotating each byte in the code. They may also negate or logically NOT each byte. Such encryption does not require an encryption key, an additional value used in encrypting each byte or word (two bytes). Techniques that use a key include adding, subtracting and XORing. A key value can also be used in rotating a byte. Additionally, keys themselves come in three types.

A static key is one that doesn't change as the virus uses it; it is a set value. Viruses using a static key might add 128 to each byte, rotate each byte 3 places to the right, or XOR each word with 0F8F8h.

A variable key is one where the key value varies in some way. This key starts as a static value and is then modified during the decryption. The key may itself be incremented, decremented, XORed, rotated, etc.

Both static and variable keys produce predictable results. Specifically, the resulting encrypted code looks the same in every replication of the virus. Therefore, if you used a simple string scanner with a string from within the encrypted portion of the virus, you would still detect all its parents and progeny. Such encryption presents no problem to the antivirus industry. But the third type of key does.

A random key is one that changes from infection to infection. Cascade, for example, bases its key on the size of the host file, which obviously changes a lot. Other viruses use a pseudo-random key, such as fetching, storing, and using the current timer tick count, or the current 100ths-of-a-second value. Any of these approaches produces a virtually random and unpredictable key.

This causes problems for those who write programs that detect viruses. Since the code and data in such a virus change radically, string-scanning product developers must choose a string from the only part of the virus that doesn't change: the decryptor. Early on, this led to two major problems in the industry.

The first problem involved false alarms. Early grunt scanners (scanners that examine an entire file) that used the same string for Cascade would detect each other as being infected. This problem was solved by encrypting the strings.

The second problem involved copyright. Some early product developers claimed copyright on their scan strings, which, when you think about it, means they were copyrighting fragments of another programmer's code: the virus programmer's code. Ross Greenburg, the developer of Flu-Shot and VirexPC, had a request out
• 61. for virus strings. As Ross tells it, someone downloaded a bunch of strings, sent them to him, and he used them. Unfortunately, those strings had been extracted from McAfee's scanner. McAfee threatened a lawsuit, but never carried out the threat.

Herein lies the problem. What then about a randomly encrypted virus with a short decryptor? In the Fish virus, for example, there are only 14 usable bytes. So string-scanning products virtually have to use the same pattern, do they not? How then can one company claim a copyright on a string many others are forced to use also? Virus Bulletin regularly publishes search strings, and the Fish virus byte pattern can be found in the July 1991 issue. Here it is reprinted:

    E800 005B 81EB A90D B958 0D2E 8037

By the way, I did not ask permission to reprint this. So is my printing this pattern a violation of VB copyright?

Virus Bulletin itself answers "No" and points out how ludicrous this idea is:

"Some misunderstandings have arisen in the past about the copyright notice which appears at the foot of each page of the bulletin; does this notification apply equally to hexadecimal search patterns? The answer, of course, is an emphatic NO - search patterns are not intellectual property or original material and are beyond copyright. There have been incidents in the United States of software developers threatening lawsuits against other software developers on the basis that search patterns have been stolen.

"The VB Table of Known IBM PC Viruses is designed to be actively used; the patterns are supplied to help systems engineers with diagnosis but may also be used in the development of comprehensive scanning software. Use of these patterns is positively to be encouraged."

But encryption, even random-key encryption with a short decryptor, is truly not a problem to antivirus developers when it comes to detection. The real problem is polymorphism.
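As an added example (written for this page; it is not code from the text or from any real virus), the following models the three key types just described and their consequence for string scanning. The "virus body" is a constructed text string; the decryptor is a fixed placeholder followed by the one key byte a real decryptor would have to carry in clear; and the random key is derived from the host file size in a simplified, Cascade-like way (an assumption, not Cascade's actual formula). With a static or variable key every copy's encrypted body is byte-for-byte identical, so a scan string cut from the body finds every copy; with a random key the same string finds only the copy it was cut from, and the scanner is forced back onto the constant decryptor bytes.

```python
# Constructed stand-in for the viral body that gets encrypted (text, never executed).
BODY = b"payload: on 13 Sep overwrite the partition table; then infect another .COM"

# Stand-in for the decryptor, which must stay in clear so that it can run. In a real
# virus these are machine-code bytes; a fixed placeholder is enough here because the
# point is only that it is identical in every copy.
DECRYPTOR_STUB = b"<decryptor-loop>"

def static_key_encrypt(body, key):
    """One fixed key for every byte and every copy (the text's 'add 128 to each byte')."""
    return bytes((b + key) & 0xFF for b in body)

def variable_key_encrypt(body, key):
    """The key is incremented after each byte. It changes, but in the same way in
    every copy, so the encrypted body is still identical from copy to copy."""
    out = bytearray()
    for b in body:
        out.append(b ^ key)
        key = (key + 1) & 0xFF
    return bytes(out)

def random_key_encrypt(body, key):
    """Per-infection key (XOR). The key has to travel in clear inside the decryptor."""
    return bytes(b ^ key for b in body)

def cascade_style_key(host_size):
    """Cascade derived its key from the host file's size. This is a simplified
    stand-in for that idea (an assumption, not Cascade's actual formula). A zero
    key is avoided because it would leave the body unencrypted."""
    return (host_size & 0xFF) or 1

def infect(scheme, host_size):
    """The bytes a scanner sees in one infected host: the constant decryptor stub,
    the key byte the decryptor needs, then the encrypted body."""
    if scheme == "static":
        key = 0x80
        cipher = static_key_encrypt(BODY, key)
    elif scheme == "variable":
        key = 0x2A
        cipher = variable_key_encrypt(BODY, key)
    elif scheme == "random":
        key = cascade_style_key(host_size)
        cipher = random_key_encrypt(BODY, key)
    else:
        raise ValueError("unknown scheme: %s" % scheme)
    return DECRYPTOR_STUB + bytes([key]) + cipher

def body_scan_string(image, length=12):
    """A scan string cut from inside the encrypted body of one copy."""
    start = len(DECRYPTOR_STUB) + 1      # skip the stub and the key byte
    return image[start:start + length]

def copies_detected(images, needle):
    """How many copies a plain string scanner flags with this needle."""
    return sum(needle in image for image in images)

def demo(host_sizes=(4097, 8210, 12345)):
    """For each key type: infect three hosts of different sizes, cut a scan string
    from the first copy's body, and count how many copies it, and a string taken
    from the decryptor, would detect."""
    results = {}
    for scheme in ("static", "variable", "random"):
        images = [infect(scheme, size) for size in host_sizes]
        results[scheme + "_body_needle"] = copies_detected(images, body_scan_string(images[0]))
        results[scheme + "_decryptor_needle"] = copies_detected(images, DECRYPTOR_STUB)
    return results

if __name__ == "__main__":
    for name, count in demo().items():
        print("%-26s detects %d of 3 copies" % (name, count))
```

The key byte sitting between the stub and the body is the detail that matters for the Fish example above: a decryptor string must be cut around the bytes that hold the key, which is why so few of a short decryptor's bytes are "usable" and why competing products end up with the same pattern.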
Polymorphism

Since a string scanner can only detect randomly encrypted viruses by using their decryptor, what happens if the decryptor itself changes with each infection?

"Scanning can't find all viruses" was reportedly the premise of two virus researchers in the United States. According to sources such as Virus Bulletin, in January of 1990 each of these men sent out a virus to prove their claim. Patrick Toulome sent his Virus-101 to the developer of a scan product. Mark Washburn sent out his V2P1 or Chameleon virus. These were the first two polymorphic viruses.
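The question that opens this section, what happens when the decryptor itself changes, can be made concrete with a toy. The following is an added example written for this page (not code from the text, from Virus-101, Chameleon or any real virus): it defines a tiny invented instruction set, emits for each copy a decryptor whose register roles, instruction forms, MOV order and junk padding are chosen at random (the same kinds of variation the Phoenix.1226 analysis below describes), encrypts a constructed body with the matching encryptor, and then does what the emulating scanner described earlier does: runs each decryptor in a sandbox and hashes what comes out. The string-scanning view finds almost nothing stable across copies; the emulation view finds one constant payload. The body text, the instruction set and all random choices are constructed for the example.

```python
import hashlib
import random

# Constructed stand-in for the encrypted viral body (plain text, never executed).
BODY = b"payload: on the 13th, overwrite sectors; then infect the next .COM file"

# Toy instruction set invented for this example (it is not x86). An instruction is an
# opcode byte plus operand bytes; r0..r3 are 8-bit registers; the decryptor works on
# the buffer that holds the encrypted body.
OP_NOP, OP_MOV, OP_XOR, OP_SUB = 0x00, 0x10, 0x30, 0x31    # MOV r,imm ; XOR/SUB [rP],rK
OP_INC, OP_ADD1, OP_DEC, OP_SUB1 = 0x40, 0x41, 0x50, 0x51  # INC r / ADD r,1 ; DEC r / SUB r,1
OP_JNZ, OP_HALT = 0x60, 0xFF                               # JNZ addr ; HALT

def encrypt(body, key, use_sub):
    """Encryptor half of the pair: ADD when the decryptor will SUB, otherwise XOR."""
    if use_sub:
        return bytes((b + key) & 0xFF for b in body)
    return bytes(b ^ key for b in body)

def make_decryptor(body_len, key, rng):
    """Emit one decryptor. Registers, instruction forms, MOV order and padding are
    chosen at random (as Phoenix picks its registers and jns/jge), so the bytes
    differ from copy to copy while the loop does exactly the same work."""
    r_key, r_count, r_ptr = rng.sample(range(4), 3)
    use_sub = rng.random() < 0.5                          # which encryptor/decryptor pair
    setup = [bytes([OP_MOV, r_key, key]),
             bytes([OP_MOV, r_count, body_len]),
             bytes([OP_MOV, r_ptr, 0])]
    rng.shuffle(setup)                                     # the three MOVs in any order
    code = bytearray(b"".join(setup))
    code += bytes([OP_NOP]) * rng.randrange(3)             # 0-2 junk bytes move the loop
    loop = len(code)
    code += bytes([OP_SUB if use_sub else OP_XOR, r_ptr, r_key])
    code += bytes([OP_ADD1, r_ptr, 1]) if rng.random() < 0.5 else bytes([OP_INC, r_ptr])
    code += bytes([OP_SUB1, r_count, 1]) if rng.random() < 0.5 else bytes([OP_DEC, r_count])
    code += bytes([OP_JNZ, loop, OP_HALT])
    return bytes(code), use_sub

def infect(body, rng):
    """One infection: (decryptor bytes, encrypted body) under a fresh random key."""
    key = rng.randrange(1, 256)
    decryptor, use_sub = make_decryptor(len(body), key, rng)
    return decryptor, encrypt(body, key, use_sub)

def emulate(decryptor, cipher, max_steps=10000):
    """Sandbox: run the decryptor over the cipher and return the buffer it leaves.
    The step limit is the usual guard against a decryptor that never halts."""
    regs, mem, pc, zf = [0, 0, 0, 0], bytearray(cipher), 0, False
    for _ in range(max_steps):
        op = decryptor[pc]
        if op == OP_HALT:
            return bytes(mem)
        if op == OP_NOP:
            pc += 1
        elif op == OP_MOV:
            regs[decryptor[pc + 1]] = decryptor[pc + 2]
            pc += 3
        elif op in (OP_XOR, OP_SUB):
            i, k = regs[decryptor[pc + 1]], regs[decryptor[pc + 2]]
            mem[i] = (mem[i] ^ k) if op == OP_XOR else ((mem[i] - k) & 0xFF)
            pc += 3
        elif op in (OP_INC, OP_ADD1, OP_DEC, OP_SUB1):
            r = decryptor[pc + 1]
            regs[r] = (regs[r] + (1 if op in (OP_INC, OP_ADD1) else -1)) & 0xFF
            zf = regs[r] == 0
            pc += 3 if op in (OP_ADD1, OP_SUB1) else 2
        elif op == OP_JNZ:
            pc = decryptor[pc + 1] if not zf else pc + 2
        else:
            raise ValueError("unknown opcode 0x%02x" % op)
    raise RuntimeError("step limit reached: decryptor did not halt")

def longest_stable_scan_string(decryptors):
    """Longest byte string present in every decryptor, i.e. all a string scanner
    could use. With real variation it shrinks to nothing usable."""
    shortest = min(decryptors, key=len)
    for n in range(len(shortest), 0, -1):
        for i in range(len(shortest) - n + 1):
            s = shortest[i:i + n]
            if all(s in d for d in decryptors):
                return s
    return b""

def sandbox_signature(decryptor, cipher):
    """What an emulating scanner hashes: the payload after the copy decrypts itself."""
    return hashlib.sha256(emulate(decryptor, cipher)).hexdigest()

def demo(n_copies=64, seed=1):
    rng = random.Random(seed)
    copies = [infect(BODY, rng) for _ in range(n_copies)]
    decryptors = [d for d, _ in copies]
    return {
        "distinct_decryptors": len(set(decryptors)),
        "stable_scan_string_len": len(longest_stable_scan_string(decryptors)),
        "all_copies_decrypt_to_payload": all(emulate(d, c) == BODY for d, c in copies),
        "distinct_sandbox_signatures": len({sandbox_signature(d, c) for d, c in copies}),
    }
```

Calling demo() shows the two sides of the argument in one dictionary: the decryptors are nearly all distinct and share at most a byte or two, while every one of them decrypts to the same payload and therefore the same sandbox hash. The step limit in emulate is not decoration: a scanner that emulates untrusted code has to bound it, and that bound is exactly what later viruses attacked with decryptors that run for a very long time before revealing anything.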
• 62. When Toulome's virus went beyond the researcher he sent it to, he didn't appreciate it. He stopped making viruses. Washburn, on the other hand, made and released several more, each progressively more polymorphic.

The general meaning of polymorphic is "having many forms" and could thus be applied to any randomly encrypted virus, since they indeed have many forms. However, the use of this word in antivirus research and product development, as well as our use here, is more specific. A polymorphic virus is a randomly encrypted virus that is also programmed to randomly vary its decryption routine. Thus the decryptor itself has "many forms": it is polymorphic.

Before February of 1991 there were several terms used to describe these viruses: mutating, garbling, self-modifying, variably decrypting, and such. In that month, however, Fridrik Skulason and Alan Solomon coined "polymorphic" as it is applied to these viruses. The term caught on quickly.

Now that we've explained the definition and history of the term polymorphic, we're going to look at what it really means. But be warned: this portion of our discussion of viruses gets more analytical in nature and thus, necessarily, more technical.

During 1990 four polymorphic viruses were developed by Dark Avenger, based on his V800 virus. In an interview with Sarah Gordon, Dark Avenger said "Proud, Evil, Phoenix, are variants of one virus." This may mean that the fourth, Phoenix.1226, was the first programmed. None of these are in the wild, but we'll use the 1226 version here as an example of polymorphism.

The decryption routine for Phoenix.1226 is 32 bytes long. Within that 32-byte routine, 18 bytes are variable. This variation is accomplished in two ways. First, two of the bytes can each have one of two values: these bytes are the two conditional jumps, each of which can be either a jns (jump if not sign) instruction, with a byte value of 79h, or a jge (jump if greater than or equal) instruction, with a byte value of 7Dh.

The remainder of the variability is more complex. There are five processor registers used in the decryptor. The first two used have to be pointer registers, since they are used in indirect memory addressing. This limits the available registers to bx, di, and si (bp is not used). The other three registers are used for storage and may be selected from ax, bx, cx, or dx. Also, if bx was used as a pointer, then either di or si, whichever is available, can be used.

A virus in pseudocode

The following is the classic pseudocode description of a virus (after Fred Cohen). The value 1234567 is the marker by which V recognizes files it has already infected; note that the loop as written never terminates if every candidate file already carries the marker.

    program V :=
    {goto main;
     1234567;

     subroutine infect-executable :=
       {loop:
        file := get-random-executable-file;
        if (first-line-of-file = 1234567)
          then goto loop
          else prepend V to file;}

     subroutine do-damage :=
       {whatever damage is to be done}

     subroutine trigger-pulled :=
       {return true if some condition holds}

    main: main-program :=
       {infect-executable;
        if trigger-pulled then do-damage;
        goto next;}

    next:
    }

How can I prevent malware from entering my PC?

It is important not to open any e-mails which come from senders you don't know. Many of those e-mails have luring titles like "You have won a lottery" or "Happy birthday, I have a present for you" and so on. Never open any attachments coming with such e-mails, as it is likely that in such cases you will install a virus or a worm on your PC. As a rule, you should never open an attachment that has been sent to you by someone you don't know. As the worms above show, the From: address is easily forged and the sender may be a friend whose computer is infected, so an unexpected attachment from a known sender deserves the same caution.

Install anti-virus software on your PC. This will protect your computer against viruses and other malware threats. Keep it, and the operating system, updated: CodeRed, Nimda, BadTrans.B and Klez all exploited defects for which a patch had already been published.

You can also install a firewall, which will keep watch on the network connections that go in and out of your computer.

Try to avoid suspicious websites, and if you accidentally enter one which seems strange, leave it immediately. If pop-up windows alert you or ask you to agree to anything, close them immediately and never click on any button inside them.

What is a firewall?

A device or software designed to prevent unauthorised people from accessing your computer via the Internet without permission. A firewall controls the network connections that go in and out of your computer: a connection that its rules do not allow is blocked. It does not inspect the contents of files for malware; that is the job of anti-virus software.

What is spyware?

It is a program that can be secretly attached to files you download from the Internet. As soon as it is

• 64. downloaded, it installs itself on your PC without your knowledge, and starts to monitor your Internet activity. The monitored information is then transmitted to a third party, in most cases to companies which are interested in creating your personal profile. Later on, they will start sending you advertising or other data.
