Security and Privacy in a Networked World/The World of Malware

From Wikiversity

Note: Wikipedia pointers are used for quick further reference. Please see the references of the articles to find primary sources!


Bad stuff[edit]

Malware, or malicious software, is actually a combination of different factors. Historically, it combined passion for challenge and discovering new things ("Is it possible to write a self-duplicating program?") with playful pranking on others ("Arf arf, got you!") - both featured in the traditional hacker culture. However, later additions were remarkably more unpleasant - starting with anger of disgruntled individuals, moving on to hacktivism and cyberterror (making a political point with online attacks) and finally coming to cyber-weaponry and crime (of which more common are theft, sabotage of competitors' systems and extortion). For the latter, an increasing role is played by 'hired hands", i.e. using paid services of professional crackers. And of course, once again we run into PIBKAC - ignorance and negligence on users' side plays a major role in the success of malware.

Types[edit]

There are different types/elements of malware:

  • Virus - a piece of software capable of self-propagation by either infecting files or certain parts of data carriers (e.g. DVD-s or USB disks). While the most popular and known term, not all malware are viruses - in fact, viruses in their pure form are getting rare. Also, not all viruses as such are malicious (although even a harmless virus may become a nuisance by tying up system resources). Pure viruses are very rare outside the Microsoft platform.
  • Trojan horse - a piece of malicious software posing as a legitimate application. In its pure form, has no self-replication abilities, relying solely on social engineering and deception to propagate. Therefore, they work disregarding platforms and systems - no matter how secure the system is, the weak point is again between the keyboard and the chair.
  • Worm - a piece of software that propagates itself over networks via various software vulnerabilities. User intervention is not needed. Worms are also most common on Microsoft platform, but they do exist elsewhere too.
  • Rootkit - a piece of software used to hide tracks of some other software. Rootkits are a bit different from others, being used reactively, after a successful attack. They exist on all popular platforms.
  • Spyware - a piece of software (or part of a larger malware) that tracks the user's activities and reports it to its owner. While the line between legitimate and illegitimate use can be blurry, there is an increasing number of examples of serious violations of privacy.
  • Keylogger - a piece of software (or part of a larger malware) to record the keys pressed by the user in order to collect and forward sensitive information (passwords etc).
  • Logic bomb - usually not a separate category, but rather a mechanism of viruses, Trojan horses and worms to launch the attack on compromised systems in a delayed manner, on some predetermined condition (a popular one used to be Friday the 13th).
  • Redirector - a piece of software or a part of a larger malware to redirect traffic with malicious intent. Examples include dialers into expensive premium numbers in dial-up networks, DNS redirection to phishing websites etc


Note: today's malware may contain any combination of these elemehts.

From early days to Stuxnet and CryptoLocker[edit]

Already in early computing, before there were viruses, there were Trojan horses:

  • Internet proper was an elite thing (but the first malware concept was introduced on Multics in 1974)
  • for some time, ordinary users had only access to modem-based Fidonet: no chance for heavy traffic. So they had to create small and nasty stuff like PKZ300 Trojan horse (pretended to be a new version of ZIP compression utility)

The first personal computer virus recorded was the Elk Cloner on AppleDOS 3.3 (thus not on Microsoft platform!). But soon, viruses became nearly synonymous with IBM PC compatible computers and Microsoft systems.

Some of the notable early viruses were

  • The Pakistani Brain (1986) - aka Lahore, Pakistani Flu, UIUC. Written by Basit and Amjad Farooq Alvi, two Pakistani brothers, to prevent copying of their software. A boot sector virus with simple stealth capabilities and no destructive payload, more an annoyance.
  • Lehigh (1987) - the first virus to attack COMMAND.COM, the core file of DOS (in fact, attacked only this file) as well as the first TSR (Terminate and Stay Resident - the virus loaded itself into the RAM and infected all data carriers used) virus. After a number of infections, it messed up the disk, thus being likely the first destructive virus. It was possible to avoid Lehigh by making COMMAND.COM read-only.
  • Jerusalem (1987) - TSR, but did NOT infect COMMAND.COM (to hide from detection). The main effect was slowing down the system, but on Friday the 13th it destroyed all programs that were run.
  • Stoned (1989-91) - the first widespread boot sector virus that informed the user with the message "Your PC is now stoned."
  • Yankee Doodle (1989) - a virus with many variants, once extremely common (also in Estonia, the whole computer labs were singing...). Had a notable effect of playing the title song from speakers (other than that, it was relatively harmless).
  • Cascade (around 1988) aka Falling Letters - the virus featured a very colourful visual effect in letters falling from screen to a pile below. While otherwise harmless, working with the computer was profoundly disrupted. The virus was also notable for being the first to use encryption to avoid detection.
  • Dark Avenger (1989) aka Eddie - a TSR file infector, was able to infect files even by reading (most others needed a program launched). One of the most destructive early viruses - every 16th infection destroyed a random sector on disk, slowly causing permanent, serious damage. In 1992, the same author introduced the Mutation Engine - a virus library designed to create self-changing (stealth) viruses.
  • Dir II (1991) - a TSR virus that changed the information structure on disk - booting from a clean disk rendered the files unusable (thus being a distant ancestor of today's CryptoLocker).
  • Michelangelo (1991) - a derivative of Stoned that resulted in one of the biggest hypes in the history of malware - it created a huge media bubble in the beginning of 1992 as it was to activate on March 6. The actual damage was negligible.
  • CIH (1998) aka SpaceFiller or Chernobyl - another very destructive virus that wrote over the beginning of the disk as well as some of the BIOS upon activation (the latter did not work in some BIOSes). As CIH was designed for Windows 9x, it did not work on the NT family and died out with Windows 2000 going mainstream.

The Morris Worm[edit]

A separate notion should be made on the Morris worm, launched on what was later known as Black Thursday, 2nd of November 1988 - the day has since been regarded as the birthday of computer security. A rare example of an actual early Internet worm (similar effects became widespread only two decades later). It used a combination of known security holes and exploitation of weak passwords to propagate. The author was a Cornell University student Robert Tappan Morris Jr, who later confessed having been misjudged the speed of his creation by ten times, ending up infecting more than 6000 machines. Morris was subjected to 3 years of probation, 400 hours of community service and a $10 050 fine for the feat - fortunately, he went on to become a successful computer scientist afterwards.


The age of macro viruses[edit]

These were the viruses that resided on MS Office environment and appeared in late 90s after Microsoft had cemented its domination on desktop systems by controlling the operating system, the office software as well as the web browser (Internet Explorer). Their success relied on (besides the wide spread of the Microsoft software) the permeating nature of Visual Basic for Applications in MS Office (especially Word and .doc files), allowing deep access stretched further by unintended privilege escalation cases (this was one of the many "flexibility vs security" dilemmas that Microsoft got wrong).

The most known viruses of that time were

  • Melissa (March 26, 1999) - The first successful virus+worm combo; after infecting one computer, used a worm-like spreading method, clogging up a large share of networks. Melissa needed Word 97 or 2000 to work and Outlook 97 or 98 to spread - yet there was more than enough of them.
  • ILoveYou (2000), aka LoveLetter or Love Bug - a virus-worm combo similar to Melissa, caused estimated financial loss of 10 billion USD. Outlined the problems with file extension hiding and double extensions in Windows - for some reason, Windows opted for hiding file extensions, allowing deceptive combinations like myfile.jpg.vbs (the .vbs extension got hidden, leaving the impression of a JPG picture file, while actually being a Visual Basic script).


Remote controllers[edit]

A class of (typically) client-server applications used to remote control Windows machines - the server part was smuggled to target computers using either social engineering (sometimes also by direct planting), e-mail attachments or other malware. The three most widespread ones were

Netbus was also the cause of a large child porn scandal in Sweden in 1999 - an academic of Lund University was accused of having illicit pictures in his computer, later promptly fired from the university and harassed by media until he left the country. About five years later, Netbus was found in the computer, suggesting his computer having been controlled by someone else.


The New Millennium[edit]

While Microsoft started to pay more attention to security in the new century (introducing new solutions like the User Access Control or Security Essentials) the track record did not change. The reasons for this are several - the largest market share (mostly pointed out by Microsoft itself) is complemented by largely "security through obscurity" model (only selected partners receive access to source code to effectively create countermeasures), rumoured continued covert use of insecure legacy code in its software and above all, the largest share of ignorant users compared to other systems.

The large outbreaks have included

  • Code Red (2001) - while it attacked only MS IIS web servers, but made attempts on all (did not check the type), creating a lot of extra traffic. DOS attacks were then attempted from conquered machines. As a laudable effort, MS reacted in just a week - but "Hacked by Chinese" (the worm had Chinese origins) became still a slogan in tech culture.
  • Nimda (2001) - "administered" (the name being "admin" backwards) the conquered machine - enabled sharing, set the guest account up with admin privileges and infected web servers, whose visitors using IE were also infected.
  • Blaster (2003), aka Lovesan - a worm that infected more than 8 million computers. Among other effects, the infrected machines DOSsed MS update service.
  • MyDoom (2004) - one of the fastest-spreading malware to date. As it DOSsed the SCO website, an 'open-source revenge' was alleged (as SCO was behind the campaign against Linux), but the claims were later overturned. In July that year, MyDoom managed to stop all main search engines for a day.
  • Sasser (2004) - launched massive swamping attacks on different online services, causing lots of downtime (mostly in Europe). The author, a German student, received 21 months of probation but was later employed by a security company.
  • Zotob (2005) - one of the first "mercenary worms" apparently having been ordered by spyware industry (to forward different malware). Estimated damage was 97 000$ + 80 hours of work per company infected. On August 16, CNN Live went down due to Zotob, other big hits were Boeing, ABC News, Homeland Security...
  • Samy (2005) aka JS.Spacehero - a MySpace XSS (cross-site scripting) worm that used MySpace vulnerabilities (e.g. JavaScript code injection via CSS). Spread onto the pages with more than 1 mln users in 20 hours, arguably the fastest-spreading malware. The author, Samy Kamkar, got 3 years on probation, 90 days of community services and an unknown amount of fines.
  • Storm (2007) - a worm used to build one of the largest botnets to date. Initially spread 'the old way' via mail attachments. The botnet at the largest contained about 1-50 million computers (different estimates). Studies have pointed towards Russian organized crime as its origin.
  • Koobface (2007) - a botnet-building malware that used social networks to spread and one of the rare cases, was also capable of infecting some Linux computers (being Java-based). However, the infection was half-accidental and did not survive next reboot.
  • Zeus (2007) - a stealthy botnet-building malware used for a number of different bank-related frauds in the U.S. At its heyday, it had infected millions of computers (estimated 3.6 million in the U.S. only). The botnet was largely taken down in 2011. As a rarely seen gesture, the source code of Zeus was made available on GitHub in 2013.
  • Conficker (2008) aka Downadup or Kido - exploited Windows server vulnerabilities (all versions from 2000 upwards). Hit the UK Ministry of Defense, a number of Royal Navy warships, about 800 computers in Sheffield hospitals... Microsoft managed to react in a month, patching the vulnerability in December.


Stuxnet[edit]

Notable as one of the first dedicated cyber-weapons, the Stuxnet Trojan horse was probably launched by the U.S. and Israel to attack Iran's nuclear capabilities. The malware seeked a specific brand of programmable logic controllers used to control Iranian centrifuges - upon infection, it changed the speed of the centrifuges, greatly shortening their lifespan.


Recent years[edit]

  • Flame (2012), aka Skywiper - possibly a Stuxnet-like cyberweapon used mostly for espionage in Middle East. Notable for being huge for malware - the full size has been reported to about 20 megabytes.
  • CryptoLocker (2013) - the first widely spread ransomware. It encrypts files on hard disks (especially documents) and offers the users to pay a certain sum to its authors to decrypt the files.


Some other interesting cases[edit]

  • January 2001 - Ramen, a single brief appearance of a Linux worm. Was limited to Red Hat 6.2 and 7.0, used their security holes. In principle was similar to the Morris worm.
  • August 2003 - Welchia, a helpful worm that attempted to update Windows, removed Blaster and was supposed to kill itself in 120 days. Alas, it was buggy...
  • October 2005 - The Sony rootkit scandal. Sony BMG released 102 titles of CD-s equipped with XCP and MediaMax - two "copy protection" systems that were actually rootkits, interfering with the system and opening new security holes in Windows machines. First, a removal tool was issued which made things worse by creating a placebo effect rather than actual cure. The second one was no better, and Sony finally recalled all the CD-s in question.


The recent target: OS X[edit]

For some time, Apple OS X users were relatively protected from malware thanks to the system's Unix roots, the main threats being social engineering and subsequent installs of suspicious software. However, the risks have increased during the last decade:

  • Leap (2006), aka Oompa-Loompa, was worm that spread via the iChat messaging system. However, the infection was only possible via local networks, not over Internet, and only applications installed by hand by a user were vulnerable. Also, the infection needed the use of Bonjour protocol which was not the default choice.
  • RSPlug (2007) - a Trojan horse that mostly spread posing as a video codec available from some pornographic websites (i.e. the user had to be tricked to install it). After infection, the user's web browser was redirected to phishing sites. The malware spread rather widely - the investigation after the Operation Ghost Click in 2009 suggested the numbers at about 4 million OS X machines.
  • MacDefender (2011) - a fake security program (actually a Trojan horse) distributing users' information and demanding payments.
  • Flashback (2011) - probably the most serious of the OS X malware to this date, a botnet-builder that exploited a hole in Java, resulting in about 600 000 infections worldwide (and in January 2014, it was suggested that about 22 000 computers were still infected).

While OS X likely remains a remarkaby more secure choice in near future, it is vulnerable to socially engineered Trojan horse attacks as well as security problems in third-party software. Also, a fake sense security is often seen at Mac users, making them easy targets.

Note: most of the same threats also apply to Linux distros.

Evolution of motives[edit]

As stated above, the stages in malware motivation can be outlined as follows:

  • Hackerly exploration (“What's in there?”)
  • Clueless experimentation (“What happens if”)
  • Expression of frustration (“I'll show you all!”)
  • Expression of politics (“Free X or suffer!”)
  • Malware as a weapon
  • Malware as a business model

The biggest problems persists in the proliferation of the last two - the 'cyberworld arms race' is a reality for a number of countries (most of all, China, Russia and the U.S.), and there has been next to no success in making cybercrime less profitable. Secondary reasons include the continuing efforts to create Microsoft monoculture - and of course, PIBKAC.


Additional reading and links[edit]

Study & Blog[edit]

  • Compare a case of malware from the 80s/90s to a recent one from the 00s/10s (motives, methods of propagation, payloads/effects, technology used etc).


Back to the main course page