Archive for January, 2010
Wednesday, January 13th, 2010
I decided to delve a little into computer viruses to look at them not just from a technical perspective but from the perspective of what made each one unique and/or effective. This is a commonly used list of top viruses, but again with a different spin, as I briefly look at what seems to be innovative about each one. I have also included a deep link to a more thorough explanation of what we know about each of the viruses. Many of these viruses will be very familiar to you. In fact, given how prominent they are, it is highly likely that you have encountered at least one of them firsthand. Yes, I believe that we can learn from just about anything, including computer viruses, so without further ado let’s get started.
- Storm Worm (aka Peacomm, Nuwar) – This virus burst onto the scene in 2006/2007 and hit the Internet like a nuclear warhead. It was distributed via an email with the subject “230 dead as storm batters Europe.” The writers of the virus definitely made it look like a news brief that piqued a lot of interest, and they altered the subject and news to be timely enough to get the user’s attention. At its peak more than 200 million emails had been infected with this virus, which created a massive spam email botnet. The innovation here was in the thought that went into the use of current events to lure its victims (social engineering).
- Leap-A/Oompa-A – This 2006 virus showed us that all systems can be attacked if a hacker puts effort into it. This was an attack on Apple’s OS X operating system, which came pre-installed with an application called iChat for chatting with others over various chat networks (like AOL’s IM). It leveraged a flaw in iChat to infect the Mac with a relatively harmless virus and then used the buddy list in iChat to spread. The main negative impact was that infected applications would no longer launch. The innovation with this virus is really just the platform that it chose to infect.
- Sasser and Netsky – These were the brainchild of a 17-year-old from Germany, Sven Jaschan. Here it appears that Mr. Jaschan reversed a Microsoft security update to reveal the bug and then leveraged the bug to create a DoS botnet. The unique thing about this virus is that it spreads without user interaction by scanning IP addresses looking for computers that are vulnerable (those that have not been patched). Once it finds a victim, it forces the victim to download the virus and then starts using that machine to scan for more victims. Sasser was responsible for many systems being brought to their knees, including Delta Airlines and multiple hospitals in Europe. The innovation here is the reversing of a security patch to find a method of spreading the virus that didn’t require an action from the user.
- MyDoom – This worm became active in 2004 and was an attempt by email spammers to send junk emails (spam) through its victims. MyDoom is transmitted via email and uses subject lines that seem to indicate an error has occurred that requires an action by the user, such as “Error” or “Mail Transaction Failed”. It spreads via peer-to-peer networks like Kazaa as well. The target of this virus was very focused: the servers running sco.com. The innovation here was in the focused target coupled with the email spamming. It recently resurfaced for another round in July of 2009.
- SQL Slammer – This virus started in January of 2003 and quickly began spreading at a rate of 7,500 victims per minute. It exploited a buffer overflow bug in Microsoft’s SQL Server and Desktop Engine (SQL Server variant). The worm spread over the UDP protocol and was very compact, fitting inside a single packet, which enabled its rapid spread. This virus brought down Bank of America’s ATM system and reportedly caused $1 billion worth of damages. The innovation with this worm is around the use of UDP and how it was deliverable in a single packet.
- Nimda – This worm spread five different ways, which made it, within 22 minutes of its known release, the #1 target of anti-virus companies. Nimda (admin backwards) impacted all versions of the Microsoft Windows operating system (server and client editions). It spread via email, open network shares, browsing to a compromised website, an IIS exploit, and backdoors left behind by the Code Red II virus. The innovation with this worm was around the multiple methods with which it infected its victims.
- Code Red – Code Red and Code Red II came out in July of 2001 and leveraged a vulnerability in the indexing software of IIS (Microsoft’s web server). It resulted in defacing the sites hosted by IIS and forcing them to display the message “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!” The worm spread by exploiting a buffer overflow and simply searched the web by IP looking for targets, trying to attack literally everything (it didn’t look for IIS specifically). The innovation here was in the payload and the fact that it was set up to target a short list of IP addresses with a DoS attack, including the U.S. White House.
- Klez – This virus originated in 2001 and is a variation of a fairly common theme. It spreads via email; however, it took advantage of Microsoft Outlook’s Trident layout engine and default HTML view of emails to inject itself, thus not requiring the user to do anything but flip through their emails. It used an IFRAME trick to cause Trident to infect the user’s machine and then spread in the typical address-book fashion to other machines. The innovative portion of this virus was its use of the HTML preview inside of Outlook to launch itself.
- ILOVEYOU – This worm came into being in 2000 and wiggled its way into the world by using a social engineering trick. It spread via an email with the subject “I LOVE YOU.” Well, who doesn’t want to read that and click on anything inside of it? The second aspect was that it executed a VBScript from an attachment that looked like a standard text document. The innovation was in the social engineering aspect of the email coupled with leveraging Microsoft’s built-in scripting language.
- Melissa – This is probably one of the most well-known viruses (next to ILOVEYOU); it was a mass-mailing virus as well. It originally wasn’t written to cause harm, and really all it did was bog down email servers, which did cause significant problems. Melissa was first distributed in the Usenet discussion group alt.sex. The virus was inside a file called “List.DOC”, which contained passwords that allowed access into 80 pornographic websites. The author, David Smith, was sentenced to 20 months in a Federal prison and fined $5,000. The innovation here was in its simplicity; it was one of what many refer to as the “kiddy scripts”, which were simple yet effective worms.