The Windows wilderness: a look on malware - PowerPoint PPT Presentation

1 / 35
About This Presentation
Title:

The Windows wilderness: a look on malware

Description:

Massive swamping attacks on different online services, lots of downtime (mostly in Europe) ... Expression of politics ('Free X or suffer!')? Malware as a weapon ... – PowerPoint PPT presentation

Number of Views:27
Avg rating:3.0/5.0
Slides: 36
Provided by: kaidok
Category:

less

Transcript and Presenter's Notes

Title: The Windows wilderness: a look on malware


1
The Windows wilderness a look on malware
  • SPI2009
  • Kaido Kikkas

2
Computers and knives
  • A knife has two very different uses
  • tosave someone's life (when used by a doctor)?
  • to kill someone (used by a killer)?
  • So does the computer
  • Again we hit the paradigm of well-equipped
    fools...

3
Some clarification
  • Virus a piece of software capable of
    self-propagation by either infecting files or
    certain parts of data carriers
  • Trojan horse a piece of malicious software
    posing as legitimate. No self-replication
    abilities
  • Worm a piece of software that propagates itself
    over networks via various software
    vulnerabilities. User intervention is not needed
  • Rootkit a piece of software used to hide tracks
    of some other software. NB! Exist for all systems
  • Today's malware may have all these combined

4
In ancient times
  • Greeks built a wooden horse and cheated on
    Trojans
  • Already in early computing, the same concept came
    into use before there were viruses, there were
    Trojan horses
  • Internet proper was an elite thing (but first
    malware concept was introduced on Multics in
    1974)?
  • ordinary users had only Fidonet no chance for
    heavy traffic. So they had to create small and
    nasty stuff like PKZ Trojan horse (pretended to
    be an utility)?

5
Virus vs Bill
  • First case Elk Cloner, AppleDOS 3.3 so no
    Microsoft at all...
  • But it changed soon viruses became nearly
    synonymous with IBM PC compatible computers and
    Microsoft systems
  • The following is a brief tour ...

6
The Pakistani Brain
  • 1986 aka Lahore, Pakistani Flu, UIUC
  • Written by Basit and Amjad Farooq Alvi, two
    Pakistani brothers, to prevent copying of their
    software. Soon, they had to regret it
  • Boot sector virus
  • Simple stealth capabilities
  • No destructive payload, more an annoyance

7
Lehigh
  • 1987
  • First to attack COMMAND.COM, the core file of DOS
    (in fact, attacked only this file)?
  • First TSR (Terminate and Stay Resident) virus
  • After a number of infections, messed up the disk
  • Could be defeated by making COMMAND.COM read-only

8
Jerusalem
  • 1987
  • TSR, but did NOT infect COMMAND.COM (to hide from
    detection)?
  • Slowdown, on Friday the 13th destroyed all
    programs that were run

9
Stoned
  • 1989-91, Australia and New Zealand
  • First widespread boot sector virus
  • Your PC is now stoned.

10
The Morris worm
  • Black Thursday, 2nd of November 1988
  • Regarded as the birthday of computer security
  • Hit the REAL Internet machines
  • Robert Morris, Cornell University
  • Security holes, weak passwords 6000 machines
  • Miscalculation of speed 10 times faster
  • 3 years of probation, 400 hours of community
    service, 10 050 fine
  • Remained a single case

11
Yankee Doodle
  • 1989, Bulgaria
  • Many variants, very widespread (also in Estonia,
    whole computer labs were singing...)?
  • Notable effect of playing the title song from
    speakers (otherwise relatively harmless)?

12
Cascade
  • Around 1988, former Yugoslavia a.k.a. Falling
    Letters
  • Very colourful visual effect letters fell from
    screen to a pile below. While otherwise harmless,
    it greatly disrupted the work

13
Dark Avenger
  • 1989, Bulgaria a.k.a. Eddie
  • TSR file infector, could infect also by reading
  • One of the most destructive early viruses every
    16th infection destroyed a random sector on disk,
    slowly causing permanent, serious damage
  • In 1992, the same author introduced the Mutation
    Engine a virus library designed to create
    self-changing (stealth) viruses

14
Dir II
  • 1991, Bulgaria or India (sources differ)?
  • A TSR virus which changed the information
    structure on disk booting from a clean disk
    rendered the files unusable

15
Michelangelo
  • 1991, a derivative of Stoned
  • One of the biggest hypes among viruses created
    a huge media bubble in the beginning of 1992 as
    it was to activate on March 6. Actual damage was
    negligible

16
CIH
  • 1998, Russia(?) a.k.a. SpaceFiller, Chernobyl
  • Wrote over the beginning of the disk as well as
    some of the BIOS upon activation (the latter did
    not work in some BIOSes)?
  • Was designed for Windows 9x did not work on NT
    family

17
The age of macro viruses
  • Viruses which resided on MS Office environment.
    Success reasons include
  • wide spread of Windows and MS Office
  • permeating nature of Visual Basic for
    Applications in MS Office, allowing deep access
    stretched further by unintended privilege
    escalation cases
  • proprietary systems gt only Microsoft knew the
    internals
  • Most stress was on Word (.doc files)?

18
Melissa
  • March 26, 1999 New Jersey
  • First successful virusworm combo after
    infection, used a worm-like spreading method,
    clogging up a large share of networks
  • Needed Word 97 or 2000 to work and Outlook 97 or
    98 to spread yet there was more than enough of
    them
  • 1999 Linux Timeline Melissa creates
    difficulties worldwide. Linux users yawn....

19
ILoveYou
  • 2000, Philippines a.k.a. LoveLetter, Love Bug
  • Similar to Melissa, mostly a worm
  • caused estimated financial loss of 10 bln USD
  • Outlined the problems with file extension hiding
    and double extensions in Windows

20
Hijackers
  • a class of (typically) client-server applications
    used to remote control Windows machines
  • Back Orifice 1998
  • NetBus 1998
  • SubSeven 1999
  • The case of Magnus Eriksson in 1999
  • Netbus-originating child pornography in his PC
  • lost his job at Lund University law school
  • had to flee the country after his name was
    published

21
Code Red
  • 2001 China
  • Attacked only MS IIS web servers, but made
    attempts on all (did not check the type)?
  • Attempted DOS attacks from conquered machines
  • MS reacted in a week (a rare case)?
  • Hacked by Chinese became a slogan...

22
Nimda
  • September 2001
  • Administered (admin backwards) the conquered
    machine
  • enabled sharing
  • guest account with admin privileges
  • Infected web servers contagiated visitors using IE

23
Blaster
  • August 2003 a.k.a. Lovesan
  • Infected more than 8 mln computers
  • DOSsed MS update service

24
MyDoom
  • January 2004, the fastest spread to date
  • DOSsed the SCO website alleged 'open-source
    revenge' (later overturned)?
  • In July, stopped all main search engines for a day

25
Sasser
  • April 2004
  • Massive swamping attacks on different online
    services, lots of downtime (mostly in Europe)?
  • Authored by Sven Jasschan, a German student
    received 21 months of probation but was later
    employed by a security company

26
Zotob
  • August 2005
  • One of the first mercenary worms apparently
    ordered by spyware industry helps to forward
    different malware
  • Estimated damage 97 000 80 hours of work per
    company infected. On August 16, CNN Live went
    down due to Zotob, other big hits were Boeing,
    ABC News, Homeland Security...
  • The next year, two men named Farid Essabar and
    Achraf Bahloul were sentenced in Morocco but
    finally just for a year

27
Samy
  • A.k.a. JS.Spacehero, October 2005
  • MySpace XSS (cross-site scripting) worm
  • Used MySpace vulnerabilities (e.g. JavaScript
    code injection via CSS)?
  • Spread onto the pages of gt 1 mln users in 20
    hours, arguably the fastest spreading malware
  • The author, Samy Kamkar, got 3 years on
    probation, 90 days of community services and
    unknown amout of fines

28
Monkey business, Sony-style
  • October 2005
  • Sony BMG released 102 titles of CD-s equipped
    with XCP and MediaMax - two copy protection
    systems which were actually rootkits, interfering
    with the system and opening new security holes in
    Windows machines
  • First, a removal tool was issued which actually
    made thing worse (brushed under the carpet). The
    second one was no better
  • Finally recalled all the CD-s in question

29
Storm
  • January 2007
  • A worm used to build one of the largest botnets
    to date
  • Initially spread 'the old way' via mail
    attachments
  • The botnet at the largest contained about 1-50
    mln computers (different estimates), the current
    estimated size is 5 000 - 40 000. Another
    estimate is it forming 8 of all malware
  • Possible traces to RBN and cyber-attacks

30
Conficker
  • A.k.a. Downadup or Kido - the latest hit from
    October 2008
  • Exploits Windows server vulnerabilities (all
    versions from 2000 upwards)?
  • January 9 estimate 9 mln Windows Pcs
  • Hit the UK Ministry of Defense, a number of Royal
    Navy warships, about 800 computers in Sheffield
    hospitals...

31
Two notables
  • January 2001 Ramen, a single brief appearance
    of a Linux worm. Was limited to Red Hat 6.2 and
    7.0, used their security holes. In principle was
    similar to the Morris worm
  • August 2003 Weichia, a helpful wormAttempted
    to update Windows, removed Blaster and was
    supposed to kill itself in 120 days
  • Also, two cases are known for MacOS X -
    Leap/Oompa in February 2006 and the currently
    active iServices.A trojan horse (20 000 infected
    Macs)?

32
Stages in malware motivation
  • Hacker'y exploration (What's in there?)?
  • Clueless experimentation (What happens if)?
  • Expression of frustration (I'll show you all!)?
  • Expression of politics (Free X or suffer!)?
  • Malware as a weapon
  • Malware as a business model

33
Still why Windows?
  • A number of factors, including
  • largest market share (but not the dominating
    factor as Microsoft wants to believe)?
  • the chronic security problems in Microsoft
    products
  • the most clueless user base by far
  • the security industry which has created its
    shadow counterpart in malware industry
  • The only way to get rid of it is to destroy the
    roots has been unsuccessful to date

34
Conclusion
  • Malware has greatly evolved over time
  • The diversity is great
  • The resilience lies in economic incentives
  • One of the easiest solutions against it is to
    change the platform Microsoft needs to 100
    redesign its systems to decrease the threat

35
That's it!
Write a Comment
User Comments (0)
About PowerShow.com