Professional Documents
Culture Documents
Annual Revenue (Apr. 2006 - Mar. 2007): 155.09 million Indian Rupees
Quick Heal Technologies is a leading provider of anti-virus and Internet security tools and a leader in anti-virus technology in India. A privately held company, Quick Heal Technologies Pvt. Ltd. (formerly known as Cat Computer Services (P) Ltd.) was founded in 1993 and has been actively involved in research and development of anti-virus software since then.
Serving more than a million users worldwide, Quick Heal Technologies employs more than 200 people in sixteen branches, and its headquarters is in Pune, India. Quick Heal, an award-winning anti-virus product, is installed in corporations, small businesses and consumers' homes, protecting their PCs from viruses and other malicious threats.
Quick Heal Technologies was formed to cater to the demand for highly reliable anti-virus software that would successfully tackle the growing number of virus problems. Quick Heal Technologies (P) Ltd. was founded by Mr. Kailash Katkar and Mr. Sanjay Katkar in the year 1993.
Note:
The information collected in this book comes from "global resources" researched by several authors. All information was collected from various organisations' web sites only, with the intent of gathering helpful information for technical support and the training of individuals.
1
The Threat – Worm
Contents:
• 1 Payloads Page 11
• 2 Worms with good intent Page 12
• 3 Protecting against dangerous computer worms Page 12
• 4 Mitigation techniques Page 13
W32/Lovsan.worm.a
• Manual Removal Instructions
2
The Threat – Trojan horse
Content:
Types of Trojan horse:
The Difference between a Computer Virus, Worm and Trojan horse Page 20
3
The Threat – Malware
Content:
What is a Malware? Page 31
Contents
• 1 Purposes Page 33
• 2 Infectious malware: viruses and worms Page 34
o 2.1 Capsule history of viruses and worms
• 3 Concealment: Trojan horses, rootkits, and backdoors Page 35
o 3.1 Trojan horses
o 3.2 Rootkits
o 3.3 Backdoors
• 4 Malware for profit: spyware, botnets, keystroke loggers, and dialers Page 36
• 5 Data-stealing malware Page 37
• 6 Characteristics of data-stealing malware Page 37
• 7 Examples of data-stealing malware Page 38
• 8 Data-stealing malware incidents Page 38
• 9 Vulnerability to malware Page 39
o 9.1 Eliminating over-privileged code
• 10 Anti-malware programs Page 41
• 11 Academic research on malware: a brief overview Page 41
• 12 Grayware Page 42
• 13 Web and spam Page 43
o 13.1 Wikis and blogs
o 13.2 Targeted SMTP threats
o 13.3 HTTP and FTP
4
Information about Malwares
• CoolWebSearch
• Internet Optimizer
• Zango
• Movieland
5
The Threat – Backdoor
Contents:
What is a Backdoor Virus? Page 51
What they are, how they are used to invade a computer network or a personal computer.
INFORMATION BACKDOOR
6
The Threat – Rootkits
Contents:
7
The Threat – BOT
Content:
8
The Threat – Worm
Content:
What Is a Worm?
Contents:
• 1 Payloads
• 2 Worms with good intent
• 3 Protecting against dangerous computer worms
• 4 Mitigation techniques
• 5 References
• 6 External links
W32/Lovsan.worm.a
• Manual Removal Instructions
9
The Threat – Worm
What Is a Worm?
A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any human action. A worm takes advantage of file or information transport features on your system, which is what allows it to travel unaided.
The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself out to everyone listed in each receiver's address book, and the process continues on down the line.
Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing web servers, network servers and individual computers to stop responding. In recent worm attacks such as the much-talked-about Blaster worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.
10
Computer worm definition from Wikipedia
A computer worm is a self-replicating computer program. It uses a network to send copies of
itself to other nodes (computers on the network) and it may do so without any user intervention.
Unlike a virus, it does not need to attach itself to an existing program. Worms almost always
cause at least some harm to the network, if only by consuming bandwidth, whereas viruses
almost always corrupt or devour files on a targeted computer.
Payloads
Many worms that have been created are only designed to spread, and don't attempt to alter
the systems they pass through. However, as the Morris worm and Mydoom showed, the
network traffic and other unintended effects can often cause major disruption. A "payload"
is code designed to do more than spread the worm - it might delete files on a host system
(e.g., the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send
documents via e-mail. A very common payload for worms is to install a backdoor in the
infected computer to allow the creation of a "zombie" under control of the worm author -
Sobig and Mydoom are examples which created zombies. Networks of such machines are
often referred to as botnets and are very commonly used by spam senders for sending junk
email or to cloak their website's address.[1] Spammers are therefore thought to be a source
of funding for the creation of such worms,[2][3] and worm writers have been caught selling
lists of IP addresses of infected machines.[4] Others try to blackmail companies with threatened DoS attacks.[5]
11
Worms with good intent
Beginning with the very first research into worms at Xerox PARC there have been attempts
to create useful worms. The Nachi family of worms, for example, tried to download and
install patches from Microsoft's website to fix vulnerabilities in the host system – by
exploiting those same vulnerabilities. In practice, although this may have made these
systems more secure, it generated considerable network traffic, rebooted the machine in
the course of patching it, and did its work without the consent of the computer's owner or
user.
Some worms, such as XSS worms, have been written for research to determine the factors
of how worms spread, such as social activity and change in user behavior, while other
worms are little more than a prank, such as one that sends the popular image macro of an
owl with the phrase "O RLY?" to a print queue in the infected computer.
Most security experts regard all worms as malware, whatever their payload or their writers'
intentions.
Protecting against dangerous computer worms
Worms spread by exploiting vulnerabilities in operating systems. All vendors supply regular security updates[6] (see "Patch Tuesday"), and if these are installed on a machine then the majority of worms are unable to spread to it. If a vendor acknowledges a vulnerability but has yet to release a security update to patch it, a zero-day exploit is possible. However, these are relatively rare.
Users need to be wary of opening unexpected e-mail,[7] and should not run attached files or programs, or visit web sites that are linked from such e-mails. However, as with the ILOVEYOU worm, and with the increased growth and efficiency of phishing attacks, it remains possible to trick the end user into running malicious code.
Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with new
pattern files at least every few days. The use of a firewall is also recommended.
12
Mitigation techniques
• TCP Wrapper/libwrap enabled network service daemons
• ACLs in routers and switches
• Packet-filters
• Nullrouting
TCP Wrapper is a host-based networking ACL system used to filter network access to Internet Protocol servers on Unix-like operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or ident query replies to be used as tokens on which to filter for access control purposes.
Access control list: With respect to a computer filesystem, an access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY.
Packet-filters
1. Packet filter: Looks at each packet entering or leaving the network and accepts or rejects
it based on user-defined rules. Packet filtering is fairly effective and transparent to users,
but it is difficult to configure. In addition, it is susceptible to IP spoofing.
2. Application gateway: Applies security mechanisms to specific applications, such as FTP
and Telnet servers. This is very effective, but can impose a performance degradation.
3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is
established. Once the connection has been made, packets can flow between the hosts
without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server
effectively hides the true network addresses.
Nullrouting
In computer networking, a null route (blackhole route) is a network route (routing table entry) that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering. The following deals with null routing in the Internet Protocol (IP).
Null routes are typically configured with a special route flag, but can also be implemented
by forwarding packets to an illegal IP address such as 0.0.0.0, or the loopback address.
Null routing has an advantage over classical firewalls since it is available on every potential
network router (including all modern operating systems), and adds virtually no performance
impact. Due to the nature of high-bandwidth routers, null routing can often sustain higher
throughput than conventional firewalls. For this reason, null routes are often used on high-
performance core routers to mitigate large-scale denial-of-service attacks before the
packets reach a bottleneck, thus avoiding collateral damage from DDoS attacks — although
the target of the attack will be inaccessible to anyone. Blackhole filtering can also be abused
by malicious attackers on compromised routers to filter out traffic destined to a certain
address.
However, routing typically only works on the Internet Protocol layer and is very limited in
packet classification. It is bound to be stateless due to the nature of IP routers. Typically,
classification is limited to the destination IP address prefix, source IP address and incoming
network interface.
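The four mitigations above differ mainly in what each can classify on. As an added example that is not part of the manual, the Python below models two of them on constructed packets: a stateless, first-match packet filter that can see protocol, port and incoming interface, and a longest-prefix routing table in which a null route drops everything for one destination prefix regardless of port. The rule fields, the prefixes, the interface names and the sample packets are all invented here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    in_iface: str   # incoming interface name


@dataclass(frozen=True)
class FilterRule:
    action: str                     # "accept" or "reject"
    src: Optional[str] = None       # CIDR, or None for any source
    dst: Optional[str] = None       # CIDR, or None for any destination
    proto: Optional[str] = None     # "tcp", "udp", or None for any
    dport: Optional[int] = None     # port, or None for any
    in_iface: Optional[str] = None  # interface, or None for any


def _in_net(addr: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def rule_matches(rule: FilterRule, pkt: Packet) -> bool:
    """Every field the rule specifies must match; unspecified fields match anything."""
    return (_in_net(pkt.src, rule.src)
            and _in_net(pkt.dst, rule.dst)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.in_iface in (None, pkt.in_iface))


def packet_filter(rules: List[FilterRule], pkt: Packet, default: str = "reject") -> str:
    """First matching rule wins. No connection state is kept, so a spoofed
    source address is judged purely on what the packet claims about itself."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Routing table as (prefix, next hop); a next hop of None is a null route.
# All prefixes and hops are constructed for this example.
ROUTES: List[Tuple[str, Optional[str]]] = [
    ("0.0.0.0/0", "10.0.0.1"),       # default route toward the upstream
    ("192.0.2.0/24", "10.0.0.2"),    # a customer prefix
    ("192.0.2.77/32", None),         # one host under attack, blackholed
]


def route_lookup(dst: str, routes=ROUTES) -> Tuple[str, Optional[str]]:
    """Longest-prefix match. A router classifies on the destination prefix
    only, so it cannot tell port 80 traffic from port 135 traffic."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    if best_net is None or best_hop is None:
        return ("drop", None)
    return ("forward", best_hop)


# Perimeter policy: block the RPC port the worm scans and the shell port it
# opens on the outside interface, allow web traffic, reject everything else.
PERIMETER_RULES = [
    FilterRule("reject", proto="tcp", dport=135, in_iface="wan0"),
    FilterRule("reject", proto="tcp", dport=4444, in_iface="wan0"),
    FilterRule("accept", proto="tcp", dport=80),
    FilterRule("accept", proto="tcp", dport=443),
]

if __name__ == "__main__":
    probe = Packet("198.51.100.9", "192.0.2.10", "tcp", 135, "wan0")
    print(packet_filter(PERIMETER_RULES, probe))   # reject
    print(route_lookup("192.0.2.77"))               # ('drop', None)
```

The contrast the manual draws falls out of the two lookups: the filter can reject a TCP/135 probe while still accepting TCP/80 to the same host, whereas the blackhole entry for 192.0.2.77 drops every packet to that host, including the legitimate ones.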
14
The Threat – Worm-Example
W32/Lovsan.worm.a
This worm spreads by exploiting a recent vulnerability in Microsoft Windows. The worm
scans the local class C subnet, or other random subnets, on port 135. Discovered systems
are targeted. Exploit code is sent to those systems, instructing them to download and
execute the file MSBLAST.EXE from a remote system via TFTP.
An exploit of this kind would normally target only a single OS - for example, Windows XP or Windows 2000 - as the location of certain files in memory on each platform is usually slightly different. W32/Lovsan.worm actually semi-randomly tries the Windows 2000 exploit (with 20% probability) and the Windows XP exploit (with 80% probability) in turn: if it "guesses" correctly then it will infect your machine; if it "guesses" incorrectly then it will crash your machine.
The author didn't code anything for Windows NT 4, so the worm will only crash this platform.
The worm also carries a denial-of-service payload: it sends 40-byte SYN packets to windowsupdate.com on TCP port 80 for the purpose of preventing users from patching their systems via Windows Update. The source IP address is spoofed on each packet, using a random address from the local class B range.
15
Computers that have up-to-date antivirus software will detect the worm executable
(msblast.exe) upon download and prevent that machine from becoming a host for
W32/Lovsan.
However, unless the system has been patched (MS03-026), it is susceptible to the buffer overflow attack from an infected host machine. An infected machine (running msblast.exe) will send out malformed packets across the local subnet to the RPC service running on port 135. When these packets are received by an unpatched system, they will cause a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine. This means that the remote shell will still get created on TCP port 4444, and the system may unexpectedly crash upon receiving malformed exploit code. Symptoms of the crashed RPC service include:
• inability to cut/paste
• inability to move icons
• Add/Remove Programs list empty
• dll errors in most Microsoft Office programs
• generally slow, or unresponsive system performance
Applying the MS03-026 patch to the machine prevents the RPC service from failing, in turn resolving these symptoms. It is very important that the machine is rebooted after the patch has been installed. The machine can then be updated to the latest DATs/engine/config and an on-demand scan run to pick up msblast.exe, if it exists. All of these symptoms are related to the RPC vulnerability and not necessarily to W32/Lovsan running locally; msblast.exe may not be present at all.
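As an added example (not from the manual or from McAfee's description of the worm), the detection logic below runs over constructed firewall log lines and picks out the two network behaviours just described: one host probing many neighbours on TCP/135, and a SYN stream toward a single web server from many forged sources that all fall inside the same class B range. The log format, the detect_* function names, the thresholds and the addresses (198.51.100.20 stands in for the update site) are this example's own assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log format: one line per TCP SYN seen by a perimeter sensor.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SYN src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")


def parse_syn_log(lines: List[str]) -> List[Dict]:
    """Parse the constructed log; lines that do not match the format are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                           "dport": int(m["dport"])})
    return events


def detect_rpc_scanners(events: List[Dict], min_targets: int = 8) -> List[str]:
    """One source touching many distinct hosts on TCP/135 is sweeping the
    subnet the way the worm does; return every such source."""
    targets = defaultdict(set)
    for e in events:
        if e["dport"] == 135:
            targets[e["src"]].add(e["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


def detect_spoofed_syn_flood(events: List[Dict], min_sources: int = 8) -> List[str]:
    """Many distinct sources that all share one /16 and all SYN the same web
    server match the spoofing pattern described above: one infected host
    forging random addresses from its own class B range."""
    sources = defaultdict(set)
    for e in events:
        if e["dport"] == 80:
            sources[e["dst"]].add(e["src"])
    flagged = []
    for dst, srcs in sources.items():
        class_b = {".".join(s.split(".")[:2]) for s in srcs}
        if len(srcs) >= min_sources and len(class_b) == 1:
            flagged.append(dst)
    return sorted(flagged)


# Constructed sample log: a scanning host, a spoofed SYN stream, and a little
# ordinary browsing from two workstations.
SAMPLE_LOG = (
    [f"2003-08-12T10:00:{i:02d} SYN src=10.1.2.3 dst=10.1.2.{10 + i} dport=135"
     for i in range(12)]
    + [f"2003-08-12T10:01:{i:02d} SYN src=10.1.{(37 * i) % 256}.{(91 * i) % 256} "
       f"dst=198.51.100.20 dport=80" for i in range(20)]
    + ["2003-08-12T10:02:00 SYN src=10.1.5.8 dst=203.0.113.7 dport=80",
       "2003-08-12T10:02:01 SYN src=10.1.5.9 dst=203.0.113.7 dport=80",
       "2003-08-12T10:02:02 SYN src=10.1.5.8 dst=10.1.2.20 dport=135",
       "sensor restarted (not a SYN record)"]
)

if __name__ == "__main__":
    events = parse_syn_log(SAMPLE_LOG)
    print("scanners:", detect_rpc_scanners(events))          # ['10.1.2.3']
    print("flood targets:", detect_spoofed_syn_flood(events))  # ['198.51.100.20']
```

The second detector relies on the spoofing detail in the text: because the forged sources are drawn from the victim's own class B, every one of them shares the first two octets, which real browsing from a mix of networks would not.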
16
Information about the Threat – Worm
Disinfection Example
• Finding the Sample Files
• Download Method
• Execution Method
17
Trojan Virus Information
The term comes from the Greek story of the Trojan War, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.
Trojan horses are classified based on how they breach systems and the damage they cause. The seven main types of Trojan horses are:
Remote Access Trojan
Abbreviated as RATs, a Remote Access Trojan is one of the seven major types of Trojan horse, designed to provide the attacker with complete control of the victim's system. Attackers usually hide these Trojan horses in games and other small programs that unsuspecting users then execute on their PCs.
Destructive Trojan
A type of Trojan horse designed to destroy and delete files; it is more like a virus than any other Trojan. It can often go undetected by antivirus software.
Proxy Trojan
A type of Trojan horse designed to use the victim's computer as a proxy server. This gives
the attacker the opportunity to do everything from your computer, including the possibility
of conducting credit card fraud and other illegal activities, or even to use your system to
launch malicious attacks against other networks.
FTP Trojan
A type of Trojan horse designed to open port 21 (the port for FTP transfer) and let the attacker connect to your computer using the File Transfer Protocol (FTP).
DoS Attack
Short for denial-of-service attack, a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks. But, like viruses, new DoS attacks are constantly being dreamed up by hackers.
19
Trojan Virus Information
The most common blunder people make when the topic of a computer virus arises is to refer
to a worm or Trojan horse as a virus. While the words Trojan, worm and virus are often
used interchangeably, they are not exactly the same. Viruses, worms and Trojan Horses are
all malicious programs that can cause damage to your computer, but there are differences
among the three, and knowing those differences can help you to better protect your
computer from their often damaging effects.
Let us take a look at viruses, worms and Trojan horses in turn.
What Is a Virus?
A computer virus attaches itself to a program or file enabling it to spread from one
computer to another, leaving infections as it travels. Like a human virus, a computer virus
can range in severity: some may cause only mildly annoying effects while others can
damage your hardware, software or files.
Almost all viruses are attached to an executable file, which means the virus may exist on your computer but cannot infect it unless you run or open the malicious program. It is important to note that a virus cannot spread without a human action (such as running an infected program) to keep it going.
People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or by sending e-mails with viruses as attachments.
What Is a Worm?
A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any human action. A worm takes advantage of file or information transport features on your system, which is what allows it to travel unaided.
The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself out to everyone listed in each receiver's address book, and the process continues on down the line.
Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing web servers, network servers and individual computers to stop responding. In recent worm attacks such as the much-talked-about Blaster worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.
What Is a Blended Threat?
To be considered a blended threat, the attack would normally serve to transport multiple attacks in one payload. For example, it wouldn't just launch a DoS attack; it would also, for example, install a backdoor and maybe even damage a local system in one shot. Additionally, blended threats are designed to use multiple modes of transport. So, while a worm may travel and spread through e-mail, a single blended threat could use multiple routes including e-mail, IRC and file-sharing networks.
Lastly, rather than a specific attack on predetermined .exe files, a blended threat could perform multiple malicious acts, like modifying your .exe files, HTML files and registry keys at the same time; basically, it can cause damage within several areas of your network at one time.
Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats also require no human intervention to propagate.
The moral of the story: viruses, worms and Trojan horses are one family.
A firewall is a system that prevents unauthorized use and access to your computer. A
firewall can be either hardware or software. Hardware firewalls provide a strong degree of
protection from most forms of attack coming from the outside world and can be purchased
as a stand-alone product or in broadband routers. Unfortunately, when battling viruses,
worms and Trojans, a hardware firewall may be less effective than a software firewall, as it
could possibly ignore embedded worms in outgoing e-mails and see this as regular network
traffic.
For individual home users, the most popular firewall choice is a software firewall. A good software firewall will protect your computer from outside attempts to control or gain access to your computer, and usually provides additional protection against the most common Trojan programs or e-mail worms. The downside to software firewalls is that they will only protect the computer they are installed on, not a network.
It is important to remember that on its own a firewall is not going to rid you of your
computer virus problems, but when used in conjunction with regular operating system
updates and a good anti-virus scanning software, it will add some extra security and
protection for your computer or network.
22
Trojan Virus Information
Trojan:W32/Feedel
Name : Trojan:W32/Feedel
Category: Malware
Type: Trojan
Platform: W32
Disinfection Example
To protect themselves from deletion, Link Optimizer variants modify their file security
permissions and registry key. Additional steps are required to successfully remove them
from the system.
23
Please navigate to the following:
• [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
• Start cmd.exe
• Kill all processes that do not have SYSTEM or NETWORK SERVICE in the User Name column, EXCEPT the cmd.exe process
• Using cmd.exe, go to the folder where the malware sample is located, for example: cd windows\system32
• Navigate to [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
• Add the necessary permissions to the key by right-clicking on it, then selecting Permissions and selecting the Full Control checkbox
• Delete the key from the Registry
• Start explorer.exe
• Restart the system and check the Registry again. If the registry key is not present, the infection has been successfully removed.
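The removal procedure above hinges on one registry key: an Image File Execution Options (IFEO) subkey for explorer.exe, which Windows consults whenever that image is launched and whose Debugger value, if present, names a program to run in its place. The Python below is an added example, not part of the manual or of F-Secure's write-up: it parses a registry export (the text the Registry Editor produces when a key is exported to a .reg file) and lists IFEO subkeys, flagging any that carries a Debugger value or is attached to explorer.exe. The SAMPLE_EXPORT text, the function names and the placeholder executable path are constructed here; the Debugger value name is the real IFEO mechanism.

```python
import re
from typing import Dict, List, Optional, Tuple

# Key path of an IFEO subkey as it appears in an exported .reg file.
IFEO_RE = re.compile(
    r"^(?:HKEY_LOCAL_MACHINE|HKLM)\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Image File Execution Options\\([^\\]+)$", re.IGNORECASE)
# A value line: "name"=data (data may be a quoted string, dword:..., hex:...).
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: raw data}} from the body of a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def find_ifeo_entries(text: str) -> List[Tuple[str, Optional[str]]]:
    """List (image name, debugger path or None) for every IFEO subkey in the export."""
    found = []
    for key, values in parse_reg_export(text).items():
        m = IFEO_RE.match(key)
        if not m:
            continue
        debugger = values.get("Debugger")
        if debugger is not None:
            # .reg string data is quoted and backslashes are doubled.
            debugger = debugger.strip('"').replace("\\\\", "\\")
        found.append((m.group(1).lower(), debugger))
    return found


def suspicious_ifeo(text: str, critical=("explorer.exe",)) -> List[Tuple[str, Optional[str]]]:
    """Any IFEO key with a Debugger value redirects that program's launch; an
    IFEO key on the shell itself deserves a look even without one."""
    return [(img, dbg) for img, dbg in find_ifeo_entries(text)
            if dbg is not None or img in critical]


# Constructed export: one hijacked shell key, one benign IFEO key (a debugging
# flag only), and an unrelated key that must not be reported.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\system32\\CONSTRUCTED_SAMPLE.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

if __name__ == "__main__":
    for image, debugger in suspicious_ifeo(SAMPLE_EXPORT):
        print(f"IFEO hijack candidate: {image} -> {debugger}")
```

Run against an export of the whole Image File Execution Options key, this gives a quick way to confirm the manual's final check (that the explorer.exe subkey is gone after the reboot) and to catch the same trick applied to other images.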
Additional Details
The Feedel trojan is downloaded onto a system by a separate downloader program, which
will then proceed to execute Feedel.
Feedel's actual payload depends on the type of malware which is stored in the final,
encrypted section of its code, and is usually a Link Optimizer or Trojan-Password stealer.
Download Method
The actual download is performed by a small (usually 6000 to 7000 bytes) downloader with
the mutex name "Global\__RST__". The downloader itself is usually packed with UPX.
The downloader retrieves an encrypted data file (usually named aacaa.gif, aacab.gif or
similar) from a malicious link. The name of the link varies, but usually appears as:
http://[...]/pix/[filename].gif
The IP address of the malicious link is password-protected; in the sample we received, the
password was "countermode.ws".
Once downloaded onto the system, the downloader completely decrypts the data file.
25
Encryption Method
All the strings, API names and other details of the downloaded file are encrypted using the RC4 cipher. Before decryption, the data file appears as:
26
The data file is also protected by a password. The password appears as:
27
In the example shown above, the password is "zlf4g0wdlv".
The password used for the encrypted data is usually around 10 characters long. The strength of this password means that cracking it by brute force would take a long time; simply guessing it would be almost impossible.
28
After decryption, the same data file appears as:
29
Execution Method
On execution, the downloader will decrypt the actual malware, which is contained in the last encrypted segment of the downloaded file and is protected by a separate 9-byte password. Once decrypted, the malware will lock itself to the hardware. The type of malware stored in this final segment may vary, but has usually been a Linkoptimizer or Trojan-PSW malware.
In the sample we analyzed, the trojan collects system information from the infected
machine, specifically the serial number of the Windows drive and the size of the partition.
Using this information, it then adds an additional layer of encryption and drops the malware
in the temporary folder, using a value obtained from GetTickCount API for the filename.
Feedel uses this information as an encryption/decryption RC4 key, to ensure that the
malware cannot and will not be executed on any other machine. Incidentally, this also
makes analysis very difficult to perform.
Feedel uses the system temporary folder, %temp%. Example paths are as follows:
C:\%temp%\10874359.exe
C:\Windows\Temp\10874359.exe
The temporary file is then executed, after which both the downloader and the file that created the above-mentioned file will be deleted.
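The encryption and execution methods above describe two RC4 layers: the downloaded data file, keyed by a roughly 10-character password, and the dropped file, re-keyed to the victim's volume serial number and partition size so that it decrypts only on that machine. The Python below is an added example (not the manual's or F-Secure's code) that reproduces both layers with a plain RC4 implementation (RC4 is a stream cipher, so one routine both encrypts and decrypts), so that an analyst who has recorded those two machine values from the infected host can decrypt a captured dropped file offline. How the two values are packed into the key is an assumption made here, as are the FAKE_PAYLOAD bytes and the VICTIM_* values; the password "zlf4g0wdlv" is the one quoted above.

```python
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR of the data with the keystream.
    The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Password quoted in the manual for the downloaded data file.
DATA_FILE_PASSWORD = b"zlf4g0wdlv"


def decrypt_data_file(blob: bytes, password: bytes = DATA_FILE_PASSWORD) -> bytes:
    """Outer layer: the downloaded .gif data file, keyed by its password."""
    return rc4(password, blob)


def derive_machine_key(volume_serial: int, partition_size: int) -> bytes:
    """Assumption: the two machine values are packed little-endian (32-bit
    serial, 64-bit size) as the RC4 key. The manual names the values but
    not the real byte layout Feedel uses."""
    return struct.pack("<IQ", volume_serial, partition_size)


def unlock_dropped_file(blob: bytes, volume_serial: int, partition_size: int) -> bytes:
    """Inner layer: the file dropped in %temp%, keyed to the machine."""
    return rc4(derive_machine_key(volume_serial, partition_size), blob)


def lock_to_machine(payload: bytes, volume_serial: int, partition_size: int) -> bytes:
    """Counterpart of unlock_dropped_file, used here only to build test data."""
    return rc4(derive_machine_key(volume_serial, partition_size), payload)


def looks_like_executable(data: bytes) -> bool:
    """A correctly decrypted Windows executable starts with the 'MZ' header;
    anything else means the key (or the machine) was wrong."""
    return data.startswith(b"MZ")


# Constructed stand-ins for the dropped file and the victim's machine values.
FAKE_PAYLOAD = b"MZ" + b"constructed fake payload body, not a real executable"
VICTIM_SERIAL, VICTIM_PARTITION = 0x1A2B3C4D, 40_007_761_920

if __name__ == "__main__":
    locked = lock_to_machine(FAKE_PAYLOAD, VICTIM_SERIAL, VICTIM_PARTITION)
    print(looks_like_executable(unlock_dropped_file(locked, VICTIM_SERIAL, VICTIM_PARTITION)))  # True
    # A different serial yields keystream garbage, which is why the sample
    # refuses to run (and resists analysis) on any other machine.
    print(unlock_dropped_file(locked, VICTIM_SERIAL + 1, VICTIM_PARTITION) == FAKE_PAYLOAD)  # False
```

The practical point for triage: the dropped file is useless to a sandbox unless the sandbox presents the same volume serial and partition size, so those two values should be recorded from the victim alongside the sample.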
30
31
Information about Malwares
Software is considered malware based on the perceived intent of the creator rather than
any particular features. Malware includes computer viruses, worms, trojan horses, most
rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted
software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several U.S. states, including California and West Virginia.
Malware is not the same as defective software, that is, software which has a legitimate
purpose but contains harmful bugs.
Malware is a category of malicious code that includes viruses, worms and Trojan horses. Destructive malware utilizes popular communication tools to spread, including worms sent through e-mail and instant messages, Trojan horses dropped from web sites, and virus-infected files downloaded from peer-to-peer connections. Malware will also seek to exploit existing vulnerabilities on systems, making its entry quiet and easy.
32
33
Information about Malwares
Hostile intent related to vandalism can be found in programs designed to cause harm or data loss.
Many DOS viruses, and the Windows ExploreZip worm, were designed to destroy files on a hard
disk, or to corrupt the file system by writing invalid data. Network-borne worms such as the
2001 Code Red worm or the Ramen worm fall into the same category. Designed to vandalize
web pages, these worms may seem like the online equivalent to graffiti tagging, with the author's
alias or affinity group appearing everywhere the worm goes.
However, since the rise of widespread broadband Internet access, malicious software has come to be designed for a profit motive, either more or less legal (forced advertising) or criminal. For instance, since 2003 the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation. Infected "zombie computers" are used to send e-mail spam, to host contraband data such as child pornography, or to engage in distributed denial-of-service attacks as a form of extortion.
Another strictly for-profit category of malware has emerged in spyware: programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; they are generally installed by exploiting security holes or are packaged with user-installed software, such as peer-to-peer applications.
34
Infectious malware: viruses and worms
The best-known types of malware, viruses and worms, are known for the manner in which
they spread, rather than any other particular behavior. The term computer virus is used for
a program which has infected some executable software and which causes that software,
when run, to spread the virus to other executable software. Viruses may also contain a
payload which performs other actions, often malicious. A worm, on the other hand, is a
program which actively transmits itself over a network to infect other computers. It too may
carry a payload.
These definitions lead to the observation that a virus requires user intervention to spread,
whereas a worm spreads automatically. Using this distinction, infections transmitted by
email or Microsoft Word documents, which rely on the recipient opening a file or email to
infect the system, would be classified as viruses rather than worms.
Some writers in the trade and popular press appear to misunderstand this distinction, and
use the terms interchangeably.
Capsule history of viruses and worms
The first worms, network-borne infectious programs, originated not on personal computers,
but on multitasking Unix systems. The first well-known worm was the Internet Worm of
1988, which infected SunOS and VAX BSD systems. Unlike a virus, this worm did not insert
itself into other programs. Instead, it exploited security holes in network server programs
and started itself running as a separate process. This same behavior is used by today's
worms as well.
With the rise of the Microsoft Windows platform in the 1990s, and the flexible macro systems of its applications, it became possible to write infectious code in the macro language of Microsoft Word and similar programs. These macro viruses infect documents and templates rather than applications, but rely on the fact that macros in a Word document are a form of executable code.
Today, worms are most commonly written for the Windows OS, although a small number
are also written for Linux and Unix systems. Worms today work in the same basic way as
1988's Internet Worm: they scan the network and leverage vulnerable computers to
replicate.
Trojan horses
For a malicious program to accomplish its goals, it must be able to do so without being shut down or deleted by the user or administrator of the computer on which it is running.
Concealment can also help get the malware installed in the first place. When a malicious
program is disguised as something innocuous or desirable, users may be tempted to install
it without knowing what it does. This is the technique of the Trojan horse or trojan.
Broadly speaking, a Trojan horse is any program that invites the user to run it, concealing a
harmful or malicious payload. The payload may take effect immediately and can lead to
many undesirable effects, such as deleting the user's files or further installing malicious or
undesirable software. Trojan horses known as droppers are used to start off a worm
outbreak, by injecting the worm into users' local networks.
One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads from the Internet. When the user installs the software, the spyware is installed alongside it. Spyware authors who attempt to act in a legal fashion may include an end-user license agreement which states the behavior of the spyware in loose terms, and which users are unlikely to read or understand.
Rootkits
Once a malicious program is installed on a system, it is essential that it stays concealed, to
avoid detection and disinfection. The same is true when a human attacker breaks into a
computer directly. Techniques known as rootkits allow this concealment, by modifying the
host operating system so that the malware is hidden from the user. Rootkits can prevent a
malicious process from being visible in the system's list of processes, or keep its files from
being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix
system where the attacker had gained administrator (root) access. Today, the term is used
more generally for concealment routines in a malicious program.
Some malicious programs contain routines to defend against removal: not merely to hide
themselves, but to repel attempts to remove them. An early example of this behavior is
recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V timesharing
system:
Each ghost-job would detect the fact that the other had been killed, and would start
a new copy of the recently slain program within a few milliseconds. The only way to
kill both ghosts was to kill them simultaneously (very difficult) or to deliberately
crash the system.
Similar techniques are used by some modern malware, wherein the malware starts a
number of processes which monitor and restore one another as needed.
Backdoors
A backdoor is a method of bypassing normal authentication procedures. Once a system has
been compromised (by one of the above methods, or in some other way), one or more
backdoors may be installed, in order. Backdoors may also be installed prior to malicious
software, to allow attackers entry.
The idea has often been suggested that computer manufacturers preinstall backdoors on
their systems to provide technical support for customers, but this has never been reliably
verified. Crackers typically use backdoors to secure remote access to a computer, while
attempting to remain hidden from casual inspection. To install backdoors crackers may use
Trojan horses, worms, or other methods.
During the 1980s and 1990s, it was usually taken for granted that malicious programs were
created as a form of vandalism or prank. More recently, the greater share of malware
programs has been written with a financial or profit motive in mind. This can be taken as
the malware authors' choice to monetize their control over infected systems: to turn that
control into a source of revenue.
Spyware programs are commercially produced for the purpose of gathering information
about computer users, showing them pop-up ads, or altering web-browser behavior for the
financial benefit of the spyware creator. For instance, some spyware programs redirect
search engine results to paid advertisements. Others, often called "stealware" by the media,
overwrite affiliate marketing codes so that revenue is redirected to the spyware creator
rather than the intended recipient.
Spyware programs are sometimes installed as Trojan horses of one sort or another. They
differ in that their creators present themselves openly as businesses, for instance by selling
advertising space on the pop-ups created by the malware. Most such programs present the
user with an end-user license agreement which purportedly protects the creator from
prosecution under computer contaminant laws. However, spyware EULAs have not yet been
upheld in court.
Another way that financially-motivated malware creators can profit from their infections is
to directly use the infected computers to do work for the creator. The infected computers
are used as proxies to send out spam messages. The advantage to spammers of using
infected computers is they provide anonymity, protecting the spammer from prosecution.
Spammers have also used infected PCs to target anti-spam organizations with distributed
denial-of-service attacks.
In order to coordinate the activity of many infected computers, attackers have used
coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an
Internet Relay Chat channel or other chat system. The attacker can then give instructions to
all the infected systems simultaneously. Botnets can also be used to push upgraded
malware to the infected systems, keeping them resistant to anti-virus software or other
security measures.
It is possible for a malware creator to profit by stealing sensitive information from a victim.
Some malware programs install a key logger, which intercepts the user's keystrokes when
entering a password, credit card number, or other information that may be exploited. This is
then transmitted to the malware creator automatically, enabling credit card fraud and other
theft. Similarly, malware may copy the CD key or password for online games, allowing the
creator to steal accounts or virtual items.
Another way of stealing money from the infected PC owner is to take control of a dial-up
modem and dial an expensive toll call. Dialer (or porn dialer) software dials a premium-rate
telephone number such as a U.S. "900 number" and leaves the line open, charging the
toll to the infected user.
Data-stealing malware
Data-stealing malware is a web threat that divests victims of personal and proprietary
information with the intent of monetizing stolen data through direct use or underground
distribution. Content security threats that fall under this umbrella include keyloggers, screen
scrapers, spyware, adware, backdoors, and bots. The term does not refer to activities such
as spam, phishing, DNS poisoning, SEO abuse, etc. However, when these threats result in
file download or direct installation, as most hybrid attacks do, files that act as agents to
proxy information will fall into the data-stealing malware category.
• It is difficult for antivirus software to detect final payload attributes due to the
combinations of malware components
• The malware uses multiple file encryption levels
• The malware hides in web traffic
• The malware is stealthier in terms of traffic and resource use
Vulnerability to malware
In this context, as throughout, it should be borne in mind that the “system” under attack
may be of various types, e.g. a single computer and operating system, a network or an
application.
• Homogeneity – e.g. when all computers in a network run the same OS, if you can
exploit that OS, you can break into any computer running it.
• Defects – malware leveraging defects in the OS design
• Unconfirmed code – code from a floppy disk, CD-ROM or USB device may be
executed without the user’s agreement.
• Over-privileged users – some systems allow all users to modify their internal
structures.
• Over-privileged code – most popular systems allow code executed by a user all
rights of that user.
Most systems contain bugs which may be exploited by malware. A typical example is the
buffer overrun, in which an interface designed to store data in a small area of memory
allows the caller to supply more data than will fit. This extra data then overwrites the
interface's own structure. In this way malware can force the system to execute malicious
code, by replacing legitimate code with its own payload.
Originally, PCs had to be booted from floppy disks, and until recently it was common for this
to be the default boot device. This meant that a corrupt floppy disk could subvert the
computer during booting, and the same applies to CDs. Although that is now less common,
it is still possible to forget that one has changed the default, and rare that a BIOS makes
one confirm a boot from removable media.
under-privileged users in mind. As privilege escalation exploits have increased this priority is
shifting for the release of Microsoft Windows Vista. As a result, many existing applications
that require excess privilege (over-privileged code) may have compatibility problems with
Vista. However, Vista's User Account Control feature attempts to remedy applications not
designed for under-privileged users through virtualization, acting as a crutch to resolve the
privileged access problem inherent in legacy applications.
Malware, running as over-privileged code, can use this privilege to subvert the system.
Almost all currently popular operating systems, and also many scripting applications allow
code too many privileges, usually in the sense that when a user executes code, the
system allows that code all rights of that user. This makes users vulnerable to malware in
the form of e-mail attachments, which may or may not be disguised.
Given this state of affairs, users are warned only to open attachments they trust, and to be
wary of code received from untrusted sources. It is also common for operating systems to
be designed so that device drivers need escalated privileges, while they are supplied by
more and more hardware manufacturers.
The system would have to maintain privilege profiles, and know which to apply for each user
and program. In the case of newly installed software, an administrator would need to set up
default profiles for the new code.
Eliminating vulnerability to rogue device drivers is probably harder than for arbitrary rogue
executables. Two techniques, used in VMS, that can help are memory mapping only the
registers of the device in question and a system interface associating the driver with
interrupts from the device.
• Various forms of virtualization, allowing the code unlimited access only to virtual
resources
• Various forms of sandbox or jail
• The security functions of Java, in java.security
Such approaches, however, if not fully integrated with the operating system, would
reduplicate effort and not be universally applied, both of which would be detrimental to
security.
Anti-malware programs
As malware attacks become more frequent, attention has begun to shift from viruses and
spyware protection, to malware protection, and programs have been developed to
specifically combat them.
1. They can provide real time protection against the installation of malware software on
a computer. This type of spyware protection works the same way as that of anti-
virus protection in that the anti-malware software scans all incoming network data
for malware software and blocks any threats it comes across.
2. Anti-malware software programs can be used solely for detection and removal of
malware software that has already been installed onto a computer. This type of
malware protection is normally much easier to use and more popular. This type of
anti-malware software scans the contents of the Windows registry, operating system
files, and installed programs on a computer and will provide a list of any threats
found, allowing the user to choose which files to delete or keep, or compare
this list to a list of known malware components, removing files which match.
Real-time protection from malware works identically to real-time anti-virus protection: the
software scans disk files at download time, and blocks the activity of components known to
represent malware. In some cases, it may also intercept attempts to install start-up items
or to modify browser settings. Because many malware components are installed as a result
of browser exploits or user error, using security software (some of which are anti-malware,
though many are not) to "sandbox" browsers (essentially babysit the user and their
browser) can also be effective to help restrict any damage done.
hybrid encrypts plaintext data on the victim's machine using the randomly generated IV and
SK. The IV+SK are then encrypted using the virus writer's public key. In theory the victim
must negotiate with the virus writer to get the IV+SK back in order to decrypt the
ciphertext (assuming there are no backups). Analysis of the virus reveals the public key, not
the IV and SK needed for decryption, or the private key needed to recover the IV and SK.
This result was the first to show that computational complexity theory can be used to devise
malware that is robust against reverse-engineering.
Another growing area of computer virus research is to mathematically model the infection
behavior of worms using models such as the Lotka–Volterra equations, which have been applied
in the study of biological viruses. Various virus propagation scenarios have been studied by
researchers, such as the propagation of computer viruses, fighting viruses with virus-like
predator code, the effectiveness of patching, etc.
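The kind of model this paragraph refers to, as an added example that is not part of the original text: a small simulation of a random-scanning worm (the scan-and-replicate behaviour described above for the 1988 Internet Worm and its successors) under a given patching rate. It uses a simple SI-plus-patching model rather than the Lotka-Volterra form, and all host counts and rates are constructed sample values.

```python
"""Toy propagation model for a random-scanning worm, with patching.

Added example, not from the original text. The section mentions modelling
worm spread with population equations such as Lotka-Volterra; this block uses
the simpler SI-plus-patching model (a common worm model) as an assumption:
every infected host scans and infects susceptible hosts at rate beta, while
patching converts susceptible and infected hosts to a protected state at rate
patch_rate. All host counts and rates below are constructed sample values.
"""


def simulate_worm(n_hosts, initial_infected, beta, patch_rate, steps, dt=0.01):
    """Euler-integrate the model and return [(t, S, I, P), ...].

        dS/dt = -beta * S * I / N  - patch_rate * S
        dI/dt =  beta * S * I / N  - patch_rate * I
        dP/dt =  patch_rate * (S + I)

    S: susceptible (unpatched, not yet infected), I: infected and scanning,
    P: patched. N = S + I + P stays constant.
    """
    s = float(n_hosts - initial_infected)
    i = float(initial_infected)
    p = 0.0
    history = [(0.0, s, i, p)]
    for step in range(1, steps + 1):
        new_infections = beta * s * i / n_hosts   # successful scans per unit time
        patched_s = patch_rate * s
        patched_i = patch_rate * i
        s += dt * (-new_infections - patched_s)
        i += dt * (new_infections - patched_i)
        p += dt * (patched_s + patched_i)
        history.append((step * dt, s, i, p))
    return history


def peak_infected(history):
    """Largest number of simultaneously infected hosts during the run."""
    return max(infected for _, _, infected, _ in history)


def worm_can_spread(beta, patch_rate):
    """Linearising dI/dt near I = 0 (where S is about N) gives
    dI/dt = (beta - patch_rate) * I, so the outbreak only grows while
    scanning outpaces patching."""
    return beta > patch_rate


def compare_patching(n_hosts=10000, initial_infected=10, beta=1.0, steps=2000):
    """Peak infection count for several patch rates (constructed values);
    the drop in the peak is the 'effectiveness of patching' the text mentions."""
    return {rate: peak_infected(simulate_worm(n_hosts, initial_infected, beta, rate, steps))
            for rate in (0.0, 0.25, 0.5, 1.5)}


if __name__ == "__main__":
    for rate, peak in compare_patching().items():
        print(f"patch_rate={rate:<5} peak infected={peak:8.1f} "
              f"spreads={worm_can_spread(1.0, rate)}")
```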
Grayware
Grayware (or greyware) is a general term sometimes used as a classification for
applications that behave in a manner that is annoying or undesirable, and yet less serious
or troublesome than malware. Grayware encompasses spyware, adware, dialers, joke
programs, remote access tools, and any other unwelcome files and programs apart from
viruses that are designed to harm the performance of computers on your network. The term
has been in use since at least as early as September 2004.
Grayware refers to applications or files that are not classified as viruses or trojan horse
programs, but can still negatively affect the performance of the computers on your network
and introduce significant security risks to your organization. Often grayware performs a
variety of undesired actions such as irritating users with pop-up windows, tracking user
habits and unnecessarily exposing computer vulnerabilities to attack.
Web and spam
The World Wide Web is a criminals' preferred pathway for spreading malware. Today's web
threats use combinations of malware to create infection chains. About one in ten Web pages
may contain malicious code.
The Threat – Spyware & Adware
Contents:
What is Spyware?
Examples of spyware
• CoolWebSearch
• Internet Optimizer
• Zango
• Movieland
Criminal law
Adware Application
The Threat – Spyware & Adware
What is Spyware?
Spyware is computer software that is installed surreptitiously on a personal computer to
collect information about a user, their computer or browsing habits without the user's
informed consent.
While the term spyware suggests software that secretly monitors the user's behavior, the
functions of spyware extend well beyond simple monitoring. Spyware programs can collect
various types of personal information, such as Internet surfing habits, sites that have been
visited, but can also interfere with user control of the computer in other ways, such as
installing additional software, and redirecting Web browser activity. Spyware is known to
change computer settings, resulting in slow connection speeds, different home pages,
and/or loss of Internet or functionality of other programs. In an attempt to increase the
understanding of spyware, a more formal classification of its included software types is
captured under the term privacy-invasive software.
In response to the emergence of spyware, a small industry has sprung up dealing in anti-
spyware software. Running anti-spyware software has become a widely recognized element
of computer security best practices for Microsoft Windows desktop computers. A number of
jurisdictions have passed anti-spyware laws, which usually target any software that is
surreptitiously installed to control a user's computer. The US Federal Trade Commission has
placed on the Internet a page of advice to consumers about how to lower the risk of
spyware infection, including a list of "do's" and "don'ts."
Before Internet Explorer 7 was released, the browser would automatically display an
installation window for any ActiveX component that a website wanted to install. The
combination of user naiveté towards malware and the assumption by Internet Explorer that
all ActiveX components are benign led, in part, to the massive spread of spyware. Many
spyware components would also make use of exploits in Javascript, Internet Explorer and
Windows to install without user knowledge or permission.
The Windows Registry contains several locations where, by setting key values, software can
be made to execute automatically when the operating system boots. Spyware can
exploit this design to circumvent attempts at removal. The spyware typically will link itself
from each location in the registry that allows execution. Once running, the spyware will
periodically check if any of these links are removed. If so, they will be automatically
restored. This ensures that the spyware will execute when the operating system is booted
even if some (or most) of the registry links are removed.
Examples of spyware
These common spyware programs illustrate the diversity of behaviors found in these
attacks. Note that as with computer viruses, researchers give names to spyware programs
which may not be used by their creators. Programs may be grouped into "families" based
not on shared program code, but on common behaviors, or by "following the money" of
apparent financial or business connections. For instance, a number of the spyware programs
distributed by Claria are collectively known as "Gator". Likewise, programs which are
frequently installed together may be described as parts of the same spyware package, even
if they function separately.
• Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages
to advertising. When users follow a broken link or enter an erroneous URL, they see
a page of advertisements. However, because password-protected Web sites (HTTP
Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer
makes it impossible for the user to access password-protected sites.
Legal issues related to spyware
Criminal law
Unauthorized access to a computer is illegal under computer crime laws, such as the U.S.
Computer Fraud and Abuse Act, the U.K.'s Computer Misuse Act and similar laws in other
countries. Since the owners of computers infected with spyware generally claim that they
never authorized the installation, a prima facie reading would suggest that the promulgation
of spyware would count as a criminal act. Law enforcement has often pursued the authors
of other malware, particularly viruses. However, few spyware developers have been
prosecuted, and many operate openly as strictly legitimate businesses, though some have
faced lawsuits.
Spyware producers argue that, contrary to the users' claims, users do in fact give consent
to installations. Spyware that comes bundled with shareware applications may be described
in the legalese text of an end-user license agreement (EULA). Many users habitually ignore
these purported contracts, but spyware companies such as Claria claim these demonstrate
that users have consented.
Despite the ubiquity of EULAs and of "clickwrap" agreements, under which a single click can
be taken as consent to the entire text, relatively little case law has resulted from their use.
It has been established in most common law jurisdictions that a clickwrap agreement can be
a binding contract in certain circumstances. This does not, however, mean that every such
agreement is a contract or that every term in one is enforceable.
Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware
have infected a Windows computer, the only remedy may involve backing up user data, and
fully reinstalling the operating system. For instance, some versions of Vundo cannot be
completely removed by Symantec, Microsoft, PC Tools, and others because it infects rootkit,
Internet Explorer, and Windows' lsass.exe (Local Security Authority Subsystem Service)
with a randomly-filenamed dll (dynamic link library).
Microsoft Anti-Spyware, in real-time protection mode, blocks an instance of AlwaysUpdateNews
from being installed.
1. They can provide real time protection against the installation of spyware software on
your computer. This type of spyware protection works the same way as that of anti-virus
protection in that the anti-spyware software scans all incoming network data for spyware
software and blocks any threats it comes across.
2. Anti-spyware software programs can be used solely for detection and removal of spyware
software that has already been installed onto your computer. This type of spyware
protection is normally much easier to use and more popular. With this spyware protection
software you can schedule weekly, daily, or monthly scans of your computer to detect
and remove any spyware software that has been installed on your computer. This type of
anti-spyware software scans the contents of the windows registry, operating system files,
and installed programs on your computer and will provide a list of any threats found,
allowing you to choose what you want to delete and what you want to keep.
Such programs inspect the contents of the Windows registry, the operating system files, and
installed programs, and remove files and entries which match a list of known spyware
components. Real-time protection from spyware works identically to real-time anti-virus
protection: the software scans disk files at download time, and blocks the activity of components
known to represent spyware. In some cases, it may also intercept attempts to install start-up
items or to modify browser settings. Because much spyware and adware is installed as a result
of browser exploits or user error, using security software (some of which is anti-spyware, though
much is not) to sandbox browsers can also be effective in restricting any damage done.
What is Adware?
Adware or advertising-supported software is any software package which automatically
plays, displays, or downloads advertisements to a computer after the software is installed
on it or while the application is being used. Some types of adware are also spyware and can
be classified as privacy-invasive software.
Adware Application
Advertising functions are integrated into or bundled with the software, which is often
designed to note what Internet sites the user visits and to present advertising pertinent to
the types of goods or services featured there. Adware is usually seen by the developer as a
way to recover development costs, and in some cases it may allow the software to be
provided to the user free of charge or at a reduced price. The income derived from
presenting advertisements to the user may allow or motivate the developer to continue to
develop, maintain and upgrade the software product. Conversely, the advertisements may
be seen by the user as interruptions or annoyances, or as distractions from the task at
hand.
Some adware is also shareware, and so the word may be used as a term of distinction to
differentiate between types of shareware software. What differentiates adware from other
shareware is that it is primarily advertising-supported. Users may also be given the option
to pay for a "registered" or "licensed" copy to do away with the advertisements.
The Threat – Backdoor
Content:-
What is a Backdoor Virus?
About Backdoors
What they are, how they are used to invade a computer network or a personal computer.
INFORMATION BACKDOOR
The Threat – Backdoor
Definition:
Backdoors
What they are, how they are used to invade a computer network or a personal
computer.
A proxy server is a method by which computers talk to each other. An open proxy is a
backdoor that has been opened in a computer network (either by a friendly or unfriendly
method), meaning that the network's Internet access can be used by authorized personnel
within the network or, if the backdoor is not well-protected or is unknown, by malicious
access from anywhere in the world outside the network. Unknown backdoors can be
installed on a personal computer, desktop or laptop.
The purpose of a backdoor is to get around the security measures installed to protect a
computer system and allow access into the system from the outside. If the backdoor was
opened by a piece of spyware, then that spyware was programmed to sniff out standard
security programming and disable a part of the security program that recognizes and blocks
an unauthorized attempt to access that computer and its network. If the backdoor was
opened by a live person sitting at the computer, then the recognition pattern was disabled
manually.
Malicious programs that open backdoors can be found in emails, ad banners, web sites, and
downloads, sometimes without the knowledge of the website or download owner, or without
the knowledge of the email author. Trojan horses are a popular method of opening
backdoors.
In the past, backdoors were only a problem for IT (Information Technology) Managers in
large corporations, universities, and government facilities where sometimes hundreds of
computers are linked together under one roof or between geographically separated offices.
Today families and small businesses network their computers, as do libraries, clinics, rehab
hospices, retirement homes, and local law enforcement departments. Even isolated
computers are susceptible to invasion through the covert installation of malicious programs
that open a passage through the computer's firewall.
There are programs that spend 24 hours a day surfing the Web in search of unprotected
and unknown backdoors. They run around "pinging" IPs until they find one that sends back
a signal indicating that access can be granted. A program such as CallerIP scans all the
ports (where your modem or cable or telephone is plugged in) on your system and alerts
you to any malicious backdoors that can provide unauthorized access to your computer.
Summary
A backdoor is a hacker's remote access tool. Usually a backdoor is a standalone file that installs itself to
system and then remains active there listening to specific network ports for specific commands. A typical
backdoor consists of 2 parts - client and server. Some backdoor packages have configuration utilities that
allow a hacker to configure server parts to their needs. A few backdoors have special scanner utilities to
locate victim computers where server parts are installed.
There also exist IRC backdoors. These backdoors are controlled via bots that they create in specific
channels on selected IRC servers. These channels are usually invite-only, so they can only be
accessed by the hackers who use these backdoors.
A server part of a typical backdoor is usually installed on a computer which is going to be accessed.
Hackers use different tricks to infect users with server parts of backdoors - they send them in trojan
dropper packages, give fancy names to server files and send them in e-mails. Some worms and viruses
drop backdoors to infected systems.
When a typical backdoor is run, it copies its file to Windows or Windows System folder and creates a
Registry key to start that file during every Windows session. Also some backdoors modify WIN.INI and
SYSTEM.INI files or copy themselves to startup folders for different users. After installation some
backdoors can show fake error messages. Modern backdoors usually send a notification to specific e-
mail, ICQ or MSN account when they are activated. They report infected computer's IP address and some
other info. After a backdoor is installed, it starts to listen to certain network ports for specific commands
coming from a client part.
A client part of a backdoor is used to control a server part that is installed on a victim's computer. Client
parts usually have a well-designed GUI (Graphical User Interface) to make communications with servers
easy.
The most advanced backdoors allow a hacker to get full control over an infected system. They include
such features as sending and receiving files, browsing through victim's hard and network drives, getting
system information, receiving a screenshot from a victim's computer, communicating with an infected
user, changing the date/time and settings of the operating system, playing tricks (like opening/closing
the CD-ROM tray) and so on. Some backdoors even allow a hacker to listen and see what happens at a
remote computer if it is equipped with a microphone and a webcam. Simple backdoors only allow
uploading, downloading and running files on victims' computers.
The Threat – Backdoor & Example
Backdoor.Sdbot
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT,
Windows Server 2003, Windows XP
1. Copies itself to the %System% folder. The file name to which it copies itself can
vary. Some known file names are:
• Aim95.exe
• CMagesta.exe
• Cmd32.exe
• Cnfgldr.exe
• Explorer.exe
• FB_PNU.EXE
• IEXPL0RE.EXE
• MSTasks.exe
• MSsrvs32.exe
• Mssql.exe
• Regrun.exe
• Svchosts.exe
• Sys32.exe
• Sys3f2.exe
• Syscfg32.exe
• Sysmon16.exe
• YahooMsgr.exe
• cthelp.exe
• iexplore.exe
• ipcl32.exe
• quicktimeprom.exe
• service.exe
• sock32.exe
• spooler.exe
• svhost.exe
• syswin32.exe
• vcvw.exe
• winupdate32.exe
• xmconfig.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
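A defender-side audit of the three autorun keys just listed, as an added example that is not part of the original document: it flags the Sdbot file names given above, names that imitate real Windows binaries (IEXPL0RE.EXE, Svchosts.exe), and the same program linked from several autorun locations, which is the re-linking behaviour the spyware section describes. The registry snapshot and the vendor path in it are constructed; on a Windows host the same (key, value name, command) tuples can be produced by enumerating these keys with winreg.

```python
"""Audit Windows autorun registry entries for backdoor persistence.

Added example, not part of the original text. It checks the three Run keys
listed above for (a) file names the Sdbot description gives, (b) names that
imitate legitimate Windows binaries (IEXPL0RE.EXE, Svchosts.exe) and (c) one
program linked from several autorun locations, the re-linking trick the
spyware section describes. SAMPLE_AUTORUNS is a constructed snapshot.
"""
import ntpath

AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# File names from the Backdoor.Sdbot description above (subset, lower-cased).
KNOWN_BAD_NAMES = {
    "aim95.exe", "cmd32.exe", "iexpl0re.exe", "mstasks.exe", "mssrvs32.exe",
    "svchosts.exe", "sys32.exe", "syscfg32.exe", "service.exe", "spooler.exe",
    "svhost.exe", "winupdate32.exe", "xmconfig.exe",
}
# Legitimate binaries malware imitates, with their normal directory (assuming
# C:\WINDOWS); explorer.exe belongs in %Windir%, not %System%.
LEGIT_BINARIES = {
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}


def edit_distance(a, b):
    """Levenshtein distance; one edit is enough to catch IEXPL0RE or Svchosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_path(command):
    """Executable path from a Run-key command line (quoted or bare), lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).lower()
    return command.split()[0].lower() if command else ""


def audit_autoruns(entries):
    """entries: iterable of (key, value_name, command). Returns a list of
    (key, value_name, reason) findings; an empty list means nothing suspicious."""
    findings, locations = [], {}   # locations: exe path -> keys it is registered under
    for key, value_name, command in entries:
        path = exe_path(command)
        name, directory = ntpath.basename(path), ntpath.dirname(path)
        locations.setdefault(path, []).append(key)
        if name in KNOWN_BAD_NAMES:
            findings.append((key, value_name, f"known backdoor file name {name}"))
        if name in LEGIT_BINARIES:
            if directory != LEGIT_BINARIES[name]:
                findings.append((key, value_name, f"{name} outside its normal directory"))
        else:
            for legit in LEGIT_BINARIES:
                if edit_distance(name, legit) == 1:
                    findings.append((key, value_name, f"{name} imitates {legit}"))
                    break
    for path, keys in locations.items():
        if len(keys) > 1:   # same file re-linked from several autorun locations
            findings.append(("multiple", ntpath.basename(path),
                             f"registered in {len(keys)} autorun locations"))
    return findings


# Constructed snapshot of an infected machine's autorun keys (vendor path is made up).
SAMPLE_AUTORUNS = [
    (AUTORUN_KEYS[0], "Sound Tray", r'"C:\Program Files\Example Vendor\tray.exe" /quiet'),
    (AUTORUN_KEYS[0], "Windows Update", r"C:\WINDOWS\system32\winupdate32.exe"),
    (AUTORUN_KEYS[0], "Microsoft Update", r"C:\WINDOWS\system32\IEXPL0RE.EXE"),
    (AUTORUN_KEYS[1], "Microsoft Update", r"C:\WINDOWS\system32\IEXPL0RE.EXE"),
    (AUTORUN_KEYS[2], "Microsoft Update", r"C:\WINDOWS\system32\IEXPL0RE.EXE"),
    (AUTORUN_KEYS[2], "Explorer", r"C:\WINDOWS\system32\Explorer.exe"),
]

if __name__ == "__main__":
    for key, value_name, reason in audit_autoruns(SAMPLE_AUTORUNS):
        print(f"{key}\\{value_name}: {reason}")
```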
• %System%\SVKP.sys (This is a clean driver that can be used for malicious
purposes.)
• %System%\msdirectx.sys (This file is intended to provide rootkit functionality
and may be detected as Hacktool.Rootkit.)
4. Opens a back door by connecting to an IRC channel using its own IRC client. Some
examples of IRC servers that it may connect to are:
• bmu.h4x0rs.org
• bmu.q8hell.org
• bmu.FL0W1NG.NET
5. Listens for the commands from a remote attacker. The attacker accesses the Trojan
via IRC channels using a password-protected authorization. The remote attacker may
perform the following actions on the compromised computer:
Recommendations
• Use a firewall to block all incoming connections from the Internet to services that
should not be publicly available. By default, you should deny all incoming
connections and only allow services you explicitly want to offer to the outside world.
• Enforce a password policy. Complex passwords make it difficult to crack password
files on compromised computers. This helps to prevent or limit damage when a
computer is compromised.
• Ensure that programs and users of the computer use the lowest level of privileges
necessary to complete a task. When prompted for a root or UAC password, ensure
that the program asking for administration-level access is a legitimate application.
• Disable AutoPlay to prevent the automatic launching of executable files on network
and removable drives, and disconnect the drives when not required. If write access is
not required, enable read-only mode if the option is available.
• Turn off file sharing if not needed. If file sharing is required, use ACLs and password
protection to limit access. Disable anonymous access to shared folders. Grant access
only to user accounts with strong passwords to folders that must be shared.
• Turn off and remove unnecessary services. By default, many operating systems
install auxiliary services that are not critical. These services are avenues of attack. If
they are removed, threats have fewer avenues of attack.
• If a threat exploits one or more network services, disable, or block access to, those
services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public
services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS
services.
• Configure your email server to block or remove email that contains file attachments
that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr
files.
• Isolate compromised computers quickly to prevent threats from spreading further.
Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do
not execute software that is downloaded from the Internet unless it has been
scanned for viruses. Simply visiting a compromised Web site can cause infection if
certain browser vulnerabilities are not patched.
• If Bluetooth is not required for mobile devices, it should be turned off. If you require
its use, ensure that the device's visibility is set to "Hidden" so that it cannot be
scanned by other Bluetooth devices. If device pairing must be used, ensure that all
devices are set to "Unauthorized", requiring authorization for each connection
request. Do not accept applications that are unsigned or sent from unknown sources.
The Threat – Backdoor & Example
Backdoor Trojans
Examples of backdoor Trojans
Examples of backdoor trojans are Netbus and Back Orifice. They allow other people to control
your computer over the Internet. When you run a program that contains the backdoor
trojan, it copies itself to the Windows or Windows\System directory and adds itself to the
system's registry. Trojans are usually disguised as some sort of desirable program. For
example, one popular trojan wrapper is a game called "Whack a Mole". Another is a game
called "Pie Bill Gates". Once the program is in memory, it tries to hide itself from the task list. It
doesn't show any icon or other indication that it is running. It listens on a port until someone
connects. The person who is controlling your computer uses a client program that lets them
record keystrokes, view files, move the mouse, open and close the CD-ROM, etc.
Sometimes the trojan is customized so that the person who planted it gets an e-mail when
you run it.
Removal
The trojan tries to make itself hard to remove. For Back Orifice, it uses a file with a name
that usually shows up as " .EXE". Sometimes it uses a name like "MSGSRV32.DRV".
Windows prevents deleting the trojan file while it is active. Some of the regular antivirus
software can find these trojans and delete them while Windows is not running. The antivirus
program should find at least one EXE or DRV file containing the trojan. If it finds a .DLL file,
then it is just an add-on to the trojan that provides extra features. If you decide to use a
single-purpose trojan remover, then be cautious. Sometimes trojans are disguised as trojan
removers. For example, SynTax Back Orifice Remover and BOSniffer are both actually Back Orifice.
A program imitating Antigen named Trojan.Win32.Antigen claims to remove Back Orifice but
is actually a program that steals passwords. There are legitimate Anti-Trojan programs, but
make sure you get recommendations from people who have tried them and download them
directly from the author's site. You can also remove it from the registry manually. Click
Start, then Run, then type regedit in the text box, then click OK. Click
HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then CurrentVersion.
Check under Run and RunServices for any suspicious-looking files. Some files are normally
under this part of the registry. They are Rundll32.exe, systray.exe, scanregw.exe,
taskmon.exe, mstask.exe.
There are also some other files that are legitimate parts of the registry. The trojan will
usually be in the Windows or Windows\System folder. Netbus is by default called patch.exe
and the command ends in "/nomsg".
Remember that someone could rename them to a different name. Usually they are given a
technical-sounding name like "MSGSRV32.DRV" or "TCP.DRV". Instead of guessing which
one is a trojan, see if your antivirus program will pick it up. If it doesn't detect it, send a
sample of the program(s) you suspect are the virus to your antivirus producer's submission
address.
Select the entry that loads the trojan and press delete. Click Yes. Close regedit. You will now be
able to delete the trojan.
Special instructions for difficult trojans, especially "Pretty Park" and BackDoor-G.ldr ("Sub
seven"):
Download the UNDO.ZIP from following:
REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
Click Start, then Run, then type "c:\windows\win.ini" in the text box, then click OK. Scroll
down to the line that begins with "run=" and if it loads the trojan program, delete it. Click
Start, then Run, then type "c:\windows\system.ini" in the text box, then click OK. Scroll
down to the line that begins with "shell=" and if it loads the trojan program, be very careful
to delete only the part that loads the trojan. After you are done the shell= should look like
this:
shell=Explorer.exe
Close notepad and save your changes. Reboot your computer. The trojan will no longer be
active. Then you will be able to delete it from inside Windows. Just go to the folder where
the file resides and send it to the recycle bin.
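To make the win.ini/system.ini walk-through above repeatable, here is an added example (not from the original manual) that lists every program launched from win.ini run=/load= and system.ini shell=, and rebuilds the shell= line so that only Explorer.exe remains. The INI contents are constructed to mirror the Netbus case described above (patch.exe with /nomsg); the MSGSRV32.DRV entry is there only because the text names it as a common disguise, and nothing in the code decides by name what is malicious.

```python
# Constructed samples modelled on the removal steps above; not captured from a real machine.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\MSGSRV32.DRV
[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\patch.exe /nomsg
[386Enh]
"""


def parse_ini(text):
    """Minimal INI parser: {section_lower: {key_lower: value}}; comments and blanks skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autostart_programs(win_ini_text, system_ini_text):
    """Return (source, program) pairs for everything launched from win.ini load=/run=
    and system.ini shell=. Switches such as /nomsg are dropped. Nothing is judged
    malicious here: each program is something to scan or look up, not to guess at."""
    windows = parse_ini(win_ini_text).get("windows", {})
    boot = parse_ini(system_ini_text).get("boot", {})
    found = []
    for key in ("load", "run"):
        found += [(f"win.ini {key}=", prog) for prog in windows.get(key, "").split()]
    found += [("system.ini shell=", tok) for tok in boot.get("shell", "").split()
              if not tok.startswith("/")]
    return found


def clean_shell_line(shell_value, shell="Explorer.exe"):
    """Given the value of system.ini shell=, keep only the real shell and return
    (corrected line, removed tokens). If Explorer.exe is missing entirely, the line
    is rebuilt as shell=Explorer.exe, the end state the text asks for."""
    tokens = shell_value.split()
    kept = [t for t in tokens if t.rsplit("\\", 1)[-1].lower() == shell.lower()]
    removed = [t for t in tokens if t not in kept]
    return f"shell={kept[0] if kept else shell}", removed


if __name__ == "__main__":
    for source, program in autostart_programs(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(f"{source:20} {program}")
    shell_value = parse_ini(SAMPLE_SYSTEM_INI)["boot"]["shell"]
    print(clean_shell_line(shell_value))
```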
The Threat – Rootkits
Contents:
What is a rootkit?
Types of Rootkits
Detecting A Rootkit
The Threat – Rootkits
What is a rootkit?
The term rootkit is very old and dates back to the days when UNIX ruled the world.
Rootkits for the UNIX operating system were typically used to elevate the privileges of a
user to the root level (= administrator). This explains the name of this category of tools.
Rootkits for Windows work in a different way and are typically used to hide malicious
software from, for example, an antivirus scanner. Rootkits are typically not malicious by
themselves but are used for malicious purposes by viruses, worms, backdoors and spyware.
A virus combined with a rootkit produces what was known as a full stealth virus in the MS-
DOS environment.
The malware may remain undetected even if the computer is protected with state-of-the-art
antivirus. And the antivirus can't remove something that it can't see. The threat from
modern malware combined with rootkits is very similar to full stealth viruses that caused a
lot of headache during the MS-DOS era. All this makes rootkits a significant threat.
Rootkits are already quite common in spyware programs but not as common in viruses.
There is clear evidence that rootkits are a technique that works in practice, but the actual
threat is still small compared to the potential of this technique.
Shouldn't antivirus detect rootkits before they go into
hiding?
Yes, and in some cases it will. However, rootkits are usually distributed in source code and
that means a hacker can modify the rootkit until antivirus products no longer detect it. In
fact, many rootkit and Trojan authors sell "undetection service" to their "customers". This
means that for a certain amount of money they guarantee that the rootkit binary they sell is
not at that point detected by any antivirus vendors. There are also some other features in
modern antivirus products that may detect rootkits. For example F-Secure Internet Security
2005 has a feature we call "Manipulation Control". It is a behavioral blocking mechanism
that prevents malicious processes from manipulating other processes. This will prevent the
activation of some rootkits, but not all.
Rootkits can make hidden backdoors or spam-relays in infected computers useful for a
much longer time. There is reason to believe that the use of rootkits will increase in the
future.
The Threat - Rootkits
Types of Rootkits
There are three basic types of rootkits - Library, Application and Kernel. There are also
two subtypes - Memory Based and Persistent depending on whether the malware
survives reboot and whether it executes in user mode or kernel mode.
Library level Rootkits will most commonly patch or replace system calls with versions that
hide information so the rootkit is not visible by normal means. It is difficult to find the files
with a normal file search, or by going to the task manager to check what applications are
running.
Application level Rootkits usually operate by replacing normal application binaries with
Trojan versions, or by modifying program behavior through the use of hooks, patches, or other
injected code.
Kernel level Rootkits conceal backdoors on a computer system by writing additional code or
by replacing portions of kernel code with modified code, via device drivers in Windows or
Loadable Kernel Modules in Linux. Kernel rootkits can be difficult to detect, making them
even more dangerous.
Persistent Rootkits are designed to easily survive a system re-boot. In order to survive a
re-boot, this kind of rootkit must have some means of permanently storing its code on the
victims’ machine, usually on the hard drive. It must also use some form of a hook in the
system boot sequence so it will be loaded from disk into memory each time the machine
starts so it can begin execution again.
Memory-based Rootkits exist only in volatile memory and may be installed covertly via a
software exploit. An attacker who wants to perform a quick, one-time, in-and-out procedure
of some sort, remain undetected, and then leave unnoticed without intending to return
usually uses a memory-based rootkit. These attacks are typically information-gathering
missions by an attacker who has already discovered when a machine is normally turned on or
running. Such rootkits may also be reserved for use only against server machines that are
left running for long periods of time, by an attacker who wants to remain completely
undiscovered and untraceable.
The fight against rootkits is a real armed struggle. The following techniques can be used to
detect the existence of rootkits within a system:
· Signature-Based Detection
· Detection-By Comparison
· Heuristic-Based Detection
· Integrity-Based Detection
Heuristic or Behavior-Based Detection: Identifies rootkits by recognizing any deviations
in the computer’s normal activity.
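Two of the techniques listed above, detection by comparison and integrity-based detection, as an added example in Python (not from the original manual). File contents, paths and process lists are constructed stand-ins for a trusted baseline, a later snapshot, and the two views of the process table; on a real host the baseline and the low-level view must come from a trusted source such as offline media, because a kernel rootkit can lie to in-band reads.

```python
import hashlib


def hash_files(files):
    """files: {path: bytes} (stand-in for reading a filesystem). Returns {path: sha256 hex}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_diff(baseline, current):
    """Integrity-based detection: files added, removed or changed since the trusted baseline.
    A patched system library (library-level rootkit) shows up as 'modified'; a dropped
    driver (kernel-level persistence) shows up as 'added'."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def cross_view_diff(api_view, low_level_view):
    """Detection by comparison (cross-view): an object present in the low-level enumeration
    but absent from what the normal API reports is being hidden from normal tools.
    Objects are (pid, name) tuples."""
    return sorted(set(low_level_view) - set(api_view))


# Constructed trusted baseline and a later snapshot: one library has been patched and a
# driver has appeared. Names are made up for the example.
CLEAN_FILES = {
    r"C:\WINDOWS\SYSTEM32\example_api.dll": b"original library bytes",
    r"C:\WINDOWS\SYSTEM32\drivers\example_disk.sys": b"original driver bytes",
}
LATER_FILES = {
    r"C:\WINDOWS\SYSTEM32\example_api.dll": b"original library bytes" + b"\x90hook",
    r"C:\WINDOWS\SYSTEM32\drivers\example_disk.sys": b"original driver bytes",
    r"C:\WINDOWS\SYSTEM32\drivers\hidden_drv.sys": b"new driver bytes",
}

# Constructed process views: what the task list API returns vs. a lower-level walk.
API_PROCESSES = [(4, "System"), (612, "explorer.exe"), (900, "notepad.exe")]
LOW_LEVEL_PROCESSES = API_PROCESSES + [(1337, "hidden_proc.exe")]


def run_checks():
    """Run both detections over the constructed data and return the findings."""
    return {
        "integrity": integrity_diff(hash_files(CLEAN_FILES), hash_files(LATER_FILES)),
        "hidden_processes": cross_view_diff(API_PROCESSES, LOW_LEVEL_PROCESSES),
    }


if __name__ == "__main__":
    for section, finding in run_checks().items():
        print(section, finding)
```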
The first line of defense against rootkits consists in preventing them from entering your
computer. To do this, please bear in mind the following basic advice on protection against
malware:
· Install a good antimalware solution on the computer, and always keep it activated
and updated.
· Install a personal firewall that will protect against unauthorized access to your
computer.
· Always ensure that the applications installed on computer are kept up-to-date,
and make sure to install any security patches supplied by manufacturers.
· However, the task of protecting against rootkits is not to be taken lightly, and
cannot be limited to a series of generic protection measures.
The Threat - Rootkits
Most users are familiar with common threats such as viruses, worms, spyware and even
phishing scams. But, many computer users may think you're talking about a gardening
product to fertilize your flowers or kill the weeds if you mention a rootkit. So, what is a
rootkit?
Answer:
What Is A Rootkit?
At the core of the term "rootkit" are two words: "root" and "kit". Root refers to the all-
powerful "Administrator" account on Unix and Linux systems, and kit refers to a set of
programs or utilities that allow someone to maintain root-level access to a computer.
However, one other aspect of a rootkit, beyond maintaining root-level access, is that the
presence of the rootkit should be undetectable.
A rootkit allows someone, either legitimate or malicious, to maintain command and control
over a computer system without the computer system's user knowing about it. This
means that the owner of the rootkit is capable of executing files and changing system
configurations on the target machine, as well as accessing log files or monitoring activity to
covertly spy on the user's computer usage.
Is A Rootkit Malware?
That may be debatable. There are legitimate uses for rootkits by law enforcement or even
by parents or employers wishing to retain remote command and control and/or the ability to
monitor activity on their employee's / children's computer systems. Products such as
eBlaster or Spector Pro are essentially rootkits which allow for such monitoring.
However, most of the media attention given to rootkits is aimed at malicious or illegal
rootkits used by attackers or spies to infiltrate and monitor systems. But, while a rootkit
might somehow be installed on a system through the use of a virus or Trojan of some sort,
the rootkit itself is not really malware.
Detecting A Rootkit
Detecting a rootkit on your system is easier said than done. Currently, there is no off-the-
shelf product to magically find and remove all of the rootkits of the world like there is for
viruses or spyware.
There are various ways to scan memory or file system areas, or look for hooks into the
system from rootkits, but not many of them are automated tools, and those that are often
focus on detecting and removing a specific rootkit. Another method is just to look for bizarre
or strange behavior on the computer system. If there are suspicious things going on, you
might be compromised by a rootkit. Of course, you might also just need to clean up your
system using tips from a book like Degunking Windows.
In the end, many security experts suggest a complete rebuild of a system compromised by
a rootkit or suspected of being compromised by a rootkit. The reason is, even if you detect
files or processes associated with the rootkit, it is difficult to be 100% sure that you have in
fact removed every piece of the rootkit. Peace of mind can be found by completely erasing
the system and starting over.
Many malicious rootkits manage to infiltrate computer systems and install themselves by
propagating with a malware threat such as a virus. You can safeguard your system from
rootkits by ensuring it is kept patched against known vulnerabilities, that antivirus software
is updated and running, and that you don't accept files from or open email file attachments
from unknown sources. You should also be careful when installing software and read
carefully before agreeing to EULAs (end user license agreements), because some may state
overtly that a rootkit of some sort will be installed.
The Threat – Rootkits & Example
ALIAS: Backdoor.Padodor.w, TrojanSpy.Win32.Qukart
ALIAS: Berbew, Webber, Padodor, Qukart
SIZE: 51712
Summary
The Padodor.W variant was found early on June 25th, 2004 as a result of Scob incident
investigation:
http://www.f-secure.com/v-descs/scob.shtml
Padodor/Qukart was created by a Russian hacker group called HangUp Team. The original
Padodor backdoor source code was used to create this variant, but the backdoor
functionality was removed. Padodor/Qukart steals personal information including credit card
numbers, logins and passwords that a user types, and other sensitive data.
This backdoor contains the code to hide its presence in a system (rootkit functionality), but
this variant does not use it to hide its files, it only hides its process. However, later versions
of this backdoor, for example Padodor.AQ do hide their files from file managers. It should be
noted that the files are still visible if viewed from Command shell (CMD.EXE).
Detailed Description
The trojan's file is a PE executable 51712 bytes long. The trojan's file is encrypted and the
decryption routine is polymorphic. Every time the trojan installs itself, it changes its
decryptor, so its file will look different after every installation.
The trojan was created using Padodor backdoor code. There's some discussion now on
whether the HangUp team was involved. Unless they provided their Padodor source code to
someone else (which is doubtful), they are responsible for the latest Padodor/Qukart
incidents. Up to the .G variant of Padodor, their copyright was in the backdoor files:
In the later variants of the backdoor the copyright string was removed, but the project
name "padonok" (an incorrectly spelled Russian word "podonok" that means "scum")
remained:
We do not directly accuse the HangUp hacker group of writing Padodor; we only provide facts
for investigation. It's the court's job to prove whether someone is guilty after analysing
all the evidence.
Installation to System
When the trojan's file is run, it installs itself to the system. It copies its file to the Windows
System directory with a random name that can end in '32'. The name can be, for
example, 'amackg32.exe'. The trojan also extracts and writes a small DLL file to the Windows
System folder. That file also has a randomly generated name that can end in '32',
for example 'bnldnl32.dll'. That DLL file is a starter for the dropped trojan executable
file; it already contains the name of the dropped trojan file, which is inserted there before
extraction.
[HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@ = "%WinSysDir%\<random>.dll"
"ThreadingModel" = "Apartment"
where %WinSysDir% represents the name of the Windows System folder and <random>
represents a randomly generated file name. As a result, the DLL gets loaded every time
Windows starts, and it activates the trojan's file.
[HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
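An added example (not from the F-Secure description) that follows the persistence chain above over a .reg-style export: ShellServiceObjectDelayLoad entry to CLSID to InProcServer32 DLL, flagging any entry whose DLL is missing or outside a known-good set. The export is constructed; the CLSID and the "Web Event Logger" name come from the text, while the DLL path, the second CLSID and the known-good set are placeholders.

```python
import re

# Constructed .reg export modelled on the keys described above (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"
"Example Shell Helper"="{00000000-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@="C:\\WINDOWS\\system32\\bnldnl32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"
'''

SSODL_KEY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\shellserviceobjectdelayload"
# Placeholder baseline; a real one is taken from a clean reference build of the same OS.
KNOWN_GOOD_DLLS = {"shell32.dll"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(literal):
    """Strip the quotes of a .reg string literal and undo its backslash escaping."""
    if len(literal) >= 2 and literal[0] == '"' and literal[-1] == '"':
        literal = literal[1:-1]
    return literal.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return {key_lower: {value_name: value}}; the default value (@) is stored under ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("Windows Registry")
                or line.upper().startswith("REGEDIT")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()          # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1))
            keys[current][name] = _unescape(m.group(2))
    return keys


def resolve_ssodl(reg):
    """For each SSODL entry return (name, clsid, dll_path). dll_path is None when the
    CLSID has no InProcServer32 default value (a dangling entry, worth a look in itself)."""
    resolved = []
    for name, clsid in reg.get(SSODL_KEY, {}).items():
        inproc_key = "hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32"
        resolved.append((name, clsid, reg.get(inproc_key, {}).get("")))
    return resolved


def unexpected_ssodl(reg, known_good=KNOWN_GOOD_DLLS):
    """SSODL entries whose DLL is missing or whose basename is not in the known-good set."""
    flagged = []
    for name, clsid, dll in resolve_ssodl(reg):
        basename = dll.rsplit("\\", 1)[-1].lower() if dll else None
        if basename not in known_good:
            flagged.append((name, clsid, dll))
    return flagged


if __name__ == "__main__":
    for entry in unexpected_ssodl(parse_reg(SAMPLE_REG)):
        print("unexpected SSODL entry:", entry)
```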
The trojan creates a mutex named 'KingKarton_10' and checks it at startup to avoid loading
several copies of itself to memory.
The trojan creates the 'surf.dat' file in Windows System folder and writes computer name
and user name there every time it activates.
When the trojan is active, one of its threads is constantly looking for the following text
strings in Microsoft Internet Explorer windows:
.paypal.com
signin.ebay.
.earthlink.
.juno.com
my.juno.com/s/
webmail.juno.com
.yahoo.com
and
Sign In
Log In
If such text strings are found, the Trojan tracks user's login and password and saves it to a
file called DNKK.DLL located in Windows System folder. Then the Trojan can show a fake
web form and ask a user to select his/her credit card type, input his/her full name, credit
card number, expiration date, CVV2 code and ATM PIN. The collected data is stored in a file
called KK32.DLL file located in Windows System folder. Here's a screenshot of the fake form
displayed by the Trojan:
The Trojan creates a thread that periodically creates or changes the following Registry keys:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>]
"1601" = <value>
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = <value>
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess]
"BrowseNewProcess" = "yes"
Then this thread creates an HTML file into which it copies the stolen data, opens it with Internet
Explorer, and the data gets submitted to one of the following websites (selected randomly) using a
small script:
After submitting, the trojan checks for feedback from the site, and if it is a string equal to
'X-okRecv11', the trojan deletes the HTML file and terminates the Internet Explorer process.
The trojan creates another thread that periodically accesses the following webpages:
Before accessing the above-mentioned websites the trojan creates an HTML file with a
special script. If the index.htm page on these sites contains the 'X-okRecv11' string, the trojan
terminates Internet Explorer and deletes the created HTML file. Otherwise the trojan
browses Internet cache files and appends the last used HTML file to the KK32.VXD file
located in the Windows System folder.
It should be noted that during the operation described above the trojan creates a new
desktop called 'blind user' on an infected computer that a user can not see and then opens
Internet Explorer there.
The Threat – BOT (Worm)
Content:
What is a BOT?
Characteristics of bots
The Threat – BOT (Worm)
A BOT is a malicious program whose purpose is the fraudulent use of a computer. Once your
computer is infected with a BOT, the malicious attacker (referred to as "attacker"
hereinafter) remotely controls your computer from outside.
This attack causes serious harm in the form of public nuisance, such as "sending a huge
number of mails" and "attacking a particular website", as well as stealing information
stored in your computer, i.e., "spying activities".
As this external control of your computer is analogous to a robot, it is referred to as a BOT.
A BOT is a general term for software designed to automate tasks - an electronic robot.
Legitimate bots are commonly used as 'web spiders', gathering data for search engines,
or to monitor specific sites, such as watching a sales site for bargains or blocking abuse
and profanity from a forum or chat system.
A malicious bot is a similar program which resides on an infected system,
communicating with a bot herder (its controller) and forming part of a botnet. The bot will usually be
implanted by a worm or trojan, which opens a backdoor. The bot then monitors the
backdoor for further instructions. These can include sending out spam, hosting
malicious websites, probing networks for vulnerabilities, and even downloading updates
of its own code.
With their flexibility making them ideal for a variety of malicious purposes, bots are one
of the most common tools used by cybercriminals. Many security vendors now provide
services to check whether such bots are resident within a network.
Unlike conventional viruses or worms, BOTs generally do not show specific visible symptoms
even when your computer is infected. A user therefore does not realize that his/her computer
is infected and continues to use it without noticing any difference from before the infection.
Utilizing vulnerabilities of computers, BOTs take actions to augment infection so that the
number of computers available for nuisance mails and DoS attacks is increased. BOTs take
over computers that have vulnerabilities and send in programs for infecting other computers.
To perform item 3, "Network infection", BOTs collect information on the computers with
vulnerabilities. Using the collected information, another computer is selected as the next
target for infection.
Information about BOT-Worm
When Backdoor.IRC.Bot.B is executed, it may create a copy of itself in the \Windows or the
\Windows\System folder. In most cases, this Trojan uses one or more of the common loading
points to make sure that it runs when you start Windows. It may add itself into the registry to the
following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
• Flooding mailboxes (mailbombing)
• Executing programs and scripts on your computer
• Uploading or downloading the files to the host
• Updating the version of the Trojan
• Participating in a Distributed Denial of Service (DDoS) attack on a remote host
• Uninstalling the Trojan
Internet bots, also known as web robots, WWW robots or simply bots, are software
applications that run automated tasks over the Internet. Typically, bots perform tasks that
are both simple and structurally repetitive, at a much higher rate than would be possible for
a human alone. The largest use of bots is in web spidering, in which an automated script
fetches, analyses and files information from web servers at many times the speed of a
human. Each server can have a file called robots.txt, containing rules for the spidering of
that server that the bot is supposed to obey.
In addition to their uses outlined above, bots may also be implemented where a response
speed faster than that of humans is required (e.g., gaming bots and auction-site robots) or
less commonly in situations where the emulation of human activity is required, for example
chat bots.
These chatterbots may allow people to ask questions in plain English and then formulate a
proper response. These bots can often handle many tasks, including reporting weather, zip-
code information, sports scores, converting currency or other units, etc. Others are used for
entertainment, such as SmarterChild on AOL Instant Messenger and MSN Messenger and
Jabberwacky on Yahoo! Messenger.
An additional role of IRC bots may be to lurk in the background of a conversation channel,
commenting on certain phrases uttered by the participants (based on pattern matching).
This is sometimes used as a help service for new users, or for censorship of profanity.
AOL Instant Messenger has now introduced a feature that allows you to make a screen
name into a BOT. This new feature removes the rate limit on the screen name, however it is
now limited in the amount of instant messages that can be sent and received.
The Threat – Virus
Contents:
What Is a Virus?
The Threat – Virus
What Is a Virus?
A computer virus attaches itself to a program or file enabling it to spread from one
computer to another, leaving infections as it travels. Like a human virus, a computer virus
can range in severity: some may cause only mildly annoying effects while others can
damage your hardware, software or files.
Almost all viruses are attached to an executable file, which means the virus may exist on
your computer but it actually cannot infect your computer unless you run or open the
malicious program. It is important to note that a virus cannot be spread without a human
action, (such as running an infected program) to keep it going.
People continue the spread of a computer virus, mostly unknowingly, by sharing infected
files or sending e-mails with viruses as attachments.
A virus is inactive until you execute an infected program or application OR start your
computer from a disk that has infected system files. Once a virus is active, it loads into your
computer's memory and may save itself to your hard drive or copy itself to applications or
system files on disks you use.
Some viruses are programmed specifically to damage the data on your computer by
corrupting programs, deleting files, or even erasing your entire hard drive. Many viruses do
nothing more than display a message or make sounds / verbal comments at a certain time
or a programming event after replicating themselves to be picked up by other users one
way or another. Other viruses make your computer's system behave erratically or crash
frequently. Sadly many people who have problems or frequent crashes using their
computers do not realize that they have a virus and live with the inconveniences.
In addition, Macintosh viruses do not infect DOS / Windows software and vice
versa. For example, the Melissa virus incident of late 1998 and the ILOVEYOU virus of 2000
worked only on Windows-based machines and could not operate on Macintosh computers.
One further note: viruses do not necessarily let you know they are present in your
machine, even after being destructive. If your computer is not operating properly, it is
good practice to check for viruses with a current "virus checking" program.
Once in memory, one of a number of things can happen. The virus may be programmed to
attach to other applications, disks or folders. It may infect a network if given the
opportunity.
Viruses behave in different ways. Some viruses stay active only while the application they are
part of is running: turn the computer off and the virus is inactive. Other viruses will operate
every time you turn on your computer after infecting a system file or network.
How to Prevent a Virus Invasion!
1. Load only software from original disks or CDs. Pirated or copied software is always a
risk for a virus.
2. Execute only programs whose origin you know. Programs sent by email should always
be treated as suspicious.
3. Computer uploads and "system configuration" changes should always be performed
by the person who is responsible for the computer. Password protection should be
employed.
4. Check all shareware and free programs downloaded from on-line services with a
virus checking program.
5. Purchase a virus program that runs as you boot or work on your computer. Update it
frequently.
The Threat – Virus-Examples
Introduction
"author did not know" is specious defense
Early Examples
Brain Virus
Lehigh Virus
Chrisma Worm
Morris Worm
MBDF Virus
Pathogen Virus
Melissa Virus
ILOVEYOU Worm
Anna Worm
Three Worms:
CodeRed
Sircam
Nimda
BadTrans.B Worm
Klez
Recent malicious programs
Economic Damage
Sources of Information
Conclusion
Introduction
This essay contains a description of several famous malicious computer programs (e.g.,
computer viruses and worms) that caused extensive harm, and it reviews the legal consequences
of each incident, including the nonexistent or lenient punishment of the program's author.
It is not my intention to provide information on threats by current malicious programs: this essay
is only a historical document. (You can find information on current threats at websites operated
by vendors of anti-virus software.)
• Learning how past incidents caused damage may help you protect your computer from
future damage. I say may, because new types of threats are continually emerging.
• Because the law reacts to past events, learning about past harmful incidents shows us
how the law should be corrected to respond appropriately to the new crimes of writing
and distributing malicious computer programs.
• In May 2002, the Norton Anti-Virus software for Windows operating systems detected
about 61000 malicious programs. Astoundingly, there have been criminal prosecutions
and convictions of the author(s) of only five malicious programs, all of which are
described below:
1. the Morris worm released in 1988,
2. the author and distributors of the MBDF virus,
3. the author of the Pathogen virus,
4. the author of the Melissa virus, and
5. the author of the Anna worm
I hope that when people read this essay and become aware of both the malicious design
and great harm caused by computer viruses and worms, readers will urge their legislators:
A. to enact criminal statutes against authors of computer viruses and worms, with
punishment to reflect the damage done by those authors, and
B. to allocate more money to the police for finding and arresting the authors of
malicious computer programs.
I have not cited a source for each fact mentioned in this essay, because most of these facts have
been reported at many different sources, and are well known to computer experts who are
familiar with viruses and worms. (I do cite a source for facts that are either not well known or
controversial.) Further, this essay is not a formal scholarly document, with numerous citations,
but only an informative review intended for attorneys, legislators, the general public, students,
businessmen, etc. Some general sources are mentioned later.
The most common excuse made by criminal defense attorneys who represent authors of
computer worms and viruses is that their client did not know how rapidly the worm or virus
would spread. Because this excuse occurs in several of the cases presented below, let's discuss it
at the beginning.
Such an excuse might be plausible to someone who had no understanding of the Internet and
computer programming. However, it is ridiculous to suggest that a computer programmer who
creates a worm is unaware that it will spread rapidly. Students who major in computer science,
mathematics, physics, or engineering learn in mathematics classes about geometric series. There
is a good reason why mathematics classes are required for science and engineering students:
mathematics is really useful for predicting results of experiments that one should not perform.
A good example of a geometric series is the propagation of a computer worm. Consider the
following hypothetical example in which each victim's computer provides the addresses of four
new victims, and the worm requires one hour to be received by the next wave of victims, to
search the next victim's computer and find four new addresses, then to be sent to the four new
victims:
hour 10: 4^10 = 1048576 new victims
In this hypothetical example, at 24 hours there would be approximately 10^14 new victims, which
is a ridiculous extrapolation, because there are only about 10^9 people on the planet earth. But this
example clearly shows the rapid growth of a geometric series and why authors of worms should
not be surprised when their worm rapidly gets out-of-control. Seen in this context, the criminal
defense attorney's statement that his/her client "did not know ...." is not plausible. Actually, the
defense attorney's statement is ludicrous.
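As an added illustration (not part of the original essay), this Python model computes the unbounded geometric count from the hypothetical above and, going beyond the essay's table, a saturating variant in which the four addresses are drawn at random from a finite pool of about 10^9 users, which shows why the 10^14 figure is an extrapolation and where real growth levels off. The function names and the random-address assumption are my own.

```python
from typing import List


def unbounded_victims(hours: int, fanout: int = 4) -> int:
    """The essay's hypothetical: each victim yields `fanout` new victims per hour,
    so the wave received at hour h contains fanout**h new victims."""
    return fanout ** hours


def saturating_spread(population: int, hours: int, fanout: int = 4) -> List[float]:
    """Expected cumulative number of infected hosts, hour by hour, when each newly
    infected host sends `fanout` copies to addresses drawn uniformly at random
    from a finite pool of `population` hosts (assumption added here; the essay's
    table ignores this limit). Copies that land on already-infected hosts, or on
    the same host twice, are wasted, so growth levels off as the pool is used up."""
    infected = 1.0          # patient zero at hour 0
    newly = 1.0             # hosts infected in the latest wave
    history = [infected]
    for _ in range(hours):
        attempts = newly * fanout
        susceptible = population - infected
        # probability that a given uninfected host receives at least one copy
        p_hit = 1.0 - (1.0 - 1.0 / population) ** attempts
        newly = susceptible * p_hit
        infected += newly
        history.append(infected)
    return history


def first_hour_reaching(history: List[float], population: int, fraction: float) -> int:
    """Index of the first hour at which the model has infected `fraction` of the
    pool; -1 if that never happens within the simulated hours."""
    for hour, count in enumerate(history):
        if count >= fraction * population:
            return hour
    return -1


if __name__ == "__main__":
    print("unbounded, hour 10:", unbounded_victims(10))          # 1048576, the table's last row
    print("unbounded, hour 24: %.2e" % unbounded_victims(24))    # about 2.8e14, more than the planet
    hist = saturating_spread(10**9, 24)
    for h in (10, 14, 15, 16, 24):
        print(f"saturating, hour {h:2d}: {hist[h]:.3e}")
    print("half the pool reached at hour", first_hour_reaching(hist, 10**9, 0.5))
```

Even with saturation the model reaches half of a billion-host pool in about 15 hours, so the finite limit only moves the curve from "absurd" to "everyone within a day".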
Even if one ignores the rapid growth of a geometric series, the historical examples of the rapid
propagation of the Christma Worm in Dec 1987 and the Morris Worm in Nov 1988 show what
happens when worms are released into computer networks. There is absolutely no need for
another "experiment" of this kind, as we already know what will happen. (I put "experiment" in
quotation marks, because the design and release of a computer virus or worm is a crime, not a
legitimate scientific experiment.)
Other examples of specious defenses for writing or releasing malicious programs are contained
in my essay on Computer Crime.
Early Examples
Brain virus
The first computer virus for Microsoft DOS was apparently written in 1986 and contains
unencrypted text with the name, address, and telephone number of Brain Computer Services, a
store in Lahore, Pakistan. This virus infected the boot sector of 5¼ inch floppy diskettes with a
360 kbyte capacity. Robert Slade, an expert on computer viruses, believes the Brain virus was
written as a form of advertising for the store in Pakistan.
A variant of the Brain virus was discovered at the University of Delaware in the USA during
Oct 1987 where the virus destroyed the ability to read the draft of at least one graduate student's
thesis.
Lehigh Virus
In November 1987, a virus was discovered infecting the COMMAND.COM file on DOS diskettes at
Lehigh University. When an infected COMMAND.COM had infected four other copies of
COMMAND.COM (i.e., when copying to a floppy diskette), the virus wrote over the
file allocation table on all disks in the system, destroying the ability to read files from those
disks.
500 computer disks and diskettes at Lehigh University were lost because of this one virus.
To the best of my knowledge, the author of the Lehigh Virus was never identified, so there was
no punishment for him.
Christma Worm
A student at a university in Germany created a worm in the REXX language. He released his
worm in December 1987 on a network of IBM mainframe computers in Europe.
The worm displayed an image of a conifer tree on the user's monitor, while it searched two files
on the user's account to collect e-mail addresses, then automatically sent itself to all of those
addresses. (This trick would be used again, on a different operating system, in March 1999 by
the Melissa virus.) The Christma worm deleted itself after it functioned once. However, the one
copy deleted was replaced by multiple copies sent to everyone with an e-mail address in either
the in-box or out-box of the user's account, so the total number of copies continued to increase.
The worm itself was relatively harmless: it neither deleted nor altered the user's computer files.
However, the rapid propagation of the worm created a mailstorm in the network of IBM
mainframe computers from 9 to 14 Dec 1987.
The author of the Christma worm was identified, by tracing the mail messages back to the
original source. His computer account was closed, but I cannot find any other punishment for
him.
Morris Worm
On 2 November 1988, Robert Tappan Morris, then a first-year graduate student in computer
science at Cornell University, released his worm that effectively shut down the Internet for
several days.
The Morris Worm used four different ways to get unauthorized access to computers connected to
the Internet:
The worm only infected SUN-3 and Digital Equipment Corp. VAX computers running versions
of the Berkeley UNIX operating system.
The Morris Worm succeeded in infecting approximately 3000 computers, which was about 5%
of the Internet at that time. Among the affected computers were those at the University of
California at Berkeley, MIT, Stanford, Princeton, Purdue, Harvard, Dartmouth, University of
Maryland, University of Utah, Georgia Institute of Technology, and many other universities, as
well as computers at military and government laboratories.
When Morris understood that his worm was propagating faster than he had expected, he called a
friend at Harvard University. The friend then sent the following anonymous message with a false
source address to the TCP-IP mailing list via the Internet:
A possible virus report:
There may be a virus loose on the internet.
Here is the gist of a message I got:
I'm sorry.
Here are some steps to prevent further transmission:
[three terse suggestions for how to stop the worm omitted here]
Hope this helps, but more, I hope it is a hoax.
However, because the Internet was already clogged with copies of his worm or because
computers were disconnected from the Internet to avoid infection by the Morris Worm, the
message did not arrive until after system administrators had devised their own techniques for
removing the worm. Further, the anonymous source, and also the tentative tone (i.e., "possible
virus report", "may be a virus loose", "I hope it is a hoax."), make this message much less helpful
than it could have been. If Morris had really been innocent, he could have faxed the source code
for his worm to system administrators at University of California at Berkeley, MIT, Purdue,
University of Utah, etc. who were trying to decompile the worm and understand it. And Morris
could have given system administrators authoritative suggestions for how to stop his worm.
Morris apparently never personally explained his intentions or motives in designing and
releasing his worm. Some of his defenders have said that Morris did not intend the consequences
of his worm. A Cornell University Report by Ted Eisenberg, et al. at pages 17, 27 and especially
at Appendix 8, [bibliographic citation below], mentions comment lines by Morris in his
15 Oct 1988 source code that say:
Such comments appear as clear indications of criminal intent by Morris. In a 17 Oct 1994
UseNet posting, Prof. Spafford at Purdue, who has also actually seen the worm's source code at
Cornell that was written by Morris (including the comment lines by Morris that are not present in
the decompiled versions), said:
The comments in the original code strongly suggested that Robert intended it to behave
the way it did – no accidents involved.
Morris was the first person to be arrested, tried, and convicted for writing and releasing a
malicious computer program. He was found guilty on 22 Jan 1990 and appealed, but the U.S.
Court of Appeals upheld the trial court's decision. The U.S. Supreme Court refused to hear an
appeal from Morris.
U.S. v. Morris, 928 F.2d 504, 506 (2d Cir. 1991), cert. denied, 502 U.S. 817 (1991).
The Court of Appeals noted that: "Morris released the worm from a computer at the
Massachusetts Institute of Technology [MIT]. MIT was selected to disguise the fact that the
worm came from Morris at Cornell." Id. at 506. The Court of Appeals also noted that the cost of
removing the worm from each installation on the Internet was estimated to be "from $ 200 to
more than $ 53000." Id.
There are no precise figures on the amount of damage that Morris did, but a widely quoted
estimate by Clifford Stoll at Harvard is that the total cost of dealing with the Morris Worm is
somewhere between US$ 10^5 and US$ 10^7.
Despite the severity of this damage, Morris was sentenced in May 1990 to a mere:
In addition to this legal punishment, Cornell University suspended him from the University for
at least one year. When Morris applied for re-admission a few years later, Cornell refused to
accept him. Morris earned his Ph.D. at Harvard University in 1999.
There are a number of technical publications that discuss the Morris worm and its effect on
computers that constituted the Internet:
• Mark Eichin and Jon Rochlis, With Microscope and Tweezers: An Analysis of the
Internet Virus of November 1988, Feb 1989. Available from the MIT website and
published in various places.
• Ted Eisenberg, David Gries, Juris Hartmanis, Don Holcomb, M. Stuart Lynn, and
Thomas Santoro, The Computer Worm, A Report to the Provost of Cornell University on
an Investigation Conducted by The Commission of Preliminary Enquiry, 45 pp.,
6 Feb 1989. Available from the Office of Information Technologies at Cornell
University.
• Bob Page, A Report on the Internet Worm, University of Lowell, 5 pp., 7 Nov 1988.
Available from a website in Canada and also from Purdue.
• Donn Seeley, A Tour of the Worm, Computer Science Department, University of Utah,
18 pp., 1988. Available from Francis Litterio's website.
• Eugene H. Spafford, The Internet Worm Program: An Analysis, Technical Report
CSD-TR-823, Purdue University, 41 pp., 8 Dec 1988. Available from Purdue University.
• Eugene H. Spafford, The Internet Worm Incident, Technical Report CSD-TR-933, Purdue
University, 18 pp., 19 Sep 1991. Available from Purdue University. (I recommend this
report as the best place to start reading about the effect of the worm on the Internet and
ethical issues.)
• The June 1989 issue (Vol. 32, Nr. 6) of Communications of the ACM, a major journal for
professional computer programmers, contains several articles concerning the Morris
Worm.
I have posted the unpublished Judgment of the trial court in U.S. v. Robert Tappan Morris, as
well as the opinion of the appellate court that was published at 928 F.2d. 504.
MBDF Virus
In 1992, four undergraduate students at Cornell University created and released the MBDF virus,
which attacks Apple Macintosh computers. This virus was released in three shareware programs:
David S. Blumenthal wrote the virus and inserted it in the three programs. Blumenthal also
created an anonymous account on a Cornell computer, so that apparently untraceable file
transfers could be made. Mark A. Pilgrim used this anonymous account on 14 Feb 1992 to
upload the three programs to an Internet archive at Stanford University.
The initial victims downloaded the programs from Stanford and infected their computers. As
these victims shared their infected files with other users, they unwittingly spread the virus to
additional victims.
The MBDF virus was a relatively benign program that did not directly harm the victim's data
files. However, this virus could cause harm in three different ways:
1. The virus caused some programs to crash when the user selected an item from the menu
bar.
2. The CIAC reported on 25 February 1992: "When MBDF A infects the system file, it
must re-write the entire system file back to disk; this process may take two or three
minutes. If the user assumes the system has hung, and reboots the Macintosh while this is
occurring, the entire system file will be corrupted and an entire reload of system software
must then be performed."
3. The virus took several seconds to infect each program file on the victim's computer, and,
during those several seconds, the display would freeze. If the victim rebooted the
computer during those several seconds, application files on the computer could become
corrupted.
To recover from such problems, the victim first needed to run anti-virus software to delete the
MBDF virus, then any corrupted files (e.g., either applications software or the operating system
itself) would need to be re-installed. Depending on the skill of the victim in identifying which
files were damaged, the recovery process could take hours or days.
Compared with other malicious programs, the damage from the MBDF virus was relatively
small. The only reason that I mention the MBDF virus in this essay is that it is one of a very few
cases in which the author and distributors of a malicious program were arrested and punished for
their crime.
The MBDF virus was first discovered in the wild by a professor of mathematics in Wales, who
sent it to John Norstad, the author of a now-discontinued anti-virus program for the Macintosh.
Experts in computer security at several universities promptly traced the origin of the MBDF
virus to Cornell University.
Blumenthal and Pilgrim were arrested and put in jail on 24 February, just ten days after the
MBDF virus was first released. They were arraigned in a New York state court on charges of
second-degree computer tampering, a misdemeanor. They each posted $2000 cash bail and were
released from jail. Pilgrim cooperated with the police, told them the details of what had
happened, and incriminated Blumenthal.
As reports of infected computers were received from all over the USA, Japan, Europe, Australia,
and Canada, the district attorney contemplated increasing the charges to a felony, because he
could prove a larger harm than what had initially been apparent.
During grand jury proceedings in June 1992, two other Cornell students were revealed to have
played a role in the distribution of the MBDF virus to various computer bulletin boards. One of
them was granted immunity from criminal prosecution in exchange for his testimony. The other,
who will be identified here by the fictitious name Doe, was indicted along with Blumenthal and
Pilgrim, but Doe later had his record expunged.
On 16 June 1992, a 17-count indictment was issued against Blumenthal, Pilgrim, and Doe. The
indictment included four counts of first-degree computer tampering (a felony), and also seven
counts of attempted computer tampering (a misdemeanor), plus one count of second-degree
attempted computer tampering. In addition, Blumenthal alone was charged with felony counts of
forgery and falsifying business records, for his creation of the anonymous computer account at
Cornell University. I obtained a photocopy of the indictment from the Tompkins County Court
and posted it here.
On 4 September 1992, Blumenthal and Pilgrim each pled guilty to one count of second-degree
computer tampering, a misdemeanor, in exchange for the dismissal of all other charges and
neither prison nor fines. On 5 October 1992, Blumenthal and Pilgrim were each sentenced to:
• pay restitution (a total of $ 6000 to Cornell University, $ 1300 to a victim in New York
City, and $ 65 to a victim in California);
• each would provide 520 hours of community service, which they fulfilled by writing
software for a handicapped person in Tennessee;
• forfeit their personal computers; and
• be on probation.
The court clerk has informed me that there is no written Judgment filed for either Blumenthal or
Pilgrim. Doe pled guilty to disorderly conduct and later had his record expunged, so there is no
record of Doe's sentence.
Additionally, each of the four students was either expelled or suspended from Cornell University
for at least one year.
Cornell University, whose reputation had been besmirched by the Morris Worm in
November 1988, found itself in 1992 portrayed by journalists as a breeding ground for malicious
computer programs. University administrators must be ready to deal with both the legal and
public relations aspects of arrests of students for creating malicious computer programs.
The best source of information that I have found on the obscure MBDF virus case is the archives
of The Post-Standard newspaper in Syracuse, NY.
Pathogen Virus
In April 1994, the Pathogen computer virus was released in the United Kingdom, by uploading
an infected file to a computer bulletin board, where victims could download a copy of the file.
The Pathogen virus counted the number of executable (e.g., *.EXE and *.COM) files that it
infected. When the virus had infected 32 files, and an infected file was executed between 17:00
and 18:00 on a Monday:
The Pathogen virus contained a second virus, Smeg, which hid Pathogen from anti-virus
software.
What makes the Pathogen virus worth including here is that its author is one of the very few
authors of malicious computer programs who were arrested and convicted.
Pathogen Perpetrator
The author of Pathogen was Christopher Pile (aka "Black Baron") a 26-year-old unemployed
computer programmer who lived in Devon, United Kingdom. At his trial on 26 May 1995, Pile
pled guilty to:
These charges were the result of his development and release of the Pathogen and Queeg viruses
(both also containing the Smeg virus) in 1993 and continuing up to April 1994.
The prosecutor claimed that one unnamed victim had suffered damage in the amount of a half a
million pounds (approximately US$ 800,000) from Pile's viruses.
On 15 November 1995, a judge sentenced Pile to 18 months in prison. The judge declared:
"Those who seek to wreak mindless havoc on one of the vital tools of our age cannot expect
lenient treatment."
Pile's punishment was more severe than other criminals who have written and released malicious
programs. Other viruses and worms have been much more widespread, and caused much more
damage, but their authors have generally been able to avoid prison (e.g., Morris and de Wit) or
received a sentence not much longer than Pile's (e.g., the author of the Melissa virus spent
20 months in prison, despite having done at least a hundred times more damage than Pile).
Melissa Virus
The Melissa virus was released on 26 March 1999 and was designed to infect macros in
wordprocessing documents used by the Microsoft Word 97 and Word 2000 programs. Macro
viruses were not new; they had been known since 1995.
The innovative feature of the Melissa virus was that it propagated by e-mailing itself to the first
fifty addresses in the Microsoft Outlook e-mail program's address book. This feature allowed the
Melissa virus to propagate faster than any previous virus. The virus arrived at each new victim's
computer disguised as e-mail from someone who they knew, and presumably trusted. (About
11 years earlier, the Christma Worm automatically sent itself to everyone in a victim's e-mail
address book on an IBM mainframe computer.)
The Melissa virus propagated in two different ways:
1. On PCs running the Microsoft Outlook 97 or 98 e-mail program, the Melissa virus used
the Outlook program to send an e-mail containing an attachment, with a filename like
list.doc. This file contained a Microsoft Word document with a macro, and a copy of
the Melissa virus was inside the macro.
When this e-mail was received by someone who had Microsoft Word on his/her
computer (even if their computer was an Apple Macintosh), and the recipient clicked on
the attachment, the document would open and the Melissa virus would automatically
infect Word's normal.dot template file, thus infecting the recipient's computer.
While Microsoft Outlook was necessary for the automatic sending of infected documents,
the recipient of such e-mail could be infected even if the recipient used a non-Microsoft
e-mail program.
2. Infected Microsoft Word documents could be transmitted by floppy disks, ordinary e-mail
sent by the victim, etc. When such infected documents were opened in Microsoft Word, the
Melissa virus would automatically infect Word's normal.dot template file, thus infecting
the recipient's computer.
Many documents about the Melissa virus claim this virus was "relatively harmless" or "benign".
That claim is not true. There were a number of distinctly different harms caused by Melissa:
• Documents in Microsoft Word format were automatically sent, using Microsoft Outlook,
to fifty people by the Melissa virus. Such automatic transmission could release
confidential information from the victim's computer.
• When the day number equals the number of minutes in the current time (e.g., at 11:06 on
the 6th day of the month), the Melissa virus inserted the following text in whatever
document was then being edited in Word on the victim's computer:
Such an insertion was a deliberate modification of data files on the victim's hard drive, an
unauthorized tampering with the victim's document files.
• Future victims were most commonly infected by opening an attachment in an e-mail from
someone who they knew, and presumably trusted. Until the workings of the Melissa virus
were understood by all the victims, trusted relationships between people could be harmed
by this unauthorized sending of e-mail.
• As with any rapidly propagating virus or worm, e-mail can be delayed, which sometimes
has economic consequences (e.g., lost productivity).
• And, as with all viruses and worms, there was the cost of removing the infection and
restoring the computer to normal.
The fact that the Melissa virus could have been more destructive (e.g., by deleting data files from
the victim's computer) is hardly praise for the author of the Melissa virus.
Finally, using an Apple Macintosh gives one immunity from most computer viruses and worms.
However, Apple computer users who also use Microsoft Word 97 or later are vulnerable to the
same macro viruses that plague Word users on Microsoft Windows 95 or later. However, the
Melissa virus can not automatically transmit itself by e-mail from a computer that uses the
Macintosh operating system.
Melissa Perpetrator
The Melissa virus was written by David Lee Smith and first released on 26 March 1999 as an
attachment to his posting to an alt.sex newsgroup. That posting said the attachment contained a
list of passwords for pornographic websites, but the attachment actually contained his virus.
Smith named his virus "Melissa" after a topless dancer in Florida, who Smith knew.
It is obvious that Smith knew what he was doing was wrong, because he used a stolen AOL
account and password to make the initial release to the alt.sex newsgroup. Before his arrest,
Smith discarded the hard drives that were used to create his virus at his home in New Jersey,
then he hid at his brother's house, where David Lee Smith was arrested.
Smith was arrested on 1 April 1999. The CNN news report shows the police mugshot of Smith,
with a smirking expression. He was charged in federal court with violations of 18 USC § 1030(a)
(5)(A) and in New Jersey state court with violations of NJSA 2C:20-25(a) and 2C:20-26(a).
Smith was fired from his job doing computer programming at AT&T. He subsequently
worked as a computer technician at Rutgers University after his arrest. (Rutgers did not know
that Smith had been arrested for this crime.) Smith voluntarily quit his job at Rutgers six days
before he pled guilty.
On 9 Dec 1999, Smith pled guilty in federal court. The plea agreement between prosecutors and
Smith had the following features:
• Smith would cooperate with authorities in thwarting other creators of malicious computer
programs.
• It would be stipulated that the Melissa virus did "more than eighty million dollars of
damage". (The actual amount was much, much higher – one estimate was
US$ 1100 million. However, the stipulation became a "fact" accepted in court for the
purposes of determining Smith's sentence.)
• Any state and federal prison sentences would run concurrently, and end at the same time.
On 1 May 2002, a judge in federal court imposed the following sentence on Smith:
Apparently, the 29-month interval between Smith's guilty plea and his sentencing (an unusually
long interval) was the result of his cooperation with authorities in investigating other malicious
computer programs. The authorities did not reveal any details of the cooperation, so it is not
possible to know what the government got in exchange for more than halving Smith's prison
sentence.
On 3 May 2002, a judge in New Jersey state court imposed the following sentence on Smith:
• the maximum allowable sentence of ten years in state prison. However, because of his
plea agreement, Smith would serve only the 20 months in federal prison and then be a
free man.
• fined US$ 2500.
• Information filed by the U.S. Attorney for the District of New Jersey, charging David Lee
Smith with violation of 18 USC § 1030(a)(5)(A).
• Letter of 8 Dec 1999 from the U.S. Attorney for New Jersey to the attorney representing
David Smith, offering a plea agreement.
• U.S. Attorney's 1 May 2002 press release about Smith's sentence. Another copy is at the
DoJ website.
weak punishment
If one accepts the legal stipulation that the Melissa virus did US$ 8 × 10^7 in damage, and one
considers Smith in prison to lose 16 hours/day of freedom (who cares where he sleeps for
8 hours/day?) for 20 months, then the effective value of Smith's time in prison is US$ 8330/hour.
That is a ridiculously high value for Smith's time.
The prosecutors ignored that Smith's virus fraudulently sent e-mails from each victim's computer
to new victims who were in previous victim's e-mail address book. The new victims opened the
attachment in e-mail apparently from someone who they knew, and presumably trusted, and
were infected with a copy of Smith's virus. I believe society should express outrage at this kind
of fraud.
ILOVEYOU Worm
The ILOVEYOU worm was first reported in Hong Kong on 4 May 2000 and spread westward on
that day. The ILOVEYOU worm affected computers at more than half of the companies in the
USA and more than 10^5 mail servers in Europe. Internal e-mail systems at both the U.S. Senate
and Britain's House of Commons were shut down. It was estimated that the ILOVEYOU worm
did more damage than any other malicious program in the history of computing: approximately
US$ 9 × 10^9. On 4 May 2000, MessageLabs filtered ILOVEYOU from one in every 28 e-mails,
the all-time highest daily infection rate seen by MessageLabs.
The ILOVEYOU incident was commonly reported as a virus in the news media, but it was
actually a worm, because this malicious program did not infect other programs. I call this worm
by the subject line of e-mail that propagated this worm. Norton Anti-Virus calls it
VBS.Loveletter.A.
The ILOVEYOU worm arrived at the victim's computer in the form of e-mail with the
ILOVEYOU subject line and an attachment. The e-mail itself was innocuous, but when the user
clicked on the attachment to read the alleged love letter, LOVE-LETTER-FOR-YOU.TXT.VBS, the
attachment was a Visual Basic program that performed a horrible sequence of bad things:
The worm overwrote a copy of itself to a file with the name of the original file,
appending the extension *.VBS, so the total number of files on the victim's hard disk
would be unchanged and the damage more difficult to immediately detect. Further, if a
victim clicked on one of these files, the ILOVEYOU worm would be activated again on
that one victim.
By overwriting files, instead of merely deleting files, the worm made it much more
difficult (perhaps impossible) to recover the original file on the victim's hard drive.
For example, if the worm had merely deleted files, then the victim could restore the files
from the Recycle Bin or Trash Can.
In addition, the worm marked files of type *.MP3 as hidden, so they would no longer
appear in directory listings, then copied the worm to new files *.MP3.VBS.
2. password theft
The attachment LOVE-LETTER-FOR-YOU.TXT.VBS automatically set the Microsoft
Internet Explorer start page to a URL at a web server in the Philippines, which would
download WIN-BUGSFIX.EXE to the victim's machine.
The worm then set the victim's machine to run WIN-BUGSFIX.EXE the next time the
victim's machine was booted.
WIN-BUGSFIX.EXE was a Trojan Horse program that collected usernames and passwords
from the victim's hard drive and e-mailed them to an address in the Philippines,
mailme@super.net.ph. (That was a really stupid feature, since law enforcement agents, within
12 hours of the initial release of the worm, identified the person who owned that e-mail address.)
Furthermore, there was a copyright notice in the Trojan Horse's code!
An Internet Service Provider in Europe alerted the web server in the Philippines at
08:30 GMT on Thursday, 4 May 2000, and WIN-BUGSFIX.EXE was removed from the
website, which prevented most of the harm in Europe and the USA from this password-
collecting program. Later, the web server in the Philippines was overwhelmed (i.e., a
kind of a denial of service attack) with requests from the worm for WIN-BUGSFIX.EXE.
This Trojan Horse program had been previously submitted as a thesis proposal at a
computer college in the Philippines. The proposal was rejected with handwritten
comments "This is illegal." and "We don't produce burglars." The student then dropped
out of the college without earning a degree. A copy of the student's rejected thesis
proposal is posted at Richard M. Smith's website.
3. worm propagates
The worm transmitted itself using features of the earlier Melissa program: scanning the
address book in Microsoft Outlook, then transmitting a copy of the ILOVEYOU e-
mail to all of those e-mail addresses. This method of transmission rapidly disseminated
the worm to millions of victims. In comparison, Melissa sent copies to only the first
50 entries in the Microsoft Outlook address book, while ILOVEYOU sent copies to every
address in that victim's address book.
The worm also sent copies to other people on the same Internet Relay Chat channel that
the victim was using.
The first copycat version appeared on Thursday afternoon with a subject line fwd:joke and an
attachment veryfunny.vbs.
Another copycat version appeared on Sunday with a subject line Dangerous Virus Warning
and an attachment virus_warning.jpg.vbs. Anyone who clicked on the attachment to read the
warning would activate the worm on their machine and become a victim. The deception in this
subject and e-mail message may be particularly horrifying to a naive person, but one must not
expect computer criminals to be honest and sincere. It's a sad fact of life that people without a
healthy amount of skepticism and cynicism will become victims of crimes.
Just five days after the initial release of the ILOVEYOU worm, Norton AntiVirus had identified
29 different versions of the worm. It takes minimal skill to slightly modify a version of a worm
and release the new version, which is one reason there are so many copycat versions. Some of
the copycat versions were more destructive than the original, as these copycat versions overwrote
files of types *.COM, *.EXE, and *.INI, which destroyed the user's operating system.
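A defender-side check that follows from the attachment names the essay records (LOVE-LETTER-FOR-YOU.TXT.VBS, veryfunny.vbs, virus_warning.jpg.vbs, and the *.MP3.VBS copies): this added Python, which is not from the essay, flags attachments whose real final extension is a script or executable type and separately notes when a decoy data-file extension sits in front of it. The extension lists and the sample filenames are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Extensions that Windows Script Host or the shell executes on double-click.
# Constructed for this example; a real gateway tunes this list to its policy.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "com",
                     "bat", "cmd", "scr", "pif"}

# Extensions a recipient reads as inert data. A script hiding behind one of
# these is the ILOVEYOU pattern (.TXT.VBS, .jpg.vbs, .MP3.VBS).
DECOY_EXTENSIONS = {"txt", "jpg", "jpeg", "gif", "png", "doc", "pdf", "mp3", "zip"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    executable: bool
    decoy: Optional[str]   # decoy extension in front of the script extension, if any
    reason: str


def inspect_attachment(filename: str) -> Verdict:
    """Classify one attachment name by its real final extension.

    Windows Explorer hides known extensions by default, so a recipient sees
    'LOVE-LETTER-FOR-YOU.TXT.VBS' displayed as 'LOVE-LETTER-FOR-YOU.TXT'; the
    check therefore never trusts the displayed name and always looks at the
    last dotted component."""
    pieces = filename.strip().lower().split(".")
    if len(pieces) < 2 or not pieces[-1]:
        return Verdict(filename, False, None, "no extension")
    final = pieces[-1]
    if final not in SCRIPT_EXTENSIONS:
        return Verdict(filename, False, None, f".{final} is not an executable type")
    # Only treat the preceding component as a decoy when it is a data extension;
    # 'veryfunny.vbs' is executable but not disguised.
    decoy = pieces[-2] if len(pieces) >= 3 and pieces[-2] in DECOY_EXTENSIONS else None
    if decoy:
        return Verdict(filename, True, decoy, f"script .{final} disguised as .{decoy}")
    return Verdict(filename, True, None, f"script attachment .{final}")


def quarantine_list(filenames: List[str]) -> List[str]:
    """Names a mail gateway would hold for review: every executable attachment,
    whether or not it carries a decoy extension."""
    return [v.filename for v in map(inspect_attachment, filenames) if v.executable]


if __name__ == "__main__":
    # Constructed sample: names from the essay plus a Melissa-style .doc and a
    # file with no extension.
    SAMPLE = [
        "LOVE-LETTER-FOR-YOU.TXT.VBS",
        "veryfunny.vbs",
        "virus_warning.jpg.vbs",
        "holiday.mp3.vbs",
        "list.doc",
        "README",
    ]
    for name in SAMPLE:
        v = inspect_attachment(name)
        print(f"{name:30s} executable={str(v.executable):5s} decoy={v.decoy} ({v.reason})")
    print("hold for review:", quarantine_list(SAMPLE))
```

Macro-bearing documents such as Melissa's list.doc pass this check unflagged; they need a separate macro control, which this example does not attempt.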
ILOVEYOU Perpetrator
Police in the Philippines knew the name and location of the suspect within 12 hours of the initial
release of the worm, but the police were hampered by the lack of laws there for computer crimes.
The closest relevant Philippine law was designed to cover credit card or bank account fraud, but
was broad enough to cover unauthorized taking of goods and services. However, the police were
not able to find sufficient evidence for prosecutors to apply this fraud statute. On 7 June 2000,
police and prosecutors in the Philippines closed their investigation of the ILOVEYOU worm,
because the creation and release of this worm was not a crime in the Philippines. On
21 August 2000, prosecutors dropped all charges against the people who apparently designed and
released the ILOVEYOU worm.
Partly as a result of inadequate law in the Philippines, just five days after the initial release of the
virus there was active discussion of extraditing the suspect to a developed country where harm
occurred and where the laws were adequate to punish the perpetrator. However, extradition laws
only allow extradition in cases where the offense was a crime in both the suspect's home country
and in the country to which extradition is sought, so extradition from the Philippines was not
possible.
This example shows the international nature of computer crime: a criminal in one country can
rapidly cause havoc all over the world, using the international reach of the Internet. In contrast, a
criminal who physically moves from one country to the next would need to pass through
immigration and customs controls at each border, as well as become subject to personal
jurisdiction in each country.
On 11 May 2000, one week after the initial release of the worm, the author's attorney said that
his client did not realize how rapidly the worm would propagate. Sorry, that's not plausible; see
my remarks above.
One week after the initial release of the worm, the author's attorney said that the worm had been
"accidentally" released. This excuse is too easy. There is no acceptable reason to create such
malicious software: remember that the program overwrote files on the victim's disk drive, the
overwriting had absolutely no benefit to the author of the program, except for glee at hurting
other people. There is no rational reason to write a program that one intends never to use. And, if
one writes such a destructive program, then one must use extraordinary care (i.e., the same care
that one takes with toxic chemicals, explosives, highly radioactive materials, etc.) to make
certain that the program is never released. Society ought to demand that those who release
malicious programs, even if the release is an "accident", be held legally responsible for the
damage caused by the malicious programs.
The author of the password-stealing Trojan Horse had attempted to justify his program because
Internet access in the Philippines was expensive (e.g., US$ 2.50/hour with no "unlimited use"
plans available), therefore he sought to use victim's accounts for free. This is simply theft of
services.
Anna Worm
On 11 Feb 2001, a malicious program was released that was contained in an attachment to e-
mail. The attachment purported to be a picture of a 19-year-old Russian tennis player, Anna
Kournikova, but the attachment was actually a computer worm. The attachment had the file
name AnnaKournikova.jpg.vbs
The file type .jpg is commonly used for graphic images, such as photographs. However, the real
file type was .vbs, which is an executable file, a computer program written in Microsoft Visual
Basic Script and run by the Windows Script Host. Because Windows Explorer by default hides the
extension of known file types, such a name could be displayed to the victim simply as
AnnaKournikova.jpg.
This malicious program is often known by the last name of the innocent tennis player. I have
chosen to refer to this malicious program by her first name, Anna, to avoid associating the tennis
player with this malicious program. Norton Anti-Virus calls this worm VBS.SST@mm. F-Secure
calls this worm OnTheFly after the pseudonym of its author.
The Anna worm did the following two things on a victim's computer:
• sends one copy of the worm to each e-mail address in the victim's Microsoft Outlook
address book.
• on 26 Jan of each year, it displays the homepage of an innocent computer store on the
victim's web browser.
The Anna worm does not have any novel technical features. I mention the Anna worm here only
because it is one of the very few cases in which the author was arrested and punished.
The Anna worm rapidly spread amongst computers, particularly in North America, on 12-
13 Feb 2001. While the Anna worm was relatively benign (e.g., it did not damage any files on
the victim's computer), it still caused harm by clogging the Internet with many copies of itself
and by requiring each victim to remove it from his/her computer.
Perpetrator of Anna Worm
The author, Jan de Wit, was a 20-year-old man who lived in Friesland in the Netherlands. He
downloaded a tool from the Internet for creating malicious programs and wrote this worm in just
a few hours.
An Internet website purporting to be by the author of the Anna worm said "It's their own fault
they got infected." (See, for example wired.com and cnet.com.) I have two comments:
1. It is true that the victim was infected when he/she clicked on the attachment in e-mail that
purported to be a photograph, but was actually a worm. But the author of the Anna worm
ignores the fact that the worm was deceptively, or fraudulently, presented as a
photograph. I would be more willing to accept the author's blame-the-victim statement
about the worm had it arrived in an e-mail that said "Click here to receive a computer
virus." But, of course, no criminal would be so honest.
2. Blaming the victim for the harm caused by a crime is repugnant. Can you imagine
someone accused of homicide saying that he only perpetrated an assault/battery, because
the victim would not have died if the victim had worn a bullet-proof vest. Thus the
homicide is the victim's fault, for recklessly not wearing body armor!
The anti-virus software company F-Secure in Finland identified the author of the Anna worm to
police in the Netherlands.
On 14 Feb 2001, after his worm spread worldwide and caused considerable inconvenience,
Jan de Wit surrendered to police in the Netherlands.
On 27 Sep 2001, a Dutch court sentenced de Wit to a mere 150 hours of community service. This
sentence was light, because prosecutors had difficulty in finding admissible evidence about the
cost of removing the Anna worm from computers. Businesses were reluctant to admit that their
computers were infected with a worm.
CodeRed
The initial CodeRed worm was discovered on 16 July 2001. CodeRed targeted webservers, not
computers of users. This worm was propagated as an http get request, i.e. a request to get a
webpage from a server. If the server was running Microsoft IIS on Windows NT 4.0 or
Windows 2000, a buffer overflow in the Indexing Service ISAPI extension (idq.dll, reached
through a request for a file with the extension .ida) allowed the worm to infect that server.
Microsoft had published a patch for this defect (Security Bulletin MS01-033) about a month
before the worm appeared.
An interesting feature of CodeRed is that it does not reside in any file on the hard disk, but only
exists in semiconductor memory (RAM): this feature allows CodeRed to escape detection by a
scan of the hard disk with anti-virus software. Switching the infected computer off, then on, will
remove the infection, but webservers normally run continually (i.e., 24 hours/day, 7 days/week),
unlike computers in homes and offices that may be rebooted daily.
The CodeRed worm did different things depending on the day of the month. Most versions of
CodeRed used the following schedule:
1. During the first 19 days of each month, the CodeRed worm sent out many http get
requests to random IP addresses (i.e., websites and Internet users), seeking webservers to
infect. This feature of CodeRed is essentially a port probe, looking for webservers
running IIS on Windows NT 4.0 or Windows 2000. The large number of
bogus requests from CodeRed could mimic a denial-of-service attack on a webserver.
2. On days 20 through 27 of each month, CodeRed stopped probing and instead flooded a
single fixed IP address, the one then used by www.whitehouse.gov, with connection
attempts: a denial-of-service attack. Because the target address was hard-coded in the
worm, the attack was defeated simply by moving the website to a different address.
3. After the 28th day of the month, CodeRed goes into a sleep state until the next month,
although the server is still infected.
4. Under certain circumstances, one early version of CodeRed running on a webserver that
uses the English language will intercept requests for a webpage and return its own HTML
code, a page reading "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!"
After 10 hours, CodeRed again returns the proper requested webpage. The temporary
unavailability of some webpages will cause concern to webmasters, then the problem will
"magically" disappear, frustrating operators of webservers who are trying to find the
problem.
A CERT advisory showed that CodeRed infected 2.0 × 10^5 (200,000) computers in just five hours on
19 July 2001, which was a rapid rate of infection and a good example of the geometric series
mentioned earlier in this essay. CERT said that "at least 280000 hosts were compromised in the
first wave" of attacks on 19 July 2001.
CodeRed II
A new version of CodeRed appeared on 4 August 2001, called CodeRed II. The important new
feature of CodeRed II is the installation of a Trojan Horse program, which creates a backdoor
into the infected webserver. After this backdoor is installed, any web surfer can send commands
by using any web browser. Such commands could, for example, delete files from the webserver,
or upload new files to the webserver. The Trojan Horse also disables the system file checker
function in Windows, so that the modified operating system files can not be detected.
Whoever wrote CodeRed II apparently singled out the Chinese: the worm checks the system
language, and on servers using Chinese it runs twice as many propagation threads (600 rather
than 300) and keeps propagating for twice as long (48 hours rather than 24).
Perpetrator of CodeRed
To the best of my knowledge, the author of the CodeRed worm was never identified, so there can
be no legal consequences for him.
Sircam
The initial Sircam worm was discovered on 17 July 2001, about the same time as CodeRed first
appeared.
The worm arrived at a victim's computer in e-mail with the following text:
Hi! How are you?
[second line: one of four choices below]
See you later. Thanks
There are four different versions of the second line of the e-mail text:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that i sendo you
This is the file with the information that you ask for
Clicking on the attached file infects the victim with the Sircam worm.
Note: the text of e-mail containing malicious programs often contains ungrammatical text,
punctuation errors (e.g., the missing periods in Sircam's text), or misspelled words, often
because the author is a non-native speaker of English. Such mistakes in English text in an
e-mail apparently from an English-speaking country should alert the reader to the possibility of
e-mail from a forged address.
Once running, the Sircam worm does the following on the victim's computer:
• on computers using the day/month/year date format and when the date is 16 October,
there is a 5% chance that Sircam will delete all files and delete all directories on the C:
hard disk drive.
• Sircam automatically sends copies of itself with the victim's e-mail address as the From:
address. If Sircam can not find the victim's e-mail address, then Sircam will forge a
From: address from the current username and one of four mail servers
(e.g., @prodigy.net.mx).
The To: addresses are harvested from the Windows Address Book and also from e-mail
addresses found in the web browser cache files.
The e-mail has one attachment which contains a copy of the Sircam worm followed by
the contents of a file with file type .doc or .zip from the My Documents folder on the
victim's computer. This document could contain the victim's confidential information,
which is then sent to numerous addresses.
The name of the attachment had a double file extension, which, like Melissa and Anna
above, is symptomatic of a malicious attachment. The filename and first extension of the
attachment were identical to the copied file from the victim's machine; Sircam then added
a second file extension, either .com, .bat, .exe, .pif, or .lnk, which made the
attachment an executable file type.
• Sircam uses its own internal mail program, so that copies of outgoing e-mail do not
appear in the user's e-mail program's out-box. Thus the user does not know his/her
computer is mailing copies of the Sircam worm to other people.
• The Sircam worm has a length of 137216 bytes. The additional space required by the
document from the victim's computer makes the attachment even larger, perhaps more
than 200000 bytes, which is larger than most webpages and most e-mail messages. This
large file size helps Sircam clog the Internet.
Several anti-virus websites note that there is a bug in the Sircam worm that makes it "highly
unlikely" that the disk-space-filling and file-deleting will occur. However, the author of Sircam
apparently intended those harms to occur.
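The double-extension disguise used by Anna (AnnaKournikova.jpg.vbs) and Sircam (a copied document name with .pif, .exe, .com, .bat or .lnk appended) is easy to check for mechanically at a mail gateway. The following Python code is an added example, not part of the original essay or of any anti-virus product. The sets of executable and data extensions are assumptions for illustration (the essay itself names only .vbs, .com, .bat, .exe, .pif and .lnk), and the sample filenames are constructed. It goes slightly beyond the cases in the text by also catching the related trick of padding the name with spaces so that the real extension scrolls out of view in the mail client.

```python
from dataclasses import dataclass

# Final extensions that Windows treats as a program or a launcher when the user
# double-clicks the attachment. The essay names .vbs (Anna) and .com, .bat,
# .exe, .pif and .lnk (Sircam); .scr, .js and .wsf are added here as assumptions.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "pif", "lnk", "vbs", "scr", "js", "wsf"}

# Extensions a recipient expects to be harmless data. One of these sitting
# immediately before an executable extension is the double-extension disguise.
DATA_EXTENSIONS = {"jpg", "jpeg", "gif", "bmp", "doc", "xls", "txt", "zip", "pdf", "rtf", "mp3"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    suspicious: bool
    reason: str


def classify_attachment(filename: str) -> Verdict:
    """Return a Verdict for one attachment filename.

    The decision is made on the real (last) extension, not on whatever a
    client configured to hide extensions of known file types would display.
    Each dot-separated part is stripped so that padding with spaces, e.g.
    "photo.jpg      .exe", does not hide the executable extension.
    """
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return Verdict(filename, False, "no extension")
    last = parts[-1]
    if last not in EXECUTABLE_EXTENSIONS:
        return Verdict(filename, False, f"final extension .{last} is not executable")
    if len(parts) >= 3 and parts[-2] in DATA_EXTENSIONS:
        return Verdict(filename, True,
                       f"data extension .{parts[-2]} placed before executable .{last}")
    return Verdict(filename, True, f"executable attachment (.{last})")


def suspicious_attachments(filenames):
    """Filter attachment names down to the ones a gateway should quarantine."""
    return [v for v in map(classify_attachment, filenames) if v.suspicious]


if __name__ == "__main__":
    # Constructed sample names; the first two mirror the Anna and Sircam patterns.
    sample = ["AnnaKournikova.jpg.vbs", "Budget2001.doc.pif", "photo.jpg      .exe",
              "minutes.doc", "holiday.zip", "notes"]
    for v in suspicious_attachments(sample):
        print(f"{v.filename!r}: {v.reason}")
```

A plain executable attachment is flagged as well as a disguised one; the reason string only records which of the two tricks was seen, so the caller can treat the disguised case as the stronger signal.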
Perpetrator of SirCam
To the best of my knowledge, the author of the SirCam worm was never identified, so there can
be no legal consequences for him. A copyright notice in the Sircam code says that this worm was
made in Mexico, but I have seen no confirmation that this statement is correct.
The anti-virus software vendor Trend Micro reported on 10 May 2002 that a total of 1.0 × 10^6
(one million) computers worldwide had been infected with Sircam. The anti-virus software vendors
Sophos and Computer Associates both reported SirCam as the second most prevalent malicious program
infecting computers in the year 2001: SirCam accounted for 20% of the reports to Sophos in
2001. On 17 May 2002, MessageLabs reported SirCam as the all-time most prevalent malicious
program in e-mail.
Nimda
The Nimda worm was discovered on 18 September 2001 and it spread rapidly on the Internet.
1. Nimda could infect a computer when the user read or previewed an e-mail that contained
a copy of Nimda. With the earlier viruses and worms transmitted by e-mail that are described
in this essay, the user would need to click on an attachment to infect the user's computer.
2. Nimda could modify webpages on a webserver, so that accessing those webpages could
download a copy of Nimda to the browser's computer.
These two novel features represented a significant "advance" in ability to harm victims.
The first novel feature of Nimda exploited a defect in Microsoft Internet Explorer 5.01 and 5.5,
the MIME-header handling flaw described in Microsoft Security Bulletin MS01-020.
A patch that repairs this defect had been available from the Microsoft website since
29 March 2001, but most computer users do not bother to install the latest updates. Why did a
defect in a web browser cause a vulnerability to worms sent by e-mail? Most modern e-mail is
sent in HTML format, the same format used by webpages, and e-mail software (e.g., Microsoft
Outlook) uses Internet Explorer web browser to display such e-mail. This vulnerability could be
avoided by (1) selecting either Netscape Navigator or Opera as the default browser and (2) using
a non-Microsoft e-mail program, such as Eudora.
1. Like the CodeRed worm, every copy of Nimda generates many random IP addresses to
target http get requests, i.e. a request to get a webpage from a server. If the server was
running Microsoft IIS on Windows NT 4.0 or Windows 2000, Nimda tried known directory-traversal
defects in IIS (requesting cmd.exe through encoded "..\" sequences in the URL) and also the
root.exe backdoor left behind by CodeRed II; either one let the worm run commands on that server.
The name of the Nimda worm is a reversal of the computer term admin (administrator),
which designates a user with the privilege of modifying system files. On an infected Windows
machine, Nimda enabled the Guest account, added it to the Administrators group and shared the
local drives, so the worm effectively acted as an administrator.
2. Once a webserver was infected by Nimda, the worm wrote a copy of itself named readme.eml
into web directories and appended a small amount of Javascript code to webpages on that
server with filenames:
index, default, or readme
and extensions:
.html, .htm, or .asp.
The added script opened readme.eml in a browser window positioned off-screen.
Depending on the settings on the user's computer regarding Javascript, when the user
accessed one of these altered webpages, the user's web browser might:
o automatically download readme.eml and execute the Nimda worm, thus infecting
the user's computer,
o display a prompt to ask whether the user wanted to download the file
readme.eml, or
o automatically refuse to download the file.
3. Once every ten days, Nimda searches the hard drive of an infected computer to harvest e-
mail addresses from the following sources:
o in-boxes for the user's e-mail program (e.g., Microsoft Outlook)
o *.HTML and *.HTM files in the user's web browser cache (also called the
Temporary Internet Files folder).
After harvesting e-mail addresses, Nimda selects one of these addresses as the From:
address and the remainder as To: addresses, and sends copies of Nimda in an apparently
blank e-mail.
Note that the infected computer is not used as the From: address, so there is no easy way
for the recipient of e-mail to determine whose computer sent the copy of Nimda.
Nimda (like Sircam) uses its own internal mail program, so that copies of outgoing e-mail
do not appear in the user's e-mail program's out-box. Thus the user does not know his/her
computer is mailing copies of the Nimda worm to other people.
As mentioned above, Nimda can infect the recipient's machine when the recipient either
reads or previews the e-mail, without needing to click on an attachment.
4. Nimda adds a copy of itself to the beginning of *.EXE files. Such executable files are
sometimes transferred to other computers, which will spread the Nimda infection.
The Nimda worm has a length of 57344 bytes, which makes it a relatively large file compared to
many webpages and e-mail messages. This large file size helps Nimda clog the Internet.
I noticed CodeRed and Nimda at my professional website, where, up to 10 May 2002, there were
11238 requests for Windows NT operating system files, particularly cmd.exe. (These files do not
exist on the server that hosts my website, as that server runs the Unix operating system.) The
webhosting service that I use reported on 18 Sep 2001 that they were receiving approximately
8000 hits/second requesting cmd.exe. Such a high rate of requests approximates a denial-of-
service attack on a webserver.
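Requests for cmd.exe and default.ida in a webserver's log, like the ones described above, are the observable trace of an infected machine somewhere else on the Internet, and the source address of each probe identifies that infected machine. The following Python code is an added example, not part of the original essay: it classifies common-log-format lines by the CodeRed and Nimda request patterns this section describes, tallies them per source host, and separately checks an HTML page for the Javascript that Nimda appended to index, default and readme pages. The log lines and the infected page are constructed samples modelled on the probe requests published in CERT advisories at the time; the exact signature set is an assumption for illustration.

```python
import re
from collections import Counter

# Request-path fragments characteristic of the probes described in the text.
# /default.ida is the CodeRed entry point (the Indexing Service ISAPI
# extension); Nimda asked for cmd.exe through directory traversal and for
# root.exe, the copy of the command shell left behind by the CodeRed II
# backdoor. Treat this set as an assumption, not a complete signature list.
PROBE_SIGNATURES = {
    "codered": re.compile(r"/default\.ida\?", re.IGNORECASE),
    "nimda": re.compile(r"/(cmd|root)\.exe", re.IGNORECASE),
}

# Apache/NCSA common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines; the hosts and timestamps are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:10:01:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 283
192.0.2.11 - - [18/Sep/2001:13:44:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.11 - - [18/Sep/2001:13:44:10 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.12 - - [18/Sep/2001:13:44:11 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.12 - - [18/Sep/2001:13:44:12 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [18/Sep/2001:13:45:00 -0400] "GET /index.html HTTP/1.1" 200 1043
"""


def classify_request(line):
    """Return (worm_name, client_host) if the log line is a known probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for name, pattern in PROBE_SIGNATURES.items():
        if pattern.search(m.group("request")):
            return name, m.group("host")
    return None


def summarize_probes(lines):
    """Count probes per worm and collect the source hosts, which are the infected machines."""
    counts = Counter()
    sources = {}
    for line in lines:
        hit = classify_request(line)
        if hit is None:
            continue
        name, host = hit
        counts[name] += 1
        sources.setdefault(name, set()).add(host)
    return counts, sources


# The script Nimda appended to web pages opened readme.eml, a copy of the
# worm, in a window placed off-screen. The pattern below matches that call.
INJECTED_SCRIPT_RE = re.compile(
    r'<script[^>]*>\s*window\.open\(\s*"readme\.eml"', re.IGNORECASE
)

# Constructed sample of a defaced page: a normal document with the script appended.
SAMPLE_INFECTED_PAGE = (
    "<html><body><h1>Welcome</h1></body></html>"
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>'
)


def page_carries_nimda_script(html):
    """True if the page content contains the Nimda-style readme.eml launcher."""
    return INJECTED_SCRIPT_RE.search(html) is not None


if __name__ == "__main__":
    counts, sources = summarize_probes(SAMPLE_LOG.splitlines())
    for name, n in counts.items():
        print(f"{name}: {n} probes from {sorted(sources[name])}")
    print("sample page infected:", page_carries_nimda_script(SAMPLE_INFECTED_PAGE))
```

Every source host in the summary is itself an infected webserver, which is how many administrators in 2001 learned of their own infection: from complaints by the operators of the machines their server was probing. The 404 status on the probes shows a non-IIS server ignoring them, as the author's Unix host did; on an unpatched IIS server the same requests would have returned 200.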
Perpetrator of Nimda
To the best of my knowledge, the author of the Nimda worm was never identified, so there can
be no legal consequences for him. The code for the Nimda contains a copyright notice stating
that it originated in communist China, but I have seen no confirmation that this statement is
correct.
The anti-virus software vendor Trend Micro reported on 14 May 2002 that a total of 1.2 × 10^6
computers worldwide had been infected with Nimda. The anti-virus software vendor Sophos
reported Nimda as the most prevalent malicious program in the year 2001: Nimda accounted for
27% of the reports to Sophos.
BadTrans.B worm
The BadTrans.B worm was discovered on 24 Nov 2001. There was an epidemic from late
November 2001 through early January 2002. On a victim's computer, BadTrans.B:
• installs a Trojan Horse program to record the victim's keystrokes that are typed into any
window with a title that begins PAS[sword], LOG[on], or four similar words that indicate
an attempt to logon to some service. This program later e-mailed the collected keystrokes
(e.g., including username and password) to an e-mail address specified in the Trojan
Horse.
• finds yet unread e-mail in Microsoft Outlook on the victim's machine and replies to those
unread e-mails with a copy of the BadTrans worm in an attachment to the reply. This
novel feature of the BadTrans worm increased the chances of propagation, since the
recipient was expecting a reply from the victim.
The From: address will be the victim's e-mail address if the worm can find that
information in the victim's computer, otherwise the From: address will be chosen from a
list of 15 addresses, mostly with female names, contained in the worm. These
15 addresses connected to real people, who were selected by the author of the BadTrans
worm. One of them, Joanna Castillo, posted a webpage about her experience. Also, the
now-defunct Newsbytes website had an article about the "e-mail hell" experienced by
Castillo and one other victim of the forged From: addresses.
Before sending copies with the victim's From: address, the worm adds the underline
character (i.e., _) to the beginning of that From: e-mail address. Such an additional
character will prevent warnings from the recipient from reaching the victim. Also, any
returned copies of the worm (e.g., because the worm replied to spam that had an invalid,
forged address) will not reach the victim and inform him/her of the unauthorized sending
from his/her computer.
Some variants of the BadTrans worm also sent copies of the worm to e-mail addresses
found in previously read e-mail in the victim's inbox or to addresses contained in files of
types *.htm, *.html, and *.asp in documents downloaded from the Internet.
• exploits a defect in Microsoft Internet Explorer that allows the worm to be launched
without the victim opening an attachment. The same defect was exploited earlier by the
Nimda worm.
BadTrans.B Perpetrator
To the best of my knowledge, the author of the BadTrans worm was never identified, so there
can be no legal consequences for him.
The anti-virus software vendor Trend Micro reported on 16 May 2002 that a total of 2.1 × 10^5
computers worldwide had been infected with BadTrans.B, which was only about 1/5 the number
of computers that Trend Micro reported as infected with Sircam or Nimda, which also appeared
in the year 2001. However, the anti-virus software vendor Computer Associates reported
BadTrans.B as the most prevalent malicious program in the year 2001. On 2 Dec 2001,
MessageLabs filtered BadTrans.B from one in every 57 e-mails, the second-highest daily
infection rate seen by MessageLabs. On 17 May 2002, MessageLabs reported the BadTrans.B
worm was the all-time third-most-common malicious program in e-mail.
Klez
The original Klez program appeared on 26 October 2001. A number of variants appeared later,
of which the most significant were the E variant that first appeared on 17 January 2002 and the
H variant that first appeared on 17 April 2002. The H variant caused an epidemic from about
20 April 2002 through June 2002, and became, up to that time, the most widespread malicious
program in the history of the Internet.
Klez has properties of both a computer virus and worm, what the Norton Anti-Virus website
calls a "blended threat".
There are a number of varieties of the Klez program and they each do slightly different harms to
the victim's computer. Among these harms are:
• deposit a copy of an ElKern computer virus in the victim's computer. The early versions
of this virus destroy information in all files on the victim's computer on 13 March and
13 September of each year.
• the Klez program is released when the victim reads or previews e-mail with Microsoft
Outlook. The same defect in Microsoft Internet Explorer was exploited earlier by both the
Nimda and BadTrans worms.
• send copies of the Klez program via e-mail from the victim's computer, as discussed in
more detail below.
• attempts to disable many common anti-virus programs by modifying the Windows
registry and by terminating their running processes.
• on the 6th day of each odd-numbered month, attempts to overwrite many different files on
the victim's hard drive with a pattern of all zeroes, thus destroying data in those files.
• randomly selects a file of type .doc, .rtf, .pdf, .jpg, among other possibilities, to
append to the attachment containing the Klez program, thus possibly sending confidential
information from the victim to future victims.
This long list of harms shows that the author of Klez had a truly malicious intent.
sending copies
The Klez program propagated by sending e-mail that contains Klez in an attachment. The subject
line, body of the e-mail, and name of the attachment were randomly selected from a long list of
possibilities contained in the Klez program. (This is unlike the Anna worm discussed above,
where the attachment always had the same name and could be easily recognized by someone
who had been warned by the news media.)
Some of the variants of Klez not only searched the Microsoft Outlook e-mail address book (like
the Melissa and ILOVEYOU programs), but also searched the entire hard drive on the victim's
computer for e-mail addresses contained in files of types .txt, .htm, and .html, amongst others.
These file types include webpages downloaded from the Internet and stored on the victim's
computer, and they may also include e-mail inboxes. This searching the entire hard drive for e-
mail addresses was a significant progression in the thoroughness of malicious programs in
obtaining a list of e-mail addresses to receive a copy of the malicious program.
Klez (like SirCam and Nimda) used its own internal e-mail program.
Some of the variants of Klez randomly selected one e-mail address in the list to be the designated
false source of e-mails containing copies of the Klez program. Copies were then sent to all of the
remaining addresses on the list. A wired.com news article says:
The [Klez] virus arrives attached to an e-mail that typically appears to have been sent by
someone the recipient knew.
Many computer users say that friends, co-workers, and business associates are angrily –
or patronizingly – accusing them of sending out viruses. Some victims say they fear their
professional reputations have been harmed.
This article quotes a public relations consultant who was falsely accused by eight of her clients,
as well as potential clients, for sending the Klez program to them: "I can't imagine they will trust
me with a campaign for a tech firm after this."
At least one version of the Klez program produced e-mail that said that the attachment (which
really contained the malicious Klez program) was an "immunity tool" and that the attachment
originated from a specific, well-known anti-virus software vendor. According to the Anti-Virus
website, one version of these e-mails included the following text:
Klez.E is the most common world-wide spreading worm. It's very
dangerous by corrupting your files. Because of its very smart stealth
and anti-anti-virus technic,most common AV software can't detect or
clean it.We developed this free immunity tool to defeat the malicious
virus. You only need to run this tool once,and then Klez will never
come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some
AV monitor maybe cry when you run it. If so,Ignore the warning,and
select 'continue'. If you have any question,please mail to me.
This fraudulent text instructed victims to disable their anti-virus (AV) software that would have
prevented their infection with Klez! As with earlier malicious programs, you can not trust what
you read in e-mail written by criminals. In connection with the SirCam text above, I observed
that grammar errors, punctuation errors (e.g., no space after commas and periods in the Klez
immunity tool message), and spelling errors in a message apparently from a native speaker of
English are suggestive that the message has a forged From: address and the attachment may
contain a malicious program.
Klez Perpetrator
To the best of my knowledge, the author of the Klez program was never identified, so there can
be no legal consequences for him.
The original Klez program in late October 2001 contained a comment inside HTML code that
said:
I am sorry to do so,but it's helpless to say sorry I want a good job,I must support my
parents. Now you have seen my technical capabilities. How much my year-salary now?
NO more than $5,500. What do you think of this fact? Don't call my names,I have no
hostility. Can you help me?
Articles at some anti-virus websites mentioned the suspicion that the author lives in the
Guangdong province of communist China.
A later version of the Klez program claims to be "made in Asia" and the author boasts that he
wrote the entire program in only three weeks, so the program might not be free of defects.
These kinds of comments inside the Klez program make it appear that the author regards his
program as part of his professional portfolio, in order to be hired as a computer programmer.
Shame on any software vendor that hires the author of a malicious program! Ethical people are
not favorably impressed by someone whose portfolio harms other people.
The anti-virus software vendor Trend Micro reported on 17 May 2002 that a total of 9.5 × 10^5
computers worldwide had been infected with either KlezE or KlezH. On 17 May 2002,
MessageLabs reported the KlezH program was the all-time second-most-common malicious
program in e-mail. At that time, the epidemic was continuing and the total number of infected
computers was certain to increase substantially.
my second essay
A description of some malicious computer programs since mid-2002, with emphasis on the
nonexistent or lenient punishment for their authors, and with links to legal documents, is
contained in my second essay.
Economic Damage
There are many different harms resulting from malicious programs:
• Many malicious programs delete or alter data in files on the victim's hard drive.
Recovering from such an attack requires either the use of a backup copy or tediously
regenerating the data.
There will always be lost data after the last backup. The amount of lost data will be less
than one day's work, if one makes daily backups. However, daily backups are rare
amongst computer users at home and in small offices. That means most victims will lose
days, or even weeks, of wordprocessing and financial data. The value of that lost data far
exceeds the cost of the computer hardware.
• Many malicious programs alter the Microsoft Windows registry file. All of those
alterations must be undone, in order to recover from the malicious program.
In some cases (e.g., CodeRed), the best recovery is to reformat the hard disk drive, make
a clean installation of the operating system, then install all of the applications software,
and finally copy all of the user's data files from backup media. Such a process can take
many hours if the user is familiar with the process and has a recent backup copy of the
data files. Alternatively, if one has used special backup software that copies the entire
operating system (including hidden files), all applications software, and all data files onto
recordable media (e.g., compact disks or a tape cartridge), then one can use that media to
recover more quickly.
• Malicious program that propagate by e-mail clog e-mail servers with millions of copies
of a virus or worm, thus delaying receipt of useful e-mail, or causing valid messages to be
lost in a flood of useless e-mail. Some companies switch off their e-mail servers during
epidemics of malicious programs transmitted by e-mail, to prevent crashing their server,
but that makes valid e-mail undeliverable. Many businesses rely on prompt delivery of e-
mail for their routine operation, and slow e-mail will cause financial losses, such as the
cost of lost productivity.
There is no definite information on the exact cost of recovering from an epidemic of a malicious
program.
A quick calculation shows that the damage inflicted by a malicious program will be immense.
Some of these malicious programs infected more than 10^5 computers worldwide. If the cost of
removing the program from each computer is only US$ 200 (a very low estimate), then the total
harm exceeds 10^5 × US$ 200 = US$ 2 × 10^7, twenty million dollars. This quick calculation shows
that the cost of each widespread malicious program will be more than US$ 10^7, but we do not
know how much more.
The estimated costs in the following table are from Computer Economics in January 2002.
Journalists who write news reports about malicious programs commonly use damage estimates
provided by Computer Economics.
The cost of recovery from malicious programs after ILOVEYOU was reduced by the availability
of software tools from anti-virus software companies that automate much of the process of
removing a worm.
Conclusion
Harms
It is at least reckless to release such computer programs that are designed to be harmful to
victims. For example:
• Many malicious programs delete or alter data in files on the victim's hard drive, a result
that has no benefit to the author of the malicious program, except glee in harming other
people. This is clearly a criminal act by the author of the malicious program.
• There is an enormous total cost of removing the virus or worm from many computers.
Some of these malicious programs infected more than 10^5 computers worldwide. If the
cost of removing the program from each computer is only US$ 200 (a low estimate), then
the total harm exceeds twenty million dollars. Releasing a rapidly spreading virus or worm
should be a major crime, worse than a bank robbery.
• Beginning with the Melissa virus in March 1999, many of these malicious programs sent
copies of the program in e-mail bearing the victim's From: address, when the victim had
neither composed the e-mail message nor authorized the transmission. I believe that such
sending of e-mail is, or ought to be, a criminal act.
Malicious programs like Melissa and Anna automatically sent e-mail using the name of a
previous victim. While such e-mail really originated from the victim's machine, the
transmission was made without either the knowledge or permission of that victim. This
feature increased the chances that the recipient of the e-mail would open the attachment
and release the new copy of the malicious program, because the recipient knew, and
presumedly trusted, the person who apparently sent the e-mail.
Later malicious programs sent copies of themselves in e-mail with false From: addresses,
which is one step worse than Melissa and Anna. For example, if the BadTrans.B worm
could not find the victim's e-mail address book, that worm selected a false From: address
from a list of 15 addresses contained inside the worm. Some variants of the Klez program
forged the From: address entirely, so copies of Klez appeared to come from people whose
machines did not contain Klez at all. Such false designations of origin cause innocent people
to be accused of spreading a malicious program, and also damage their reputation by falsely
presenting them as someone who recklessly runs a computer without current anti-virus
software. Specific examples of such harm were given above for the Nimda, BadTrans.B, and
Klez programs.
• Malicious programs that propagate by e-mail will clog e-mail servers with millions of
copies of a virus or worm, thus delaying receipt of useful e-mail, or causing valid
messages to be lost in a flood of useless e-mail. Many businesses rely on prompt delivery
of e-mail for their routine operation, and slow e-mail could cause financial losses.
As evidence of mens rea (i.e., criminal intent) one should consider not only the design of the
malicious program to do the above harms, but also its design to evade or defeat anti-virus
software. Many modern viruses and worms are polymorphic: each copy differs from every other,
so the program cannot be detected by searching a file for one fixed sequence of bytes. Some
modern malicious code also modifies the Windows registry to disable anti-virus software, which
is an unauthorized modification of the victim's computer. Criminals who write such software are
not playing a prank: they are designing a crime.
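To make the polymorphism point concrete, the following is an added toy example in Python. It is not from the original essay and is not real malware: the "body" is an arbitrary marker string, the "decoder stub" is a made-up fixed byte sequence standing in for the small routine a mutation engine must ship with every copy, and the per-copy mutation is a one-byte XOR. It shows that a fixed-string signature for the body matches the plain copy but none of the 255 mutated copies, while a scanner that first decodes what the stub would decode at run time (or matches the stub itself) still finds every copy.

```python
"""Toy model of a polymorphic copy versus a fixed-string signature scanner.

Constructed example, not code from the page or from any real scanner.
PAYLOAD, STUB and SIGNATURE_BODY are arbitrary stand-in byte strings.
"""

PAYLOAD = b"MARKER:CONSTRUCTED-TOY-BODY"   # constructed stand-in for a malicious body
STUB = b"\x01\x02DECODE\x03"                # constructed stand-in for the fixed decoder stub
SIGNATURE_BODY = b"CONSTRUCTED-TOY-BODY"    # the fixed byte string a naive scanner searches for


def xor_encode(data: bytes, key: int) -> bytes:
    """Symmetric one-byte XOR; calling it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def make_copy(key: int) -> bytes:
    """Emulate a polymorphic engine: copy = fixed stub + one-byte key + XOR(body, key).

    The body bytes differ in every copy (key 1..255), but the stub cannot
    change, because the copy needs it to recover the body at run time.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return STUB + bytes([key]) + xor_encode(PAYLOAD, key)


def naive_scan(sample: bytes) -> bool:
    """Signature scanner of the kind the text describes: fixed byte-string search."""
    return SIGNATURE_BODY in sample


def stub_scan(sample: bytes) -> bool:
    """Match the invariant decoder stub instead of the mutable body."""
    return STUB in sample


def emulate_and_scan(sample: bytes) -> bool:
    """Do what the stub would do at run time (decode the body), then signature-scan the result."""
    i = sample.find(STUB)
    if i < 0:
        return False
    key_pos = i + len(STUB)
    if key_pos >= len(sample):
        return False
    key = sample[key_pos]
    decoded = xor_encode(sample[key_pos + 1:], key)
    return SIGNATURE_BODY in decoded


def distinct_copies() -> int:
    """Number of byte-distinct copies the toy engine can produce."""
    return len({make_copy(k) for k in range(1, 256)})


def detection_rates() -> dict:
    """Fraction of the 255 mutated copies each scanner detects."""
    copies = [make_copy(k) for k in range(1, 256)]
    n = len(copies)
    return {
        "naive": sum(naive_scan(c) for c in copies) / n,
        "stub": sum(stub_scan(c) for c in copies) / n,
        "emulate": sum(emulate_and_scan(c) for c in copies) / n,
    }


if __name__ == "__main__":
    print("plain body, naive signature :", naive_scan(PAYLOAD))
    print("distinct mutated copies     :", distinct_copies())
    print("detection rates             :", detection_rates())
```

The lesson for a practitioner is the one the essay draws: a scanner that only searches for fixed text is defeated by design, and the engine's evasion of that scanner is evidence of intent. Practical detection has to key on what the mutation cannot change (the decoder stub, or the behaviour after decoding), which is why anti-virus products moved to emulation and heuristic analysis rather than pure string matching.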
Punishment
Despite the immense harm caused by each of these malicious computer programs, the author of
the program received either light punishment (e.g., Morris, Smith, and de Wit) or no
punishment at all (e.g., the authors of ILOVEYOU, CodeRed, Sircam, Nimda, BadTrans, Klez,
etc.). Alone amongst authors of malicious programs, Pile received what I consider a reasonable
punishment.
In May 2002, the Norton Anti-Virus software for Windows operating systems detected about
61,000 malicious programs. Astoundingly, there have been criminal prosecutions and convictions
of the author(s) of only five malicious programs. (See above.)
There are several reasons for the rare arrest and prosecution:
1. Legislators had not yet passed criminal statutes that effectively proscribe writing and
distributing malicious programs.
2. Police departments have a budget that is too small to permit an investigation of all
crimes, so the focus is on major violent crimes (e.g., homicides, rapes) and larceny.
Police departments are generally not hiring detectives with an education in
computer science. In the few arrests of authors of malicious programs, clues to the
authors' identities were supplied by programmers employed by anti-virus software
vendors.
3. Finally, there is the international nature of distribution of software by the Internet and
sending malicious programs as attachments to e-mail. Traditional criminal law is
inherently local: a burglary in state X requires the criminal to be physically present in that
state. With malicious programs, the author could be in a foreign country (e.g., Philippines
in the ILOVEYOU incident, Netherlands in the Anna worm, possibly China in the Klez
program), but the harm can occur in all fifty states of the USA. The legal system has so-
far been unable to respond effectively to this international challenge.
Even when an author is arrested, several factors push toward a lenient sentence:
1. Lack of resources (e.g., prosecutors, judges, and courtrooms) for the prosecution of all
criminals. Hence, most criminal cases must be disposed of by plea bargains.
2. Prosecutors and judges lack an education in science and technology (most of them went
through high school and college taking the minimum amount of science and mathematics
classes), so they are eager to dispose of cases involving "complicated technology" with
plea bargains. The criminals exploit this eagerness by negotiating for a very lenient
sentence in return for their guilty plea.
3. It is difficult to know the amount of damage from a widespread computer virus or worm
with the precision required for admission of evidence in a court. If only a small amount
of damage can be proved in court, then the author of the malicious program will receive a
lighter sentence than he deserves.
Corporate victims of computer crimes are often reluctant to disclose the amount of
damage done, perhaps because such admissions might erode public confidence in the
company's technical competence, which might cause customers/clients to flee to
competitors.
It is even more difficult to quantify the amount of damage done to individual computers
in people's homes. If N computers are infected and the average cost of removing the virus
or worm from one computer is $M, then the total damage is $N × M. In practice, neither
N nor M is known with the precision required for admission of legal evidence in court.
In April 2002, I could not find any website for reporting infection by a malicious
program, so N is unknown. Neither could I find any website for reporting the cost of
removing an infection. Since the FBI and other law enforcement agencies are not
collecting this information, damage to individual computers is being ignored. I expect
damage to home computers to be large, because people in homes tend not to update their
anti-virus software frequently, unlike corporate networks where anti-virus software is
updated regularly by trained computer specialists.
An additional issue, which receives little attention, is the presence on the Internet of resources
for creating malicious programs, such as the construction kit that was used to create the Anna
worm in a few hours. Should authors and distributors of such resources be held criminally liable
for aiding and abetting the creation of malicious programs? The obvious answer would appear to
be Yes!
However, the issue is complicated by the fact that some resources might also have legitimate
uses (e.g., studying malicious code, so better anti-virus software can be designed). Legislators
are not yet ready to restrict some programming tools and software only to licensed programmers,
the way we make [potentially dangerous] drugs legally available only on prescription from a
licensed physician. In fact, computer programmers in the USA are not currently licensed by the
government, the way that other professionals (e.g., physicians, engineers, attorneys, accountants,
etc.) who affect the public health and safety are licensed.
A practical solution to malicious computer code distributed by e-mail would be for Internet
Service Providers (ISPs) to use current anti-virus software to scan all e-mail, both e-mails sent by
their customers and e-mails received by their customers. As a practical matter, it makes more
sense for the few ISPs to run anti-virus software (including daily updates of the virus definitions)
than for millions of customers, many of whom have a low level of competence with computer
software and hardware. I stress that this is a practical matter, not a legal obligation for ISPs.
In conclusion, the international criminal justice system has failed to arrest, punish, and deter
people from writing and releasing malicious software. Two legislative remedies follow:
A. to enact criminal statutes against authors of computer viruses and worms, with
punishment that reflects the damage done by those authors, and
B. to allocate more money to the police for finding and arresting the authors of malicious
computer programs.