
Computer Viruses and Worms

Definition of Virus
A virus is a small piece of software that piggybacks on real programs in order to get executed.
Once it's running, it spreads by inserting copies of itself into other executable code or documents.

Computer Virus Timeline

1949
Theories for self-replicating programs are first developed.

1981
Apple Viruses 1, 2, and 3 are some of the first viruses in the wild, or in the public domain. Found on
the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.

1983
Fred Cohen, while working on his dissertation, formally defines a computer virus as a computer
program that can affect other computer programs by modifying them in such a way as to include a
(possibly evolved) copy of itself.

1986
Two programmers named Basit and Amjad replace the executable code in the boot sector of a floppy
disk with their own code designed to infect each 360kb floppy accessed on any drive. Infected floppies
had Brain for a volume label.

1987
The Lehigh virus, one of the first file viruses, infects command.com files.

1988
One of the most common viruses, Jerusalem, is unleashed. Activated every Friday the 13th, the virus
affects both .exe and .com files and deletes any programs run on that day.
MacMag and the Scores virus cause the first major Macintosh outbreaks.

Worms

A worm is a self-replicating program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself.

History of Worms

The first worm to attract wide attention, the Morris worm, was written by Robert Tappan Morris, who at the time was a graduate student at Cornell University.
It was released on November 2, 1988.
Morris himself was convicted under the US Computer Crime and Abuse Act and received three years probation, community service and a fine in excess of $10,000.
Xerox PARC

Worms

A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.
They are often designed to exploit the file transmission capabilities found on many computers.

Zombies

Infected computers (mostly Windows machines) are now the major delivery method of spam.

Zombies have been used extensively to send email spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.

Money flow

Pay per click

Typical things that some current Personal Computer (PC) viruses do

Display a message
Erase files
Scramble data on a hard disk
Cause erratic screen behavior
Halt the PC
Many viruses do nothing obvious at all except spread!

Distributed Denial of Service

A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.

How does it work?

The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users of the system.
The parameters of such a flood are:
Victim's IP address
Victim's port number
Attacking packet size
Attacking inter-packet delay
Duration of attack
MyDoom SCO Group
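The flood parameters the slide lists (victim IP and port, packet size, inter-packet delay, duration) are also what a defender measures to spot a flood in traffic records. The following is an added example, not part of the original slides: it aggregates constructed packet records per victim IP and port, computes those parameters plus packet rate and distinct source count, and flags targets whose rate exceeds a threshold; the thresholds, addresses and record layout are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed packet records (not from the slides): (time_s, src_ip, dst_ip, dst_port, size_bytes).
# Assumed victim 203.0.113.10:80 receives a 2 ms-spaced burst from 50 sources;
# 198.51.100.5:443 sees a slow trickle from one host (normal traffic).
SAMPLE_PACKETS = (
    [(i * 0.002, f"192.0.2.{i % 50}", "203.0.113.10", 80, 1400) for i in range(2000)]
    + [(i * 1.5, "192.0.2.7", "198.51.100.5", 443, 500) for i in range(10)]
)


def summarize_flows(packets):
    """Aggregate packets per (victim IP, port) into the slide's flood parameters:
    duration, mean inter-packet delay and byte volume, plus packet rate and source count."""
    by_target = defaultdict(list)
    for ts, src, dst, port, size in packets:
        by_target[(dst, port)].append((ts, src, size))
    summary = {}
    for key, recs in by_target.items():
        recs.sort()  # order by timestamp so gaps are computed between consecutive packets
        times = [r[0] for r in recs]
        duration = times[-1] - times[0]
        gaps = [b - a for a, b in zip(times, times[1:])]
        summary[key] = {
            "packets": len(recs),
            "sources": len({r[1] for r in recs}),
            "duration_s": duration,
            "mean_gap_s": mean(gaps) if gaps else float("inf"),
            "pps": len(recs) / duration if duration > 0 else float(len(recs)),
            "bytes_per_s": sum(r[2] for r in recs) / duration if duration > 0 else 0.0,
        }
    return summary


def flag_floods(packets, min_pps=200.0, min_sources=10):
    """Return targets whose packet rate reaches min_pps (assumed threshold).
    The distinct-source count separates a distributed flood (DDoS) from a single-host DoS."""
    flagged = {}
    for key, stats in summarize_flows(packets).items():
        if stats["pps"] >= min_pps:
            stats["distributed"] = stats["sources"] >= min_sources
            flagged[key] = stats
    return flagged


if __name__ == "__main__":
    for (ip, port), stats in flag_floods(SAMPLE_PACKETS).items():
        print(f"{ip}:{port} flooded: {stats['pps']:.0f} pps from {stats['sources']} sources, "
              f"distributed={stats['distributed']}")
```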

DDoS

MyDoom

26 January 2004: The Mydoom virus is first identified around 8am. Computer security companies report that Mydoom is responsible for approximately one in ten email messages at this time. It slows overall internet performance by approximately ten percent and average web page load times by approximately fifty percent.

MyDoom

27 January: SCO Group offers a US $250,000 reward for information leading to the arrest of the worm's creator.
1 February: An estimated one million computers around the world infected with Mydoom begin the virus's massive distributed denial of service attack, the largest such attack to date.
2 February: The SCO Group moves its site to www.thescogroup.com.

Executable Viruses
Traditional Viruses
pieces of code attached to a legitimate program
run when the legitimate program gets executed
load themselves into memory and look around to see if they can find any other programs on the disk

Boot Sector Viruses

Traditional Virus
infect the boot sector on floppy disks and hard disks
By putting its code in the boot sector, a virus can guarantee it gets executed
loads itself into memory immediately, and is able to run whenever the computer is on

Decline of traditional viruses

Reasons:
Today's programs are huge and are distributed on compact discs, which cannot be modified
Operating systems now protect the boot sector

E-mail Viruses
Moves around in e-mail messages
Replicates itself by automatically mailing itself to dozens of people in the victim's email address book
Example: Melissa virus, ILOVEYOU virus

Melissa virus

March 1999
the Melissa virus was the fastest-spreading virus
ever seen
Someone created the virus as a Word document
uploaded to an Internet newsgroup
People who downloaded the document and opened
it would trigger the virus
The virus would then send the document in an email message to the first 50 people in the person's
address book

Melissa virus

Took advantage of the programming language built into Microsoft Word called VBA (Visual Basic for Applications)

Prevention
Updates
Anti-Viruses
More secure operating systems
e.g. UNIX
