The Early Days: Viruses and Worms


This section traces the origins and evolution of automated attacks against computing infrastructure, including early virus and worm behavior and the drivers that shaped it.

Virus Emergence and Early Propagation Methods

The concept of the computer worm or virus is not new. Those who built the early computing machines conceived of self-replicating malicious code or data almost as soon as they had the hardware to run it on. Early researchers used such code in elaborate games such as Core War, in which competing programs try to overwrite one another in shared memory, to learn more about computing and about how unexpected interaction between processes affects the computing environment.

The computer virus really started to have an effect at the onset of early business and consumer networking. In the mid-1980s, "networking" was likely to be done via sneakernet, the term for carrying floppy disks from machine to machine to move programs and data. The earliest widespread computer viruses used this method to propagate. Typically, the virus resided in the boot sector of the floppy disk or attached itself to executable files on it. When a user carried that disk to another machine and booted from it or ran an executable on it, the virus copied itself into memory and waited to attach itself to the next clean boot sector or executable it encountered. Although this form of propagation may seem slow and primitive today, it was remarkably effective. Note that this class of malicious tool worked because it turned the normal behavior of the attacked system (booting from whatever floppy was in the drive, running whatever program the user launched) into the infection mechanism.

Viruses mutate and evolve to match their environment and to take advantage of new infection vectors. Those who write the viruses drive this mutation and evolution in the interest of getting the greatest possible impact. The first viruses were effective precisely because of the way computers operated and the way people interacted with them. The viruses took advantage of the following facts:

  • PCs booted via floppy disks, which provided boot sector viruses fertile ground for reproduction.

  • Floppy disks often contained application code and data along with boot code, which application viruses easily infected.

  • People regularly shared floppy disks as a convenient way to exchange information, which enabled these early viruses to proliferate.

In addition to their simple spreading behavior, viruses often carried some sort of payload. Payload is the common term for whatever is delivered to the targeted destination; in this case, the payload was malicious and destructive code along with some identifying information. The payload is what usually made a virus famous and often gave the virus its name. Some viruses did nothing more than place an occasional message on the user's screen. Others might occasionally jumble keystrokes. Truly nasty viruses deleted files or destroyed the boot sector itself. Often, these viruses remained inactive within the infected executables and in the computer's memory until a particular trigger date activated the malicious routine.

From the late 1980s to the present, those who write malicious code have taken advantage of the increasingly well-connected nature of machines, operating systems, and applications, and their code has mutated and evolved accordingly. A thorough understanding of the inherent behavior of the target system is crucial to the creation of successful virus code, and in fact to any attack against a particular system. To defend a system, you must have the same understanding of its behavior, architecture, and communication.

LAN Propagation

The advent of the LAN gave the traditional virus new propagation opportunities. These networks removed the requirement for a floppy disk and a human to carry it and replaced them with signals moving over copper wire. On such systems, files and applications are shared at speeds orders of magnitude greater than with sneakernet.

With the introduction of LANs, viruses at first stuck to their old method of operating and continued to propagate, at much higher rates, through infected application files. The problem was compounded by the fact that LANs usually contain one or more file servers, devices that act as central repositories for user files and facilitate file sharing. If a virus infected an executable in this environment, it often was not long before the server's entire complement of user executables was likewise infected, and every workstation that ran a program from the server picked it up.

The WAN and Internet

After the emergence of the LAN in business computing, business soon realized the productivity gains possible by joining the LANs of their own branches and those of their partners and customers across geographically dispersed areas. This new "super network" is called a WAN. A WAN provides the virus with an even more vast and extended network and gives an infected business the dubious honor of being able to spread their infection to their partners or customers.

With the emergence of the Internet as a valuable business tool, all of these LANs and WANs at thousands of businesses around the world had the potential to be joined, creating the "network of networks." Rapidly realized on a global scale, this convergence represents the ultimate opportunity for virus code because of the great potential for sharing infected files, and it creates a new kind of vulnerable system. That system is the entire Internet itself.

The Network Worm

Writers of malicious code soon realized they could build a new type of attack, one independent of executable files that would instead attack systems directly through their network connections. This new attack, called a network worm, was automatic and usually did not rely on any user interaction to infect a vulnerable system. As a result, this approach spreads malicious code far more rapidly than the virus does, and it takes advantage of the architecture and behavior of the large network rather than of file sharing.

Like the virus, the worm may contain and carry a malicious payload. Curiously (and luckily), few worms have done so. Most worms have caused damage through the denial of service (DoS) that results from their rapid propagation: a worm's consumption of all local CPU and network resources on an infected machine often renders that machine, and the links around it, unusable.

The first widely felt network worm attack was the Morris worm of November 1988. This worm attacked machines connected to local networks and the Internet via the IP protocol suite, exploiting among other things a buffer overflow in the fingerd daemon, a debug mode in sendmail, and trust relationships between hosts. At the time of the Morris worm, the Internet was a loose affiliation of universities, government entities, and a handful of forward-looking high-tech businesses. Because a few operating systems were ubiquitous on the Internet at the time, the Morris worm rapidly infected a considerable percentage of the available hosts and, because it reinfected machines it had already compromised, swamped CPU and communication resources on infected machines and rendered them unusable. It is generally accepted that the creator of this worm was performing research rather than attempting to cause trouble, but the damage done was considerable. The whole tech world was suddenly awakened to this new and alarming threat.

The Single Environment and Its Consequences

The success of a worm or virus depends heavily on the prevalence of the target system or application in the environment under attack. The Morris worm was powerful because many connected machines ran the same small set of operating systems and network services. The worm could easily discover new vulnerable hosts for infection, and as each new host became infected, that host in turn found many "neighbor" machines to infect.

Over the past decade, the Microsoft Windows environment has become the computing platform of choice for most of the world's PC users, business or individual. As a result, nearly 90 percent of the machines connected to the Internet are of the same general type and run the same basic networking, operating system, and application code. Although this commonality fosters productivity for connected users because sharing is easy, worms benefit from the same environment and are just as easily "shared." A single-vendor computing environment fully interconnected with high-speed data links is fertile ground for aggressive malicious code. Combining today's interconnected high-speed networks, such as Ethernet LANs, optical WANs, and always-on home Internet connections (cable modems and DSL), with interconnected machines running identical software presents easy targets to the network worm or virus.
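The point about prevalence can be made quantitative with a small simulation. The following is an added example and not code from the book: it models a random-scanning worm (each infected host probes random addresses in a fixed space, as Morris-style and later Internet worms did) and measures how long it takes to infect 90 percent of the vulnerable population as the fraction of vulnerable hosts changes. The address space size, scan rate, and vulnerable fractions are assumptions chosen for illustration.

```python
# Added example (not from the book): a random-scanning worm model showing how
# the prevalence of a vulnerable platform drives propagation speed.
# The address space size, scan rate and vulnerable fractions are assumptions.
import random


def simulate_worm(address_space=10_000, vulnerable_fraction=0.5,
                  scans_per_tick=2, max_ticks=400, seed=7):
    """Return the number of infected hosts after each tick.

    Every infected host probes `scans_per_tick` uniformly random addresses per
    tick; a probe that lands on a vulnerable, not-yet-infected host infects it
    (the worm then runs there from the next tick on). Stops early once every
    vulnerable host is infected.
    """
    rng = random.Random(seed)
    n_vuln = int(address_space * vulnerable_fraction)
    if n_vuln == 0:
        return [0]  # nothing to infect: the worm dies with patient zero
    vulnerable = set(rng.sample(range(address_space), n_vuln))
    infected = {rng.choice(sorted(vulnerable))}  # patient zero
    history = [len(infected)]
    for _ in range(max_ticks):
        newly = set()
        for _host in range(len(infected)):
            for _ in range(scans_per_tick):
                target = rng.randrange(address_space)
                if target in vulnerable and target not in infected:
                    newly.add(target)
        infected |= newly
        history.append(len(infected))
        if len(infected) == n_vuln:
            break
    return history


def ticks_to_fraction(history, n_vuln, fraction=0.9):
    """First tick at which at least `fraction` of the vulnerable hosts are
    infected, or None if the run never got there."""
    threshold = fraction * n_vuln
    for tick, count in enumerate(history):
        if count >= threshold:
            return tick
    return None


def compare_prevalence(address_space=10_000, fractions=(0.9, 0.3, 0.1), **kw):
    """Map each vulnerable fraction to the tick at which 90% of its vulnerable
    population was infected. Same seed for every run, so only prevalence changes."""
    result = {}
    for f in fractions:
        hist = simulate_worm(address_space, f, **kw)
        result[f] = ticks_to_fraction(hist, int(address_space * f))
    return result


if __name__ == "__main__":
    for f, t in compare_prevalence().items():
        print(f"{int(f * 100):3d}% of hosts vulnerable -> 90% infected by tick {t}")
```

With the same scan rate and seed, the monoculture (90 percent vulnerable) saturates in a fraction of the time the diverse population (10 percent vulnerable) needs, because almost every probe from every infected host finds another target; in the diverse case most probes are wasted on hosts the worm cannot infect. The early phase is where the difference is largest, which is also the window in which detection and containment still matter.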


    Cisco Security Agent
    ISBN: 1587052059
    Year: 2005
    Pages: 145
    Authors: Chad Sullivan