This section covers several of the more common and deadly viruses and worms of years past. New viruses and worms come out all the time, and this is by no means an exhaustive list. Some of these viruses and worms are a few years old. You might be wondering why these older viruses and worms are covered here if they do not pose as much of a threat today. Including coverage of these viruses and worms is important not just because of their notoriety, but also because of their ingenuity. All of the viruses and worms mentioned in this chapter broke new ground in how viruses and worms operate, and later viruses and worms are typically based on the techniques discussed in the sections that follow. Specifically, this chapter addresses the following viruses and worms:
Note: All of the viruses and worms mentioned are well-known. Therefore, good anti-virus software products can detect them. However, there is a rise in custom viruses being made with virus construction kits. These viruses do not have signatures because they are so new and are usually not as widespread. They can be just as deadly, however. Some popular virus construction kits include the following:
New viruses and worms come out every month. This list is by no means exhaustive, and it does not cover only the most recent viruses. Instead, it is meant to introduce you to some of the more ingenious and deadlier viruses and worms that have shaped the way people think about protecting corporations against viruses. Viruses and worms will continue to proliferate and infect computers. Now instant messaging and cell phone worms are becoming a threat. Any time new technologies are released, malicious hackers will attempt to exploit them through viruses and worms. Anti-virus software is not enough by itself because it does not protect against zero-day viruses (viruses for which no known signatures exist). You must also incorporate other measures, such as anomaly-based intrusion detection systems.

Chernobyl

The Chernobyl virus is also known by the name W32.CIH.Spacefiller. (CIH stands for the creator's name, Chen Inghua.) This virus affected Windows 95/98 PCs. It does not pose much of a threat against the more popular XP systems today. The Chernobyl virus is a time bomb virus. A time bomb virus or worm is a malware program that is set to go off at a specific time. For that reason, this virus might lie dormant on a system for a long time before anyone realizes that the system is infected. It was named the Chernobyl virus because it was set to go off on April 26, 1999 (the anniversary of the Chernobyl nuclear reactor explosion). Its other name, W32.CIH.Spacefiller, describes what this deadly virus would do to a system. This was a spacefiller virus, which would destroy data on a hard drive by filling it with random "space" (essentially overwriting the disk with nothing). What made this virus unique was its capability not only to erase data, but also to erase Flash memory. Not only would your hard drive be erased (along with the master boot record), rendering it useless, but the Chernobyl virus also would erase your Flash memory, thus damaging your motherboard.
If your motherboard manufacturer did not have a means to recover from this attack, you would be forced to purchase a new motherboard.

I Love You

The "I Love You" worm goes by many names, including LoveLetter, veryfunny.vbs, protect.vbs, and virus_warning.vbs. This was a VBScript worm that spread through Microsoft Outlook clients and an Internet Relay Chat (IRC) program called mIRC. The operation of this worm is as follows:
The end result of this virus is that its victims would have their passwords sent to the virus owner and have several files deleted on their network.

Melissa

The Melissa virus was the first major Microsoft Word macro virus to make a significant impact on corporations. Named after a stripper in Florida who was a favorite of the virus creator, this virus was first found in a document called List.doc, stored in List.zip, that reportedly contained a list of passwords for pornographic websites. This document was posted repeatedly on the alt.sex newsgroup. This was a classic social engineering tactic, where unsuspecting victims were lured into opening this virus under the notion that they were gaining access to pornographic websites. (For more on social engineering, see Chapter 4, "Performing Social Engineering.") This virus operates as follows:
BugBear

Also called W32/BugBear.A, this was a virus that enabled others to gain access to an infected system. What made the virus even more dangerous was that it had the capability to go out to network shares and infect other computers. Like most viruses, BugBear was sent via e-mail. The virus took e-mail addresses from previous e-mail messages and the Outlook address book. The filename was random but usually contained key words like "news," "images," "resume," "music," and others that would catch the attention of an unsuspecting victim. The virus came with many different extensions, including .scr, .pif, and .exe, but the execution of the virus was the same. What made this virus damaging was that it was the first major virus to execute automatically if the e-mail message was merely opened or viewed in the Microsoft Outlook preview pane. This meant that users did not even have to launch the executable; simply opening the e-mail message was enough to become infected.

Caution: For this reason, you should always turn off the Microsoft Outlook preview pane and never open e-mail messages that appear suspicious. Outlook 2003 is guarded from this type of attack because macros do not run from preview mode.

BugBear operates as follows:
Note: Beware of virus hoaxes. One such hoax was the BugBear hoax, in which an e-mail was sent informing users how to remove the BugBear virus. The hoax advised people to delete the jdbgmgr.exe file, which had an icon of a teddy bear. Readers of this hoax often believed the advice and deleted this file. They thought they were deleting the BugBear virus, but they really were deleting Microsoft Debugger for Java. To read more about this hoax, visit the Microsoft knowledgebase article Q322993 at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322993.

MyDoom

MyDoom, also called W32/MyDoom.A, WORM_MIMAIL.R, and W32.Novarg.A, is another mass e-mail worm that comes in the form of .bat, .cmd, .pif, .scr, .zip, or .exe files with a file size of 22,528 bytes. Similar to BugBear, this virus opens a backdoor for malicious hackers to gain access to infected systems. MyDoom opens TCP ports 3127 through 3198. What made this virus deadly was not just the backdoor that it left open for malicious hackers to penetrate, but its use in launching distributed denial-of-service (DoS) attacks. All infected hosts were configured to simultaneously launch a DoS attack against the SCO Group website on February 1, 2004 at 16:09:18 UTC.

Tip: To see open ports on a Windows computer, go to the MS-DOS shell and type netstat -an. This shows all listening ports. If you see TCP ports 3127 through 3198 listening, you have probably been infected with the MyDoom virus.

This virus has more than 35 different variants. Some variants have their own SMTP engine to send e-mails, others target specific sites such as http://www.symantec.com in their DoS attacks, and still others are used to download viruses such as Backdoor.Nemog.B (W32.MyDoom.S variant).

W32/Klez

This worm goes by many names, including W32/Klez, Elkern, Klaz, Kletz, I-worm, Klez, and W95/Klez@mm. When this worm appeared, it was the most sophisticated of its kind to date.
In many ways, it was a virus within a virus, for it not only executed the Klez worm, but it also unwrapped the Elkern virus. This vicious worm operates as follows:
Blaster

Blaster (also known as MSBlast.A) is a DoS worm that attacks the windowsupdate.com domain. A catch-22 situation occurs with this worm, leaving users with little means to defend themselves. The Microsoft windowsupdate.com domain contains the patch to fix the vulnerability that this worm exploits, but because the worm launches an attack against the Microsoft update site, users cannot reach it to download the patch. The Blaster worm is a buffer overflow worm that attacks the Windows remote procedure call (RPC) function and uses it to infect other computers. The Blaster worm operates as follows:
The worm contains the text: "I just want to say LOVE YOU SAN!! billgates why do you make this possible? Stop making money and fix your software!"

SQL Slammer

This worm was first detected on January 25, 2003 (although rumors say it might have been around since January 20). According to an April 2, 2004 ZDNet article, more than 8 million computers were infected with this worm. In addition, this worm caused 5 of the 13 Internet root name servers to crash. This worm, also known by the names W32.Slammer and the Sapphire worm, doubled in size every 8.5 seconds. This worm used UDP instead of TCP in its delivery. Because TCP communications require a three-way handshake, TCP-based applications are harder to spoof. However, UDP traffic is easy to spoof because it has no acknowledgements, windowing, or sequence numbers to keep track of. The SQL Slammer worm sent itself to UDP port 1434, the port used by Microsoft SQL Server. It attempted to cause a buffer overflow in a function found in ssnetlib.dll, a dynamic library loaded with the SQLServer.exe executable installed with Microsoft SQL Server 2000 and with the Microsoft Desktop Engine (MSDE) 2000 that came with Microsoft Office 2000 and Office XP. The file ssnetlib.dll contains a function to provide SQL Server registry access. It takes three strings and combines them to build the registry path:
The SQL Slammer worm sends a packet that smashes the stack on the second string by sending more than the allowed length. The instance name is supposed to be a maximum of 16 bytes, but this is not checked. The new return pointer address is 0x42B0C9DC. (For more on the operation of buffer overflows, see Chapter 14, "Understanding and Attempting Buffer Overflows.") The return address points to the JMP ESP instruction inside sqlsort.dll. It uses sqlsort.dll to make calls to the LoadLibrary() and GetProcAddress() functions. These functions help Slammer gain access to WS2_32.dll and kernel32.dll. These dynamic libraries help Slammer get the addresses of the Socket(), SendTo(), and GetTickCount() APIs, which it uses to replicate. Next, the worm is sent to UDP port 1434 on random IP addresses. What is unique about this is that the worm is sent in an endless loop. This not only floods the network with the worm, but it also causes CPU utilization to peak. This results in thousands more infected hosts while launching a self-inflicted DoS attack.

Sasser

The Sasser worm is a deadly worm discovered in 2004 that infects Windows 2000 and XP computers. Although it cannot infect older computers running Windows 95 and 98, it can still run on those computers to infect other computers. The Sasser worm operates as follows:
Sasser took an estimated 14 minutes to compromise 95 percent of all vulnerable computers in April 2004. You can stop Sasser by patching Windows computers, using firewalls that block port 445, or using anti-virus software. Unfortunately, too few people had these precautions in place at the time the worm was launched. Sasser was not destructive to the individual hosts that were infected; instead, Sasser slowed down Internet communications as it spread exponentially. This impacted corporations relying on Internet communication for their business.
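The SQL Slammer overflow described above (an instance name limited to 16 bytes but never length-checked in a UDP/1434 request) is the kind of defect a bounds check removes. The following is an added example, not the ssnetlib.dll code or anything from the book: it assumes a request layout in which byte 0 is the request type (0x04 for an instance lookup) and the remaining bytes are the instance name, shows a hardened version of the three-string registry path builder, and classifies two constructed datagrams, one benign and one with an oversize name.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not the ssnetlib.dll code. Assumed request layout
 * on UDP/1434: byte 0 is the request type (0x04 = look up an instance by name)
 * and the rest is the instance name, limited to 16 bytes but never checked. */
#define SSRP_CLNT_UCAST_INST 0x04
#define MAX_INSTANCE_NAME    16

/* 1 = well-formed lookup (name copied out), 0 = some other request type,
 * -1 = instance name longer than the 16-byte limit (Slammer-style). */
int check_ssrp_payload(const unsigned char *buf, size_t len, char *name, size_t namelen)
{
    if (len == 0 || buf[0] != SSRP_CLNT_UCAST_INST)
        return 0;
    size_t ilen = len - 1;
    if (ilen > MAX_INSTANCE_NAME || ilen + 1 > namelen)
        return -1;                  /* the bound the vulnerable copy lacked */
    memcpy(name, buf + 1, ilen);
    name[ilen] = '\0';
    return 1;
}

/* Hardened "combine three strings into a registry path": every length is
 * verified before anything is written, so an oversize middle string is rejected. */
int build_reg_path(const char *prefix, const char *instance,
                   const char *suffix, char *out, size_t outlen)
{
    if (strlen(instance) > MAX_INSTANCE_NAME)
        return -1;
    int n = snprintf(out, outlen, "%s%s%s", prefix, instance, suffix);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Constructed samples: a benign "SQLEXPRESS" lookup, or a 40-byte name like Slammer's. */
int classify_sample(int oversize, char *name, size_t namelen)
{
    unsigned char buf[64] = { SSRP_CLNT_UCAST_INST };
    if (oversize) memset(buf + 1, 'A', 40);
    else          memcpy(buf + 1, "SQLEXPRESS", 10);
    return check_ssrp_payload(buf, oversize ? 41 : 11, name, namelen);
}

int main(void)
{
    char name[MAX_INSTANCE_NAME + 1];
    printf("benign=%d oversize=%d\n", classify_sample(0, name, sizeof name),
           classify_sample(1, name, sizeof name));   /* benign=1 oversize=-1 */
    return 0;
}
```

The same length rule applied on the network side (reject or alert on UDP/1434 datagrams whose name field exceeds 16 bytes) is what a firewall or IDS signature for this worm reduces to.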