4.3. Viruses, Worms, and Trojans (Oh, My!)
While historically important, the classification of malicious code into categories such as "virus" or "worm" is today somewhat quaint. Attackers who want to harm your system will get there any way they can and whipping up a software half-breed that blurs definitions would be the least of their worries.
For this reason, modern attack tools tend to be labeled by their function more than their genealogy. Hence there are rootkits, Trojan horses, exploits, password sniffers, and zombies, more than there are viruses and worms. Although we will briefly explore the historic roots and definitions of such malicious programming in a moment, in this book we shall call all such programs malicious code, or for short, malware. And to keep in sync with the general public, we will use the term virus as its synonym.
A Malware Taxonomy
This chapter will define many modern attacks, but here are some brief definitions:
Denial of service attack (DoS)
Attack that produces so many requests for system resources in the computer under attack, such as calls to the operating system, or opening dialogs with other machines and then hanging onto the line to tie it up, that normal functions on the targeted computer are overwhelmed and cease.
Distributed DoS attack (DDoS)
DoS attack launched from many different computers, usually zombies hijacked for this purpose.
Exploit
Malware that capitalizes on known or undiscovered vulnerabilities, which are bugs or weaknesses in software applications or operating systems.
Rootkit
Malware, usually a small suite of programs, that installs a new account or steals an existing one, and then elevates the security level of that account to the highest degree (root for Unix, Administrator for Windows) so that attackers can do their will without obstruction.
Script
File containing specific instructions of the attacker and commands to make them occur.
Sniffer
An attack, usually a Trojan horse, that monitors computer transactions or keystrokes. A keystroke logger, for instance, detects sensitive information by monitoring the user's keystrokes.
Trojan horse
Malware named for its method of getting past computer defenses by pretending to be something useful.
Zombie
A corrupted computer that is waiting for instructions and commands from its master, the attacker.
Knowing a little bit about germs may help you prevent the spread of disease. Similarly, knowing something about malicious code may help prevent the spread of its effects. Most viruses and worms tend to be upgrades or variations of others seen before. For this reason we will review the historic terms and how they came to be, before returning to the present to fight viruses in the here and now.
4.3.1. Viruses
A virus is a code fragment that copies itself into a larger program, modifying that program. Unlike a worm, described in the next section, a virus is not an independent program but depends upon a host program, which it infects. A virus executes only when its host program begins to run. The virus then replicates itself, infecting other programs as it reproduces. After seeing to its own reproduction, it then does whatever dirty work it carries in its programming, or payload. There may not be a payload, or it might shoot blanks. Several powerful viruses have been uncovered that can spread at an alarming rate, but that don't really do much. Not to say they couldn't, of course, but their programmer chose to make them weak, or in some cases made a programming error that caused the payload portion to misfire. Nevertheless, every packet that traverses a network means that another packet has to wait its turn. Even if a virus is nothing more than a clever prank, sort of like graffiti on the computerscape, it still has a negative impact. And because it is a rogue program turned loose within your computer, it is definitely an intrusion. It has gotten past your defenses, and has demonstrated that you are vulnerable until you take defensive measures.
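Because a file infector works by modifying the host programs it attaches to, the classic defense is a baseline-and-compare integrity check. The following is an added example, not code from the book: it records a digest and size for each program once, then reports which hosts changed, by how many bytes, and which files appeared or vanished. The directory, the three "program" files and the simulated modification are constructed stand-ins.

```python
"""Baseline-and-compare integrity check for host programs (added example).

The baseline should be stored somewhere the machine being checked cannot
rewrite (read-only media or another host); otherwise an infector can
simply update it.
"""
import hashlib
import tempfile
from pathlib import Path

BLOCK = 65536  # read binaries in blocks so large files are not loaded whole


def digest(path: Path) -> str:
    """SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Record digest and size of every regular file under root, keyed by
    path relative to root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root))
            baseline[rel] = {"sha256": digest(p), "size": p.stat().st_size}
    return baseline


def compare(root: Path, baseline: dict) -> dict:
    """Report files whose content changed, plus files added or missing
    since the baseline was taken."""
    current = take_baseline(root)
    report = {"modified": [], "added": [], "missing": []}
    for rel, rec in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != rec["sha256"]:
            # The size delta helps tell an appended code fragment from an
            # in-place patch of the same length.
            report["modified"].append((rel, current[rel]["size"] - rec["size"]))
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: three stand-in programs are baselined, one
    then grows by 512 bytes and an unexpected file appears. Returns the
    comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("editor", "mailer", "shell"):
            (root / name).write_bytes(b"\x7fELF-stand-in " + name.encode())
        base = take_baseline(root)
        # Simulate the observable effect of a host being modified: its
        # bytes change and it gets longer. No real code is involved.
        with (root / "mailer").open("ab") as f:
            f.write(b"\x00" * 512)
        (root / "helper").write_bytes(b"unexpected")
        return compare(root, base)


if __name__ == "__main__":
    print(demo())
```

A real deployment runs `take_baseline` on a known-clean system and `compare` on a schedule, and treats any entry in "modified" for an executable as an incident rather than a warning.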
While viruses generally see to their reproductive needs before their destructive ones, not all viruses launch at the first opportunity. A virus might start reproducing right away, or it might lie dormant for some time, until it's triggered by a particular event. For example, a particular triggering date may arrive (as with the infamous Friday the 13th virus), or a particular event may occur (for example, deleting a particular person's name from a payroll file, perhaps indicating that he's been fired). See the section on "Bombs" later in this chapter for more information about triggers.
Different pathogens may infect different parts of the body, and it is the same for viruses. A virus may infect memory, a floppy disk, a hard drive, a backup tape, or any other type of storage. Like a biological virus, a computer virus invades other organisms, causing those organisms to proliferate and spread the virus. It degrades system performance in addition to whatever other damage (e.g., data deletion) it does. At one time, viruses passed themselves about by hanging around in memory and jumping onto each new floppy disk that was inserted. Today, viruses (and worms too) can spread via a local area network, the Internet, or through the use of infected software on diskettes, recordable CDs, MP3 files, as email attachments, or in any situation in which computers lower their guard and trust each other.
While it is conceivable to catch a virus from electronic gathering places such as electronic bulletin boards or newsgroups, or via email or instant messaging software, viruses also can move about as macros, such as those written in the scripting language used to automate keystrokes in office programs such as Microsoft Word or Excel. As we shall see in Chapter 6, infected ActiveX files from the Web, or even Java code, can also be a source of infection.
Until recently, it was necessary for the user to activate a virus by running a corrupted program, such as opening an attachment to an email. Several email reader programs today have the ability to launch attached software automatically, such as music files or graphics. Attackers have figured out how to program malware into such files. As a result, when the user opens the email, the code executes.
Viruses and worms are often confused with each other. During a 1988 outbreak on the Internet, there was much debate about whether the invader was a virus or a worm. Even though we will discuss worms in a moment, in truth, the difference is somewhat academic. Both viruses and worms can deliver a payload, and because it takes processor time to open and activate them, either can result in system and network slowdowns.
Both viruses and worms can protect themselves by hiding in their host programs, by operating in delayed fashion, or by changing their physical characteristics to avoid detection. Sometimes, as is the case with rootkits, they also attempt to destroy the evidence of their wrongdoing. All this may hinder attempts to control and eradicate the offending code. And again, as is the case with a logic bomb that waits until a particular time or event to fire, some malware just entrenches itself and then lies low until called for by its master. A computer thus infected is often called a zombie.
Stealthy attackers create and collect zombies by running programming scripts that probe for vulnerable computers, using various attacks to corrupt them, and then, at a time of their choosing, call them into play for their own purposes. This practice is so highly automated that many researchers report that an unguarded computer on the Internet is likely to become infected in this manner within a few minutes or hours. And yes, some zombies include code that will erase their malware after execution, making them difficult for experts to trace. Of course, the computer owners are usually completely oblivious to this activity.
4.3.1.1. The history of viruses
According to computer consultant and columnist Rob Rosenberger, the roots of the modern computer virus go back to 1949. This was when computer pioneer John von Neumann presented a paper on the "Theory and Organization of Complicated Automata," in which he postulated that a computer program could reproduce.
Bell Labs employees gave life to von Neumann's theory in the 1950s in a game they called "Core Wars." In this game, two programmers would unleash software "organisms" and watch as they vied for control of the computer. Core Wars was described in three issues of Scientific American in 1983 and 1984. According to some pundits, the code snippets used to illustrate the concepts of this useful game may have provided the first roadmaps to taking viruses out of the arena and into the wild.
This is echoed in science fiction of the day. Gene Spafford of Purdue[*] credits David Gerrold with being the first to use the word "virus" for a computer attack, in Gerrold's science fiction stories about the G.O.D. machine.[*] Spafford describes the origins of the virus:
[*] Eugene H. Spafford, "The Internet Worm Program: An Analysis," Purdue Technical Report CSD-TR-823, West Lafayette (IN), November 29, 1988.
[*] These stories were later combined and expanded into the book When Harlie Was One (Ballantine Books, First Edition, New York (NY), 1972). In later editions of the book, the virus plot was removed.
A subplot in that book described a program named VIRUS created by an unethical scientist. A computer infected with VIRUS would randomly dial the phone until it found another computer. It would then break into that system and infect it with a copy of VIRUS. This program would infiltrate the system software and slow the system down so much that it became unusable (except to infect other machines). The inventor had plans to sell a program named VACCINE that could cure VIRUS and prevent infection, but disaster occurred when noise on a phone line caused VIRUS to mutate so VACCINE ceased to be effective.
In 1984, Ken Thompson described the development of what can be considered the first practical computer virus (though he didn't give it that name).[*] Thompson wrote a self-reproducing program in the C programming language. He modified the program to "learn" new syntax and then planted a Trojan horse (described later) that deliberately miscompiled the Unix login command, enabling him to log into the system as any user. Next, he added a second Trojan horse aimed at the C compiler. After compiling the modified source with the normal C compiler to produce a bugged binary, he installed this binary as the official C, and removed the bugs from the source of the compiler. Then, whenever the new source of the compiler was compiled, the new binary reinserted the bugs. The login command remained bugged, with no trace in the source.
[*] Kenneth Thompson, "Reflections on Trusting Trust,"
A number of people developed computer viruses on IBM PC and Apple II computers (though they were not called viruses) during the early 1980s. (According to Spafford, "Festering Hate" and "Cyberaids" were among the infections.)
Fred Cohen from the University of Southern California was the first to define formally the term "computer virus." (The term was suggested by Cohen's advisor, Len Adleman, after Cohen developed an experimental program for a security seminar.) According to Cohen, a computer virus is:
...a program that can "infect" other programs by modifying them to include a possibly evolved copy of itself. With the infection property, a virus can spread throughout a computer system or network using the authorizations of every user using it to infect their programs. Every program that gets infected may also act as a virus and thus the infection grows.[*]
[*] Fred Cohen, "Computer Viruses: Theory and Experiments,"
In his experiments, Cohen showed how quickly a virus could propagate throughout an entire operating system.
Hundreds of thousands of viruses now inhabit computer systems, particularly in uncontrolled PC environments. Precise calculation is impossible because a generally agreed upon taxonomy of virus types has never come about. Formerly, viruses were often named for the place where they were first discovered (e.g., the Bulgarian Factory of viruses), or for some message displayed by the virus (e.g., the AIDS virus). Examples of early PC viruses include the Brain virus, the Fu Manchu virus, the Icelandic virus, and the Bouncing Ball virus. More recently, as competing teams of virus hunters have tried to eliminate duplication of effort, the names make reference to some distinctive feature in the code of the virus. Examples include SoBig, Code Red, and NIMDA. Even so, they don't always get it right, hence several popular viruses are known by more than one name.[*]
[*] For a full taxonomy, see Eugene H. Spafford, Kathleen A. Heaphy, and David Ferbrache, Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats, ADAPSO, Arlington (VA), 1989. (Order from ADAPSO: (703) 522-5055.)
4.3.2. Worms
A worm is an independent program that reproduces by copying itself in full-blown fashion from one computer to another, usually over a network. Like a virus, a worm compounds the damage it does by spreading rapidly from one site to another. Unlike a virus, which attaches itself to a host program, a worm keeps its independence; it usually doesn't modify other programs. Like a virus, however, a worm can include malicious instructions that cause damage or annoyance, in addition to whatever inconvenience it causes by tying up the resources of the network as it maintains and reproduces itself.
The notion of a worm as a computer intruder apparently dates from John Brunner's 1975 science fiction novel, The Shockwave Rider.[*] In Brunner's book, programs called "tapeworms" lived inside computers, spread from machine to machine, and were "indefinitely self-perpetuating so long as the net exists."
[*] John Brunner,
Around 1980, John Shoch and Jon Hupp, researchers at Xerox Palo Alto Research Center, developed the first experimental worm programs as a research tool. The worms were designed to spread from one computer to another. Shoch and Hupp described their worms as follows:[*]
[*] John F. Shoch and Jon A. Hupp, "The Worm Programs: Early Experience with a Distributed Computation,"
A worm is simply a computation which lives on one or more machines . . . The programs on individual computers are described as the segments of a worm . . . The segments in a worm remain in communication with each other; should one segment fail, the remaining pieces must find another free machine, initialize it, and add it to the worm. As segments (machines) join and then leave the computation, the worm itself seems to move through the network.
The Xerox PARC worms were, on the whole, useful creatures; they handled mail, ran distributed diagnostics, and performed other distributed functions. A few errant, experimental worms did get out of control, however, before a "worm watcher" was added to the network.
The Morris Worm
The worm that took the spotlight may not actually have been a worm at all. It was the creation of Robert Tappan Morris, a 23-year-old doctoral student from Cornell, who on the second of November 1988, at about 6:00 p.m., released a self-replicating bit of code onto the Internet designed to spread itself freely, but to do little else. There was no dangerous payload. It erased no files. It did not attempt to establish accounts with which to exploit other computers. It logged no keystrokes and stole no passwords. It was intended to spread, nothing more, and once it did so, it was pretty much supposed to just lie low in the operating system and let the world go by.
Soon, however, VAX and Sun machines (the only systems targeted) across the country started to bog down. The process load caused by hundreds of instances of the worm running at once used up all the systems' available power, and no other users could log on. Desperate administrators disconnected their equipment from the Internet, or powered down their expensive machines and brought them up again, only to discover that they were quickly reinfected and were often worse off than before.
Had the Morris worm been a true virus, it would have attached itself to some other piece of computer code and remained inert until its host program was called. It also would have had to depend on some action of the user to allow it to spread from system to system. As a worm, however, the program was self-replicating, and required no action on the part of a user to spread. It sought out new victims on its own, and was transmitted to them via the Internet.
Whether virus or worm, a possible flaw in the code caused the code to attach itself very quickly to new processes inside the targeted computer, and then for each of these to attempt to do the same. The result was rapidly expanding numbers of copies of the virus running in the victim computer at the same time, squeezing out legitimate traffic, and rendering the machine useless.
This same scene was replayed at the sites of over 6,000 machines across the country. While no physical damage was caused by the worm, the U.S. General Accounting Office estimated that the worm cost between $100,000 and $10,000,000 due to lost access. Robert Morris was tried and convicted of violating the 1986 Computer Fraud and Abuse Act. After appeals he was sentenced to three years probation, 400 hours of community service, and a fine of more than $10,400. He went on to have a very successful career in computer science and education.
4.3.3. Trojan Horses
A Trojan horse is a code fragment that hides inside a program and performs a disguised function. In classical mythology, a Trojan horse was a large hollow horse made of wood by Odysseus during the Trojan War. The Greeks hid soldiers inside the horse and left it at the gates of Troy. After the Trojans were persuaded to bring the horse inside the gates, the hidden soldiers opened the doors for the rest of the army, which attacked the city and won the war.
In the modern computer world, a Trojan horse hides in an independent program that performs a useful or appealing function, or appears to perform that function. Along with the apparent function, however, the program performs some other unauthorized operation. A typical Trojan horse tricks a user into running a program, often an attractive or helpful one. When the unsuspecting user runs the program, it does indeed perform the expected function. But its real purpose is often to penetrate the defenses of the system by usurping the user's legitimate privileges and thus obtaining information that the penetrator isn't authorized to access. An example of this would be the modern rootkit, which is a script that controls a small suite of programs that create an administrative level account on the targeted system, and then create a backdoor, an unmonitored entrance way that evades the security mechanisms, through which the attacker can later gain convenient access. Trojan horses are often hidden in programs that entice users by displaying information about new system features or by hiding in downloadable applications or games.
Many web site operators today insert Trojan horses that create content that pops up on your screen while you are doing other functions. While the marketers may claim they are merely displaying additional advertisements that may be in sync with what you were currently browsing, what they are actually doing is monitoring your actions, and then sending out codes over your network that pull in content you did not request, and then put it in front of you. For this service they charge the content owner a fee.
Dan Edwards of NSA is credited as being the first to use the term "Trojan horse"[*] in the context of malicious software. One classic Trojan horse attack was described by Dennis M. Ritchie.[*] An attacker wrote a "password grabber" program that simulated the normal login process and ran it on the victim's computer. When an unsuspecting user saw the login: prompt and attempted to log in, the program captured her username and password and transmitted them to whomever was doing the spying. The Trojan then prompted the victim to reenter the username or password, claiming there had been an error, and then shut itself off. The user then ran through the normal login sequence in the ordinary way, but perhaps resolving to take more care in typing. One unpublicized defense against such an attack may have been to enter a curt two-word epithet as the first login attempt, and then to log in normally on the second try.
[*] Morrie Gasser, Building a Secure Computer System, New York (NY), Van Nostrand Reinhold, 1988. Also, Donn B. Parker, "The Trojan Horse Virus and Other Crimoids," in Denning, Peter J., ed., Computers Under Attack: Intruders, Worms, and Viruses, ACM Press, Addison Wesley, Reading (MA), 1990.
[*] Dennis M. Ritchie, "On the Security of UNIX," UNIX System Manager's Manual (SMM), 4.3 Berkeley Software Distribution, University of California, Berkeley (CA), 1986.
Some Trojan horses do not actively interact with the user, but instead simply monitor keystrokes on the keyboard. This technique can seize passwords more readily with less risk of detection. Other versions of this ploy snatch the user's name, credit card numbers, and expiration dates for transmission to a storage facility. The numbers are later tested by placing a small order. If the numbers prove valid, they are sold to unscrupulous customers.
A clever Trojan horse will leave no trace of its presence, may reside indefinitely in unsuspecting software, and may even be programmed to self-destruct before it can be detected.
4.3.4. Bombs
Not all malware goes to work immediately. Attacking code can be stealthier if it just lies low for a while, often using an assumed filename or a filename that is very close to a legitimate system file. Later, the attack can be launched when it is not expected. Sometimes this approach is called a bomb. A bomb is a type of Trojan horse, used to release a virus, a worm, or some other system attack. It's either an independent program or a piece of code that's been planted by a system developer or a programmer. A bomb works by triggering some kind of unauthorized action when a particular date, time, or condition occurs.
Technically, there are two types of bombs: time and logic. A bomb that's set to go off on a particular date or after some period of time has elapsed is called a time bomb. The Friday the 13th Virus, which started doing damage on the first Friday the 13th in 1988, is an example of a time bomb. A bomb that's set to go off when a particular event occurs is called a logic bomb. Software developers have been known to explode logic bombs at key moments after installation, for example, if the customer fails to pay a bill or tries to perform an illicit copy.
A.K. Dewdney described a logic bomb in the French spy novel by Thierry Breton and Denis Beneich, Softwar: La Guerre Douce: [*]
[*] A.K. Dewdney, "A Core War Bestiary of Viruses, Worms, and Other Threats to Computer Memories," Scientific American, Volume 252, Number 3, pp. 14-23, March 1985.
...they spin a chilling yarn about the purchase by the Soviet Union of an American supercomputer. Instead of blocking the sale, American authorities, displaying studied reluctance, agree to the transaction. The computer has been secretly programmed with a "software bomb." Ostensibly bought to help with weather forecasting over the vast territory of the Soviet Union, the machine, or rather its software, contains a hidden trigger; as soon as the U.S. National Weather Service reports a certain temperature at St. Thomas in the Virgin Islands, the program proceeds to subvert and destroy every piece of software it can find in the Soviet network.
4.3.5. Trap Doors
A trap door, or a back door, is a mechanism that's built into a system by its designer. The function of a trap door is to give the designer a way to sneak back into the system, circumventing normal system protection. Unlike a logic bomb, which usually explodes in someone else's system, a trap door gives the original designer a secret route into the software.
Sometimes, programmers leave trap doors (entry points) in a program to allow them to test the program, or monitor its operation, without having to follow what may be cumbersome access rules or security measures. These trap doors also provide a way to get into the program in case there's a problem with the access routines. Although such trap doors are ordinarily removed before the program is shipped to the customer, sometimes they're left in the code by accident or by design.
A trap door is typically activated by the person who planted it. Usually, the means of access is not apparent; for example, an unlikely set of keystrokes or sequence of events, or a particular login. Once the developer gets in through the trap door, he may get special program privileges. In the 1983 movie, War Games, the hero gained access to a NORAD computer system by inadvertently entering a trap door planted by its creator (allowing him to log in without an authorized account), setting off a global thermonuclear war game that became all too real.
Another common example of a trap door, although harmless, is the Easter egg. This is hidden code that can only be actuated by an unlikely set of keystrokes, often while doing a specific task. Typically the egg is a set of credits for the unsung authors of the code who have toiled for months or years in anonymity, and feel they deserve at least a mention. Other times, complete games, MIDI tunes, and photo arcades have been included as a little hidden treasure. Various web sites list current Easter eggs as they are discovered and reported.
4.3.6. Spoofs and Masquerades
A masquerade is a generic name for a program that tricks an unsuspecting user into giving away privileges. Often, the ruse is perpetrated by a Trojan horse mechanism in which an authorized user is tricked into inadvertently running an unauthorized program. (The Trojan horse login described earlier is an example of such an attack.) The program then takes on the privileges of the user and may run amok!
A spoof, on the other hand, is an important technique used for misdirection and concealment. Sometimes, a communication that the sender wishes to transmit anonymously is tagged with a false return address. Spoofing return addresses in this way is one of the techniques used to create unsolicited junk email advertisements (spam) with no way to track down the offending sender.