

Computer Viruses and Worms
Dragan Lojpur
Zhu Fang

Definition of Virus

A virus is a small piece of software that piggybacks on real programs in order to get executed.

Once it’s running, it spreads by inserting copies of itself into other executable code or documents.

Computer Virus Timeline

1949
Theories for self-replicating programs are first developed.

1981
Apple Viruses 1, 2, and 3 are some of the first viruses “in the wild,” or in the public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.

1983
Fred Cohen, while working on his dissertation, formally defines a computer virus as “a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself.”

1986
Two programmers named Basit and Amjad replace the executable code in the boot sector of a floppy disk with their own code, designed to infect each 360 KB floppy accessed on any drive. Infected floppies had “© Brain” as their volume label.

1987
The Lehigh virus, one of the first file viruses, infects command.com files.

1988
One of the most common viruses, Jerusalem, is unleashed. Activated every Friday the 13th, the virus affects both .exe and .com files and deletes any programs run on that day.
MacMag and the Scores virus cause the first major Macintosh outbreaks.




Worms

Worm: a self-replicating program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; a worm, however, is self-contained and does not need to be part of another program to propagate itself.

History of Worms

The first worm to attract wide attention, the Morris worm, was written by Robert Tappan Morris, who at the time was a graduate student at Cornell University.

It was released on November 2, 1988.

Morris himself was convicted under the US Computer Crime and Abuse Act and received three years’ probation, community service and a fine in excess of $10,000.

Xerox PARC

Worms…

Worm: a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there as well.

Worms are often designed to exploit the file transmission capabilities found on many computers.

Zombies

Infected computers, mostly Windows machines, are now the major delivery method of spam.

Zombies have been used extensively to send e-mail spam; between 50% and 80% of all spam worldwide is now sent by zombie computers.


Money flow

Pay per click

Typical things that some current Personal Computer (PC) viruses do

Display a message

Erase files

Scramble data on a hard disk

Cause erratic screen behavior

Halt the PC

Many viruses do nothing obvious at all except spread!

Distributed Denial of Service

A denial-of-service attack is an attack that causes a loss of service to users, typically the loss of network connectivity and services, by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.

How does it work?

The flood of incoming messages to the target system essentially forces it to shut down, thereby denying legitimate users service from the system.

Victim's IP address.

Victim's port number.

Attacking packet size.

Attacking interpacket delay.

Duration of attack.
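The items listed above are the attacker-side knobs of a flood; the victim network sees them as a packet rate per source, a duration and a byte volume. As an added example (not code from the original presentation), the Python below bins a constructed packet log per source and per second and flags any source that exceeds a packets-per-second threshold, reporting its peak rate, how long it stayed above the threshold and how many bytes it sent. The log line format, the threshold of 100 packets per second and the addresses (taken from documentation ranges) are assumptions made for this example.

```python
"""Per-source packet-rate check over a constructed packet log.

Added example for the denial-of-service slides; not code from the original
presentation. The log format (one packet per line:
"<epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes>"), the threshold and
the addresses are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    size: int


def parse_line(line: str) -> Packet:
    """Parse one log line in the assumed format into a Packet."""
    ts, src, dst, dport, size = line.split()
    return Packet(float(ts), src, dst, int(dport), int(size))


def detect_floods(lines, pps_threshold=100, bucket_s=1.0):
    """Count packets per source per time bucket and flag sources that exceed
    pps_threshold in at least one bucket.

    Returns {src: (peak_pps, seconds_over_threshold, total_bytes)}; the three
    values are the victim-side view of inter-packet delay, attack duration
    and packet size.
    """
    counts = defaultdict(lambda: defaultdict(int))  # src -> bucket -> packets
    byte_totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        p = parse_line(line)
        counts[p.src][int(p.ts // bucket_s)] += 1
        byte_totals[p.src] += p.size

    flagged = {}
    for src, buckets in counts.items():
        hot = [b for b, n in buckets.items() if n > pps_threshold]
        if hot:
            peak_pps = max(buckets.values()) / bucket_s
            flagged[src] = (peak_pps, len(hot) * bucket_s, byte_totals[src])
    return flagged


def constructed_log():
    """Constructed sample, not captured traffic: one source sends 60-byte
    packets every 5 ms for 1.5 s (200 pps); two other sources send a few
    normal requests in the same period."""
    base = 1_700_000_000.0
    lines = [f"{base + i * 0.005:.3f} 203.0.113.5 198.51.100.10 80 60"
             for i in range(300)]
    for i in range(5):
        lines.append(f"{base + i * 0.3:.3f} 198.51.100.7 198.51.100.10 80 512")
        lines.append(f"{base + i * 0.25:.3f} 192.0.2.44 198.51.100.10 443 1200")
    return lines


if __name__ == "__main__":
    for src, (pps, secs, nbytes) in detect_floods(constructed_log()).items():
        print(f"{src}: peak {pps:.0f} pps, {secs:.0f} s over threshold, {nbytes} bytes")
```

With the constructed log, only 203.0.113.5 is flagged: 200 packets land in the first one-second bucket and 100 in the second, so the peak is 200 pps and exactly one bucket exceeds the threshold. A fixed per-source threshold is the simplest possible rule; a distributed attack spreads the load over many sources, so a production check would also aggregate by destination port and compare against a baseline rate.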

MyDoom – SCO Group DDoS

MyDoom

26 January 2004:
The Mydoom virus is first identified around 8am. Computer security companies report that Mydoom is responsible for approximately one in ten e-mail messages at this time. It slows overall internet performance by approximately ten percent and average web page load times by approximately fifty percent.

MyDoom…

27 January:
SCO Group offers a US $250,000 reward for information leading to the arrest of the worm's creator.

1 February:
An estimated one million computers around the world infected with Mydoom begin the virus's massive distributed denial of service attack, the largest such attack to date.

2 February:
The SCO Group moves its site to www.thescogroup.com.



Executable Viruses

Traditional Viruses

Pieces of code attached to a legitimate program

Run when the legitimate program gets executed

Load themselves into memory and look around to see if they can find any other programs on the disk

Boot Sector Viruses

Traditional Virus

Infect the boot sector on floppy disks and hard disks

By putting its code in the boot sector, a virus can guarantee it gets executed

Loads itself into memory immediately, and is able to run whenever the computer is on

Decline of traditional viruses

Reasons:

Huge size of today’s programs, which are distributed on compact disks

Operating systems now protect the boot sector

E-mail Viruses

Move around in e-mail messages

Replicate by automatically mailing themselves to dozens of people in the victim’s e-mail address book

Examples: Melissa virus, ILOVEYOU virus



Melissa virus

March 1999: the Melissa virus was the fastest-spreading virus ever seen

Someone created the virus as a Word document uploaded to an Internet newsgroup

People who downloaded the document and opened it would trigger the virus

The virus would then send the document in an e-mail message to the first 50 people in the person's address book

Took advantage of the programming language built into Microsoft Word called VBA (Visual Basic for Applications)
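Melissa spread because opening the document ran its VBA project, so a defender wants to know whether a Word file carries one before anybody opens it. As an added example (not code from the original presentation), the Python below answers that question for both Word formats: a Word 2007+ package is a zip whose macro project is the part word/vbaProject.bin, declared with a macroEnabled content type, and a Word 97-2003 file is an OLE2 compound file whose directory entry names are stored in UTF-16LE, with the VBA project under the "Macros" storage. The OLE2 check is a byte-search heuristic rather than a full directory parse, and the sample files are constructed in memory rather than real documents.

```python
"""Check whether a Word document carries a VBA project before it is opened.

Added example for the Melissa slides; not code from the original
presentation. The Word 2007+ check reads the zip package; the Word 97-2003
check is a byte-search heuristic for the UTF-16LE directory names a VBA
project creates, not a full OLE2 directory parse. Sample files are
constructed in memory.
"""
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ZIP_MAGIC = b"PK\x03\x04"
# UTF-16LE directory names that a VBA project inside a .doc creates.
OLE_VBA_NAMES = [n.encode("utf-16-le") for n in ("Macros", "_VBA_PROJECT")]


def scan_document(data: bytes) -> dict:
    """Return {"container": ..., "has_macros": bool, "evidence": [...]}."""
    if data.startswith(ZIP_MAGIC):
        return _scan_ooxml(data)
    if data.startswith(OLE2_MAGIC):
        return _scan_ole2(data)
    return {"container": "unknown", "has_macros": False, "evidence": []}


def _scan_ooxml(data: bytes) -> dict:
    evidence = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            evidence += [f"zip part {n}" for n in names
                         if n.lower().endswith("vbaproject.bin")]
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if "macroEnabled" in ct:
                    evidence.append("macroEnabled content type")
    except zipfile.BadZipFile:
        # Unparseable package: report it, but do not claim a macro finding.
        return {"container": "ooxml", "has_macros": False,
                "evidence": ["zip container could not be parsed"]}
    return {"container": "ooxml", "has_macros": bool(evidence), "evidence": evidence}


def _scan_ole2(data: bytes) -> dict:
    found = [n for n in OLE_VBA_NAMES if n in data]
    evidence = [f"UTF-16LE name {n.decode('utf-16-le')!r}" for n in found]
    return {"container": "ole2", "has_macros": bool(found), "evidence": evidence}


def build_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal Word package (real documents have many more parts)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
               else "application/vnd.openxmlformats-officedocument"
                    ".wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def build_ole2(with_macros: bool) -> bytes:
    """Constructed stand-in for a .doc: genuine header signature, zero padding,
    then the directory names a macro-carrying file contains. Not a valid
    compound file, only enough to exercise the heuristic."""
    body = bytearray(OLE2_MAGIC + b"\x00" * 504)
    if with_macros:
        body += "Macros".encode("utf-16-le") + b"\x00" * 8
        body += "_VBA_PROJECT".encode("utf-16-le")
    return bytes(body)


if __name__ == "__main__":
    for label, blob in (("docm", build_ooxml(True)), ("docx", build_ooxml(False)),
                        ("doc+vba", build_ole2(True)), ("doc", build_ole2(False))):
        print(label, scan_document(blob))
```

The zip check is reliable because the package format names the macro part explicitly; the OLE2 check only looks for the directory names and will miss a file whose names have been altered, which is why mail gateways parse the compound file directory properly and, more simply, block or quarantine macro-enabled attachments outright.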

Prevention

Updates

Anti-Viruses

More secure operating systems, e.g. UNIX
