
CyberPsychosis

By Logan Booker
Apr 26, 2005
Tags: hacking | cracking | phreaking | malware | virus | spyware

Inside malware and the minds who make it.

Today's online world faces an evolving, shadowy epidemic - one that every day looks to break free from its delicate digital quarantine. Logan Booker goes into the mind of the modern virus writer to unveil the secrets that lie within.

One of the more bizarre facets of today's economy is the 'industry of fate', where a company can make money on catastrophic but unlikely events. This industry goes by the more common name of 'insurance', and it is an integral part of our debt-based economy, much like banks, accountants and Rupert Murdoch. Believe it or not, companies such as Symantec, Sophos and Computer Associates are also in the business of shafting fate, with products such as firewalls and anti-virus scanners. These programs protect against viruses that may hit, and attacks from hackers that might never occur.

The difference between your typical insurance policy and network security is that you're a thousand times more likely to fall victim to the latest email worm than to, say, drive your car into someone's house or drop your hair curler into your bathtub. Ironically, a business will invest more in property or liability insurance than in a firewall or anti-virus scanner - perhaps because the loss of tangible business assets is perceived as more crippling than a virus infection.

This, however, is a particularly weak sentiment in the age of global connectivity, considering last year's Blaster worm cost businesses worldwide an estimated US$500 million in damages. What makes this situation even more comical is that there isn't some veteran, 40-year-old computer whiz behind worms such as Blaster - here it's just an 18-year-old kid. A kid still in high school; still looking for the ideal job, passing time by wreaking his own special blend of havoc on the online world. Inexperience makes people like this blind to the repercussions, short of proving themselves to a group of equally immature-minded individuals. What could possibly motivate these young people to create viruses that clog email servers, cause systems to shut down, knock out websites such as Yahoo, Microsoft and Google, and, most disturbing of all, make them money in the most unethical of ways?

Phat and sassy
May this year saw the arrest of 18-year-old German Sven Jaschan, the creator of the infamous Sasser worm that violated millions of internet-connected PCs back in April. Jaschan, who coded the worm in the basement of his parents' house, is also allegedly involved with Skynet, the group of virus writers responsible for the Netsky worm discovered a few months ago, in March. While Netsky spread 'slowly' via email and contained a payload (a timed denial of service attack), Sasser was many times more virulent and spread quickly - but had no actual payload. Despite this, Sasser received considerable media attention - not to mention the eyes, ears and elite disassembling skills of virus software vendors and, of course, Microsoft. Jaschan's notoriety, however, came at a price: he faces an uncertain future at the hands of German authorities, not to mention several large corporations whose online businesses were hampered by his 'test' virus.

It's believed he was double-crossed by his underground compatriots. In August 2003, Jeffery Lee Parson, responsible for coding the second variant of the highly infectious Blaster worm, Blaster-B, was also arrested for his cyber crimes. Like Jaschan, he was 18 years old. However, Parson had no one but himself to blame for his arrest. Code within the variant he wrote not only connected to his own website, but also contained references to his online nickname. In this case, Parson took preexisting viral code and made his own changes. This is an example of a typical virus writer - while they may have a hand when it comes to coding, they're not the sharpest knives in the drawer, relying on what's already available to craft their careers as internet terrorists.

Unfortunately for Parson, it is not an easy career. 'The skill required to write a "successful" virus is quite high,' says Daniel Zatz, Computer Associates' senior security consultant for Australia and New Zealand. 'While most viruses appear to be written by "script kiddies" who generally pinch ideas and code from other authors and then add their own touch to it, the really malicious viruses and worms require in-depth knowledge of operating systems and applications.

'Sometimes one virus author may not know enough to write a virus alone and will team up with someone else in the underground world [that] does have the necessary skills to complete the virus,' says Zatz.

While it's likely Parson will be remembered as a 'script kiddie', Jaschan has forever been immortalised by his father who, on hearing what his son had done, asked: 'Sven, you didn't do anything stupid, did you?' Obviously, Jaschan did not believe what he was doing was stupid - at the time at least - otherwise it's unlikely he'd have done it. This leaves us with the question of 'Why?', and the answer goes deeper than just a simple case of an attention-seeking teen.

The usual suspects
'There hasn't been a lot of research done into the motivations of a virus writer. However, it appears the motivations are changing,' says Zatz. 'Three years ago, the primary motive seemed to be the thrill experienced from writing a program that caused damage and exploited a vulnerability.'

Virus definitions
While the way in which malicious code works and the purposes it serves have changed over the years, the definition of what is a virus, worm or trojan has not.

'By definition, a virus is a program that self-replicates,' says Computer Associates' David Zatz. 'In other words, it tries to create multiple copies of itself either on a single computer or multiple computers.' Considering that replicating code serves little purpose in a legitimate application, the term 'virus' is very appropriate. Viruses can do a number of things, ranging from simply taking up resources to delivering destructive payloads.

Worms are a type of virus. 'Technically speaking ... a virus that copies itself from one computer to another is referred to as a worm,' says Zatz. What differentiates them is their ability to spread independently. A virus tends to latch on to another bit of code - usually a program - and must do so in order to replicate. A worm, on the other hand, is often a piece of self-sustaining code that can infect and replicate by itself. Right now, worms are the most common type of virus.

Finally, there are trojans. Trojans typically do not replicate and must be 'injected' manually into the host machine. A trojan will then allow the would-be hacker to gain access to the infected system easily, using a 'back door', and the trojan itself can record keystrokes, search the system for addresses, banking details and other important information, or allow the system to be used as a mailing proxy or 'zombie' PC in a denial of service attack. It's important to note that some trojans spread using worms, such as the Mitglieder Trojan that spread via variants of the Bagle worm.

Although the term 'virus' was made popular by Fred Cohen in his article Computer Viruses — Theory and Experiments back in the early 1980s, the name itself was coined by Len Adleman, inventor of RSA encryption.

 
This article appeared in the August, 2004 issue of Atomic.
