Wednesday May 23, 2012 4:31 PM AEST

CyberPsychosis

By Logan Booker
10:43 Apr 26, 2005
Tags: hacking | cracking | phreaking | malware | virus | spyware

'Some viruses don't contain destructive payloads ... however, they perform other actions that are deemed malicious such as [attacking] a website. For example, the MyDoom virus earlier this year [2004] caused infected machines to launch a distributed denial of service (DDoS) attack on Microsoft's update website: windowsupdate.com,' says Zatz.

What's disturbing is that, while mass-mailing worms such as Melissa started out as 'benign', or even briefly malignant, as in the case of MyDoom and Code Red, today authors of malicious code are making money from unlearned and even misinformed users. 'Recently ... the motives of a number of virus writers have changed and there are financial incentives. For example, the MiMail worm that infected computers last year [2003] carried a message telling people that their PayPal account had expired and they needed to run an application (attached to the email) to reactivate their account,' says Zatz. 'Instead of sending the account details to PayPal, the details were actually sent to the virus writer who was then able to log into the victim's account and use it.'

[Figure: A simplified diagram of a buffer overflow exploit. On the left is the 'clean' stack. Running the program with the oversized buffer data overflows the buffer and crashes the program. The exploit data placed directly after the overflowed buffer contains a return 'address' pointing at the viral code, which is now on the stack and can be executed.]

MiMail is just the tip of a rather large iceberg. Many worms, including Bagle, and more recently Xombe and Korgo, install 'back doors' into the systems they infect, so that they can be used at a later date. For instance Korgo, after it has infected a system, will try to connect to a number of Internet Relay Chat (IRC) servers. Once it has connected, it can join a channel where the virus writer can monitor and send commands to the infected system. Systems used in such a manner are called 'zombie' PCs - unknowing servants infected with a virus that leaves them at the beck and call of a greater power. It's all very Daleks and Dr Who.

The advantages of such a setup are numerous. The virus writer can access information on the user's system; infected computers can be used to perform a DDoS attack on a website; the systems can be used to mass-mail the virus to other systems; and, perhaps worst of all, the virus writer can sell lists of internet addresses (IPs) of infected systems to less-than-honest companies, who can then use those IPs as mass-mailers, to send spam for goods and services that the recipients almost certainly have no interest in. As systems are disinfected, the lists change, other computers contract the virus, and the cycle continues.

Genocidal viruses
Thanks to Netsky, Bagle and MyDoom, virus activity in the first half of 2004 exceeded that of the entire year of 2003. In fact, AusCERT's 2004 Computer Crime and Security Survey shows that the number of Australian businesses that suffered financial losses from virus attacks rose by almost 15 percent over 2003. 'There were about twice as many serious worm and virus hybrids in circulation between January 2003 and February 2004 ... than for the previous survey period,' it goes on to say.

While all three viruses used a similar means to spread - mainly Simple Mail Transfer Protocol (SMTP) mailing engines - that is not all they have in common. 'One phenomenon we have seen recently is one virus removing another one if it exists. Some of these were dubbed good viruses; however, that is far from the truth,' says Zatz.

'The majority of the time when a virus searches for and removes another virus, it is because the author doesn't want the old one to interfere with their own creation. The authors of MyDoom and Netsky viruses, which have been so prevalent in 2004, appeared to be waging a war against each other at the expense of the internet community.

'To date, there are over 20 variants of each of these viruses and in most cases, one would try to remove the other,' says Zatz. Bagle, when it was released, also attempted to remove traces of Netsky, and vice versa. The 'D' variant of the Blaster worm, called 'Nachi', would not only remove other variants of Blaster, it would also patch the user's system so it could not be re-infected. 'A more recent example is the Sasser worm. Sasser exploited a vulnerability in Microsoft Windows and left a copy of itself on the infected computer. Another virus called Korgo looks to see if the file left by Sasser exists and, if so, it is deleted. The reason for this is because both viruses exploit the same vulnerability in Windows and therefore potentially would interfere with each other,' says Zatz.

[Figure: For every virus released, there are some 20 variants based on the same code or exploit. Visible here in purple is the EPOC. Cabir, the world's first mobile phone virus, discovered by Kaspersky Labs in June. It spreads using Bluetooth wireless technology.]

Bluffing buffers
According to the AusCERT survey, the number of businesses victimised by operating system and software exploits jumped by 31 percent between 2003 and 2004, making exploits such as buffer overflows by far the most popular way to infect a user's system. Buffer overflow exploits, however, are extremely fickle. Making use of a buffer overflow requires detailed knowledge of the product being exploited, as well as an idea of what can be done once the exploit succeeds. This is one of the reasons most virus writers reuse pre-existing, tested exploit code: it lets them spend more time programming the virus itself. First, the virus writer must find an 'unchecked' buffer: a region of memory allotted for a certain chunk of data whose length is never compared against the space reserved for it. Then the writer has to guess how large the buffer is and, byte by byte, fill it until it overflows, usually causing the host application to crash.

Once this happens, the writer can insert their own code, which will be run in place of legitimate code. Where the application is located in memory will determine how much work the virus will have to do in order to perform tasks on the user's system. For example, if the exploited program is responsible for changing user information, then it's a good bet that all the necessary program files will be loaded to make those changes. This means the virus will be smaller, faster and more efficient as it doesn't need to load these files.
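An added illustration in C of the 'unchecked buffer' the article describes (this is not code from the article or from any of the worms it names; the 16-byte buffer and the inputs are constructed): the unbounded copy that creates the defect sits beside a bounds-checked replacement, together with the length check that a defender would want in place.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the Atomic article; BUF_SIZE and the inputs
 * below are constructed for illustration. */
#define BUF_SIZE 16

/* The pattern the article calls an 'unchecked buffer': the bytes written
 * are decided by the input's length, not the buffer's size. Kept only so
 * the defect sits next to the fix; never pass it BUF_SIZE bytes or more. */
void copy_unchecked(char dst[BUF_SIZE], const char *src) {
    strcpy(dst, src); /* writes strlen(src) + 1 bytes whatever BUF_SIZE is */
}

/* The bounds check itself: does src, plus its terminator, fit in dst_size? */
bool fits_in_buffer(const char *src, size_t dst_size) {
    return strlen(src) < dst_size;
}

/* Hardened copy: bounded by the destination size and always NUL-terminated.
 * Returns false if the input had to be truncated, so the caller can reject
 * it rather than silently use a mangled value. */
bool copy_checked(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return false;
    if (!fits_in_buffer(src, dst_size)) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;
    }
    memcpy(dst, src, strlen(src) + 1);
    return true;
}

/* Copy src into a fresh BUF_SIZE buffer with copy_checked and report the
 * stored length, or -1 if the input did not fit and was rejected. */
int checked_store_len(const char *src) {
    char buf[BUF_SIZE];
    return copy_checked(buf, sizeof buf, src) ? (int)strlen(buf) : -1;
}

int main(void) {
    const char *ok = "hello";                         /* 5 bytes: fits */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* 24 bytes: does not */
    printf("'%s' fits: %s\n", ok, fits_in_buffer(ok, BUF_SIZE) ? "yes" : "no");
    printf("%zu-byte input stored length: %d (-1 = rejected)\n",
           strlen(too_long), checked_store_len(too_long));
    return 0;
}
```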

One of the smallest viruses of recent times, Slammer, was a mere 376 bytes in size and took advantage of a buffer overflow exploit in Microsoft's SQL Server. It was transmitted by a single User Datagram Protocol (UDP) packet, and was global in the space of 10 minutes after its release.

This article appeared in the August, 2004 issue of Atomic.
