
Viruses, Worms, Trojans.

Where are we going?

Absurd opinions by: IcE tRe

Past Viruses
Elk Cloner
Stoned
Michelangelo / Media Darlings
Good Times virus

Elk Cloner
The program with personality.
It will get on all your disks.
It will infiltrate your chips.
Yes, it's Cloner!
It will stick to you like glue.
It will modify RAM too.
Send in the Cloner!

First virus seen in the wild.
Written for and run on the Apple ][.
No damaging payload.
No real threat.

Stoned
Simple boot-block virus.
Its code is the basis of most later boot-block viruses, including Monkey, which was much more damaging.
No real damaging payload.
Cute messages displayed at boot, much like Elk Cloner.

Michelangelo / Media Darlings

Few infections of the actual virus were seen.
The media attention did more damage than the virus itself ever could.
The press created unrealistic expectations of what the virus would do, then crashed those expectations, so later warnings were not taken seriously.
Almost no actual damage occurred, contrary to press predictions.
Result: the first virus to receive that kind of attention, and arguably the last. This can be seen as both good and bad.

Good Times

Recent Viruses

Nimda
My Doom
Sasser
MS Blaster

Nimda
The Good
Multi-vector virus: it uses damn near any method it can get hold of to proliferate, even file shares!
Fairly intelligent: walks the filesystem looking for anything it can use.
Infects websites, changing the index page to refer to an infected file, which loads the virus. The website looks the same, but loads the virus. SMART!!!

The Bad
Once again, no ambition: it just proliferates. It really doesn't do much of anything other than spread.
I mean seriously, what if Nimda had a nasty payload, say something simple but damaging, like destroying the filesystem on the hard drive?
Wow, considering how widespread this virus was, there'd be a lot of people with bad HDDs.

My Doom
The Good
In my opinion, about as good a virus as Blaster.
Opens a backdoor; this could be useful!
Spreads through email and Kazaa.
DDoSes SCO... Good, they deserve it!
Expiration date: great idea, really. These things don't live forever, and there's a good reason for it. Why assume, as the writer, that it's going to live forever?
Diversionary tactic! Load Notepad and show garbage!

The Bad
I mean really, is it actually necessary to have 71 ports open for your backdoor? S'allright, I am sure no one will notice anyway...
Polymorphism: is it really that hard to change the data in the virus enough that it is not detected by simple regexes on the mail server?
Still a real lack of ambition here. While SCO is a worthy cause, I mean really, is this all we can come up with? Retaliatory attacks on a terrible company?

Sasser
The Good
Similar to Blaster: used an LSASS vulnerability to overcome the system. Same conditions, really: it just needs a machine that's on the network and alive and kicking.
Written in C++. Wow! It's like an actual program and shit!

The Bad
Yes, while similar to Blaster, it's just lame. It uses what could be a potentially invisible hole in the user subsystem and then makes little to no attempt to hide itself from the end user.
The exploit causes an alert to the user about LSASS crashing. Well, there goes low profile...
Opens FTP on port 5554. Eeek!
Opens a shell on port 9996. However will the target's ISP ever find us?
FTP sessions are logged in C:\win.log. Great, why not leave your name and phone number at the beep while you're at it?
Rather quick infection times, estimated at 8 minutes to encompass the globe. Impressive at first, but with rates like this, how long did it take before CNN reported on it?

MS Blaster
The Good
Requires nothing other than a vulnerable machine and a network connection.
Incredibly prolific: took very little time to spread across the world.
Opens a backdoor.
Used mostly already-busy ports to proliferate, i.e. 445 and 135, so even when it was noticed that something was up, it was very hard to determine what it was.

The Bad
So prolific that it called attention to itself, both in the sessions it spawned and in network traffic spikes.
No real payload other than a lame DDoS that was mitigated at the DNS level by most ISPs.
Left a backdoor open on a noticeable port (4444).
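The Blaster and Sasser slides make two detection points: propagation on 135/445 hides among legitimate RPC/SMB traffic, yet the sheer number of sessions spawned gives the worm away, and the backdoor ports (4444, 5554, 9996) are plainly noticeable. The following is an added example, not code from the original slides, showing both checks run over connection records: a sliding-window fan-out count on the propagation ports (a host touching dozens of distinct peers in a minute is scanning, a few is normal) and a straight match on the backdoor ports the slides cite. The record format, the thresholds and the sample flows are constructed assumptions for illustration.

```python
"""Worm-style scan and backdoor-port detection over connection records.

Added example (not from the original slides). The flow records below are
constructed for illustration; the port numbers are the ones the slides cite:
135/445 (Blaster/Sasser propagation), 4444 (Blaster shell), 5554/9996
(Sasser FTP and shell) and 3127-3198 (MyDoom backdoor range).
"""
from collections import defaultdict
from dataclasses import dataclass

# Ports the slides associate with worm backdoors. Assumption: in practice you
# would load this from threat intel rather than hard-code it.
BACKDOOR_PORTS = {4444: "Blaster shell", 5554: "Sasser FTP", 9996: "Sasser shell"}
BACKDOOR_PORTS.update({p: "MyDoom backdoor" for p in range(3127, 3199)})

# Propagation ports that are also heavily used legitimately (RPC/SMB).
# Matching on them alone is useless; fan-out per source is what matters.
PROPAGATION_PORTS = {135, 445}


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since start of capture
    src: str
    dst: str
    dport: int


def parse_flows(lines):
    """Parse constructed 'ts src dst dport' whitespace-separated records."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport)))
    return flows


def detect_scanners(flows, window=60.0, threshold=20):
    """Return {src: peak distinct-destination count} for sources whose fan-out
    on the propagation ports reaches `threshold` inside any `window` seconds.
    A workstation talking RPC/SMB to a few servers is normal; one touching
    dozens of distinct hosts in a minute is a worm scanning for victims."""
    per_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport in PROPAGATION_PORTS:
            per_src[f.src].append((f.ts, f.dst))
    hits = {}
    for src, events in per_src.items():
        best, left = 0, 0
        live = defaultdict(int)  # dst -> occurrences inside the window
        for ts, dst in events:
            live[dst] += 1
            # Slide the window: drop events older than `window` seconds.
            while events[left][0] < ts - window:
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            best = max(best, len(live))
        if best >= threshold:
            hits[src] = best
    return hits


def detect_backdoor_use(flows):
    """Return (src, dst, port, label) for connections to known backdoor ports.
    High confidence, but it only fires after infection has already happened."""
    return [(f.src, f.dst, f.dport, BACKDOOR_PORTS[f.dport])
            for f in flows if f.dport in BACKDOOR_PORTS]


# Constructed sample: 10.0.0.5 sweeps forty hosts on 135 in twenty seconds,
# 10.0.0.9 is a normal client, and an outside host then connects to the
# Blaster and Sasser backdoor ports on two internal machines.
SAMPLE = "\n".join(
    [f"{i * 0.5:.1f} 10.0.0.5 10.0.1.{i} 135" for i in range(1, 41)]
    + ["5.0 10.0.0.9 10.0.0.1 445", "6.0 10.0.0.9 10.0.0.2 445",
       "30.0 203.0.113.7 10.0.0.5 4444",
       "31.0 203.0.113.7 10.0.0.8 5554"]
).splitlines()

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("scanners:", detect_scanners(flows))
    print("backdoor:", detect_backdoor_use(flows))
```

The two detectors are complementary: the fan-out count catches the worm while it is still spreading, which is the noise the Blaster slide says gave it away, while the backdoor-port match is the "name and phone number at the beep" the Sasser slide mocks, reliable but after the fact. Tune `threshold` against a baseline of your own RPC/SMB traffic before trusting it; domain controllers and backup servers legitimately fan out widely.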

[Diagram (MS Blaster): a network of hosts, each one labelled "Infected!"]

Viruses in the Future

The main problem with today's viruses is simple greed. Attracting too much attention too quickly usually ends up alerting both the users and the media. They could really turn that to their advantage.

In the Future

[Diagram: a worm that scans each host for several vulnerabilities instead of one. Labels: "Scan host A for vulnerability 1." (Infected!), "Scan host B for vulnerability 2" (Host B has been patched and can not be infected), "Scan host C for vulnerability 1", "Scan host C for vulnerability 3" (Infected!).]

