Examples of Malicious Computer Programs

Table of Contents

the author and distributors of the MBDF virus,

the author of the Anna worm

I hope that when people read this essay and become aware of both the malicious design and good harm caused by computer viruses and worms, readers will urge their legislators:

1. to enact criminal statutes against authors of computer viruses and worms, with penalty to reflect the harm done by those authors, and
2. to allocate more money to the police for finding and arresting the authors of malicious computer programs.

I have not cited a source for each fact mentioned in this essay, because most of these facts have been reported at many different sources, and are well known to computer experts who are familiar with viruses and worms. (I do cite a source for facts that are either not well known or controversial.) Further, this essay is not a formal scholarly document, with numerous citations, but only an informative review intended for attorneys, legislators, the general public, students, businessmen, etc. Some general sources are mentioned later.

Author did not know .

In this hypothetical example, at twenty four hours there would be approximately ten 14 fresh victims, which is a ridiculous extrapolation, because there are only about ten 9 people on the planet earth. But this example clearly shows the rapid growth of a geometric series and why authors of worms should not be astonished when their worm rapidly gets out-of-control. Seen in this context, the criminal defense attorney’s statement that his/her client "did not know . " is not plausible. Actually, the defense attorney’s statement is ludicrous.

Early Examples

Brain virus

Lehigh Virus

Christma Worm

Morris Worm

When Morris understood that his worm was propagating swifter than he had expected, he called a friend at Harvard University. The friend then sent the following anonymous message with a false source address to the TCP-IP mailing list via the Internet: A possible virus report:

There may be a virus liberate on the internet.

Here is the gist of a message I got:

Here are some steps to prevent further transmission:

[three terse suggestions for how to stop the worm omitted here]

Hope this helps, but more, I hope it is a hoax. However, because the Internet was already clogged with copies of his worm or because computers were disconnected from the Internet to avoid infection by the Morris Worm, the message did not arrive until after system administrators had devised their own technologies for removing the worm. Further, the anonymous source, and also the tentative tone (i.e., "possible virus report", "may be a virus liberate", "I hope it is a hoax."), make this message much less helpful than it could have been. If Morris had truly been harmless, he could have faxed the source code for his worm to system administrators at University of California at Berkeley, MIT, Purdue, University of Utah, etc. who were attempting to decompile the worm and understand it. And Morris could have given system administrators authoritative suggestions for how to stop his worm.

Morris evidently never personally explained his intentions or motives in designing and releasing his worm. Some of his defenders have said that Morris did not intend the consequences of his worm. A Cornell University Report by Ted Eisenberg, et al. at pages 17, twenty seven and especially at Appendix 8, [bibliographic citation below], mentions comment lines by Morris in his fifteen Oct one thousand nine hundred eighty eight source code that say:

• "the aim is to infect about three machines per ethernet."
• "Two) methods of violating into other systems."
• "Ten) source code, shell script, or binary-only? latter makes it stiffer to crack once found, but less portable"
• "hitting another system:

1) rsh from local host, maybe after cracking a local password and .

Two) steal his password file, break a password, and rexec."

Such comments emerge as clear indications of criminal intent by Morris. In a seventeen Oct one thousand nine hundred ninety four UseNet posting, Prof. Spafford at Purdue, who has also actually seen the worm’s source code at Cornell that was written by Morris (including the comment lines by Morris that are not present in the decompiled versions), said: The comments in the original code strongly suggested that Robert intended it to behave the way it did – no accidents involved.

Morris was the very first person to be arrested, attempted, and convicted for writing and releasing a malicious computer program. He was found guilty on twenty two Jan one thousand nine hundred ninety and appealed, but the U.S. Court of Appeals upheld the trial court’s decision. The U.S. Supreme Court refused to hear an appeal from Morris.

U.S. v. Morris, nine hundred twenty eight F.2d 504, five hundred six (2dCir. 1991), cert. denied, five hundred two U.S. Eight hundred seventeen (1991).

In addition to this legal penalty, Cornell University suspended him from the University for at least one year. When Morris applied for re-admission a few years later, Cornell refused to accept him. Morris earned his Ph.D. at Harvard University in 1999.

Bibliography on the Morris Worm

MBDF Virus

David S. Blumenthal wrote the virus and inserted it in the three programs. Blumenthal also created an anonymous account on a Cornell computer, so that evidently untraceable file transfers could be made. Mark A. Pilgrim used this anonymous account on fourteen Feb one thousand nine hundred ninety two to upload the three programs to an Internet archive at Stanford University.

Pathogen Virus

Pathogen Perpetrator

Melissa Virus

Many documents about the Melissa virus claim this virus was "relatively harmless" or "benign". That claim is not true. There were a number of distinctly different harms caused by Melissa:

• Documents in Microsoft Word format were automatically sent, using Microsoft Outlook, to fifty people by the Melissa virus. Such automatic transmission could release confidential information from the victim’s computer.

The fact that the Melissa virus could have been more devastating (e.g., by deleting data files from the victim’s computer) is hardly praise for the author of the Melissa virus.

Melissa Perpetrator

On one May 2002, a judge in federal court imposed the following sentence on Smith:

• 20 months in federal prison,
• 36 months of "supervised release" (i.e., probation) after his prison term completes, during which time he can access the Internet only with the permission of his probation officer,
• fined US$ 5100, and
• ordered to serve one hundred hours of "community service" work in the "technological field", perhaps providing lectures in schools about the harmfulness of computer viruses.

Evidently, the 29-month interval inbetween Smith’s guilty prayer and his sentencing (an unusually long interval) was the result of his cooperation with authorities in investigating other malicious computer programs. The authorities did not expose any details of the cooperation, so it is not possible to know what the government got in exchange for more than halving Smith’s prison sentence.

Some documents in Smith’s case have been posted on the Internet:

• Information filed by the U.S. Attorney for the District of Fresh Jersey, charging David Lee Smith with disturbance of eighteen USC § 1030(a)(Five)(A).

feeble penalty

ILOVEYOU Worm

The worm overwrote files from the victims’ hard disk drive, specifically targeting files with extensions:

• *.JPG, *.GIF, and *.WAV, amongst many others (i.e., files containing audio/visual data),
• *.CSS (i.e., cascading style sheets called by HTML Four.0 documents).
• some later versions deleted *.COM or *.EXE files, which prevented the computer from kicking off when rebooted.
• some later versions deleted *.INI files.

The worm overwrote a copy of itself to a file with the name of the original file, appending the extension *.VBS, so the total number of files on the victim’s hard disk would be unswitched and the harm more difficult to instantly detect. Further, if a victim clicked on one of these files, the ILOVEYOU worm would be activated again on that one victim.

The attachment LOVE-LETTER-FOR-YOU.TXT.VBS automatically set the Microsoft Internet Explorer begin page to a URL at a web server in the Philippines, which would download WIN-BUGSFIX.EXE to the victim’s machine.

The worm transmitted itself using features of the earlier Melissa program: scanning the address book in Microsoft Outlook, and then transmitted a copy of the ILOVEYOU e-mail to all of those e-mail addresses. This method of transmission rapidly disseminated the worm to millions of victims. In comparison, Melissa sent copies to only the very first fifty entries in the Microsoft Outlook address book, while ILOVEYOU sent copies to every address in the that victims’ book.

copycat versions of the ILOVEYOU worm

ILOVEYOU Perpetrator

Anna Worm

Perpetrator of Anna Worm

The anti-virus software company F-Secure in Finland identified the author of the Anna worm to police in the Netherlands.

three worms: CodeRed, Sircam, Nimda

CodeRed

Hacked by Chinese! After ten hours, CodeRed again comes back the decent requested webpage. The makeshift unavailability of some webpages will cause concern to webmasters, then the problem will "magically" vanish, frustrating operators of webservers who are attempting to find the problem.

A CERT advisory showcased that CodeRed infected Two.0 × ten Five computers in just five hours on nineteen July 2001, which was a rapid rate of infection and a good example of geometric series mentioned earlier in this essay. CERT said that "at least two hundred eighty thousand hosts were compromised in the very first wave" of attacks on nineteen July 2001.

CodeRed II

Perpetrator of CodeRed

Sircam

[2nd line: one of four choices below]

See you later. Thanks There are four different versions of the 2nd line of the e-mail text:

1. I send you this file in order to have your advice
2. I hope you can help me with this file that I send
3. I hope you like the file that I sendo you
4. This is the file with the information that you ask for

Clicking on the linked file infects the victim with the Sircam worm.

Note: the text of e-mail containing malicious programs often contains ungrammatical text, punctuation errors (e.g., the missing periods in Sircam’s text), or misspelled words, because the author is a non-native speaker of English. Such mistakes in English text in an e-mail evidently from an English-speaking country should alert the reader to the possibility of e-mail from a forged address.

Several anti-virus websites note that there is a bug in the Sircam worm that makes it "very unlikely" that the disk-space-filling and file-deleting will occur. However, the author of Sircam evidently intended those harms to occur.

Perpetrator of SirCam

Nimda

Once every ten days, Nimda searches the hard drive of an infected computer to harvest e-mail addresses from the following sources:

• in-boxes for the user’s e-mail program (e.g., Microsoft Outlook)
• *.HTML and *.HTM files in the user’s web browser cache (also called the Improvised Internet Files folder).

After harvesting e-mail addresses, Nimda selects one of these addresses as the From: address and the remainder as To: addresses, and sends copies of Nimda in an evidently blank e-mail.

On eleven Oct 2001, hundreds of e-mails containing Nimda were sent with forged From: addresses that appeared to originate from the manager of anti-virus research at F-Secure in Finland. Such forged source addresses, whether a deliberate act or whether a random occurrence caused by execution of a malicious program, damages the reputation of guiltless people. (I elaborate on this point later in this essay, in discussing the Klez program.)

Perpetrator of Nimda

BadTrans.B worm

BadTrans.B Perpetrator

sending copies

e-mail with false text

Klez Perpetrator

my 2nd essay

Economic Harm

There is no definite information on the exact cost of recovering from an epidemic of a malicious program.

Related video: