Examples of Malicious Computer Programs

  • the author and distributors of the MBDF virus,
  • the author of the Anna worm
  • I hope that when people read this essay and become aware of both the malicious design and the great harm caused by computer viruses and worms, readers will urge their legislators:

    1. to enact criminal statutes against authors of computer viruses and worms, with penalty to reflect the harm done by those authors, and
    2. to allocate more money to the police for finding and arresting the authors of malicious computer programs.

    I have not cited a source for each fact mentioned in this essay, because most of these facts have been reported at many different sources, and are well known to computer experts who are familiar with viruses and worms. (I do cite a source for facts that are either not well known or controversial.) Further, this essay is not a formal scholarly document, with numerous citations, but only an informative review intended for attorneys, legislators, the general public, students, businessmen, etc. Some general sources are mentioned later.

    Author did not know .

    In this hypothetical example, at 24 hours there would be approximately 10^14 new victims, which is a ridiculous extrapolation, because there are only about 10^9 people on the planet Earth. But this example clearly shows the rapid growth of a geometric series and why authors of worms should not be astonished when their worm rapidly gets out of control. Seen in this context, the criminal defense attorney's statement that his/her client "did not know . " is not plausible. Actually, the defense attorney's statement is ludicrous.

    Early Examples

    Brain virus

    Lehigh Virus

    Christma Worm

    Morris Worm

    When Morris understood that his worm was propagating faster than he had expected, he called a friend at Harvard University. The friend then sent the following anonymous message with a false source address to the TCP-IP mailing list via the Internet:

    A possible virus report:

    There may be a virus loose on the internet.

    Here is the gist of a message I got:

    Here are some steps to prevent further transmission:

    [three terse suggestions for how to stop the worm omitted here]

    Hope this helps, but more, I hope it is a hoax.

    However, because the Internet was already clogged with copies of his worm, or because computers were disconnected from the Internet to avoid infection by the Morris Worm, the message did not arrive until after system administrators had devised their own techniques for removing the worm. Further, the anonymous source, and also the tentative tone (i.e., "possible virus report", "may be a virus loose", "I hope it is a hoax."), make this message much less helpful than it could have been. If Morris had truly been innocent, he could have faxed the source code for his worm to system administrators at the University of California at Berkeley, MIT, Purdue, the University of Utah, etc., who were attempting to decompile the worm and understand it. And Morris could have given system administrators authoritative suggestions for how to stop his worm.

    Morris evidently never personally explained his intentions or motives in designing and releasing his worm. Some of his defenders have said that Morris did not intend the consequences of his worm. A Cornell University Report by Ted Eisenberg, et al., at pages 17, 27 and especially at Appendix 8 [bibliographic citation below], mentions comment lines by Morris in his 15 Oct 1988 source code that say:

    • "the aim is to infect about three machines per ethernet."
    • "2) methods of breaking into other systems."
    • "10) source code, shell script, or binary-only? latter makes it harder to crack once found, but less portable"
    • "hitting another system:
      1) rsh from local host, maybe after cracking a local password and .
      2) steal his password file, break a password, and rexec."

    Such comments appear to be clear indications of criminal intent by Morris. In a 17 Oct 1994 UseNet posting, Prof. Spafford at Purdue, who has actually seen the worm's source code at Cornell that was written by Morris (including the comment lines by Morris that are not present in the decompiled versions), said:

    The comments in the original code strongly suggested that Robert intended it to behave the way it did – no accidents involved.

    Morris was the first person to be arrested, tried, and convicted for writing and releasing a malicious computer program. He was found guilty on 22 Jan 1990 and appealed, but the U.S. Court of Appeals upheld the trial court's decision. The U.S. Supreme Court refused to hear an appeal from Morris.

    U.S. v. Morris, 928 F.2d 504, 506 (2d Cir. 1991), cert. denied, 502 U.S. 817 (1991).

    In addition to this legal penalty, Cornell University suspended him from the University for at least one year. When Morris applied for re-admission a few years later, Cornell refused to accept him. Morris earned his Ph.D. at Harvard University in 1999.

    Bibliography on the Morris Worm

    MBDF Virus

    David S. Blumenthal wrote the virus and inserted it in the three programs. Blumenthal also created an anonymous account on a Cornell computer, so that apparently untraceable file transfers could be made. Mark A. Pilgrim used this anonymous account on 14 Feb 1992 to upload the three programs to an Internet archive at Stanford University.

    Pathogen Virus

    Pathogen Perpetrator

    Melissa Virus

    Many documents about the Melissa virus claim this virus was "relatively harmless" or "benign". That claim is not true. There were a number of distinctly different harms caused by Melissa:

    • Documents in Microsoft Word format were automatically sent, using Microsoft Outlook, to fifty people by the Melissa virus. Such automatic transmission could release confidential information from the victim’s computer.

    The fact that the Melissa virus could have been more devastating (e.g., by deleting data files from the victim’s computer) is hardly praise for the author of the Melissa virus.

    Melissa Perpetrator

    On 1 May 2002, a judge in federal court imposed the following sentence on Smith:

    • 20 months in federal prison,
    • 36 months of "supervised release" (i.e., probation) after his prison term completes, during which time he can access the Internet only with the permission of his probation officer,
    • fined US$ 5100, and
    • ordered to serve one hundred hours of "community service" work in the "technological field", perhaps providing lectures in schools about the harmfulness of computer viruses.

    Evidently, the 29-month interval between Smith's guilty plea and his sentencing (an unusually long interval) was the result of his cooperation with authorities in investigating other malicious computer programs. The authorities did not disclose any details of the cooperation, so it is not possible to know what the government got in exchange for more than halving Smith's prison sentence.

    Some documents in Smith’s case have been posted on the Internet:

    • Information filed by the U.S. Attorney for the District of New Jersey, charging David Lee Smith with violation of 18 USC § 1030(a)(5)(A).

    weak penalty

    ILOVEYOU Worm

    The worm overwrote files from the victims’ hard disk drive, specifically targeting files with extensions:

    • *.JPG, *.GIF, and *.WAV, amongst many others (i.e., files containing audio/visual data),
    • *.CSS (i.e., cascading style sheets called by HTML 4.0 documents),
    • some later versions deleted *.COM or *.EXE files, which prevented the computer from starting when rebooted,
    • some later versions deleted *.INI files.

    The worm overwrote each targeted file with a copy of itself, under the name of the original file with the extension *.VBS appended, so the total number of files on the victim's hard disk would be unchanged and the harm more difficult to detect immediately. Further, if a victim clicked on one of these files, the ILOVEYOU worm would be activated again on that same victim.
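    The renaming trick just described leaves a recognisable trace: a data filename with .VBS appended, and the original data file gone. The following defender-side check is an added example, not code from this essay; it flags such double-extension names in a directory listing and reports whether the original file is missing, using the extension list the essay gives (plus .TXT, from the attachment name) and a constructed sample listing.

```python
import os
from pathlib import PurePath

# File types the essay says ILOVEYOU overwrote, plus .txt (from the attachment
# name LOVE-LETTER-FOR-YOU.TXT.VBS). Assumed list; the real worm targeted more.
DISGUISE_EXTS = {".jpg", ".gif", ".wav", ".css", ".com", ".exe", ".ini", ".txt"}
SCRIPT_EXT = ".vbs"

def is_double_extension_payload(name: str) -> bool:
    """True for 'photo.jpg.vbs'-style names: a script extension appended to a
    data filename. Windows Explorer hides known extensions by default, so such
    a file is shown as 'photo.jpg', which is what made the trick effective."""
    suffixes = PurePath(name.lower()).suffixes
    return len(suffixes) >= 2 and suffixes[-1] == SCRIPT_EXT and suffixes[-2] in DISGUISE_EXTS

def scan_listing(names):
    """Check one directory listing (bare filenames).

    Returns (suspicious, originals_missing): names matching the pattern, and
    the subset whose original (name minus .vbs) is absent from the listing.
    A missing original matches the behaviour the essay describes: the data
    file was overwritten and renamed, so the file count stayed the same."""
    present = {n.lower() for n in names}
    suspicious = sorted(n for n in names if is_double_extension_payload(n))
    originals_missing = [n for n in suspicious
                         if n.lower()[:-len(SCRIPT_EXT)] not in present]
    return suspicious, originals_missing

def scan_directory(root: str):
    """Walk a real directory tree and apply scan_listing to each directory."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        suspicious, missing = scan_listing(files)
        if suspicious:
            findings[dirpath] = (suspicious, missing)
    return findings

# Constructed sample listing (not taken from any real infection).
SAMPLE_LISTING = [
    "holiday.jpg.vbs",                        # overwritten photo: original gone
    "site.css.vbs", "site.css",               # copy beside original: count changed
    "LOVE-LETTER-FOR-YOU.TXT.VBS",            # the e-mail attachment itself
    "report.doc", "song.wav", "helper.vbs",   # benign or single-extension names
]

if __name__ == "__main__":
    suspicious, missing = scan_listing(SAMPLE_LISTING)
    print("suspicious:", suspicious)
    print("originals missing:", missing)
```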

    The attachment LOVE-LETTER-FOR-YOU.TXT.VBS automatically set the Microsoft Internet Explorer start page to a URL at a web server in the Philippines, which would download WIN-BUGSFIX.EXE to the victim's machine.

    The worm transmitted itself using features of the earlier Melissa program: scanning the address book in Microsoft Outlook, and then sending a copy of the ILOVEYOU e-mail to all of those e-mail addresses. This method of transmission rapidly disseminated the worm to millions of victims. In comparison, Melissa sent copies to only the first fifty entries in the Microsoft Outlook address book, while ILOVEYOU sent copies to every address in the victim's address book.

    copycat versions of the ILOVEYOU worm

    ILOVEYOU Perpetrator

    Anna Worm

    Perpetrator of Anna Worm

    The anti-virus software company F-Secure in Finland identified the author of the Anna worm to police in the Netherlands.

    three worms: CodeRed, Sircam, Nimda

    CodeRed

    Hacked by Chinese! After ten hours, CodeRed again returns the proper requested webpage. The temporary unavailability of some webpages will cause concern to webmasters, then the problem will "magically" vanish, frustrating operators of webservers who are attempting to find the problem.