CSC 379: Ethics in Computing  
  Summer II 2006  
 
 
 
 
   
   
   
   
  COURSE OVERVIEW  
  This course is a survey of the ethical issues involved in computing. It discusses the way that computers and software pose new ethical questions or pose new versions of standard moral problems and dilemmas. It stresses case studies that relate to ethical theory.  
     
  INSTRUCTOR  
  Edward F. Gehringer
Office: 2301 Partners I
(919) 515-2066
Office hours:
MW 2:45-3:45
efg@ncsu.edu
 
     
  TEACHING ASSISTANT  
  Ahmed Bakir
abakir@ncsu.edu
919-641-6642
 
 
   
Lecture 8: Malware
 
   

2004 was the worst in history for malware, a collective name for software designed to damage a system. New worm variants increased 400% over 2003, which was already a bad year, with the Slammer worm, the fastest-spreading intruder in Internet history, infecting an estimated 90% of vulnerable hosts within 10 minutes. In the first half of 2005, the number of malware attacks declined, but there was a rise in the number of attacks that exposed confidential information. Year-end statistics showed fewer viruses but more worms than in 2004.

The three main kinds of malware are worms, viruses, and Trojan horses. A worm is a program that propagates over a network, reproducing itself as it goes, without any action on the part of the computer user. Most modern worms propagate by e-mail. Then there is the virus, a program that, when run, incorporates copies of itself into other programs. Finally, there is the Trojan horse, a program that performs some apparently useful function while containing hidden code that performs a usually malicious action.

A long history. Each of these types of malware has a long history. Worms have been around since the middle 1970s, when a network of computers in a Silicon Valley research center was taken over by a program that loaded itself onto an idle workstation, disabled the keyboard, drew random pictures on the screen, and monitored the network for other idle workstations to invade. The network had to be shut down to restore normal operation. Viruses were born in 1983, when Fred Cohen, a Ph.D. student at the University of Southern California, presented theoretical work and several experiments that showed that viruses could spread even in the most "secure" computer networks. Even before that, two science-fiction books, Thomas Brunner's Shockwave Rider and Thomas Ryan's Adolescence of P-1, described worlds where a piece of software could copy itself from one computer to another while escaping detection.

In early September 1986, an unauthorized user logged on to a large number of computer systems in the San Francisco area. He first broke into a mail gateway system that had a guest account with the password "guest". He then became a superuser, which he was able to do because /usr/spool/at was unprotected. It was easy to trick the operating system into executing privileged commands by storing them in that directory. Then he could assume the identity of anyone on the system. He then went through .rlogin files and used them to break into other accounts. He left behind a recompiled login program so he could log in more easily later, but didn't do any damage at all. This was a Trojan horse; the useful function was logging in authorized users. The hidden code gave the intruder full access to the systems.

In today's world, the three kinds of malware often work together. One week after the September 11, 2001 terrorist attack, computer systems worldwide were attacked by Nimda. It struck both servers and desktop machines via e-mail and Web browsers. The damage was so severe that within three days, the White House and Department of Defense were meeting with security experts and anti-virus companies to dissect it. What made Nimda so unique is that it blended all three kinds of malware. Nimda self-propagated by e-mail, making it a worm. It was a virus, because when run, it incorporated a copy of itself into other programs. And it turned Web pages on infected servers into Trojan horses, using them to propagate to the machines of people who visited them.

SoBig opened a fourth line of attack, by exploiting compromised hosts to send spam. It was soon copied by Mimail, which could spread to unpatched systems without any action on the part of the user. One of the latest attacks, Bobax, tests Internet connections to see if they are fast enough to spam effectively. As we read in Lecture 2, up to 80% of spam is now sent by zombies, allowing spammers to evade punitive action by their ISPs.

Milestones in malware. Worms first came to public attention in November 1988, when thousands of Internet hosts were hit by Robert Morris's Internet worm. At the time, Morris was a graduate student at Cornell. His exploit made the front page of the New York Times, and the Computer Virus Industry Association estimated the damage at $96 million, a figure that may have been seriously inflated. The damage was basically confined to the United States, because only a few overseas sites were directly connected at that time.

The first PC virus was Brain, written in Pakistan in 1986. It was a boot-sector virus that infected only 360 KB diskettes. Diskettes were the predominant mode of transmission. In those days, a virus would take months to spread around the globe. Viruses targeted operating systems and attached themselves to application programs.

The first virus to attach itself to a document was a Word macro virus written in the fall of 1994 by a certain Joel McNamara. It was totally benign, and he kept it under wraps until a real Word virus, the Concept macro virus, was discovered in 1995. Then he revealed it. Releasing even a benign virus can be dangerous, since Word macro viruses are easy to modify. Such viruses were the first cross-platform viruses. Because documents in Microsoft Office can be opened on any recent version of Windows or Macintosh OSs, Word and Excel macro viruses can move from platform to platform with ease.

The first virus to propagate by reading address books was Melissa, in 1999. Within a couple of years, virus writers were using "social engineering" to induce people to open attachments. A common trick is for the message to say it is from an administrator, asking a user to perform some action (e.g., open a virus-laden attachment). Two good examples are Love Bug and Anna Kournikova.

Trojan-horse attacks on browsers are increasing. In these attacks, a user visits a Web page that appears harmless, but actually contains hidden code that performs a malevolent action, such as sabotaging a computer or revealing private information. About 1/3 of organizations surveyed by the Computing Technology Industry Association said they had been hit by at least one browser attack between September 2003 and March 2004.

Viruses are being harnessed to do new kinds of mischief. The MyDoom virus not only sought hosts to use as zombies, but also launched a denial-of-service attack on SCO, which had been involved in highly publicized lawsuits claiming to own the rights to code from which critical parts of Linux have been derived. It managed to bring down the site and force SCO to move to an alternate site. The attack was supposed to last twelve days, but actually lasted longer due to PCs with dates set incorrectly.

New horizons for malware. Nor is malware confined to computers anymore. The world's first cellphone virus was unleashed in June 2004. It is spread through wireless Bluetooth technology. It was e-mailed to antivirus companies, not released "into the wild." If a malevolent cellphone worm were released, it could erase contact numbers from the phone's memory, and also send out text messages purporting to be from the phone's owner. Observers predict that such worms could cost wireless carriers billions in the coming years. The carriers themselves have begun to develop security software for cellphones.

Instant messaging is also proving vulnerable to viruses. Last month, 25 viruses were detected by Akonix Systems, a company whose services include the detection and monitoring of new threats. And recently, malware has begun to target security software itself.

A frequent concern is that malware could be targeted by terrorists at certain IP blocks, such as addresses in the United States, and systematically bring down servers and networks across the country. Although terrorists have heretofore preferred human targets, a cyberwarfare attack could do billions in damage to the economy. Two security researchers with the International Computer Science Institute at the University of California estimate that a worst-case attack could cause $50 billion or more in direct economic damage. It would be easy to "marry" a worm to a more destructive payload, which could be used against specific targets or as a weapon of cyberwarfare.

How viruses work. Most viruses work by attaching themselves to executable files. You are in danger if you obtain programs from unknown sources, such as Web sites that you have run across. Obviously, if you had the source code for a virus, you could detect it much more easily. A Trojan horse, however, could be inserted by a rogue compiler. Then you could never find it by reading the source code for the Trojaned program. Could you find it by reading the source code for the compiler? Well, if the compiler was used to compile itself, it might really be invisible.

To escape detection, most viruses contain a marker that lets them recognize copies of themselves. This keeps the files from being reinfected and growing so large that they are obvious. The destructive actions often come later--weeks or months after the virus was picked up.

How worms work. Despite its antiquity, the Morris Internet worm is still illustrative of how worms spread. It exploited three common weaknesses in operating systems. The first of these is buffer overflow. A common utility of the time was a program called finger, which would print out a short file on the user's job title and location, kind of a compressed version of what would be on a user's homepage today. Remote finger requests were serviced by a program called fingerd. It accepted connections from remote programs, read a single line of input, and sent back output matching the received request. The bug involved overwriting the daemon's input buffer. The standard Unix library has a few I/O routines that read input without bounds checking for buffer overflow. For example, gets accepts input to a buffer without doing any bounds checking. The input overran the buffer and rewrote the stack frame, altering the behavior of the program. Specifically, it overwrote the return address of the main routine so that it pointed back into the buffer on the stack. On VAX computers, this resulted in transferring control to a shell that was connected to the worm via a TCP connection that the worm had set up. Buffer overflow is still a common attack today, and has been exploited by the Code Red, Blaster, and Slammer worms. Anyone writing code has an ethical responsibility to make sure that all buffer bounds are checked at all times--if this is not done automatically by the compiler and run-time system, checks should be built into the code.
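The bounds check the paragraph calls for, as an added example in C that is not part of the lecture: a fingerd-style line reader with a fixed 512-byte buffer that replaces the unbounded gets() call with an explicit length check, and a handler that rejects over-long requests instead of truncating them. The request strings are constructed for illustration; finger_service and read_request_line are assumed names, not code from any real daemon.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 1988 fingerd pattern, shown only as a comment (do not use):
 *     char line[512];
 *     gets(line);          no length argument, no bounds check
 * A request longer than the buffer runs past `line` into the rest of the
 * stack frame, which is how the worm altered the daemon's control flow. */

#define REQ_MAX 512          /* same fixed buffer size as the old daemon */

typedef enum { LINE_OK, LINE_EMPTY, LINE_TOO_LONG } line_status;

/* Bounded replacement for gets(): copies one line from `in` (a constructed
 * stand-in for the socket stream) into buf[cap], stopping at CR, LF, NUL,
 * or when cap-1 bytes are in use. buf is always NUL-terminated on return. */
line_status read_request_line(const char *in, char *buf, size_t cap) {
    size_t i = 0;
    if (cap == 0) return LINE_TOO_LONG;
    while (in[i] != '\0' && in[i] != '\n' && in[i] != '\r') {
        if (i + 1 >= cap) {      /* this byte would take the terminator's slot */
            buf[cap - 1] = '\0';
            return LINE_TOO_LONG;
        }
        buf[i] = in[i];
        i++;
    }
    buf[i] = '\0';
    return i == 0 ? LINE_EMPTY : LINE_OK;
}

/* Handler policy: an over-long line is refused outright rather than silently
 * truncated, so a malformed request cannot be reinterpreted as a shorter,
 * valid one. Returns true when a user lookup should proceed; `user` then
 * holds the requested name ("" means "list everyone logged in"). */
bool finger_service(const char *wire_input, char *user, size_t user_cap) {
    char line[REQ_MAX];
    switch (read_request_line(wire_input, line, sizeof line)) {
    case LINE_OK:
        snprintf(user, user_cap, "%s", line);   /* bounded copy out */
        return true;
    case LINE_EMPTY:
        user[0] = '\0';
        return true;
    case LINE_TOO_LONG:
    default:
        user[0] = '\0';
        return false;
    }
}

int main(void) {
    char user[REQ_MAX];
    char big[REQ_MAX + 100];                     /* constructed over-long request */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("\"alice\" -> %s\n", finger_service("alice\r\n", user, sizeof user) ? "ok" : "rejected");
    printf("%zu bytes of 'A' -> %s\n", strlen(big), finger_service(big, user, sizeof user) ? "ok" : "rejected");
    return 0;
}
```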

The second weakness was in sendmail, the program that is responsible for transferring mail from one host to another. The mode exploited by the worm has the mailer operating as a background process. The program is listening on a TCP port for attempts to deliver mail using SMTP. When the mailer detects such an attempt, it enters into a dialog with the sender to transfer the mail. The worm used sendmail's debug option. It issued a debug command, then issued a set of commands instead of a user address. (The debug option was there in order to allow testers to verify that mail is arriving at a particular site. It allows them to display the state of the mail system without having to log in. It was used often because of the complexity of configuring sendmail for local conditions.)

The third means of infection was poorly chosen passwords. The worm looked through each account in the password file. First it checked for the case of no password. If a user's account lacked a password, the worm was able to log in immediately. Next, the worm attempted to "crack" user passwords. It could do this because the file containing encrypted passwords is publicly readable. When a user logs in and types a password, the password is encrypted and compared against the encrypted password stored in the file. The worm tested the "most likely" choices for passwords. Among these were various permutations of the login name and the user's real name. It checked for a password that was the same as the account name, for the account name concatenated with itself, or with its first letter capitalized. Then it checked for the user's real name, or the account name backwards. If none of these worked, it then went through an internal dictionary of 432 words. In this manner it was able to "crack" a large number of accounts. Attacks such as this have proliferated. Nowadays, it is feasible to use methods of attack that search through all strings shorter than seven alphabetic characters. This is why users are encouraged to use digits and/or special characters in their passwords.
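A defender's use of the guess list above, as an added example in C that is not from the lecture: a password-policy check that refuses exactly the choices the paragraph says the worm tried (none, the login name, the name doubled or reversed, any capitalization of it, the real name or any word of it, a dictionary word, and short all-letter strings). The five-word dictionary is a constructed stand-in for the worm's 432-word list, and weak_password_reason is an assumed name.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 64

/* Constructed stand-in for the worm's 432-word internal dictionary. */
static const char *const weak_words[] = { "password", "wizard", "cornell", "unix", "secret" };

static void lower_copy(char *dst, const char *src, size_t cap) {
    size_t i = 0;
    for (; i + 1 < cap && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

static void reverse_copy(char *dst, const char *src, size_t cap) {
    size_t n = strlen(src), i;
    if (n + 1 > cap) n = cap - 1;
    for (i = 0; i < n; i++) dst[i] = src[n - 1 - i];
    dst[n] = '\0';
}

/* Case-insensitive equality: one check covers the worm's "first letter
 * capitalized" variant and every other capitalization of the same guess. */
static bool ieq(const char *a, const char *b) {
    char la[PW_MAX], lb[PW_MAX];
    lower_copy(la, a, sizeof la);
    lower_copy(lb, b, sizeof lb);
    return strcmp(la, lb) == 0;
}

/* Returns the first guess category from the lecture that `password` would
 * fall to, or NULL if it survives all of them. Checks run in the worm's order. */
const char *weak_password_reason(const char *login, const char *realname,
                                 const char *password) {
    char tmp[2 * PW_MAX];
    size_t i, len = strlen(password);
    bool letters_only = true;

    if (len == 0) return "empty password";
    if (ieq(password, login)) return "same as login name";
    snprintf(tmp, sizeof tmp, "%s%s", login, login);
    if (ieq(password, tmp)) return "login name doubled";
    reverse_copy(tmp, login, sizeof tmp);
    if (ieq(password, tmp)) return "login name reversed";
    if (ieq(password, realname)) return "same as real name";
    for (const char *p = realname; *p != '\0'; p += strspn(p, " ")) {
        size_t n = strcspn(p, " ");                /* next word of the real name */
        if (n == 0) break;
        if (n < sizeof tmp) {
            memcpy(tmp, p, n); tmp[n] = '\0';
            if (ieq(password, tmp)) return "word of real name";
        }
        p += n;
    }
    for (i = 0; i < sizeof weak_words / sizeof weak_words[0]; i++)
        if (ieq(password, weak_words[i])) return "dictionary word";
    for (i = 0; i < len; i++)                      /* brute-force range from the lecture */
        if (!isalpha((unsigned char)password[i])) letters_only = false;
    if (letters_only && len < 7) return "fewer than seven letters, no digits or symbols";
    return NULL;
}
```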

We have seen several pages from this excellent tour of the Morris worm. Please feel free to peruse it further to learn more about how worms work.

Virus hoaxes. The destructive power of viruses is well known--so well known that it spreads fear and trepidation in the hearts of novice computer users at the mere mention of the name. This led to a veritable proliferation of virus hoaxes. The Good Times virus was the first to achieve worldwide notoriety. It began in 1994, as an e-mail message that warned against reading a message with a subject line that read, "Good times." It said that if you read such a message, your hard drive would be erased. Of course, no virus can be spread by just reading text; some code needs to be executed. It encouraged spreading the word, and proliferated on mailing lists throughout the Internet.

In fact, an admonition to spread the word is almost de rigueur in a virus hoax. Hoaxes became so common by early 1997 that some virus-response teams spent more time on them than on real viruses. Hoaxes quickly moved from the sublime to the ridiculous. One of the more outlandish was the Free Money hoax, which might more accurately be called a hoax spoof. It claims that an infected computer will jump out of your window and run through the streets killing pets and mocking the Pope. Hoaxes were spread in the latter half of the 1990s by "newbies" on the Internet. They have now died down, as more users have become able to recognize them. Nowadays, almost any posting of a virus hoax to a listserv will quickly be answered with a link to a hoax-busting Web site.

Why write viruses? New research indicates that virus-writers are mostly socially inadequate males from 14 to 34 years old. "They have a chronic lack of girlfriends, are usually socially inadequate and are drawn compulsively to write self-replicating codes. It's a form of digital graffiti to them," said Jan Hruska, the chief executive of British-based Sophos, the world's fourth-largest anti-virus software vendor.

One motive is to infiltrate technology. There is the story of a kid from an NYC exurb who, as a teen, gathered a group of kids to paint graffiti with their messages on subway trains. Later he founded the worldwide Phalcon/Skism virus-writers' group. This stands for Smart Kids Into Sick Methods.

Another reason is to get "their name in lights." There was the Joshi virus that popped up every January 5th and commanded users to type "Happy Birthday, Joshi" to get their computers back. A third motivation is "scientific"--or pseudo-scientific--interest. A programmer named Mark Ludwig established an international virus-writing contest.

Then there was the virus "demonstration" that unexpectedly turned real. In 1988, Montreal computer-magazine publisher Richard Brandow and his co-worker Pierre Zovile created a benign virus, known later as MacMag. On the birthday of the Macintosh II, March 2, 1988, infected Macs would display a "universal message of peace to all Macintosh users." The virus was created to highlight the problems of software piracy. Within two months, Brandow says, illegal copying had transferred it to 350,000 Macs throughout the world. The virus was passed to Marc Canter, president of a company that made training disks for Aldus. While in Canada, he was given a diskette containing a game called Mr. Potato Head. Playing that game caused his hard disk to be infected. It crashed his computer, perhaps because earlier Macs use a different video card/monitor architecture than the Mac II. Many games for earlier Macintoshes wouldn't run on Mac IIs, and crashed the system. Anyway, Canter passed the virus to a training disk he delivered to Aldus. This forced Aldus to recall or rework thousands of packages of new software.

Protection from viruses. One of the best protections against viruses is memory protection, which limits a program to a particular address space. It is really an application of the principle of least privilege, which limits a program's access to those programs it needs to do its jobs. Memory protection can prevent some viruses, but not all, because certain portions of the operating system must be accessible to certain programs.

Early operating systems for personal computers provided no memory protection. Even today, most users do not take advantage of the file-system protection their OS offers. On unprotected systems, any program has the ability to modify any other program on any disk attached to the system.

Several companies sell anti-virus programs. These can detect known viruses by recognizing their code, but can't detect as-yet-unknown viruses. Nonetheless, if you keep your copy up to date, the chance of being hit by a recently created virus is acceptably low. Information on viruses is available through several anti-virus databases on the Web.

To protect an organization from malware, this four-pronged strategy can be used. First, put a knowledgeable group in place to deal with incidents. The group may be a formal part of an organization or an informal collection of knowledgeable people. The group should be responsible for educating users about the threat of viruses, providing accurate information about viruses, responding to reports of viruses, and dealing with viral infections when they occur. Second, make sure each employee knows how to contact this group if (s)he suspects a viral infection. Third, develop a plan to deal with viruses before there is a problem. Use anti-virus software to decrease the risk of an infection from internal and external sources. Be especially sure it is in place on LANs. Also, use a more general change detector on particularly critical systems. Put mechanisms in place to detect viral infections quickly. Develop procedures to contain an infection once one is detected. Know how to recover from a viral infection. Finally, test the plan periodically, as you would test a fire-evacuation plan. But do not use a real virus to test the plan!

However, there is a real question as to whether an organization can get everyone to use antivirus software and download the almost-daily security patches announced for Windows systems. This calls for more responsibility on the part of programmers. As NCSU's Coordinator of Special IT Projects Henry Schaffer put it,

Well designed wordprocessing software should give a choice such as, "This is not the document it claims to be, but is a computer program. Do you want to allow this program to run and do whatever the writer designed it to do? Click for "yes"--Do you really mean that??" If it really is a document, then the document should be opened and displayed--and if there is an executable also included (e.g., a "macro") there should be another prompt/warning. (Microsoft Word used to be shipped with this capability disabled. I believe they finally changed and now have it enabled - but I don't think it gives an explicit warning.) Similarly, IMHO, well designed mail agent software should look at the "real" file extension, (as in xyz.txt.exe where this is really an .exe file, i.e. a program, not a .txt file--i.e., data) and say something similar-- not simply automatically route this to the OS to be executed.
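The "real" file extension check Schaffer describes, as an added example in C that is neither his nor the lecture's: a mail-agent helper that reports the final extension of an attachment name (the one the OS would act on), the extension a reader sees first, and whether the two together amount to a program disguised as data, as in xyz.txt.exe. The executable-extension list and the names inspect_attachment and attach_verdict are assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed list of extensions that Windows will run directly when opened. */
static const char *const exec_exts[] = { "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js" };

/* What a mail agent should know about an attachment before routing it. */
typedef struct {
    bool executable;      /* the real (final) extension is one the OS runs */
    bool disguised;       /* executable AND an earlier extension is shown first */
    char real_ext[16];    /* final extension, lower-cased; "" if none */
    char shown_ext[16];   /* the extension before it, lower-cased; "" if none */
} attach_verdict;

static void lower_copy(char *dst, const char *src, size_t n, size_t cap) {
    size_t i = 0;
    for (; i < n && i + 1 < cap && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Inspects `name` (for instance the filename= value of a MIME part) and
 * judges it by the last dot, not the first, so "xyz.txt.exe" is a program. */
attach_verdict inspect_attachment(const char *name) {
    attach_verdict v = { false, false, "", "" };
    const char *last = strrchr(name, '.');
    size_t i;

    if (last == NULL || last[1] == '\0') return v;      /* no usable extension */
    lower_copy(v.real_ext, last + 1, strlen(last + 1), sizeof v.real_ext);

    /* the extension a user reads first: the dot before the final one */
    for (i = (size_t)(last - name); i-- > 0; ) {
        if (name[i] == '.') {
            lower_copy(v.shown_ext, name + i + 1, (size_t)(last - name) - i - 1,
                       sizeof v.shown_ext);
            break;
        }
    }
    for (i = 0; i < sizeof exec_exts / sizeof exec_exts[0]; i++)
        if (strcmp(v.real_ext, exec_exts[i]) == 0) v.executable = true;
    v.disguised = v.executable && v.shown_ext[0] != '\0';
    return v;
}
```

An agent using this would prompt (or refuse) when `disguised` is set, instead of handing the file to the OS on the strength of the ".txt" in the middle of the name.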

Viruses, worms, and Trojan horses are a scourge of modern computer systems. By studying the harms these programs have done, we become aware of the need to take responsibility for the programs we write and the software we download.