the insigificant observer


Computer Security Part 1: History

This article will be published on NYX in their respective sections within a given time frame. For convenience, I have divided this entire article into 3 separate posts. As usual, I would advise that you read extremely long articles such as these off their custom page at NYX. The colour scheme there is more suitable for it.

The word count for this article is given at the end of the last section. I am afraid people will be scared off by it. If you want to learn something reasonable, just read the second section. Read the first and the last section only if you are more adventurous. Besides, the first section is nothing special as I practically ripped it off entirely from Wikipedia.

Article Start:

When we think of computer security, the words “viruses” and “spyware” immediately come to mind. In most cases these two are indeed the most common methods of breaching corporate networks, causing inconvenience and intruding into personal privacy. In this article I shall focus more on viruses and worms, since they usually cause the most damage today.

This article is divided into 3 parts:

1. History of viruses
2. Tips for end-users
3. Future roadmap of computer security

As such, let me dive into the history of the evolution of viruses and several key ones that redefined the landscape of computer security.

According to Wikipedia, the first virus to appear was the Creeper worm in 1971. Its code was fairly rudimentary. All it did was move from computer to computer displaying the message “Catch me if you can”. No damage was done, and it died out soon after when another virus, presumably written by the same programmer, removed all traces of it from infected computers.

This started the ball rolling. The next milestone was how to spread a virus quickly while remaining undetected in the process. This milestone was reached in 1986 with the “Brain” virus. It copied itself to the boot sector of any removable storage media such as floppy disks. In this way it could spread very quickly, as floppy disks were the most common mode of data transmission in the 1980s before the advent of the Internet. Users only detected it when it began to slow down their floppy drives.

Up to this point, computer viruses were usually mild and largely confined to a small local group of computers. All this changed when use of the Internet became widespread. The Morris worm was one of the first to use the power of the Internet to propagate itself. After its release in 1988, it was estimated that about 10% of the world’s computers had been infected as a result. Infected computers slowed down dramatically as the worm ran multiple instances of itself within each infected system.

As you can see, the viruses of the 1980s focused mainly on attacking the operating system (OS) itself rather than using personal documents as a means of propagation. The “Melissa” virus in 1999 was the first macro virus to appear. It marked the shift away from attacking the OS directly to infecting Word documents. Such documents had previously been seen as safe, since they were assumed to contain no executable code. Anti-virus companies were shocked by this new mode of transmission.

It turns out that the Melissa virus used the macro features of Microsoft Word as a way to execute its code. The virus (worm) soon began to clog up email systems as it mailed itself to multiple computers.

(A macro is a set of instructions embedded in a document. Its primary purpose is to automate certain processes during the use of the document. These instructions are usually run when the file is opened.)

However, all the viruses up to this point worked as individual stand-alones; the combined power of the infected machines, in the form of distributed computing, had not yet been used to carry out spamming attacks. The Sobig worm, which first appeared in 2003, made use of this form of attack when it compromised hundreds of thousands of computers. The resulting mass spamming from these computers crashed many corporate server systems worldwide.

The Blaster worm, also dubbed the “lazy” worm by some, was created to exploit not a new, unknown vulnerability but a known one. In fact, the loophole (in the RPC service) exploited by Blaster was already known to Microsoft, and a patch had been created one month before the worm appeared in August 2003. As a result of the Blaster worm, the tech community coined a new term, the 30-day attack window, and subsequently the 0-day exploit. It signifies the vulnerability window between the discovery of a flaw and the point where all affected systems are finally patched.

Blaster also combined several key techniques, such as buffer overflows and denial-of-service (DoS) attacks. The DoS attacks were focused, relatively successfully, on the Windows Update site. Fortunately, the real site had a different URL from the one targeted by the worm, and Microsoft escaped unscathed.

(A buffer overflow is a type of programming error that occurs when a program receives an input that is unexpectedly large. The program may crash because it cannot handle the extra data. The most famous example of a buffer-overflow error occurred in 1996 when the European Space Agency’s Ariane 5 flight 501 rocket crashed shortly after takeoff. It was found that a 16-bit program could not recognise and use a 64-bit input.

DoS attacks usually target servers hosting websites or corporate VPN servers. They are usually carried out by first infecting a huge number of computers. Then, at a preset time, all these computers attempt to access a public server on the Internet with a specific request, such as loading a web page. The server, unable to handle the heavy load, crashes, bringing down the other mission-critical tasks it may be required to perform.)
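To make the buffer-overflow explanation above concrete, here is an added C example that is not part of the original post and has nothing to do with Blaster's actual code. It shows the classic mistake (copying input of unknown length into a fixed-size buffer with no check) next to a hardened version that measures the input first and rejects anything that will not fit. The 16-byte buffer size and the sample inputs are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for the demo */

/* VULNERABLE: copies whatever it is given into a 16-byte stack buffer.
 * Any input of 16 or more characters writes past the end of `name`,
 * which is undefined behaviour and the root of a crash or worse.
 * Kept here only for contrast; main() never feeds it oversized input. */
void greet_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* no length check at all */
    printf("Hello, %s\n", name);
}

/* Reports whether `input` (plus its terminating NUL) fits in a buffer
 * of `buf_len` bytes. This is the check the vulnerable version lacks. */
bool input_fits(const char *input, size_t buf_len)
{
    return buf_len > 0 && strlen(input) < buf_len;
}

/* Bounded copy: refuses input that would overflow and always leaves
 * `dst` NUL-terminated when it succeeds. Returns false on rejection. */
bool copy_bounded(char *dst, size_t dst_len, const char *src)
{
    if (!input_fits(src, dst_len))
        return false;
    memcpy(dst, src, strlen(src) + 1);   /* +1 copies the NUL */
    return true;
}

/* HARDENED: same behaviour as greet_unchecked for valid input, but an
 * oversized input is rejected instead of corrupting the stack. */
bool greet_checked(const char *input)
{
    char name[NAME_LEN];
    if (!copy_bounded(name, sizeof name, input)) {
        fprintf(stderr, "rejected %zu-byte input (max %d)\n",
                strlen(input), NAME_LEN - 1);
        return false;
    }
    printf("Hello, %s\n", name);
    return true;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that does not. */
    const char *short_name = "Ada";
    const char *long_name  = "this name is far longer than sixteen bytes";

    greet_unchecked(short_name);     /* safe only because the input is short */
    greet_checked(short_name);       /* prints the greeting */
    greet_checked(long_name);        /* rejected, program keeps running */
    return 0;
}
```

The fix is not the `memcpy` itself but the length check before it: any function that writes caller-supplied data into a fixed buffer needs to know the buffer's size and compare against it, which `strcpy` cannot do because it never sees that size.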

Now to recent times: the Storm worm. It started spreading in January 2007 and continues to do so today, albeit with much less potency. It set the record for the most computers infected at any one time. Experts put that number between 1 and 50 million computers.

It combined many modern methods such as DoS and distributed computing in the form of a botnet. The Storm worm uses peer-to-peer technology to communicate and divide tasks among other infected computers. This technology is similar to torrent file sharing, where no central server leads the botnet.

(Bots are individual workstations that are controlled to cooperate with many other bots to accomplish certain tasks. These tasks could be attacking a website, sending spam or seeking out other computers to infect. A botnet is essentially the collection of all the bots.)

The bots operate as individual entities. When they contact each other, certain computers (usually the faster ones) automatically assume leadership positions and dictate the tasks done by the slower computers. When one bot leaves the network, another bot is always available to take over its job.

It is stunning to note that the virus code in all of the bots is generally identical, yet this form of leadership “AI” can arise even when every bot is processing the same instructions.

The Storm botnet also employs certain defensive strategies to ensure its survival, one of which is the DoS attack. All bots are constantly on the lookout for any computer that attempts to detect and eliminate them. Once such a computer is detected, the bot immediately notifies the leader it is associated with. The leader analyses the severity of the threat and mobilises a calculated number of bots to “attack it” using the DoS technique, enlisting the help of other leaders if necessary.

Next, Part 2: Tips for End-users

November 18, 2007 - Posted by | CCA, computers
