Plague

We are all afraid of two types of illness: illness of the body, and illness of the computer.

Which one is worse?

Just joking.

Following this week’s seminar, I found myself thinking about the variety of tools, bugs, and viruses that cyber criminals and cyber attackers employ to attack their adversaries. What makes them destructive? How do they attack their victims, and why?

A few high-profile examples: ILOVEYOU, Conficker, and Regin.

ILOVEYOU: the ultimate in unwanted affection. Beginning in 2000, ILOVEYOU sent what appeared to be a text file via email to its victims, claiming to be a love letter. The virus, once opened, would send itself to the first fifty people in the contact list, spreading faster than any previous virus. It was not, in fact, a text file, and it would then destroy users’ image files. By preying on human emotions, ILOVEYOU went global in just a few hours. (1)

Conficker: first detected in 2008, Conficker downloads itself onto a computer that has not been properly updated, and additionally attempts to spread through shared files and by hitching rides on USB drives. The virus protects itself by disabling updates and security protection attempts (2), and it became one of the largest computer viruses of all time, costing millions in damages. (3)

Regin: a tool of cyber attack, likely created by a nation state, capable of turning an infected computer inside out. Regin can collect screenshots, copy files, and watch what you type. (4) Some watchers believe that the virus passes directly from internet service providers to customers, without infecting the service provider itself. (5)

So we have a collection of strategies: self-propagation, self-protection, exploiting human psychology, and targeted attacking.

Say we wanted to cause the most destruction possible. I would follow a strategy of self-propagation, in which the virus downloads itself and then lies dormant while quietly disabling security services. The virus would simultaneously attempt to spread to any device that connects to the infected computer. At some point, when the infections had reached a desirable level, the creator would trigger the virus to wipe the files of every computer carrying the worm.

Say we had more nuanced motives: money. I would again self-propagate, and lie dormant until I had reached some sufficient spread. I would then trigger a keylogging capability to harvest users’ passwords when they visit the IP addresses of banks.

Say we were looking to run reconnaissance. I would create a worm that mimics an email sent to a device, deleting the original email and replacing the old file with the virus’s code. Once opened, the email would download a watcher, much like Regin. The purpose of email propagation is to lull the user into a false sense of security, oblivious to the presence of my watcher.

Like dreaming up chimeras, this activity is a fun one. But it also serves as a warning. Don’t open suspicious files; don’t forget to update; don’t use USB drives; don’t be a target of espionage.

Maybe that sounds like too much for one person to do, even a young digital native. But until there are legislative protections in place or true care from the companies that make our software, self defense is our best, and only, means of protection.

  1. https://www.smithsonianmag.com/science-nature/top-ten-most-destructive-computer-viruses-159542266/?c=y&page=2
  2. https://www.pcc.edu/resources/tss/info-security/conficker.html
  3. http://www.nytimes.com/2009/01/23/technology/internet/23worm.html
  4. https://usa.kaspersky.com/resource-center/threats/regin-platform-malware
  5. http://www.irelandwebsitedesign.com/blog/290-reign-spying-malware-virus.html

2 Comments

  1. profsmith

    November 16, 2017 @ 2:49 pm

    Personally, I think of computer “illness” more like human mental illness. When you see a computer or a human acting strangely, it’s hard to know what to do. I find it easier to know what to do when you see someone with the flu, for example.

    I enjoyed reading about your infection scenarios. A small comment. Counterintuitively, you want to do the opposite of what you said in one part. Instead of “quietly disabling security services” you’d want to fix the leaky security services that you exploited to get your code onto the remote system. The reason is that you don’t want the computer on which you sit to become infected with some other bad actor until you’ve had a chance to run your exploit. When you break into a house, you typically don’t leave the front door open inviting other robbers (or the neighbors/police) to take notice.

    And you can use USB drives. Just don’t use ones that you don’t know where they’ve been (like other good similar advice).

  2. Jim Waldo

    November 19, 2017 @ 8:01 pm

    When I teach my cyber security course, I have the students (and it is an executive education course, so many of the students are from industry or government and have responsibility for computer security) run through a number of exercises like this. If you wanted to get food from a vending machine without paying, how would you do it? If you wanted to listen in on a conversation, how would you do that? If you wanted to get someone’s password, what would you do?

    Thinking like a hacker (in the new sense of the term) is important for defense, for the simple reason that when you are defending your computer you are working against a sentient opponent. It is more like playing chess than fixing a bug. You have to think of what the other person is likely to do, and defend before he or she does it. It makes cyber security both very interesting and very hard.
