Source: http://www.rbs2.com/cvirus.htm
Examples of Malicious Computer Programs

Copyright 2002 by Ronald B. Standler

Table of Contents

  Introduction
    "author did not know" is specious defense
  Early Examples
    Brain Virus
    Lehigh Virus
    Christma Worm
    Morris Worm
    MBDF Virus
    Pathogen Virus
  Melissa Virus
  ILOVEYOU Worm
  Anna Worm
  Three Worms: CodeRed, Sircam, Nimda
  BadTrans.B Worm
  Klez
  recent malicious programs
  Economic Damage
  Sources of Information
  Conclusion

Introduction

This essay contains a description of several famous malicious computer programs (e.g., computer viruses and worms) that caused extensive harm, and it reviews the legal consequences of each incident, including the nonexistent or lenient punishment of the program's author.

It is not my intention to provide information on threats by current malicious programs: this essay is only a historical document. (You can find information on current threats at websites operated by vendors of anti-virus software.)

There are three reasons to understand past malicious programs:

1. Learning how past incidents caused damage may help you protect your computer from future damage. I say may, because new types of threats are continually emerging.

2. Because the law reacts to past events, learning about past harmful incidents shows us how the law should be corrected to respond appropriately to the new crimes of writing and distributing malicious computer programs.

3. In May 2002, the Norton Anti-Virus software for Windows operating systems detected about 61000 malicious programs. Astoundingly, there have been criminal prosecutions and convictions of the author(s) of only five malicious programs, all of which are described below: the Morris worm released in 1988, the author and distributors of the MBDF virus, the author of the Pathogen virus, the author of the Melissa virus, and the author of the Anna worm. I hope that when people read this essay and become aware of both the malicious design and great harm caused by computer viruses and worms, readers will urge their legislators:
   - to enact criminal statutes against authors of computer viruses and worms, with punishment to reflect the damage done by those authors, and
   - to allocate more money to the police for finding and arresting the authors of malicious computer programs.

I have not cited a source for each fact mentioned in this essay, because most of these facts have been reported at many different sources, and are well known to computer experts who are familiar with viruses and worms. (I do cite a source for facts that are either not well known or controversial.) Further, this essay is not a formal scholarly document, with numerous citations, but only an informative review intended for attorneys, legislators, the general public, students, businessmen, etc. Some general sources are mentioned later.

Author did not know ....

The most common excuse made by criminal defense attorneys who represent authors of computer worms and viruses is that their client did not know how rapidly the worm or virus would spread. Because this excuse occurs in several of the cases presented below, let's discuss it at the beginning.

Such an excuse might be plausible to someone who had no understanding of the Internet and computer programming. However, it is ridiculous to suggest that a computer programmer who creates a worm is unaware that it will spread rapidly. Students who major in computer science, mathematics, physics, or engineering learn in mathematics classes about geometric series. There is a good reason why mathematics classes are required for science and engineering students: mathematics is really useful for predicting results of experiments that one should not perform.

A good example of a geometric series is the propagation of a computer worm. Consider the following hypothetical example in which each victim's computer provides the addresses of four new victims, and the worm requires one hour to be received by the next wave of victims, to search the next victim's computer and find four new addresses, then to be sent to the four new victims:

  time in hours    number of new victims
        1                        4
        2                       16
        3                       64
        4                      256
        5                     1024
        6                     4096
        7                    16384
        8                    65536
        9                   262144
       10                  1048576

In this hypothetical example, at 24 hours there would be approximately 10^14 new victims, which is a ridiculous extrapolation, because there are only about 10^9 people on the planet earth. But this example clearly shows the rapid growth of a geometric series and why authors of worms should not be surprised when their worm rapidly gets out-of-control.

Seen in this context, the criminal defense attorney's statement that his/her client "did not know ...." is not plausible. Actually, the defense attorney's statement is ludicrous. Even if one ignores the rapid growth of a geometric series, the historical examples of the rapid propagation of the Christma Worm in Dec 1987 and the Morris Worm in Nov 1988 show what happens when worms are released into computer networks. There is absolutely no need for another "experiment" of this kind, as we already know what will happen. (I put "experiment" in quotation marks, because the design and release of a computer virus or worm is a crime, not a legitimate scientific experiment.)

Other examples of specious defenses for writing or releasing malicious programs are contained in my essay on Computer Crime.

Early Examples

Brain Virus

The first computer virus for Microsoft DOS was apparently written in 1986 and contains unencrypted text with the name, address, and telephone number of Brain Computer Services, a store in Lahore, Pakistan. This virus infected the boot sector of 5¼ inch floppy diskettes with a 360 kbyte capacity. Robert Slade, an expert on computer viruses, believes the Brain virus was written as a form of advertising for the store in Pakistan.

A variant of the Brain virus was discovered at the University of Delaware in the USA during Oct 1987 where the virus destroyed the ability to read the draft of at least one graduate student's thesis.

Lehigh Virus

In November 1987, a virus was discovered infecting the COMMAND.COM file on DOS diskettes at Lehigh University.
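The geometric-series table in the section "Author did not know" above, carried one step further as an added example that is not part of the original essay. The first function reproduces the essay's idealized model (every victim reaches four fresh victims an hour later). The second assumes, for illustration, that the four harvested addresses are drawn at random from a finite pool of hosts, so copies sent to duplicate or already-infected addresses are wasted and the wave saturates and burns out instead of growing without bound. The pool size of 10^9 is an assumed figure taken from the essay's remark about the planet's population; the fan-out of four and the one-hour cycle are the essay's, and everything else is constructed.

```python
"""Worm propagation: the essay's geometric-series table next to a finite-population model.

Added example, not part of the original essay. The fan-out of 4 addresses per victim
and the one-hour cycle come from the essay's hypothetical; the pool size used in
__main__ is an assumed figure for illustration.
"""
import math

FANOUT = 4  # addresses harvested and mailed per victim, as in the essay's hypothetical


def geometric_new_victims(hours, fanout=FANOUT):
    """Idealised model from the essay: every victim reaches `fanout` brand-new victims.

    Returns new victims per hour; index 0 is the single machine the worm started on.
    """
    return [fanout ** t for t in range(hours + 1)]


def finite_population_new_victims(hours, population, fanout=FANOUT):
    """Expected new victims per hour when each victim mails `fanout` addresses drawn
    uniformly at random from a pool of `population` hosts, so duplicates and hits on
    already-infected hosts are wasted. Each host mails only once (the essay's Christma
    worm deleted itself after running), so the wave dies out once most of the pool
    has been hit. Assumed model, not a reconstruction of any particular worm.
    """
    infected = 1.0            # the author's own machine at hour 0
    new_per_hour = [1.0]
    for _ in range(hours):
        susceptible = population - infected
        attempts = fanout * new_per_hour[-1]
        # P(a given uninfected host is hit by at least one of `attempts` random sends)
        # = 1 - (1 - 1/population)**attempts, via log1p/expm1 to keep precision
        # when 1/population is tiny.
        p_hit = -math.expm1(attempts * math.log1p(-1.0 / population))
        fresh = susceptible * p_hit
        new_per_hour.append(fresh)
        infected += fresh
    return new_per_hour


def cumulative(series):
    """Running total of a per-hour series (victims infected so far)."""
    out, total = [], 0.0
    for value in series:
        total += value
        out.append(total)
    return out


def propagation_table(hours, population):
    """Rows (hour, geometric new victims, finite-pool new victims, finite-pool total)."""
    geo = geometric_new_victims(hours)
    fin = finite_population_new_victims(hours, population)
    tot = cumulative(fin)
    return [(t, geo[t], round(fin[t]), round(tot[t])) for t in range(1, hours + 1)]


if __name__ == "__main__":
    # Assumed pool: roughly the essay's "about 10^9 people on the planet".
    for hour, geo, fin, total in propagation_table(24, 10**9):
        print(f"{hour:3d}  geometric {geo:>16,d}   finite-pool new {fin:>12,d}"
              f"   infected so far {total:>12,d}")
```

The finite-pool column agrees with the essay's table for the first ten hours to within rounding; the two models only diverge once a sizeable fraction of the pool is already infected, which is exactly where the extrapolation to 10^14 victims breaks down. Because every host sends just once, the wave also leaves a small residue of hosts that were never reached, rather than covering the whole pool.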
When an infected COMMAND.COM had infected four other copies of COMMAND.COM (i.e., when copying to a floppy diskette), the virus wrote over the file allocation table on all disks in the system, destroying the ability to read files from those disks. Quick intervention at Lehigh University, including overnight development and distribution of a disinfection program, stopped this virus from spreading off campus. The data on approximately 500 computer disks and diskettes at Lehigh University were lost because of this one virus.

To the best of my knowledge, the author of the Lehigh Virus was never identified, so there was no punishment for him.

Christma Worm

A student at a university in Germany created a worm in the REXX language. He released his worm in December 1987 on a network of IBM mainframe computers in Europe. The worm displayed an image of a conifer tree on the user's monitor, while it searched two files on the user's account to collect e-mail addresses, then automatically sent itself to all of those addresses. (This trick would be used again, on a different operating system, in March 1999 by the Melissa virus.)

The Christma worm deleted itself after it functioned once. However, the one copy deleted was replaced by multiple copies sent to everyone with an e-mail address in either the in-box or out-box of the user's account, so the total number of copies continued to increase. The worm itself was relatively harmless: it neither deleted nor altered the user's computer files. However, the rapid propagation of the worm created a mailstorm in the network of IBM mainframe computers from 9 to 14 Dec 1987.

The author of the Christma worm was identified, by tracing the mail messages back to the original source. His computer account was closed, but I cannot find any other punishment for him.

Morris Worm

On 2 November 1988, Robert Tappan Morris, then a first-year graduate student in computer science at Cornell University, released his worm that effectively shut down the Internet for several days.

The Morris Worm used four different ways to get unauthorized access to computers connected to the Internet:
1. exploit a defect in sendmail when DEBUG was enabled during compile
2. exploit a defect in fingerd (buffer overflow)
3. trusted hosts feature that allows use without a password (rexec, rsh)
4. an algorithm that tried 432 common passwords, plus variations on the user's name, and then /usr/dict/words/.

The worm only infected SUN-3 and Digital Equipment Corp. VAX computers running versions of the Berkeley UNIX operating system. The Morris Worm succeeded in infecting approximately 3000 computers, which was about 5% of the Internet at that time. Among the affected computers were those at the University of California at Berkeley, MIT, Stanford, Princeton, Purdue, Harvard, Dartmouth, University of Maryland, University of Utah, Georgia Institute of Technology, and many other universities, as well as computers at military and government laboratories.

When Morris understood that his worm was propagating faster than he had expected, he called a friend at Harvard University. The friend then sent the following anonymous message with a false source address to the TCP-IP mailing list via the Internet:

    A possible virus report:
    There may be a virus loose on the internet.
    Here is the gist of a message I got:
    I'm sorry.
    Here are some steps to prevent further transmission:
    [three terse suggestions for how to stop the worm omitted here]
    Hope this helps, but more, I hope it is a hoax.

However, because the Internet was already clogged with copies of his worm or because computers were disconnected from the Internet to avoid infection by the Morris Worm, the message did not arrive until after system administrators had devised their own techniques for removing the worm. Further, the anonymous source, and also the tentative tone (i.e., "possible virus report", "may be a virus loose", "I hope it is a hoax."), make this message much less helpful than it could have been.

If Morris had really been innocent, he could have faxed the source code for his worm to system administrators at University of California at Berkeley, MIT, Purdue, University of Utah, etc. who were trying to decompile the worm and understand it. And Morris could have given system administrators authoritative suggestions for how to stop his worm.

Morris apparently never personally explained his intentions or motives in designing and releasing his worm. Some of his defenders have said that Morris did not intend the consequences of his worm. A Cornell University Report by Ted Eisenberg, et al. at pages 17, 27 and especially at Appendix 8, [bibliographic citation below], mentions comment lines by Morris in his 15 Oct 1988 source code that say:

    "the goal is to infect about 3 machines per ethernet."
    "2) methods of breaking into other systems."
    "10) source code, shell script, or binary-only? latter makes it harder to crack once found, but less portable"
    "hitting another system: 1) rsh from local host, maybe after breaking a local password and .... 2) steal his password file, break a password, and rexec."

Such comments appear as clear indications of criminal intent by Morris.

In a 17 Oct 1994 UseNet posting, Prof. Spafford at Purdue, who has also actually seen the worm's source code at Cornell that was written by Morris (including the comment lines by Morris that are not present in the decompiled versions), said:

    The comments in the original code strongly suggested that Robert intended it to behave the way it did - no accidents involved.

Morris was the first person to be arrested, tried, and convicted for writing and releasing a malicious computer program. He was found guilty on 22 Jan 1990 and appealed, but the U.S. Court of Appeals upheld the trial court's decision. The U.S. Supreme Court refused to hear an appeal from Morris. U.S. v. Morris, 928 F.2d 504, 506 (2d Cir. 1991), cert. denied, 502 U.S. 817 (1991).

The Court of Appeals noted that: "Morris released the worm from a computer at the Massachusetts Institute of Technology [MIT]. MIT was selected to disguise the fact that the worm came from Morris at Cornell." Id. at 506. The Court of Appeals also noted that the cost of removing the worm from each installation on the Internet was estimated to be "from $ 200 to more than $ 53000." Id.

There are no precise figures on the amount of damage that Morris did, but a widely quoted estimate by Clifford Stoll at Harvard is that the total cost of dealing with the Morris Worm is somewhere between US$ 10^5 and US$ 10^7.

Despite the severity of this damage, Morris was sentenced in May 1990 to a mere:
- three years of probation,
- 400 hours of community service,
- a fine of US$ 10050,
- the US$ 3276 cost of his supervision during probation, but
- no incarceration in prison.

In addition to this legal punishment, Cornell University suspended him from the University for at least one year. When Morris applied for re-admission a few years later, Cornell refused to accept him. Morris earned his Ph.D. at Harvard University in 1999.

Bibliography on the Morris Worm

There are a number of technical publications that discuss the Morris worm and its effect on computers that constituted the Internet:

- Peter J. Denning, editor, Computers Under Attack, Addison-Wesley, 1990. A collection of reprinted articles from computer science journals, which has about 90 pages on the Morris Worm.
- Mark Eichin and Jon Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988, Feb 1989. Available from the MIT website and published in various places.
- Ted Eisenberg, David Gries, Juris Hartmanis, Don Holcomb, M. Stuart Lynn, and Thomas Santoro, The Computer Worm, A Report to the Provost of Cornell University on an Investigation Conducted by The Commission of Preliminary Enquiry, 45 pp., 6 Feb 1989. Available from the Office of Information Technologies at Cornell University.
- Bob Page, A Report on the Internet Worm, University of Lowell, 5 pp., 7 Nov 1988. Available from a website in Canada and also from Purdue.
- Donn Seeley, A Tour of the Worm, Computer Science Department, University of Utah, 18 pp., 1988. Available from Francis Litterio's website.
- Eugene H. Spafford, The Internet Worm Program: An Analysis, Technical Report CSD-TR-823, Purdue University, 41 pp., 8 Dec 1988. Available from Purdue University.
- Eugene H. Spafford, The Internet Worm Incident, Technical Report CSD-TR-933, Purdue University, 18 pp., 19 Sep 1991. Available from Purdue University. (I recommend this report as the best place to start reading about the effect of the worm on the Internet and ethical issues.)
- The June 1989 issue (Vol. 32, Nr. 6) of Communications of the ACM, a major journal for professional computer programmers, contains several articles concerning the Morris Worm.

I have posted the unpublished Judgment of the trial court in U.S. v. Robert Tappan Morris, as well as the opinion of the appellate court that was published at 928 F.2d 504.

MBDF Virus

In 1992, four undergraduate students at Cornell University created and released the MBDF virus, which attacks Apple Macintosh computers. This virus was released in three shareware programs:
- Obnoxious Tetris, a computer game,
- Ten Tile Puzzle, a computer game, and
- Tetriscycle, a Trojan Horse program that contained an encrypted copy of the MBDF virus.

David S. Blumenthal wrote the virus and inserted it in the three programs. Blumenthal also created an anonymous account on a Cornell computer, so that apparently untraceable file transfers could be made. Mark A. Pilgrim used this anonymous account on 14 Feb 1992 to upload the three programs to an Internet archive at Stanford University. The initial victims downloaded the programs from Stanford and infected their computers. As these victims shared their infected files with other users, they unwittingly spread the virus to additional victims.

The MBDF virus was a relatively benign program that did not directly harm the victim's data files. However, this virus could cause harm in three different ways:
1. The virus caused some programs to crash when the user selected an item from the menu bar.
2. The CIAC reported on 25 February 1992: "When MBDF A infects the system file, it must re-write the entire system file back to disk; this process may take two or three minutes. If the user assumes the system has hung, and reboots the Macintosh while this is occurring, the entire system file will be corrupted and an entire reload of system software must then be performed."
3. The virus took several seconds to infect each program file on the victim's computer, and, during those several seconds, the display would freeze.
   If the victim rebooted the computer during those several seconds, application files on the computer could become corrupted.

To recover from such problems, the victim first needed to run anti-virus software to delete the MBDF virus, then any corrupted files (e.g., either applications software or the operating system itself) would need to be re-installed. Depending on the skill of the victim in identifying which files were damaged, the recovery process could take hours or days.

Compared with other malicious programs, the damage from the MBDF virus was relatively small. The only reason that I mention the MBDF virus in this essay is that it is one of a very few cases in which the author and distributors of a malicious program were arrested and punished for their crime.

The MBDF virus was first discovered in the wild by a professor of mathematics in Wales, who sent it to John Norstad, the author of a now-discontinued anti-virus program for the Macintosh. Experts in computer security at several universities promptly traced the origin of the MBDF virus to Cornell University. Blumenthal and Pilgrim were arrested and put in jail on 24 February, just ten days after the MBDF virus was first released. They were arraigned in a New York state court on charges of second-degree computer tampering, a misdemeanor. They each posted $2000 cash bail and were released from jail. Pilgrim cooperated with the police, told them the details of what had happened, and incriminated Blumenthal.

As reports of infected computers were received from all over the USA, Japan, Europe, Australia, and Canada, the district attorney contemplated increasing the charges to a felony, because he could prove a larger harm than what had initially been apparent. During grand jury proceedings in June 1992, two other Cornell students were revealed to have played a role in the distribution of the MBDF virus to various computer bulletin boards. One of them was granted immunity from criminal prosecution in exchange for his testimony. The other, who will be identified here by the fictitious name Doe, was indicted along with Blumenthal and Pilgrim, but Doe later had his record expunged.

On 16 June 1992, a 17-count indictment was issued against Blumenthal, Pilgrim, and Doe. The indictment included four counts of first-degree computer tampering (a felony), and also seven counts of attempted computer tampering (a misdemeanor), plus one count of second-degree attempted computer tampering. In addition, Blumenthal alone was charged with felony counts of forgery and falsifying business records, for his creation of the anonymous computer account at Cornell University. I obtained a photocopy of the indictment from the Tompkins County Court and posted it here.

On 4 September 1992, Blumenthal and Pilgrim each pled guilty to one count of second-degree computer tampering, a misdemeanor, in exchange for the dismissal of all other charges and neither prison nor fines.

On 5 October 1992, Blumenthal and Pilgrim were each sentenced to:
- pay restitution (a total of $ 6000 to Cornell University, $ 1300 to a victim in New York City, and $ 65 to a victim in California);
- each would provide 520 hours of community service, which they fulfilled by writing software for a handicapped person in Tennessee;
- forfeit their personal computers; and
- be on probation.

The court clerk has informed me that there is no written Judgment filed for either Blumenthal or Pilgrim. Doe pled guilty to disorderly conduct and later had his record expunged, so there is no record of Doe's sentence. Additionally, each of the four students was either expelled or suspended from Cornell University for at least one year.

Cornell University, whose reputation had been besmirched by the Morris Worm in November 1988, found itself in 1992 portrayed by journalists as a breeding ground for malicious computer programs. University administrators must be ready to deal with both the legal and public relations aspects of arrests of students for creating malicious computer programs.

The best source of information that I have found on the obscure MBDF virus case is the archives of The Post-Standard newspaper in Syracuse, NY.

Pathogen Virus

In April 1994, the Pathogen computer virus was released in the United Kingdom, by uploading an infected file to a computer bulletin board, where victims could download a copy of the file. The Pathogen virus counted the number of executable (e.g., *.EXE and *.COM) files that it infected. When the virus had infected 32 files, and an infected file was executed between 17:00 and 18:00 on a Monday:
- the keyboard is disabled,
- data in the first 256 cylinders of the hard disk drive are corrupted, and
- a message is displayed on the CRT that includes: "I'll be back for breakfast..... Unfortunately some of your data won't!!!!!"

The Pathogen virus contained a second virus, Smeg, which hid Pathogen from anti-virus software.

What makes the Pathogen virus worth including here is that its author is one of the very few authors of malicious computer programs who were arrested and convicted.

Pathogen Perpetrator

The author of Pathogen was Christopher Pile (aka "Black Baron"), a 26-year-old unemployed computer programmer who lived in Devon, United Kingdom. At his trial on 26 May 1995, Pile pled guilty to:
- five counts of unauthorized access to computers to facilitate crime,
- five counts of unauthorized modifications of computer software, and
- one count of inciting others to spread computer viruses that he wrote.

These charges were the result of his development and release of the Pathogen and Queeg viruses (both also containing the Smeg virus) in 1993 and continuing up to April 1994. The prosecutor claimed that one unnamed victim had suffered damage in the amount of half a million pounds (approximately US$ 800,000) from Pile's viruses.

On 15 November 1995, a judge sentenced Pile to 18 months in prison. The judge declared: "Those who seek to wreak mindless havoc on one of the vital tools of our age cannot expect lenient treatment."

Pile's punishment was more severe than other criminals who have written and released malicious programs. Other viruses and worms have been much more widespread, and caused much more damage, but their authors have generally been able to avoid prison (e.g., Morris and de Wit) or received a sentence not much longer than Pile's (e.g., the author of the Melissa virus spent 20 months in prison, despite having done at least a hundred times more damage than Pile).

Melissa Virus

The Melissa virus was released on 26 March 1999 and was designed to infect macros in wordprocessing documents used by the Microsoft Word 97 and Word 2000 programs. Macro viruses were not new; they had been known since 1995. The innovative feature of the Melissa virus was that it propagated by e-mailing itself to the first fifty addresses in the Microsoft Outlook e-mail program's address book. This feature allowed the Melissa virus to propagate faster than any previous virus. The virus arrived at each new victim's computer disguised as e-mail from someone whom they knew, and presumably trusted. (About 11 years earlier, the Christma Worm automatically sent itself to everyone in a victim's e-mail address book on an IBM mainframe computer.)

The Melissa virus propagated in two different ways:
1. On PCs running the Microsoft Outlook 97 or 98 e-mail program, the Melissa virus used the Outlook program to send an e-mail containing an attachment, with a filename like list.doc. This file contained a Microsoft Word document with a macro, and a copy of the Melissa virus was inside the macro. When this e-mail was received by someone who had Microsoft Word on his/her computer (even if their computer was an Apple Macintosh), and the recipient clicked on the attachment, the document would open and the Melissa virus would automatically infect Word's normal.dot template file, thus infecting the recipient's computer. While Microsoft Outlook was necessary for the automatic sending of infected documents, the recipient of such e-mail could be infected even if the recipient used a non-Microsoft e-mail program.
2. Infected Microsoft Word documents could be transmitted by floppy disks, usual e-mail sent by victim, etc. When such infected documents were opened in Microsoft Word, the Melissa virus would automatically infect Word's normal.dot template file, thus infecting the recipient's computer.

Many documents about the Melissa virus claim this virus was "relatively harmless" or "benign". That claim is not true. There were a number of distinctly different harms caused by Melissa:
1. Documents in Microsoft Word format were automatically sent, using Microsoft Outlook, to fifty people by the Melissa virus. Such automatic transmission could release confidential information from the victim's computer.
2. When the day number equals the number of minutes in the current time (e.g., at 11:06 on the 6th day of the month), the Melissa virus inserted the following text in whatever document was then being edited in Word on the victim's computer: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." Such an insertion was a deliberate modification of data files on the victim's hard drive, an unauthorized tampering with the victim's document files.
3. Future victims were most commonly infected by opening an attachment in an e-mail from someone whom they knew, and presumably trusted. Until the workings of the Melissa virus were understood by all the victims, trusted relationships between people could be harmed by this unauthorized sending of e-mail.
4. As with any rapidly propagating virus or worm, e-mail can be delayed, which sometimes has economic consequences (e.g., lost productivity).
5. And, as with all viruses and worms, there was the cost of removing the infection and restoring the computer to normal.

The fact that the Melissa virus could have been more destructive (e.g., by deleting data files from the victim's computer) is hardly praise for the author of the Melissa virus. For more technical details on Melissa, see the CERT advisory and the F-Secure description.

Finally, using an Apple Macintosh gives one immunity from most computer viruses and worms. However, Apple computer users who also use Microsoft Word 97 or later are vulnerable to the same macro viruses that plague Word users on Microsoft Windows 95 or later. However, the Melissa virus can not automatically transmit itself by e-mail from a computer that uses the Macintosh operating system.

Melissa Perpetrator

The Melissa virus was written by David Lee Smith and first released on 26 March 1999 as an attachment to his posting to an alt.sex newsgroup. That posting said the attachment contained a list of passwords for pornographic websites, but the attachment actually contained his virus. Smith named his virus "Melissa" after a topless dancer in Florida, whom Smith knew.

It is obvious that Smith knew what he was doing was wrong, because he used a stolen AOL account and password to make the initial release to the alt.sex newsgroup. Before his arrest, Smith discarded the hard drives that were used to create his virus at his home in New Jersey, then he hid at his brother's house, where David Lee Smith was arrested. Smith was arrested on 1 April 1999.
The CNN news report shows the police mugshot of Smith, with a smirking expression. He was charged in federal court with violations of 18 USC § 1030(a)(5)(A) and in New Jersey state court with violations of NJSA 2C:20-25(a) and 2C:20-26(a).

Smith was fired from his job doing computer programming at AT&T. He subsequently worked as a computer technician at Rutgers University after his arrest. (Rutgers did not know that Smith had been arrested for this crime.) Smith voluntarily quit his job at Rutgers six days before he pled guilty.

On 9 Dec 1999, Smith pled guilty in federal court. The plea agreement between prosecutors and Smith had the following features:
- Smith would cooperate with authorities in thwarting other creators of malicious computer programs.
- It would be stipulated that the Melissa virus did "more than eighty million dollars of damage". (The actual amount was much, much higher; one estimate was US$ 1100 million. However, the stipulation became a "fact" accepted in court for the purposes of determining Smith's sentence.)
- Any state and federal prison sentences would run concurrently, and end at the same time.

On 1 May 2002, a judge in federal court imposed the following sentence on Smith:
- 20 months in federal prison,
- 36 months of "supervised release" (i.e., probation) after his prison term ends, during which time he can access the Internet only with the permission of his probation officer,
- fined US$ 5100, and
- ordered to serve 100 hours of "community service" work in the "technological field", perhaps giving lectures in schools about the harmfulness of computer viruses.

Apparently, the 29-month interval between Smith's guilty plea and his sentencing (an unusually long interval) was the result of his cooperation with authorities in investigating other malicious computer programs. The authorities did not reveal any details of the cooperation, so it is not possible to know what the government got in exchange for more than halving Smith's prison sentence.

On 3 May 2002, a judge in New Jersey state court imposed the following sentence on Smith:
- the maximum allowable sentence of ten years in state prison. However, because of his plea agreement, Smith would serve only the 20 months in federal prison and then be a free man.
- fined US$ 2500.

Some documents in Smith's case have been posted on the Internet:
- Information filed by the U.S. Attorney for the District of New Jersey, charging David Lee Smith with violation of 18 USC § 1030(a)(5)(A).
- Letter of 8 Dec 1999 from the U.S. Attorney for New Jersey to the attorney representing David Smith, offering a plea agreement.
- DoJ press release about Smith's guilty plea.
- Judgment issued by Judge Greenaway on 1 May 2002.
- U.S. Attorney's 1 May 2002 press release about Smith's sentence. Another copy is at the DoJ website.

Weak Punishment

If one accepts the legal stipulation that the Melissa virus did US$ 8 × 10^7 in damage, and one considers Smith in prison to lose 16 hours/day of freedom (who cares where he sleeps for 8 hours/day?) for 20 months, then the effective value of Smith's time in prison is US$ 8330/hour. That is a ridiculously high value for Smith's time.

The prosecutors ignored that Smith's virus fraudulently sent e-mails from each victim's computer to new victims who were in the previous victim's e-mail address book. The new victims opened the attachment in e-mail apparently from someone whom they knew, and presumably trusted, and were infected with a copy of Smith's virus. I believe society should express outrage at this kind of fraud.

ILOVEYOU Worm

The ILOVEYOU worm was first reported in Hong Kong on 4 May 2000 and spread westward on that day. The ILOVEYOU worm affected computers at more than half of the companies in the USA and more than 10^5 mail servers in Europe. Internal e-mail systems at both the U.S. Senate and Britain's House of Commons were shut down. It was estimated that the ILOVEYOU worm did more damage than any other malicious program in the history of computing: approximately US$ 9 × 10^9. On 4 May 2000, MessageLabs filtered ILOVEYOU from one in every 28 e-mails, the all-time highest daily infection rate seen by MessageLabs.

The ILOVEYOU incident was commonly reported as a virus in the news media, but it was actually a worm, because this malicious program did not infect other programs. I call this worm by the subject line of e-mail that propagated this worm. Norton Anti-Virus calls it VBS.Loveletter.A.

The ILOVEYOU worm arrived at the victim's computer in the form of e-mail with the ILOVEYOU subject line and an attachment. The e-mail itself was innocuous, but when the user clicked on the attachment to read the alleged love letter, LOVE-LETTER-FOR-YOU.TXT.VBS, the attachment was a Visual Basic program that performed a horrible sequence of bad things:

Deletion of files from the victim's hard disk

The worm overwrote files from the victims' hard disk drive, specifically targeting files with extensions:
- *.JPG, *.GIF, and *.WAV, amongst many others (i.e., files containing audio/visual data),
- *.CSS (i.e., cascading style sheets called by HTML 4.0 documents),
- some later versions deleted *.COM or *.EXE files, which prevented the computer from starting when rebooted,
- some later versions deleted *.INI files.

The worm overwrote a copy of itself to a file with the name of the original file, appending the extension *.VBS, so the total number of files on the victim's hard disk would be unchanged and the damage more difficult to immediately detect. Further, if a victim clicked on one of these files, the ILOVEYOU worm would be activated again on that one victim. By overwriting files, instead of merely deleting files, the worm made it much more difficult (perhaps impossible) to recover the original file on the victim's hard drive. For example, if the worm had merely deleted files, then the victim could restore the files from the Recycle Bin or Trash Can. In addition, the worm marked files of type *.MP3 as hidden, so they would no longer appear in directory listings, then copied the worm to new files *.MP3.VBS.

Password theft

The attachment LOVE-LETTER-FOR-YOU.TXT.VBS automatically set the Microsoft Internet Explorer start page to a URL at a web server in the Philippines, which would download WIN-BUGSFIX.EXE to the victim's machine. The worm then set the victim's machine to run WIN-BUGSFIX.EXE the next time the victim's machine was booted. WIN-BUGSFIX.EXE was a Trojan Horse program that collected usernames and passwords from the victim's hard drive and e-mailed them to an address in the Philippines, mailme@super.net.ph. (That was a really stupid feature, since law enforcement agents, within 12 hours of the initial release of the worm, identified the person who owned that e-mail address.) Furthermore, there was a copyright notice in the Trojan Horse's code!

An Internet Service Provider in Europe alerted the web server in the Philippines at 08:30 GMT on Thursday, 4 May 2000, and WIN-BUGSFIX.EXE was removed from the website, which prevented most of the harm in Europe and the USA from this password-collecting program. Later, the web server in the Philippines was overwhelmed (i.e., a kind of a denial of service attack) with requests from the worm for WIN-BUGSFIX.EXE.

This Trojan Horse program had been previously submitted as a thesis proposal at a computer college in the Philippines. The proposal was rejected with handwritten comments "This is illegal." and "We don't produce burglars." The student then dropped out of the college without earning a degree. A copy of the student's rejected thesis proposal is posted at Richard M.
Smith's website.worm propagates The worm transmitted itself using features of the earlier Melissa program: scanning the address book in Microsoft Outlook, and then transmitted a copy of the ILOVEYOU e-mail to all of those e-mail addresses. This method of transmission rapidly disseminated the worm to millions of victims. In comparison, Melissa sent copies to only the first 50 entries in the Microsoft Outlook address book, while ILOVEYOU sent copies to every address in the that victims' book. The worm also sent copies to other people on the same Internet Relay Chat channel that the victim was using.copycat versions of the ILOVEYOU wormThe first copycat version appeared on Thursday afternoon with asubject line fwd:joke and an attachment veryfunny.vbs.Another copycat version appeared on Sunday with asubject line Dangerous Virus Warningand an attachment virus_warning.jpg.vbs.Anyone who clicked on the attachment to read the warningwould activate the worm on their machine and become a victim.The deception in this subject and e-mail message may be particularlyhorrifying to a naive person, but one must not expect computer criminalsto be honest and sincere. It's a sad fact of life that people withouta healthy amount of skepticism and cynicism will become victimsof crimes.Just five days after the initial release of the ILOVEYOU worm,Norton AntiVirus had identified 29 different versionsof the worm. It takes minimal skill to slightly modify a versionof a worm and release the new version, which is one reason thereare so many copycat versions. Some of the copycat versions were moredestructive than the original, as these copycat versions overwrotefiles of types *.COM, *.EXE, and *.INI,which destroyed the user's operating system.ILOVEYOU PerpetratorPolice in the Philippines knew the name and locationof the suspect within 12 hours of the initial release of the worm,but the police were hampered bythe lack of laws there for computer crimes. 
The closest relevant Philippine law was designed to cover credit card or bank account fraud, but was broad enough to cover unauthorized taking of goods and services. However, the police were not able to find sufficient evidence for prosecutors to apply this fraud statute. On 7 June 2000, police and prosecutors in the Philippines closed their investigation of the ILOVEYOU worm, because the creation and release of this worm was not a crime in the Philippines. On 21 August 2000, prosecutors dropped all charges against the people who apparently designed and released the ILOVEYOU worm.

Partly as a result of inadequate law in the Philippines, just five days after the initial release of the worm there was active discussion of extraditing the suspect to a developed country where harm occurred and where the laws were adequate to punish the perpetrator. However, extradition laws only allow extradition in cases where the offense was a crime in both the suspect's home country and in the country to which extradition is sought, so extradition from the Philippines was not possible.

This example shows the international nature of computer crime: a criminal in one country can rapidly cause havoc all over the world, using the international reach of the Internet. In contrast, a criminal who physically moves from one country to the next would need to pass through immigration and customs controls at each border, as well as become subject to personal jurisdiction in each country.

On 11 May 2000, one week after the initial release of the worm, the author's attorney said that his client did not realize how rapidly the worm would propagate. Sorry, that's not plausible; see my remarks above.

One week after the initial release of the worm, the author's attorney said that the worm had been "accidentally" released. This excuse is too easy. There is no acceptable reason to create such malicious software: remember that the program overwrote files on the victim's disk drive, and the overwriting had absolutely no benefit to the author of the program, except for glee at hurting other people. There is no rational reason to write a program that one intends never to use. And, if one writes such a destructive program, then one must use extraordinary care (i.e., the same care that one takes with toxic chemicals, explosives, highly radioactive materials, etc.) to make certain that the program is never released. Society ought to demand that those who release malicious programs, even if the release is an "accident", be held legally responsible for the damage caused by the malicious programs.

The author of the password-stealing Trojan Horse had attempted to justify his program because Internet access in the Philippines was expensive (e.g., US$ 2.50/hour with no "unlimited use" plans available), therefore he sought to use victims' accounts for free. This is simply theft of services.

Anna Worm

On 11 Feb 2001, a malicious program was released that was contained in an attachment to e-mail. The attachment purported to be a picture of a 19-year-old Russian tennis player, Anna Kournikova, but the attachment was actually a computer worm. The attachment had the file name AnnaKournikova.jpg.vbs. The file type .jpg is commonly used for graphic images, such as photographs. However, the real file type was .vbs, which is an executable file, a computer program written in Microsoft Visual Basic Script.

This malicious program is often known by the last name of the innocent tennis player. I have chosen to refer to this malicious program by her first name, Anna, to avoid associating the tennis player with this malicious program. Norton Anti-Virus calls this worm VBS.SST@mm. F-Secure calls this worm OnTheFly, after the pseudonym of its author.

The Anna worm did the following two things on a victim's computer:

- sends one copy of the worm to each e-mail address in the victim's Microsoft Outlook address book;
- on 26 Jan of each year, displays the homepage of an innocent computer store on the victim's web browser.

The Anna worm does not have any novel technical features. I mention the Anna worm here only because it is one of the very few cases in which the author was arrested and punished.

The Anna worm rapidly spread amongst computers, particularly in North America, on 12-13 Feb 2001. While the Anna worm was relatively benign (e.g., it did not damage any files on the victim's computer), it still caused harm by clogging the Internet with many copies of itself and by requiring each victim to remove it from his/her computer.

Perpetrator of Anna Worm

The author, Jan de Wit, was a 20-year-old man who lived in Friesland in the Netherlands. He downloaded a tool from the Internet for creating malicious programs and wrote this worm in just a few hours.

An Internet website purporting to be by the author of the Anna worm said "It's their own fault they got infected." (See, for example, wired.com and cnet.com.) I have two comments:

- It is true that the victim was infected when he/she clicked on the attachment in e-mail that purported to be a photograph, but was actually a worm. But the author of the Anna worm ignores the fact that the worm was deceptively, or fraudulently, presented as a photograph. I would be more willing to accept the author's blame-the-victim statement about the worm had it arrived in an e-mail that said "Click here to receive a computer virus." But, of course, no criminal would be so honest.
- Blaming the victim for the harm caused by a crime is repugnant. Can you imagine someone accused of homicide saying that he only perpetrated an assault/battery, because the victim would not have died if the victim had worn a bullet-proof vest? Thus the homicide is the victim's fault, for recklessly not wearing body armor!

The anti-virus software company F-Secure in Finland identified the author of the Anna worm to police in the Netherlands. On 14 Feb 2001, after his worm spread worldwide and caused considerable inconvenience, Jan de Wit surrendered to police in the Netherlands. On 27 Sep 2001, a Dutch court sentenced de Wit to a mere 150 hours of community service. This sentence was light, because prosecutors had difficulty in finding admissible evidence about the cost of removing the Anna worm from computers. Businesses were reluctant to admit that their computers were infected with a worm. On 16 Oct 2001, de Wit appealed this sentence as too harsh.

three worms: CodeRed, Sircam, Nimda

The year 2001 saw the introduction of many serious malicious programs: CodeRed, Sircam, Nimda, BadTrans.B, and Klez. I treat the first three tersely in the following sections.

CodeRed

The initial CodeRed worm was discovered on 16 July 2001. CodeRed targeted webservers, not computers of users. This worm was propagated as an HTTP GET request, i.e. a request to get a webpage from a server.
If the server was running the Microsoft Windows NT 4.0 or Windows 2000 operating systems, a defect in those operating systems allowed the worm to infect that server. An interesting feature of CodeRed is that it does not reside in any file on the hard disk, but only exists in semiconductor memory (RAM): this feature allows CodeRed to escape detection by a scan of the hard disk with anti-virus software. Switching the infected computer off, then on, will remove the infection, but webservers normally run continually (i.e., 24 hours/day, 7 days/week), unlike computers in homes and offices that may be rebooted daily.

The CodeRed worm did different things depending on the day of the month. Most versions of CodeRed used the following schedule:

- During the first 19 days of each month, the CodeRed worm sent out many HTTP GET requests to random IP addresses (i.e., websites and Internet users), seeking webservers to infect. This feature of CodeRed is essentially a port probe, looking for webservers running Windows NT 4.0 or Windows 2000 operating systems. The large number of bogus requests from CodeRed could mimic a denial-of-service attack on a webserver.
- During days 20 to 28 of each month, another feature of CodeRed makes a denial-of-service attack on the IP address that then corresponded to www.whitehouse.gov. The IP address of the U.S. President's website was changed to defeat CodeRed.
- After the 28th day of the month, CodeRed goes into a sleep state until the next month, although the server is still infected.

Under certain circumstances, one early version of CodeRed running on a webserver that uses the English language will intercept requests for a webpage and return its own HTML code:

Welcome to http:// www.worm.com ! Hacked by Chinese!

After 10 hours, CodeRed again returns the proper requested webpage. The temporary unavailability of some webpages will cause concern to webmasters, then the problem will "magically" disappear, frustrating operators of webservers who are trying to find the problem.

A CERT advisory showed that CodeRed infected 2.0 × 10^5 computers in just five hours on 19 July 2001, which was a rapid rate of infection and a good example of the geometric series mentioned earlier in this essay. CERT said that "at least 280000 hosts were compromised in the first wave" of attacks on 19 July 2001.

CodeRed II

A new version of CodeRed appeared on 4 August 2001, called CodeRed II. The important new feature of CodeRed II is the installation of a Trojan Horse program, which creates a backdoor into the infected webserver. After this backdoor is installed, any web surfer can send commands by using any web browser. Such commands could, for example, delete files from the webserver, or upload new files to the webserver. The Trojan Horse also disables the system file checker function in Windows, so that the modified operating system files can not be detected.

Whoever wrote CodeRed II did not like the Chinese, as that variant is designed to propagate faster, and for a longer time, in webservers that use the Chinese language.

Perpetrator of CodeRed

To the best of my knowledge, the author of the CodeRed worm was never identified, so there can be no legal consequences for him.

Sircam

The initial Sircam worm was discovered on 17 July 2001, about the same time as CodeRed first appeared. The worm arrived at a victim's computer in e-mail with the following text:

Hi! How are you?
[second line: one of four choices below]
See you later. Thanks

There are four different versions of the second line of the e-mail text:

- I send you this file in order to have your advice
- I hope you can help me with this file that I send
- I hope you like the file that I sendo you
- This is the file with the information that you ask for

Clicking on the attached file infects the victim with the Sircam worm.

Note: the text of e-mail containing malicious programs often contains ungrammatical text, punctuation errors (e.g., the missing periods in Sircam's text), or misspelled words, because the author is a non-native speaker of English. Such mistakes in English text in an e-mail apparently from an English-speaking country should alert the reader to the possibility of e-mail from a forged address.

The Sircam worm inflicts several harms on the victim:

- a 2% chance that the file c:\recycled\sircam.sys will be created, then text is repeatedly added to this file until there is no more free space on the C: hard disk drive.
- on computers using the day/month/year date format and when the date is 16 October, there is a 5% chance that Sircam will delete all files and delete all directories on the C: hard disk drive.
- Sircam automatically sends copies of itself with the victim's e-mail address as the From: address. If Sircam can not find the victim's e-mail address, then Sircam will forge a From: address from the current username and one of four mail servers (e.g., @prodigy.net.mx). The To: addresses are harvested from the Windows Address Book and also from e-mail addresses found in the web browser cache files. The text of the e-mail was mentioned above. The e-mail has one attachment which contains a copy of the Sircam worm followed by the contents of a file with file type .doc or .zip from the My Documents folder on the victim's computer. This document could contain the victim's confidential information, which is then sent to numerous addresses. The name of the attachment had a double file extension, which, like Melissa and Anna above, is symptomatic of a malicious attachment. The filename and left extension of the attachment were identical to those of the copied file from the victim's machine; Sircam then added a second file extension, either .com, .bat, .exe, .pif, or .lnk, which made the attachment an executable file type.
- Sircam uses its own internal mail program, so that copies of outgoing e-mail do not appear in the user's e-mail program's out-box. Thus the user does not know his/her computer is mailing copies of the Sircam worm to other people.

The Sircam worm has a length of 137216 bytes. The additional space required by the document from the victim's computer makes the attachment even larger, perhaps more than 200000 bytes, which is larger than most webpages and most e-mail messages. This large file size helps Sircam clog the Internet.

Several anti-virus websites note that there is a bug in the Sircam worm that makes it "highly unlikely" that the disk-space-filling and file-deleting will occur.
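The double-extension trick that ILOVEYOU, Anna and Sircam relied on can be checked mechanically at a mail gateway before a user ever sees the attachment. The following is an added example, not code from this essay: it splits an attachment name into all of its extensions and flags a document- or picture-looking inner extension that hides an executable outer one; the extension sets, the helper names and the sample attachment names are assumptions for illustration.

```python
"""Flag e-mail attachment names that use the double-extension trick.

Added example, not code from the essay. The extension sets below are
assumptions: the essay names .vbs, .com, .bat, .exe, .pif and .lnk as the
executable outer extensions and .txt/.jpg/.doc/.zip as the decoys; the
remaining entries are added for completeness.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

EXECUTABLE_EXTS = {".vbs", ".exe", ".com", ".bat", ".pif", ".lnk",
                   ".scr", ".js", ".vbe", ".wsf"}
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".xls", ".zip",
              ".pdf", ".mp3", ".htm", ".html"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    suspicious: bool
    reason: str


def split_extensions(filename: str) -> list[str]:
    """Return every extension of a name, lower-cased, innermost first.

    'LOVE-LETTER-FOR-YOU.TXT.VBS' -> ['.txt', '.vbs']
    """
    # Strip any directory part; some mail clients put a path in the name.
    base = os.path.basename(filename.replace("\\", "/")).strip()
    exts: list[str] = []
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            break
        exts.append(ext.lower())
    return list(reversed(exts))


def classify_attachment(filename: str) -> Verdict:
    """Apply the double-extension heuristic the essay describes to one name."""
    exts = split_extensions(filename)
    if not exts:
        return Verdict(filename, False, "no extension")
    outer = exts[-1]
    if outer not in EXECUTABLE_EXTS:
        # Caveat: this says nothing about readme.eml-style attachments that a
        # browser defect launched without a click (Nimda, BadTrans, Klez).
        return Verdict(filename, False, f"outer extension {outer} is not executable")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return Verdict(filename, True, f"decoy {exts[-2]} hides executable {outer}")
    return Verdict(filename, True, f"bare executable attachment {outer}")


def flag_suspicious(filenames: list[str]) -> list[str]:
    """Return the names that should be quarantined, in input order."""
    return [name for name in filenames if classify_attachment(name).suspicious]


# Constructed sample: the names the essay reports plus a few benign ones.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.VBS",   # ILOVEYOU
    "veryfunny.vbs",                 # first ILOVEYOU copycat
    "virus_warning.jpg.vbs",         # second ILOVEYOU copycat
    "AnnaKournikova.jpg.vbs",        # Anna worm
    "budget.doc.pif",                # constructed, Sircam-style
    "holiday.jpg",                   # benign
    "report.doc",                    # benign
    "readme.eml",                    # Nimda's file; not caught by this heuristic
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        v = classify_attachment(name)
        print(f"{'QUARANTINE' if v.suspicious else 'pass      '} {name}: {v.reason}")
```

The heuristic catches every attachment name this essay reports for ILOVEYOU, Anna and Sircam, but not the read-or-preview infections of Nimda, BadTrans and Klez, which needed the browser patch rather than an attachment filter.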
However, the author of Sircam apparently intended those harms to occur.

Perpetrator of SirCam

To the best of my knowledge, the author of the SirCam worm was never identified, so there can be no legal consequences for him. A copyright notice in the Sircam code says that this worm was made in Mexico, but I have seen no confirmation that this statement is correct.

The anti-virus software vendor Trend Micro reported on 10 May 2002 that a total of 1.0 × 10^6 computers worldwide had been infected with Sircam. The anti-virus software vendors Sophos and Computer Associates both reported SirCam as the second most prevalent malicious program infecting computers in the year 2001: SirCam accounted for 20% of the reports to Sophos in 2001. On 17 May 2002, MessageLabs reported SirCam as the all-time most prevalent malicious program in e-mail.

Nimda

The Nimda worm was discovered on 18 September 2001 and it spread rapidly on the Internet. Nimda had two novel features:

- Nimda could infect a computer when the user read or previewed an e-mail that contained a copy of Nimda. With all previous viruses or worms transmitted by e-mail, the user would need to click on an attachment to infect the user's computer.
- Nimda could modify webpages on a webserver, so that accessing those webpages could download a copy of Nimda to the browser's computer.

These two novel features represented a significant "advance" in ability to harm victims.

The first novel feature of Nimda exploited a defect in Microsoft Internet Explorer 5.01 and 5.5. A patch that repairs this defect had been available from the Microsoft website since 29 March 2001, but most computer users do not bother to install the latest updates. Why did a defect in a web browser cause a vulnerability to worms sent by e-mail? Most modern e-mail is sent in HTML format, the same format used by webpages, and e-mail software (e.g., Microsoft Outlook) uses the Internet Explorer web browser to display such e-mail. This vulnerability could be avoided by (1) selecting either Netscape Navigator or Opera as the default browser and (2) using a non-Microsoft e-mail program, such as Eudora.

The Nimda worm propagates in several different ways:

- Like the CodeRed worm, every copy of Nimda generates many random IP addresses to target with HTTP GET requests, i.e. requests to get a webpage from a server. If the server was running the Microsoft Windows NT 4.0 or Windows 2000 operating systems, a defect in those operating systems allowed the worm to infect that server. The name of the Nimda worm is a reversal of the computer term admin (administrator), which designates a user with the privilege of modifying system files. By exploiting a defect in Windows, the Nimda worm is able to act as an administrator.
- Once a webserver was infected by Nimda, the worm adds a small amount of Javascript code to webpages on that server with filenames index, default, or readme and extensions .html, .htm, or .asp. Nimda also creates a copy of itself in a file, readme.eml, on an infected webserver. Depending on the settings on the user's computer regarding Javascript, when the user accessed one of these altered webpages, the user's web browser might:
  - automatically download readme.eml and execute the Nimda worm, thus infecting the user's computer;
  - display a prompt to ask whether the user wanted to download the file readme.eml; or
  - automatically refuse to download the file.
- Once every ten days, Nimda searches the hard drive of an infected computer to harvest e-mail addresses from the following sources:
  - in-boxes for the user's e-mail program (e.g., Microsoft Outlook);
  - *.HTML and *.HTM files in the user's web browser cache (also called the Temporary Internet Files folder).
  After harvesting e-mail addresses, Nimda selects one of these addresses as the From: address and the remainder as To: addresses, and sends copies of Nimda in an apparently blank e-mail. Note that the infected computer is not used as the From: address, so there is no easy way for the recipient of e-mail to determine whose computer sent the copy of Nimda. Nimda (like Sircam) uses its own internal mail program, so that copies of outgoing e-mail do not appear in the user's e-mail program's out-box. Thus the user does not know his/her computer is mailing copies of the Nimda worm to other people. As mentioned above, Nimda can infect the recipient's machine when the recipient either reads or previews the e-mail, without needing to click on an attachment.
- Nimda adds a copy of itself to the beginning of *.EXE files. Such executable files are sometimes transferred to other computers, which will spread the Nimda infection.

On 11 Oct 2001, hundreds of e-mails containing Nimda were sent with forged From: addresses that appeared to originate from the manager of anti-virus research at F-Secure in Finland. Such forged source addresses, whether a deliberate act or a random occurrence caused by execution of a malicious program, damage the reputation of innocent people. (I elaborate on this point later in this essay, in discussing the Klez program.)

For more technical details on Nimda, see the CERT advisory and the F-Secure description.

The Nimda worm has a length of 57344 bytes, which makes it a relatively large file compared to many webpages and e-mail messages. This large file size helps Nimda clog the Internet.

I noticed CodeRed and Nimda at my professional website, where, up to 10 May 2002, there were 11238 requests for Windows NT operating system files, particularly cmd.exe.
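On a Unix-hosted site no request for cmd.exe can be legitimate, so counting such requests in the access log is the simplest way to see the CodeRed and Nimda scanning and its rate. The block below is an added example rather than code from the essay: it parses constructed Apache-style log lines, counts cmd.exe requests per second and per source address, and reports the seconds at or above a threshold; the log layout, the threshold, the function names and the sample lines are assumptions.

```python
"""Count CodeRed/Nimda-style probes for cmd.exe in a web server access log.

Added example, not code from the essay. It assumes Apache "combined" log
lines (the regex below encodes that assumption) and uses only the indicator
the essay names, requests for cmd.exe, which cannot be served by a Unix host.
"""
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Only the marker the essay reports; a real deployment would add others.
PROBE_MARKERS = ("cmd.exe",)


def parse_line(line: str) -> dict | None:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_probe(path: str) -> bool:
    """True when the requested path names a file a worm probes for."""
    lowered = path.lower()
    return any(marker in lowered for marker in PROBE_MARKERS)


def summarize(lines: list[str], threshold: int) -> dict:
    """Count probes per second and per source; list seconds at or above threshold."""
    per_second: Counter = Counter()
    per_source: Counter = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # keep a tally so a format change is noticed
            continue
        if not is_probe(rec["path"]):
            continue
        per_second[rec["ts"].isoformat()] += 1
        per_source[rec["ip"]] += 1
    return {
        "total_probes": sum(per_second.values()),
        "distinct_sources": len(per_source),
        "peak_per_second": max(per_second.values(), default=0),
        "busy_seconds": sorted(ts for ts, n in per_second.items() if n >= threshold),
        "unparsed": unparsed,
    }


# Constructed sample using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:10:15:01 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 209',
    '192.0.2.11 - - [18/Sep/2001:10:15:01 +0000] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 209',
    '192.0.2.12 - - [18/Sep/2001:10:15:01 +0000] "GET /c/winnt/system32/CMD.EXE HTTP/1.0" 404 209',
    '198.51.100.5 - - [18/Sep/2001:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.13 - - [18/Sep/2001:10:15:02 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 209',
    'this line is not in log format',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, threshold=3))
```

Because every probe comes from a different infected server, the per-source count stays near one while the per-second count climbs, which is the signature of a worm sweep rather than a single misbehaving client.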
(These files do not exist on the server that hosts my website, as that server runs the Unix operating system.) The webhosting service that I use reported on 18 Sep 2001 that they were receiving approximately 8000 hits/second requesting cmd.exe. Such a high rate of requests approximates a denial-of-service attack on a webserver.

Perpetrator of Nimda

To the best of my knowledge, the author of the Nimda worm was never identified, so there can be no legal consequences for him. The code for Nimda contains a copyright notice stating that it originated in communist China, but I have seen no confirmation that this statement is correct.

The anti-virus software vendor Trend Micro reported on 14 May 2002 that a total of 1.2 × 10^6 computers worldwide had been infected with Nimda. The anti-virus software vendor Sophos reported Nimda as the most prevalent malicious program in the year 2001: Nimda accounted for 27% of the reports to Sophos.

BadTrans.B worm

The BadTrans.B worm was discovered on 24 Nov 2001. There was an epidemic from late November 2001 through early January 2002. This worm did the following things to a victim's computer:

- installs a Trojan Horse program to record the victim's keystrokes that are typed into any window with a title that begins PAS[sword], LOG[on], or four similar words that indicate an attempt to logon to some service. This program later e-mailed the collected keystrokes (e.g., including username and password) to an e-mail address specified in the Trojan Horse.
- finds yet unread e-mail in Microsoft Outlook on the victim's machine and replies to those unread e-mails with a copy of the BadTrans worm in an attachment to the reply. This novel feature of the BadTrans worm increased the chances of propagation, since the recipient was expecting a reply from the victim. The From: address will be the victim's e-mail address if the worm can find that information in the victim's computer; otherwise the From: address will be chosen from a list of 15 addresses, mostly with female names, contained in the worm. These 15 addresses connected to real people, who were selected by the author of the BadTrans worm. One of them, Joanna Castillo, posted a webpage about her experience. Also, the now-defunct Newsbytes website had an article about the "e-mail hell" experienced by Castillo and one other victim of the forged From: addresses. Before sending copies with the victim's From: address, the worm adds the underline character (i.e., _) to the beginning of that From: e-mail address. Such an additional character will prevent warnings from the recipient from reaching the victim. Also, any returned copies of the worm (e.g., because the worm replied to spam that had an invalid, forged address) will not reach the victim and inform him/her of the unauthorized sending from his/her computer. Some variants of the BadTrans worm also sent copies of the worm to e-mail addresses found in previously read e-mail in the victim's inbox or to addresses contained in files of types *.htm, *.html, and *.asp in documents downloaded from the Internet.
- exploits a defect in Microsoft Internet Explorer that allows the worm to be launched without the victim opening an attachment. The same defect was exploited earlier by the Nimda worm.

BadTrans.B Perpetrator

To the best of my knowledge, the author of the BadTrans worm was never identified, so there can be no legal consequences for him.

The anti-virus software vendor Trend Micro reported on 16 May 2002 that a total of 2.1 × 10^5 computers worldwide had been infected with BadTrans.B, which was only about 1/5 the number of computers that Trend Micro reported as infected with Sircam or Nimda, which also appeared in the year 2001. However, the anti-virus software vendor Computer Associates reported BadTrans.B as the most prevalent malicious program in the year 2001. On 2 Dec 2001, MessageLabs filtered BadTrans.B from one in every 57 e-mails, the second-highest daily infection rate seen by MessageLabs. On 17 May 2002, MessageLabs reported the BadTrans.B worm was the all-time third-most-common malicious program in e-mail.

Klez

The original Klez program appeared on 26 October 2001. A number of variants appeared later, of which the most significant were the E variant that first appeared on 17 January 2002 and the H variant that first appeared on 17 April 2002. The H variant caused an epidemic from about 20 April 2002 through June 2002, and became the most widespread malicious program in the history of the Internet.

Klez has properties of both a computer virus and worm, what the Norton Anti-Virus website calls a "blended threat". There are a number of varieties of the Klez program and they each do slightly different harms to the victim's computer. Among these harms are:

- deposits a copy of an ElKern computer virus in the victim's computer. The early versions of this virus destroy information in all files on the victim's computer on 13 March and 13 September of each year.
- the Klez program is released when the victim reads or previews e-mail with Microsoft Outlook. The same defect in Microsoft Internet Explorer was exploited earlier by both the Nimda and BadTrans worms.
- sends copies of the Klez program via e-mail from the victim's computer, as discussed in more detail below.
- attempts to disable many common anti-virus programs by modifying the Windows registry file.
- on the 6th day of each odd-numbered month, attempts to overwrite many different files on the victim's hard drive with a pattern of all zeroes, thus destroying data in those files.
- randomly selects a file of type .doc, .rtf, .pdf, .jpg, among other possibilities, to append to the attachment containing the Klez program, thus possibly sending confidential information from the victim to future victims.

This long list of harms shows that the author of Klez had a truly malicious intent.

sending copies

The Klez program propagated by sending e-mail that contains Klez in an attachment. The subject line, body of the e-mail, and name of the attachment were randomly selected from a long list of possibilities contained in the Klez program. (This is unlike the Anna worm discussed above, where the attachment always had the same name and could be easily recognized by someone who had been warned by the news media.)

Some of the variants of Klez not only searched the Microsoft Outlook e-mail address book (like the Melissa and ILOVEYOU programs), but also searched the entire hard drive on the victim's computer for e-mail addresses contained in files of types .txt, .htm, and .html, amongst others.
These file types includewebpages downloaded from the Internet and stored on the victim's computer,and they may also include e-mail inboxes.This searching the entire hard drive for e-mail addresseswas a significant progression in the thoroughness of malicious programsin obtaining a list of e-mail addresses to receive a copy ofthe malicious program.Klez (like SirCam and Nimda) used its own internal e-mail program.Some of the variants of Klez randomly selected one e-mail address in the listto be the designated false source of e-mails containingcopies of the Klez program.Copies were then sent to all of the remaining addresses on the list.A wired.com news article says:The [Klez] virus arrives attached to an e-mail that typically appears to have been sent by someone the recipient knew. Many computer users say that friends, co-workers, and business associates are angrily or patronizingly accusing them of sending out viruses. Some victims say they fear their professional reputations have been harmed.This article quotes a public relations consultantwho was falsely accused by eight of her clients,as well as potential clients,for sending the Klez program to them: "I can't imaginethey will trust me with a campaign for a tech firm after this."e-mail with false textAt least one version of the Klez program produced e-mail thatsaid that the attachment (which really contained the malicious Klez program)was an "immunity tool" and that the attachment originated froma specific, well-known anti-virus software vendor. According to theNorton Anti-Viruswebsite, one version of these e-mails included the following text:Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC. 
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.This fraudulent text instructed victims to disable their anti-virus (AV)software that would have prevented their infection with Klez!As with earlier malicious programs, you can not trust whatyou read in e-mail written by criminals.In connection with the SirCam text above,I observed that grammar errors, punctuation errors (e.g., no space after commasand periods in the Klez immunity tool message), and spelling errorsin a message apparently from a native speaker of English is suggestivethat the message has a forged From: address and theattachment may contain a malicious program.Klez PerpetratorTo the best of my knowledge, the author of the Klez program was never identified,so there can be no legal consequences for him.The original Klez program in late October 2001 containeda comment inside HTML code that said:I am sorry to do so,but it's helpless to say sorry I want a good job,I must support my parents. Now you have seen my technical capabilities. How much my year-salary now? NO more than $5,500. What do you think of this fact? Don't call my names,I have no hostility. 
Can you help me?

Articles at some anti-virus websites mentioned the suspicion that the author lives in the Guangdong province of communist China. A later version of the Klez program claims to be "made in Asia" and the author boasts that he wrote the entire program in only three weeks, so the program might not be free of defects.

These kinds of comments inside the Klez program make it appear that the author regards his program as part of his professional portfolio, in order to be hired as a computer programmer. Shame on any software vendor that hires the author of a malicious program! Ethical people are not favorably impressed by someone whose portfolio harms other people.

The anti-virus software vendor Trend Micro reported on 17 May 2002 that a total of 9.5 × 10^5 computers worldwide had been infected with either KlezE or KlezH. On 17 May 2002, MessageLabs reported the KlezH program was the all-time second-most-common malicious program in e-mail. At that time, the epidemic was continuing and the total number of infected computers was certain to increase substantially.

my second essay

A description of some malicious computer programs since mid-2002, with emphasis on the nonexistent or lenient punishment for their authors, and with links to legal documents, is contained in my second essay.

Economic Damage

There are many different harms resulting from malicious programs:

- Many malicious programs delete or alter data in files on the victim's hard drive. Recovering from such an attack requires either the use of a backup copy or tediously regenerating the data. There will always be lost data after the last backup. The amount of lost data will be less than one day's work, if one makes daily backups. However, daily backups are rare amongst computer users at home and in small offices. That means most victims will lose days, or even weeks, of wordprocessing and financial data. The value of that lost data far exceeds the cost of the computer hardware.
- Many malicious programs alter the Microsoft Windows registry file. All of those alterations must be undone, in order to recover from the malicious program.
- Many malicious programs attach themselves to parts of the operating system or applications programs. In some cases (e.g., CodeRed), the best recovery is to reformat the hard disk drive, make a clean installation of the operating system, then install all of the applications software, and finally copy all of the user's data files from backup media. Such a process can take many hours if the user is familiar with the process and has a recent backup copy of the data files. Alternatively, if one has used special backup software that copies the entire operating system (including hidden files), all applications software, and all data files onto recordable media (e.g., compact disks or a tape cartridge), then one can use that media to recover more quickly.
- Malicious programs that propagate by e-mail clog e-mail servers with millions of copies of a virus or worm, thus delaying receipt of useful e-mail, or causing valid messages to be lost in a flood of useless e-mail. Some companies switch off their e-mail servers during epidemics of malicious programs transmitted by e-mail, to prevent crashing their server, but that makes valid e-mail undeliverable. Many businesses rely on prompt delivery of e-mail for their routine operation, and slow e-mail will cause financial losses, such as the cost of lost productivity.

There is no definite information on the exact cost of recovering from an epidemic of a malicious program. A quick calculation shows that the damage inflicted by a malicious program will be immense. Some of these malicious programs infected more than 10^5 computers worldwide. If the cost of removing the program from each computer is only US$ 200 (a very low estimate), then the total harm exceeds ten million dollars. This quick calculation shows that the cost of each widespread malicious program will be more than US$ 10^7, but we do not know how much more.

The estimated costs in the following table are from Computer Economics in January 2002. Journalists who write news reports about malicious programs commonly use damage estimates provided by Computer Economics.

name of program    estimated US$ cost
Melissa            1.10 × 10^9
ILOVEYOU           8.75 × 10^9
CodeRed            2.62 × 10^9
SirCam             1.15 × 10^9
Nimda              0.635 × 10^9

The cost of recovery from malicious programs after ILOVEYOU was reduced by the availability of software tools from anti-virus software companies that automate much of the process of removing a worm.

Sources of Information

Early History of Malicious Programs

The following online resources describe the early history of malicious programs:

- Robert M. Slade, History of Computer Viruses, 1992. Posted at Univ. Wisconsin and cknow.com.
- Alan Solomon, A Brief History of PC Viruses, 1993 (?). Posted at Univ. Wisconsin and cknow.com.
- Joe Wells, Virus Timeline, 30 Aug 1996.
- Eugene Kaspersky, Computer Viruses, Nov 1998.

There are also various books on this subject:

- Peter J. Denning, editor, Computers Under Attack, Addison-Wesley, 1990. A collection of reprinted articles.
- Alan Solomon and Tim Kay, Dr Solomon's PC Anti-Virus Book, Butterworth, 1994.
- Robert Slade's Guide to Computer Viruses, Springer-Verlag, second edition, 1996.

Later Malicious Programs

Except for the early examples (i.e., before Melissa), I have compiled the information in this essay from sources at:

- Various anti-virus software websites (particularly: Computer Associates, F-Secure, McAfee, Norton/Symantec). Links to these websites are found in my webpage, Current Computer Attacks.
- CNN, because retrieval of old news from this website is free, unlike most newspaper websites in the USA. News reports are not always technically accurate; for example, journalists don't know the difference between a computer virus and a worm.
- The Computer Emergency Response Team (CERT) at Carnegie Mellon University.

In order to make this essay easier to read, I have omitted some file types and other technical details in my description of the workings of each malicious program. For more complete information, consult the primary sources at anti-virus software websites.

Finally, there are differences amongst descriptions of nominally identical worms at different anti-virus software websites. These differences may be the result of different teams of experts examining different variants of each worm.

Prevalence of Malicious Programs

Quantitative information on the number of computers (or number of files) infected with a malicious program is difficult to find, because there is no central place for all computer users to report their infections. There are several sources frequently mentioned in this essay:

- Trend Micro in Japan has statistical information and a summary of the number of computers infected worldwide by each virus or worm. They get their statistics from their free online virus scanner and their computer network management services. Trend Micro's statistical database began 30 July 2000, so it is only useful for recent infections, not for old incidents like the Melissa virus or the ILOVEYOU worm.
- MessageLabs is a commercial service that, since 1999, filters malicious programs from large amounts of e-mail passing through its subscribers' systems. MessageLabs posts current information on the percent of e-mail that contains a computer virus or worm.

I notice appreciable differences amongst the reported prevalence of a given virus or worm at different websites.
The following are possible explanations for such different data:

- Data at both TrendMicro and McAfee Regional Virus Info show that the distribution of viruses and worms is not homogeneous throughout the world: there are real geographical differences in the prevalence of each malicious program. Each service that reports prevalence of viruses and worms (e.g., TrendMicro, MessageLabs, etc.) has a different global distribution of its customers, which can account for some of the differences in their prevalence data.
- Other differences may be attributable to differences in the relative number of malicious programs in e-mail received by people at businesses, compared to people in homes. People at businesses probably have their e-mail addresses listed in e-mail address books on many different computers, and also on several webpages; while many people may have their home e-mail addresses in only a few address books of their friends and on no webpage. Thus, business e-mail addresses are more likely to be harvested as the automatic targets of e-mail containing malicious programs, such as Melissa, ILOVEYOU, SirCam, Nimda, BadTrans.B, Klez, etc.
- Still other differences may be attributable to variations in the type of customers: some worms (e.g., CodeRed) target webservers, other worms target individual users' computers.

Conclusion

Harms

It is at least reckless to release such computer programs that are designed to be harmful to victims. For example:

- E-mail delivering these malicious programs is deceptively or fraudulently labeled, so as to encourage victims to open an e-mail attachment containing the malicious program.
- Many malicious programs delete or alter data in files on the victim's hard drive, a result that has no benefit to the author of the malicious program, except glee in harming other people. This is clearly a criminal act by the author of the malicious program.
- There is an enormous total cost of removing the virus or worm from many computers. Some of these malicious programs infected more than 10^5 computers worldwide. If the cost of removing the program from each computer is only US$ 200 (a low estimate), then the total harm exceeds ten million dollars. Releasing a rapidly spreading virus or worm should be a major crime, worse than a bank robbery.
- Beginning with the Melissa virus in March 1999, many of these malicious programs sent copies of the program in e-mail bearing the victim's From: address, when the victim had neither composed the e-mail message nor authorized the transmission. I believe that such sending of e-mail is, or ought to be, a criminal act. Malicious programs like Melissa and Anna automatically sent e-mail using the name of a previous victim. While such e-mail really originated from the victim's machine, the transmission was made without either the knowledge or permission of that victim. This feature increased the chances that the recipient of the e-mail would open the attachment and release the new copy of the malicious program, because the recipient knew, and presumably trusted, the person who apparently sent the e-mail. Later malicious programs sent copies of themselves in e-mail with false From: addresses, which is one step worse than Melissa and Anna. For example, if the BadTrans.B worm could not find the victim's e-mail address book, that worm selected a false From: address from a list of 15 addresses contained inside the worm. Some variants of the Klez program did a total forgery of e-mail From: addresses, so copies of Klez were apparently sent from people whose machines did not contain Klez. Such false designations of origin cause innocent people to be accused of spreading a malicious program, and also damage their reputation by falsely presenting them as someone who recklessly does not have current anti-virus software running on their computer. Specific examples of such harm were given above for the Nimda, BadTrans.B, and the Klez programs.
- Malicious programs that propagate by e-mail will clog e-mail servers with millions of copies of a virus or worm, thus delaying receipt of useful e-mail, or causing valid messages to be lost in a flood of useless e-mail. Many businesses rely on prompt delivery of e-mail for their routine operation, and slow e-mail could cause financial losses.

As evidence of mens rea (i.e., criminal intent) one should consider not only the design of the malicious program to do the above harms, but also the design of the malicious program to evade or to defeat anti-virus software. Many modern computer viruses or worms are polymorphic, which means that every copy is different and that they cannot be detected by searching a computer file for occurrence of specific text. Some modern malicious code modifies the Windows registry file to disable anti-virus software, which is an unauthorized modification of the victim's computer. Criminals who write such malicious software are not doing a prank: they are designing a crime.

Punishment

Despite the immense value of the harm caused by each of these malicious computer programs, the author of the program received either light punishment (e.g., Morris, Smith, and de Wit) or no punishment (e.g., the authors of ILOVEYOU, CodeRed, Sircam, Nimda, BadTrans, Klez, etc.). Alone amongst authors of malicious programs, Pile received what I consider a reasonable punishment.

In May 2002, the Norton Anti-Virus software for Windows operating systems detected about 61000 malicious programs. Astoundingly, there have been criminal prosecutions and convictions of the author(s) of only five malicious programs. (See above.) There are several reasons for the rare arrest and prosecution:

- Legislators had not yet passed criminal statutes that effectively proscribe writing and distributing malicious programs.
- Police departments have a budget that is too small to permit an investigation of all crimes, so the focus is on major violent crimes (e.g., homicides, rapes) and larceny. Police departments are generally not hiring detectives with an education in computer science. In the few arrests of authors of malicious programs, clues to the authors' identities were supplied by programmers employed by anti-virus software vendors.
- Finally, there is the international nature of distribution of software by the Internet and sending malicious programs as attachments to e-mail. Traditional criminal law is inherently local: a burglary in state X requires the criminal to be physically present in that state. With malicious programs, the author could be in a foreign country (e.g., Philippines in the ILOVEYOU incident, Netherlands in the Anna worm, possibly China in the Klez program), but the harm can occur in all fifty states of the USA. The legal system has so far been unable to respond effectively to this international challenge. Apparently, a substantial fraction of malicious programs are created by people in developing countries that have weak or ineffective legal systems (e.g., writing malicious programs may not be a crime, the police and judges may be corrupt, etc.). Even if the legal system in the USA were to respond effectively to computer crime, authors of malicious programs in foreign countries are still out of reach of the legal system in the USA, despite causing harm in the USA.

The lenient punishment of authors of malicious programs is caused by:

- Lack of resources (e.g., prosecutors, judges, and courtrooms) for the prosecution of all criminals. Hence, most criminal cases must be disposed of by plea bargains.
- Prosecutors and judges lack an education in science and technology (most of them went through high school and college taking the minimum amount of science and mathematics classes), so they are eager to dispose of cases involving "complicated technology" with plea bargains. The criminals exploit this eagerness by negotiating for a very lenient sentence in return for their guilty plea.
- As I noted in my essay on computer crime, nonviolent white-collar criminals have been traditionally treated more leniently than lower-class criminals, who are often violent.
- It is difficult to know the amount of damage from a widespread computer virus or worm, with the precision required for admission of evidence in a court. If only a small amount of damage can be proved in court, then the author of the malicious program will receive a lighter sentence than he deserves. Corporate victims of computer crimes are often reluctant to disclose the amount of damage done, perhaps because such admissions might erode public confidence in the company's technical competence, which might cause customers/clients to flee to competitors. It is even more difficult to quantify the amount of damage done to individual computers in people's homes. If N computers are infected and the average cost of removing the virus or worm from one computer is $ M, then the total damage is $ N × M. In practice, neither N nor M is known with the precision required for admission of legal evidence in court. In April 2002, I could not find any website for reporting infection by a malicious program, so N is unknown. Neither could I find any website for reporting the cost of removing an infection. Since the FBI and other law enforcement agencies are not collecting this information, damage to individual computers is being ignored. I expect damage to home computers to be large, because people in homes tend not to update their anti-virus software frequently, unlike corporate networks where anti-virus software is updated regularly by trained computer specialists.

An additional issue, which receives little attention, is the presence on the Internet of resources for creating malicious programs, such as was used to create the Anna worm in a few hours. Should authors and distributors of such resources be held criminally liable for aiding and abetting the creation of malicious programs? The obvious answer would appear to be Yes! However, the issue is complicated by the fact that some resources might also have legitimate uses (e.g., studying malicious code, so better anti-virus software can be designed). Legislators are not yet ready to restrict some programming tools and software only to licensed programmers, the way we make [potentially dangerous] drugs legally available only on prescription from a licensed physician. In fact, computer programmers in the USA are not currently licensed by the government, the way that other professionals (e.g., physicians, engineers, attorneys, accountants, etc.) who affect the public health and safety are licensed.

A practical solution to malicious computer code distributed by e-mail would be for Internet Service Providers (ISPs) to use current anti-virus software to scan all e-mail, both e-mails sent by their customers and e-mails received by their customers. As a practical matter, it makes more sense for the few ISPs to run anti-virus software (including daily updates of the virus definitions) than for millions of customers, many of whom have a low level of competence with computer software and hardware. I stress that this is a practical matter, not a legal obligation for ISPs.

In conclusion, the international criminal justice system has failed to arrest, punish, and deter people from writing and releasing malicious software. I hope that readers will urge their legislators:

- to enact criminal statutes against authors of computer viruses and worms, with punishment to reflect the damage done by those authors, and
- to allocate more money to the police for finding and arresting the authors of malicious computer programs.

This document is at http://www.rbs2.com/cvirus.htm
revised 5 Oct 2002, revised links 19 Jan 2008