Monday, 4 November 2013

Scary Code: Top 5 malware that kept researchers up at night

Which malicious code would be most frightening if sinister pieces of malware could rise from the dead on Halloween? Well, malware researchers spend all their time working with the creations of people who intend others harm, so you might expect they would be pretty immune to nervousness about the effects of malicious code. And it is true; a lot of us are very jaded about your average malware. Researchers certainly have a sense of the potential danger of the materials we are working with and are appropriately cautious, but there are some threats that are so scary that we will double or triple-check everything to make sure we cannot possibly let it loose somewhere accidentally.
While there are certainly other malware that has been more costly to fix or which spread much more widely, in terms of inconvenience or outright damage the following are the five malware that really give me the creeps:
  1. CIH (aka Chernobyl)
    CIH is the oldest of the malware on this list, and it was first discovered in 1998. This virus caused such pain for its victims that it was brought up in the news every year for ages, and almost every year it seemed to have a brand new nickname in the press, but the one that stuck was related to its particular payload.CIH would spread by hiding itself in “empty” spaces within innocent files, which made it very hard to clean – the size of those empty spaces varies a lot, so the virus code could be broken up in different ways, so it was hard to be sure that cleaning routines got every last bit of it out of a file. That could mean possibly manually replacing a lot of damaged executable files.Worse than that, if your system was still infected on April 26th (the anniversary of the Chernobyl disaster, which was speculated by some to be why the date was chosen) the virus was set to overwrite the first megabyte of the hard-drive, which made the computer hang or blue-screen. In some cases the virus would even flash the BIOS, which is to say it rendered the computer completely unusable by overwriting code on a chip attached to the motherboard that enables computers to turn on. This virus hit over a million computers worldwide, and stuck around for many years after the last variant was found.
  2. ExploreZip
    ExploreZip is a pretty old virus too, first discovered in 1999. This comes from back in the days when people started using the term “blended threat” to describe the increasingly popular tactic of worms spreading by using a variety of different mechanisms. This one spread both by replying to your unread email with a copy of itself, and by searching for network shares that it could silently copy itself to. Once it was executed, it showed an error message that seemed to indicate that you’d just run a corrupted ZIP file.So far, pretty mundane stuff. But in the background, this virus overwrote .DOC files and certain programming source files with zeroes, which meant the files were destroyed in a way that could not be undone without resorting to expensive data recovery techniques.
  3. CryptoLocker
    CryptoLocker is the newest threat on this list, having first been discovered in the last few months. It too causes changes to affected users’ files such that they may be beyond repair. This malware is considered ransomware, which means that it scrambles files from a list of different file-types, if the scammer is not paid $300 within a fixed time frame of a few days.That list of file-types it seeks is very extensive, so the odds are good that if you do not have a backup of your data files, they will soon be completely garbled. Sometimes with ransomware we will get lucky and there will be some sort of clue in the files or weakness in the encryption that will allow us to figure out how to decrypt the files. But as this uses asymmetric encryption (similar to the technique used by commercial products), without the attacker’s key the files cannot be retrieved.
  4. Mebromi
    Mebromi is a nasty beast that was discovered in 2011, which takes a tip from CIH in that it flashes the BIOS to store some of its code. This puts part of its code outside the confines of the hard disk, which means it is outside the reach of the usual software-based cleaning mechanisms. As this would mean monkeying with the motherboard, this is a process that would probably require a trip to a repair shop.
  5. ZMist
    You may have heard of polymorphic viruses, which are viruses that change the appearance of their code from one infection to the next so that they appear different enough to hopefully fool anti-malware scanners. The problem with this is that the code used to change itself is static, and can be used by scanners as a way to identify the virus. ZMist, which was discovered in 2002, was called a “metamorphic” virus because it took this idea to an even more complicated level. Rather than simply changing its appearance, it contained code to completely recompile itself from one infection to the next. This made it incredibly difficult to detect, with the technology that was available at the time.
These malware are all terribly unnerving in that they work hard to elude removal or create permanent damage on infected machines. But none of these threats managed to be truly undetectable, and most of them will not work at all on the latest versions of Windows.
The first two threats managed to become quite widespread, and they genuinely did cause a lot of damage. Because threats are now mostly financially motivated, it is generally not a good idea for them to announce their presence by causing a lot of damage on affected systems, as they are effectively killing their source of income. CryptoLocker is something of an exception to this rule, as some people are apparently paying to get their data back, but it is not truly damaging the files so much as rendering them unusable. But if you have backed up your data, this is merely an annoyance rather than a genuine problem.
The last two threats had researchers on tenterhooks for a while, as it could really have caused some major headaches or necessitated some changes in defensive technology, if malware authors had continued development of these strategies. But the thing is, malware authors looking for financial gain are not going to sink more of their time or money into development than they need to. Enough people are not employing good security practices that malware authors are able to make a considerable amount of money with much less complicated techniques.
Malware authors do not need to develop the most stealthy, armor-piercing creations imaginable to get what they want. But at the same time, this means you will not need bulletproof technology to defend yourself. For most people, practicing above average security hygiene–including good, up-to-date antivirus–is enough to evade most threats.

No comments:

Post a Comment