Building The Ubervirus

Johnath writes: "The HNN has a rather eye-opening article about a potential disaster dangling overhead. It's not so much that the ideas presented are revolutionary -- most /. readers would probably come up with a similar scheme, if called upon to design a killer net virus, but nevertheless, it pretty lucidly addresses the potential damage."

Not really news

Basically all these people have done is make a list of the parts of trojans, virii, hacks, that work the best and list some thoughts and figures on what they could do if someone actually spent some time to do a good distribution of a virus using IRC, FTP and user ignorance and then exploit the user ignorance factor to get it to spread like wild fire. It was a good read but not really news, I agree with the post, most any /. reader could come up with the same if they spent a couple minutes thinking about it.

More social engineering needed in viruses

Ok, people are doing some fine things with Outlook and other tools nowdays in the virus world but I think where they fall down is in the social engineering area :) I don't know whether this is technically feasible and I have no desire to find out (I take no responsibility etc....)

Let's say the point of the virus is not to physically disrupt the mail system, but to mentally disrupt it. People should be afraid to open mail messages, and disbelieve the ones they do open, rather than have the mail server crash.

So, step one is to send out the messages gradually so that people don't realise immediately that something is wrong. You don't want to make people wary at the begining. After some interval when you've infected enough machines, then go for the full virus crash.

Step two is to vary the subject. One way would be by making the subject be Re: of something already in the mailbox from the person you are sending the current message to. Make all others that you can't find messages to reply to start with Fwd:.

Step three is to look in the mailbox to see if you can find an administrator of some sort. Look for system administrator or something similar in the title, or look for membership of the admin group or similar. If you manage to get on an administrator's machine then send out a virus alert message to everyone in the address book. Include in the alert a copy of the virus with instructions to double click to disinfect the machine. If you are not on an administrator's machine then send to one or two people in the address book a message that says in the subject Fwd: Virus loose (from admin name here) to see if you can fool people that way.

Anyway don't try any of the above because they probably don't work, and I certainly don't want to be responsible if it does. I'd guess this is the sort of stuff that a professional/governmental virus would try to do. If you were China (for example) and wanted to disrupt email in the US (why I don't know) social engineering to produce a lack of trust in the system is more likely to be successful and effective than the sort of spam attacks we've been seeing lately.

AOL to the rescue!

Don't worry! As soon as the virus/worm starts to spread we'll all be inundated with "DON'T OPEN [MELISSA/STACY/LISA/BELINDA] IT WILL ERASE YOUR COMPUTER!!!1!!" emails, which will spread faster than the worm itslf.
--

Shades of Shockwave Rider

Brunner describes a similar scheme in Shockwave Rider, way back in 1975.

Nick Halflinger (an uberhacker who can cracka system using a touchtone phone) travels the world coding a giant worm designed to be launched as a simultaneous, distributed attack from hundreds of different computers, quaintly visiting each site in person.

Portions of the head of the worm are used for replication, other parts are used to detect and deter anti-virus attempts, the middle part breaks into secret archives, and the tale is the contents of the secret archives.

I can't recommend this book highly enough.

George

Virus = 1st real a-life?

Most (computer) viruses today are created with malicious intent. When you are infected, you know it. I was thinking the other day that if a virus were to arise "organically", i.e. not designed (or alternatively, mutated from a designed virus), that its best chance at survival is the exact opposite of what most viruses do. The best strategy would be to lie low, staying as much out of sight as possible, and continue reproducing when possible. Has a virus like this been seen? If so, then I wonder how many more have not been seen?

Das Uebervirus

Oh, sure, it seems all-powerful, but doesn't it still suffer from the same problems that plauge other worms? Namely, you have to a) be running an insecure system or b) be a sucker.

I'd like to think that most people don't use the dummy settings of Outlook (or even use it at all), and that they scan files they download for viruses, and that they don't blindly accept (or auto-accept) DCC sends.

Of course, I also think the succeptible masses don't really use IRC anyway. Now, if the virus could infiltrate various Instant Messenger networks...

I guess it would be nice to think that worm viruses shouldn't work, but as we all know, this is not the case. So, I'll just sit here with my Mac, running Eudora, and wait for this new worm to come out, as it inevitably will, and not affect me.

Killer Net Virus Can Happen Anytime

A killer net virus that would destroy the Net as we know it has been very easily in reach once the majority of computers on the Internet became homogenized Windows//MSFT Office//Outlook boxes.

Whenever I read about a Mellissa or an I Love You I smile to myself and think "I would have trashed their hard drives after spamming myself to all their friends.". If Mellissa or I Love You hadn't been content with simply bogging down net servers and had decided to set the file length of all .doc , .xls, .sys, .bat, .dll, .html and .jar to 0, I am sure corporations would probably be fuming about Trillions of dollars in irreparable damages (after all how much stuff is actually backed up or centrally stored in a Windows world).

In my opinion the article is overkill, a virus doesn't have to be particularly clever or well designed to cause havok anymore thanks to the beauty of MSFT operating systems. Any script kiddie or MSCE with a passable knowledge of Virus Building Script can bring it all toppling down.

Off course, none of us will ever do it because we know it would do so much damage to the 'Net (government would step in hard) and also hurt many of us financially in some indirect way.


WHY C SUCKS
-----------
int i =0;
i = i + 1;

Very scary NOT

It's a nice scaremongering document, but the hypothetical worm is a *worm*. We've already been bitten by vbs and StagesA, so the potential for a virus that self-replicates is, IMHO, diminished.

As for having web-servers which relay instructions/recieve data, the 'bot would have to know how to fill out registration forms/upload information, and even then the server would have to have some kind of handshake with the worm, which could be detected by the hosts of the web-site.(i.e. geocities)

Why not have the server host misc. content, with the instuctions embedded in the HTML?

In any case, is it a good thing to have people publishing design documents for killer virii? The script kiddies which came up with ILOVEYOU weren't smart enough to design something really nasty, and HNN are just providing inspiration, which means they'd be liable in the event such a worm was released.

Viruses

I can remember when virus writing used to be _hard_. You had to be a bit 1337 to be able to write a TSR, or a boot block virus.
Now look at the state of the virus world - ILOVEYOU.vbs (OK, it's a trojan, but still replicates like a virus) and the damage it caused. I'm not talking about the x billion the media claim it cost, just the panic in my IT department when virused email couldn't be deleted fast enough. Look at the code for ILOVEYOU.vbs - it is a doddle. No real inspiration involved - just patch 4 entries out off bugtraq together, and there you go.
What we have now is a state of play where the entry level in writing malicious code is dropping rapidly as more and more people get into computers. Don't want to spend a few years learning to code? Hah, our whizbang COMActiveXCORBA plugin gives you the power on your desktop!!!
Don't worry that your soft underbelly is now exposed because we can't give you the ease of use you want, without you knowing what you're doing!!! And you're too stupid to realise!!!
So now that the learning curve has been removed, you will have people all over the net trying to write and run viruses, without a clue of the repercussions it may cause. Because they don't really understand what they are doing.

Strong data typing is for those with weak minds.

Uber "Slashdot" Virus

The uber virus already exists!!! Here's how to do it, in one quick easy step:

1) Post an article on Slashdot reffering to a particular web site

Now sit back and watch the fun! The Slashdot Virus is guaranteed to take down ANY website within seconds!!!

Re:Second post!

Cool idea. Why doesn't Rob just re-post everything more than a year old, so we can have the same discussion over and over again?

Re:More social engineering needed in viruses

Exactly - most current virii are doing a piss-poor job of social engineering. You could even make a .exe virus, with the proper engineering - simply have it pass itself along as a "Virus alert", describing some (made-up) worm, and then instruct the user to run the disinfector - voila! Instant dumb-user virus.

Ever notice how most current worms aren't even in the best english? It seems that nobody in the US is writing worms, and so we get people with a bad knowledge of the language trying to fool people into clicking on the stuff.

Hey, where's the "This is more informative" link-trap?

We need computer control now

This just goes to prove the insanity of low-cost easily-accesible computers and software in the hands of everyone. Every day, hundreds, perhaps thousands of machines are infected with virus and trojan software. The cost in lost data and productivity is easily in the millions.

We have to stop this madness now.

Right now, computers are less regulated than lawnmowers or automobiles. We require drivers to pass a proficiency test, why not computer buyers? It's time we registered computers and performed background checks on people who buy them. This is the only way to keep computers out of the hands of children and criminals.

I am proposing a Million Geek March. We will have speakers telling stories of how their lives were destroyed by computers. Let's send a message to Washington now: "We need to be safe from computers!" It is absurd that in the year 2000, I have to scan every attachment I receive and every program I download. We need to make our information infrastructure safe again.

All of you who oppose my plan, I ask, "What do you have to fear?" We're not planning to take away your computers. We just want some common-sense legislation for the safety of all. It will be a tough fight -- the rich lobbyists from Dell and Microsoft will try to stop us. They'll claim that the right to access information cannot be restricted. They'll claim that computers aren't the problem. We know they're wrong. Modern computers make it easier than ever to create destructive programs. A computer in the home is a tragedy waiting to happen.

Let's get some common-sense computer regulation now. Thank you.

You could easily get much more nasty than that

Here is a clue.

The Samba folks don't publicize it, but they have found a number of buffer overflows in the stacks of every single OS out there. (They patched the ones they found in Linux.:-) A truly nasty critter would be set up to transmit itself using those overflows.

If done right you would get a worm or virus that can transmit from computer to computer without any manual intervention. There has to date been exactly one such on the internet. The Morris worm. It went out of its way to be nice, and it still shut down the Internet through sheer speed of reproduction.

You see getting a human in the loop slows things down. If you want to be truly nasty, automate it from start to finish. Then the first people will hear about it is when their networks go down.

Cheers,
Ben

Security by obscurity is bad for your health

In any case, is it a good thing to have people publishing design documents for killer virii?

One of worst things that can happen is the information about virii and other security threats to be shared only among some selected few. You may have seen the story about a 3 year old AOL security hole this weekend. The only way to prevent this kind of problem to become a major problem is to publicize the risk to the maximun possible extend. It guarantees that every system administrator in the world will hear about it and take the necessary steps to protect his/her piece of the network.

You missed one or two...

Ever hear of network.vbs? that ones sneaky but doesnt use buffer overflows or other sploits at all.. It just randomly scanns IP addys for windows machines with drive C shared and no password on it. When it finds one it installs itself.

If your firewall is getting hammered by UDP-netbios crap its a fair bet thats where its coming from. If you're a windows user just look for a file called NETWORK.VBS in your startup folder, in c:\windows\system and the root of drive C... if you got them, you got it and are portscanning other folks networks whenever you are online.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking

It's already been done!

Building a killer virus for fun and profit
By Bill Gates

1- Buy "Quick and Dirty Virus" from some other guy.

2- License virus to a large company that manufactures chess grandmasters. This should provide a fruitful infection vector. And remember: 640k is enough for anyone, so don't worry if your virus does things that prevent access to the rest of memory, nobody will notice.

3- When other, nicer looking viruses come along, copy the user interface, but make it quirky and inconsistant (this is a virus we're talking about here, so it has to be nasty in one way or another).

4- When "dr-virus" threaten to replace our virus, spit out weird error messages to confuse and disorient the user, allowing our virus opportunity to re-establish control over the system. Viruses that are dependant on our virus, however, can be left free to roam.

5- A web browser should be integrated into the virus. Everything integrates a web browser sooner or later so make sure its ours and not somebody else's. This will expose you to the feds, who love to go after virus writers, so be careful not to get caught.

6- By this time the virus should have infected most of the world. For new challenges, create another virus (or several!) and start the process again. If the feds put a stop to our old virus we'll still have this new virus already spreading.

7- And whatever you do, don't call it a virus!