Analysis of the Brain Virus, the Internet worm and Code Red

Posted on Posted in Information Security

The Brain Virus
How it works:
One of the earliest and most intensively studied viruses, the so-called Brain Virus got its name by the means of its attack, in which it changes the label of any infected disk to the word “BRAIN”. Believed to have originated in Pakistan, it attacks PCs with older versions of the Microsoft Operating System. Numerous variants of the virus have been produced leading people to believe that its source code was released to the underground virus community.

The Effects:
It like all viruses wants to spread itself, its does this by locating itself in a disks upper memory (floppy disks) where it executes a system call to reset the memory bound below itself so it is not disturbed as it works.

The Brain virus appears to have no effect other than it spreads itself onto floppy disks invariants such as Jerusalem, Lehigh, Ohio, and DenZuk.

Its works by positioning itself in the boot sector and 6 other sectors of the disk, where it, once established will intercept disk read requests for the disk under attack. With each read it reads the disk boot sector and inspects the fifth and sixth bytes of the hexadecimal value 1234 (its virus signature). If it finds the value it will conclude the disk is infected, if not I will proceed to infect the disk.

What was learned?
The Brain virus used the standard trick of viruses such as hiding itself in the boot sector and intercepting and screening interrupts. It is almost a prototype for later efforts; in fact, many virus writers have patterned their work on this basic virus and see it as a learning tool.
Unfortunately, its infection did not raise public consciousness of virus other than fear and misunderstanding. There is no general cure for viruses. Virus scanners are effective against today’s viruses and patterns of infection but cannot counter tomorrow’s variants.

The Internet Worm

How it works:
The internet worm was released into the MIT Network on the evening of the 2nd November 1988 by Robert T. Morris Jr to devastating effect.

1. It determines where it can spread to.
2. Spreads its infection
3. It will remain undiscovered and undiscoverable

The Effects: (3 Orders)
The worm’s primary effect is resource exhaustion causing a serious degradation in performance of the infected machine. The worm’s source code would indicate that it was supposed to check to see if a target host was already infected, if so, the worm would negotiate so that either the existing infection or the new infection would terminate, but due to a flaw in the source code, many new copies did not terminate. The result being that the infected machine soon became burdened with many copies of the worm busily spreading the infection.

The secondary effect was the disconnection of many systems from the internet. This was done by the systems administrators trying to halt the spread of the worm either to other sites or other machines.

The disconnections lead to the third order of effect, which was isolation and inability to do necessary work. The disconnected system could not communicate with other systems to carry out normal work.

Example Effects;

• When encryption can fail (password file visible)
• Buffer overflow (Unix finger program replaced by other code)
• Trapdoor (Sendmail program)

What was learned?
The immediate response was too close loopholes exploited by the worm and tighten security. Development of the COPs checking program which would check known flaws like password strength, file permissions, and anonymous FTP. Followed by the forming an emergency response team at Carnegie Mellon University to collect and disseminate information of malicious code attacks and their countermeasures which lead to similar centers being formed around the world.
The Code Red (Worm)
How it works:
The Code Red worm infected more than 250,000 systems in just 9hrs on 29 July 2001. It inflicted devastating financial damage that exceeded $2 Billion dollars. This spread has the potential to disrupt business and personal use of the internet for application such as e-commerce, email, and entertainment.
Code Red was more than a worm, it included several kinds of malicious code and mutated from one version to another.
Code Red has several version, it is a malicious software that propagates itself on servers running Microsoft Internet Information Server (IIS) Software. Code Red take two steps: Infection and Propagation. It takes advantage of a vulnerability in Microsoft IIS. It overflows the buffer in the dynamic link library to reside in the server’s memory. To propagate it checks IP addresses in port 80 of the PC to see if the web server is vulnerable.
The Effects:
The first version of Code Red defaced website with “Hello! Welcome to! Hacked by Chinese! ”.
The rest of the original Code Red was determined by the date. From day 1-19 it’s spawned 99 thread that scanned for other vulnerable computers, starting at the same IP address. Days 20 – 27 it launched a distributed Denial of Service (DOS) attack on the Whitehouse and finally from day 28 – end the worm did nothing.
What was learned?
Microsoft offered a patch to fix the overflow problem and prevent future infection by Code Red on its IIS software. Many administrators, unfortunately, neglected to apply these patches. Security Analysts have suggested that Code Red might be “a beta test for information warfare” targeting particular countries and groups.

Leave a Reply

Your email address will not be published. Required fields are marked *