The next viruses: What we could wait for?

1
The next viruses: What we could wait for?
  • Fernando de la Cuadra
  • Panda Software International

2
Index
  • Big attacks
  • Summary of advantages and disadvantages
  • What could we wait for?
  • And then...

3
Big attacks
  • Jerusalem
  • Melissa
  • Loveletter
  • Klez
  • Sobig
  • SQLSlammer
  • Blaster

4
Jerusalem
  • First big infection
  • Payload
      • Deletes executable files
      • Low damage by today's standards
  • Factors for success
      • User misinformation
      • Piracy
  • Factors for being unsuccessful
      • Low number of computers in 1989
      • Date for payload: Friday, 13th
      • Spreads unconditionally to all EXE files

5
Melissa
  • First mass-mailer worm for end users
  • Payload
      • Modifies Word 9.0 macro security
      • Inserts some text
      • Forwards itself to 50 addresses
  • Factors for success
      • First mass-mailer worm for Outlook
      • User misinformation
  • Factors for being unsuccessful
      • Too many symptoms of being infected
      • Excessive use of mail servers

6
Loveletter
  • Another mass-mailer worm for end users, with high
    media impact
  • Payload
      • Overwrites certain files
      • Steals personal information
  • Factors for success
      • Forwards itself to all addresses
      • User misinformation
      • Fast spreading
  • Factors for being unsuccessful
      • Too many symptoms of being infected
      • Excessive use of mail servers
      • Big media impact

7
Klez
  • First big security hole exploit
  • Payload
      • Stops antivirus
      • Deletes files
      • Spreads massively while changing shape
  • Factors for success
      • Users' failure to upgrade
      • Vulnerability
  • Factors for being unsuccessful
      • ??????

8
Sobig
  • Combined threat
  • Payload
      • Spreads massively
      • Downloads a worm from Geocities
  • Factors for success
      • Social engineering
      • User misinformation
  • Factors for being unsuccessful
      • Use of mail servers
      • Media impact

9
SQLSlammer
  • Non-file threat
  • Payload
      • Denial of service on MS SQL Servers
  • Factors for success
      • Fast spreading
      • Lack of updates on servers
  • Factors for being unsuccessful
      • Upgrading of servers
      • Correct firewall configuration

10
Blaster
  • Uses an RPC vulnerability
  • Payload
      • Denial of service against windowsupdate.com
      • Installs a Trivial File Transfer Protocol server
  • Factors for success
      • Fast spreading
      • Lack of updates on computers
  • Factors for being unsuccessful
      • Upgrading of computers
      • Media impact

11
Summary
  • Success
      • Social engineering
      • User misinformation
      • Fast spreading
      • Lack of updates on servers
      • Fast spreading
      • Lack of updates on computers

12
Summary
  • Factors for being unsuccessful
      • Excessive use of mail servers
      • Media impact
      • Upgrading of servers
      • Correct firewall configuration
      • Upgrading of computers
      • Media impact

13
What could we wait for?
  • E-mail virus
      • Spreading through a non-suspicious e-mail address
        and sender
      • Postmaster may be a good sender
      • Undeliverable may be a good subject
      • It cannot look like spam
      • Absolutely aseptic body and subject

14
What could we wait for?
  • Slow action
      • Not more than 10 messages per day
      • No administrator will detect such a small
        increase in traffic

15
What could we wait for?
  • Propagation
      • Direct SMTP commands
      • E-mailing to addresses in domains other than
        the computer's own
      • Inside the domain, direct spreading through open
        standard ports
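
A defender's view of slides 14 and 15, as an added example that is not part of the original presentation: a sender that stays under 10 messages per day never trips a volume alarm, but any workstation that speaks SMTP directly to an external server violates a simple allow-list policy on its first connection. The internal range, the approved relay address, the volume threshold and the log format below are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the presentation): network layout, relay, threshold.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
APPROVED_RELAYS = {ipaddress.ip_address("10.0.0.25")}
SMTP_PORT = 25
VOLUME_THRESHOLD = 100  # connections/day a rate-based alarm might use

# Constructed flow records: "date time src dst dport"
SAMPLE_LOG = """\
2003-10-01 09:12:01 10.0.0.25 198.51.100.7 25
2003-10-01 09:12:05 10.0.4.17 203.0.113.9 25
2003-10-01 13:40:22 10.0.4.17 198.51.100.44 25
2003-10-01 14:02:10 10.0.7.3 192.0.2.80 80
2003-10-02 10:15:47 10.0.4.17 203.0.113.200 25
2003-10-02 11:00:00 10.0.0.25 203.0.113.9 25
malformed line
"""

def parse(line):
    """Return (day, src, dst, dport), or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (parts[0], ipaddress.ip_address(parts[2]),
                ipaddress.ip_address(parts[3]), int(parts[4]))
    except ValueError:
        return None

def direct_smtp_senders(log_text):
    """Map (day, src) -> external SMTP destinations reached by internal
    hosts that are not approved mail relays."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        day, src, dst, dport = rec
        if (dport == SMTP_PORT and src in INTERNAL_NET
                and src not in APPROVED_RELAYS and dst not in INTERNAL_NET):
            hits[(day, str(src))].append(str(dst))
    return dict(hits)

def report(log_text):
    """Rows of (day, host, connections, distinct destinations,
    below_volume_threshold); the last field marks what a rate alarm misses."""
    return [(day, src, len(d), len(set(d)), len(d) < VOLUME_THRESHOLD)
            for (day, src), d in sorted(direct_smtp_senders(log_text).items())]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Blocking outbound port 25 at the perimeter for everything except the approved relays enforces the same policy rather than only reporting on it.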

16
What could we wait for?
  • Avoid reading addresses from the address book
  • Look for addresses on the hard drive
      • Temporary Internet files
      • Word documents
      • HTML files

17
What could we wait for?
  • Very light PC damage
  • Computers are its life support
  • Distributed attack on big Internet servers
  • If it breaks the PC, it will become well known
  • For PCs without ADSL or a network connection, it should
    dial up its own connection when the screen saver pops up

18
What could we wait for?
  • Avoiding antivirus detection
      • Encrypted attachment
      • Random password inside the text
      • WinZip may be a good tool!
      • Better: a new encryption system

19
And then...
  • Just imagination
  • New powerful antivirus engines
  • User training
  • Administrator training

20
The next viruses: What we could wait for?
  • Fernando de la Cuadra
  • Panda Software International