Why Some Computer Viruses Refuse To Die

There are zombies on the internet - odd, undead lumps of code that roam endlessly seeking and finding fresh victims to infect that help keep the whole ugly horde staggering on, and on. Most of these shambling data revenants are computer viruses and the most long-lived of all are worms.

"Most of those worms are self-spreading - that's why we still see them moving around," said Candid Wueest, principal threat researcher at Symantec, who has hunted viruses for years.

Typically, he said, when these malicious programs infected a machine, they kicked off a routine that scanned the entire net looking for other computers vulnerable in the same way as their current host. When they found one, they installed a copy that also started scanning.

"All it takes is a few machines to get them moving around again," he added.

The living dud

One of the most active zombie viruses is Conficker, which first struck in November 2008. At its height, the worm is believed to have infected up to 15 million Windows PCs.

The French navy, UK warships, Greater Manchester Police and many others were all caught out by Conficker, which targeted the Windows XP operating system.

The malware caused so much trouble that Microsoft put up a bounty of $250,000 (£193,000) for any information that would lead to the capture of Conficker's creators. That bounty was still live and, Microsoft told the BBC, remained unclaimed to this day.

Dr Paul Vixie, from Farsight Security, was part of the Conficker Working Group, set up when the malware was at its feverish peak.

The group had managed to stem the tide of infection, said Dr Vixie, because of the way the virus worked. One of the ways it spread was by it checking one of a handful of net domains for instructions or updates every day. And the first two variants of Conficker picked one domain from a list of 250 randomly generated names.

But some clever software reverse engineering worked out how the daily domains were generated.

In 2008, Dr Vixie helped to run the net's Domain Name System so was able to co-ordinate a global effort to register every day's possible domains before the malware's creators did the same. And data sent from infected machines was then "sinkholed" almost neutering Conficker's ability to spread.

"We got it from 11 million down to one million," said Dr Vixie. "That sounds like progress but one million is still a pretty big number."

That zombie virus was still wandering around, said Dr Vixie. Statistics gathered by Symantec suggest there were 1.2 million Conficker infections in 2016 and 840,000 in 2017. India suffered the highest number of infections last year.

"The population is gradually reducing in size because eventually computers wear out or they get upgraded or replaced," Dr Vixie said.

And that is just as well because the concerted efforts to directly combat Conficker are all but at an end. Dr Vixie and some others still block a few of the domains its variants seeks out but only to sample the traffic they send to get an idea of the viral load Conficker places on the net.

The good news was that Conficker had never been "weaponised", said Dr Vixie. His theory is that Conficker escaped too early and was too successful for its creators to risk making it more malicious.

Data of the dead

But Conficker was not alone in persisting long after its initial outburst, said Mr Wueest, from Symantec. Its network of sensors across the net regularly catches a wide range of malware that has lasted for much longer than anyone expected. Symantec regularly sees the SillyFDC virus from 2007, Virut from 2006 and even a file infector called Sality that dates from 2003.

"We do see Dos viruses now and then," he said. The disk operating system (Dos) is more than 36 years old and dates from the early days of the desktop PC. Even older versions ran on mainframes.

"Our guess is that sometimes it is researchers that have found an old disk and its gets run and gets detected," said Mr Wueest.

There were many others, said Martin Lee, technical, lead for security research at Cisco.

"Malware samples can be long-lived in that they are continued to be observed 'in the wild' many months or years after they were first encountered," he said.

One regularly caught in the spam traps by Cisco is another worm, called MyDoom, that appeared in 2004.

"It's often the most commonly detected malware we get in our traps," said Mr Lee.

But many viruses lived on in another fashion, he said, because of the way the cyber-crime underground treated code.

"Malware is rarely static," he said, "computer code from older malware families can be shared, or stolen, and used in the development of new malware."

One prime example of this, said Mr Lee, was the Zeus banking Trojan, whose source code was leaked in 2011. That code had proved so useful that it was still turning up seven years later, he said. The trend of zombie malware was likely to continue if more modern viruses were any guide, said Mr Lee.

Mirai first appeared in 2016 but is proving hard to eradicate.

"It has features suggesting that it will be exceptionally long lived," Mr Lee said.

The bug infects networked devices unlikely to be running anti-virus software. Some cannot be upgraded to run any kind of decent protection. As the net grows and starts to incorporate more of those dumber devices, Mirai, like Conficker will probably never be eradicated.

"With the source code of the malware leaked, and a simple method of propagation using default usernames and passwords to compromise devices, it is something that will be with us for years," Mr Lee said.

BBC:

You Might Also Read:

13 Ways Cyber Criminals Spread Malware

« CyberStars Cyber Security Competition
Russian Military Spy Software Is On Home Routers »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

CyTech Services

CyTech Services

CyTech provides unique services and solutions complemented with professional subject matter experts to both the Federal and Commercial sectors.

Get Cyber Safe

Get Cyber Safe

Get Cyber Safe is a national public awareness campaign created to educate Canadians about Internet security and the simple steps they can take to protect themselves online.

iXsystems

iXsystems

iXsystems is a leader in Open-Source enterprise server and storage solutions including Backup & Recovery to protect critical data.

MailGuard

MailGuard

MailGuard delivers a full suite of security solutions across email and web to protect your business before threats reach your environment.

Openminded (OPMD)

Openminded (OPMD)

Openminded is a French security and network services company.

Crossmatch

Crossmatch

Crossmatch is a world leader in risk-based composite authentication and biometric identity management.

TUV Rheinland Group

TUV Rheinland Group

TUV Rheinland Group is a testing services company with nearly 145 years of technological experience. We help you to protect your systems comprehensively, proactively and permanently.

IT Search

IT Search

IT Search is a specialist IT recruitment company focusing on Cyber Security, IT Infrastructure, Software, Data, Digital Transformation and C Suite leadership positions.

Critical Start

Critical Start

Critical Start provides Managed Detection and Response services, endpoint security, threat intelligence, penetration testing, risk assessments, and incident response.

InfoLock

InfoLock

Infolock are experts in data governance, providing consulting and advisory services that help organizations effectively secure, manage, and optimize their data.

SEMNet

SEMNet

SEMNet is an IT solutions provider and an infrastructure and security consulting firm.

Sentra

Sentra

Sentra is focused on improving data security practices within the cloud, mitigating the risks of damaging data leaks by providing comprehensive visibility into critical data assets.

ViewDS Identity Solutions

ViewDS Identity Solutions

ViewDS Identity Solutions develops innovative identity software including cloud identity management solutions, directory services, access and authorization management solutions.

Positiwise Software Pvt Ltd

Positiwise Software Pvt Ltd

Positiwise Software offers end-to-end software development solutions to accelerate the digital growth of businesses.

SafeBase

SafeBase

Safebase provide the infrastructure for Trust Communication. Our Trust Center enables Security and Sales teams to share and automate access to security, compliance, and privacy information.

Darwinium

Darwinium

Darwinium is a Cyberfraud Prevention Platform that provides scalable customer journey protection without complexity.