Why Some Computer Viruses Refuse To Die

There are zombies on the internet - odd, undead lumps of code that roam endlessly seeking and finding fresh victims to infect that help keep the whole ugly horde staggering on, and on. Most of these shambling data revenants are computer viruses and the most long-lived of all are worms.

"Most of those worms are self-spreading - that's why we still see them moving around," said Candid Wueest, principal threat researcher at Symantec, who has hunted viruses for years.

Typically, he said, when these malicious programs infected a machine, they kicked off a routine that scanned the entire net looking for other computers vulnerable in the same way as their current host. When they found one, they installed a copy that also started scanning.

"All it takes is a few machines to get them moving around again," he added.

The living dud

One of the most active zombie viruses is Conficker, which first struck in November 2008. At its height, the worm is believed to have infected up to 15 million Windows PCs.

The French navy, UK warships, Greater Manchester Police and many others were all caught out by Conficker, which targeted the Windows XP operating system.

The malware caused so much trouble that Microsoft put up a bounty of $250,000 (£193,000) for any information that would lead to the capture of Conficker's creators. That bounty was still live and, Microsoft told the BBC, remained unclaimed to this day.

Dr Paul Vixie, from Farsight Security, was part of the Conficker Working Group, set up when the malware was at its feverish peak.

The group had managed to stem the tide of infection, said Dr Vixie, because of the way the virus worked. One of the ways it spread was by it checking one of a handful of net domains for instructions or updates every day. And the first two variants of Conficker picked one domain from a list of 250 randomly generated names.

But some clever software reverse engineering worked out how the daily domains were generated.

In 2008, Dr Vixie helped to run the net's Domain Name System so was able to co-ordinate a global effort to register every day's possible domains before the malware's creators did the same. And data sent from infected machines was then "sinkholed" almost neutering Conficker's ability to spread.

"We got it from 11 million down to one million," said Dr Vixie. "That sounds like progress but one million is still a pretty big number."

That zombie virus was still wandering around, said Dr Vixie. Statistics gathered by Symantec suggest there were 1.2 million Conficker infections in 2016 and 840,000 in 2017. India suffered the highest number of infections last year.

"The population is gradually reducing in size because eventually computers wear out or they get upgraded or replaced," Dr Vixie said.

And that is just as well because the concerted efforts to directly combat Conficker are all but at an end. Dr Vixie and some others still block a few of the domains its variants seeks out but only to sample the traffic they send to get an idea of the viral load Conficker places on the net.

The good news was that Conficker had never been "weaponised", said Dr Vixie. His theory is that Conficker escaped too early and was too successful for its creators to risk making it more malicious.

Data of the dead

But Conficker was not alone in persisting long after its initial outburst, said Mr Wueest, from Symantec. Its network of sensors across the net regularly catches a wide range of malware that has lasted for much longer than anyone expected. Symantec regularly sees the SillyFDC virus from 2007, Virut from 2006 and even a file infector called Sality that dates from 2003.

"We do see Dos viruses now and then," he said. The disk operating system (Dos) is more than 36 years old and dates from the early days of the desktop PC. Even older versions ran on mainframes.

"Our guess is that sometimes it is researchers that have found an old disk and its gets run and gets detected," said Mr Wueest.

There were many others, said Martin Lee, technical, lead for security research at Cisco.

"Malware samples can be long-lived in that they are continued to be observed 'in the wild' many months or years after they were first encountered," he said.

One regularly caught in the spam traps by Cisco is another worm, called MyDoom, that appeared in 2004.

"It's often the most commonly detected malware we get in our traps," said Mr Lee.

But many viruses lived on in another fashion, he said, because of the way the cyber-crime underground treated code.

"Malware is rarely static," he said, "computer code from older malware families can be shared, or stolen, and used in the development of new malware."

One prime example of this, said Mr Lee, was the Zeus banking Trojan, whose source code was leaked in 2011. That code had proved so useful that it was still turning up seven years later, he said. The trend of zombie malware was likely to continue if more modern viruses were any guide, said Mr Lee.

Mirai first appeared in 2016 but is proving hard to eradicate.

"It has features suggesting that it will be exceptionally long lived," Mr Lee said.

The bug infects networked devices unlikely to be running anti-virus software. Some cannot be upgraded to run any kind of decent protection. As the net grows and starts to incorporate more of those dumber devices, Mirai, like Conficker will probably never be eradicated.

"With the source code of the malware leaked, and a simple method of propagation using default usernames and passwords to compromise devices, it is something that will be with us for years," Mr Lee said.

BBC:

You Might Also Read:

13 Ways Cyber Criminals Spread Malware

« CyberStars Cyber Security Competition
Russian Military Spy Software Is On Home Routers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Quotium

Quotium

Quotium provides automated testing technologies to make business software applications secure and robust.

VivoSecurity

VivoSecurity

VivoSecurity is a pioneer in cyber risk quantification based on data science. Our products and services help organizations achieve optimal information security and GRC programs.

Secucloud

Secucloud

Secucloud GmbH is a provider of high-availability cyber-security solutions, offering a cloud-based security-as-a-service platform, particularly for providers.

Tempest

Tempest

TEMPEST is a leading provider of IT products and services including solutions for network and application security.

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub is a non-profit network organization focused on cooperation, information sharing, research and implementation of cutting-edge technologies in cybersecurity.

Cohesity

Cohesity

Cohesity radically simplifies the way businesses back up, manage, protect, and extract value from their data—in the data center, at the edge, and in the cloud.

South West Cyber Resilience Centre (SWCRC)

South West Cyber Resilience Centre (SWCRC)

The South West Cyber Resilience Centre (SWCRC) is led by serving police officers, as part of a not-for-profit partnership with business and academia.

HEQA Security

HEQA Security

HEQA Security (formerly QuantLR) offer the world’s most cost-effective, easy-to-integrate, and secure Quantum Key Distribution (QKD) solution

BalkanID

BalkanID

BalkanID is an Identity governance solution that leverages data science to provide visibility into your SaaS & public cloud entitlement sprawl.

Moro Hub

Moro Hub

Moro Hub, a subsidiary of Digital DEWA, is a UAE-based digital data hub focused on digital transformation and operational services.

Commonwealth Scientific & Industrial Research Organisation (CSIRO)

Commonwealth Scientific & Industrial Research Organisation (CSIRO)

CSIRO is Australia's national science agency. We solve the greatest challenges through innovative science and technology.

Oduma Solutions

Oduma Solutions

Oduma Solutions is a wholly owned Ghanaian Cybersecurity company that offers information security services to organisations seeking to improve their security posture.

Frontier Technology Inc. (FTI)

Frontier Technology Inc. (FTI)

Frontier Technology Inc provides the technology and deep data expertise to drive the best defense and intelligence solutions.

Kolide

Kolide

Kolide ensures that if a device isn't secure, it can't access your apps.

DeltaSpike

DeltaSpike

DeltaSpike empowers individuals and organizations worldwide through its comprehensive cybersecurity solutions.

INT3L

INT3L

The INT3L group (formerly Defentek) is a provider of national security and intelligence solutions, systems and services.