Why Some Computer Viruses Refuse To Die

There are zombies on the internet - odd, undead lumps of code that roam endlessly seeking and finding fresh victims to infect that help keep the whole ugly horde staggering on, and on. Most of these shambling data revenants are computer viruses and the most long-lived of all are worms.

"Most of those worms are self-spreading - that's why we still see them moving around," said Candid Wueest, principal threat researcher at Symantec, who has hunted viruses for years.

Typically, he said, when these malicious programs infected a machine, they kicked off a routine that scanned the entire net looking for other computers vulnerable in the same way as their current host. When they found one, they installed a copy that also started scanning.

"All it takes is a few machines to get them moving around again," he added.

The living dud

One of the most active zombie viruses is Conficker, which first struck in November 2008. At its height, the worm is believed to have infected up to 15 million Windows PCs.

The French navy, UK warships, Greater Manchester Police and many others were all caught out by Conficker, which targeted the Windows XP operating system.

The malware caused so much trouble that Microsoft put up a bounty of $250,000 (£193,000) for any information that would lead to the capture of Conficker's creators. That bounty was still live and, Microsoft told the BBC, remained unclaimed to this day.

Dr Paul Vixie, from Farsight Security, was part of the Conficker Working Group, set up when the malware was at its feverish peak.

The group had managed to stem the tide of infection, said Dr Vixie, because of the way the virus worked. One of the ways it spread was by it checking one of a handful of net domains for instructions or updates every day. And the first two variants of Conficker picked one domain from a list of 250 randomly generated names.

But some clever software reverse engineering worked out how the daily domains were generated.

In 2008, Dr Vixie helped to run the net's Domain Name System so was able to co-ordinate a global effort to register every day's possible domains before the malware's creators did the same. And data sent from infected machines was then "sinkholed" almost neutering Conficker's ability to spread.

"We got it from 11 million down to one million," said Dr Vixie. "That sounds like progress but one million is still a pretty big number."

That zombie virus was still wandering around, said Dr Vixie. Statistics gathered by Symantec suggest there were 1.2 million Conficker infections in 2016 and 840,000 in 2017. India suffered the highest number of infections last year.

"The population is gradually reducing in size because eventually computers wear out or they get upgraded or replaced," Dr Vixie said.

And that is just as well because the concerted efforts to directly combat Conficker are all but at an end. Dr Vixie and some others still block a few of the domains its variants seeks out but only to sample the traffic they send to get an idea of the viral load Conficker places on the net.

The good news was that Conficker had never been "weaponised", said Dr Vixie. His theory is that Conficker escaped too early and was too successful for its creators to risk making it more malicious.

Data of the dead

But Conficker was not alone in persisting long after its initial outburst, said Mr Wueest, from Symantec. Its network of sensors across the net regularly catches a wide range of malware that has lasted for much longer than anyone expected. Symantec regularly sees the SillyFDC virus from 2007, Virut from 2006 and even a file infector called Sality that dates from 2003.

"We do see Dos viruses now and then," he said. The disk operating system (Dos) is more than 36 years old and dates from the early days of the desktop PC. Even older versions ran on mainframes.

"Our guess is that sometimes it is researchers that have found an old disk and its gets run and gets detected," said Mr Wueest.

There were many others, said Martin Lee, technical, lead for security research at Cisco.

"Malware samples can be long-lived in that they are continued to be observed 'in the wild' many months or years after they were first encountered," he said.

One regularly caught in the spam traps by Cisco is another worm, called MyDoom, that appeared in 2004.

"It's often the most commonly detected malware we get in our traps," said Mr Lee.

But many viruses lived on in another fashion, he said, because of the way the cyber-crime underground treated code.

"Malware is rarely static," he said, "computer code from older malware families can be shared, or stolen, and used in the development of new malware."

One prime example of this, said Mr Lee, was the Zeus banking Trojan, whose source code was leaked in 2011. That code had proved so useful that it was still turning up seven years later, he said. The trend of zombie malware was likely to continue if more modern viruses were any guide, said Mr Lee.

Mirai first appeared in 2016 but is proving hard to eradicate.

"It has features suggesting that it will be exceptionally long lived," Mr Lee said.

The bug infects networked devices unlikely to be running anti-virus software. Some cannot be upgraded to run any kind of decent protection. As the net grows and starts to incorporate more of those dumber devices, Mirai, like Conficker will probably never be eradicated.

"With the source code of the malware leaked, and a simple method of propagation using default usernames and passwords to compromise devices, it is something that will be with us for years," Mr Lee said.

BBC:

You Might Also Read:

13 Ways Cyber Criminals Spread Malware

« CyberStars Cyber Security Competition
Russian Military Spy Software Is On Home Routers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Mocana

Mocana

Mocana provides a software platform that allows you to develop, test and distribute more secure IoT devices and services.

ManagedMethods

ManagedMethods

ManageMethods Cloud Access Monitor is the only Cloud Access Security Broker (CASB) that can be deployed in minutes, with no special training, and with no impact on users or networks.

My Data Recovery Lab

My Data Recovery Lab

We recover data from: HDDs, RAIDs, NAS, SSDs, USB Flash Devices, Desktop Computers, Mobile devices and other data storage media.

Odix

Odix

Odix security software neutralizes file embedded targeted cyber attacks before they enter your organization’s network.

Greylock Partners

Greylock Partners

Greylock Partners is a leading venture capital firm based in Silicon Valley. We invest in all sectors of enterprise software technology including applications, cloud/SaaS, networking and security.

Lunio

Lunio

Lunio makes the internet a safer and more reliable place for everyone trying to grow their business by automatically getting rid of fake clicks, traffic, and leads on all ad platforms.

Porto Research, Technology & Innovation Center (PORTIC)

Porto Research, Technology & Innovation Center (PORTIC)

PORTIC brings together several research centers and groups from P.PORTO in a single space, forming a superstructure dedicated to research, technology transfer, innovation and entrepreneurship.

Prevasio

Prevasio

Prevasio is a next-gen Cloud Security Posture Management (CSPM) with a built-in Vulnerability and Anti-Malware Scan for Containers.

Ostra Cybersecurity

Ostra Cybersecurity

As a next-generation MSSP, Ostra Cybersecurity combines best-in-class tools, proprietary technology and exceptional talent to deliver Fortune 100-level protection for businesses of all sizes.

8com

8com

8com is an established Managed Security Service Provider (MSSP) with over 75 employees and customers in over 40 countries.

Helix Security Services

Helix Security Services

Helix Security provides IT & information security consultancy to government and businesses across New Zealand.

Sycope

Sycope

Sycope is focused on designing and developing highly specialised IT solutions for monitoring and improving network and application performance.

Ever Nimble

Ever Nimble

Ever Nimble are award-winning experts in IT support, cybersecurity, and cloud technology. Our proactive approach will enhance your security and protect you from cyber security threats.

PingSafe

PingSafe

PingSafe is creating the next-generation cloud security platform powered by attackers' intelligence, providing coverage for vulnerabilities that traditional security solutions would otherwise overlook

Novera

Novera

Novera offer security assessment and advisory services to help businesses manage risks from AI, cyber and privacy.

Aeris

Aeris

Aeris IoT Watchtower is the world’s first fully integrated cyber security solution for cellular IoT devices.