Hello, hello everyone, thank you, thank you for coming here. Thank you to the organizers of DEF CON for selecting my paper and not scheduling it at the same time as the DNS paper, because otherwise the audience would be empty, I think. Before starting the talk, I would like to talk about definitions. Before starting any discussion, you should set out some definitions, otherwise it'll be pretty pointless; you wouldn't know what you are arguing about. So yesterday when I got my badge from DEF CON and I started hacking it, I went to the website that was created by Kingpin that describes the badge and all the details about it, and I stumbled on a very interesting definition on that page. That's the definition given by Kingpin, and it defines a hacker: "To me a hacker can simply be defined as somebody involved in the exploration of technology, somebody who wants to learn about technology and make it do things that have never been done before. It's about creativity, education, experimentation and having fun. And the hack in the technology would usually define a new and novel creation or method of solving a problem, typically in an unorthodox fashion." I think it's a great definition, and I'm pretty sure by this definition me and a lot of my colleagues at McAfee would be hackers. As a matter of fact, I started my sort of hacking career back in 1986 when I wrote a bunch of assembler programs that were hooking into DOS version 1.0 and providing keyboard support for the Russian language and screen output in Russian. I have been fascinated by computing technology since then. I cracked a couple of games and started hacking into computer viruses, and that sort of activity became my hobby. And in 1994 there was a security company that suddenly wanted to hire me, and they offered to convert my hobby into a job, which sounded just great. So I jumped on it, and since then I have been involved in professional security.
I really, really love what DEF CON is doing, because I'm seeing that DEF CON provides a hell of a lot of great spirit and diversity, and some colleagues of mine come here every year no matter whether the company would pay for that or not; they're just regulars. So they love DEF CON just that much. And let me tell you, I love you too. And now that you have that message in your mailbox, open it. It just could be a virus. I'm hoping it's a good one.

So let's define a virus. A virus, as opposed to a Trojan or other piece of malware, is something that replicates, that recursively creates copies of itself. So we will be talking about good viruses, something that replicates: not Trojans, not just malware that hacks into your computer and starts sending stuff out, for instance, just viruses, stuff that replicates. The idea of a good virus appeared long, long ago. In fact, Fred Cohen, in his first mathematical definition of a computer virus, has a chapter describing how to create a good virus. Why is that? Why good or bad? Because viruses are created by people. And people have intentions. They can write something that does bad things. They can write something that does good things. And the argument about whether viruses can be good or bad has been going on since then. Every now and then somebody talks about a good virus that compresses files and creates more disk space for you, or does some other maintenance jobs, rolls out patches for you, that sort of stuff. When I was looking at this, as a matter of fact, there were several papers written about good viruses back in the 90s. But since then there have been a lot of developments in the security field. So I thought it would be worth looking at that again. And the first question that I had about good and bad viruses is: viruses are just a way of expressing technology in software, so why are we talking about technology being bad or good? It can't be bad or good. Technology just isn't like that.
It's something that can be dangerous sometimes. For example, take a nuclear reaction. If it's an atomic bomb, it'll explode, it'll kill a lot of people. That's pretty bad. Then if the same nuclear reaction is running under control in a power plant, a nuclear power plant, it creates electricity, and that's good for everybody. If the atom is split in the laboratory, it's research, it's great. So what would make a technology bad or good, dangerous or not dangerous? When an atom bomb explodes, it's pretty dangerous. Why? Why is it different from the controlled chain reaction in a power plant? Because of the lack of control. When something goes out of control, it becomes dangerous. The situation with viruses is pretty similar. And during my talk, I'll try to answer a couple of questions that don't really seem obvious. Can a virus be written accidentally? I mean, is it possible to try to write a program which isn't intentionally a virus and end up with something that replicates? Do you think it's possible? It is. Can a virus get out of control? You write it, you put controls in place, and it does something else. Is it possible? Very much so.

So in my talk, I'll tell you three stories. The first is the story of already.com, a tool and a virus. It was written as a tool. It happened to be a replicating worm. We'll go through a disassembly and the operation of it. Then we'll have a look at the second story, the Corrupted Blood incident in World of Warcraft, and watch a video of how it went out of control. And the third story, an example of W32/Nachi, a worm that exploited a vulnerability to patch it. And what happened? We'll discuss how patching vulnerabilities using worms can be used and make some conclusions.

So before we go to the next slide, let me ask you a question. If we do a Google search on "good virus" and "bad virus", what do you think will come up more frequently? So who thinks "good virus" would come up more frequently? Please raise your hand. I see just two hands.
Who thinks that "bad virus" would come up more frequently? That's a hell of a lot more people. Now, the results of the Google search. As you can see, "good virus" comes up approximately 50% more frequently in the internet search. But other searches, like, for example, "beneficial virus", "beneficial worm", "bad worm", "horrible", "awful", skew the results. So in the end, overall, the total count of bad stuff is 127 and the total count of good stuff is just 108. The difference is mainly due to the "horrible virus" and "awful virus" searches, which is when people got really annoyed or pissed off by a virus that hit their machine, I guess. "Good virus" is probably coming from people who discuss it in academic circles, in conferences, and in talks about that. I'm hoping this presentation wouldn't change these results seriously, but I'm sure it will. So the results would look even more positive for "good virus".

So let's start our first story, about already.com, a tool and a worm. This tool was written in 1991 and published in a magazine called PC Magazine. It's a very simple tool. It's a program of just 71 bytes, so we'll be able to disassemble it in full. And the usage of already.com is on the screen. If you start a batch file and then execute already.com, it will return you an errorlevel. If it's one, that means this program has already been executed today. And then you can skip some stuff that you don't want repeated on each restart. That can be placed in AUTOEXEC.BAT, for example, to remove your temporary files or perform an on-demand scan or something like that. So stuff that goes in here would execute just once a day. Stuff that goes here would execute always, depending on the return result that comes from the program. How does it do that? Here is the disassembly. I'm sure people at the back cannot see it, so I'll zoom it. And the program consists basically of three simple blocks. The beginning of the program is retrieving the current date from the operating system.
That's right here. Then it compares the result with the date and year that are recorded in the body of the program. And the date and year are recorded right here, at the end of the program body. That portion. So if the comparison between the two is successful, the program just exits with errorlevel one, which means it has already been executed today. If the comparison finds a mismatch, then the program does the following. That's the most interesting part. It creates a file called already.com in the current folder and writes itself into it, after updating the values of date and time that were obtained from the operating system. That means it's a self-modifying program that creates an exact copy of itself, overwriting its own body on the disk. When it overwrites itself, normally just four bytes will be modified: two for the year, two for the date. And in that case, it doesn't return errorlevel one, it returns errorlevel zero. The name of the program that it writes to the disk, already.com, is embedded in the body of the program. It's at the very end.

Why did the tool happen to be a virus? That was due to the complexity of the environment where it was operating. In DOS, same as in Windows, there is the concept of a current folder. So if a program is executed from a folder which is different from where it is saved, it will write the copy in the current folder, thus creating a new copy of itself. If you go to some other place and execute it again, yet another copy will be created. And if you do it regularly, the whole of your hard drive eventually will be sprinkled with copies of already.com all over it. So let's have a look at how it happens in reality. Here we have a folder called C:\TOOLS, and there is one file, already.com, in it, 71 bytes long. That's the current folder, that's the current file. Now we go to another folder called C:\TEST, do a DIR on it, and it's empty, zero bytes.
Now we run our already.com, which is in C:\TOOLS, and DOS executes it from the folder called C:\TOOLS, naturally, and at that point the program creates a copy of itself. So an empty folder, C:\TEST, which had zero bytes, got a copy of already.com, 71 bytes, after the execution of the program. That's how it replicates. And still, of course, even though it is a replicating worm, it's pretty innocent; it does what it says, and does it well. The point is that when you don't take into account the complexity of the environment where you write a program, you might end up with something that exhibits additional properties. And if you use techniques that are generally not recommended (self-modifying code, programs that modify other programs on disk or in memory, injection, or exploits), something unexpected might happen. And the more complex the environment, the more likely it is that something like that occurs. And insecure environments are unexpectedly common. Just about any piece of software has its insecurities, as we all very well know.

So let's have a look at the second story: the incident in World of Warcraft. How many of you play World of Warcraft? Could you please raise your hands? Not really that many, but there are some people. Oh, I forgot to ask, maybe there are people who used to play World of Warcraft and are now playing something else? Could you raise your hands? Oh, that's a lot more. WoW, WoW sucks. So that incident happened in September 2005. Did anybody play World of Warcraft in September 2005? Actually, there are like five or six people, that's cool. You might have experienced that Corrupted Blood incident. I would really be interested in hearing your first-hand experiences. So if you can find me after the talk in Room 106, I'd just appreciate that. Anyway, that incident happened in September 2005 when Blizzard, the company that produces World of Warcraft, rolled out a new release of the game.
It was World of Warcraft 1.7, and they added a new so-called instance dungeon called Zul'Gurub. That looks very nice, that's a picture of it. Let me magnify it; so that's a nice place. Unfortunately, inside that place lives a very unpleasant monster, and the name of that monster was Hakkar the Soul Flayer. It was the God of Blood. And when the developers were thinking of how to implement that monster, they came up with a very cute idea. If it's the God of Blood, why wouldn't it infect all the players that attack it with a disease, with a virus? And they implemented a virtual virus in World of Warcraft, and it was called Corrupted Blood. It was done on purpose, it was programmed in the software, and the way it works is that if this monster infects a player, that player can infect somebody else, and that thing was so infectious, there is no human virus or bacterium that spreads with as much certainty as Corrupted Blood. It infects you with 100% certainty if you are just standing in the vicinity of another victim. So it's just deadly. What happened? That wasn't supposed to happen, but it did. An epidemic started in World of Warcraft. What exactly went wrong? The timeline of that event is as follows. World of Warcraft 1.7, which included that change, went out on the 13th of September, 2005. The epidemic started on several servers. World of Warcraft is organized in several unrelated servers. Some players play on one server, some players on another, and the epidemic started on several of them at almost the same time, on the 15th of September. So it took players a couple of days to get to that new place and progress enough to face that horrible monster. And eventually it was clear that the source of that epidemic on all the servers was that Hakkar the Soul Flayer that lives in the Zul'Gurub dungeon. So what made this viral infection, which was programmed, so deadly? The parameters of that spell are as follows.
It hits any player with damage of 200 health points, and the players who can get into this dungeon are really high level players. They have a lot of health points, four or five thousand or some such. So each hit of Corrupted Blood doesn't hit them for too much. The spell affects them for 10 seconds, and it gives them five hits, every two seconds. So in total it will subtract about 2000 health points from an average player that goes into the dungeon. The radius of the infection is about 100 yards, which means pretty much everybody who joined the raid against that monster would get affected, 100%. As I said, more deadly than Ebola. By design, that infection should be very limited in time and space, because it lasts for 10 seconds and then it's over. You either die or you survive. The problem was that it's a viral infection. It spreads, and there was a security oversight in World of Warcraft. It spread not just from player to player. It spread also to non-player characters. It spread to pets. A pet is something that you can summon in the game, like a dog or a unicorn, something like that. And it would get infected. And then, because you are the master of that pet, you can hide it, you can unsummon it. And when that happens, the infection is conserved. It's frozen. So the 10-second timer isn't ticking anymore. So you go out of that dungeon. You walk into a big city, which is full of low-level players, and you summon your pet. Guess what happens next? That's a screenshot from a place called Ironforge. And you can see bones everywhere. That's dead characters. You can see some clouds of red stuff. That's the Corrupted Blood infection. And now let's watch a video. If you have a look at the log in the right bottom corner, it says "Corrupted Blood affected you." This character died. That many HP were absorbed. You can see people running around with red waves all around, trying. The character who made the recording is very high level.
So although his health points suffer, he doesn't die. But others do. So basically what was happening is that for several days, World of Warcraft was not playable by any low-level characters. If that's not a bad virus, I don't know what is. I mean, come on. For several days you log into the game and your character dies immediately. Fortunately, in World of Warcraft, death isn't actually terminal. The way to revive your character is to walk from a graveyard as a ghost and repopulate your body. But that's pointless, because you die again. And as a result, many players couldn't play the game for several days, until Blizzard rolled out a patch. And I like the official reaction of Blizzard while they were preparing a patch. I'll read it out and zoom it. It was actually a very cool reply: "It appears that the hotfix remedy concocted to combat the recent Azerothian outbreak has not yielded desired results." They made several patches. They tried to isolate characters in certain areas, sort of to quarantine them. That didn't work. "At this time, our medical staff is continuing to develop an effective cure. And we look forward to ensuring the health and vitality of the citizens of Azeroth in the near future." It actually makes sense. They converted that software bug into some sort of in-game event, which is cool. And many players were actually quite excited about that. They said it's the first proper world event. I guess those higher level characters were probably more excited than lower level characters. And the fix eventually went out in World of Warcraft 1.8, which was released on the 10th of October. That's actually about two weeks after. But unofficially that fix was actually available earlier than that. And the log entry for that software release was: "Fixed the bug that would allow Hakkar's Corrupted Blood to target pets." Because at that time it was pretty much clear how the infection was transported from an isolated dungeon to a populated place.
There were several discussions of that incident in World of Warcraft after the event. And several security papers were written about that. And even medical institutions were interested in the logs, to sort of analyze the simulated virtual environment, how the infection spread and all that. Is there anybody from Blizzard in the audience, I wonder? Anyone? Anybody know anyone from Blizzard? That's surprising. Somebody says that through a chain of six people you can reach pretty much everybody on the planet. And we can't find anybody from Blizzard. They're hiding well. I guess there are lots of annoyed players around. Anyway, what was interesting is not so much what happened in September or October, which was pretty cool anyway, but what happened later. They silently fixed something else. In the 1.9.3 release, three months later, in February 2006, they again changed how that spell behaves: "Corrupted Blood now deals direct damage with the following damage over time, and no longer spreads to others in the raid." They removed the viral property from that spell completely. So before, it wasn't only pets it could infect. It was actually spreading within the raid group that attacked the monster. Three months later, I guess they went through some nightmare scenarios and realized that something really, really bad might still happen. I have a theory. My theory: we have one infection. We have an infection that moved slightly to the right. Then it moved again. Then it moves again. If you have a chain of people long enough, and they all keep running in the right direction, you can still transport Corrupted Blood from a dungeon into a city. I think that's why they did that fix. They completely removed the replication property from the spell. So what did we learn from that event? Replication went completely out of control in an environment that was actually created by these same software guys at Blizzard. And that's pretty much what happened at Chernobyl. The guys had a nuclear plant.
They started experimenting with it a little bit, sort of trying to understand how long it would generate power while it was being cooled down. And not understanding the full complexity of the environment, they made a mistake. And it blew up, in both cases. Well, to some extent, a similar situation happened with already.com. Unexpected environment. So the replication appeared. The same thing happened to the infamous Morris worm, the very first internet worm, which overloaded the internet at the time, which was really, really small. And the contemporary internet is so much more complex than at the time of the Morris worm that it's not funny. So let's have a look at how that problem demonstrated itself in the real internet environment.

Story number three: W32/Nachi. Another name for it is Welchia. It's a worm which was created to be good, to patch a vulnerability. And naturally, it went out of control. So the history was such. There was a very, very bad outbreak on the 11th of August, 2003, with W32/MSBlaster. Another name for it is Lovsan. I'm sure there are network administrators in the audience who suffered from that outbreak, because it was pretty bad. So just seven days later, after the outbreak of MSBlaster, W32/Nachi was released, which was supposed to fix the problem. It does actually contain code that downloads from Microsoft's site the official patch for MS03-026; that was the RPC DCOM vulnerability. It downloads the patch, it installs it, and plugs the security hole that let MSBlaster spread. The problem was that Nachi itself, being a worm, spreads as well, through the same vulnerability. That overloaded many networks, especially because two worms were now competing for the same vulnerability. But to give credit to the author, he didn't just put one control in place, one control being that once the vulnerability is patched, there is no spreading anymore to that host. He put another control in place. The worm was time limited. It was supposed to self-destruct in 2004.
So it was checking the date, and in 2004 it would just remove itself. The interesting thing is that some computers don't have correct clocks. And on the 1st of January 2004, there were still at least 30,000 machines on the internet infected with W32/Nachi. It was still spreading happily. It was still knocking on all the doors and consuming network bandwidth. So what went wrong with this thing? Any software, be it a program, an online game, a batch tool, a worm, will contain bugs. All software contains bugs. Well, unless it's Hello World. All software contains bugs. And W32/Nachi lacked control in two places. The network load: it wasn't throttling itself. If it had been throttling itself properly, it would be fine. And it didn't die properly, as expected. Instead of checking the date, it should have consulted an NTP server and found the proper date. Then it might have been better. The point is, the internet is a very complex environment. When you do something in it, stuff just happens that you don't know about.

So there is an idea of patching using worms, which W32/Nachi was sort of trying to implement. When I was talking to Microsoft guys about patching using replication, using worms that travel in a controlled fashion from one computer to another, so exploiting a sort of peer-to-peer propagation mechanism, they were naturally very interested in that, because if there is a widespread vulnerability in their products somewhere, and if it's actually exposed to the internet, the worm can travel really, really quickly. To fix the vulnerability before the worm hits more targets, you have to spread quicker than the worm. To spread quicker, you either have to have some complex mechanisms for propagating updates, which normally ask the user, "Do you want to install an update?" But that's too long. If you ask a user, that takes time; the user may be sleeping, the computer may be running, you need to patch it. So the question is: there is a vulnerability. There is a worm spreading in the field.
Microsoft would naturally know what the vulnerability is and how to patch it. Should they release a worm which would go and patch it? Well, I'm happy to say that only research folks and Microsoft are really thinking about it. I don't believe they would ever implement anything like that, for several reasons: because if they need to release a worm that does the patching, they would not have time for QA. And if they don't have time for QA, it might not work as expected. It might create more damage than it solves problems. So it's technically very, very risky. And it's a very, very deep legal minefield, because user consent is not collected at the time of the installation. It really might do something to the machines that it's not supposed to touch. So I can bet a beer that Microsoft would never do that. Come to me if I lose.

And the conclusions. The replicative property is a rather dangerous technology. And the reason for it being dangerous is that it's available to just everybody. And it's very hard to control. As we have seen in the examples, you can't really control software that easily. It's just frequently buggy. Just imagine a situation where nuclear technology was available to everybody in their garage. The Earth probably wouldn't exist today. So even though experimenting with splitting the atom in the laboratory is fine, that same technology being available to anybody with the ability to build a bomb in a garage would be bad. That's why I'm saying that replication is dangerous, and probably more than we expect. It tends to go wrong. And if you want to mess with viral properties, you have to be very, very careful, because things just tend to misbehave. But can a useful virus be created? Yeah, of course it's possible. With enough controls in place, with proper software QA, you can create something that will be useful, that'll propagate, do something good. But if you put so many controls in place, most people wouldn't even call it a virus.
It'll be some sort of propagating software. There would be some other name for it, I guess. That's actually the end of my presentation. If you are interested, there are some references in the proceedings on the DEF CON CD-ROM, with a bit more discussion about bad viruses and good viruses, in particular with points from both sides of the fence. And if you have questions, please fire away. I'll be only too happy to try to answer them. If you have more questions, send them to my email, mig at mcafee.com. Just mig, not mig29, like the aircraft. So, please, questions? Anyone?
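Added example, not part of the talk transcript and not the 71-byte PC Magazine program: a Python model of the already.com logic from the first story, run against an in-memory disk so it is safe to execute. It re-implements the three blocks the talk walks through (read today's date, compare it with the date stamped in the program body, rewrite the body with the new stamp) and resolves the executable the way COMMAND.COM does, current directory first and then PATH. The file names, the dates, the stand-in code bytes and the day-of-year encoding of the stamp are assumptions made for the model. The `fixed=True` path writes the updated body back to the file that was actually executed instead of to the current folder, which is the change that removes the accidental replication.

```python
"""Model of the ALREADY.COM behaviour described in the talk.

Added example: this is not the 71-byte COM file from PC Magazine. The
pseudo-executable layout, file names and dates are assumptions made for the
model, and the "disk" is a dict of DOS paths to bytes, so nothing is written
to the real filesystem.
"""
from __future__ import annotations

import ntpath
from datetime import date

TOOL_NAME = "ALREADY.COM"                 # file name embedded in the program body
CODE = b"<stand-in for the program's code bytes>"  # assumption: not real 8086 code


def build_image(stamp: date) -> bytes:
    """Program body with the date stamp in its last four bytes.

    The talk says a rewrite changes four bytes: two for the year and two for
    the date. Encoding the date as day-of-year is our assumption.
    """
    return (CODE
            + stamp.year.to_bytes(2, "little")
            + stamp.timetuple().tm_yday.to_bytes(2, "little"))


def read_stamp(image: bytes) -> tuple[int, int]:
    """Return (year, day-of-year) stored at the end of a program image."""
    return (int.from_bytes(image[-4:-2], "little"),
            int.from_bytes(image[-2:], "little"))


def resolve(disk: dict[str, bytes], cwd: str, search_path: list[str]) -> str:
    """COMMAND.COM-style lookup: current directory first, then each PATH entry."""
    for folder in [cwd, *search_path]:
        candidate = ntpath.join(folder, TOOL_NAME)
        if candidate in disk:
            return candidate
    raise FileNotFoundError(TOOL_NAME)


def run_tool(disk: dict[str, bytes], cwd: str, search_path: list[str],
             today: date, fixed: bool = False) -> int:
    """Return the errorlevel: 1 if already executed today, else 0.

    fixed=False writes the updated body to ALREADY.COM in the *current folder*,
    as the original did. fixed=True writes it back to the file that was
    actually executed, which removes the replication.
    """
    program = resolve(disk, cwd, search_path)
    if read_stamp(disk[program]) == (today.year, today.timetuple().tm_yday):
        return 1
    target = program if fixed else ntpath.join(cwd, TOOL_NAME)
    disk[target] = build_image(today)
    return 0


def simulate(fixed: bool) -> tuple[list[int], list[str]]:
    """Run the tool from several folders on one day.

    Returns the errorlevels seen by the caller and the files left on the disk.
    Folder names and dates are constructed for the model.
    """
    tools = r"C:\TOOLS"
    disk = {ntpath.join(tools, TOOL_NAME): build_image(date(2008, 8, 7))}  # stamped yesterday
    today = date(2008, 8, 8)
    cwds = [r"C:\TEST", r"C:\TEST", r"C:\DOCS", tools]
    levels = [run_tool(disk, cwd, [tools], today, fixed) for cwd in cwds]
    return levels, sorted(disk)


if __name__ == "__main__":
    for fixed in (False, True):
        levels, files = simulate(fixed)
        print("fixed   " if fixed else "original", levels, files)
```

Running it as a script prints the errorlevels and the files left on the modelled disk for both variants. The original version leaves a copy in every folder it was run from and keeps reporting errorlevel 0 ("first run today") from each new folder, because the copy that actually executes, the one in C:\TOOLS, is never updated; only a second run from a folder that already holds a fresh copy returns 1. The fixed version keeps a single file and returns 1 from the second run onwards, which is the once-a-day behaviour the tool was advertised to have.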