There are zombies on the internet - odd, undead lumps of code that roam endlessly seeking and finding fresh victims to infect that help keep the whole ugly horde staggering on, and on.
Most of these shambling data revenants are computer viruses and the most long-lived of all are worms.
"Most of those worms are self-spreading - that's why we still see them moving around," said Candid Wueest, principal threat researcher at Symantec, who has hunted viruses for years.
Typically, he said, when these malicious programs infected a machine, they kicked off a routine that scanned the entire net looking for other computers vulnerable in the same way as their current host.
When they found one, they installed a copy that also started scanning.
"All it takes is a few machines to get them moving around again," he added.
One of the most active zombie viruses is Conficker, which first struck in November 2008. At its height, the worm is believed to have infected up to 15 million Windows PCs.
The French navy, UK warships, Greater Manchester Police and many others were all caught out by Conficker, which targeted the Windows XP operating system.
The malware caused so much trouble that Microsoft put up a bounty of $250,000 (£193,000) for any information that would lead to the capture of Conficker's creators.
That bounty was still live and, Microsoft told the BBC, remained unclaimed to this day.
Dr Paul Vixie, from Farsight Security, was part of the Conficker Working Group, set up when the malware was at its feverish peak.
The group had managed to stem the tide of infection, said Dr Vixie, because of the way the virus worked.
One of the ways it spread was by checking one of a handful of net domains for instructions or updates every day.
And the first two variants of Conficker picked one domain from a list of 250 randomly generated names.
But some clever software reverse engineering worked out how the daily domains were generated.
In 2008, Dr Vixie helped to run the net's Domain Name System so was able to co-ordinate a global effort to register every day's possible domains before the malware's creators did the same.
And data sent from infected machines was then "sinkholed", almost neutering Conficker's ability to spread.
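The daily-list-and-sinkhole mechanism described above, as an added Python illustration that is not from the article or the Conficker Working Group: the generator is a made-up date-seeded stand-in (the seed, TLDs and hashing are assumptions, not Conficker's real routine), and the DNS log format is constructed. It shows why a known generation routine lets defenders pre-register a day's names and flag any host that looks them up.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-ins: NOT Conficker's real seed, TLDs or generation routine.
SEED = b"hypothetical-seed"
TLDS = ("com", "net", "org")

def daily_domains(day, count=250, seed=SEED):
    """Derive `count` candidate names for one day (hypothetical generator).

    Whoever knows the routine, malware or defender alike, gets the same list,
    which is what makes pre-registration and sinkholing possible.
    """
    names = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).hexdigest()
        # Map hex digits to lowercase letters; label length varies 8..11.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[: 8 + i % 4])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names

def registration_plan(start, days):
    """Names a defender must hold for each day of the window, keyed by date."""
    return {start + timedelta(n): daily_domains(start + timedelta(n)) for n in range(days)}

def flag_lookups(log_lines, day):
    """Return (client, qname) for DNS queries that match that day's list.
    Constructed line format '<timestamp> <client-ip> <qname>'; malformed lines are skipped.
    """
    watch = set(daily_domains(day))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in watch:
            hits.append((client, qname))
    return hits

# Constructed sample: 10.0.0.5 queries two of the day's names, 10.0.0.7 queries a benign one.
SAMPLE_DAY = date(2018, 1, 15)
SAMPLE_LOG = [
    f"2018-01-15T10:00:01 10.0.0.5 {daily_domains(SAMPLE_DAY)[3]}.",
    "2018-01-15T10:00:02 10.0.0.7 www.example.com.",
    f"2018-01-15T10:00:03 10.0.0.5 {daily_domains(SAMPLE_DAY)[42].upper()}",
    "malformed",
]
```

A single host querying several of one day's names in quick succession is the signal a sinkhole operator watches for; the plan returned by `registration_plan` is what had to be secured ahead of the malware's authors each day.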
"We got it from 11 million down to one million," said Dr Vixie. "That sounds like progress but one million is still a pretty big number."
That zombie virus was still wandering around, said Dr Vixie.
Statistics gathered by Symantec suggest there were 1.2 million Conficker infections in 2016 and 840,000 in 2017.
India suffered the highest number of infections last year.
"The population is gradually reducing in size because eventually computers wear out or they get upgraded or replaced," Dr Vixie said.
And that is just as well because the concerted efforts to directly combat Conficker are all but at an end.
Dr Vixie and some others still block a few of the domains its variants seek out, but only to sample the traffic they send to get an idea of the viral load Conficker places on the net.
The good news was that Conficker had never been "weaponised", said Dr Vixie.
His theory is that Conficker escaped too early and was too successful for its creators to risk making it more malicious.
But Conficker was not alone in persisting long after its initial outburst, said Mr Wueest, from Symantec.
Its network of sensors across the net regularly catches a wide range of malware that has lasted for much longer than anyone expected.
Symantec regularly sees the SillyFDC virus from 2007, Virut from 2006 and even a file infector called Sality that dates from 2003.
"We do see Dos viruses now and then," he said. The disk operating system (Dos) is more than 36 years old and dates from the early days of the desktop PC. Even older versions ran on mainframes.
"Our guess is that sometimes it is researchers that have found an old disk and it gets run and gets detected," said Mr Wueest.
There were many others, said Martin Lee, technical lead for security research at Cisco.
"Malware samples can be long-lived in that they continue to be observed 'in the wild' many months or years after they were first encountered," he said.
One regularly caught in the spam traps by Cisco is another worm, called MyDoom, that appeared in 2004.
"It's often the most commonly detected malware we get in our traps," said Mr Lee.
But many viruses lived on in another fashion, he said, because of the way the cyber-crime underground treated code.
"Malware is rarely static," he said, "computer code from older malware families can be shared, or stolen, and used in the development of new malware."
One prime example of this, said Mr Lee, was the Zeus banking Trojan, whose source code was leaked in 2011.
That code had proved so useful that it was still turning up seven years later, he said.
The trend of zombie malware was likely to continue if more modern viruses were any guide, said Mr Lee.
Mirai first appeared in 2016 but is proving hard to eradicate.
"It has features suggesting that it will be exceptionally long lived," Mr Lee said.
The bug infects networked devices unlikely to be running anti-virus software. Some cannot be upgraded to run any kind of decent protection.
As the net grows and starts to incorporate more of those dumber devices, Mirai, like Conficker, will probably never be eradicated.
"With the source code of the malware leaked, and a simple method of propagation using default usernames and passwords to compromise devices, it is something that will be with us for years," Mr Lee said.