Relentless Replicators

Command Line Heroes Team
Security
Tech history

About the episode

Computer viruses and worms haunt the internet. They worm their way into a system, replicate, and spread again. It’s a simple process—with devastating consequences. But there’s a whole industry of people that rose up to fight back.

Craig Schmugar recalls how he and his team responded to MyDoom, one of the fastest-spreading worms ever. Dr. Nur Zincir-Heywood reveals the inner workings of viruses and worms, and how they draw their names from the world of biology. And security expert Mikko Hypponen shares advice on avoiding malware. But he also warns that we’re in an arms race against malware developers.

Command Line Heroes Team Red Hat original show


Transcript

It's late one night in 1971. A young engineer is still awake, working away in the computer lab. Her name is Sheila and she loves it there. She's writing code on a PDP-10 that's running the flashy TENEX operating system, the first OS to run email. And she's even connected to the ARPANET. This feels to Sheila like a tech utopia. A printer at the back of the lab starts spitting something out. Sheila wasn't printing anything. She looks around, still alone, walks over to check the printer and reads the words on the page. I'm the creeper. Catch me if you can. What was the Creeper? Sheila couldn't have known then, but the Creeper was moving all over the net, transferring itself into systems via the same ARPANET Sheila was so excited to be using, and printing its ominous message wherever it went. The Creeper was a new kind of malware, a worm, and nobody knew how to stop it. Welcome to season nine of Command Line Heroes, an original podcast from Red Hat. I'm Saron Yitbarek. I'm a coder, a founder and an entrepreneur. I live and read the stories we tell on Command Line Heroes. And I've definitely worried, like most people, about keeping secure in a world full of malware. That's why this season is all about security. We're exploring the epic horror stories that haunt our digital lives. The viruses, the Trojan horses, the botnets. We'll cover lots of things that go bump in the digital night. We're starting with replicants, the viruses and worms that spread like wildfire. All the way back in 1949, mathematician John von Neumann theorized that self-replicating computer programs could be made. But it wasn't until the 1970s that programs like the Creeper proved him right. An engineer named Bob Thomas made the Creeper, not for any malicious reason, just because he wanted to prove it could be done. Programs could move through networks like the ARPANET, multiplying and spreading. In the decades since, replicants have kept on terrorizing us. They can cause billions of dollars in damage.
They can take computers hostage, destroy work and run away with our private information. So, was the Creeper ever stopped? You'll find out at the end of this episode. But first we need to learn how viruses and worms began threatening our digital lives and how they pushed us to build better tech. The Creeper worm that Bob Thomas unleashed on the world was only a warning shot. Soon, there were some truly malicious replicators crawling through our networks. One of the creepiest arrived in 2004. It was very apparent that this was going to be a significant threat. Craig Schmugar is a security researcher at McAfee. It's his job to understand threats and come up with countermeasures. And he's been there about 20 years, which means he was there when one of the most epic security dramas began. In 2004, I was the virus research manager. I managed teams in North America and Asia-Pacific. Schmugar and his teams were ready for any serious virus to show up. This wasn't the 1970s anymore. They even laid some bait and were waiting for the next threat to snap it up. We actually had a honeypot, which was basically a set of mailboxes that had email addresses that were out in the world, on the chance that a virus in the wild would pull down one of those addresses and send a copy to it like it would send to anybody else in the world. And one day something bit. Something big. There was a sense of adrenaline and heightened urgency to respond to this threat as quickly as we could. We immediately prioritized that if we had people looking at it from a code perspective, from a defensive signature perspective- They'd never seen this virus before. All they knew about it was that it moved fast. The rules in antivirus research are that whoever first discovers the threat gets to choose the name. And while looking at the threat, there was a string in there, M-Y-D-O-M-A-N for my domain, and MyDoom was kind of born out of that.
Schmugar named the new virus MyDoom, a strange bit of malware replicating at an extraordinary rate and doing serious damage as it moved. When activated, MyDoom replicates itself, opens a back door for possible hackers and allows for the installation of a keystroke program to record keyboard activity. That way hackers can harvest passwords and credit card numbers, private information like that, allowing the hackers or their clients to steal cash. At this point, really virtually nobody in the world really knew what the threat was that was going on. Schmugar sat in the cubicle, coordinating with two coworkers, racing against the clock. He didn't know it yet, but he was racing against something much bigger than he'd ever seen before. MyDoom was, at that time, the fastest spreading virus of all time. It was remarkable the speed in which it was spreading. And I think that was a big part of why there was such an urgency to get a fix in place. Within 36 hours of being released, MyDoom was generating 100 to 300 emails every minute. Within a few days, one in 12 emails bouncing around the internet carried MyDoom. At its height, the worm was slowing down global internet traffic by 10%. Schmugar and his team worked around the clock to develop a defense. We worked through the night. Actually, there were three or four of us there, but we were all in the same cube essentially working on this. And we worked through the night, got the detection in place and started pushing it out. But this thing was out there and spreading very quickly. Now, that's the dramatic version of the story, but the reality of virus and worm creation has more nuance to it. Let's take a step back and understand what we're really dealing with. Dr. Nur Zincir-Heywood is a professor of computer science at Dalhousie University and an expert on cybersecurity. A virus is a piece of code that attaches itself to another program. It cannot stand alone. It needs a host program to run.
A worm, on the other hand, is a standalone program. It can replicate itself and spread across networks without needing to attach to another program. The terminology comes from biology, which makes sense. Both computer viruses and biological viruses hijack their hosts to replicate themselves. And just like biological viruses, computer viruses have evolved over time to become more sophisticated and harder to detect. Early viruses were relatively simple. They would just replicate themselves and maybe display a message. But modern viruses and worms can be incredibly complex. They can have multiple payloads, they can evade detection, they can modify themselves to avoid antivirus software. MyDoom was particularly insidious because it combined several different techniques. It spread via email, but it also installed a backdoor that allowed hackers to take control of infected computers. And it included a denial-of-service component that could be used to attack websites. What made MyDoom so effective was its multi-vector approach. It didn't rely on just one method of spreading or one type of payload. It was like a Swiss Army knife of malware. And the damage was enormous. MyDoom caused an estimated $38 billion in damages worldwide. It infected millions of computers and significantly slowed down internet traffic globally. But perhaps most importantly, it marked a turning point in the evolution of malware. MyDoom really represented a shift from viruses being written by hobbyists or people just trying to show off, to viruses being written for criminal purposes. There was clearly a financial motive behind MyDoom. This shift from amateur to professional malware development has had profound implications for cybersecurity. When viruses were written by teenagers looking for bragging rights, they were often sloppy and easy to detect. But when they're written by organized crime syndicates with financial motives, they become much more sophisticated and dangerous. 
The professionalization of malware development has led to an arms race between attackers and defenders. As security measures improve, attackers develop new techniques to bypass them. It's a constant cycle of innovation on both sides. This brings us to a key point about computer security: it's not just a technical problem, it's also a human problem. The most sophisticated security systems in the world can be undermined by human error or social engineering. Many successful attacks rely on exploiting human psychology rather than technical vulnerabilities. Phishing emails, for example, trick people into clicking on malicious links or downloading infected attachments. The technical aspects of these attacks may be simple, but they're effective because they exploit human trust and curiosity. This is why education and awareness are so important in cybersecurity. We can have the best firewalls and antivirus software in the world, but if users don't understand the risks and how to protect themselves, we're still vulnerable. One of the lessons from MyDoom and other major malware outbreaks is that security is everyone's responsibility. It's not just up to IT departments or security researchers. Every user has a role to play in keeping systems secure. But let's get back to our story. After working through the night, Schmugar and his team at McAfee had developed a signature that could detect and remove MyDoom. They pushed out the update to their antivirus software and began the long process of cleaning up infected systems. Getting the detection out was just the first step. We then had to work with internet service providers, with other security companies, with law enforcement, to try to track down the source of the worm and prevent future attacks. The response to MyDoom was a coordinated effort involving multiple organizations and countries. 
It demonstrated the importance of collaboration in fighting cybercrime, but it also highlighted how difficult it can be to track down the perpetrators of cyberattacks. To this day, we don't know for certain who created MyDoom. There were suspicions that it came from Russia or Eastern Europe, based on certain characteristics of the code and the timing of the attacks, but we never had definitive proof. This anonymity is one of the things that makes cybercrime so attractive to criminals. Unlike physical crimes, cybercrimes can be committed from anywhere in the world, and the perpetrators can hide behind layers of technical obfuscation. The internet was not designed with security in mind. It was designed for openness and connectivity. This fundamental architecture makes it inherently difficult to secure and easy for attackers to exploit. But despite these challenges, the security community has made significant progress in fighting malware. Modern antivirus software is far more sophisticated than it was in 2004, and new technologies like machine learning and behavioral analysis are helping to detect threats that traditional signature-based approaches might miss. The tools we have today are much more powerful than what we had when MyDoom hit. We can detect threats faster, respond more quickly, and share information more effectively. But the attackers have evolved too, so it's still an ongoing battle. Indeed, the malware landscape has continued to evolve since MyDoom. We've seen the rise of ransomware, which encrypts victims' files and demands payment for their release. We've seen state-sponsored attacks that target critical infrastructure. And we've seen the emergence of IoT botnets that exploit insecure internet-connected devices. Each new type of attack brings new challenges and requires new defenses. But the fundamental principles remain the same: defense in depth, keeping software updated, educating users, and maintaining good security hygiene. 
Speaking of security hygiene, let's hear from someone who's been fighting malware for even longer than Craig Schmugar. Mikko Hypponen is a global security expert at F-Secure, a cybersecurity company based in Finland. I've been fighting malware for over 30 years now. I started in the late 1980s when computer viruses were mostly a curiosity spread by floppy disks. The internet changed everything. Hypponen has seen the evolution of malware from simple pranks to sophisticated criminal enterprises. His perspective on the current state of cybersecurity is both sobering and informative. The biggest change I've seen is the monetization of malware. In the early days, virus writers were mostly motivated by curiosity or the desire to show off. Today, it's almost entirely about money. Organized criminal groups have taken over, and they're very good at what they do. This professionalization has made malware more dangerous but also, in some ways, more predictable. Criminal organizations operate like businesses, with clear incentive structures and risk-reward calculations. Understanding the economics of cybercrime is crucial for defenders. If we can make attacks more expensive or less profitable, we can reduce their frequency. This is why things like quick patching and good backup practices are so important - they increase the cost for attackers. Hypponen has also observed how the geopolitical landscape affects cybersecurity. Different regions have different approaches to fighting cybercrime, and this can create safe havens for malware developers. International cooperation is essential in fighting cybercrime, but it's also one of the biggest challenges. Different countries have different laws, different priorities, and different relationships with each other. This makes it difficult to pursue cybercriminals across borders. Despite these challenges, Hypponen remains optimistic about the future of cybersecurity. 
He believes that increased awareness and better technologies will help us stay ahead of the attackers. We're getting better at this. The general level of cybersecurity awareness has increased dramatically over the past decade. People are more cautious about clicking on suspicious links, companies are investing more in security, and governments are taking cybercrime more seriously. But what about the broader implications of malware and cybersecurity? How has the constant threat of digital attacks changed the way we think about technology and society? The prevalence of malware has forced us to build security into systems from the ground up, rather than treating it as an afterthought. This "security by design" approach is now considered a best practice in software development. This shift represents a fundamental change in how we think about technology. In the early days of computing, the focus was on functionality and performance. Security was often added later, if at all. Today, security is considered a core requirement from the beginning of the design process. The experience with MyDoom and other major malware outbreaks taught us that we can't just react to threats - we have to anticipate them. This has led to the development of threat intelligence, predictive analytics, and proactive defense strategies. The cybersecurity industry that emerged from these early battles has become a major economic force. Companies around the world now spend billions of dollars annually on cybersecurity products and services. The cybersecurity industry has created millions of jobs and become a critical part of the digital economy. But it's important to remember that security is not just about technology - it's about people, processes, and culture. When you work with security, we have a different kind of an enemy. We have a very concrete, very real group of people who are fighting us and trying to bypass everything we do and watch our moves and try to make our job harder. 
The online crime gangs are a very concrete and very real enemy. When internet-based spam made viruses into a potential gold mine for criminals, the virus wars of the early 2000s were launched. This was when viruses like MyDoom were really in their prime and Hypponen was getting worked around the clock. You get woken up in the middle of the night and something big is happening. And we put our minds to it and we try to crack it and we crack it and we create a fix for it. And we add detection, we test it, we ship the detection and it feels like you've saved the world. And it's really great. And it's excellent until it happens again two days later or two nights later. And then again and again, and when you've been woken up 15 times over a month, it's no longer exciting or fun. The virus wars were going to change though. The security landscape was evolving. Companies like F-Secure were setting up research facilities around the globe to provide 24-hour coverage. And the perpetrators, meanwhile, have changed from teenagers playing games to serious crime rings looking to profit off spam or denial-of-service attacks. We estimate that 98% of the malware samples we see in our labs are coming from organized online crime gangs where the motive is money. The days when the whole world could be consumed by a single worm are sort of over, though. The virus wars have become more subtle, more targeted. Today, every now and then we do find a piece of malware, typically a web worm, which spreads like they used to. I mean, it infects a system and immediately the infected system starts scanning for more vulnerable machines in the network. And when it finds them, it infects them. And when you have outbreaks like these, they are exponential. But that's not very common, because that almost always means that it burns out very quickly. If you are after money, you don't want your piece of malware to be in the headlines.
And that's why modern, organized crime gangs keep the infections and the outbreaks small on purpose. The really malicious stuff might be so targeted that ordinary users don't hear about it. From Hypponen's perspective, the virus wars have become increasingly sophisticated. There is an arms race underway and I don't think we're winning this arms race. It's quite clear that the attackers have the upper hand. Whenever someone starts to write a new piece of an exploit or new malware, they can always look at the security systems that are being deployed today. They can go into a shop and buy every single security product. Then they can develop their attack and try it against these defenses and keep changing the attack until it succeeds, bypassing today's technology. It's not an easy war to fight when your enemy has access to your weapons. That means security specialists need help from ordinary users. We all have a part to play in the battle against replicators. So we asked, what can each of us do? Tip number one. Back up your stuff. Make it right now, pause this podcast and start a backup right now. Make a backup of your computer, make a backup of your phone, make a backup of your tablet. Then make a backup of those backups. Then make sure the backups of the backups are stored somewhere else. Tip number two: patch, update and patch. Whenever you're prompted, "there's a new update, would you like to take it," the answer is yes. Tip number three: passwords. Stop using passwords. Start using password managers. These are great tips. They're easy. It's really basic digital hygiene. Reminds me of the simple things we can do to stop a biological virus from spreading. Wash your hands, wear a mask. And just like with COVID, defending yourself from computer viruses and worms is a way to protect the larger community too. Okay, I promised to tell you about the fate of the Creeper worm. Whatever happened back in 1971?
Well, a fix was created by Ray Tomlinson, the same pioneer who created the first email system on the ARPANET. Reaper, as he called it, was the first piece of antivirus software. It traveled through the network, just like Creeper did, deleting the Creeper worm everywhere it lurked. It's a great example of how the same tech that causes a problem often can be used to solve it. The world of security is one big arms race, and tech keeps opening new avenues for attack along with brilliant new solutions. All season, we're learning some of the greatest horror stories from the history of tech security. And more importantly, we're going to see what we can learn from them going forward. Think back to the MyDoom story. It wasn't some totally new threat. It was a new arrangement of past techniques. So many security breaches are really just a bit of recycling. One lesson, maybe the biggest, is just not to downplay or underestimate techniques of the past. Let's keep that in mind as we continue with season nine. These are moves in a never-ending game of cat and mouse. We need to learn about these past security crises so that we can secure our future. I'm Saron Yitbarek. And this is Command Line Heroes, an original podcast from Red Hat. Next time we're moving on to another form of malicious malware, the devious Trojan horse. Subscribe wherever you get your podcasts and you won't miss an episode. Until then, keep on coding.

About the show

Command Line Heroes

During its run from 2018 to 2022, Command Line Heroes shared the epic true stories of developers, programmers, hackers, geeks, and open source rebels, and how they revolutionized the technology landscape. Relive our journey through tech history, and use #CommandLinePod to share your favorite episodes.