Why some computer viruses refuse to die By Mark Ward

Technology correspondent, BBC News Published duration 13 August 2018

image copyright Getty Images image caption Be careful, malware that never dies is still roaming the net

There are zombies on the internet - odd, undead lumps of code that roam endlessly seeking and finding fresh victims to infect that help keep the whole ugly horde staggering on, and on.

Most of these shambling data revenants are computer viruses and the most long-lived of all are worms.

"Most of those worms are self-spreading - that's why we still see them moving around," said Candid Wueest, principal threat researcher at Symantec, who has hunted viruses for years.

Typically, he said, when these malicious programs infected a machine, they kicked off a routine that scanned the entire net looking for other computers vulnerable in the same way as their current host.

When they found one, they installed a copy that also started scanning.

"All it takes is a few machines to get them moving around again," he added.

The living dud

One of the most active zombie viruses is Conficker, which first struck in November 2008. At its height, the worm is believed to have infected up to 15 million Windows PCs.

The French navy, UK warships, Greater Manchester Police and many others were all caught out by Conficker, which targeted the Windows XP operating system.

The malware caused so much trouble that Microsoft put up a bounty of $250,000 (£193,000) for any information that would lead to the capture of Conficker's creators.

That bounty was still live and, Microsoft told the BBC, remained unclaimed to this day.

Dr Paul Vixie, from Farsight Security, was part of the Conficker Working Group , set up when the malware was at its feverish peak.

image copyright Getty Images image caption There are millions of viruses in circulation - but most have only a short life

The group had managed to stem the tide of infection, said Dr Vixie, because of the way the virus worked.

One of the ways it spread was by it checking one of a handful of net domains for instructions or updates every day.

And the first two variants of Conficker picked one domain from a list of 250 randomly generated names.

But some clever software reverse engineering worked out how the daily domains were generated.

In 2008, Dr Vixie helped to run the net's Domain Name System so was able to co-ordinate a global effort to register every day's possible domains before the malware's creators did the same.

And data sent from infected machines was then "sinkholed" almost neutering Conficker's ability to spread.

"We got it from 11 million down to one million," said Dr Vixie. "That sounds like progress but one million is still a pretty big number."

That zombie virus was still wandering around, said Dr Vixie.

Statistics gathered by Symantec suggest there were 1.2 million Conficker infections in 2016 and 840,000 in 2017.

India suffered the highest number of infections last year.

"The population is gradually reducing in size because eventually computers wear out or they get upgraded or replaced," Dr Vixie said.

And that is just as well because the concerted efforts to directly combat Conficker are all but at an end.

Dr Vixie and some others still block a few of the domains its variants seeks out but only to sample the traffic they send to get an idea of the viral load Conficker places on the net.

The good news was that Conficker had never been "weaponised", said Dr Vixie.

His theory is that Conficker escaped too early and was too successful for its creators to risk making it more malicious.

Data of the dead

But Conficker was not alone in persisting long after its initial outburst, said Mr Wueest, from Symantec.

Its network of sensors across the net regularly catches a wide range of malware that has lasted for much longer than anyone expected.

Symantec regularly sees the SillyFDC virus from 2007, Virut from 2006 and even a file infector called Sality that dates from 2003.

"We do see Dos viruses now and then," he said. The disk operating system (Dos) is more than 36 years old and dates from the early days of the desktop PC. Even older versions ran on mainframes.

"Our guess is that sometimes it is researchers that have found an old disk and its gets run and gets detected," said Mr Wueest.

image copyright Thinkstock image caption Net-connected cameras are helping attackers mount large-scale attacks such as Mirai

There were many others, said Martin Lee, technical, lead for security research at Cisco.

"Malware samples can be long-lived in that they are continued to be observed 'in the wild' many months or years after they were first encountered," he said.

One regularly caught in the spam traps by Cisco is another worm, called MyDoom, that appeared in 2004.

"It's often the most commonly detected malware we get in our traps," said Mr Lee.

But many viruses lived on in another fashion, he said, because of the way the cyber-crime underground treated code.

"Malware is rarely static," he said, "computer code from older malware families can be shared, or stolen, and used in the development of new malware."

One prime example of this, said Mr Lee, was the Zeus banking Trojan, whose source code was leaked in 2011.

That code had proved so useful that it was still turning up seven years later, he said.

The trend of zombie malware was likely to continue if more modern viruses were any guide, said Mr Lee.

Mirai first appeared in 2016 but is proving hard to eradicate.

"It has features suggesting that it will be exceptionally long lived," Mr Lee said.

The bug infects networked devices unlikely to be running anti-virus software. Some cannot be upgraded to run any kind of decent protection.

As the net grows and starts to incorporate more of those dumber devices, Mirai, like Conficker will probably never be eradicated.

"With the source code of the malware leaked, and a simple method of propagation using default usernames and passwords to compromise devices, it is something that will be with us for years," Mr Lee said.