1. Introduction to Malware

Malicious Software, Malware, is one of the biggest scourges plaguing the internet today. It can be hardware, software, or firmware that is intentionally included or inserted in a system for a harmful purpose. [19] The harm ranges from the loss of data and damage to computers, servers or networks to security breaches and the extraction of sensitive information. As broadband capacity and network coverage increase, the spread of such applications is swift in comparison to the past, when it relied on disks. That form of distribution has passed away due to the evolution of computers and widespread use of the internet.

In the beginning, Malware was written simply to see how far a program could spread or multiply across various interconnected computers. These programs mutated into ones that could cause damage. In recent times, Malware has become a profitable business. Gathering information about the user, advertising, or redirecting users to particular websites creates financial windfalls for the author. Some cyber criminals have been known to store incriminating evidence on infected machines, thus evading prosecution.

1.1 Types of Malware

The types of Malware fall into one of the following categories: Virus, Worm, Trojan, Spyware, Adware, Dialers or Hijackers.

1.1.1 Viruses:

Viruses are so named because their characteristics match those of biological viruses. They pass from computer to computer in the same way as the human strain passes between people. They operate by latching onto real applications, or spread by email by sending themselves to every entry in the address book. In the 1980s they spread via floppy disks, and in the 1990s via bulletin boards. They needed the user to explicitly execute them. The first virus, known as the “Elk Cloner”, was written in 1982 as a joke and targeted Apple DOS 3.3. In 1986, the first boot sector virus, (c)Brain, was created by two brothers in Pakistan to protect against piracy. [20]

1.1.2 Worms:

Worms replicate by copying themselves from one system to another, generally over a network. They act by exploiting vulnerabilities in all types of software. Data can be damaged directly and/or the system may become unstable. They tend to largely affect networks by consuming bandwidth or causing packet loss. A single worm can propagate on multiple machines simultaneously. The first implementation of a worm was in 1988 by researchers at Xerox PARC in order to improve the CPU cycle use efficiency across an entire network. The first worm to attract notoriety was the Morris Worm, released the same year, causing havoc and massive disruption. [21]

1.1.3 Trojans:

Trojans are true to the original story: they are not what they seem, claiming to do one thing while doing something else, a “serpent beneath the rose” – Shakespeare. Possible consequences after execution include a hard disk format or the concealment of processes, files and system data. Spyware comes in the form of a Trojan as it is always hidden in the application. Trojans may install a rootkit on the system, which is a set of tools an intruder can use, one of them being the ability to mask the Malware process from the user. In 2005, Sony created a storm after being caught installing a rootkit on their audio CDs. They took this step in order to stop piracy but this was counterproductive.

1.1.4 Spyware:

Spyware is any software that aids in gathering information about a person or organization without their explicit permission or knowledge. It does not spread like viruses or worms but from a visited website. It has the ability to modify code or redirect traffic to a particular page, or retrieve information about the user such as passwords and credit card details. Identity theft is a possible consequence of Spyware. It does not affect a computer in the style of a worm or virus but does affect the speed of the OS.

1.1.5 Adware:

Adware is any software application in which advertising banners or pop-ups are displayed while the program is running. Many applications that are free have Adware running as a source of revenue, which is covered in the License Agreement. It is generally accompanied by spyware and records the client’s selections in order to display relevant advertisements. Some adware programs are known to reinstall after the user has deleted them.

1.1.6 Dialers:

Dialers infect by taking control of the modem to connect to a premium rate telephone number, thus creating a profit for the number’s owner. This connection would be live for long time slots with victims not realizing until receiving their phone bill. Due to this problem, Eircom blocked such foreign premium lines in specific countries. They put in place a verification process. [22]

1.1.7 Hijackers:

Hijackers manipulate different elements of your web browser, search bar, search pages or home page. They may redirect or guide you to certain sites, or to their own search engine if you attempt a search. Should you mistype an address or attempt to go to a site they would rather you not, such as an anti-malware page, you will not complete your request. Hijackers almost exclusively target Internet Explorer. [22] Hijackers would be considered a form of Spyware, but their motivation is specific.

1.2 Introduction to the Malware component on which the case study is based

I have chosen the Code Red Worm as my case study. There were 2 worms: Code Red I, released on July 13th 2001, and Code Red II, released on August 4th, 2001. These worms are also known as CodeRed.v3, CodeRed.C, W32.Bady.C, CodeRed.F and CodeRed III. This phenomenal program replicated itself over 250,000 times in approximately nine hours on July 19, 2001. At its peak, CodeRed I infected 2,000 machines every minute, and infected 359,000 machines and cost $1.2 billion, according to the BBC. [9]

2. Case Study Detail

2.1 Propagation

All systems on the internet are searched for un-patched Windows NT or 2000 servers running Microsoft’s IIS web server. This section shall deal with the human contributions and the exploitation of system weaknesses.

2.1.1 Human contribution

Microsoft had already released a security patch for IIS that fixed the security hole on June 18, 2001. However not everyone had patched their servers, including Microsoft themselves. [23] This lack of action allowed the worm to spread rapidly. It is plausible that the author only became aware of the security hole after Microsoft’s patch release.

2.1.2 Exploit of computer and system weaknesses

CodeRed I was released 3 weeks after the announcement and corresponding release of the patch for the security hole, Microsoft Security Bulletin MS01-033. CodeRed operates over 3 cycles – scanning, flooding and dormancy. During the first phase, all systems on the internet are searched for Windows NT or 2000 servers running Microsoft’s IIS web server. This consumes a great deal of bandwidth and in some cases causes a total shutdown of the network. In the flooding phase, un-patched servers were exploited by the program copying itself to that server. After infection, the new program then targets other servers. The worm also sent copies of itself to the e-mail addresses in an infected computer, deleted files and directories, filled up space on the hard drive and sent out files to the Internet. This period lasted for 20 days. For the next 8 days, in its dormancy, it launches its attack on the White House. [13]

Microsoft’s IIS web server includes a .dll file, idq.dll, which contains an error in the code: an unchecked buffer in the part that deals with input URLs. Susceptible servers containing this file are subjected to a buffer overflow attack once the worm makes a connection. This attack initiates prior to any indexing functionality. idq.dll operates in the %SYSTEMROOT%, giving the worm total command when it takes advantage of this weakness. As a result, the extra data overwrites adjacent memory, which may contain, for example, variables, application data or other buffers.

CodeRed II exploits the same weaknesses but there are subtle differences which are outlined later.

2.2 Source code analyses

The infected machine executes CodeRed I from memory. Before the worm begins its path, it verifies whether the date falls between the 1st and 19th of the month. If this is the case, a random list of IP addresses is generated. The worm scans each address on the list searching for vulnerable machines. It endeavors to reproduce countless times by sending HTTP queries. The first CodeRed utilizes a static seed in its random number generator. The seed is the point where the worm starts its random number generator. This results in each infected machine producing identical lists of IP addresses. This ensured that the first version of the worm spread slowly as all machines on the list were either secure or contaminated.
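The effect of the static seed can be reproduced with an abstract spread model. The following is an added illustration, not code from the worm or from any cited analysis: hosts are plain integers in a toy 16-bit address space, and all names, the seed constants and the per-host seed derivation (standing in for the random seed the page later attributes to CodeRed II) are assumptions.

```python
import random

ADDRESS_SPACE = 1 << 16      # toy address space standing in for IPv4 (assumption)
STATIC_SEED = 0xC0DE         # constructed constant; every instance starts from it


def build_population(size, seed=1):
    """Pick `size` distinct addresses to act as the vulnerable hosts."""
    return set(random.Random(seed).sample(range(ADDRESS_SPACE), size))


def probe_prefix(seed, count):
    """First `count` addresses produced by a generator started from `seed`."""
    rng = random.Random(seed)
    return [rng.randrange(ADDRESS_SPACE) for _ in range(count)]


def simulate(vulnerable, patient_zero, rounds, probes_per_round, seed_for):
    """Abstract susceptible/infected model; returns the set of infected addresses.

    Each infected host owns a generator created with seed_for(host) at the
    moment of infection and draws `probes_per_round` addresses per round.
    """
    generators = {patient_zero: random.Random(seed_for(patient_zero))}
    for _ in range(rounds):
        newly_infected = set()
        for rng in generators.values():
            for _ in range(probes_per_round):
                target = rng.randrange(ADDRESS_SPACE)
                if target in vulnerable and target not in generators:
                    newly_infected.add(target)
        # Hosts hit in this round start probing in the next one.
        for host in newly_infected:
            generators[host] = random.Random(seed_for(host))
    return set(generators)


def compare(population=2000, rounds=12, probes_per_round=50):
    """Run the same outbreak with a shared seed and with per-host seeds."""
    vulnerable = build_population(population)
    static = simulate(vulnerable, 0, rounds, probes_per_round,
                      lambda host: STATIC_SEED)
    varied = simulate(vulnerable, 0, rounds, probes_per_round,
                      lambda host: 0x9E3779B9 ^ host)
    # With a shared seed every new instance replays the start of one list,
    # so nothing outside that single list is ever reached.
    shared = set(probe_prefix(STATIC_SEED, rounds * probes_per_round))
    return {
        "static_seed_infected": len(static),
        "per_host_seed_infected": len(varied),
        "static_bounded_by_one_list": static == {0} | (vulnerable & shared),
    }


if __name__ == "__main__":
    print(compare())
```

Because every instance replays the same list, the list is also predictable to anyone who knows the seed, which is what makes the first variant's probe order reproducible for analysis.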

Once the date reaches the 20th of the month, the worm is programmed to stop spreading. It begins its Denial-of-Service attack from the 20th to the 28th, targeting www1.whitehouse.gov.

In CodeRed II, the worm searches for the GetProcAddress function in kernel32.dll’s export table in the IIS server and then finds the addresses needed for further infection.

LoadLibraryA
CreateThread
….
….
GetSystemTime [13]

Another bug exists in Microsoft Windows, the “relative shell path”. The worm writes a shell program, “explorer.exe”, in the SYSTEM context directory. Because of this bug, the “new” file is loaded instead of the original explorer.exe. Part of the worm’s application is deposited in the explorer.exe file, giving the author remote access capabilities. This is known as a VirtualRoot and would be considered the Trojan element of the worm.

This changes the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable registry key, halting all file system security. This allows the hacker to remotely access the C: and D: drives through a web browser. The Trojan adds read/write rights using the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots registry key. [12]

WS2_32.dll is loaded by the worm. This file contains the functions socket, closesocket and WSAGetLastError. Using the ExitWindowsEx from user32.dll, the worm reboots the system.

The worm searches for two different markers.

1. “29A,” deals with the installation of the Trojan, VirtualRoot.

2. A semaphore, “CodeRedII.” If this exists, the worm sets off into an infinite slumber. [12]

The worm checks for the default language on the machine. If this reveals any form of the Chinese language, it creates 600 new threads compared to the 300 for all other languages. These threads generate the random IP addresses of target web servers. During these operations, the main thread copies cmd.exe from the Windows NT system folder to the following locations:

C:\Inetpub\Scripts\root.exe
D:\Inetpub\Scripts\root.exe
C:\Program Files\Common Files\System\msadc\root.exe
D:\Program Files\Common Files\System\msadc\root.exe [12]

The worm is dormant for 24 hours on non-Chinese systems and 48 hours on Chinese systems.

After this sleep period, the computer reboots. Additionally, if the time of year is October or if it is 2002, the computer restarts and executes the virus again. [13]

CodeRed II is similar to CodeRed I with a few exceptions. It is considered a variant as it uses the same buffer overflow technique. It does not launch a Denial-of-Service attack or deface web pages in the same manner. Only some top level hosts were infected with “Hacked by Chinese!”. It does not use a static seed but rather a random one. Its main threat is the installation of the back door which allows any program to be executed making the system prone to further exploits. [11]

It applies a mask to the random generated IP addresses to produce its list of potential carriers. While CodeRed I infected systems randomly, the second version infected machines belonging to the same subnet. This worm has the means to control root-level access remotely making this a much deadlier version than its predecessor.

CodeRed II generates a random IP address and then applies a mask to produce the IP address to probe. The CodeRed II worm is much more dangerous than CodeRed because CodeRed II installs a mechanism for remote, root-level access to the infected machine.

Where the original worm tried to infect other computers at random, Code Red II tried to infect machines on the same subnet as the infected machine.

2.3 Payload analyses

Both programs always searched for other IIS servers to infect.

CodeRed I defaced the affected page to declare:

“HELLO! Welcome to http://www.worm.com! Hacked By Chinese!”

Some hosts were defaced with this signature in CodeRed II.

During its sleeping period, the worm launches denial of service attacks on several fixed IP addresses.

While in its scanning phase, the worm did no form of testing to see if the targeted server was running a vulnerable version of IIS or even running IIS at all. Apache access logs displayed entries containing the character N repeated 224 times. [8] The typical signature of CodeRed II is the same with X instead of N. [23]

For CodeRed II, on Chinese systems, it creates 600 threads and spreads for 48 hours. On a non-Chinese system it creates 300 threads and spreads for 24 hours.

Due to the magnitude of the countless probes sent to infiltrate new addresses and the mass of infected systems, the traffic created a larger blow to the worldwide network. Some modems, routers, switches and even printers were not left unscathed. These devices could not be infected but ultimately had to reboot or crash when the worm was sent to them.
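The two padding signatures described above can be picked out of a web server access log as follows. This is an added example, not code from any cited source: the Common Log Format parsing, the `/default.ida` request path, the elided tail and every log line in `SAMPLE_LOG` are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import Counter

PAD_LEN = 224                                    # run length reported on this page
FAMILY = {"N": "CodeRed I", "X": "CodeRed II"}   # padding character -> variant, per this page
INDEX_EXTENSIONS = (".ida", ".idq")              # script mappings named on this page

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
PAD_RUN = re.compile(r"N+|X+")


def classify_request(request, min_run=PAD_LEN):
    """Return (variant, run_length) for a padded index-server request, else None."""
    parts = request.split(" ")
    if len(parts) < 2:
        return None
    path, _, query = parts[1].partition("?")
    if not path.lower().endswith(INDEX_EXTENSIONS):
        return None
    run = PAD_RUN.match(query)
    if run is None or len(run.group()) < min_run:
        return None
    return FAMILY[query[0]], len(run.group())


def scan_log(lines, min_run=PAD_LEN):
    """Classify every parsable line; count hits per variant and per source host."""
    report = {"hits": [], "by_family": Counter(), "by_host": Counter(), "malformed": 0}
    for line in lines:
        entry = CLF.match(line)
        if entry is None:
            report["malformed"] += 1
            continue
        verdict = classify_request(entry["request"], min_run)
        if verdict is None:
            continue
        family, run_length = verdict
        report["hits"].append((entry["host"], entry["time"], family, run_length))
        report["by_family"][family] += 1
        report["by_host"][entry["host"]] += 1
    return report


def probe(host, when, pad_char, run):
    """Build one constructed log line: padding run only, request tail elided."""
    return (f'{host} - - [{when} +0000] "GET /default.ida?{pad_char * run}_TAIL_ELIDED '
            f'HTTP/1.0" 404 205')


# Constructed sample; source addresses come from documentation ranges.
SAMPLE_LOG = [
    probe("192.0.2.10", "19/Jul/2001:14:02:11", "N", 224),
    '192.0.2.44 - - [19/Jul/2001:14:02:15 +0000] "GET /index.html HTTP/1.1" 200 5120',
    probe("198.51.100.7", "04/Aug/2001:09:30:02", "X", 224),
    '203.0.113.5 - - [04/Aug/2001:09:31:40 +0000] "GET /search.ida?NAME=report HTTP/1.1" 200 812',
    probe("192.0.2.10", "19/Jul/2001:14:05:53", "N", 224),
    probe("203.0.113.9", "19/Jul/2001:14:07:00", "N", 100),  # shortened run, e.g. a truncated entry
    "-- log rotated --",                                     # unparsable line
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG)["hits"]:
        print(hit)
```

Lowering `min_run` also catches entries whose padding was cut short by the logger, at the cost of more false positives on legitimate index-server queries.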

2.4 Containment of this Malware component

The capabilities of a hacker to connect remotely from an infected machine to other machines depend on the explicit composition of the network. It is recommended that the design of the network considers the intrinsic high risk danger that machines are exposed to on the internet. This can be drastically minimised by using procedures such as a Perimeter Network, utilizing minimal services and isolating interaction with internal networks. [44]

If the script mappings for Internet Data Administration (.ida) and Internet Data Query (.idq) files do not exist, the bug cannot be exercised.

The compiler or the programmer can prevent buffer overflows by sufficient bounds checking.

Today, the majority of servers operating MS Windows run the 2003 server edition, impregnable against this type of attack. MS Windows 2000 systems are currently being phased out with support already discontinued for MS Windows 95 and 98.

To manually remove CodeRed I, apply the security patch and follow the steps:

Delete the files:

C:\inetpub\scripts\root.exe
C:\program files\common files\system\msadc\root.exe
D:\inetpub\scripts\root.exe
D:\program files\common files\system\msadc\root.exe

Restart the computer to completely remove the worm. [12]

Manually removing CodeRed II is a more arduous task. The security patch should be applied and the following steps taken:

1. In the running processes, close the current process associated with the dropped Trojan. Norton detects this as Trojan.VirtualRoot.

2. Delete the recently created explorer.exe files including hidden and system files.

3. Delete the 4 files mentioned for removal of CodeRed I if they are present.

4. Using the Computer Manager on the web server, remove the open shares.

Registry Files:

1. Find the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots. CodeRed II created 2 of these values which must be erased.

2. Select and delete: /C & /D

3. Select: /MSADC & /Scripts

4. From the current value data, remove 217 and substitute with the value 201. After the system reboots, the proper values are formed.

5. Choose from:
    • MS Windows 2000 system, proceed to step 6.
    • Not a MS Windows 2000 system, skip to step 9.

6. Find the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon

7. Select: SFCDisable

8. Substitute the integer 0 for the value currently assigned.

9. Exit.

10. Reboot the system to ensure that CodeRed II has been completely erased.

[24]
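The file and registry checks from the two removal procedures, gathered into one audit routine. This is an added example, not tooling from Symantec or from the author: the file paths and registry keys are the ones listed on this page, while the `path,,flags` layout assumed for Virtual Roots value data, the function names and the sample snapshot are constructed.

```python
import ntpath
import os

# Files and registry locations as listed on this page.
DROPPED_FILES = [
    r"C:\inetpub\scripts\root.exe",
    r"C:\program files\common files\system\msadc\root.exe",
    r"D:\inetpub\scripts\root.exe",
    r"D:\program files\common files\system\msadc\root.exe",
]
VROOTS_KEY = r"System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\WinLogon"


def audit(existing_files, virtual_roots, sfc_disable):
    """Return (kind, item, action) findings for the artefacts the steps name.

    existing_files: paths found on disk; virtual_roots: value name -> data;
    sfc_disable: integer value of SFCDisable, or None when it is absent.
    """
    findings = []
    present = {ntpath.normcase(path) for path in existing_files}
    for path in DROPPED_FILES:
        if ntpath.normcase(path) in present:       # Windows paths ignore case
            findings.append(("file", path, "delete"))
    for name, data in virtual_roots.items():
        fields = [field.strip() for field in str(data).split(",")]
        if name.lower() in ("/c", "/d"):           # roots mapped to whole drives
            findings.append(("vroot", name, "delete value"))
        elif name.lower() in ("/msadc", "/scripts") and "217" in fields:
            findings.append(("vroot", name, "replace 217 with 201"))
    if sfc_disable not in (None, 0):
        findings.append(("registry", "SFCDisable", "set to 0"))
    return findings


def collect_live():
    """Read the same three inputs from the local machine (Windows only)."""
    import winreg
    files = [path for path in DROPPED_FILES if os.path.exists(path)]
    roots, sfc = {}, None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, VROOTS_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:                    # no more values
                    break
                roots[name] = data
                index += 1
    except FileNotFoundError:                      # IIS not installed
        pass
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            sfc, _kind = winreg.QueryValueEx(key, "SFCDisable")
    except FileNotFoundError:
        pass
    return files, roots, sfc


# Constructed snapshot of an affected server, for offline use.
SAMPLE_FILES = [r"c:\Inetpub\Scripts\ROOT.EXE", r"C:\WINNT\system32\cmd.exe"]
SAMPLE_VROOTS = {
    "/": r"c:\inetpub\wwwroot,,205",
    "/Scripts": r"c:\inetpub\scripts,,217",
    "/MSADC": r"c:\program files\common files\system\msadc,,217",
    "/C": "c:\\,,217",
    "/D": "d:\\,,217",
}
SAMPLE_SFC = 1   # constructed non-zero value

if __name__ == "__main__":
    inputs = collect_live() if os.name == "nt" else (SAMPLE_FILES, SAMPLE_VROOTS, SAMPLE_SFC)
    for finding in audit(*inputs):
        print(finding)
```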

2.5 Reason why this Malware was unleashed

The author of CodeRed I chose the White House in order to attack the American Government. In CodeRed II, he punished general society, with Chinese systems receiving a greater penalty.

2.6 Profile of the author of this Malware

Many presumed after CodeRed I that the author was Chinese as he left “Hacked By Chinese!” as his signature. However CodeRed II targets Chinese machines vigorously. This would suggest to me that the author is neither Chinese nor American.

2.7 Prosecution against Malware author

The author of Code Red I has never been found and hence has evaded prosecution.

3. Global Economic Consequences as a result of Malware

According to the digital risk management firm, mi2g, the cost of Malware increased to $166bn in 2004. [26] No figures were available for more recent years.

Many corporations, large and small, may lose network connections during an infection period. Software would require upgrades, especially if it has been reformatted after an attack. The recovery of data is an expensive process requiring a specialist company. Most forms of Malware consume a portion of bandwidth, causing congestion. All time lost must be reallocated, resulting in overtime payments or outsourcing. The helpdesk of any organisation would be under tremendous pressure to provide a speedy resolution. From my personal experience during Intra, I was part of the Network Administration Team. Although we were never attacked by a particularly potent form of Malware, the Helpdesk was in charge of the first line of defence against such an attack. All these factors combine to create a loss of productivity and business.

Some organisations in the past have placed rewards for the capture of certain virus authors. In 2003, Microsoft launched a $5 million reward program for this purpose. [27]

According to estimates from Ferris Research, the global cost of spam was €38 billion in 2005, €13 billion alone for US companies. The cost per employee, in time spent checking it, is currently €3,500 per annum. More astonishing is that 98% of fraud scams and security problems originate from junk email. [26]

4. Legal Position on Malware

While the law varies greatly globally, the definition of Malware corresponds universally. The general consensus is that Malware is intrusive, intended to cause harm or is considered criminal activity. In defining these laws, the terminology is crucial.

4.1 Globally

In Asia, there is very little regulation to convict a virus author. Some countries like China and North Korea have censored the internet but this may seem to have exacerbated the problem.

In the EU, Technology laws are purposely defined as “technology neutral” meaning it relies on very broad, general definitions. Specific rules would be easier to implement but would become obsolete quickly. If specific definitions were used, it would be easier for developers to side step the laws. [29]

In the USA, there are 3 pieces of legislation covering Spyware. In 2004, the Securely Protect Yourself Against Cyber Trespass Act (SPY ACT) [33], the Software Principles Yielding Better Levels Of Consumer Knowledge Act (SPY BLOCK Act) [28] and the Internet Spyware Prevention Act (I-SPY Act) [31] were introduced. The purpose of this legislation was to prevent the unauthorised transmission of sensitive information, the unacknowledged installation of software and access without authorisation.

Regarding Spam, the CAN-SPAM Act and the SPAM Act were set up in the USA and Australia respectively in 2004. [30] The requirements of these bills include being honest and specific in the subject line, providing a valid email address and an unsubscribe option.

In the UK, the Computer Misuse Act, CMA, deals with all forms of Malware. This broad act considers hacking, viruses, unauthorized access to computer systems, materials and modifications to be criminal acts of law. [35]

4.2 Nationally (Ireland)

Ireland does not have any specific laws pertaining to Malware. Similar to the EU and British governments, our laws are broad and can be applied across many technologies. The laws that are relevant to Malware include the following:

The Criminal Damage Act, 1991 decrees that it is an offence to intentionally or recklessly damage computer data and programmes or to threaten or possess anything with the intention of doing so and to access data without authorisation. [36]

The Electronic Commerce Act, 2000 introduced a number of offences relating to the misuse of electronic signatures and such creation devices. [36]

The Criminal Justice Theft & Fraud Offences Act, 2001 declares it an offence to dishonestly operate or cause to be operated a computer with the intention of making a gain for oneself or for another, or of causing loss to another person. [36]

There are, however, some loopholes in our law. A Denial-of-Service attack, like the one CodeRed I launched on the White House, is not outlawed here. It cannot be classified as either damage of data or unauthorised access to data as described in the Act. [36]

Adware is covered by advertising laws and so can exploit the laws here.

4.3 Effectiveness of the Law in Malware prevention

As can be seen by the sheer magnitude of Malware intruding into our lives, the law is not very effective in its prevention.

Like CodeRed, very good authors tend to evade prosecution while amateur writers are captured. The authors of the Sasser worm, Blaster worm and Maxwell were all “script kiddies” who were caught. Marc Rogers of the University of Manitoba in Winnipeg, Canada, a former cyber detective, has identified 4 different types of hacker: the old school hackers interested in analysing code; the “Script-Kiddie” category, consisting mainly of young males who download prewritten scripts, intent on vandalising or disrupting systems; the professional criminals, “scammers”, who are highly organised groups who make a living from breaking into computer systems and selling the information; and the final category, which relates specifically to ‘Virus Writers’ and ‘Coders’ who write the code of the virus but tend not to use it themselves. [37]

From the point of Malware, we must be wary of the Script Kiddies who wish to become notorious. They look at scripting viruses as a creative hobby. They are increasing at a rapid rate.

5. Global anti-virus/worm market

5.1 Current Global Market Value and Future Growth/Annum

The global antivirus market is thriving. Total revenue reached €2.85 billion in 2004, up 36 percent from 2003, market researcher IDC said in December. It forecast that this market will grow by nearly 100% to €5.6 billion in 2009. [16]

For 2006, McAfee, an anti-virus provider, filed profits of $35 million, down 9% on the previous year. [38] Total revenue reached $1.06 billion and share prices stand at $29.89. [39] For the same year, Symantec, a larger corporation, generated revenues of $4.14 billion and announced a 5 year revenue growth of 37.16%. However, profits were down 8.8% on the previous year. Share prices are at $17.95. [41] Checkpoint Technologies produced revenues of $575 million compared to $579 million for the year before. Share prices stand at $24.31. [42]

From these figures it can be seen that these companies are extremely profitable. However profits have dwindled since last year. Symantec announced some minor job losses as a result. All companies though, are expecting growths for the coming year. It would appear that the market has stabilized after many years of bumper growths.

5.2 Do you think an Anti-Malware corporation will ever go bankrupt?

None of the companies mentioned filed any debt for the previous year. I do not think that many Anti-Malware corporations will go bankrupt, with the obvious exceptions of bad management. Computers shall become more sophisticated and there shall always be bugs in software, and authors, in good practice, release details of these bugs. Hackers exploit these bugs when known and Anti-Malware companies will always be needed to fix this situation. There will always be virus writers trying to gain notoriety.

Consider early January 1992. The media, in a hysterical frenzy, announced that a virus, Michelangelo, was going to wreak havoc at any moment. John McAfee, inventor and CEO of McAfee Antivirus, told journalists that approximately 5 million computers would be affected by this virus, a deadly hard disk erasing strain. This prediction increased sales significantly. The virus eventually struck only 10,000 computers. Many media members claimed this was due to their reporting.

PC coverage is becoming greater by the day. More systems increase the chances of infection. Most wireless networks are not protected. Currently Dublin City Council have plans to make the city centre a Wi-Fi zone. If not properly secured, the potential for Malware propagation is enormous. Whilst not a major threat presently, the potential of Mobile phone Malware is a threat. These are areas in which antivirus companies could extend into if the situation deteriorates.

The main competitor to antivirus companies is from the open source community which is dealt with in the next section.

5.3 Is non-free, e.g. Norton Internet Security, better than the free, e.g. AVG, anti-virus software and Zonelabs firewall combination?

As a regular user of AVG Free and Spybot for the last 3 years, I can confidently say that free is just as good as non-free for home use. That time has been Malware free. I have recently started using Zonelabs Firewall and can confirm this is an excellent free product. One detraction may be that there is no support but this is only a minor matter for personal use. It is rumoured that the Norton and McAfee packages have been deconstructed many times by virus writers, making them insecure. Open source packages tend to be of a high calibre due to the large number of programmers, testers and debuggers that are ardent supporters of antivirus packages. All source code is available, which allows anyone to edit. Any improvements are generally sent to the authors and would be incorporated in future updates.

For the corporate sector where revenue depends on the data hosted, a commercial anti-virus is preferred. During my Intra Work Experience, Version 1, my employer chose Sophos due to its online technical support. If they were to choose an open source package, there is no service agreement covering the company in the event of data loss, making this a high risk choice. No free anti-virus applications offer this. AVG is not available for commercial use and cannot be installed on servers. There are no free antivirus packages that offer comprehensive support to corporations.

6. Conclusions

This paper covers many aspects of Malware. It is a problem that we all can make a contribution against; even writing letters highlighting this issue makes a difference.

6.1 Lessons learned

Before undertaking this project, I had a vague idea of the workings behind virus authors, antivirus companies and the laws presiding over such matters. Upon completion I have a much greater understanding of these topics, so I will endeavour to be more careful against such Malware. Whilst researching which virus I would base my study on, I was amazed at the sheer volume of malicious software on the internet. Having a suitable antivirus and firewall is the minimum of my protection needs. I would ensure that any network I am working on be secure against any threats.

Virus authors are extremely intelligent and governments should put incentives in place in which these authors could test their talents. Maybe an online community should be set up where many software problems are posed and these writers could test their skills.

6.2 Threats posed

By April 2006, there were 115,000 known viruses. This number is growing daily. These were all directed at Windows Systems. Any of these computers that are connected facilitate their spread. Using any sort of storage device carries a risk of infection. There are many viruses that are “in the wild” which have not been released. This is a sombre message which is the reality of today.

Any device with a programmable operating system is susceptible to Malware. It is written for many reasons with money as the motivating factor. In the future we can look forward to new forms of Malware, maybe even on our stereo systems!

6.3 Preventive measures you deem necessary to thwart future threats

Microsoft has 90% of the market share in consumer PCs; Linux and Macintosh own the majority of the remaining 10%. Users of these operating systems experience little or no malware activity. Switching to either of these systems is another option.

When a new patch is released the user should install that patch immediately. All anti-malware applications should have their definition files up to date. This would greatly reduce future threats.

All anti-malware companies should continue in their research preventing future attacks. I feel that a committee should be set up monitoring anti-virus companies and virus writers. Although there is no evidence of collusion between the two, it is in anti-virus companies’ interests that these writers continue to thrive.

Jonathan Yarden’s article makes many excellent points. It should be noted that in his observations, 90% of people actually contribute to the spread of viruses through their ignorance. [15] Perhaps companies that depend on a virus free environment should offer training towards preventive measures of viruses.

Bibliography:

John Whelan, EE438 Secure Systems Administration and Internetwork Security Course Notes.

References:

1. Symantec, www.symantec.com, 12/02/2007

2. McAfee, www.mcaffee.com, 12/02/2007

3. CarnegieMellon Software Engineering Institute, www.cert.org, 12/02/2007

4. 62nds, http://62nds.com/pg/e90.php, 12/02/2007

5. TotallyGeek, http://www.totallygeek.com/vscdb/, 12/02/2007

6. Zonelabs, http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads, 12/02/2007

7. Grisoft, http://free.grisoft.com/freeweb.php, 12/02/2007

8. Symantec, http://www.symantec.com/home_homeoffice/products/category.jsp?pcid=is, 12/02/2007

9. Wikipedia, http://en.wikipedia.org/wiki/Code_Red_worm, 12/02/2007

10. Microsoft, http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx, 12/02/2007

11. Caida, http://www.caida.org/analysis/security/code-red/coderedv2_analysis.xml, 13/02/2007

12. Bullguard, http://www.bullguard.com/antivirus/vit_codered_f.aspx, 13/02/2007

13. Symantec, http://www.symantec.com/security_response/writeup.jsp?docid=2001-080421-3353-99&tabid=2, 13/02/2007

14. Wikipedia, http://en.wikipedia.org/wiki/Anti-virus, 13/02/2007

15. ZDNet Asia, http://www.zdnetasia.com/techguide/security/0,39044901,39290756,00.htm, 13/02/2007

16. ZDNet.co.uk, http://news.zdnet.com/2100-1009_22-6078249.html, 13/02/2007

17. Usa Today, http://www.usatoday.com/tech/columnist/ericjsinrod/2005-02-16-sinrod_x.htm, 13/02/2007

18. Apple, http://www.apple.com/getamac/viruses.html, 13/02/2007

19. University of Oulu, http://www.ee.oulu.fi/research/ouspg/sage/glossary/, 18/02/2007

20. Wikipedia, http://en.wikipedia.org/wiki/Computer_virus, 18/02/2007

21. Wikipedia, http://en.wikipedia.org/wiki/Computer_worm, 18/02/2007

22. Ars Technica, http://arstechnica.com/articles/paedia/malware.ars, 18/02/2007

23. Wikipedia, http://en.wikipedia.org/wiki/Code_Red_II_%28computer_worm%29, 19/02/2007

24. Symantec, http://www.symantec.com/security_response/writeup.jsp?docid=2001-080421-3353-99&tabid=3, 19/02/2007

25. Vnunet.com, http://www.vnunet.com/articles/print/2126635, 19/02/2007

26. Nomasfraude.com, http://www.nomasfraude.com/com/did_you_know/datos/, 19/02/2007

27. CNN, http://money.cnn.com/2003/11/05/technology/microsoftbounty/index.htm?cnn=yes, 19/02/2007

28. PC World, http://www.pcworld.com/article/id,114999-page,1/article.html, 19/02/2007

29. ZDNet.co.uk, http://news.zdnet.co.uk/itmanagement/0,1000000308,39172719,00.htm, 19/02/2007

30. http://www.oic.org/z/EGS/AVCO/ACLACEC1.htm, 19/02/2007

31. Wiley Rein LLP, http://www.wileyrein.com/publication.cfm?publication_id=12478, 19/02/2007

32. GCN, http://www.gcn.com/online/vol1_no1/25237-1.html, 19/02/2007

33. The Standard, http://www.thestandard.com/internetnews/001318.php, 19/02/2007

34. CRM, http://searchcrm.techtarget.com/sDefinition/0,290660,sid11_gci948840,00.html, 19/02/2007

35. Lancaster University, http://www.lancs.ac.uk/iss/rules/cmisuse.htm, 19/02/2007

36. Kilroys Solicitors, http://www.kilroys.ie/news_ebusiness_archive.html#cybercrime, 19/02/2007

37. Honeynet, http://www.honeynet.ie/articles/PDF2004/2004.02.BlackhatPsychology.pdf, 19/02/2007

38. SeekingAlpha, http://software.seekingalpha.com/article/26524, 20/02/2007

39. Wikipedia, http://en.wikipedia.org/wiki/McAfee, 20/02/2007

40. Wikipedia, http://en.wikipedia.org/wiki/Symantec, 20/02/2007

41. Symantec, http://investor.symantec.com/phoenix.zhtml?c=89422&p=irol-fundSnapshot2, 20/02/2007

42. SeekingAlpha, http://seekingalpha.com/article/25006, 20/02/2007

43. ZDNet.co.uk, http://www.zdnet.com.au/news/security/soa/First_mobile_phone_virus_nears_2nd_birthday/0,130061744,139257470,00.htm, 20/02/2007

44. Wikipedia, http://en.wikipedia.org/wiki/Demilitarized_zone_(computing), 22/02/2007
