History of Malicious Programs
Malicious software may seem like a relatively new concept. The epidemics of the past few years have introduced the majority of computer users to viruses, worms and Trojans - usually because their computers were attacked. The media has also played a role, reporting more and more frequently on the latest cyber threats and virus writer arrests.
However, malicious software is not really new. Although the first computers were not attacked by viruses, this does not mean they were not potentially vulnerable. It was simply that when information technology was in its infancy, not enough people understood computer systems to exploit them.
But once computers became slightly more common, the problems started. Viruses started appearing on dedicated networks such as the ARPANET in the 1970s. The boom in personal computers, initiated by Apple in the early 1980s, led to a corresponding boom in viruses. As more and more people gained hands-on access to computers, they were able to learn how the machines worked. And some individuals inevitably used their knowledge with malicious intent.
As technology has evolved, so have viruses. In the space of a couple of decades, we have seen computers change almost beyond recognition. The extremely limited machines which booted from a floppy disk are now powerful systems that can send huge volumes of data almost instantaneously, route email to hundreds or thousands of addresses, and entertain individuals with movies, music and interactive Web sites. And virus writers have kept pace with these changes.
While the viruses of the 1980s targeted a variety of operating systems and networks, most viruses today are written to exploit vulnerabilities in the most commonly used software: Microsoft Windows. The increasing number of vulnerable users is now being actively exploited by virus writers. The first malicious programs may have shocked users, by causing computers to behave in unexpected ways. However, the viruses which started appearing in the 1990s present much more of a threat: they are often used to steal confidential information such as bank account details and passwords.
So malicious software has turned into big business. An understanding of contemporary threats is vital for safe computing. This section gives an overview of the evolution of malware: it offers a glimpse of some historical curiosities, and provides a framework to help understand the origins of today's cyber-threats.
Historians are still debating when the first computer virus really appeared. We do know a few things for certain, however: the first computer, which is generally considered to have been invented by Charles Babbage, did not have any viruses. By the mid-1970s, the Univac 1108 and IBM 360/370 did.
Nevertheless, the idea for computer viruses actually appeared much earlier. Many consider the starting point to be the work of John von Neumann in his studies on self-reproducing mathematical automata, which became famous in the 1940s. By 1951, von Neumann had already proposed methods for demonstrating how to create such automata.
In 1959, the British mathematician Lionel Penrose presented his view on automated self-replication in his Scientific American article 'Self-Reproducing Machines'. Unlike Neumann, Penrose described a simple two dimensional model of this structure which could be activated, multiply, mutate and attack. Shortly after Penrose's article appeared, Frederick G. Stahl reproduced this model in machine code on an IBM 650.
It should be noted that these studies were never intended to provide a basis for the future development of computer viruses. On the contrary, these scientists were striving to perfect this world and make it more suitable for human life. And it was these works that laid the foundation for many later studies on robotics and artificial intelligence.
In 1962, a group of engineers from America's Bell Telephone Laboratories, V. Vyssotsky, G. McIlroy, and Robert Morris, created a game called 'Darwin.' The game consisted of a so-called umpire in the memory of the computer that determined the rules and order of battle between competing programs created by the players. The programs could track and destroy opponents' programs and, more importantly, multiply. The point of the game was to delete your opponent's programs and gain control over the battlefield.
The scientists' theoretical work and the engineers' harmless game were overshadowed the moment the world realized that the theory of self-multiplying units could be used, equally successfully, for completely different purposes.
1970s
Sometime in the early 1970s, the Creeper virus was detected on ARPANET, a US military computer network which was the forerunner of the modern Internet. Written for the then-popular Tenex operating system, this program was able to gain access independently through a modem and copy itself to the remote system. Infected systems displayed the message, 'I'M THE CREEPER : CATCH ME IF YOU CAN.'
Shortly thereafter, the Reaper program was anonymously created to delete Creeper. Reaper was a virus: it spread to networked machines and if it located a Creeper virus, Reaper would delete it. Even the participants are unable to say whether Reaper was a response to Creeper, or if it was created by the same person or persons who created Creeper in order to correct their mistake.
1974
A virus dubbed Rabbit appeared: it was called Rabbit because it didn't do anything except multiply and spread to other machines. The name was a comment on the speed with which the program multiplied. It clogged the system with copies of itself, impairing system performance. Once Rabbit multiplied to a certain level on an infected machine, the virus would crash.
1975
Pervading Animal, another game, this time written for a Univac 1108, appeared in 1975. To this day, analysts argue about whether this was another virus or the first Trojan.
The rules of the game were simple: the player would think of an animal and the program asked questions in an attempt to identify it. The game was equipped with a self-correction function; if the program was unable to guess the animal, it would update itself and enter new questions. The new modernized version overwrote the old version but, in addition to this, copied itself to other directories. After some time, as a result, all directories would contain copies of 'Pervading Animal.' It is unlikely that engineers appreciated this because the combined volume of the game's copies occupied a significant amount of disc space.
Was this simply a mistake by the game's creator or a conscious attempt to clutter up the system? It is difficult to say. The boundary between programs functioning incorrectly and malicious code was unclear in those days.
Univac programmers attempted to use the Creeper-Reaper model to control Pervading Animal: a new version of the game scanned for older versions and destroyed them. However, the issue was resolved fully only when Exec 8, a new version of the operating system, was released. The file system was modified and the game was unable to multiply.
Early 1980s
As computers gained in popularity, more and more individuals started writing their own programs. Advances in telecommunications provided convenient channels for sharing programs through open-access servers such as BBS - the Bulletin Board System. Eventually university BBS servers evolved into a global data bank and were available in all developed countries. The first Trojans appeared in large quantities: programs that couldn't self-replicate or spread, but did damage systems once downloaded and installed.
1981
The widespread use of Apple II computers predetermined this machine's fate in attracting the attention of virus writers. It is not surprising that the first large-scale computer virus outbreak in history occurred on the Apple II platform.
Elk Cloner spread by infecting the Apple II's operating system, stored on floppy disks. When the computer was booted from an infected floppy, a copy of the virus would automatically start. The virus would not normally affect the running of the computer, except for monitoring disk access. When an uninfected floppy was accessed, the virus would copy itself to the disk, thus infecting it, too, slowly spreading from floppy to floppy.
The Elk Cloner virus infected the boot sector for Apple II computers. In those days, operating systems were stored on floppy disks: as a result the floppies were infected and the virus was launched every time the machine was booted up. Users were startled by the side effects and often infected friends by sharing floppies, since most people had no idea what viruses were, much less how they spread.
The Elk Cloner payload included rotating images, blinking text and joke messages:
ELK CLONER:
THE PROGRAM WITH A PERSONALITY
IT WILL GET ON ALL YOUR DISKS
IT WILL INFILTRATE YOUR CHIPS
YES, IT'S CLONER
IT WILL STICK TO YOU LIKE GLUE
IT WILL MODIFY RAM, TOO
SEND IN THE CLONER!
1983
Len Adleman first coined the term 'virus' in connection with self-replicating computer programs. On November 10th, 1983, at a seminar on computer safety at Lehigh University, this grandfather of modern computer virology demonstrated a virus-like program on a VAX 11/750 system. The program was able to install itself into other system objects. A year later, at the 7th annual information security conference, he defined the phrase 'computer virus' as a program which is able to 'infect' other programs by modifying them to install copies of itself.
1986
The first global IBM-compatible virus epidemic was detected. Brain, which infected the boot sector, was able to spread practically worldwide within a few months. The almost total lack of awareness in the computing community of how to protect machines against viruses ensured Brain's success. In fact, the appearance of numerous science fiction works on the topic only strengthened the panic, instead of teaching people about security.
The Brain virus was written by a 19-year-old Pakistani programmer, Basit Farooq Alvi, and his brother Amjad, and included a text string containing their names, address and telephone number. According to the virus's authors, who worked in sales for a software company, they wanted to gauge the level of piracy in their country. Aside from infecting a disc's boot sector and changing the disk name to '© Brain', the virus did nothing; it had no real payload, and did not corrupt data. Unfortunately, the brothers lost control of their so-called experiment and Brain spread worldwide.
Interestingly enough, Brain was also the first 'stealth virus.' When an attempt to read the infected sector was detected, the virus would display the original, uninfected data.
That same year, a German programmer, Ralf Burger, invented the first programs that could copy themselves by adding their code to executable DOS files in COM format. The working model of the program, named Virdem, was introduced by Burger in December 1986 in Hamburg at an underground computer forum, the Chaos Computer Club. Though most of the hackers at the event specialised in attacking VAX/VMS systems, they were still interested in the concept.
1987
The Vienna virus appeared: its appearance and subsequent spread around the world was hotly debated as the global community tried to discover the identity of the author. Franz Swoboda was the first person to detect the virus: his warning about the discovery of a self-replicating program named Charlie was publicized by many information technology companies and attracted the attention of the media as well. As could be expected, many people were interested in discovering the author and the source of the epidemic. Information leaked out that Swoboda had received the virus from Ralf Burger, who completely denied Swoboda's story, and claimed that, on the contrary, he had received the virus from Swoboda. It was never revealed who had actually created the malicious program.
Despite the confusion surrounding the author of Vienna, its appearance was notable for another reason. One of its potential authors, Ralf Burger, forwarded a copy to Bernt Fix, who was able to neutralize the virus. This was the first occasion when someone was able to neutralize a virus. Thus Fix was a precursor of modern antivirus professionals, although contemporary antivirus experts not only analyze and neutralize viruses, but more importantly release protection, detection and disinfection modules.
Burger capitalized on Fix's work, and published the code used to neutralize Vienna in his book, Computer Viruses: The Disease of High Technology, which was analogous to B. Khizhnyak's Writing Viruses and Anti-Viruses. In his book, Burger explained how the virus code could be modified to eliminate its ability to replicate. However, the book probably gained popularity for explaining how viruses are created, serving as a stimulus for thousands of viruses which were partly or completely developed from ideas expressed in this book.
Several other IBM-compatible computer viruses appeared this year as well:
the famous Lehigh virus, named in honor of the university in Pennsylvania where it was first detected; this university is ironically the alma mater of the father of modern computer virology;
the Suriv family of viruses;
a number of boot-sector viruses in various countries: Yale in the US, Stoned in New Zealand, Ping Pong in Italy;
the first self-encrypting file virus, Cascade.
Lehigh made history as the first virus that caused direct damage to data: the virus destroyed information on discs. Fortunately, there were several computer experts at Lehigh University who were skilled at analyzing viruses. As a result, the virus never left the university, and Lehigh was never detected in the wild.
The Lehigh virus initiated a destructive routine that eventually deleted the virus as well as valuable data. Lehigh first infected only the command.com system files. After infecting four files it began destroying data, i.e. it eventually destroyed itself as well.
By this time, users had begun taking security more seriously and learning how to protect themselves against viruses. More cautious users quickly learned to monitor the command.com file size once they knew that an increase in the file size of command.com was the first sign of potential infection.
The Suriv family of viruses (try reading the name backwards), written by an unidentified programmer from Israel, was just as interesting. As with the Brain virus, it is difficult to determine whether this was merely an experiment that spun out of control or the premeditated creation of a malicious program. Many antivirus experts were inclined to think that it was an experiment. The discovery at Yisrael Radai University of code fragments supported this theory. The university was able to show that the virus's author was attempting to change the process for installing files in EXE format and that the last modification of the virus was only a debugging version.
The first member of this virus family, aptly named by the author Suriv-1, was able to infect accessed COM files in real time. To do this, the virus loaded itself into the computer's memory and remained active until the computer was turned off. This allowed the virus to intercept file operations and, if the user loaded the COM file, to immediately infect it. This facilitated the almost instant spread of the virus to removable storage media.
Suriv-2, as opposed to its predecessor, targeted EXE files. It was, to all intents and purposes, the first virus able to penetrate EXE files. The third incarnation, Suriv-3, combined characteristics from the first and second versions and was able to infect both COM and EXE files.
The fourth modification of the virus, named Jerusalem, appeared shortly thereafter and was able to spread quickly worldwide; Jerusalem caused a worldwide virus epidemic in 1988.
The last significant event of 1987 was the appearance of the encrypted Cascade virus, which was named after part of its payload. Once the virus was activated, the symbols on the screen cascaded down to the bottom line (see cascade.bmp). The virus consisted of two parts - the virus body and an encryption routine. The latter encrypted the body of the virus so that it appeared different in every infected file. After loading the file, control was transferred to the encryption routine which decoded the virus body and transferred control to it.
This virus can be considered the predecessor of polymorphic viruses which have no permanent program code yet maintain their functionality. However, unlike future polymorphic viruses, Cascade encoded only the body of the virus. The size of the infected file was used as a decryption key. The decryption routine remained unchanged which allows modern antivirus solutions to detect the virus with ease.
In 1988, Cascade caused a serious incident in IBM's Belgian office and served as the impetus for IBM's own antivirus product development. Prior to this, any antivirus solutions developed at IBM had been intended for internal use only.
Later, Mark Washburn combined information published by Ralf Burger on the Vienna virus with the concept of self-encryption used in Cascade and created the first family of polymorphic viruses: the Chameleon family.
IBM computers were not alone: viruses were written for Apple Macintosh, Commodore Amiga, and Atari ST.
In December 1987, the first major local network epidemic occurred: the Christmas Tree Worm, which was written in REXX, spread on VM/CMS-9 operating systems. The worm was unleashed on the Bitnet network on December 9th from a West German university through a European Academic Research Network (EARN) portal and then onto IBM's Vnet. Within four days (on December 13th), the virus had flooded the network. Upon loading, the virus displayed a Christmas tree on-screen and sent copies of itself to all network users whose addresses were listed in the NAMES and NETLOG system files.
1988
Suriv-3, or the Jerusalem virus, as it is known today, caused a major epidemic in 1988. It was detected in many enterprises, government offices and academic institutions on Friday, May 13th. The virus struck all over the world, but the US, Europe and the Near East were hit hardest. Jerusalem destroyed all loaded files on infected machines.
May 13th 1988 came to be known as Black Friday. Ironically, antivirus experts and virus writers all pay close attention when the 13th of any month falls on a Friday. Virus writers are more active, while virus analysts treat it as a professional mini-holiday.
By this time, many antivirus companies had been established around the world. Generally, these were small firms, usually with two or three people. The software consisted of simple scanners that performed context searches to detect unique virus code sequences.
Users also appreciated the immunizers that came with the scanners. These immunizers would modify programs in such a way that a virus would think the computer was already infected and leave them untouched. Later, when the quantity of viruses increased into the hundreds, immunizers were rendered ineffective, as the number of immunizers required for the viruses in the wild was simply unrealistic to manufacture.
Both types of antivirus programs were either distributed for free or were sold for ridiculously low prices. Despite this, they failed to gain enough popularity to effectively counter virus epidemics. Furthermore, the antivirus programs were completely helpless in the face of new viruses: imperfect channels for data transmission and the lack of a unified worldwide computer network like the modern Internet made the delivery of updated versions of antivirus programs extremely difficult.
The spread of viruses like Jerusalem, Cascade, Stoned and Vienna was also facilitated by human factors. First, users of that era did not know enough about the need for antivirus protection. Second, many users, and even professionals, didn't believe in the existence of computer viruses.
For instance, even Peter Norton, whose name is synonymous today with many products of US-based Symantec, was skeptical about computer viruses at one stage in his career. He declared their existence to be a myth and compared them to stories of large crocodiles inhabiting the sewers of New York. This incident did not, however, stop Symantec from developing its own antivirus project, Norton AntiVirus, shortly afterwards.
This was an important year for the antivirus community as well: the first electronic forum devoted to antivirus security was opened on April 22. This was the Virus-L forum on the Usenet network created by Ken van Wyk, a university colleague of Fred Cohen's.
The first widespread virus hoax was also registered in 1988. This very interesting phenomenon refers to the spread of rumors about dangerous new viruses. Actually, in some cases, these rumors worked like a virus: scared users would spread them at the speed of light. It goes without saying that these hoaxes did not harm anyone; however, they used up bandwidth and users' nerves, and discredited those who initially believed the rumors.
Mike RoChennel (a pseudonym derived from the word 'Microchannel') was the author of one of the first hoaxes. In October 1988, Mike sent a large number of messages to BBSs regarding a virus which could transfer from one 2400 baud modem to another. A suggested antidote to this virus was to use modems with a speed of 1200 baud. However ridiculous this may have sounded, many users did indeed heed this advice.
Another such hoax was released by Robert Morris about a virus spreading over networks and changing port and drive configurations. According to the warning, the alleged virus infected 300,000 computers in the Dakotas in under 12 minutes.
November 1988 brought a real network epidemic, caused by the Morris Worm. The virus infected over 600 computer systems in the US (including the NASA research center) and almost brought some to a complete standstill. Like the Christmas Tree worm, the virus sent unlimited copies of itself and completely overloaded the networks.
In order to multiply, the Morris Worm exploited a vulnerability in UNIX operating systems on VAX and Sun Microsystems platforms. As well as exploiting the UNIX vulnerability, the virus used several innovative methods to gain system access such as harvesting passwords.
The overall losses caused by the 'Morris Worm' virus were estimated at US $96 million - a significant sum at the time.
Finally, a popular antivirus program, Dr. Solomon's Anti-Virus Toolkit, was released onto the market in 1988. The program was created by UK programmer Alan Solomon, and was widely used until 1998 when the company was taken over by US-based Network Associates (NAI).
1989
The Datacrime and FuManchu (a Jerusalem modification) viruses as well as virus families Vacsina and Yankee appeared.
The Datacrime virus was extremely dangerous: from October 13th through December 31st, it initiated low-level formatting of a hard disc's zero cylinder, which led to the destruction of the file allocation tables (FAT) and irrevocable loss of data.
The first warning about the virus came out of the Netherlands in March from Fred Vogel. Despite the relatively low infection rate, Datacrime evoked a hysterical reaction worldwide. The repeated warnings resulted in significantly distorted descriptions of how the virus really worked and what damage it caused. In the US, the virus was named Columbus Day because many speculated that the virus had been written by Norwegian terrorists attempting to punish Americans for crediting Columbus instead of Eric the Red with the discovery of America.
An interesting incident occurred in Holland. The local police decided to begin a proactive fight against cyber-crime. They developed an antivirus program capable of neutralizing Datacrime and sold it directly to local precincts for a mere $1. There was tremendous demand for the antivirus program, but it was soon discovered that the program was unreliable and had a high false positive rate. A second version was produced to correct the mistakes; however, it was also riddled with bugs.
October 16th, 1989 saw the appearance of the WANK worm on VAX/VMS computers on the SPAN network. The worm spread via the DECNet protocol and changed system messages to read, 'WORMS AGAINST NUCLEAR KILLERS' accompanied by the message, 'Your System Has Been Officially WANKed.' WANK also changed system passwords to random symbols and sent them to a user by the name of GEMPAK on the SPAN network.
December 1989 witnessed the Aids Information Diskette incident. 20,000 discs containing a Trojan were sent to addresses in Europe, Africa, Australia and the WHO. The addresses had been stolen from the database of PC Business World. Once an infected disk had been loaded, the program would automatically install itself on the system, creating its own concealed files and directories and modifying system files. After 90 loads, the Trojan encoded the names of all files, rendering them invisible and leaving only one file accessible. This file recommended paying money to a specified bank account. As a result, it was relatively easy to identify the Trojan's author as one Joseph Popp, who had earlier been declared insane. Despite this, he was convicted in absentia by Italian authorities.
It is interesting to note that 1989 marked the beginning of virus epidemics in Russia as well. Towards the end of 1989, approximately 10 viruses (listed in the order they arrived) appeared in Russian cyber-space: 2 versions of Cascade, several modifications of Vacsina and Yankee, Jerusalem, Vienna, Eddie, and PingPong.
The spread of high technology worldwide predetermined the appearance of new antivirus projects throughout the world, just as it did in Russia (or, at that time, the USSR). In 1989, antivirus expert Eugene Kaspersky, who would later found Kaspersky Lab, first ran into a virus: his work computer was infected by Cascade in October 1989. It was this incident that led Eugene to devote his life to antivirus research.
Only a month later, Eugene detected the Vacsina virus using the first version of the -V antivirus program he had just written. Years later, -V turned into AVP Antiviral Toolkit Pro.
In fact, 1989 saw a bumper crop of antivirus companies: F-Prot, ThunderBYTE, and Norman Virus Control.
So many people became so nervous about viruses that various groups and individuals asked IBM, then the undisputed leader in the IT market, to provide an antivirus solution. After brief consideration and market research, IBM decided to 'declassify' the internal antivirus project it was running at its TJ Watson Research Center and turn it into a full commercial product. IBM Virscan for MS-DOS was first made available for purchase in October 1989 for only $35.
April of 1989 marked another landmark in the antivirus field: the first antivirus publications were founded. UK-based Sophos sponsored Virus Bulletin, whereas Dr. Solomon's founded Virus Fax International. Virus Bulletin exists to this day, while Virus Fax International was first renamed as Virus News International and eventually metamorphosed into Secure Computing.
Today, Secure Computing is considered one of the most popular sources in information technology security and specializes not only in antivirus programs but also in computer and device safety. Secure Computing conducts annual contests under the 'Secure Computing Awards' title for the best developments in various fields, including antivirus safety, cryptology, access-control, intranet screens, and others.
1990
1990 saw several important developments in virus writing. Virus writers developed new features and established well-publicized communities to share information.
To start with, the first polymorphic viruses appeared in 1990: the Chameleon family (1260, V2P1, V2P2, and V2P6), which evolved from two earlier well-known viruses, Vienna and Cascade. Chameleon's author, Mark Washburn, used Burger's book on the Vienna virus and then added features from the self-encoding Cascade virus. Unlike Cascade, Chameleon was not only encrypted, but the virus code also changed with every infection. This particular feature rendered contemporary antivirus programs useless. Up to that point, antivirus programs had depended on an ordinary context search for pieces of known virus code. Chameleon did not have permanent code, which made the development of new types of antivirus programs priority number one. These developments were not long in coming. Soon thereafter, antivirus experts invented special algorithms to identify polymorphic viruses. Later, in 1992, Eugene Kaspersky developed an even more effective method for neutralizing polymorphic viruses: a processor-emulator for deciphering codes. Today, this technology is an integral attribute of all antivirus programs.
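The Cascade section above notes that its decryption routine never changed, so a scanner could match on it, while this section explains why that stopped working for Chameleon and why an emulator was the answer. The following Python is an added example, not code from the original article or from any antivirus vendor: it models both styles with constructed byte strings and an invented two-byte stub opcode format, and shows a plain context search catching Cascade-style samples on their invariant stub, missing the Chameleon-style ones, and an emulating scan recovering the body in both cases.

```python
# Added example, not code from the original article or from any antivirus
# vendor: a toy model of the detection story told above. The "infected files"
# are constructed byte strings and the stub opcode format is invented here.
#
# Sample layout:  <host bytes> <STUB_MARK> <stub> <encoded body>
#   stub   = (opcode, operand) byte pairs ending in END; the ops are applied in
#            order to every body byte to recover the plaintext body
#   XORLEN = xor with the file's own length (the Cascade trick): the stub bytes
#            are identical in every file, only the key they derive differs

XOR, ADD, SUB, XORLEN, END = 0x01, 0x02, 0x03, 0x04, 0xFF
STUB_MARK = b"\xAA\x55"                   # constructed marker: stub starts here
BODY = b"virus body: infect com"          # constructed stand-in for a virus body
BODY_SIG = b"infect com"                  # signature of the plaintext body
CASCADE_STUB_SIG = STUB_MARK + bytes([XORLEN, 0x00, END])  # the invariant stub


def apply_stub(stub, data, file_len):
    """Execute the stub's operations over data: the 'processor emulator'."""
    out = bytearray(data)
    for op, k in stub:
        if op == XORLEN:
            op, k = XOR, file_len & 0xFF
        for i, b in enumerate(out):
            if op == XOR:
                out[i] = b ^ k
            elif op == ADD:
                out[i] = (b + k) & 0xFF
            elif op == SUB:
                out[i] = (b - k) & 0xFF
            else:
                raise ValueError(f"unknown opcode {op:#04x}")
    return bytes(out)


def parse_stub(blob, start):
    """Read (opcode, operand) pairs from blob[start:] up to END; return the stub
    and the offset at which the encoded body begins."""
    stub, i = [], start
    while i + 1 < len(blob) and blob[i] != END:
        stub.append((blob[i], blob[i + 1]))
        i += 2
    if i >= len(blob) or blob[i] != END:
        raise ValueError("truncated stub")
    return stub, i + 1


def invert_stub(stub):
    """Inverse op sequence; used only to build the constructed samples."""
    inverse = {XOR: XOR, XORLEN: XORLEN, ADD: SUB, SUB: ADD}
    return [(inverse[op], k) for op, k in reversed(stub)]


def build_sample(host, stub, body=BODY):
    """Constructed 'infected file': host + marker + stub bytes + encoded body."""
    stub_bytes = bytes(b for op, k in stub for b in (op, k)) + bytes([END])
    total = len(host) + len(STUB_MARK) + len(stub_bytes) + len(body)
    return host + STUB_MARK + stub_bytes + apply_stub(invert_stub(stub), body, total)


def context_scan(blob, signature):
    """1988-style scanner: a plain search for a fixed byte sequence."""
    return blob.find(signature) != -1


def emulating_scan(blob, body_signature):
    """Run whatever stub follows STUB_MARK over the rest of the file, then search
    the recovered plaintext: the approach the text credits to the emulator."""
    at = blob.find(STUB_MARK)
    if at == -1:
        return False
    try:
        stub, body_off = parse_stub(blob, at + len(STUB_MARK))
        plain = apply_stub(stub, blob[body_off:], len(blob))
    except ValueError:
        return False
    return plain.find(body_signature) != -1


# Constructed hosts of different lengths, so the Cascade-style key differs per file.
HOSTS = [b"MZ host A", b"MZ host program B, longer"]
CASCADE_SAMPLES = [build_sample(h, [(XORLEN, 0x00)]) for h in HOSTS]
# Chameleon-style: same body, but a different hand-written stub in each sample.
CHAMELEON_SAMPLES = [
    build_sample(HOSTS[0], [(XOR, 0x5C), (ADD, 0x11)]),
    build_sample(HOSTS[1], [(SUB, 0x07), (XOR, 0xA3), (ADD, 0x2F)]),
]


def detections():
    """Which scanner catches which family; one boolean per sample, in order."""
    return {
        "cascade_by_body_sig": [context_scan(s, BODY_SIG) for s in CASCADE_SAMPLES],
        "cascade_by_stub_sig": [context_scan(s, CASCADE_STUB_SIG) for s in CASCADE_SAMPLES],
        "chameleon_by_stub_sig": [context_scan(s, CASCADE_STUB_SIG) for s in CHAMELEON_SAMPLES],
        "cascade_by_emulation": [emulating_scan(s, BODY_SIG) for s in CASCADE_SAMPLES],
        "chameleon_by_emulation": [emulating_scan(s, BODY_SIG) for s in CHAMELEON_SAMPLES],
    }
```

The body signature never matches directly because the body is encoded; the stub signature matches only while the stub is invariant, and the emulating scan is the one strategy that survives the stub changing per file.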
The second important milestone was the appearance of the Bulgarian Virus Producing Factory. Throughout this year and for a number of years afterwards, a large number of viruses of Bulgarian origin were detected in the wild. They included entire virus families such as Murphy, Nomenclatura, Beast (or 512 or Number of Beast), new modifications of Eddie, and many more.
A virus writer named Dark Avenger was particularly active: he released several viruses a year, which incorporated new infection and concealment techniques. It was Dark Avenger who first employed a technique where the virus, when detected, would automatically infect all files in the computer, even if the file was opened for read-only purposes. Dark Avenger demonstrated exceptional ability, not only in creating viruses, but in spreading them as well. He actively loaded infected programs onto BBSs, distributed source codes for his viruses, and advocated the creation of new viruses in every way possible.
The first BBS (VX BBS) aiming to provide an open forum for the exchange of viruses and information for virus writers was established in Bulgaria, probably by Dark Avenger. The philosophy behind the board was simple: if a user uploaded a virus, then in exchange he was allowed to download one from the board's catalog. If the user submitted a new and interesting virus, then he was granted full access to the board's resources and could download an unlimited quantity of viruses from the collection. It almost goes without saying what a powerful effect VX BBS had on the development of viruses, especially since the board was open to the whole world, not just Bulgaria.
In July of 1990, a serious incident occurred with the English computer magazine PC Today. Each issue of the magazine contained a free floppy disc which turned out to be infected with a copy of DiskKiller. More than 50,000 copies of the magazine were sold. The resulting epidemic made virology history!
Two innovative stealth viruses appeared in the second half of 1990: Frodo and Whale. Both used an incredibly complex algorithm to conceal themselves in the system. The nine kilobyte Whale, in addition, employed several levels of encryption and a whole array of tricky anti-debugging techniques.
The first Russian viruses appeared: Peterburg, Voronezh, and LoveChild.
In December of 1990, EICAR (European Institute for Computer Antivirus Research) was established in Hamburg, Germany. The institute is still considered one of the most respected international organizations, uniting professionals from practically all major antivirus companies.
Saturday, June 7, 2008