1991-1992
1991
The computer virus population continued to grow, passing the 300 mark. As the number and severity of virus incidents rose, so did the demand for reliable protection. Early 1991 saw more antivirus products appear: Norton AntiVirus from Peter Norton (who had by now accepted that viruses were real), Central Point Anti-Virus, and Untouchable from Fifth Generation Systems. The latter two companies were later bought by Symantec (in 1993 and 1994).
Other virus-writer bulletin boards, modelled on the VX BBS, appeared, and new personalities emerged from the computer underground: Cracker Jack (Italy, the Italian Research Laboratory BBS), Gonorrhea (Germany), Demoralized Youth (Switzerland), Hellpit (USA), and Dead on Arrival and Semaj (UK). The computer underground was taking shape.
Tequila, a polymorphic multipartite virus (it infected the master boot record and EXE files), caused a significant epidemic in April 1991. It had been written by a Swiss programmer purely for research, with no malicious intent; however, a copy was stolen by an acquaintance, who deliberately infected other users.
The summer of 1991 saw an epidemic of Dir_II, which used a fundamentally new means of infecting files: 'link' technology, in which the virus redirects the starting-cluster pointers in directory entries to its own code instead of modifying the files themselves. To this day it remains the only virus of this type detected in the wild.
Altogether, 1991 was relatively calm; a calm before the storm that broke in 1992.
1992
Viruses for non-IBM-compatible and non-MS-DOS systems faded from the foreground at this time. Loopholes in global networks were closed and errors corrected, and network worms lost the conditions they needed to spread, at least for the time being.
Instead, boot-sector viruses gained ground on the most common operating system (MS-DOS) and the most widely used platform (the IBM PC). The number of viruses grew enormously and incidents occurred almost daily. New antivirus programs continued to appear, as did several books and a number of regular publications devoted to viruses. This was the background for some important developments in virus writing.
At the beginning of 1992 the first polymorphic generator, MTE (the Mutation Engine), appeared. Its purpose was to be linked into other viruses to make them polymorphic. Its author, the infamous Dark Avenger, did everything possible to ease the work of his colleagues in this area: MTE was delivered as a ready-to-use object module, complete with documentation.
Thanks to MTE, several polymorphic viruses appeared almost immediately. MTE was also the forerunner of several other polymorphic generators, and a headache for many antivirus companies: even after months of work, many of them could not achieve 100% detection of well-known viruses built with MTE.
The first anti-antivirus programs appeared this year. Peach was one of the first: it deleted the database of Central Point Anti-Virus's change inspector (integrity checker). If the antivirus program could not find its database, it behaved as if it had just been installed and silently recreated the baseline, now including the already-infected files. The virus thus avoided detection and slowly infected the entire system. The lesson, that a missing or unauthenticated integrity baseline should be treated as an incident rather than as a first run, still applies to file-integrity monitoring today.
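The failure mode Peach exploited is easy to avoid in a change inspector. The following is an added example, not code from the original article or from Central Point's product: a small file-integrity checker that keeps a MACed baseline and refuses to run at all when the baseline is missing or fails authentication, instead of quietly re-baselining over a possibly infected tree. The file names, the sample tree and the key in `demo()` are constructed for the demonstration.

```python
"""Added example (not code from the original article or from Central Point's
product): a file-integrity 'change inspector' that fails closed when its
baseline is missing or unauthenticated instead of silently re-baselining,
which is the behaviour the Peach virus exploited. File names, the sample
tree and the key below are constructed for the demo."""
import hashlib
import hmac
import json
import os
import tempfile


def _digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, key):
    """Hash every file under root and MAC the table, so a forged or
    tampered baseline (not just a deleted one) is also detected."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            files[os.path.relpath(path, root)] = _digest(path)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def load_baseline(path, key):
    """Return the baseline table, or raise. A missing baseline is an
    incident to report, never a reason to create a fresh one."""
    if not os.path.exists(path):
        raise RuntimeError("baseline missing: refusing to re-baseline a possibly infected system")
    with open(path, "r", encoding="utf-8") as f:
        data = json.load(f)
    body = json.dumps(data["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, data["mac"]):
        raise RuntimeError("baseline MAC mismatch: baseline was altered")
    return data["files"]


def check(root, baseline_path, key):
    """Compare the tree against the baseline; returns added/modified/removed."""
    expected = load_baseline(baseline_path, key)
    report = {"modified": [], "added": [], "removed": []}
    seen = set()
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            seen.add(rel)
            if rel not in expected:
                report["added"].append(rel)
            elif _digest(path) != expected[rel]:
                report["modified"].append(rel)
    report["removed"] = sorted(set(expected) - seen)
    return report


def demo():
    """Constructed scenario: baseline a tiny tree, infect one file, then
    delete the baseline the way Peach did."""
    key = b"demo-key"  # constructed; a real key lives off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "dos")
        os.mkdir(root)
        for name, body in (("COMMAND.COM", b"MZ clean program"), ("README.TXT", b"hello")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline_path = os.path.join(tmp, "chklist.sig")  # kept outside the scanned tree
        with open(baseline_path, "w", encoding="utf-8") as f:
            json.dump(build_baseline(root, key), f)

        with open(os.path.join(root, "COMMAND.COM"), "ab") as f:
            f.write(b" + appended virus body")      # simulated infection
        report = check(root, baseline_path, key)     # catches the change

        os.remove(baseline_path)                     # what Peach did
        try:
            check(root, baseline_path, key)
            missing_detected = False                 # a silent re-baseline would go here
        except RuntimeError:
            missing_detected = True
    return report, missing_detected


if __name__ == "__main__":
    print(demo())
```

The MAC does not stop a virus from deleting the baseline (nothing on the same host can), but it turns the two remaining options, rewrite it or delete it, into detectable events; the only safe response to either is to alert and stop, which is exactly what CPAV did not do.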
Law enforcement agencies worldwide began setting up departments specializing exclusively in computer crime. For example, the Computer Crime Unit of New Scotland Yard successfully broke up the English virus group ARCV (Association for Really Cruel Viruses). Great Britain's proactive law-enforcement stance practically neutralized underground activity there, and even now we are unaware of any serious organized virus-writing groups in the country.
March 1992 brought the Michelangelo (or March6) outbreak and the media hype that preceded it (the virus itself had first been detected in 1991, but its March 6 payload date caused the outbreak in 1992). Although some experts predicted that over 5 million machines would be infected, only a few thousand actually suffered.
The VCL and PS-MPC virus construction kits first appeared in July 1992. They allowed anyone to generate their own viruses, with a choice of malicious payloads. Like MTE, they increased both the number of viruses and their potential for destruction.
1992 also brought Win.Vir_1_4, the first virus for Windows, which infected Windows executable files. Although the virus was poorly coded, had limited ability to spread and made no special use of Windows functionality, it opened a new chapter in the history of computer viruses.
On the antivirus vendor front, Symantec bought Certus International along with its antivirus product, Novi.
1993-1995
1993
Virus writers began to take their work seriously. The computer underground had mastered an array of new polymorphic generators and construction kits, and founded new electronic publications. The year saw new viruses employing new techniques to infect files, penetrate systems, destroy data and hide from antivirus programs.
One example was the PMBS virus, which ran in the protected mode of the Intel 80386 processor. Another was Strange (or Hmm), a stealth virus that, unusually, hooked the hardware interrupts INT 0Dh and INT 76h (the hard-disk controller IRQ) rather than the DOS and BIOS disk services that antivirus programs were watching.
Carbuncle signalled a new generation of companion viruses. A number of others, such as Emmie, Bomber, Uruguay and Cruncher, employed fundamentally new techniques to conceal their code inside infected files.
The spring of 1993 was a nerve-wracking time for many antivirus vendors: Microsoft released its own antivirus program. Microsoft AntiVirus (MSAV) was based on Central Point Anti-Virus (CPAV) and shipped as part of MS-DOS and Windows. The first tests by independent laboratories showed a high level of effectiveness, but its quality slowly declined and the project was eventually discontinued.
1994
More and more attention was paid to the problem of viruses on CD-ROMs. This removable medium had quickly become popular and became one of the primary ways in which viruses spread. Several incidents were recorded in which a virus was found on the master disc of a CD producer, and as a result the market was flooded with relatively large shipments (tens of thousands) of infected discs. Naturally, such media cannot be disinfected; infected discs can only be destroyed.
At the beginning of the year, two extremely complex polymorphic viruses appeared in the UK: SMEG.Pathogen and SMEG.Queeg. Even now, not all antivirus programs detect them with 100% reliability. The author placed the infected files on BBSs, causing both an outbreak and a panic in the mass media.
The GoodTimes hoax caused another panic. GoodTimes allegedly spread via the Internet and infected computers through email. Some time later an ordinary DOS virus containing the text 'Good Times' did appear; it was named GT-Spoof.
Many other unusual viruses appeared this year:
January: Shifter, the first virus to infect OBJ files.
Phantom1, the first polymorphic-virus outbreak in Moscow.
April: ScrVir, a family of viruses infecting C and Pascal source code.
June: OneHalf, a complex and dangerous polymorphic virus, causes a significant outbreak; the virus is still active and can cause real damage to this day.
September: Zaraza, an MS-DOS file/boot virus, causes a significant outbreak using a unique installation method that temporarily stumped antivirus experts.
This year also marked several significant developments in the antivirus field.
In June, Central Point, one of the leading antivirus vendors, was bought by Symantec, which had already earned a reputation for acquiring antivirus projects.
AntiViral Toolkit Pro was launched in September. Eugene Kaspersky's first product immediately won top marks in a series of independent tests conducted by Hamburg University.
1995
Nothing significant occurred in the field of DOS viruses this year, although several complex viruses such as Nightfall, Nostradamus and Nutcracker appeared. There were also some interesting new viruses, such as the 'bisexual' RMNS virus and the BAT virus Winstart, and two widespread but not severe outbreaks, caused by ByWay and DieHard2.
In February, Microsoft sent infected versions of Windows 95 to beta testers, but only one of them thought to run an antivirus check. He discovered that the discs were infected with the Form boot virus, and testing was put off until clean discs were issued.
In spring 1995, two antivirus companies announced an alliance: ESaSS (the developer of ThunderBYTE Anti-Virus) and Norman Data Defense Systems (Norman Virus Control). Both had very strong independent products and decided to combine their efforts on a single antivirus system. The alliance crumbled in 1998, when the Dutch ESaSS was bought out by a Norwegian company.
In August, the Concept virus, the first macro virus for MS Word, struck: it circled the globe in only a month and topped antivirus vendors' lists of the most common viruses.
In the first half of September, one of the world's largest computer manufacturers, Digital Equipment Corporation (DEC), accidentally distributed copies of the Concept virus to delegates at a DECUS conference in Dublin. Fortunately, the virus was quickly detected and the outbreak contained. Over a hundred known variants of Concept are still in circulation today.
Green Stripe, a virus for AmiPro, a then popular word processor, also spread rapidly. Its source code was published as a free supplement to Mark Ludwig's magazine Underground Technology Review.
The advent of macro viruses posed a new set of challenges for antivirus vendors. New technologies were needed to detect them, first in MS Word and eventually in the other MS Office applications.
The English affiliate of the Ziff-Davis publishing house distinguished itself twice in 1995. The first time was in September, when the English edition of PC Magazine distributed to subscribers a diskette containing the Sampo virus. This was soon discovered; the company apologized and offered readers a free antivirus utility. The irony was that the diskette accompanied an issue containing the results of antivirus tests for Novell NetWare products.
In mid-December another Ziff-Davis publication, Computer Life, sent its readers a diskette containing a Christmas greeting. Unfortunately, the diskette also contained the Parity Boot virus.
Law enforcement agencies also pressed on in the struggle against cybercrime. On January 16, New Scotland Yard's Computer Crime Unit brought Christopher Pile to court for writing and distributing viruses. The unemployed Pile, known in the underground as the Black Baron, was accused of authoring the Queeg and Pathogen viruses and the SMEG polymorphic generator. Ten months later Pile pleaded guilty and was sentenced to 18 months in prison.
1997
In February 1997 Linux.Bliss, the first virus for the Linux operating system, appeared: viruses had moved to yet another environment. Although Linux viruses remain a rarity, they have evolved since then; viruses that run in the background and a number of viable Trojans have been written for the platform. If Linux were even half as popular as Windows, the number of Linux viruses would be far greater than it actually is.

The release of Microsoft Office 97 was notable for the fact that macro viruses migrated to it almost immediately. Office 97 introduced a completely new version of Visual Basic for Applications, VBA 5.0, which differed significantly from the WordBasic of earlier Word versions and the VBA 3.0 of Excel 5.0, so existing macro viruses written for those applications worked only partially, or not at all, once converted. The first viruses for Office 97 turned out to be almost identical to their predecessors, simply converted into the new format, but new macro viruses developed exclusively for Office 97 soon followed.
March 1997 was notable for the appearance of the ShareFun macro virus for MS Word 6/7, which started a new chapter in computer history: it was the first virus of its kind to spread using email, specifically MS Mail.
In April 1997 the Homer virus was detected, the first network worm to propagate via FTP.

June 1997 brought the first self-encrypting virus for Windows 95, Win95.Mad. The virus, of Russian origin, was uploaded to several BBSs in Moscow and caused a major epidemic.

The Esperanto virus was born in November 1997. It was an attempt, fortunately unsuccessful, to create a multi-platform virus able to infect DOS, Windows and Mac OS.

The development of the Internet, and in particular the appearance of IRC (Internet Relay Chat) clients such as mIRC, attracted a great deal of interest, including that of virus writers, and it did not take long for malicious programs to appear. In December 1997 the antivirus world publicized a fundamentally new type of computer worm that spread via IRC channels. Analysis of mIRC, one of the more popular IRC clients, revealed a dangerous security hole: the directory into which files received over IRC were saved was the same directory that held the client's script.ini command file. A script.ini containing the body of the worm could therefore be sent to a remote computer, where it automatically replaced the original script file; when mIRC was next started it executed the malicious script, and the worm sent itself on to other users. The error was quickly corrected, and these rather primitive IRC worms had disappeared by the summer. However, multi-component IRC worms appeared later that actively searched for script.ini (mIRC), events.ini (PIRCH) and other clients' script files, and worked much like email worms: the user received an EXE, COM or BAT file which, when launched, replaced the original script file.

One of the more important events of 1997 was the split-off of one of the divisions of the KAMI firm, led by Eugene Kaspersky.
This division became an independent company, Kaspersky Lab, which is today recognized as a technical leader in the antivirus industry. Since 1994 the company's main product, AntiViral Toolkit Pro, has consistently scored highly in tests conducted by testing laboratories across the world. Becoming an independent legal entity allowed a small group of developers to become, within two years, one of the leading vendors in its own country as well as well known internationally. Little time was needed to develop and release versions with new antivirus technologies for virtually all popular platforms, and to build a network of international distribution and technical support.
In October 1997, Kaspersky Lab and the Finnish company Data Fellows (later renamed F-Secure Corporation) signed an agreement under which Data Fellows licensed the AVP antivirus engine for its newest product, FSAV (F-Secure Anti-Virus). Until then Data Fellows had been best known as the distributor of F-PROT Professional (the F-PROT engine itself being developed by the Icelandic company Frisk Software).
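The mIRC script.ini hole described earlier in this section is, at bottom, a write-path problem: a file name chosen by a remote peer landed in the directory the client loads code from. The following is an added example, not code from the original article or from any IRC client, of the check a download handler should apply before saving an offered file. The list of protected client files, the function names and the directory layout in `demo()` are assumptions for this demonstration.

```python
"""Added example (not from the original article or from any IRC client):
a check for where a file offered over IRC/DCC may be written, addressing the
mIRC hole in which the download directory was the same directory that held
script.ini. The protected file names and the layout in demo() are assumed."""
import tempfile
from pathlib import Path

# Client files whose replacement yields code execution on next start (assumed names).
PROTECTED = {"script.ini", "mirc.ini", "aliases.ini", "popups.ini", "events.ini"}


def normalize(name):
    """Windows is case-insensitive and drops trailing dots and spaces, so
    'SCRIPT.INI.' is written to script.ini; compare on the normalized form."""
    return name.rstrip(" .").lower()


def safe_download_path(offered_name, download_dir, config_dir):
    """Return the path a received file may be saved to, or raise ValueError."""
    download_dir = Path(download_dir).resolve()
    config_dir = Path(config_dir).resolve()
    # 1. Downloads must never land in the directory the client loads scripts from.
    if download_dir == config_dir:
        raise ValueError("download directory is the configuration directory")
    # 2. Accept a bare file name only: no separators, drive letters or NTFS stream syntax.
    if not offered_name or offered_name in (".", "..") or any(c in offered_name for c in "/\\:"):
        raise ValueError("name contains path components")
    # 3. Refuse the client's own configuration files, however cased or padded.
    if normalize(offered_name) in PROTECTED:
        raise ValueError("refusing to overwrite a client configuration file")
    target = (download_dir / offered_name).resolve()
    # 4. The final path must still be a direct child of the download directory.
    if target.parent != download_dir:
        raise ValueError("path escaped the download directory")
    return target


def demo():
    """Constructed layout: client config in mirc/, downloads in mirc/download/."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        config = Path(tmp) / "mirc"
        downloads = config / "download"
        downloads.mkdir(parents=True)
        offers = ["photo.jpg", "script.ini", "SCRIPT.INI.", "..\\script.ini", "script.ini:data"]
        for name in offers:
            try:
                safe_download_path(name, downloads, config)
                results[name] = "accepted"
            except ValueError as err:
                results[name] = str(err)
        # The 1997 misconfiguration: downloads saved into the config directory itself.
        try:
            safe_download_path("photo.jpg", config, config)
            results["same-dir"] = "accepted"
        except ValueError as err:
            results["same-dir"] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome}")
```

Rule 1 makes the client fail closed on the original misconfiguration (no downloads at all until the directories are separated), and rule 3 is what stops the later multi-component worms even when the user has moved the download directory, because it keys on the file name rather than on where it is going.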
1997 will also be remembered as a year of petty squabbles, with several scandals between some of the larger antivirus manufacturers developing at the same time. At the beginning of the year, McAfee announced that it had discovered a 'bookmark' in the programs of one of its main competitors, Dr. Solomon's. According to McAfee, if Dr. Solomon's scanner found several viruses during a scan, it switched to a more intensive mode of operation. In other words, under normal conditions the program ran in a normal mode, but when scanning a virus collection it switched to an intensive mode (or, in McAfee's words, a 'cheat mode') that detected viruses invisible to it in normal mode. As a result, scans of clean disks gave good speed results and scans of virus collections gave good detection results.
Dr. Solomon's response was not long in coming: the company filed suit over McAfee's recent marketing campaign, which claimed that McAfee was 'The Number One Choice Worldwide. No Wonder The Doctor's Left Town', an obvious reference to Alan Solomon, the founder of Dr. Solomon's, who had in fact earlier handed control of the company to its senior management.
Perhaps even more scandalous was the affair in which Trend Micro, a developer with Taiwanese roots, accused two leading antivirus companies, McAfee and Symantec, of violating its patent on scanning Internet and email traffic for viruses. Shortly afterwards Symantec entered the fray with its own accusation, alleging that McAfee had used code from Symantec's Norton AntiVirus.
The year closed with McAfee Associates and Network General announcing their intention to merge into a single company, Network Associates Inc. (NAI), in order to diversify into other areas of computer security (encryption, firewalls, network scanners and so on). However, at the end of 1999 NAI's management decided to breathe new life into the McAfee brand and line of antivirus products, and the company later reverted to its old name.
1998
Virus attacks on MS Windows, MS Office and network applications continued apace, with viruses exploiting new infection vectors and using ever more complex techniques. A wide range of Trojan programs designed to steal passwords (the PSW family) and of remote administration utilities (the Backdoor family) appeared. Several computer magazines distributed discs infected with the Windows viruses CIH and Marburg. In particular, CDs attached to the English, Slovenian, Swiss and later Italian editions of PC Gamer contained the Marburg virus, which was present in the electronic registration program on an MGM Interactive disc of the game WarGames PC. At the end of September, the AutoStart virus was found on discs due to be distributed with CorelDRAW 8.1 for Mac OS.
The beginning of the year brought an epidemic caused by the Win32.HLLP.DeTroi family of viruses, which not only infected Win32 EXE files but could also transmit information about the victim machine to the author of the virus. Because the virus relied on system libraries found only in the French version of Windows, the epidemic affected only French-speaking countries.
In February, the Excel4Paix (or Formula.Paix) virus was detected. This new macro virus installed itself in Excel spreadsheets using Excel's older formula-macro facility (Excel 4.0 macro sheets), in which self-replicating code can be held in cell formulas rather than in VBA modules. Later the same month the polymorphic Win32 viruses Win95.HPS and Win95.Marburg emerged, and were moreover found in the wild. Antivirus developers were forced to rapidly develop new methods of detecting polymorphic viruses which, until then, had existed only for DOS.
AccessiV, the first virus for Microsoft Access, was detected in March. Unlike the earlier Word.Concept and Excel.Laroux, it caused little alarm, as most users had come to accept that Microsoft applications were highly vulnerable. At about the same time another virus, Cross, surfaced: the first multi-platform macro virus, able to infect documents of two Microsoft Office applications, Word and Access. On the heels of Cross came several other macro viruses that transferred their code from one Office application to another, the most notable being Triplicate (also known as Tristate), which could infect Word, Excel and PowerPoint.
In May 1998 the Red Team virus became the first to infect Windows EXE files and spread using the Eudora email client.

June brought Win95.CIH, which caused an epidemic of first mass and then global proportions, infecting corporate networks and home computers by the thousand. The start of the epidemic was traced to Taiwan, where an unknown hacker posted infected files to a local mailing list. From there the virus spread to the United States, where infected files made it onto several popular web servers and into game downloads; those game sites were most likely the main reason for the large-scale epidemic, which continued throughout the year. CIH overtook earlier 'superstars' such as Word.CAP and Excel.Laroux in prevalence. Most notable was its payload: on its trigger date (26 April in the most widespread variant) the virus overwrote the flash BIOS, which in some cases made it necessary to replace the motherboard, as well as the beginning of the hard disk. The complexity of CIH forced antivirus vendors to speed up their development significantly.

In August 1998 the appearance of Back Orifice (Backdoor.BO) caused controversy: it was designed as a covert utility for remote administration of hosts across a network. Similar backdoors such as NetBus and Phase followed shortly afterwards.
August also saw the first malicious executable Java module, Java.StrangeBrew. The virus posed no specific danger to Internet users, but it illustrated that viruses can also appear in Java, a technology actively used on the Web.
In November 1998 malicious programs continued to evolve, with three viruses infecting Visual Basic Script (VBS) files, then widely used in building web pages. At the time, Kaspersky Lab released an in-depth study of the potential threat of VBS viruses; many specialists were quick to label the company a panic-monger and criticized the study for provoking virus hysteria. A year and a half later, when the LoveLetter epidemic broke, it became clear that the prognosis had been completely accurate. To this day this type of virus holds first place among the most widespread and dangerous types.
The logical culmination of VBScript viruses were full-fledged HTML viruses such as HTML.Internal. It became patently clear that virus writers' efforts were focusing more and more on network applications: they were moving towards network worms that exploited flaws in MS Windows and Office and infected remote computers through web servers or email.
The next MS Office application to fall victim was PowerPoint. In December 1998 a virus of unknown origin, Attach, was the first to attack it, immediately followed by two more, ShapeShift and ShapeMaster, probably by the same author. PowerPoint viruses were yet another headache for antivirus vendors. PPT files use the same OLE2 compound-document container as DOC and XLS files, so the way the container itself is parsed for scanning was already known; however, the VBA project in PPT files is stored in compressed form, so new decompression routines had to be written before the macros could be searched. Despite the complexity of this seemingly simple task, almost all antivirus companies have integrated the necessary functionality to defend against PowerPoint viruses into their products.
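The compression that stands between a scanner and the macro source is the same for every Office VBA project: each module stream is stored in the 'compressed container' format later documented in MS-OVBA (a byte-oriented LZ scheme with 4096-byte chunks and copy tokens whose offset/length split shifts as the chunk fills). The following is an added example, not code from the original article or from any antivirus product, that decompresses such a container and then looks for macro-virus indicators in the recovered source. The sample container is constructed by hand for the demo, and the indicator list is an assumption. PowerPoint 97 additionally wraps the entire VBA project storage in zlib; that outer layer is not handled here, only the module-level layer that Word, Excel and PowerPoint share.

```python
"""Added example (not code from the original article or from any antivirus
product): a decompressor for the MS-OVBA 'compressed container' used by
Office VBA module streams, plus a keyword scan over the recovered source.
The sample containers are hand-built for this demo. PowerPoint 97 wraps the
whole VBA project in zlib as well; only the module-level layer is shown."""
import struct

# Assumed indicator list for the demo; real scanners use far more.
SUSPICIOUS = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open",
              "Workbook_Open", "Shell", "CreateObject")


def decompress_vba(container):
    """Decompress an MS-OVBA compressed container into module source bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("missing container signature byte 0x01")
    out = bytearray()
    pos, end = 1, len(container)
    while pos < end:
        header = struct.unpack_from("<H", container, pos)[0]
        size = (header & 0x0FFF) + 3            # chunk size including this 2-byte header
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        compressed = (header >> 15) & 1
        chunk_end = min(end, pos + size)
        pos += 2
        if not compressed:                       # stored chunk: literal bytes only
            out += container[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_start = len(out)                   # back-references never cross a chunk boundary
        while pos < chunk_end:
            flags = container[pos]
            pos += 1
            for bit in range(8):                 # one flag bit per token, LSB first
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:       # literal token: one byte copied as-is
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                diff = len(out) - chunk_start
                if diff == 0:
                    raise ValueError("copy token before any literal in chunk")
                # Offset/length split moves as the chunk fills: ceil(log2(diff)) bits, minimum 4.
                bits = max((diff - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                src = len(out) - offset
                if src < chunk_start:
                    raise ValueError("copy token reaches before chunk start")
                for i in range(length):          # byte-wise copy: source may overlap destination
                    out.append(out[src + i])
    return bytes(out)


def macro_indicators(source):
    """Return the suspicious identifiers present in decompressed module source."""
    text = source.decode("latin-1")
    return [word for word in SUSPICIOUS if word in text]


# Hand-built container (constructed for the demo): one compressed chunk holding
# "Sub AutoOpen()\r\nEnd Sub\r\n", with the second "Sub" encoded as a copy token.
SAMPLE = (
    b"\x01"                      # container signature
    + b"\x1a\xb0"                # chunk header: size 29 (0x1a+3), signature 011, compressed
    + b"\x00" + b"Sub Auto"      # flag byte 0x00: eight literals
    + b"\x00" + b"Open()\r\n"    # eight more literals
    + b"\x10" + b"End "          # bit 4 set: four literals, then a copy token
    + b"\x00\x98"                # copy token 0x9800: offset 20, length 3 -> "Sub"
    + b"\r\n"                    # two trailing literals
)

# Stored (uncompressed) chunk: header 0x3FFF, data copied through unchanged.
SAMPLE_STORED = b"\x01\xff\x3f" + b"Attribute VB_Name = \"Module1\"\r\n"


if __name__ == "__main__":
    src = decompress_vba(SAMPLE)
    print(src, macro_indicators(src))
```

The point a scanner author has to get right is the moving split inside the copy token: the same 16-bit value means a different offset and length depending on how much of the current chunk has already been produced, so a decoder that fixes the split (or resets it at the wrong place) silently yields garbage and the signature scan that follows sees nothing.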
In January, Virus Bulletin magazine began a new project, VB 100%: regular testing of antivirus products to determine whether they detect 100% of the viruses known to be in the wild. VB 100% is now regarded as one of the more respected independent tests.

Significant changes also occurred in the antivirus vendor market. In May, Symantec and IBM announced that they would jointly develop an antivirus product; the combined product was to be distributed by Symantec under its own name, while IBM's product, IBM AntiVirus, would cease to exist. Towards the end of September, Symantec announced the purchase of Intel's antivirus business, LANDesk Virus Protect. Just two weeks later, Symantec surprised the industry again with another purchase, this time of Quarterdeck for $65 million; its product range included the antivirus product ViruSweep.
Such aggressive tactics did not go unnoticed by the American antivirus giant NAI, which on August 13 announced the purchase of one of its main competitors, the English company Dr. Solomon's, for a record $640 million in a stock swap. These events caused genuine shock in the industry: a conflict between two of its large players had ended in a buy-out, and one of the more prominent and technologically strong developers of antivirus software disappeared as a result.
Also interesting was the purchase of EliaShim, developer of the antivirus product eSafe, in December by Aladdin Knowledge Systems, a well-known developer of computer-security hardware and software.
A curious incident occurred with the publication of a computer-virus warning in the December 21 edition of The New York Times. The author warned of the appearance of a virus that spread via email and was already being detected on some networks. It later became evident that this terrifying virus was none other than the well-known macro virus Class.
1999
Strange as it may seem, the most significant news of the year was not the emergence of a new virus but the announcement of the long-planned purchase of the Australian antivirus vendor Cybec by the software giant Computer Associates (CA). With this purchase CA added another antivirus product to its collection, having already bought Cheyenne Software at the end of 1996. Both products still exist to this day: CA Vet Anti-Virus and CA InoculateIT.
Viruses, however, did not sit idly by, and in January we witnessed a global epidemic of the Happy99 worm (also known as Ska). This was the first modern-day worm, and it opened yet another new chapter in the history of malware. It spread by patching the Windows sockets library (WSOCK32.DLL) so that a copy of itself went out with every email and Usenet posting the user sent, whatever the client, including MS Outlook, which had become a corporate standard in Europe and the US. Although Happy99 first appeared at the beginning of 1999, it still regularly shows up in the top ten most widespread malicious programs to this day.
At almost the same time a very interesting macro virus for MS Word was detected: Caligula. It searched the system registry for keys belonging to PGP (Pretty Good Privacy) and from them located the PGP key databases; if it found them, it opened an FTP session and secretly uploaded the files to a remote server.

At the end of February came SK, the first virus to infect Windows help (HLP) files.

On March 26 a global epidemic was caused by Melissa, the first macro virus for MS Word to combine Internet-worm functionality. Immediately after infection, Melissa read the MS Outlook address book and sent copies of itself to the first 50 addresses found. Like Happy99, Melissa did this without the user's knowledge or consent, but the messages appeared to come from the user. Fortunately the virus was not complex, antivirus developers quickly released the necessary database updates, and the epidemic was contained quickly. Nevertheless, Melissa managed to inflict significant damage on a range of computer systems: industry giants such as Microsoft, Intel and Lockheed Martin were forced to shut down their corporate email systems temporarily. Estimates put the damage at several tens of millions of US dollars.
US law enforcement agencies (their cybercrime units, to be precise) reacted exceptionally quickly to Melissa. Shortly afterwards the author was identified and arrested: 31-year-old David L. Smith, a programmer from New Jersey. On December 9 he pleaded guilty to state and federal charges carrying a maximum of 10 years in prison and $400,000 in fines.
Law enforcement was equally active on the other side of the Pacific. In Taiwan, the author of the CIH virus, previously known only as Chernobyl, was identified as Chen Ing Hau (note the initials), a student at the Taiwan Technical Institute. However, as no local company filed a complaint, the police had no basis for an arrest.
On May 7 a virus struck the Canadian company Corel, threatening its cash cow, CorelDRAW. The Gala virus (also known as GaLaDRieL) was written in the Corel SCRIPT language and became the first virus able to infect CorelDRAW, Corel PHOTO-PAINT and Corel VENTURA files.
Another epidemic broke out at the very beginning of summer with the dangerous Internet worm ZippedFiles (also known as ExploreZip). It arrived as an EXE file which, once run, destroyed the files of some of the more popular applications. Although the worm was less widespread than Melissa, the damage was estimated to be several times higher. Despite the quick reaction of antivirus companies in neutralizing it, a relapse was recorded in December: a modified version whose body was packed with the Neolite executable compressor. If an antivirus program did not understand this packing format, the worm escaped unnoticed, and at the time none of them did. Only in June 2000 did AntiViral Toolkit Pro (AVP) gain support for Neolite-packed files.
In August an Internet worm named Toadie (or Termite) was detected. In addition to infecting DOS and Windows files, it attached copies of itself to emails sent via Pegasus Mail and attempted to spread through IRC channels.
October brought the computer industry three surprises. The first was the discovery of Infis, the first virus for Windows NT, which installed itself at the highest privilege level of the platform, as a kernel-mode driver, and infected files from there; this made the virus difficult to contain. The second was a warning from antivirus companies about the first virus for MS Project; in fact it was a multi-platform virus that infected MS Word files just as readily as MS Project files. The third was yet another script virus, Freelinks, first seen in July, which was one of the predecessors of the well-known LoveLetter.
In November the world was shaken by a new generation of worms that spread via email without attachments and infected a computer as soon as the message was read. The first was Bubbleboy, immediately followed by KakWorm. Both exploited a security hole in Internet Explorer; although Microsoft issued a patch the same month, KakWorm remained widespread for a long time. That same month the USA and Europe recorded several infections by the Windows virus FunLove.
December 7 was notable for the detection of the latest in a long line of malicious programs by the Brazilian virus writer known as Vecna. The very dangerous and complex Babylonia turned a new page in the history of virus creation: it was the first worm capable of updating itself remotely. Every minute it connected to a server in Japan and downloaded a list of virus modules; if it found modules newer than those on the infected computer, it downloaded them immediately. Later the same technique was used by Sonic, Hybris and other viruses.
In the middle of the year the antivirus industry officially split into two camps over the potential Y2K threat. One camp insisted that the computer underground had prepared a surprise in the form of several hundred thousand viruses capable of shaking human civilization to its core; the subtext was clear: install antivirus software and you will be saved. The second camp opposed the first and tried to keep frightened users calm. The warnings later proved baseless, and the year 2000 arrived like any other year.

There were a few curious stories as well. A CD distributed with the November issue of the Hungarian magazine Uj Alaplap contained, in addition to useful material, a distinctly unpleasant surprise: two macro viruses for MS Word, Class.B and Opey.A.
2000
The year began unexpectedly for users of Windows 2000 and Visio, a popular application for creating diagrams and flow-charts. Microsoft had not even finished announcing the release of a fully functional commercial version of their operating system when members of the underground group 29A set Inta loose. The virus was the first to infect Windows 2000 files. Shortly after, two viruses emerged almost simultaneously, Unstable and Radiant, which marked Visio's demise. The second incident brought to light a sick joke: the viruses had been released by Microsoft, which not long after Unstable and Radiant purchased Visio Corporation.
In April, the first macro virus of Russian origin for MS Word was recorded. Proverb was detected in 10 Downing Street, the office of the British prime minister. It can only be hoped that English authorities heeded the advice of the Russian proverb, 'Don't put off till tomorrow what you can drink today'.
May 5th broke a record in the Guinness Book of Records with the script virus LoveLetter. Everything occurred exactly as Eugene Kaspersky had predicted in November of 1998. Naïve users couldn't even imagine that seemingly harmless VBS and TXT files could contain a harmful virus. Once loaded, it destroyed a range of files and sent itself to all addresses in the MS Outlook address book. The transparency of the source code more or less guaranteed that new modifications of the virus would appear throughout the year, and currently there are more than 90 of them in circulation.
On the 6th of June, the Timofonica virus was detected; this was the first computer virus that employed, in a limited manner, mobile phones. In addition to spreading via email, the virus sent messages to random mobile phone numbers in the MoviStar cellular network, which belonged to the global telecommunications giant Telefonica. The virus had no other effect on mobile phones, despite the fact that many mass media outlets were quick to name Timofonica the first 'cellular' virus.
The summer of 2000 was hot, particularly as far as mobile phone viruses were concerned. While this period is usually a vacation time for virus writers and antivirus experts alike, the former, by all accounts, decided to surprise the latter. In July, a group known as the Cult of the Dead Cow produced a new version of the Back Orifice virus (BO2K). This occurred at the annual DefCon conference (in a jab at Microsoft's DevCon) and evoked a flood of messages from frightened users to antivirus vendors. In reality, the new version posed little more harm than its predecessor and was promptly added to leading antivirus vendors' databases. The distinguishing feature of BO2K was its drift towards legitimate commercial remote-administration utilities; the program was visible upon installation. Despite this, it could still be used for illicit purposes and was classified by antivirus companies as a Backdoor Trojan.
July saw the appearance of three exceptionally interesting viruses. Star was the first virus designed for AutoCAD packages. Dilber was distinguished by the fact that it contained code from five other viruses, including CIH, SK, and Bolzano. Depending on the date, Dilber activated the routines of one of its components, earning it the nickname Shuttle Virus. The third interesting virus was an Internet worm called Jer, which employed a relatively clumsy means of penetrating computers. The script program making up the worm's body was uploaded to a website and was activated automatically when the corresponding HTML page was opened. After this, users received a warning that an unidentified file had been found on the disc. It was a calculated risk relying on human error: the hope was that users would inadvertently answer 'yes' to be rid of the script program. The appearance of this worm confirmed a new fashion in the spread of viruses through the Internet: first the worm is placed on a website, and then a mass marketing campaign is conducted to attract users. The calculated risk paid off: for every thousand users, a few dozen would let the virus in.
In August, the Liberty virus was discovered, the first harmful Trojan program to affect the PalmOS operating system of the Palm Pilot. Upon installation it deleted files but was incapable of replicating. In September, this new class of harmful programs was extended with the first true virus for PalmOS, Phage. It was a classic parasitic virus which, after installing itself and infecting files, proceeded to delete them and write its own code in their place.
In the beginning of September, a computer virus by the name of Stream was discovered which was capable of manipulating the alternate data streams (ADS) of the NTFS file system. The virus itself posed no particular threat. More dangerous was the technique of using ADS, insofar as no antivirus program at the time was capable of scanning this location. Unfortunately, the virus evoked an inadequate reaction among some large antivirus firms, which accused Kaspersky Lab of scaremongering. Despite the accusations, none of the opponents were able to offer any concrete arguments confirming their position that ADS in NTFS were safe. The problem of antivirus protection for NTFS remains a vital issue to this day, insofar as only a few antivirus scanners have learned to search for viruses in ADS.
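The scanning gap described above can be checked for on any NTFS volume. The PowerShell script below is an added example and not part of the original article or of any product it mentions: it lists every named stream attached to the files under a directory, which is precisely the location that early scanners skipped. The `$Path` parameter and its default are assumptions of this example.

```powershell
# Added example (not from the original article): enumerate named NTFS
# alternate data streams under a directory so they can be reviewed or
# handed to a scanner. Requires Windows PowerShell 3.0 or later.
param(
    # Directory to examine; the default (current directory) is an assumption.
    [string]$Path = '.'
)

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # '-Stream *' lists every stream on the file. The ordinary file
        # contents appear as the unnamed stream ':$DATA', which is skipped
        # so that only hidden, named streams are reported.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Length = $_.Length
                }
            }
    } |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

Save it under a name of your choosing (the file name is not fixed by this example) and run it with `-Path` pointing at the directory to audit. Not every named stream is hostile: browsers attach a small `Zone.Identifier` stream to downloaded files, so the listing is a starting point for review rather than a verdict. The contents of a stream that does look suspicious can be read with `Get-Content -LiteralPath <file> -Stream <name>` and submitted to a scanner, which is the coverage the paragraph says early products lacked.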
October saw the appearance of the first virus for PIF files (Fable) and the first virus written in the PHP scripting language (Pirus). Neither virus has been discovered 'in the wild' to this day. At the same time, a scandal arose when Microsoft's internal systems were hacked and left open for several months by a group of unknown hackers from St. Petersburg. Entry was gained through a simple loophole using a network worm called QAZ. What was curious about this incident was that at the time the hack was discovered, the worm in question was already included in practically all antivirus databases. This raised some misgivings about the competence of Microsoft personnel, or, perhaps, their malicious intent. In any case, as of the writing of this book, the guilty parties have yet to be located.
A notable event occurred in November. Kaspersky Labs, having become one of the antivirus industry's major players in three short years, changed the name of its flagship product: AntiViral Toolkit Pro (AVP) became Kaspersky Anti-Virus and took on a new logo.
This same month brought the detection of a technologically complex and dangerous virus called Hybris. This virus was written by the Brazilian virus writer Vecna, who further developed his first self-rejuvenating virus, Babylonia, taking earlier errors into account. The main innovation was the use of websites and list servers (alt.comp.virus in particular) to load new modules of the virus onto infected computers. Whereas a website could easily be taken down, list servers were an ideal alternative for distribution, as they were much harder to take down. Further, Hybris employed a 128-bit RSA key to verify that modules had actually been written by the author.
As a whole, 2000 was the year in which email again proved itself to be the best way to transmit viruses. According to Kaspersky Labs' support statistics, approximately 85% of all registered infections occurred via email. The year was also notable for a wave of activity among virus creators targeting Linux. Altogether, 37 new viruses and Trojan programs for the Linux operating system were registered. Consequently, the overall quantity of Linux viruses reached 43, which represented a seven-fold growth in 2000 alone. Finally, a change in the most widespread viruses occurred. Up until this year, macro viruses had been the most common, but once 2000 was over, this place was taken by script viruses.
Saturday, June 7, 2008