Saturday, June 7, 2008

The Venture Capital Win 32 ViroHistory

History of 4th Decade In Virus History

2001
2001 was a mixed bag: antivirus vendors took significant strides forward, but the number of virus attacks rose nevertheless. The changeover from classic viruses to worms continued as Internet use exploded. Virus writers showed a definite preference for malicious code that propagated by sending copies of itself across local networks and the Internet.

Significant outbreaks
Malicious programs that exploited vulnerabilities in applications and operating systems caused serious epidemics in 2001: CodeRed, Nimda, Aliz and BadtransII. The large-scale epidemics caused by these worms changed the face of computer security and set trends for malware evolution for several years to come.

Endless variants of LoveLetter (aka ILoveYou), Magistr and SirCam also enlivened the malware landscape, keeping users and antivirus vendors on their toes.

Vulnerabilities
A vulnerability is a flaw in a legitimate application or operating system that a virus writer can exploit: malicious code enters the system through such a hole without the user having to run anything.

Viruses and worms that exploit vulnerabilities are particularly dangerous because they are installed and activated automatically, regardless of user action. For instance, Nimda penetrated computers even when the infected email was merely displayed in the MS Outlook preview pane. CodeRed went a step further: it exploited a buffer overflow in the Indexing Service extension of Microsoft IIS, scanning the Internet for vulnerable web servers and infecting them with no user involvement at all. According to Kaspersky Virus Lab statistics, malware exploiting vulnerabilities made up almost 55% of all malware detected in 2001.

The interest displayed by virus writers in vulnerabilities was justified. Traditional infection techniques used by classic file viruses, where the user initiated the infection cycle, were no longer as effective as previously. Therefore, virus writers eagerly adopted the new technique.

Email and the Internet - primary sources of new threats
Kaspersky Virus Lab statistics showed that virus attacks via email rose by 5% in 2001 in comparison with 2000 and made up almost 90% of the total number of virus incidents in 2001.

2001 proved to be a watershed in the evolution of virus attacks via the Internet. Previously, most Internet-related infections occurred when users downloaded and executed files from untrustworthy web sites. In 2001 a new infection technique appeared: users no longer needed to download files - a visit to an infected web site was enough. Virus writers substituted infected pages for clean ones. Most users were infected by malware that exploited vulnerabilities in MS IE. In some cases compromised sites offered free programs that turned out to be malicious.

Attacks via other channels
2001 was also the year that instant messaging services, such as ICQ and MSN Messenger, were first used as channels for spreading malicious code. A spate of worm infections turned these services into further traps for unwary users. The Internet worm Mandragore attacked the Gnutella file-sharing network. And last but not least, 2001 saw a proliferation of worms designed to propagate via IRC channels.

More attacks on Linux
A significant number of malicious programs targeting Linux appeared in 2001. Ramen opened the season on January 19 and penetrated a large number of corporate networks within days, exploiting already-patched vulnerabilities in wu-ftpd, rpc.statd and LPRng on Red Hat systems. Victims included NASA (USA), Texas A&M University (USA) and hardware vendor Supermicro (Taiwan).

The attacks swelled into an avalanche with Ramen clones and new Linux worms appearing one after another. Most of these malicious programs exploited vulnerabilities in the operating system or its bundled network services. The rapid spread of these threats exposed a lack of preparation in the Linux world, where many had assumed that Linux was an inherently secure environment. Many Linux users had not even installed the patches that were already available for the exploited vulnerabilities and fell easy prey to these worms.

Fileless worms - a new challenge
So-called fileless worms turned out to be one of the nastiest surprises of 2001. These worms self-replicate and function on infected machines without ever writing a file to disk: they exist only in RAM and spread as specially crafted network packets that exploit a vulnerability in a listening service.

This new technique gave antivirus experts some difficult moments. Traditional antivirus scanners and monitors proved helpless against this threat, since up to that time antivirus engines had detected malicious programs during file operations, and a worm that never touches the file system never triggers one. Kaspersky Lab was the first to develop an antivirus filter that scanned incoming data packets in the background and dropped the packets carrying fileless worms.

Worms for Windows increase
While classic viruses, (predominantly macro and script viruses) visibly dominated throughout 1999-2000, 2001 was the year of worms for Windows. By the fall, these worms had caused about 90% of all registered virus infections.

The reasons for this trend were two-fold: on the one hand new technologies allowed virus writers to create better worms, and on the other, antivirus vendors had developed effective protection against macro and script viruses.

Virus hoaxes
Virus hoaxes were all the rage in 2001, with 10 new warnings about a dangerous new virus registered by March. And nervous users, frightened by the large-scale outbreaks in 2000 scrambled to forward these warnings to friends and relatives. California IBM and Girl Thing proved especially effective. A letter warning users about a new ILoveYou outbreak scheduled for Valentine's day was also extremely effective.

Some of these hoaxes were so effective that copies of the messages were still circulating around the Internet several years later.

2001 in review:
Email and the Internet become the primary environments for new threats;
Alternate channels such as ICQ, IRC, MSN Messenger and file-sharing networks also gain prominence;
Fileless worms appear on the scene;
Worms for Windows make up the majority of new threats by mid-year, with macro- and script-viruses losing ground significantly.

2002
There were 12 significant and 34 less serious virus outbreaks in 2002, along with continuing activity caused by viruses from previous years. Virus writers actively penetrated new platforms, applications and technologies.

2002 Highlights
Two new proof-of-concept viruses appeared in January: LFM, which infected Shockwave Flash files, and Donut, the first virus targeting the .NET environment. Fortunately, neither went beyond proof of concept and no infections were registered.

In May, we saw Spida, a worm that attacked SQL servers and Benjamin, a virus that triggered a whole series of copycat malware targeted at the Kazaa file-sharing network.

Malware for Linux
The worm Slapper finally convinced all remaining skeptics that Linux users need to be just as aware of security issues as users of any other operating system. Slapper exploited a buffer overflow in the OpenSSL library used by Apache's mod_ssl and penetrated thousands of Linux machines within a few days. Users of FreeBSD had already received a timely reminder about security: in June a worm called Scalper struck FreeBSD machines through the Apache chunked-encoding vulnerability, though the damage did not reach the proportions later caused by Slapper.

Professional virus writers
This was the year professional writers got down to business: there was a significant increase in malicious programs designed to commit financial fraud. These programs stole passwords, confidential data, Internet access information and other data that allowed virus writers to make money by using the harvested data.

Worms
Email worms, such as Klez and Lentin, had already been popular prior to 2002. However, a new breed of email worms superseded the older versions: instead of driving the email client, these worms carried their own SMTP engine and connected directly to the recipients' mail servers from the infected machine.

This development grew out of increased security measures which prevented worms from spreading via MS Outlook and other email clients. Email client developers integrated either antivirus protection or special functionality that blocked unauthorized mailings (for example, prompting the user before a program could send mail through the client). As a result, virus writers focused on worms that bypassed the client altogether, and the practical countermeasure became a network one: only the organisation's mail relay should be allowed to make outbound SMTP connections.
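A detection for the behaviour described above, added here as an example and not code from the original article or from any vendor's product. The firewall log lines are constructed, the relay address 10.0.0.25 and the threshold of three distinct destinations are assumptions, and the point is that a workstation opening SMTP connections to several external mail servers is almost certainly running its own SMTP engine.

```python
"""Spot hosts that bypass the mail relay and speak SMTP to the Internet themselves (added example)."""
import re
from collections import defaultdict

# Assumption: this relay is the only host permitted to send mail outbound.
MAIL_RELAY = "10.0.0.25"
# Assumption: a desktop normally contacts zero external MTAs, so a handful is suspicious.
MIN_DISTINCT_DESTS = 3

# Constructed firewall lines in a simple key=value layout (not from any real device).
SAMPLE_LOG = """\
2002-09-03T10:00:01 action=allow proto=tcp src=10.0.0.25 dst=198.51.100.2 dport=25
2002-09-03T10:00:04 action=allow proto=tcp src=10.0.0.25 dst=198.51.100.9 dport=25
2002-09-03T10:01:10 action=allow proto=tcp src=10.0.0.77 dst=203.0.113.4 dport=25
2002-09-03T10:01:11 action=allow proto=tcp src=10.0.0.77 dst=203.0.113.5 dport=25
2002-09-03T10:01:11 action=allow proto=tcp src=10.0.0.77 dst=198.51.100.2 dport=25
2002-09-03T10:01:12 action=allow proto=tcp src=10.0.0.77 dst=203.0.113.40 dport=25
2002-09-03T10:02:00 action=allow proto=tcp src=10.0.0.31 dst=198.51.100.2 dport=25
2002-09-03T10:02:30 action=allow proto=tcp src=10.0.0.31 dst=93.184.216.34 dport=80
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def direct_smtp_senders(log_text: str, relay: str = MAIL_RELAY,
                        threshold: int = MIN_DISTINCT_DESTS) -> dict:
    """Return {source host: sorted distinct SMTP destinations} for every non-relay
    host that contacted at least `threshold` different mail servers on tcp/25."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dport"] != "25" or m["src"] == relay:
            continue
        dests[m["src"]].add(m["dst"])
    return {src: sorted(d) for src, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, targets in direct_smtp_senders(SAMPLE_LOG).items():
        print(f"{host} spoke SMTP directly to {len(targets)} servers: {', '.join(targets)}")
```

The host 10.0.0.77 is flagged; 10.0.0.31 made a single connection and stays below the threshold, which is the usual trade-off between catching a worm early and paging on every misconfigured client. The preventive form of the same rule is an egress filter that permits tcp/25 only from the relay, which also blocks a worm's SMTP engine outright rather than merely logging it.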

Worms multiplying in other environments, such as LANs, P2P, IRC and so forth, disappeared almost entirely in this year.

Klez
An Internet worm named Klez caused the most serious outbreak of the year. Klez was first detected on 26 October 2001 and remained on the list of the most widespread malicious programs for the next two years, a record in virusology that is yet to be broken. The new variants Klez.e and Klez.h were the most active Klez clones. Altogether, by the end of 2002, 6 out of 10 registered infections were caused by Klez.

Though Klez caused the most serious outbreak during 2002, several other worms provided some stiff competition: Lentin and Tanatos (aka Bugbear). In fact, Lentin surpassed Klez in the number of incidents by the end of the year.

Vulnerabilities
The trend to exploit vulnerabilities that first became significant in 2001 continued: virus writers homed in on the IFRAME vulnerability in MS Internet Explorer, which lets an attachment run as soon as the HTML message is rendered, to create worms including Klez, Lentin and Tanatos. Altogether, worms exploiting it accounted for 85% of all virus incidents.

Classic viruses
Interestingly enough, macro viruses rose to the fore among classic viruses this year. Macro viruses for MS Word (Thus, TheSecond, Marker and Flop) were the most widespread. These viruses had first appeared in the late 1990s, but they resurfaced in 2002. The most likely reason is an increased number of Windows users who were all sure that macro viruses were a thing of the past: inconvenient security measures such as macro protection were abandoned, and the result was a second round of old viruses. Among Win32 file viruses, the majority of infections were caused by Elkern, CIH, FunLove and Spaces.

On the plus side, script viruses and other classic viruses almost disappeared in 2002.

Virus hoaxes
The upsurge in virus hoaxes that began in 2001 continued into 2002. Users worldwide flooded each other with new and old hoaxes: JDBGMGR, Ace-?, SULFNBK, Virtual Card for You, California IBM and Girl Thing.

2002 summary
By the end of the year, an interesting pattern emerged in the spread of malicious programs. In previous years, the overwhelming majority of virus incidents were connected to a small number of viruses, typically 2-3. By September 2002, however, this pattern was broken: more and more infections were caused by viruses which did not make it to the top twenty.

Increased end user awareness regarding security issues and willingness to adopt precautionary methods undoubtedly played a role in this development. Correct protective techniques implemented by end users led to a decrease in number of incidents caused by individual viruses.

And yet, the overall number of infections did not decrease, meaning that the overall number of malicious programs in the wild had grown. Even though no single virus caused a significant outbreak, together they constituted an impressive volume.

2003
In 2003 two global Internet attacks took place that could be called the biggest in the history of the Internet. The Internet worm Slammer laid the foundation for the attacks, using a vulnerability in MS SQL Server to spread. Slammer was the first classic fileless worm and fully illustrated the capabilities of a flash worm, capabilities which had been foreseen several years before.

On January 25th, 2003, within the space of a few minutes, the worm infected hundreds of thousands of computers throughout the world and increased network traffic to the point where several national segments of the Internet collapsed. Experts estimate that traffic increased by 40% to 80% in a variety of networks. The worm attacked computers with a single UDP datagram to port 1434 (the SQL Server Resolution Service) and, on penetrating a machine, did not copy itself to disk but simply remained in memory; a reboot removed it, but an unpatched machine was reinfected within minutes. If we analyse the dynamics of the epidemic, we can assert that the worm originated in the Far East.
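The packet-level check that both the 2001 section's fileless-worm filter and the Slammer outbreak call for, written here as an added example rather than code from the original page or from any antivirus product. It parses raw IPv4/UDP datagrams and flags a Resolution Service request (type byte 0x04) sent to UDP/1434 whose body is far longer than any instance name could be. The 100-byte threshold, the addresses and the 376-byte synthetic payload are constructed assumptions that mimic the worm's shape for testing, not the worm itself.

```python
"""Flag Slammer-style single-datagram attacks on UDP/1434 in raw traffic (added example)."""
import struct

SSRS_PORT = 1434          # SQL Server Resolution Service listens on UDP/1434
SSRS_REQUEST_TYPE = 0x04  # first byte of an instance-resolution request
# Assumption: a legitimate request is the type byte plus a short instance name;
# anything longer than this is treated as an overflow attempt (the MS02-039 shape).
MAX_LEGIT_REQUEST_LEN = 100


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4+UDP datagram for offline testing (checksums left zero)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + udp


def parse_ipv4_udp(frame: bytes):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP datagram, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 17:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if len(frame) < ihl + 8:
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport, dport, udp_len = struct.unpack("!HHH", frame[ihl:ihl + 6])
    payload = frame[ihl + 8:ihl + udp_len]
    return src, dst, sport, dport, payload


def is_slammer_like(dport: int, payload: bytes) -> bool:
    """Heuristic: a resolution request whose body is far longer than any instance name."""
    return (dport == SSRS_PORT
            and len(payload) > MAX_LEGIT_REQUEST_LEN
            and payload[:1] == bytes([SSRS_REQUEST_TYPE]))


def scan(frames) -> list:
    """Return one alert string per datagram matching the heuristic; non-UDP input is skipped."""
    alerts = []
    for frame in frames:
        parsed = parse_ipv4_udp(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if is_slammer_like(dport, payload):
            alerts.append(f"{src} -> {dst}:{dport} ({len(payload)} bytes)")
    return alerts


# Constructed traffic: one benign instance lookup and one overflow-shaped request
# padded to 376 bytes, the size of the real worm's payload (the bytes are filler, not the worm).
BENIGN = build_ipv4_udp("10.0.0.5", "10.0.0.10", 40000, SSRS_PORT, b"\x04MSSQLSERVER\x00")
SYNTHETIC_WORM = build_ipv4_udp("203.0.113.7", "10.0.0.10", 1434, SSRS_PORT,
                                b"\x04" + b"\x01" * 96 + b"\x90" * 279)
SAMPLE_FRAMES = [BENIGN, SYNTHETIC_WORM]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES):
        print("ALERT", alert)
```

Because the whole attack is one datagram, there is no connection to reset and no file to quarantine: the only places to stop it are the packet filter in front of the service and the patch on the service itself, which is exactly why the file-oriented scanners of the day missed it.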

The second, more important epidemic was caused by the Lovesan worm, which appeared in August 2003. The worm demonstrated just how vulnerable Windows is. Just as Slammer did, Lovesan exploited a vulnerability in Windows in order to replicate itself. The difference was that Lovesan used a buffer overflow in the RPC DCOM interface (TCP port 135) of Windows 2000/XP, a service exposed on practically every Windows machine connected to the Internet. This led to almost every Internet user being attacked by the worm.

As for viruses penetrating new platforms and applications, the year was surprisingly quiet. The only news was the discovery, in the wild, of MBP.Kynel, by Kaspersky Labs. This virus infects MapInfo documents and is written in MapBasic. The MBP.Kynel virus was undoubtedly written by a Russian.

2003 was the year of ceaseless epidemics caused by email worms. Ganda and Avron were first detected in January. The former was written in Sweden and is still one of the most widespread email worms in Scandinavia, despite the fact that the Swedish police arrested the author of the worm at the end of March.

Avron was the first worm to be created in the former USSR capable of causing a significant worldwide epidemic. The source code for the worm was published on the Internet and this has led to the appearance of a number of less effective versions.

Another important event in 2003 was the appearance of the first Sobig worm in January. Worms from this family all caused significant virus outbreaks but it was version 'f' which broke all records, becoming the most widely distributed worm in network traffic in Internet history. At the peak of the epidemic, Sobig.f, which was first detected in August, could be found in every 20th email message. The virus writers who created the Sobig family, were aiming to create a network of infected machines with the aim of conducting DoS attacks on arbitrarily selected sites and also to use the network for spam attacks.

The Tanatos.b email worm was also a notable event in virusology. The first version of Tanatos was written in the middle of 2002, but version 'b' appeared only a year later. The worm exploited the well-known IFRAME loophole in MS Internet Explorer (the engine MS Outlook uses to render HTML mail) to launch itself automatically from infected messages. Tanatos caused one of the most significant email epidemics of 2003, second only to that caused by Sobig.f, which probably holds the record for the most machines infected by an email worm.

Worms from the Lentin family continued to appear. All these worms were written in India by a local hacker group as part of the 'virtual war' between Indian and Pakistani hackers. The most widespread versions were 'm' and 'o', where the virus replicated in the form of a ZIP archive file attached to infected messages.

Russian writers remained active; the second worm from the former USSR, which also caused a global epidemic was Mimail. The worm used the latest vulnerability in Internet Explorer to activate itself. The vulnerability allowed binary code to be extracted from HTML files and executed. This was first used in Russia in May 2003 (Trojan.Win32.StartPage.l) Following this, the vulnerability was used by the Mimail family and several other Trojan programs. The authors of the Mimail worm published the source code on the Internet, which led to the appearance of several new varieties of the worm in November 2003, written by other virus writers.

September was the month of Swen. I-Worm.Swen, masquerading as a patch from Microsoft, managed to infect several hundred thousand computers throughout the world and to date remains one of the most widespread email worms. The author of the virus exploited frightened users who were still nervous after the recent Lovesan and Sobig.f epidemics.

A recent significant epidemic was caused by Sober, a relatively simple mail worm written by a German; it is an imitation of the year's leader, Sobig.f.

In 2002, the trend was towards an increase in the number of backdoor and spy Trojan programs, and this continued in 2003. In this category, Backdoor.Agobot and Afcore were the most notable. There are now more than 40 varieties of Agobot in existence, since the author of the original version created a network of websites and IRC channels where anyone who wanted could, for a fee starting from $150, become the owner of an 'exclusive' version of Backdoor.Agobot built in accordance with the client's wishes.

Afcore is slightly less widespread. However, to mask its presence in the system it uses an unusual method: it stores itself in an NTFS alternate data stream attached to a directory rather than to a file, where tools that enumerate ordinary files and their streams do not look.

A new and potentially dangerous trend was identified at the end of 2003: a new type of Trojan, TrojanProxy. This was the first and clearest sign of virus writers and spammers joining forces. Spammers began using machines infected by such Trojans as relays for mass mailings. It is also clear that spammers participated in a number of epidemics, as malicious programs were distributed using spamming infrastructure.

Internet worms constituted the second most active class of viruses in 2003; specifically, I-Worms that replicated by guessing or stealing passwords to remote network shares. As a rule, such worms are built around an IRC client and harvest the addresses of IRC users. They then attempt to penetrate those computers over NetBIOS and port 445 (SMB over TCP), trying lists of weak passwords against administrative shares. One of the most notable viruses in this class was the Randon family of Internet worms.

Throughout the year Internet worms remained the dominant type of malicious software.

Viruses, namely macro viruses such as Macro.Word97.Saver came in second. However, Trojan programs overtook viruses in the autumn, and this trend continues through today.

Where We've Been and Where We're Going
Worms - trendsetting in 2003
The trends in virusology that we observe today have their primary roots in the second half of 2003. The Internet worms Lovesan, Sobig, Swen and Sober not only caused global epidemics, but also profoundly changed the malware landscape. Each of these malicious programs set new standards for virus writers.

Once a piece of malware which uses fundamentally new techniques to propagate or infect victim machines appears, virus writers are quick to adopt the new approach. Today's new threats all incorporate characteristics of Lovesan, Sobig, Swen or Sober. Therefore, in order to understand what virus writers are doing currently, and to predict what the future may bring, we need to examine this quartet of worms carefully.

Lovesan
Lovesan appeared in August 2003 and infected millions of computers worldwide in just a few days. This Internet worm propagated by exploiting a critical vulnerability in MS Windows. Lovesan spread directly via the Internet, moving from computer to computer and ignoring methods such as IRC, P2P and email, which were popular at the time. The Morris worm first used this propagation method in 1988; CodeRed and Slammer had revived it against server software, but Lovesan, fifteen years after Morris, was the first to turn it loose on ordinary Windows workstations.

To some extent, Lovesan was a copycat worm; by exploiting an MS Windows vulnerability, it followed in Slammer's footsteps. However, although Slammer, which struck in January 2003, infected approximately half a million computers, it did not achieve the same infection rates as Lovesan.

Slammer was also the first classic file-less worm - certainly an achievement, in a perverse way for the coder, since writing a viable file-less worm requires strong programming skills. As a matter of fact, there has only been one other moderately 'successful' file-less worm since Slammer - Witty, which made its appearance in March 2004.

Lovesan also started another trend - the inclusion of DoS attacks on corporate sites part of the worm's payload. Lovesan attacked Microsoft and had the attack been successful, millions of users worldwide would have been unable to download the patches they needed to protect their machines from the worm. Fortunately, the DoS attack failed, but Microsoft did re-engineer their web server architecture in response.

To summarize, Lovesan set the following trends:

Exploiting critical vulnerabilities in MS Windows
Propagation via the Internet through direct connections to victim machines
Organising DoS and DDoS attacks on key websites

Sobig.f
Sobig.f followed hard on the heels of Lovesan in August 2003 and created the first serious email worm outbreak of the twenty-first century. At the height of the epidemic one out of 10 email messages was infected by Sobig. Email traffic increased ten fold and included millions of messages from antivirus programs faithfully informing spoofed senders about the detected and deleted malware.

Sobig.f did not exploit any vulnerabilities, and the message attributes (subject line and so on) were also nothing out of the ordinary. However, Sobig's payload included a backdoor function that left antivirus professionals waiting with bated breath for August 22, the date when all Sobig-controlled zombies were scheduled to receive a mystery command. Fortunately, the server from which the command was to be issued was shut down in time, but Sobig.f continues to plague the Internet community, remaining one of the most common viruses worldwide.

Large-scale epidemics are not caused by classic worms released into the wild from a few computers. These classic worms often take weeks or even months to reach a peak of activity. Sobig.f was no exception to this rule: it exploited machines infected previously by prior versions. Sobig.a appeared in January 2003 and was followed by several modifications, all of which conscientiously built a network of infected machines, machine by machine. Once critical mass was reached Sobig.f struck.

Sobig.f initiated the wave of large-scale email worm outbreaks seen in 2004, and this wave will continue to break until some new technique is invented! Sobig brought two innovative techniques to the world of malware:

The creation of networks of infected machines to serve as epidemic platforms
Mass mailing of malware using spammer techniques

Swen
Let's move on in time to September 18, 2003. Early in the morning, Kaspersky Lab received a sample from New Zealand. The worm looked interesting, but nobody anticipated an epidemic. However, 6 hours later cries for help from infected users worldwide proved that a new and dangerous virus had joined the fray.

At first glance, Swen seemed to be yet another worm using standard propagation methods: email, IRC and P2P networks. However, Swen stood out from the crowd for its stunningly successful social engineering. The worm arrived disguised as a patch from Microsoft which would supposedly close all vulnerabilities. The message included Microsoft logos, links to real Microsoft resources and a very convincing text. Recipients, scared by the recent publicity about the Lovesan and Sobig outbreaks, and having absorbed the lesson that patching is essential, obediently ran the attached 'patch'. The email was so convincing that many experienced users were caught out, joining droves of less informed users in launching the worm.

The resulting outbreak was certainly less serious than the ones caused by Lovesan and Sobig (only 350 infected servers were used to spread Swen), however, Swen did prove that social engineering works, and works very well indeed when properly implemented.

Sober
Sober is the final entrant in the list of interesting worms from 2003. Sober is a Sobig copycat, but it had some innovative features. Infected emails came in more than one language, chosen according to the top-level domain of the recipient's email address (German for German-speaking country domains such as .de, English otherwise). Sober also exploited social engineering by pretending to be a removal tool for Sobig.

2004
2004 has so far given us many new and original malicious programs. Some of these incorporate last year's developments, but many new features and proof of concept viruses demonstrate that the computer underground is still thriving and continuing to evolve.

January 2004
A new Trojan proxy, Mitglieder, appeared in the first week of the new year. Thousands of ICQ users received a message inviting them to visit a specified site. Users who clicked on the link then turned to antivirus vendors for help. The site contained a Trojan that used a vulnerability in MS IE to install and launch a proxy server on the victim machine without the user's knowledge. The proxy opened a port making it possible for a remote user to send and receive email using the infected machine. Victim machines were transformed into zombies spewing out spam. Virus writers quickly adopted the two new techniques introduced in Mitglieder:

Mass mailings of links to infected sites via email or ICQ
Trojan proxies become a separate class of malware closely linked to spammers

Last but not least, Mitglieder also created a network of zombie machines, but the world only found out about this when Bagle struck.

Bagle seems to have been written by the same group which authored Mitglieder. Bagle also either installed a Trojan proxy server or downloaded it from the Internet. In any case, the worm was simply an improved version of Mitglieder, with the ability to propagate by email. Moreover, Bagle was sent from machines infected by Mitglieder.

And finally, the most serious virus epidemic in computer history to date: the worm Mydoom.a. It propagated using a network of zombie machines infected in advance (like Sobig), a clever bit of social engineering (like Swen), incorporated an effective backdoor function and was programmed to conduct a DoS attack on a corporate site (like Lovesan).

This concatenation of features copied from three highly viable worms broke all records. Mydoom.a created more email traffic than the recent leader Sobig.f; infected millions of machines worldwide, opening ports to external access and effectively crashing the SCO website.

Mydoom.a did more than build on the success of its predecessors in creating the most severe epidemic in computer virology to date. The worm introduced a new technique as well. The backdoor installed by Mydoom (a listener on TCP port 3127) was exploited by other malware authors, with new viruses that searched for the Mydoom backdoor component appearing immediately. Most of these newcomers penetrated machines via the backdoor, deleted Mydoom and installed themselves in its place. Some of these copycats caused local outbreaks, and they all forced local segments of the Mydoom zombie network to work for the copycat virus writers instead.

Thus, we saw yet another technique gain popularity:

Using vulnerabilities or holes created by other viruses

February 2004
NetSky.b
This email worm used the network of infected machines left in the wake of Backdoor.Agobot to spread. NetSky.b demonstrated most of the techniques listed above but also deleted a number of worms: Mydoom, Bagle and Mimail. The idea of a so-called 'antivirus' virus is not new. The first significant example of this supposedly helpful species, Welchia, appeared in 2003. Welchia not only penetrated computers to clean machines infected by Lovesan, it also attempted to download the Windows patch that closed the vulnerability exploited by Lovesan in the first place.

NetSky not only deleted competitor viruses, but engaged their authors in a war of words, coding insults into the body of the virus. The writer of Mydoom did not take up the challenge, but the authors of Bagle picked up the gauntlet and the virus war began. At the peak of activity, three versions of each worm appeared in the space of one day.

Setting aside the issue of verbal warfare, the authors of Bagle and NetSky introduced several innovations:

Active deletion of competitor viruses
Propagation in archived files (Bagle & NetSky variants)
Propagation in password-protected compressed files: passwords were either included as text strings or as graphics (Bagle)
Abandoning propagation by email: instead, the malicious programs spread by directing infected machines to sites where the worm's body was downloaded or downloading the worm's body from previously infected machines (NetSky)

The incidents listed above have had a serious influence not only on virus writers, but also on the evolution of the architecture and functionality of contemporary antivirus solutions.
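A mail-gateway check for the password-protected archive trick listed above, added here as an example and not code from the original page or from any gateway product. It walks the ZIP local file headers itself (so a damaged central directory cannot hide a member), treats an encrypted archive whose password is quoted in the same message as a Bagle-style delivery, and quarantines any archive carrying an executable. The sample bodies and archives are constructed; the password regular expression, the extension list and the verdict policy are assumptions, and because the standard library cannot write ZipCrypto, the "encrypted" sample only has the header flag set.

```python
"""Gateway check for archives that travel with their own password (added example)."""
import io
import re
import struct
import zipfile

LOCAL_HDR_SIG = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0 of the local file header
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Assumption: worm mails state the password in plain text next to the word "password".
PASSWORD_RE = re.compile(r"password(?:\s+is)?\s*[:=]?\s*[\"']?([A-Za-z0-9]{3,16})", re.I)


def zip_entries(data: bytes):
    """Walk the local file headers and yield (name, encrypted) for each member."""
    pos = 0
    while True:
        pos = data.find(LOCAL_HDR_SIG, pos)
        if pos < 0:
            return
        # After the 4-byte signature and 2-byte version: flags, method, time, date,
        # crc32, compressed size, uncompressed size, name length, extra length.
        (flags, _method, _time, _date, _crc, csize,
         _usize, nlen, xlen) = struct.unpack_from("<HHHHIIIHH", data, pos + 6)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        yield name, bool(flags & FLAG_ENCRYPTED)
        pos += 30 + nlen + xlen + csize   # csize may be 0 with a data descriptor; find() copes


def classify_attachment(body: str, archive: bytes) -> dict:
    """Decide what to do with a ZIP attachment given the mail body it arrived with."""
    entries = list(zip_entries(archive))
    encrypted = [name for name, enc in entries if enc]
    executables = [name for name, _ in entries if name.lower().endswith(EXECUTABLE_EXTS)]
    passwords = PASSWORD_RE.findall(body)
    if executables or (encrypted and passwords):
        verdict = "quarantine"   # executable inside, or an encrypted archive whose key travels with it
    elif encrypted:
        verdict = "hold"         # cannot be inspected at the gateway; needs a sandbox or a human
    else:
        verdict = "allow"
    return {"members": [name for name, _ in entries], "encrypted": encrypted,
            "executables": executables, "passwords": passwords, "verdict": verdict}


def make_zip(name: str, content: bytes, mark_encrypted: bool = False) -> bytes:
    """Build a constructed test archive. The stdlib cannot write ZipCrypto, so the
    'encrypted' variant only sets the header flag; the parser above never decrypts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        data[6] |= FLAG_ENCRYPTED   # low byte of the flags field in the first local header
    return bytes(data)


# Constructed samples, not real worm mails.
WORM_STYLE_BODY = "Your account information is attached. The password is 12345"
WORM_STYLE_ZIP = make_zip("details.jpg.exe", b"MZ" + b"\x00" * 64, mark_encrypted=True)
NORMAL_BODY = "Please find the report attached."
NORMAL_ZIP = make_zip("report.txt", b"quarterly numbers")

if __name__ == "__main__":
    print(classify_attachment(WORM_STYLE_BODY, WORM_STYLE_ZIP)["verdict"])   # quarantine
    print(classify_attachment(NORMAL_BODY, NORMAL_ZIP)["verdict"])           # allow
```

Passwords delivered as an image, the other Bagle variation, are not caught by the regular expression, which is why the policy falls back to holding every encrypted archive rather than allowing it: the gateway cannot prove such an archive clean, so it should not pass it on the strength of not having found the password.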

The move to abandon emailing the body of the worm is particularly significant. NetSky.q, a NetSky variant that spread by sending emails with links to previously infected machines, was immediately followed by Bizex. Bizex was the first ICQ worm; it penetrated machines via ICQ and sent all ICQ contacts found on newly infected machines links to a site where the body of the worm was located. Once users clicked on the link, the body of the worm would be downloaded from the infected web site and the cycle started again. Bizex successfully combined characteristics of Mitglieder (propagation via ICQ) and NetSky (sending links to infected web sites).

March - May 2004
Snapper and Wallon
These Internet worms consolidated the techniques introduced by NetSky and Bizex. Both worms scanned email address books on infected machines and sent links to infected sites to all contacts in the local address books. Virus writers placed script Trojans on infected sites: these Trojans then exploited vulnerabilities in Internet Explorer to install the main components on victim machines.

Even today, emails containing links are not treated by recipients with the appropriate caution. The user who is suspicious of emails with attachments will nevertheless cheerfully click on links supposedly sent by friends. Undoubtedly, this technique will continue to be used until users learn to treat links sent via email with the same wariness that they display towards email attachments. It seems likely that the continual discovery of new vulnerabilities in Internet Explorer and Outlook will only add fuel to the fire.

Sasser
The final ground-breaking virus of 2004 to date was Sasser, which appeared in late April. This Internet worm exploited a critical vulnerability in MS Windows (in the LSASS service) and spread in a similar way to Lovesan, connecting directly to the victim machine via the Internet. Sasser caused a serious outbreak in Europe and left behind an exploitable FTP server of its own, the one it installed on infected machines to serve copies of the worm, which was immediately picked up by Dabber and Cycle. When Sven Jaschan, the teenage author of Sasser, was arrested, he admitted to also being the author of the NetSky family.

The arrest of a virus writer so soon after the release of a new malicious program made history.

Sasser was evidence that virus writers recycle and plagiarize successful techniques: Jaschan used techniques exploited by Lovesan, and other virus writers in turn immediately picked up on his ideas.

Plexus
Plexus made history by becoming the first worm since Nimda (2001) to use all available propagation techniques: the Internet, email, P2P networks and LANs. Three years had passed since any virus writer had utilized so many channels simultaneously.

Plexus was potentially an extremely dangerous worm based on the Mydoom source code. Here the virus writer followed in the footsteps of Sober's author: parts of Sober were pure plagiarism, yet the result was a worm more successful than some of its 'donors'.

Fortunately, no version of Plexus caused a serious outbreak, most likely because none of them used spammer mass-mailing techniques for initial propagation. Nor did the author of these worms use any effective social engineering. However, should they or somebody else choose to create new versions which correct these failings, the world may be at risk of a serious outbreak.

Beyond worms
The worms described above caused the most publicized outbreaks in recent IT history. However, other types of malware can pose a serious threat to computer and data security; it is therefore important to evaluate the total picture, including non-Windows environments, in order to understand current trends.

Other Malware
Trojans
Trojans are often perceived as being less dangerous than worms, as they cannot replicate or travel independently. However, this is a misconception: most of today's malware combines several components, and many worms carry Trojans as part of their payload. These Trojans also lay the foundations for bot networks.

Trojans themselves are becoming more sophisticated. Trojan spy programs are proliferating, with dozens of new versions appearing every week. These versions are all slightly different, but developed with one aim in mind: to steal confidential financial information.

Some of these programs are simple key loggers, which send a record of keyboard activity to the author or user of the program. The more elaborate versions offer complete control over victim machines, sending data to remote servers and receiving and executing commands.

Total control over victim machines is often the goal for Trojan writers. Infected machines are usually joined into a bot network, often using IRC channels or web sites where the coder posts new commands. The more complex Trojans, such as many Agobot variants, unite all infected machines into a single P2P network.

Once bot networks have been created, they are rented out to spammers or used to conduct DDoS attacks. The escalating commercialization of virus writing is leading to increased sophistication in bot network creation.

Trojan droppers and downloaders
Both droppers and downloaders have one goal: to install an additional piece of malware, be it a worm or another Trojan, on the victim machine. They differ from Trojans simply in the methods which they use.

Droppers either install another malicious program or a new version of previously installed malware. Droppers can carry several completely unrelated pieces of malware, which may display different behaviours and may even be written by different authors. In effect, droppers act as an archiver which can compress many different kinds of malware.

Droppers are often used to carry known Trojans. This is because it is significantly easier to write a dropper than a new Trojan, and to ensure that the dropper cannot be detected by antivirus solutions. Most droppers are written in VBS and JS, which accounts for their popularity; the languages themselves are relatively simple, with cross-platform application.

Virus writers often use downloaders in the same way as droppers. However, downloaders can be more useful than droppers. Firstly, downloaders are much smaller than droppers. Secondly, they can be used to download endless new versions of the targeted malware. Like droppers, downloaders are usually written in script languages such as VBS and JS, but they also often exploit Internet Explorer vulnerabilities.

Moreover, both droppers and downloaders are used not only to install other Trojans, but also other malicious programs such as adware and pornware.

Classic File Viruses
Classic file viruses reigned supreme in the 90s; however they have almost totally disappeared today. There are currently about 10 file viruses that are still active. They experience peaks of activity when they infect the executable files of worms: the file virus will then travel as far as the infected worm file. For instance, we often see samples of MyDoom, Netsky and Bagle that are infected by file viruses such as Funlove, Xorala, Parite or Spaces.

On the whole, there is very little danger that classic file viruses will cause any major epidemics. Even Rugrat, the first proof of concept virus for Win64, is unlikely to change the situation in the foreseeable future.

Other Environments
Linux
To date Linux-based platforms have mainly been the victims of rootkit attacks and simple file viruses. However, the growing number of publicized vulnerabilities means that the increased number of users switching to Linux will not remain untouched by new malware.

Handhelds
PDAs are now almost household appliances. Virus writers have not been slow to take advantage of their growing popularity: the first Trojan for Palm OS appeared in September 2000. The first proof of concept virus for Pocket PC, Duts, was slower to arrive, finally appearing in July 2004. So far there have not been any serious virus outbreaks in the world of handhelds, but it is only a question of time. Once virus writers decide that information saved on handhelds is worth accessing, malware for these devices will undoubtedly evolve rapidly.

Mobile Phones
Mobile phones have come a long way, and are now both complex and widely used. These two factors are bound to attract the attention of virus writers, particularly with the advent of smart phones, which effectively have computer functionality. The first proof of concept virus for smartphones running Symbian OS appeared in June 2004. The only missing factor is commercial use - once virus writers identify a way to make money by exploiting cell phones, viruses will inevitably appear.

The Third decade of Malware History

1991-1992
1991
The computer virus population continues to grow, reaching the 300 mark. As the number and severity of virus incidents escalated, the need for reliable security rose proportionally. Early 1991 saw the appearance of more AV products: Norton AntiVirus from Peter Norton who now believed in viruses; Central Point Antivirus; Untouchable from Fifth Generation System. The latter were bought out by Symantec in 1993 and 1994.

Other virus writer bulletin boards modeled after the VX BBS and new personalities emerged from the computer underground: Cracker Jack (Italy - the Italian research Laboratory BBS), Gonorrhea (Germany); Demoralized Youth (Switzerland), Hellpit (USA) and Dead on Arrival and Semaj (UK). The computer underground was forming.

Tequila, a polymorphic boot infector, caused a significant epidemic in April of this year. It was created by a Swiss programmer exclusively for research purposes and without malicious intent. However, one copy of the virus was stolen by an acquaintance who consciously infected other users.

The summer of 1991 saw a virus epidemic with Dir_II using a fundamentally new means of infecting files: link-technology. This virus, to this day, remains the only example of this type detected in the wild.

Altogether, 1991 was relatively calm; a calm before the storm that broke in 1992.

1992
Viruses for non IBM-compatible and non MS-DOS systems fade from the foreground at this time. Loopholes in global networks were closed, errors corrected, and network worms lost the conditions they required to spread - at least for the time being!

Instead, boot sector viruses were gaining popularity on the most commonly used operating system (MS-DOS) on the most widely used platform (IBM-PC). The number of viruses grew astronomically and security incidents occurred almost every day. New antivirus programs continued to appear, as did several books and a number of regular publications dedicated to viruses. This was the background for some important developments in virus writing.

In the beginning of 1992 the first polymorphic generator, MTE appeared. Its primary purpose is to integrate with other viruses to facilitate their polymorphism. The author of this program, the infamous Dark Avenger, did everything possible to ease the work of his colleagues in this area. The MTE generator was delivered in the form of a ready to use module and was accompanied by documentation.

Due to MTE, several polymorphic viruses immediately appeared. MTE was also the forerunner of several other polymorphic generators, creating a headache for many antivirus companies. Even after months of work, many antivirus companies were unable to reach 100% results in detecting well-known versions of polymorphic viruses created with the help of MTE.

The first anti-antivirus programs appeared during this year. Peach was one of the first: it deleted the database of Central Point AntiVirus's change inspector. If the antivirus program was unable to locate its database, it acted as if it had been installed for the first time and recreated the database from the files as they currently were. In this way viruses avoided detection and slowly infected the entire system.
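The Peach trick worked because the change inspector treated a missing database as a fresh install. The following added example (not code from the original page or from any antivirus product) is a minimal file change inspector that fails closed instead: a missing baseline is reported as an event, never silently rebuilt. The baseline file name and the sample files are constructed for the demonstration.

```python
"""Added example: a change inspector that refuses to re-baseline itself.

Peach defeated Central Point AntiVirus's change inspector by deleting its
database; a fail-closed inspector reports a missing baseline as an alert
rather than recreating it from the (possibly already infected) files."""
import hashlib
import json
import os
import tempfile

BASELINE_NAME = "baseline.json"  # assumed name, constructed for this example


def _digest(path):
    """SHA-256 of a file, read in chunks so large executables are cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _snapshot(root, baseline_path):
    """Map relative path -> digest for every file under root except the baseline."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.abspath(p) == os.path.abspath(baseline_path):
                continue
            entries[os.path.relpath(p, root)] = _digest(p)
    return entries


def build_baseline(root, baseline_path):
    """Record the trusted state. Meant to run once, at installation, only."""
    entries = _snapshot(root, baseline_path)
    with open(baseline_path, "w") as f:
        json.dump(entries, f)
    return entries


def inspect(root, baseline_path):
    """Compare the current files with the baseline.

    Returns a dict with 'status' ('ok', 'changed' or 'baseline_missing') and
    the lists 'modified', 'added', 'removed'. A missing baseline is reported
    and NOT recreated: that silent recreation is exactly what Peach relied on."""
    if not os.path.exists(baseline_path):
        return {"status": "baseline_missing", "modified": [], "added": [], "removed": []}
    with open(baseline_path) as f:
        baseline = json.load(f)
    current = _snapshot(root, baseline_path)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    status = "changed" if (modified or added or removed) else "ok"
    return {"status": status, "modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: clean scan, an appended file infection, then the
    Peach move of deleting the database. Returns the three observed outcomes."""
    root = tempfile.mkdtemp()
    baseline = os.path.join(root, BASELINE_NAME)
    exe = os.path.join(root, "PROGRAM.EXE")
    with open(exe, "wb") as f:
        f.write(b"MZ original program body")  # constructed stand-in for an executable
    build_baseline(root, baseline)
    first = inspect(root, baseline)["status"]
    with open(exe, "ab") as f:
        f.write(b"<<appended body>>")  # simulates an appending file infector
    second = inspect(root, baseline)
    os.remove(baseline)  # what Peach did to the change inspector's database
    third = inspect(root, baseline)["status"]
    return first, second["status"], second["modified"], third


if __name__ == "__main__":
    print(demo())
```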

Law enforcement agencies worldwide began developing departments specializing exclusively in computer crimes. For example, the Computer Crime Unit of The New Scotland Yard successfully disarmed the English virus group, ARCV (Association for Really Cruel Viruses). Great Britain's proactive law enforcement position practically neutralized computer underground activity and even now, we are unaware of any serious organized groups of virus-writers there.

In March of 1992, we witnessed the Michelangelo (or March6) outbreak and the media hype in advance (the virus itself was first detected in 1991, but caused an outbreak in 1992). Though some experts predicted that over 5 million machines would be infected, only a few thousand machines actually suffered.

The VCL and PS-MPC virus constructors first appeared in July 1992. They allowed people to create their own viruses by adding a range of malicious payloads to the constructors. This increased the number and potentially destructive effect of viruses, as did MTE.

1992 also brought Win.Vir_1_4, the first virus for Windows. Win.Vir_1_4 infected operating system executable files. Despite the fact that the virus was poorly coded, had limited propagation ability, and had no special Windows functionality, it nevertheless opened a new chapter in the history of computer viruses.

On the antivirus vendor front, Symantec bought Certus International along with their proprietary antivirus product, Novi.

1993-1995
1993
Virus writers began to take their work seriously. The computer underground had already mastered an array of new polymorphic generators and constructors, and founded new electronic publications. This year saw new viruses which employed new techniques to infect files, penetrate systems, destroy data and conceal themselves from antivirus applications.

One such example is the PMBS virus, which worked in the protected mode of Intel 80386 processors. Another example was the Strange (or Hmm) virus, the only stealth virus to operate at the level of hardware interrupts, INT 0Dh and INT 76h.

Carbuncle signaled a new generation of companion viruses. A number of other viruses like Emmie, Bomber, Uruguay, and Cruncher employed fundamentally new techniques to conceal themselves in the code of infected files.

The spring of 1993 turned out to be a nerve-wracking time for many antivirus vendors: Microsoft released its own antivirus program. Microsoft AntiVirus (MSAV) was based on the former Central Point AntiVirus (CPAV). The program was included in the standard delivery of MS-DOS and Windows operating systems. The first tests conducted by independent testing laboratories showed a high level of effectiveness. However, later on, its quality began to slowly decline and the project was discontinued.

1994
More and more significance is attached to the problem of viruses on CDs. Having quickly become popular, this removable storage medium became one of the primary ways of spreading viruses. Several incidents were registered when a virus was discovered on the master disc of a compact disc producer. As a result, the computer market was flooded with relatively large shipments (tens of thousands) of infected discs. Naturally, such carriers could not be disinfected; they could only be destroyed.

At the beginning of the year, two extremely complex polymorphic viruses appeared in the UK: SMEG.Pathogen and SMEG.Queeg. Even now, not all antivirus programs are able to detect these programs with 100% certainty. The virus writer placed the infected files on BBS boards and caused both an outbreak and a panic in the mass media.

The GoodTimes hoax caused yet another panic. GoodTimes allegedly spread via the Internet and infected computers via email. However, sometime later, an ordinary DOS virus containing the text Good Times appeared and was named GT-Spoof.

Many other unusual viruses appeared this year:

January - Shifter, the first virus to infect OBJ files.
Phantom1 - the first polymorphic virus in Moscow.
April - ScrVir, a family of viruses which infects source code programs in C and Pascal.
June - OneHalf, a complex and dangerous polymorphic virus, causes a significant outbreak; in fact, this virus is still active and can cause real damage to this day.
September - Zaraza, an MS-DOS file-loading virus, causes a significant outbreak by using a unique installation method: the new technique temporarily stumped the antivirus experts.

This year also marked several significant developments in the antivirus field.

In June, one of the leading antivirus vendors was purchased by Symantec, who had already earned a reputation for acquiring other antivirus projects.

AntiViral Toolkit Pro was launched in September. Eugene Kaspersky's first product immediately won top marks in a series of independent tests conducted by Hamburg University.

1995
Nothing significant occurred in the field of DOS viruses this year, although several complex viruses such as Nightfall, Nostradamus, and Nutcracker appeared. There were also some interesting new viruses such as the 'bisexual' RMNS virus and the BAT virus, Winstart. There were also two widespread, but not severe, outbreaks caused by ByWay and DieHard2.

In February, Microsoft sent infected versions of Windows 95 to beta-testers, but only one person thought to run an antivirus check. He discovered that the discs were infected by Form, and testing was put off until clean discs were issued.

In the Spring of 1995, two antivirus companies announced an alliance: ESaSS (the developer of ThunderBYTE Anti-Virus) and Norman Data Defense Systems (Norman Virus Control). These companies, both with their own very strong independent antivirus products, decided to combine efforts to develop a single antivirus system. Later on, in 1998, this alliance would crumble with a buy-out of the Dutch ESaSS by a Norwegian company.

In August, the Concept virus struck MS Windows: the virus circled the globe in only a month and was number one on antivirus vendors' lists of most common viruses.

In the first half of September, one of the world's largest computer manufacturers, Digital Equipment Corporation (DEC), accidentally distributed copies of the Concept virus to delegates at a DECUS conference taking place in Dublin. Fortunately, the virus was quickly detected and the outbreak contained. Over a hundred known versions of the Concept virus are still in circulation today.

Green Stripe, a virus for AmiPro, a then popular word-processing program, also spread rapidly. The source code for Green Stripe was published as a free supplement to Mark Ludwig's magazine Underground Technology Review.

The advent of macro viruses posed a new set of challenges for antivirus vendors. New technologies were needed to detect macro viruses; first in MS Word and eventually in other MS Office applications.

The English affiliate of the Ziff-Davis publishing house distinguished itself twice in 1995. The first time was in September, when the publishing house's PC Magazine (English version) distributed a diskette containing the Sampo virus to its subscribers. This was soon discovered and the company offered its apologies and offered readers a free antivirus utility. The irony of the event lay in the fact that the diskette was a supplement for an issue which contained articles on the results of antivirus tests for Novell NetWare products.

Later, in the middle of December, another Ziff-Davis publication, Computer Life, sent its readers a diskette containing a Christmas greeting. Unfortunately, it turned out that the diskette also contained the Parity Boot virus.

Law enforcement agencies also pressed onward in the struggle against cyber crime. On January 16, The New Scotland Yard's Computer Crime Unit took Christopher Pile to court for writing and distributing viruses. The unemployed Pile, or the Black Baron, as he was known in the underground, was accused of authoring the Queeg and Pathogen viruses as well as the SMEG polymorphic generator. After ten months Pile pleaded guilty and was sentenced to 18 months in prison.

1997
In February of 1997, Linux Bliss, the first virus for the Linux operating system, appeared. Viruses had moved to yet another environment. Although Linux viruses are a rarity, they have evolved since their first appearance. Viruses which run in the background have been developed for Linux, as well as a number of viable Trojans for this platform. If Linux were even half as popular as Windows, the number of viruses for Linux would be far greater than the actual number of viruses which exist for this platform.

The release of Microsoft's Office 97 was notable for the fact that macro viruses almost immediately migrated towards this application. The limited payloads (or in some cases the total absence thereof) of macro viruses created for MS Word 5.0 and Excel 5.0 resulted from a completely new version of Visual Basic for Applications, VBA 5.0, which differed significantly from Word Basic and VBA 3.0. The first viruses for MS Office 97 turned out to be almost identical to their predecessors, simply converted into a new format. Nevertheless, new macro viruses developed exclusively for MS Office 97 soon appeared.

March 1997 was notable for the appearance of the 'ShareFun' macro virus for MS Word 6/7, which started a new chapter in computer history. It became the first virus of its kind to spread using email, in particular MS Mail.

In April of 1997 the Homer virus was detected; this was the first network worm which used FTP to propagate.

June 1997 brought the first self-encrypting virus for Windows 95, Win95.Mad. The virus, of Russian origin, was sent out to several BBS stations in Moscow, causing a major epidemic.

The 'Esperanto' virus was born in November 1997. It was an attempt, fortunately unsuccessful, to create a multi-platform virus which would be able to infect DOS, Windows and MacOS.

The development of the Internet, and in particular the appearance of mIRC (Internet Relay Chat), sparked a great deal of interest, including that of virus writers. It didn't take long for the malicious programs to start appearing.

In December of 1997, the antivirus world publicized the appearance of a fundamentally new type of computer worm which spread via IRC channels. An analysis of mIRC, one of the more popular IRC utilities, showed a dangerous security loophole. The directory for files downloaded via IRC coincided with the directory which held the SCRIPT.INI command file. The SCRIPT.INI file, which contained the body of the worm, could therefore be transferred to a remote computer, where it would automatically replace the original command file. When restarted, mIRC would activate the malicious code, and the worm would then send itself to other users. This error was quickly corrected and the rather primitive IRC worms had disappeared by summer. However, multi-component IRC worms which actively searched for SCRIPT.INI files (in mIRC clients), EVENTS.INI (in pIRCh clients) and others later appeared, working in a similar way to email worms: the user would receive an EXE, COM or BAT file which, when launched, would replace the original command file.

One of the more important events of 1997 was the split-off of one of the KAMI firm's divisions, led by Evgenii Kaspersky. This division became an independent company known as 'Kaspersky Labs', which is today recognized as a technical leader in the antivirus industry. Since 1994, the company's main product, AntiViral Toolkit Pro, has consistently shown high results in numerous tests conducted by various testing laboratories across the world. The formation of an independent legal entity allowed a small group of developers to become, within two years, one of the leaders in its own country in addition to being generally well-known internationally. Little time was required to develop and release versions with new antivirus security technologies for virtually all popular platforms, and to create a network of international distribution and technical support.

In October 1997, Kaspersky Lab and the Finnish company Data Fellows (later renamed F-Secure Corporation) signed an agreement to license an antivirus engine for use in Data Fellows' newest product, FSAV (F-Secure Anti-Virus). Prior to this, Data Fellows had been well-known as the developer of the F-PROT antivirus.

1997 will also long be remembered as a year of petty squabbles. Several scandals evolved at the same time between some of the larger antivirus manufacturers. At the beginning of the year, McAfee announced that they had discovered a 'bookmark' in the programs of one of their main competitors, the antivirus firm Dr. Solomon's. McAfee's announcement continued in saying that if Dr. Solomon's antivirus program discovered several viruses during a scan, then it completed its work in an elevated mode. In other words, if the program worked in a normal mode in normal conditions, then on finding several viruses it switched to an intense mode (or in McAfee's words, a 'cheat mode') which allowed the detection of viruses previously invisible to Dr. Solomon's in normal scanning mode. As a result, the testing of uninfected discs showed good speed results and the scan tests of virus collections showed good detection results.

Dr. Solomon's response was not long in coming, and the company soon filed suit against McAfee's recent marketing campaign which claimed that McAfee was 'The Number One Choice Worldwide. No Wonder The Doctor's Left Town'. This was an obvious reference to Alan Solomon, the founder of Dr. Solomon's, who had in fact earlier transferred control of his company to its senior management.

Perhaps even more scandalous was the affair of the Taiwanese developer Trend Micro who accused two of the leading antivirus companies, McAfee and Symantec, of violating its patent on virus scan-checking technology via Internet and electronic mail. Shortly afterward Symantec leapt into the fray with its own accusations, alleging that McAfee was guilty of using code from Symantec's Norton AntiVirus.

The year came to a close with McAfee Associates and Network General announcing their intent to merge into a single company, Network Associates Inc (NAI), in order to diversify into other computer security systems as well (such as encryption, firewalls, network scanners, etc.). However, at the end of 1999 NAI's management decided to bring new life into the McAfee brand and line of antivirus products, and the company reverted to its old name.

1998
Virus attacks on MS Windows, MS Office and network applications continued apace, with viruses exploiting new infection vectors and using ever more complex technologies. A wide range of Trojan programs designed to steal passwords (PSW family) and remote administration utilities (Backdoor) appeared. Several computer magazines distributed discs which were infected with the Windows viruses CIH and Marburg. Specifically, compact discs attached to the English, Slovenian, Swiss and later Italian versions of PC Gamer contained the Marburg virus. This virus was contained in the electronic registration program of an MGM Interactive disc with the game Wargames PC. At the end of September, the AutoStart virus was discovered on discs which were to be distributed with Corel DRAW 8.1 for Mac OS.

The beginning of the year brought an epidemic caused by a whole family of viruses, Win32.HLLP.DeTroi, which not only infected Win32 EXE files, but were also capable of transmitting information about victim machines to the author of the virus. Because the virus exploited system libraries used only in the French version of Windows, the epidemic affected only French-speaking countries.

In February, the Excel4Paix (or Formula.Paix) virus was detected. This new macro virus installed itself in Excel tables by using an unusual macro area of formulas which were capable of containing self-replicating code. Later the same month, polymorphic Win32 viruses emerged: Win95.HPS and Win95.Marburg. Furthermore, they were detected in the wild. Antivirus developers were forced to rapidly develop new methods of detection for polymorphic viruses which, until then, had existed only for DOS.

AccesiV, the first virus for Microsoft Access, was detected in March. Unlike the earlier Word.Concept and Excel.Laroux viruses, it did not cause much alarm, as most users had come to accept that Microsoft applications are highly vulnerable. At approximately the same time, another virus called Cross surfaced. This was the first multi-platform macro virus capable of infecting documents simultaneously in two Microsoft Office applications, Word and Access. On the heels of Cross, several other macro viruses materialized, transferring their code from one Office application to another. The most notable of these was Triplicate (also known as Tristate), which was capable of infecting Word, Excel and PowerPoint.

In May of 1998, the Red Team virus became the first virus to infect Windows EXE files and distribute itself using the Eudora email client. June brought the Win95.CIH virus, which caused an epidemic of mass and then later global proportions, infecting computer networks and home computers by the thousand. The beginning of the epidemic was pin-pointed to Taiwan, where an unknown hacker sent infected files to a local electronic list-serve. From there the virus spread to the States, where infected files made it onto several popular web servers and spread the virus to gaming programs. It was most likely the game servers that acted as the primary reason for the large-scale epidemic, which continued throughout the year. The virus leap-frogged in 'popularity' over earlier virus superstars such as Word.CAP and Excel.Laroux. Most notable was the virus payload: depending on the day of infection, the virus would erase the Flash BIOS, which in some cases could make it necessary to replace the motherboard. CIH's complex procedures caused antivirus products to significantly increase their speed of development.

In August of 1998 the emergence of BackOrifice (or Backdoor.BO) caused controversy: it was designed to be a covert utility for remote host administration across networks. Other similar programs such as NetBus and Phase appeared shortly thereafter.

August also saw the emergence of the first malicious executable Java module, Java.StrangeBrew. This virus did not present a specific danger to Internet users, but it did illustrate the fact that viruses can also be found in applications actively used in viewing Web servers.

In November 1998, malicious programs continued to evolve, with three viruses infecting Visual Basic scripts (VBS files), which were actively used in creating web pages. At the time, Kaspersky Labs released an in-depth study on the potential threat of VBS viruses. However, many specialists were too quick to label the company as a panic inciter and criticized the study for provoking virus hysteria. Half a year later, when the LoveLetter epidemic broke, it became clear that Kaspersky's prognosis was completely accurate. To this day, this type of virus holds onto first place in the list of most widespread and dangerous virus types.

The logical culmination of VBScript viruses were full-fledged HTML viruses like HTML.Internal. It became patently clear that virus writers' efforts were beginning to focus more and more on network applications. Virus writers were moving towards network worms which exploited flaws in MS Windows and Office and infected remote computers through Web servers or via email.

The next MS Office application to fall victim to a virus was PowerPoint. In December 1998, a virus of unknown origins, Attach, was the first to attack. It was immediately followed by two more, ShapeShift and ShapeMaster, the author of which was likely one and the same. The appearance of PowerPoint viruses caused yet another headache for antivirus vendors. Files of this MS application use the OLE2 format, which determines the way in which viruses can be scanned for in DOC and XLS files. However, the VBA modules in the PPT format are stored compressed, which meant that it was necessary to design new algorithms to decompress them and facilitate antivirus searches. Despite the complexity of what would seem like a simple task, almost all antivirus companies have integrated into their products the necessary functionality to defend against PowerPoint viruses.

In January, Virus Bulletin magazine began a new project: VB 100%. This regular testing of antivirus products is designed to determine whether the solutions can detect 100% of viruses in the wild. VB 100% is now regarded as one of the more respected independent testers.

Significant changes occurred in the antivirus vendor market as well. In May, Symantec and IBM announced their unified efforts to develop an antivirus product. The combined product was to be distributed by Symantec under the same name, while IBM's product, IBM Anti-Virus, would cease to exist. Towards the end of September, Symantec announced its purchase of the antivirus business from Intel Corporation, LANDesk Virus Protect. Just two weeks later, Symantec surprised the industry yet again with another purchase, this time of QuarterDeck for $65 million. The company's product range included such antivirus products as ViruSweep.

Such aggressive tactics did not go unnoticed by the American antivirus giant NAI, which on August 13th announced its purchase of one of its primary competitors, the English company Dr. Solomon's. The latter was bought for the record amount of $640 million by means of a stock swap. These events evoked true shock in the antivirus industry. A previous conflict between two large players of the industry had ended in a buy-sell deal, the result of which was the disappearance of one of the more noticeable and technologically strong developers of antivirus software.

Also interesting was the purchase of EliaShim, a developer of the antivirus product E-Safe. The purchase was made in December by Aladdin Knowledge Systems, a well-known developer of equipment and software for computer security.

A curious incident occurred with the publication of a computer virus warning in the December 21st edition of The New York Times. The author warned users about the appearance of a virus which spread via email and was already being detected in some networks. It later became evident that this scary virus was none other than the already well-known macro virus, Class.

1999
Strange as it may seem, the most significant news to come out of this year was not the emergence of a new computer virus, but an announcement about the long-planned purchase of the Australian antivirus vendor Cybec by the software giant Computer Associates (CA). With this purchase, CA added another antivirus product to its collection, having purchased Cheyenne Software at the end of 1996. Both products still exist to this day: CA Vet Anti-Virus and CA InoculateIT.

Viruses, however, did not sit idly by, and in January we witnessed the emergence of a global epidemic with the Happy99 virus (also known as Ska). This was actually the first modern-day worm, which once again opened a new chapter in the history of malware evolution. It used MS Outlook, which had become a corporate standard in Europe and the US to spread. Despite the fact that Happy99 first appeared at the beginning of 1999, it still regularly shows up as one of the top ten most widespread harmful programs to this day.

At almost the same time, a very interesting macro virus for MS Word was detected: Caligula. It searched the system registry for keys corresponding to PGP (Pretty Good Privacy) programs and then searched for the appropriate databases. If such databases were found, the virus initiated an FTP session and secretly sent files to a remote server.

At the end of February, SK appeared: the first virus which infected Windows HLP files.

On the 26th of March, a global epidemic was caused by Melissa, the first macro virus for MS Word combining Internet worm functionality as well. Immediately after infection, Melissa scanned the address book in MS Outlook and sent copies of itself to the first 50 addresses found. Like Happy99, Melissa did this without the knowledge or consent of the user, but the messages still appeared to be sent in the user's name. Fortunately, this macro virus was not complex and antivirus developers quickly released the necessary additions to their databases. The epidemic was contained quickly. Despite this, Melissa still managed to inflict significant damage on a range of computer systems: industry giants like Microsoft, Intel and Lockheed Martin were forced to temporarily shut down their corporate email systems. Estimates place the damage caused by the virus at several tens of millions of US dollars.
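The Melissa pattern described above (one sender, one subject, the first 50 address-book entries, all within seconds) is visible at a mail gateway long before a signature exists. The following added example, not code from the original page or from any product it mentions, runs a sliding-window detector over constructed gateway log lines; the log format, the sample addresses and the thresholds are assumptions made for the demonstration.

```python
"""Added example: detecting Melissa-style mass mailing in mail-gateway logs.

A macro virus that reads the address book and mails itself to the first N
contacts produces a burst: one sender, one subject, many distinct recipients,
within seconds. The log format, the sample lines and the thresholds used
here are constructed for the demonstration."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log: one normal reply, a 50-recipient worm burst, and a
    newsletter that reaches 30 recipients but is spread out over an hour."""
    lines = ["1999-03-26T14:02:01 alice@example.org -> bob@example.org | Re: lunch"]
    burst_start = datetime(1999, 3, 26, 14, 5, 10)
    for i in range(50):  # Melissa mailed the first 50 address-book entries
        ts = (burst_start + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts} carol@example.org -> contact{i:02d}@example.org"
                     " | Important Message From carol")
    news_start = datetime(1999, 3, 26, 15, 0, 0)
    for i in range(30):  # legitimate bulk mail, one message every two minutes
        ts = (news_start + timedelta(minutes=2 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} news@example.org -> reader{i:02d}@example.org"
                     " | Weekly bulletin")
    return lines


def parse_line(line):
    """Split '<ISO timestamp> <sender> -> <recipient> | <subject>'."""
    ts_str, rest = line.split(" ", 1)
    addresses, subject = rest.split(" | ", 1)
    sender, recipient = addresses.split(" -> ")
    return datetime.fromisoformat(ts_str), sender.strip(), recipient.strip(), subject


def find_mass_mailers(lines, threshold=40, window_seconds=60):
    """Return (sender, subject, distinct_recipients) for each sender/subject
    pair that reaches `threshold` distinct recipients inside any sliding
    window of `window_seconds`.

    Volume alone is not the signal: the newsletter in the sample log is never
    flagged because its 30 messages are spread over an hour."""
    events = defaultdict(list)
    for line in lines:
        ts, sender, recipient, subject = parse_line(line)
        events[(sender, subject)].append((ts, recipient))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (sender, subject), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= window_seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            recipients = {r for _, r in evs[start:end + 1]}
            if len(recipients) >= threshold:
                alerts.append((sender, subject, len(recipients)))
                break  # one alert per sender/subject pair is enough
    return alerts


if __name__ == "__main__":
    for alert in find_mass_mailers(build_sample_log()):
        print("mass mailing suspected:", alert)
```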

Law enforcement agencies in the US (or, to be more precise, cybercrime units) reacted exceptionally quickly to the Melissa virus. A short while thereafter, the author of the virus was discovered and arrested. He was 31-year-old David L. Smith, a programmer from New Jersey. On December 9th, he was found guilty and sentenced to 10 years in prison and fined $400,000.

Law enforcement agencies were equally active on the other side of the Pacific Ocean. In Taiwan, the author of the CIH virus, earlier known only as Chernobyl, was exposed as Chen Ing Hao (notice the initials), a student at the Taiwan Technical Institute. However, since none of the local companies filed charges, the police had no basis for an arrest.

On May 7th, a virus intruded on the Canadian company, Corel. Under threat was its cash cow, Corel DRAW. The Gala virus (also known as GaLaDRieL) was written in Corel SCRIPT language and became the first virus capable of infecting Corel DRAW files as well as Corel PHOTO-PAINT and Corel VENTURA.

Another epidemic broke out at the very beginning of the summer with the dangerous Internet worm ZippedFiles (also known as ExploreZip). The virus came in the form of an EXE file which, once installed, would destroy the files of some of the more popular applications. While the worm was not as widespread as Melissa, the damage incurred was estimated to be several times higher. Despite a quick reaction from antivirus companies in neutralizing the virus, a relapse was recorded in December. The modified version was changed so that the body of the virus was compressed using the Neolite compression utility. If the antivirus program did not recognize this compression format, the worm escaped unnoticed, and at the time none of the antivirus programs recognized it. It was only in June of 2000 that AntiViral Toolkit Pro (AVP) gained file support for Neolite.

In August, an Internet worm named Toadie (or Termite) was detected. In addition to infecting files in DOS or Windows, the virus attached copies of itself to emails sent via Pegasus and attempted to spread through IRC channels.

October brought the computer industry three new surprises. First was the discovery of the Infis virus, the first virus for this operating system, which installed itself at the highest privilege level of the platform and affected system drivers. This made the virus difficult to contain. The second surprise consisted of antivirus companies warning users about the first computer virus for MS Project. In actuality, this was a multiplatform virus that infected MS Word files just as well as MS Project files. The third surprise was yet another script virus, Freelinks, which had emerged in July and was one of the predecessors of the well-known LoveLetter virus.

In November, the world was shaken by the emergence of a new generation of worms which spread via email without attached files and penetrated computers when infected messages were read. The first of these was Bubbleboy, which was immediately followed by KakWorm. Viruses of this type exploited an Internet Explorer loophole, and although Microsoft issued a patch the same month, KakWorm remained widespread for a long time. That same month, the USA and Europe recorded several incidents of infection by FunLove, a Windows virus.

December 7th was notable for the detection of the latest in a long line of Trojans authored by a Brazilian virus writer known as Vecna. The very dangerous and complex Babylonia virus turned a new page in the history of virus creation. It was the first worm capable of remote self-rejuvenation, that is, of updating itself over the network. Every minute it would connect to a server in Japan and download a list of virus modules. If it found modules there that were fresher than those on the infected computer, it immediately downloaded them. Later, this same technique would be employed by Sonic, Hybris, and other viruses.

In the middle of the year, the antivirus industry officially divided into two camps in regard to their approach to potential Y2K threats. One camp strongly promoted the belief that the computer underground had prepared a surprise in the form of several hundred thousand viruses capable of shaking human civilization to its core. The subtext of this warning was clear: install antivirus software and you would be saved from attack. The second camp of antivirus companies logically opposed the first and attempted to maintain calm among scared users. Later, the warnings were proved baseless, and the year 2000 came in the same way as any other year.

A few curious stories were abroad as well. A compact disc distributed with the November edition of the Hungarian magazine Uj Alaplap contained, in addition to useful information, a distinctly unpleasant surprise: two macro viruses for MS Word, Class.B and Opey.A.

2000
The year began unexpectedly for users of Windows 2000 and Visio, a popular application for creating diagrams and flow charts. Microsoft had not even finished announcing the release of a fully functional commercial version of its operating system when members of the underground group 29A set Inta loose. The virus was the first to infect Windows 2000 files. Shortly after, two viruses emerged almost simultaneously, Unstable and Radiant, which marked Visio's demise. The second incident gave rise to a sick joke: that the viruses had been released by Microsoft, which not long after the appearance of Unstable and Radiant purchased Visio Corporation.

In April, the first macro virus of Russian origin for MS Word was recorded. Proverb was detected in 10 Downing Street, the office of the British prime minister. It can only be hoped that the English authorities heeded the advice of the Russian proverb, 'Don't put off till tomorrow what you can drink today'.

May 5th broke a record in the Guinness Book of Records with the script virus LoveLetter. Everything occurred exactly as Eugene Kaspersky had predicted in November of 1998. Naive users could not even imagine that seemingly harmless VBS and TXT files could contain a harmful virus. Once loaded, it destroyed a range of files and sent itself to all addresses in the MS Outlook address book. The transparency of the source code more or less guaranteed that new modifications of the virus would appear throughout the year, and currently there are more than 90 of them in circulation.

On the 6th of June, the Timofonica virus was detected; this was the first computer virus that employed, in a limited manner, mobile phones. In addition to spreading via email, the virus sent messages to random mobile phone numbers in the MoviStar cellular network, which belonged to the global telecommunications giant Telefonica. The virus had no other effect on mobile phones, despite the fact that many mass media outlets were quick to name Timofonica the first 'cellular' virus.

The summer of 2000 was hot, particularly as far as mobile phone viruses were concerned. While this period is usually vacation time for virus writers and antivirus experts alike, the former, by all accounts, decided to surprise the latter. In July, a group known as the Cult of the Dead Cow produced a new version of the Back Orifice backdoor (BO2K). This occurred at the annual DefCon conference (in a jab at Microsoft's DevCon) and evoked a flood of messages from frightened users to antivirus vendors. In reality, the new version posed little more harm than its predecessor and was promptly added to the leading antivirus vendors' databases. The distinguishing feature of BO2K was its drift towards legitimate commercial remote administration utilities: the program was visible upon installation. Despite this, it could still be used for illicit purposes and was classified by antivirus companies as a Backdoor Trojan.

July saw the appearance of three exceptionally interesting viruses. Star was the first virus designed for AutoCAD packages. Dilber was distinguished by the fact that it contained code from five other viruses, including CIH, SK, and Bolzano. Depending on the date, Dilber activated the payload of one of its components, earning it the nickname Shuttle Virus. The third interesting virus was an Internet worm called Jer, which employed a relatively clumsy means of penetrating computers. Script programs (the worm's body) were uploaded to a website and were automatically activated when the corresponding HTML page was opened. After this, users received a warning that an unidentified file had been found on the disk. It was a calculated risk assuming human error: it was hoped that users would inadvertently answer 'yes' to be rid of the script program. The appearance of this worm confirmed a new fashion in the spread of viruses through the Internet. First, the worm is placed on a website, and then a mass marketing campaign is conducted to attract users. The calculated risk paid off: for every thousand users, a few dozen would let the virus in.

In August, the Liberty virus was discovered - the first harmful Trojan program to affect the PalmOS operating systems of Palm Pilot. Upon installation, it deleted files but was incapable of replicating. In September, this new class of harmful programs was extended with the first true virus for PalmOS, Phage. It represented a classic virus-parasite program which after installing and infecting files proceeded to delete them and record its own code.

At the beginning of September, a computer virus by the name of Stream was discovered which was capable of manipulating the alternate data streams (ADS) of NTFS file systems. This virus posed no particular threat. More dangerous was the technique of hiding code in ADS, insofar as no antivirus program was capable of scanning this location. Unfortunately, the virus evoked an insufficient reaction among some large antivirus firms, which accused Kaspersky Lab of scaremongering. Despite the accusations, none of the opponents were able to offer any concrete arguments confirming the position they put forth regarding the safety of ADS in NTFS. The problem of antivirus protection for NTFS remains to this day a vital issue, insofar as only a few antivirus scanners have learned to search for viruses in ADS.

October saw the appearance of the first virus for PIF files (Fable), and the first virus written in PHP script-language (Pirus). Both viruses to this day have yet to be discovered 'in the wild'. At the same time, a scandal arose when Microsoft's internal systems were hacked and left open for several months by a group of unknown hackers from St. Petersburg. The entry was gained through a simple loophole using a network worm called QAZ. What was curious about this incident was the fact that at the time the system hack was discovered, the worm in question was already included in practically all antivirus databases. This caused some misgivings about the competency of Microsoft personnel, or, perhaps, their malicious intent. In any case, as of the writing of this book, the guilty parties have yet to be located.

A notable event occurred in November. Kaspersky Labs, having become one of the antivirus industry's major players in three short years, changed the name of its flagship product. AntiViral Toolkit Pro (AVP) became Kaspersky Anti-Virus and took on a new logotype.

This same month brought the detection of a technologically complex and dangerous virus called Hybris. This virus was written by the Brazilian virus writer Vecna. He further developed his first self-updating virus, Babylonia, taking into account earlier errors. The main innovation was the use of websites and list servers (alt.comp.virus in particular) to load new modules of the virus onto infected computers. While a single website is easy to take down, list servers were an ideal alternative for distribution, since they were much harder to take down. Further, Hybris employed a 128-bit RSA key to verify that modules had actually been written by the author.

As a whole, 2000 was the year in which email again proved itself to be the best way to transmit viruses. According to Kaspersky Labs' support statistics, approximately 85% of all registered infections occurred via email. The year was also notable for a wave of activity among virus creators targeting Linux. Altogether, there were 37 newly registered viruses and Trojan programs created for the Linux operating system. Consequently, the overall quantity of Linux viruses reached 43, which represented a seven-fold growth in 2000 alone. Finally, a change in the most widespread type of virus occurred. Up until this year, macro viruses had been the most common, but once 2000 was over, this place was taken by script viruses.

History of Malicious Programs
Malicious software may seem like a relatively new concept. The epidemics of the past few years have introduced the majority of computer users to viruses, worms and Trojans - usually because their computers were attacked. The media has also played a role, reporting more and more frequently on the latest cyber threats and virus writer arrests.

However, malicious software is not really new. Although the first computers were not attacked by viruses, this does not mean they were not potentially vulnerable. It was simply that when information technology was in its infancy, not enough people understood computer systems to exploit them.

But once computers became slightly more common, the problems started. Viruses started appearing on dedicated networks such as the ARPANET in the 1970s. The boom in personal computers, initiated by Apple in the early 1980s, led to a corresponding boom in viruses. As more and more people gained hands-on access to computers, they were able to learn how the machines worked. And some individuals inevitably used their knowledge with malicious intent.

As technology has evolved, so have viruses. In the space of a couple of decades, we have seen computers change almost beyond recognition. The extremely limited machines which booted from a floppy disk are now powerful systems that can send huge volumes of data almost instantaneously, route email to hundreds or thousands of addresses, and entertain individuals with movies, music and interactive Web sites. And virus writers have kept pace with these changes.

While the viruses of the 1980s targeted a variety of operating systems and networks, most viruses today are written to exploit vulnerabilities in the most commonly used software: Microsoft Windows. The increasing number of vulnerable users is now being actively exploited by virus writers. The first malicious programs may have shocked users, by causing computers to behave in unexpected ways. However, the viruses which started appearing in the 1990s present much more of a threat: they are often used to steal confidential information such as bank account details and passwords.

So malicious software has turned into big business. An understanding of contemporary threats is vital for safe computing. This section gives an overview of the evolution of malware: it offers a glimpse of some historical curiosities, and provides a framework to help understand the origins of today's cyber-threats.

Historians are still debating when the first computer virus really appeared. We do know a few things for certain, however: the first computer, which is generally considered to have been invented by Charles Babbage, did not have any viruses. By the mid-1970s, the Univac 1108 and IBM 360/370 did.

Nevertheless, the idea of computer viruses actually appeared much earlier. Many consider the starting point to be the work of John von Neumann on self-reproducing mathematical automata, which became famous in the 1940s. By 1951, von Neumann had already proposed methods for demonstrating how to create such automata.

In 1959, the British mathematician Lionel Penrose presented his view on automated self-replication in his Scientific American article 'Self-Reproducing Machines'. Unlike von Neumann, Penrose described a simple two-dimensional model of this structure which could be activated, multiply, mutate and attack. Shortly after Penrose's article appeared, Frederick G. Stahl reproduced this model in machine code on an IBM 650.

It should be noted that these studies were never intended to provide a basis for the future development of computer viruses. On the contrary, these scientists were striving to perfect the world and make it more suitable for human life. And it was these works that laid the foundation for many later studies on robotics and artificial intelligence.

In 1962, a group of engineers from America's Bell Telephone Laboratories, V. Vyssotsky, G. McIlroy, and Robert Morris, created a game called 'Darwin.' The game consisted of a so-called umpire in the memory of the computer that determined the rules and order of battle between competing programs created by the players. The programs could track and destroy opponents' programs and, more importantly, multiply. The point of the game was to delete your opponent's programs and gain control over the battle field.

The theoretical suppositions of the scientists and the engineers' harmless game were overshadowed from the moment the world realized that the theory of self-multiplying units could be used, equally successfully, for completely different purposes.

1970s
Sometime in the early 1970s, the Creeper virus was detected on ARPANET, a US military computer network which was the forerunner of the modern Internet. Written for the then-popular Tenex operating system, this program was able to gain access independently through a modem and copy itself to the remote system. Infected systems displayed the message, 'I'M THE CREEPER : CATCH ME IF YOU CAN.'

Shortly thereafter, the Reaper program was anonymously created to delete Creeper. Reaper was a virus: it spread to networked machines and if it located a Creeper virus, Reaper would delete it. Even the participants are unable to say whether Reaper was a response to Creeper, or if it was created by the same person or persons who created Creeper in order to correct their mistake.

1974
A virus dubbed Rabbit appeared: it was called Rabbit because it didn't do anything except multiply and spread to other machines. The name was a comment on the speed with which the program multiplied. It clogged the system with copies of itself, impairing system performance. Once Rabbit multiplied to a certain level on an infected machine, the virus would crash.

1975
Pervading Animal, another game, this time written for a Univac 1108, appeared in 1975. To this day, analysts argue about whether this was another virus or the first Trojan.

The rules of the game were simple: the player would think of an animal and the program asked questions in an attempt to identify it. The game was equipped with a self-correction function; if the program was unable to guess the animal, it would update itself and enter new questions. The new modernized version overwrote the old version but, in addition to this, copied itself to other directories. After some time, as a result, all directories would contain copies of 'Pervading Animal.' It is unlikely that engineers appreciated this because the combined volume of the game's copies occupied a significant amount of disc space.

Was this simply a mistake by the game's creator or a conscious attempt to clutter up the system? It is difficult to say. The boundary between programs functioning incorrectly and malicious code was unclear in those days.

Univac programmers attempted to use the Creeper-Reaper model to control Pervading Animal: a new version of the game scanned for older versions and destroyed them. However, the issue was resolved fully only when Exec 8, a new version of the operating system, was released. The file system was modified and the game was unable to multiply.

Early 1980s
As computers gained in popularity, more and more individuals started writing their own programs. Advances in telecommunications provided convenient channels for sharing programs through open-access servers such as BBS - the Bulletin Board System. Eventually university BBS servers evolved into a global data bank and were available in all developed countries. The first Trojans appeared in large quantities; programs that couldn't self-replicate or spread, but did damage systems once downloaded and installed.

1981
The widespread use of Apple II computers predetermined this machine's fate in attracting the attention of virus writers. It is not surprising that the first large-scale computer virus outbreak in history occurred on the Apple II platform.

Elk Cloner spread by infecting the Apple II's operating system, stored on floppy disks. When the computer was booted from an infected floppy, a copy of the virus would automatically start. The virus would not normally affect the running of the computer, except for monitoring disk access. When an uninfected floppy was accessed, the virus would copy itself to the disk, thus infecting it, too, slowly spreading from floppy to floppy.

The Elk Cloner virus infected the boot sector for Apple II computers. In those days, operating systems were stored on floppy disks: as a result the floppies were infected and the virus was launched every time the machine was booted up. Users were startled by the side effects and often infected friends by sharing floppies, since most people had no idea what viruses were, much less how they spread.

The Elk Cloner payload included rotating images, blinking text and joke messages:

ELK CLONER:
THE PROGRAM WITH A PERSONALITY
IT WILL GET ON ALL YOUR DISKS
IT WILL INFILTRATE YOUR CHIPS
YES, IT'S CLONER
IT WILL STICK TO YOU LIKE GLUE
IT WILL MODIFY RAM, TOO
SEND IN THE CLONER!

1983
Len Adleman first coined the term 'virus' in connection with self-replicating computer programs. On November 10th, 1983, at a seminar on computer safety at Lehigh University, this grandfather of modern computer virology demonstrated a virus-like program on a VAX 11/750 system. The program was able to install itself into other system objects. A year later, at the 7th annual information security conference, he defined the phrase 'computer virus' as a program which is able to 'infect' other programs by modifying them to install copies of itself.

1986
The first global IBM-compatible virus epidemic was detected. Brain, which infected the boot sector, was able to spread practically worldwide within a few months. The almost total lack of awareness in the computing community of how to protect machines against viruses ensured Brain's success. In fact, the appearance of numerous science fiction works on the topic only strengthened the panic, instead of teaching people about security.

The Brain virus was written by a 19-year-old Pakistani programmer, Basit Farooq Alvi, and his brother Amjad, and included a text string containing their names, address and telephone number. According to the virus's authors, who worked in sales for a software company, they wanted to gauge the level of piracy in their country. Aside from infecting a disk's boot sector and changing the disk name to '© Brain', the virus did nothing; it had no real payload and did not corrupt data. Unfortunately, the brothers lost control of their so-called experiment and Brain spread worldwide.

Interestingly enough, Brain was also the first 'stealth virus.' When an attempt to read the infected sector was detected, the virus would display the original, uninfected data.

That same year, a German programmer, Ralf Burger, invented the first programs that could copy themselves by adding their code to executable DOS files in COM format. The working model of the program, named Virdem, was introduced by Burger in December 1986 in Hamburg at an underground computer forum, the Chaos Computer Club. Though most of the hackers at the event specialised in attacking VAX/VMS systems, they were still interested in the concept.

1987
The Vienna virus appeared: its appearance and subsequent spread around the world were hotly debated as the global community tried to discover the identity of the author. Franz Swoboda was the first person to detect the virus: his warning about the discovery of a self-replicating program named Charlie was publicized by many information technology companies and attracted the attention of the media as well. As could be expected, many people were interested in discovering the author and the source of the epidemic. Information leaked out that Swoboda had received the virus from Ralf Burger, who completely denied Swoboda's story and claimed that, on the contrary, he had received the virus from Swoboda. It was never revealed who had actually created the malicious program.

Despite the confusion surrounding the author of Vienna, its appearance was notable for another reason. One of its potential authors, Ralf Burger, forwarded a copy to Bernt Fix, who was able to neutralize the virus. This was the first occasion on which someone was able to neutralize a virus. Thus Fix was a precursor of modern antivirus professionals, although contemporary antivirus experts not only analyze and neutralize viruses, but, more importantly, release protection, detection and disinfection modules.

Burger capitalized on Fix's work, and published the code used to neutralize Vienna in his book, Computer Viruses: The Disease of High Technology, which was analogous to B. Khizhnyak's Writing Viruses and Anti-Viruses. In his book, Burger explained how the virus code could be modified to eliminate its ability to replicate. However, the book probably gained popularity for explaining how viruses are created, serving as a stimulus for thousands of viruses which were partly or completely developed from ideas expressed in this book.

Several other IBM-compatible computer viruses appeared this year as well:

the famous Lehigh virus, named in honor of the university in Pennsylvania where it was first detected; this university is ironically the alma mater of the father of modern computer virology;
the Suriv family of viruses;
a number of boot-sector viruses in various countries: Yale in the US, Stoned in New Zealand, Ping Pong in Italy;
the first self-encrypting file virus, Cascade.
Lehigh made history as the first virus that caused direct damage to data: the virus destroyed information on disks. Fortunately, there were several computer experts at Lehigh University who were skilled at analyzing viruses. As a result, the virus never left the university, and Lehigh was never detected in the wild.

The Lehigh virus initiated a destructive routine that eventually deleted the virus as well as valuable data. Lehigh first infected only the command.com system files. After infecting four files it began destroying data, i.e. it eventually destroyed itself as well.

By this time, users had begun taking security more seriously and learning how to protect themselves against viruses. More cautious users quickly learned to monitor the size of the command.com file once they knew that an increase in its size was the first sign of potential infection.
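The command.com size check described above is the ancestor of file integrity monitoring: record the known-good state of a few critical files, then compare. The following is an added example, not code from the page; it generalizes the size check to size plus SHA-256, so that a change which keeps the size constant (an overwriting infector) is caught too. The file names and contents are constructed stand-ins; in practice the baseline would be stored somewhere the monitored system cannot modify.

```python
"""Baseline-and-compare integrity check in the spirit of the command.com
size monitoring of the late 1980s. Added example; file names and contents
below are constructed for the demonstration, not real system files."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size, sha256 hex digest) for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def build_baseline(paths):
    """Record size and hash of each monitored file (the known-clean state)."""
    return {p: fingerprint(p) for p in paths}


def check_baseline(baseline):
    """Compare the current state of every file with the baseline.

    Returns a dict path -> reason for every file that differs; an empty
    dict means nothing changed. Growth is reported separately because an
    appending file infector (Lehigh-style) shows up exactly that way."""
    findings = {}
    for path, (size0, digest0) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        size1, digest1 = fingerprint(path)
        if size1 > size0:
            findings[path] = f"grew by {size1 - size0} bytes (appended code?)"
        elif digest1 != digest0:
            findings[path] = "content changed, size unchanged"
    return findings


def demo():
    """Create two constructed files, baseline them, then tamper with one."""
    tmp = tempfile.mkdtemp()
    cmd = os.path.join(tmp, "COMMAND.COM")      # constructed stand-in
    other = os.path.join(tmp, "AUTOEXEC.BAT")   # constructed stand-in
    with open(cmd, "wb") as f:
        f.write(b"\xB8\x00\x4C\xCD\x21" * 100)  # 500 bytes of filler
    with open(other, "wb") as f:
        f.write(b"@ECHO OFF\r\n")
    baseline = build_baseline([cmd, other])
    # Simulate an appending infector: 1,000 bytes added to the end.
    with open(cmd, "ab") as f:
        f.write(b"\x90" * 1000)
    return check_baseline(baseline), baseline, cmd, other


if __name__ == "__main__":
    findings, _, _, _ = demo()
    for path, reason in findings.items():
        print(f"{path}: {reason}")
```

Only the file that grew is reported; the untouched file produces no finding. The weakness the 1980s users ran into also applies here: a virus that keeps the size constant defeats a size-only check, which is why the hash comparison is included.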

The Suriv family of viruses (try reading the name backwards), written by an unidentified programmer from Israel, was just as interesting. As with the Brain virus, it is difficult to determine whether this was merely an experiment that spun out of control or the premeditated creation of a malicious program. Many antivirus experts were inclined to think that it was an experiment. The discovery at Yisrael Radai University of code fragments supported this version. The university was able to show that the virus's author was attempting to change the routine for infecting files in EXE format and that the last modification of the virus was only a debugging version.

The first member of this virus family, aptly named by the author Suriv-1, was able to infect accessed COM files in real time. To do this, the virus loaded itself into the computer's memory and remained active until the computer was turned off. This allowed the virus to intercept file operations and, if the user loaded the COM file, to immediately infect it. This facilitated the almost instant spread of the virus to removable storage media.

Suriv-2, as opposed to its predecessor, targeted EXE files. It was, to all intents and purposes, the first virus able to penetrate EXE files. The third incarnation, Suriv-3, combined characteristics from the first and second versions and was able to infect both COM and EXE files.

The fourth modification of the virus, named Jerusalem, appeared shortly thereafter and was able to spread quickly worldwide; Jerusalem caused a worldwide virus epidemic in 1988.

The last significant event of 1987 was the appearance of the encrypted Cascade virus, which was named after part of its payload. Once the virus was activated, the characters on the screen cascaded down to the bottom line (see cascade.bmp). The virus consisted of two parts: the virus body and an encryption routine. The latter encrypted the body of the virus so that it appeared different in every infected file. After the file was loaded, control was transferred to the decryption routine, which decoded the virus body and transferred control to it.

This virus can be considered the predecessor of polymorphic viruses which have no permanent program code yet maintain their functionality. However, unlike future polymorphic viruses, Cascade encoded only the body of the virus. The size of the infected file was used as a decryption key. The decryption routine remained unchanged which allows modern antivirus solutions to detect the virus with ease.
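The reason Cascade is easy for a scanner to catch, despite the encrypted body, is the one the passage states: the decryption routine itself never changes, and the key is derived from the infected file's size. The following added example (not code from the page, and not Cascade's actual code) builds two constructed test fixtures with the same layout, host bytes followed by an invariant stub and a body XOR-encoded with the file size, and shows that a plain signature on the stub matches both although their body bytes differ, and that an analyst can decode the body from the file alone. The stub bytes and the payload text are placeholders; the fixtures contain no replication logic.

```python
"""Static decryptor versus encrypted body: a constructed demonstration of
why a fixed decryption stub gives a scanner a usable signature. Added
example; DECRYPTOR_STUB and the payload text are placeholders."""

# Constructed placeholder for the invariant decryptor stub that precedes
# the encoded body. A real signature would be taken from the real sample.
DECRYPTOR_STUB = b"\xE8\x00\x00\x5E\x81\xEE\x03\x01"


def xor_with_key(data, key):
    """XOR every byte with the low byte of the key (the 'cipher' of the era).
    Note the edge case: a file size that is a multiple of 256 gives key 0,
    leaving the body in the clear."""
    k = key & 0xFF
    return bytes(b ^ k for b in data)


def make_constructed_sample(body, host_size):
    """Build a test fixture: host bytes + stub + body encoded with the total
    file size as key. Fixture only; nothing here copies itself anywhere."""
    total = host_size + len(DECRYPTOR_STUB) + len(body)
    host = b"\x00" * host_size
    return host + DECRYPTOR_STUB + xor_with_key(body, total)


def find_stub(data):
    """Signature scan: offset of the invariant stub, or -1 if absent."""
    return data.find(DECRYPTOR_STUB)


def recover_body(data):
    """Analyst's view: because the key is derived from the file size, the
    body can be decoded from the file alone, with no extra key material."""
    off = find_stub(data)
    if off < 0:
        return None
    encoded = data[off + len(DECRYPTOR_STUB):]
    return xor_with_key(encoded, len(data))


def demo():
    """Two fixtures of different sizes: same stub, different body bytes."""
    body = b"CONSTRUCTED PAYLOAD: cascade letters to the bottom line"
    a = make_constructed_sample(body, 100)
    b = make_constructed_sample(body, 257)
    off_a, off_b = find_stub(a), find_stub(b)
    return {
        "stub_found_a": off_a >= 0,
        "stub_found_b": off_b >= 0,
        "bodies_differ": a[off_a + len(DECRYPTOR_STUB):]
                         != b[off_b + len(DECRYPTOR_STUB):],
        "recovered_a": recover_body(a),
        "recovered_b": recover_body(b),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design point for a detection engineer is that the signature is placed on the invariant part, not on the variable one. True polymorphic viruses, such as the Chameleon family mentioned next, removed that invariant by mutating the decryptor as well, which is what forced scanners to move from byte signatures to emulation.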

In 1988, Cascade caused a serious incident in IBM's Belgian office and served as the impetus for IBM's own antivirus product development. Prior to this, any antivirus solutions developed at IBM had been intended for internal use only.

Later, Mark Washburn combined information published by Ralf Burger on the Vienna virus with the concept of self-encryption used in Cascade and created the first family of polymorphic viruses: the Chameleon family.

IBM computers were not alone: viruses were written for Apple Macintosh, Commodore Amiga, and Atari ST.

In December 1987, the first major local network epidemic occurred: the Christmas Tree Worm, which was written in REXX, spread on VM/CMS-9 operating systems. The worm was unleashed on the Bitnet network on December 9th from a West German university through a European Academic Research Network (EARN) portal and then onto IBM's Vnet. Within four days (by December 13th), the worm had flooded the network. Upon loading, it displayed a Christmas tree on screen and sent copies of itself to all network users whose addresses were listed in the NAMES and NETLOG system files.

1988
Suriv-3, or the Jerusalem virus, as it is known today, caused a major epidemic in 1988. It was detected in many enterprises, government offices and academic institutions on Friday, May 13th. The virus struck all over the world, but the US, Europe and the Near East were hit hardest. Jerusalem destroyed all loaded files on infected machines.

May 13th 1988 came to be known as Black Friday. Ironically, antivirus experts and virus writers all pay close attention when the 13th of any month falls on a Friday. Virus writers are more active, while virus analysts treat it as a professional mini-holiday.

By this time, many antivirus companies had been established around the world. Generally, these were small firms, usually with two or three people. The software consisted of simple scanners that performed context searches to detect unique virus code sequences.

Users also appreciated the immunizers that came with the scanners. These immunizers would modify programs in such a way that a virus would think the computer was already infected and leave them untouched. Later, when the quantity of viruses increased into the hundreds, immunizers were rendered ineffective, as the number of immunizers required for the viruses in the wild was simply unrealistic to manufacture.

Both types of antivirus programs were either distributed for free or sold for ridiculously low prices. Despite this, they failed to gain enough popularity to effectively counter virus epidemics. Furthermore, the antivirus programs were completely helpless in the face of new viruses: imperfect channels for data transmission and the lack of a unified worldwide computer network like the modern Internet made the delivery of updated versions of antivirus programs extremely difficult.

The spread of viruses like Jerusalem, Cascade, Stoned and Vienna was also facilitated by human factors. First, users of that era did not know enough about the need for antivirus protection. Second, many users, and even professionals, didn't believe in the existence of computer viruses.

For instance, even Peter Norton, whose name is synonymous today with many products of US-based Symantec, was skeptical about computer viruses at one stage in his career. He declared their existence to be a myth and compared them to stories of large crocodiles inhabiting the sewers of New York. This incident didn't stop Symantec, however, from shortly after developing its own antivirus project, Norton AntiVirus.

This was an important year for the antivirus community as well: the first electronic forum devoted to antivirus security was opened on April 22. This was the Virus-L forum on the Usenet network created by Ken van Wyk, a university colleague of Fred Cohen's.

The first widespread virus hoax was also registered in 1988. This very interesting phenomenon refers to the spread of rumors about dangerous new viruses. Actually, in some cases, these rumors worked like a virus: scared users would spread them at the speed of light. It goes without saying that these hoaxes did not harm anyone directly; however, they used up bandwidth and users' nerves and discredited those that initially believed the rumours.

Mike RoChennel (a pseudonym derived from the word 'Microchannel') was the author of one of the first hoaxes. In October 1988, Mike sent a large number of messages to BBSs regarding a virus which could transfer from one 2400 baud modem to another. A suggested antidote to this virus was to use modems with a speed of 1200 baud. However ridiculous this may have sounded, many users did indeed heed this advice.

Another such hoax was released by Robert Morris about a virus spreading over networks and changing port and drive configurations. According to the warning, the alleged virus infected 300,000 computers in the Dakotas in under 12 minutes.

November 1988: a network epidemic caused by the Morris Worm. The virus infected over 600 computer systems in the US (including the NASA research center) and almost brought some to a complete standstill. Like the Christmas Tree worm, the virus sent unlimited copies of itself and completely overloaded the networks.

In order to multiply, the Morris Worm exploited a vulnerability in UNIX operating systems on VAX and Sun Microsystems platforms. As well as exploiting the UNIX vulnerability, the virus used several innovative methods to gain system access such as harvesting passwords.

The overall losses caused by the 'Morris Worm' virus were estimated at US $96 million - a significant sum at the time.

Finally, a popular antivirus program, Dr. Solomon's Anti-Virus Toolkit, was released onto the market in 1988. The program was created by UK programmer Alan Solomon and was widely used until 1998, when the company was taken over by US-based Network Associates (NAI).

1989
The Datacrime and FuManchu (a Jerusalem modification) viruses as well as virus families Vacsina and Yankee appeared.

The Datacrime virus was extremely dangerous: from October 13th through December 31st, it initiated low-level formatting of the hard disc's zero cylinder, which destroyed the file allocation tables (FAT) and led to irrevocable loss of data.

The first warning about the virus came out of the Netherlands in March from Fred Vogel. Despite the relatively low infection rate, Datacrime evoked a hysterical reaction worldwide. The repeated warnings resulted in significantly distorted descriptions of how the virus really worked and what damage it caused. In the US, the virus was named Columbus Day because many speculated that the virus had been written by Norwegian terrorists attempting to punish Americans for crediting Columbus instead of Eric the Red with the discovery of America.

An interesting incident occurred in Holland. The local police decided to begin a proactive fight against cyber-crime. They developed an antivirus program capable of neutralizing Datacrime and sold it directly to local precincts for a mere $1. There was tremendous demand for the antivirus program, but it was soon discovered that the program was unreliable and had a high false positive rate. A second version was produced to correct the mistakes; however, it was also riddled with bugs.

October 16th, 1989 saw the appearance of the WANK worm on VAX/VMS computers on the SPAN network. The worm spread via the DECNet protocol and changed system messages to read, 'WORMS AGAINST NUCLEAR KILLERS' accompanied by the message, 'Your System Has Been Officially WANKed.' WANK also changed system passwords to random symbols and sent them to a user by the name of GEMPAK on the SPAN network.

December 1989 witnessed the Aids Information Diskette incident. 20,000 discs containing a Trojan were sent to addresses in Europe, Africa, Australia and the WHO. The addresses had been stolen from the database of PC Business World. Once an infected disk had been loaded, the program would automatically install itself on the system, creating its own concealed files and directories and modifying system files. After 90 loads, the Trojan encoded the names of all files, rendering them invisible and leaving only one file accessible. This file recommended paying money to a specified bank account. As a result, it was relatively easy to identify the Trojan's author as one Joseph Popp, who had earlier been declared insane. Despite this, he was convicted in absentia by Italian authorities.

It is interesting to note that 1989 marked the beginning of virus epidemics in Russia as well. Towards the end of 1989, approximately 10 viruses (listed in the order they arrived) appeared in Russian cyber-space: 2 versions of Cascade, several modifications of Vacsina and Yankee, Jerusalem, Vienna, Eddie, and PingPong.

The spread of high technology worldwide predetermined the appearance of new antivirus projects throughout the world, just as it did in Russia, or at that time the USSR. In 1989, antivirus expert Eugene Kaspersky, who would later found Kaspersky Lab, first ran into a virus: his work computer was infected by Cascade in October 1989. It was this incident that led Eugene to devote his life to antivirus research.

Only a month later, Eugene detected the Vacsina virus using the first version of the -V antivirus program he had just written. Years later, -V turned into AVP Antiviral Toolkit Pro.

In fact, 1989 saw a bumper crop of antivirus companies: F-Prot, ThunderBYTE, and Norman Virus Control.

So many people became so nervous about viruses that various groups and individuals asked IBM, then the undisputed leader in the IT market, to provide an antivirus solution. After brief consideration and market research, IBM decided to 'declassify' the internal antivirus project developed at its TJ Watson Research Center and turn it into a full commercial product. IBM Virscan for MS-DOS was first made available for purchase in October 1989 for only $35.

April of 1989 marked another landmark in the antivirus field: the first antivirus publications were founded. UK-based Sophos sponsored Virus Bulletin, whereas Dr. Solomon's founded Virus Fax International. Virus Bulletin exists to this day, while Virus Fax International was first renamed as Virus News International and eventually metamorphosed into Secure Computing.

Today, Secure Computing is considered one of the most popular sources in information technology security and specializes not only in antivirus programs but also in computer and device safety. Secure Computing conducts annual contests under the 'Secure Computing Awards' title for the best developments in various fields, including antivirus safety, cryptology, access-control, intranet screens, and others.

1990
1990 saw several important developments in virus writing. Virus writers developed new features and established well-publicized communities to share information.

To start with, the first polymorphic viruses appeared in 1990: the Chameleon family (1260, V2P1, V2P2, and V2P6), which evolved from two earlier well-known viruses, Vienna and Cascade. Chameleon's author, Mark Washburn, used Burger's book on the Vienna virus and then added features from the self-encoding Cascade virus. Unlike Cascade, Chameleon was not only encrypted, but the virus code also changed with every infection. This particular feature rendered contemporary antivirus programs useless. Up to that point, antivirus programs had depended on an ordinary context search for pieces of known virus code. Chameleon had no permanent code sequence to search for, which made the development of new types of antivirus programs priority number one.

These developments were not long in coming. Soon thereafter, antivirus experts invented special algorithms to identify polymorphic viruses. Later, in 1992, Eugene Kaspersky developed an even more effective method for neutralizing polymorphic viruses: a processor emulator for deciphering the code. Today, this technology is an integral attribute of all antivirus programs.
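To make the detection problem above concrete, here is an added illustration (not code from the original post, and not Kaspersky's or anyone's real scanner or virus). It uses a constructed toy file layout: a two-byte header holding an XOR key and a body length, followed by a fixed body XORed with that key. A "context search" for a known byte sequence matches the plain body but fails on every encrypted variant, and two variants share almost no common bytes, so no signature extracted from one would find the other. Doing the decryptor's work on the sample before scanning (the idea behind the emulator approach) restores a stable body to match.

```python
"""Constructed illustration of why fixed signatures fail on polymorphic code
and why decrypting (emulating) first restores a stable target to scan.
The 'variant' format, body and signature below are all made up for this example."""

# Constructed sample: stands in for the constant code a virus body would carry.
BODY = b"CONSTRUCTED-SAMPLE-BODY"
# The fragment a classic context search would look for inside files.
SIGNATURE = b"SAMPLE-BODY"


def make_variant(body: bytes, key: int) -> bytes:
    """Toy 'polymorphic' layout (constructed): [key][len] + body XOR key.
    Each key yields a different byte stream for the same underlying body."""
    if not 1 <= key <= 255 or len(body) > 255:
        raise ValueError("key must be 1..255 and body at most 255 bytes")
    return bytes([key, len(body)]) + bytes(b ^ key for b in body)


def signature_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Classic context search: is the known sequence present in the raw bytes?"""
    return sig in sample


def emulate_decryptor(sample: bytes) -> bytes:
    """Carry out the decryptor's own work (here: XOR with the header key)
    instead of trying to match the ever-changing encrypted bytes."""
    key, length = sample[0], sample[1]
    return bytes(b ^ key for b in sample[2:2 + length])


def emulated_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Decrypt first, then apply the ordinary context search to the result."""
    return sig in emulate_decryptor(sample)


def longest_common_run(a: bytes, b: bytes) -> int:
    """Length of the longest byte sequence two samples share; a signature
    derived from one variant can only ever match another if such a run exists."""
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best


def compare_scanners(keys) -> dict:
    """For each key: (raw signature hit, hit after decryption)."""
    return {k: (signature_scan(make_variant(BODY, k)),
                emulated_scan(make_variant(BODY, k))) for k in keys}


if __name__ == "__main__":
    for key, (raw_hit, emu_hit) in compare_scanners([0x41, 0x7F, 0xA5]).items():
        print(f"key=0x{key:02X}: raw signature hit={raw_hit}, after emulation={emu_hit}")
    v1, v2 = make_variant(BODY, 0x41), make_variant(BODY, 0x7F)
    print("longest byte run shared by two variants:", longest_common_run(v1, v2))
```

The raw scan finds nothing in any variant while the emulated scan finds the body in all of them, and the two variants share at most a byte or two, which is the point the text makes about Chameleon: with no fixed code sequence, the scanner has to reproduce the decryption rather than memorize the bytes.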

The second important milestone was the appearance of the Bulgarian Virus Producing Factory. Throughout this year and for a number of years afterwards, a large number of viruses of Bulgarian origin were detected in the wild. They included entire virus families such as Murphy, Nomenclatura, Beast (or 512 or Number of Beast), new modifications of Eddie, and many more.

A virus writer named Dark Avenger was particularly active: he released several viruses a year, which incorporated new infection and concealment techniques. It was Dark Avenger who first employed a technique where the virus, when detected, would automatically infect all files in the computer, even if the file was opened for read-only purposes. Dark Avenger demonstrated exceptional ability, not only in creating viruses, but in spreading them as well. He actively loaded infected programs onto BBSs, distributed source codes for his viruses, and advocated the creation of new viruses in every way possible.

The first BBS (VX BBS) aiming to provide an open forum for the exchange of viruses and information for virus writers was established in Bulgaria, probably by Dark Avenger. The philosophy behind the board was simple: if a user uploaded a virus, then in exchange he was allowed to download one from the board's catalog. If the user submitted a new and interesting virus, then he was granted full access to the board's resources and could download an unlimited quantity of viruses from the collection. It almost goes without saying what a powerful effect VX BBS had on the development of viruses, especially since the board was open to the whole world, not just Bulgaria.

In July of 1990, a serious incident occurred with the English computer magazine PC Today. Each issue of the magazine contained a free floppy disc which turned out to be infected with a copy of DiskKiller. More than 50,000 copies of the magazine were sold. The resulting epidemic made virology history!

Two innovative stealth viruses appeared in the second half of 1990: Frodo and Whale. Both used an incredibly complex algorithm to conceal themselves in the system. The nine-kilobyte Whale, in addition, employed several levels of encryption and a whole array of tricky anti-debugging techniques.

The first Russian viruses appeared: Peterburg, Voronezh, and LoveChild.

In December of 1990, EICAR (European Institute for Computer Antivirus Research) was established in Hamburg, Germany. The institute is still considered one of the most respected international organizations, uniting professionals from practically all major antivirus companies.