Definition:
A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Most viruses can also replicate themselves and spread to other computers. All computer viruses are man-made. Antivirus programs periodically check your computer for the best-known types of viruses.
THE HISTORY OF COMPUTER VIRUSES
A Bit of Archeology
There are many opinions on the date of birth of the first computer virus. I know for sure just that there were no viruses on the Babbage machine, but the UNIVAC 1108 and IBM 360/370 already had them ("Pervading Animal" and "Christmas Tree"). Therefore the first virus was born at the very beginning of the 1970s or even at the end of the 1960s, although nobody was calling it a virus then. And with that, consider the topic of the extinct fossil species closed.
Journey's Start
Let's talk of more recent history: "Brain", "Vienna", "Cascade", etc. Those who started using IBM PCs as far back as the mid-80s might still remember the total epidemic of these viruses in 1987-1989. Letters were dropping from displays, and crowds of users rushed to the monitor repair people (unlike these days, when hard disk drives die of old age but some unknown modern virus gets the blame). Their computers started playing a tune called "Yankee Doodle", but by then people were already cleverer, and nobody tried to fix their speakers: very soon it became clear that the problem wasn't with the hardware, it was a virus, and not even a single one, more like a dozen.
And so viruses started infecting files. The "Brain" virus and the bouncing ball of the "Ping-pong" virus marked the conquest of the boot sector. IBM PC users of course didn't like any of this at all. And so antidotes appeared. Which was the first? I don't know; there were many of them. Only a few of them are still alive, and all of those anti-viruses grew from single-person projects into major software companies playing big roles on the software market.
There is also a notable difference in how viruses conquered different countries. The first widely spread virus in the West was a boot sector virus, "Brain"; the file viruses "Vienna" and "Cascade" appeared later. In Eastern Europe and Russia, by contrast, file viruses came first, followed by boot sector viruses a year later.
Time went on and viruses multiplied. They were all alike in a sense: they tried to get into RAM, attached themselves to files and sectors, and periodically destroyed files, diskettes and hard disks. One of the first "revelations" was the "Frodo.4096" virus, which as far as I know was the first invisible (stealth) virus. This virus intercepted INT 21h, and during DOS calls on infected files it altered the returned information so that the file appeared uninfected to the user. But this was only a layer on top of MS-DOS. In less than a year the bugs attacked the DOS kernel itself (the "Beast.512" stealth virus). The idea of invisibility continued to bear fruit: in the summer of 1991 there was a plague of "Dir_II". "Yeah!", said everyone who dug into it.
But the stealth ones were fairly easy to fight: once you clean RAM, you may stop worrying and just search for the beast and cure it to your heart's content. Self-encrypting viruses, which sometimes turned up in software collections, were more troublesome, because identifying and removing them required writing and debugging special subroutines. But nobody paid much attention to that, until... Until a new generation of viruses came, the so-called polymorphic viruses. These viruses take another approach to invisibility: they encrypt themselves (in most cases), and the instructions they use to decrypt themselves later may or may not be the same from one infected file to the next.
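The stealth mechanism described above, and why "clean RAM first" defeats it, as an added toy model that is not the article's code: a resident infector appends its body to a host file and hooks the DOS file API (standing in for INT 21h) so that reads of infected files return the original bytes and original size. A scanner that trusts the hooked API sees nothing; a scanner that reads the disk directly, or the same scanner after the hook is gone, finds the body. The file names, file contents, marker body and signature are all constructed for this example.

```python
# Toy model of a resident stealth file infector (not the article's code).
# The virus hooks the DOS file services and strips its own appended body
# from what callers read, so a scanner asking DOS sees clean files.
# Unhook ("clean RAM") or read the raw disk, and the infection shows.
# All names, contents and the marker body below are constructed.

VIRUS_BODY = b"<STEALTH-BODY>"   # stands in for the appended virus code
SIGNATURE = b"STEALTH-BODY"      # what a signature scanner looks for


class ToyDisk:
    """Bytes as they actually sit on disk (what a sector-level read returns)."""
    def __init__(self, files):
        self.files = dict(files)


class ToyDos:
    """Stand-in for the DOS file services (INT 21h); a resident virus may hook them."""
    def __init__(self, disk):
        self.disk = disk
        self.hook = None          # None = nothing resident in RAM

    def read(self, name):
        data = self.disk.files[name]
        return self.hook(name, data) if self.hook else data

    def size(self, name):
        return len(self.read(name))


def infect(disk, name):
    """Append the body to the host, the way a simple appending infector does."""
    if not disk.files[name].endswith(VIRUS_BODY):
        disk.files[name] += VIRUS_BODY


def stealth_hook(name, data):
    """The virus's INT 21h handler: hide the appended body on reads of infected files."""
    if data.endswith(VIRUS_BODY):
        return data[:-len(VIRUS_BODY)]
    return data


def go_resident(dos):
    """The virus installs itself in RAM and takes over the file services."""
    dos.hook = stealth_hook


def clean_ram(dos):
    """Boot from a clean diskette: no hook, DOS answers honestly again."""
    dos.hook = None


def scan_via_dos(dos, names):
    """Scanner that trusts the (possibly hooked) DOS API."""
    return [n for n in names if SIGNATURE in dos.read(n)]


def scan_raw(disk, names):
    """Scanner that reads the disk directly, bypassing DOS."""
    return [n for n in names if SIGNATURE in disk.files[n]]


def demo():
    # constructed sample "programs": a few bytes of fake COM code each
    disk = ToyDisk({"GAME.COM": b"\xb8\x00\x4c\xcd\x21", "EDIT.COM": b"\xcd\x20"})
    dos = ToyDos(disk)
    infect(disk, "GAME.COM")
    go_resident(dos)
    hidden = scan_via_dos(dos, disk.files)      # virus resident: nothing found
    size_lie = dos.size("GAME.COM") < len(disk.files["GAME.COM"])
    raw = scan_raw(disk, disk.files)            # raw disk read still finds it
    clean_ram(dos)
    found = scan_via_dos(dos, disk.files)       # RAM clean: the same API now finds it
    return hidden, size_lie, raw, found


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the article draws: the scanner cannot trust the operating system's answers while the virus is resident, so either the environment is made clean first or the scanner reads below the hooked layer.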
Polymorphism - Viral Mutation
The first polymorphic virus, "Chameleon", became known in the early '90s, but the problem of polymorphic viruses became really serious only a year after that, in April 1991, with the worldwide epidemic of the polymorphic virus "Tequila" (as far as I know Russia was untouched by that epidemic; the first epidemic in Russia caused by a polymorphic virus happened as late as 1994, three years later, and the virus was called "Phantom1").
The idea of self-encrypting polymorphic viruses gained popularity and gave birth to generators of polymorphic code. In early 1992 the famous "Dedicated" virus appeared, based on the first known polymorphic generator, MtE, and the first in a series of MtE viruses; shortly after that the polymorphic generator itself appeared. It is essentially an object module (OBJ file): to get a polymorphic mutant from a conventional non-encrypting virus it is enough to link the two object modules together, the polymorphic OBJ file and the virus OBJ file. Now, to create a real polymorphic virus, the author no longer has to dwell on his own encryptor/decryptor code. He can link the polymorphic generator into his virus and call it from the virus code whenever desired.
Luckily the first MtE virus did not spread and caused no epidemic, so the anti-virus developers had some time in store to prepare for the new attack.
Within a year the production of polymorphic viruses became a "trade", followed by an "avalanche" of them in 1993. Among the viruses arriving in my collection the share of polymorphic ones keeps increasing. It seems that one of the main directions in the uneasy job of creating new viruses has become the creation and debugging of polymorphic mechanisms: virus authors compete not in creating the toughest virus but the toughest polymorphic engine.
This is a partial list of the viruses that can be called 100 percent polymorphic (as of late 1993):
Bootache, CivilWar (four versions), Crusher, Dudley, Fly, Freddy, Ginger, Grog, Haifa, Moctezuma (two versions), MVF, Necros, Nukehard, PcFly (three versions), Predator, Satanbug, Sandra, Shoker, Todor, Tremor, Trigger, Uruguay (eight versions).
These viruses require special methods of detection, including emulation of the virus's executable code, mathematical algorithms for restoring parts of the virus's code and data, etc. Ten more new viruses may be considered not 100 percent polymorphic (that is, they encrypt themselves, but some bytes in the decryption routine never change):
Basilisk, Daemaen, Invisible (two versions), Mirea (several versions), Rasek (three versions), Sarov, Scoundrel, Seat, Silly, Simulation.
However, to detect them and to restore infected objects, decrypting the code is still required, because the run of unchanging bytes in the decryption routine of these viruses is too short to serve as a reliable signature.
Polymorphic generators are also being developed alongside polymorphic viruses. Several new ones have appeared, using more complex methods of generating polymorphic code. They spread widely over bulletin board systems as archives containing object modules, documentation and examples of use. By the end of 1993 there are seven known generators of polymorphic code.
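What "100 percent polymorphic" means for the scanner, and why emulation is the way out, as an added example that is not the article's or any real engine's code: a toy polymorphic engine encrypts a marker body under a random key with a randomly chosen operation (XOR, ADD or SUB, with a fixed or sliding key) and emits the decryptor in a tiny invented instruction set, shuffling the order of register setup and padding with random NOPs so that no two samples share the same byte layout. A plain signature scan of the stored sample fails every time; running the decryptor in a small emulator and then scanning the decrypted image succeeds, and the restored body can be used to disinfect. The instruction set, opcode values, BODY and SIGNATURE are all constructed for this example.

```python
# Added toy polymorphic engine plus emulation-based detector (not real virus code).
# The instruction set below is invented: 1-byte opcodes, optional 1-byte operand,
# memory under 256 bytes so addresses fit in one byte.
import random

BODY = b"TOY-VIRUS-BODY: infect the next file"   # constructed marker "virus"
SIGNATURE = b"TOY-VIRUS-BODY"                     # what the scanner looks for

NOP, SETKEY, SETPTR, SETCNT = 0x90, 0x01, 0x02, 0x03
XOR, SUB, ADD, INCPTR, INCKEY, LOOP, HALT = 0x10, 0x11, 0x12, 0x20, 0x21, 0x30, 0xFF


def junk(rng):
    """Random NOP padding: changes decryptor length and layout between samples."""
    return bytes([NOP]) * rng.randint(0, 3)


def generate_sample(rng):
    """Return decryptor || encrypted BODY, freshly mutated on every call."""
    key = rng.randint(1, 255)
    op = rng.choice([XOR, SUB, ADD])     # the operation the *decryptor* applies
    sliding = rng.random() < 0.5         # key advances by one per decrypted byte
    setup = [[SETKEY, key], [SETCNT, len(BODY)], [SETPTR, 0]]
    rng.shuffle(setup)                   # register setup in any order
    code = bytearray()
    for ins in setup:
        code += junk(rng)
        if ins[0] == SETPTR:
            ptr_slot = len(code) + 1     # patched once the decryptor size is known
        code += bytes(ins)
    code += junk(rng)
    loop_start = len(code)
    code += bytes([op]) + junk(rng) + bytes([INCPTR])
    if sliding:
        code += bytes([INCKEY])
    code += junk(rng) + bytes([LOOP, loop_start, HALT])
    code[ptr_slot] = len(code)           # encrypted body starts right after HALT
    enc = bytearray()
    for i, b in enumerate(BODY):
        k = (key + i) & 0xFF if sliding else key
        if op == XOR:
            enc.append(b ^ k)
        elif op == SUB:                  # decryptor subtracts, so encrypt by adding
            enc.append((b + k) & 0xFF)
        else:                            # decryptor adds, so encrypt by subtracting
            enc.append((b - k) & 0xFF)
    sample = bytes(code) + bytes(enc)
    assert len(sample) < 256
    return sample


def emulate(sample, max_steps=4000):
    """Run the sample on a sandboxed toy CPU; return its memory afterwards."""
    mem = bytearray(sample)
    ip = ptr = cnt = key = 0
    for _ in range(max_steps):
        if ip >= len(mem) or ptr >= len(mem):
            break                        # ran off the image: give up safely
        opc = mem[ip]
        arg = mem[ip + 1] if ip + 1 < len(mem) else 0
        if opc == NOP:
            ip += 1
        elif opc == SETKEY:
            key, ip = arg, ip + 2
        elif opc == SETPTR:
            ptr, ip = arg, ip + 2
        elif opc == SETCNT:
            cnt, ip = arg, ip + 2
        elif opc == XOR:
            mem[ptr] ^= key
            ip += 1
        elif opc == SUB:
            mem[ptr] = (mem[ptr] - key) & 0xFF
            ip += 1
        elif opc == ADD:
            mem[ptr] = (mem[ptr] + key) & 0xFF
            ip += 1
        elif opc == INCPTR:
            ptr = (ptr + 1) & 0xFF
            ip += 1
        elif opc == INCKEY:
            key = (key + 1) & 0xFF
            ip += 1
        elif opc == LOOP:
            cnt = (cnt - 1) & 0xFF
            ip = arg if cnt else ip + 2
        else:                            # HALT or an unknown byte: stop emulating
            break
    return bytes(mem)


def static_scan(sample):
    """Classic signature scan of the file as stored: defeated by the encryption."""
    return SIGNATURE in sample


def emulating_scan(sample):
    """Emulate first, then scan the decrypted image."""
    return SIGNATURE in emulate(sample)


if __name__ == "__main__":
    rng = random.Random(1993)
    a, b = generate_sample(rng), generate_sample(rng)
    print("samples differ:", a != b)
    print("static scan   :", static_scan(a), static_scan(b))
    print("emulating scan:", emulating_scan(a), emulating_scan(b))
```

The emulator is bounded by a step count and stops on the first byte it does not recognise; a real engine needs the same two safeguards, since a decryptor can be made to loop for a long time or to branch into data precisely to exhaust or confuse the emulator.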
They are:
MTE 0.90 (Mutation Engine),
TPE (Trident Polymorphic Engine), four versions,
NED (Nuke Encryption Device),
DAME (Dark Angel's Multiple Encryptor).
Since then every year has brought several new polymorphic generators, so there is little sense in publishing full lists.
Automating Production and Viral Construction Sets
Laziness is the moving force of progress (the wheel was invented because it was too tiresome to carry mammoths to the cave). This traditional wisdom needs no comment. But only in the middle of 1992 did progress in the form of automated production reach the world of viruses. On the fifth of July 1992 the first virus construction kit for IBM PC compatibles, VCL (Virus Creation Laboratory) version 1.00, was declared ready for production and shipping.
This kit generates well-commented virus source texts in assembly language, object modules and infected files themselves. VCL uses a standard windowed interface. Through a menu system one can choose the virus type, the objects to infect (COM and/or EXE), the presence or absence of self-encryption, anti-debugging measures, internal text strings, ten optional additional effects, etc. The viruses can use the standard method of infecting a file by appending their body to its end, overwrite files with their body (destroying the original content), or become companion viruses.
And so it became much easier to do wrong: if you want somebody to have some computer trouble, just run VCL and within 10 to 15 minutes you have 30-40 different viruses to run on your enemies' computers. A virus for every computer!
The further, the better. On the 27th of July came the first version of PS-MPC (Phalcon/Skism Mass-Produced Code Generator). This kit has no windowed interface; it uses a configuration file to generate the viral source code. The file describes the virus: the type of files to infect (COM or EXE); resident capabilities (unlike VCL, PS-MPC can also produce resident viruses); the method of installing the resident copy of the virus; self-encryption capabilities; the ability to infect COMMAND.COM; and lots of other useful information.
Another construction kit, G2 (Phalcon/Skism's G2 0.70 beta), was created. It supports PS-MPC configuration files, but allows many more options when coding the same functions.
The version of G2 I have is dated the first of January 1993. Apparently the authors of G2 spent New Year's Eve in front of their computers. They'd have been better off with some champagne instead; it wouldn't have hurt.
So how did the virus construction kits influence electronic wildlife? In my virus collection there are:
So we have another tendency in the development of computer viruses: the growing number of "construction kit" viruses; more unconcealedly lazy people join the ranks of virus makers, downgrading the respectable and creative profession of virus writing to a mundane rough trade.
Outside DOS
The year 1992 brought more than polymorphic viruses and virus construction kits. The end of the year saw the first virus for Windows, which thus opened a new page in the history of virus making. Small (less than 1K in size) and absolutely harmless, this non-resident virus quite proficiently infected executables in the new Windows format (NewEXE); with its appearance on the scene a window into the world of Windows was opened.
After some time viruses for OS/2 appeared, and January 1996 brought the first Windows 95 virus. At present not a single week goes by without new viruses infecting non-DOS systems; possibly the problem of non-DOS viruses will soon become more important than the problem of DOS viruses. Most likely the shift in priorities will follow the process of DOS dying out and new operating systems gaining strength together with their specific programs. As soon as all the existing DOS software has been replaced by its Windows, Windows 95 and OS/2 analogues, the problem of DOS viruses becomes nonexistent and purely theoretical for the computer community.
The first attempt to create a virus working in 386 protected mode was also made in 1993. It was a boot virus, "PMBS", named after a text string in its body. After booting from an infected drive the virus switched to protected mode, made itself the supervisor and then loaded DOS in a virtual 8086 (V86) window. Luckily this virus was born dead: its second generation refused to propagate due to several errors in the code. Besides that, the infected system hung if a program tried to reach outside V86 mode, for example to determine the presence of extended memory.
This unsuccessful attempt to create a supervisor virus remained the only one until spring 1997, when a Moscow prodigy released "PM.Wanderer", a quite successful implementation of a protected mode virus.
It is unclear now whether such supervisor viruses might present a real problem for users and anti-virus developers in the future. Most likely not, because such viruses must "go to sleep" while the new operating systems (Windows 3.xx, Windows 95/NT, OS/2) are running, which allows the virus to be detected and removed easily. But a full-scale stealth supervisor virus could mean a lot of trouble for "pure" DOS users, because from inside a DOS session running under such a supervisor the stealth virus cannot be detected at all.
Macro Virus Epidemics
August 1995. All progressive humanity, Microsoft and Bill Gates personally celebrate the release of a new operating system, Windows 95. Amid all that noise the report of a new virus, using basically new methods of infection, passed virtually unnoticed. The virus infected Microsoft Word documents.
Frankly, it wasn't the first virus to infect Word documents. Earlier the anti-virus companies had had on their hands a first experimental example of a virus that copied itself from one document to another. However, nobody paid serious attention to that not quite successful experiment. As a result virtually all the anti-virus companies turned out to be unprepared for what came next, the macro virus epidemics, and started to work out quick but inadequate measures to put an end to them. For example, several companies almost simultaneously released "anti-virus documents" that acted along much the same lines as the virus, but destroyed it instead of propagating.
By the way, it became necessary to correct the anti-virus literature in a hurry, because earlier the question "Is it possible to infect a computer by simply reading a file?" had been answered with a definite "No way!", backed by lengthy proofs.
As for the virus, which by then had got its name, "Concept", it continued its victorious ride over the planet. Having most probably been released from some division of Microsoft, "Concept" ran over thousands if not millions of computers in no time at all. That is not surprising: the exchange of texts in Microsoft Word format had in fact become one of the industry standards, and to get infected it is enough simply to open an infected document; after that every document edited by the infected copy of Word becomes infected too. As a result, having received an infected file over the Internet and opened it, the unsuspecting user became an "infection peddler", and if his correspondence was written in MS Word, it became infected too! Thus the ease of infecting MS Word, multiplied by the speed of the Internet, became one of the most serious problems in the whole history of computer viruses.
In less than a year, sometime in the summer of 1996, the "Laroux" virus appeared, infecting Microsoft Excel spreadsheets. As with "Concept", this new virus was discovered almost simultaneously at several companies.
The same year, 1996, witnessed the first macro virus construction kits; then, at the beginning of 1997, came the first polymorphic macro viruses for MS Word and the first viruses for Microsoft Office 97. The number of different macro viruses also increased steadily, reaching several hundred by the summer of 1997.
Macro viruses, which opened a new page in August 1995 and draw on all the experience in virus making accumulated over almost 10 years of continuous work and enhancement, present the biggest problem for modern virology.
Sequence of events
It's time to give a more detailed description of events. Let's start from the very beginning.
Late 1960s - early 1970s
Periodically on the mainframes of that period there appeared programs called "rabbits". These programs cloned themselves, occupied system resources and thus lowered the productivity of the system. Most probably "rabbits" did not copy themselves from system to system and were strictly local phenomena: mistakes or pranks by the system programmers servicing these computers. The first incident which may well be called an epidemic of "a computer virus" happened on the UNIVAC 1108 system. The virus called "Pervading Animal" merged itself onto the end of executable files, virtually the same thing thousands of modern viruses do.
The first half of 1970s
The "Creeper" virus, created under the Tenex operating system, used global computer networks to spread itself. The virus was capable of entering a network by itself via modem and transferring a copy of itself to the remote system. The "Reaper" anti-virus program was created to fight this virus; it was the first known anti-virus program.
Early 1980s
Computers become more and more popular. An increasing number of programs appear written not by software companies but by private persons; moreover, these programs can be freely distributed and exchanged through general-access servers, the BBSes. As a result a huge number of miscellaneous "Trojan horses" appear: programs that do some kind of harm to the system when started.
1981
The "Elk Cloner" boot virus epidemic started on Apple II computers. The virus attached itself to the boot sector of every diskette that was accessed. It showed itself in many ways: it inverted the display, made text blink and showed various messages.
1986
The first IBM PC virus pandemic, "Brain", began. This virus, infecting 360 KB diskettes, spread over the world almost instantly. The secret of such "success" probably lay in the total unpreparedness of the computer community for the phenomenon of the computer virus.
The virus was created in Pakistan by the brothers Basit and Amjad Farooq Alvi. They left a text message inside the virus with their names, address and telephone number. According to the authors, they were software vendors and wanted to know the extent of piracy in their country. Unfortunately their experiment did not stay within the borders of Pakistan.
It is also interesting that "Brain" was the first stealth virus, too: on an attempt to read the infected sector, the virus substituted the clean original.
Also in 1986 a programmer named Ralf Burger found out that a program can create copies of itself by adding its code to DOS executables. His first virus, "VirDem", was a demonstration of this capability. It was announced in December 1986 at an underground computer forum consisting of hackers who at that time specialized in cracking VAX/VMS systems (the Chaos Computer Club in Hamburg).