Where did they come from?
Since the dawn of the computer age the potential for computer viruses to harm your system has been a reality. Though virus attacks seem like a relatively new concept, the vulnerability to those attacks has been around as long as computers could connect to a network, whether a simple computer-to-computer connection or the wide web connection that is the Internet. In any case the advent of virus attacks seems to have surged because of more media coverage and more users logging on to the Internet. Historically, viruses were directed at a variety of operating systems. Currently, though, viruses prey mainly on Microsoft Windows systems. Another difference between viruses of the past and those of the present is the severity of the effect. Pre-1990s viruses affected computers by causing erratic behavior. Today, not only do viruses cause computers to operate differently, they also steal valuable user information like credit card numbers and social security numbers. You can probably understand now why the virus creation industry is bigger now than it ever was before. The new generation of viruses is more dangerous and thus more lucrative to its creators.
THE HISTORY OF COMPUTER VIRUSES
A Bit of Archeology
There are lots and lots of opinions on the date of birth of the first computer virus. All I know for sure is that there were no viruses on the Babbage machine, but the Univac 1108 and IBM 360/370 already had them ("Pervading Animal" and "Christmas tree"). Therefore the first virus was born in the very beginning of the 1970s or even at the end of the 1960s, although nobody was calling it a virus then. And with that, consider the topic of the extinct fossil species closed.
Journey's Start
Let's talk of the latest history: "Brain", "Vienna", "Cascade", etc. Those who started using IBM PCs as far back as the mid-80s might still remember the total epidemic of these viruses in 1987-1989. Letters were dropping from displays, crowds of users were rushing towards monitor service people (unlike these days, when hard disk drives die from old age but some unknown modern viruses are blamed). Their computers started playing a hymn called "Yankee Doodle", but by then people were already clever, and nobody tried to fix their speakers - very soon it became clear that the problem wasn't with the hardware, it was a virus, and not even a single one, more like a dozen.
And so viruses started infecting files. The "Brain" virus and the bouncing ball of the "Ping-pong" virus marked the victory of viruses over the boot sector. IBM PC users of course didn't like all that at all. And so there appeared antidotes. Which was the first? I don't know, there were many of them. Only a few of them are still alive, and all of those anti-viruses grew from single projects into major software companies playing big roles in the software market.
Polymorphism - Viral Mutation
The first polymorphic virus, called "Chameleon", became known in the early '90s, but the problem with polymorphic viruses became really serious only a year after that, in April 1991, with the worldwide epidemic of the polymorphic virus "Tequila" (as far as I know Russia was untouched by that epidemic; the first epidemic in Russia caused by a polymorphic virus happened as late as 1994, three years later, and the virus was called "Phantom1").
In just a year the production of polymorphic viruses became a "trade", followed by an "avalanche" of them in 1993. Among the viruses coming into my collection the share of polymorphic viruses increased. It seems that one of the main directions in this uneasy job of creating new viruses became the creation and debugging of polymorphic mechanisms; the authors of viruses compete not in creating the toughest virus but in creating the toughest polymorphic mechanism instead.
This is a partial list of the viruses that can be called 100 percent polymorphic (late 1993):
Bootache, CivilWar (four versions), Crusher, Dudley, Fly, Freddy, Ginger, Grog, Haifa, Moctezuma (two versions), MVF, Necros, Nukehard, PcFly (three versions), Predator, Satanbug, Sandra, Shoker, Todor, Tremor, Trigger, Uruguay (eight versions).
These viruses require special methods of detection, including emulation of the virus's executable code, mathematical algorithms for restoring parts of the code and data in the virus, etc. Ten more new viruses may be considered non-100 percent polymorphic (that is, they do encrypt themselves, but in the decryption routine there always exist some nonchanging bytes):
Basilisk, Daemaen, Invisible (two versions), Mirea (several versions), Rasek (three versions), Sarov, Scoundrel, Seat, Silly, Simulation.
However, to detect them and to restore the infected objects, decrypting the code is still required, because the length of the nonchanging code in the decryption routine of those viruses is too small.
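The three approaches described above (a fixed "mask", a mask with wildcards for the bytes that change, and emulation of the decryptor followed by a scan of the decrypted body) are illustrated by the following toy model, added here as an example and not taken from the original text. The "decryptor" is a tiny made-up byte-code rather than x86, the "body" is a constructed text marker rather than real code, and the samples are constructed so that each method's limits show.

```python
"""Toy model: why fixed masks fail on polymorphic samples and why
emulating the decryptor is needed for 100 percent polymorphic ones.
Assumed layout of an infected object: decryptor stub first, then the
body XOR-encrypted with a one-byte key (constructed, not a real format)."""
from typing import Optional

# Constructed toy byte-code for the decryptor stub (not real machine code)
OP_SET = 0x10   # SET imm : key = imm
OP_XOR = 0x11   # XOR imm : key ^= imm
OP_ADD = 0x12   # ADD imm : key = (key + imm) & 0xFF
OP_NOP = 0x20   # NOP     : junk padding
OP_RUN = 0x30   # RUN     : decrypt body with key and jump to it (stub ends)

BODY_PLAIN = b"[constructed toy payload] body marker"   # constructed
BODY_SIG = b"body marker"        # mask taken from the decrypted body
SEMI_WILDCARD = [OP_SET, None, OP_NOP, OP_NOP, OP_RUN]  # None = any byte


def build_sample(stub: bytes, key: int) -> bytes:
    """Constructed sample: stub followed by body XOR-encrypted with key."""
    return stub + bytes(b ^ key for b in BODY_PLAIN)


CLEAN = b"Hello, this is an ordinary document with no decryptor in it."
STATIC = BODY_PLAIN                            # old-style virus, no encryption
# Semi-polymorphic: the key byte changes, the opcodes around it never do
SEMI_A = build_sample(bytes([OP_SET, 0x5A, OP_NOP, OP_NOP, OP_RUN]), 0x5A)
SEMI_B = build_sample(bytes([OP_SET, 0xC3, OP_NOP, OP_NOP, OP_RUN]), 0xC3)
# Fully polymorphic: the key is assembled by a different instruction
# sequence in every generation, so no byte sits at a fixed offset
POLY_A = build_sample(bytes([OP_ADD, 0x3A, OP_XOR, 0xFF, OP_ADD, 0x02, OP_RUN]),
                      ((0x3A ^ 0xFF) + 0x02) & 0xFF)             # key 0xC7
POLY_B = build_sample(bytes([OP_NOP, OP_XOR, 0x7B, OP_NOP, OP_ADD, 0x11,
                             OP_XOR, 0x05, OP_RUN]),
                      ((0x7B + 0x11) & 0xFF) ^ 0x05)             # key 0x89


def scan_mask(data: bytes, mask: bytes) -> bool:
    """Method 1: classic fixed mask, a contiguous fragment of virus code."""
    return mask in data


def scan_wildcard(data: bytes, pattern: list) -> bool:
    """Method 2: mask with wildcards for the bytes that change between
    generations; only works while some decryptor bytes stay fixed."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return True
    return False


def emulate_stub(data: bytes, max_steps: int = 64) -> Optional[tuple]:
    """Method 3: execute the decryptor in a sandbox instead of matching it.
    Returns (key, body_offset) once a well-formed stub reaches RUN, or
    None if a byte is not toy code, the data is truncated, or the step
    budget runs out (so a malformed stub cannot make the scanner hang)."""
    pc, key = 0, 0
    for _ in range(max_steps):
        if pc >= len(data):
            return None
        op = data[pc]
        if op == OP_RUN:
            return key, pc + 1
        if op == OP_NOP:
            pc += 1
            continue
        if op in (OP_SET, OP_XOR, OP_ADD):
            if pc + 1 >= len(data):
                return None
            imm = data[pc + 1]
            if op == OP_SET:
                key = imm
            elif op == OP_XOR:
                key ^= imm
            else:
                key = (key + imm) & 0xFF
            pc += 2
            continue
        return None
    return None


def recover_body(data: bytes) -> Optional[bytes]:
    """Decrypt the body exactly as the stub would. This is what both the
    detection of fully polymorphic samples and the restoration of the
    infected object depend on."""
    result = emulate_stub(data)
    if result is None:
        return None
    key, off = result
    return bytes(b ^ key for b in data[off:])


def scan_emulated(data: bytes, sig: bytes = BODY_SIG) -> bool:
    body = recover_body(data)
    return body is not None and sig in body


def classify(data: bytes) -> dict:
    """Run all three methods on one object and report which ones fire."""
    r = {"mask": scan_mask(data, BODY_SIG),
         "wildcard": scan_wildcard(data, SEMI_WILDCARD),
         "emulation": scan_emulated(data)}
    r["detected"] = any(r.values())
    return r


if __name__ == "__main__":
    for name in ("CLEAN", "STATIC", "SEMI_A", "SEMI_B", "POLY_A", "POLY_B"):
        print(f"{name:7} {classify(globals()[name])}")
```

Run as a script, the table shows the fixed mask catching only the unencrypted sample, the wildcard mask catching the semi-polymorphic pair, and emulation catching everything encrypted.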
After some time there appeared viruses for OS/2, and January 1996 brought the first Windows95 virus. Presently not a single week goes by without new viruses infecting non-DOS systems; possibly the problem of non-DOS viruses will soon become more important than the problem of DOS viruses. Most likely the change of priorities will resemble the process of DOS dying and new operating systems gaining strength together with their specific programs. As soon as all the existing software for DOS is replaced by its Windows, Windows95 and OS/2 analogues, the problem of DOS viruses will become nonexistent and purely theoretical for the computer community.
The first attempt to create a virus working in 386 protected mode was also made in 1993. It was a boot virus "PMBS", named after a text string in its body. After booting from an infected drive this virus switched to protected mode, made itself the supervisor and then loaded DOS in V86 virtual mode. Luckily this virus was born dead - its second generation refused to propagate due to several errors in the code. Besides that, the infected system "hung" if some program tried to reach outside V86 mode, for example to determine the presence of extended memory.
This unsuccessful attempt to create a supervisor virus remained the only one up to the spring of 1997, when one Moscow prodigy released "PM.Wanderer" - a quite successful implementation of a protected mode virus.
It is unclear now whether such supervisor viruses might present a real problem for users and anti-virus developers in the future. Most likely not, because such viruses must "go to sleep" while new operating systems (Windows 3.xx, Windows95/NT, OS/2) are up and running, allowing for easy detection and killing of the virus. But a full-scale stealth supervisor virus may mean a lot of trouble for "pure" DOS users, because it is absolutely impossible to detect such a stealth virus under pure DOS.
Macro Virus Epidemics
August 1995. All progressive humanity, Microsoft and Bill Gates personally celebrated the release of a new operating system, Windows95. Amid all that noise the message about a new virus using fundamentally new methods of infection went virtually unnoticed. The virus infected Microsoft Word documents.
Meanwhile the virus, which by that time had got its name, "Concept", continued its ride of victory over the planet. Having most probably been released in some division of Microsoft, "Concept" ran over thousands if not millions of computers in no time at all. That is not surprising, because text exchange in Microsoft Word format had in fact become one of the industry standards, and to get infected by the virus it is sufficient just to open an infected document; after that all the documents edited by the infected copy of Word become infected too. As a result, having received an infected file over the Internet and opened it, the unsuspecting user became an "infection peddler", and if his correspondence was written with the help of MS Word, it also became infected! Therefore the possibility of infecting MS Word, multiplied by the speed of the Internet, became one of the most serious problems in the whole history of computer viruses.
In less than a year, sometime in the summer of 1996, there appeared the "Laroux" virus, infecting Microsoft Excel spreadsheets. As had happened with "Concept", this new virus was discovered almost simultaneously in several companies.
Chronology of Events
It's time to give a more detailed description of events. Let's start from the very beginning.
Late 1960s - early 1970s
Periodically on the mainframes of that period there appeared programs called "rabbits". These programs cloned themselves and occupied system resources, thus lowering the performance of the system. Most probably "rabbits" did not copy themselves from system to system and were strictly local phenomena - mistakes or pranks by the system programmers servicing these computers. The first incident which may well be called an epidemic of "a computer virus" happened on the Univac 1108 system. The virus called "Pervading Animal" appended itself to the end of executable files - virtually the same thing that thousands of modern viruses do.
The first half of 1970s
"The Creeper" virus, created under the Tenex operating system, used global computer networks to spread itself. The virus was capable of entering a network by itself via modem and transferring a copy of itself to a remote system. "The Reaper" anti-virus program was created to fight this virus; it was the first known anti-virus program.
Early 1980s
Computers become more and more popular. An increasing number of programs appear written not by software companies but by private persons; moreover, these programs may be freely distributed and exchanged through general-access servers (BBS). As a result there appear a huge number of miscellaneous "Trojan horses", programs doing some kind of harm to the system when started.
1981
The "Elk Cloner" boot virus epidemic started on Apple II computers. The virus attached itself to the boot sector of diskettes that were accessed. It showed itself in many ways - it turned the display upside down, made text blink and showed various messages.
1986
The first IBM PC virus "Brain" pandemic began. This virus, infecting 360 KB diskettes, spread over the world almost momentarily. The secret of such a "success" probably lay in the total unpreparedness of the computer community for such a phenomenon as a computer virus.
The virus was created in Pakistan by the brothers Basit and Amjad Farooq Alvi. They left a text message inside the virus with their names, address and telephone number. According to the authors of the virus they were software vendors and wanted to know the extent of piracy in their country. Unfortunately their experiment left the borders of Pakistan.
It is also interesting that the "Brain" virus was the first stealth virus, too - if there was an attempt to read the infected sector, the virus substituted the clean original one for it.
Also in 1986 a programmer named Ralph Burger found out that a program can create copies of itself by adding its code to DOS executables. His first virus, called "VirDem", was a demonstration of this capability. The virus was announced in December 1986 at an underground computer forum consisting of hackers specializing at that time in cracking VAX/VMS systems (the Chaos Computer Club in Hamburg).
1987
The "Vienna" virus appears. Ralph Burger, whom we already know, gets a copy of this virus, disassembles it, and publishes the result in his book "Computer Viruses: a High-tech Disease". Burger's book made the idea of writing viruses popular, explained how to do it, and therefore stimulated the creation of hundreds and then thousands of computer viruses in which some of the ideas from his book were implemented.
1988
On Friday the 13th, 1988, several companies and universities in many countries of the world "got acquainted" with the "Jerusalem" virus. On that day the virus destroyed the files that users attempted to run. Probably this is one of the first MS-DOS viruses which caused a real pandemic; there was news about infected computers from Europe, America and the Middle East. Incidentally, the virus got its name after one of the places it struck - the Jerusalem University.
"Jerusalem", together with several other viruses ("Cascade", "Stoned", "Vienna"), infected thousands of computers while still going unnoticed - anti-virus programs were not as common then as they are now, and many users and even professionals did not believe in the existence of computer viruses. It is notable that in the same year the legendary computer guru Peter Norton announced that computer viruses did not exist. He declared them to be a myth of the same kind as alligators in the New York sewers. Nevertheless this delusion did not prevent Symantec from starting its own anti-virus project, Norton Anti-virus, some time later.
Notoriously false messages about new computer viruses started to appear, causing panic among computer users. One of the first virus hoaxes of this kind belongs to a Mike RoChenle (pronounced very much like "Microchannel"), who uploaded a lot of messages to BBS systems describing a supposed virus copying itself from one BBS to another via modem at a speed of 2400 baud. Funny as it may seem, many users gave up the 2000 baud standard of that time and lowered the speed of their modems to 1200 baud.
November 1988: a total epidemic of the Morris network virus (a.k.a. the Internet Worm). This virus infected more than 6000 computer systems in the USA (including the NASA Research Institute) and practically paralyzed their work. Because of erratic code the virus sent unlimited copies of itself to other network computers, like the "Christmas Tree" worm virus, and for that reason completely paralyzed all the network resources. Total losses caused by the Morris virus were estimated at 96 million dollars.
This virus used errors in the Unix operating systems for VAX and Sun Microsystems to propagate. Besides the errors in Unix the virus utilized several more original ideas, for example picking up user passwords. A more detailed story of this virus and the corresponding incidents may be found in rather detailed and interesting articles.
December 1988: the season of worm viruses continues, this time in DECNet. The worm virus called HI.COM output an image of a spruce and informed users that they should "stop computing and have a good time at home!!!"
There also appeared new anti-virus programs, for example Dr. Solomon's Anti-virus Toolkit, presently one of the most powerful anti-virus packages.
1989
New viruses "Datacrime" and "FuManchu" appear, as do whole families like "Vacsina" and "Yankee". The first one acted extremely dangerously - from October 13th to December 31st it formatted hard disks. This virus "broke free" and caused total hysteria in the mass media in Holland and Great Britain.
September 1989: one more anti-virus program begins shipping - IBM Anti-virus.
October 1989: one more epidemic in DECNet, this time a worm virus called "WANK Worm".
December 1989: an incident with a "Trojan horse" called "AIDS". 20,000 copies were shipped on diskettes marked "AIDS Information Diskette Version 2.0". After 90 boot-ups the "Trojan" program encrypted all the filenames on the disk, made them invisible (setting the "hidden" attribute) and left only one file readable - a bill for $189 payable to the address P.O. Box 7, Panama. The author of this program was apprehended and sent to jail.
1990
This year brought several notable events. The first one was the appearance of the first polymorphic viruses, "Chameleon" (a.k.a. "V2P1", "V2P2", and "V2P6"). Until then anti-virus programs had used "masks" - fragments of virus code - to look for viruses. After "Chameleon"'s appearance anti-virus developers had to look for different methods of virus detection.
The second event was the appearance of the Bulgarian "virus production factory": enormous numbers of new viruses were created in Bulgaria. Whole families of viruses appeared - "Murphy", "Nomenclatura", "Beast" (or "512", "Number-of-Beast"), modifications of the "Eddie" virus, etc. A certain Dark Avenger became extremely active, making several new viruses a year and utilizing fundamentally new algorithms for infecting and covering tracks in the system. It was also in Bulgaria that the first BBS dedicated to the exchange of virus code and information for virus makers opened.
In July 1990 there was an incident with the "PC Today" computer magazine (Great Britain). It contained a floppy disk infected with the "DiskKiller" virus. More than 50,000 copies were sold.
In the second half of 1990 there appeared two stealth monsters - "Frodo" and "Whale". Both viruses utilized extremely complicated stealth algorithms; on top of that the 9KB "Whale" used several levels of encryption and anti-debugging techniques.
1991
The computer virus population grows continuously, now reaching several hundred. Anti-virus vendors also show increasing activity: two software giants at once (Symantec and Central Point) issue their own anti-virus programs - Norton Anti-virus and Central Point Anti-virus. They are followed by less known anti-viruses from Xtree and Fifth Generation.
In April a full-scale epidemic broke out, caused by the file and boot polymorphic virus "Tequila", and in September the same kind of story happened with the "Amoeba" virus.
1992
Non-IBM PC and non-MS-DOS viruses are virtually forgotten: "holes" in global access networks are closed, errors corrected, and network worm viruses have lost the ability to spread themselves. File, boot and file-boot viruses for the most widely spread operating system (MS-DOS) on the most popular computer model (IBM PC) are becoming more and more important. The number of viruses increases in geometric progression; various virus incidents happen almost every day. Miscellaneous anti-virus programs are being developed, and dozens of books and several periodical magazines on anti-viruses are being printed. A few things stand out:
Early 1992: the first polymorphic generator, MtE, serving as a base for several polymorphic viruses which follow almost immediately. MtE was also the prototype for a few forthcoming polymorphic generators.
March 1992: the "Michelangelo" virus epidemic (a.k.a. "March6") and the following hysteria took place. Probably this is the first known case when anti-virus companies made a fuss about a virus not to protect users from any kind of danger but to attract attention to their products, that is, to create profits. One American anti-virus company actually announced that on the 6th of March the information on over five million computers would be destroyed. As a result of the fuss, the profits of various anti-virus companies jumped several times; in reality only about 10,000 computers suffered from that virus.
July 1992: the first virus construction sets were made, VCL and PS-MPC. They made the already large flow of new viruses even larger. They also stimulated virus makers to create other, more powerful construction sets, as MtE had done in its area.
Late 1992: the first Windows virus appears, infecting this OS's executables, and starts a new page in virus making.
1993
Virus makers are starting to do some serious damage: besides hundreds of mundane viruses which are no different from their counterparts, besides whole polymorphic generators and construction sets, besides new electronic magazines for virus makers, there appear more and more viruses using highly unusual ways of infecting files, introducing themselves into the system, etc. The main examples are:
1994
The problem of CD viruses is getting more important. Having quickly gained popularity, CDs became one of the main means of spreading viruses. There were several simultaneous cases when a virus got onto the master disk while a batch of CDs was being prepared. As a result a fairly large number (tens of thousands) of infected CDs hit the market. Of course they cannot be cured; they just have to be destroyed.
Early in the year in Great Britain there popped up two extremely complicated polymorphic viruses, "SMEG.Pathogen" and "SMEG.Queeg" (even now not all anti-virus programs are able to give 100% correct detection of these viruses). Their author placed infected files on a BBS, causing real panic and fear of epidemics in the mass media.
Some new and unusual enough viruses appear:
January 1994: "Shifter" - the first virus infecting object modules (OBJ files). "Phantom1" - the cause of the first epidemic of a polymorphic virus in Moscow.
April 1994: "SrcVir" - the virus family infecting program source code (C and Pascal).
June 1994: "OneHalf" - one of the most popular viruses in Russia so far starts a total epidemic.
September 1994: "3APA3A" - a boot-file virus epidemic. This virus uses a highly unusual way of incorporating itself into MS-DOS. No anti-virus was ready to meet such a monster.
1995
Nothing in particular happens among DOS viruses, although there appear several complicated enough monster viruses like "NightFall", "Nostardamus" and "Nutcracker", and also some funny viruses like the "bisexual" virus "RMNS" and the BAT virus "Winstart". The "ByWay" and "DieHard2" viruses become widespread, with news about infected computers coming from all over the world.
February 1995: an incident with Microsoft: Windows95 demo disks were infected by "Form". Copies of these disks were sent to beta testers by Microsoft; one of the testers was not too lazy to test the disks for viruses.
Spring 1995: two anti-virus companies - ESaSS (ThunderBYTE anti-virus) and Norman Data Defense (Norman Virus Control) - announce their alliance. These companies, each making powerful enough anti-viruses, joined efforts and started working on a joint anti-virus system.
August 1995: one of the turning points in the history of viruses and anti-viruses: the first "live" virus for Microsoft Word ("Concept") actually appeared. Within a few months the virus "tripped around the world", pestering the computers of MS Word users and becoming a firm No. 1 in the statistical research held by various computer titles.
1996
January 1996: two notable events - the appearance of the first Windows95 virus ("Win95.Boza") and the epidemic of the extremely complicated polymorphic virus "Zhengxi" in St. Petersburg (Russia).
March 1996: the first Windows 3.x virus epidemic. The name of the virus is "Win.Tentacle". This virus infected a computer network in a hospital and in several other institutions in France. This event is especially interesting because this was the FIRST Windows virus on a spree. Before that time (as far as I know) all Windows viruses had been living only in collections and electronic magazines of virus makers; only boot viruses, DOS viruses and macro viruses were known to ride free.
June 1996: "OS2.AEP" - the first virus for OS/2 correctly infecting EXE files of this operating system. Earlier under OS/2 there existed only viruses writing themselves in place of a file, destroying it, or acting as companions.
July 1996: "Laroux" - the first virus for Microsoft Excel caught live (originally at the same time in two oil companies in Alaska and in the South African Republic). The idea of "Laroux", like that of the Microsoft Word viruses, was based on the presence of so-called macros (or Basic programs) in the files. Such programs can be included in both Microsoft Excel spreadsheets and Microsoft Word documents. As it turned out, the Basic language built into Microsoft Excel also allows one to create viruses.
December 1996: "Win95.Punch" - the first "memory resident" virus for Windows95. It stays in Windows memory as a VxD driver, hooks file access and infects Windows EXE files that are opened.
1997
February 1997: "Linux.Bliss" - the first virus for Linux (a Unix clone). This way viruses occupied one more "biological" niche.
February-April 1997: macro viruses migrated to Office97. The first of them turned out to be only macro viruses for Microsoft Word 6/7 "converted" to the new format, but virtually immediately there appeared viruses aimed at Office97 documents exclusively.
March 1997: "ShareFun" - a macro virus hitting Microsoft Word 6/7. It uses not only the standard features of Microsoft Word to propagate but also sends copies of itself via MS-Mail.
April 1997: "Homer" - the first network worm virus using the File Transfer Protocol (FTP) for propagation.
June 1997: the first self-encrypting virus for Windows95 appears. This virus of Russian origin was sent to several BBSes in Moscow, which caused an epidemic.
November 1997: the "Esperanto" virus. This is the first virus that intends to infect not only DOS and Windows32 executable files but also spread into Mac OS (Macintosh). Fortunately, the virus is not able to spread across the platforms because of bugs.
December 1997: a new virus type, the so-called "mIRC Worms", came into being. The most popular Windows Internet Relay Chat (IRC) utility, known as mIRC, proved to have a "hole" allowing virus scripts to transmit themselves along IRC channels. The next mIRC version blocked the hole and the mIRC Worms vanished.
October 1997: the agreement on licensing the use of AVP technologies in F-Secure Anti-Virus (FSAV) was signed. The F-Secure Anti-Virus (FSAV) package was the new anti-virus product of DataFellows (Finland). Before that DataFellows had been known as the manufacturer of the F-PROT anti-virus package.
1998
The virus attack on MS Windows, MS Office and network applications does not weaken. New viruses arose employing still more complex tricks while infecting computers and advanced methods of network-to-computer penetration. Besides, numerous so-called Trojans stealing Internet access passwords and several kinds of latent administration utilities came into the computer world. Several incidents with infected CDs were revealed: some computer media publishers distributed CIH and Marburg (Windows viruses) through infected CDs attached to the covers of their issues.
The beginning of the year: the epidemic of the "Win32.HLLP.DeTroie" virus family, not just infecting Windows32 executable files but also capable of transmitting to its "owner" information on the infected computer, shocked the computer world. As the viruses used specific libraries attached only to the French version of Windows, the epidemic affected just the French-speaking countries.
February 1998: one more virus type infecting Excel tables, "Excel4.Paix" (aka "Formula.Paix"), was detected. This type of macro virus, while rooting into Excel tables, does not employ the macro area usual for this kind of virus but formulas, which proved capable of accommodating self-reproducing code.
February - March 1998: "Win95.HPS" and "Win95.Marburg" - the first polymorphic Windows32 viruses were detected, and furthermore they were "in the wild". Anti-virus developers had nothing to do but rush to adapt the polymorphic virus detection techniques, designed so far just for DOS viruses, to the new conditions.
March 1998: "AccessiV" - the first Microsoft Access virus was born. There was no boom about that (as there was with the "Word.Concept" and "Excel.Laroux" viruses), as the computer community had already got used to MS Office applications going down thick and fast.
March 1998: the "Cross" macro virus, the first virus infecting two different MS Office applications - Access and Word - is detected. Hereupon several more viruses transferring their code from one MS Office application to another have emerged.
May 1998 - the "RedTeam" virus infects Windows EXE files and dispatches the infected files through Eudora e-mail.
June 1998 - the "Win95.CIH" virus epidemic was massive at the beginning, then became global and then turned into a kind of computer holocaust: the number of reports of infected computer networks and home personal computers came to hundreds if not thousands. The beginning of the epidemic was registered in Taiwan, where some unknown hacker mailed the infected files to local Internet conferences. From there the virus made its way to the USA where, through staff oversight, it at once infected several popular Web servers that started to distribute infected game programs. Most likely these infected files on game servers brought about the computer holocaust that dominated the computer world all year. According to the "popularity" ratings the virus pushed "Word.CAP" and "Excel.Laroux" into second place. One should also pay attention to the virus's dangerous manifestation - depending on the current date the virus erased the Flash BIOS, which in some conditions could kill the motherboard.
August 1998: nascence of the sensational "BackOrifice" ("Backdoor.BO") - a utility for latent (hacker's) management of remote computers and networks. After "BackOrifice" some other similar programs - "NetBus", "Phase" and others - came into being.
Also in August the first virus infecting Java executable files, "Java.StangeBrew", was born. The virus was no danger to Internet users, as there was no way to employ the functions critical for the virus's replication on any remote computer. However it revealed that even Web browsers could be attacked by viruses.
November 1998: "VBScript.Rabbit" - the Internet expansion of computer parasites proceeded with three viruses infecting VisualBasic scripts (VBS files), which are actively used in Web page development. As the logical consequence of VBScript viruses, a full-value HTML virus ("HTML.Internal") was born. Virus writers obviously turned their efforts to network applications and to the creation of a full-value network worm virus that could employ MS Windows and Office features, infect remote computers and Web servers and/or aggressively replicate itself through e-mail.
What Will be Tomorrow?
What can be expected from the computer underground in the coming years? Most probably the main problems will remain the following:
1) polymorphic DOS viruses, with additional problems of polymorphism in macro viruses and viruses for Windows and maybe OS/2;
2) macro viruses with new and improved ways of infecting and covering tracks of their code in the system;
3) network viruses, using network protocols and commands for spreading.
Type 3) is now only in the earliest stage of development - viruses make their first faint attempts to spread their code by themselves via Microsoft Mail and FTP, but the best is yet to come.
There may appear other problems which might bring a lot of trouble to users and plenty of extra work to the developers of anti-virus programs. However, I look to the future optimistically: every problem in the history of the development of viruses has been more or less successfully solved.
Future problems, which are now just ideas in the sick minds of virus makers, will most probably be solved in the same way!
Since the dawn of the computer age the potential for computer viruses to harm your system has been a reality. Though virus attacks seem like a relatively new concept, the vulnerability to those attacks have been around as long as computers could connect to a network, whether a simple computer to computer connection or the wide web connection that is the Internet. In any case the advent of virus attacks seems to have surged because of more media coverage and more users logging on to the Internet. Historically, viruses were directed at a variety of operating systems. Currently though, viruses prey mainly on Microsoft Windows systems. Another difference between viruses of the past and those of the present is the severity of the effect. Pre-1990's viruses affected computers by causing erratic behavior. Today, not only do viruses cause computers to operate differently, they also steal valuable user information like credit card numbers and social security numbers. You can probably understand now why the virus creation industry is bigger now than it ever was before. The new generation of viruses are more dangerous and thus more lucrative to its creators.
THE HISTORY OF COMPUTER VIRUSES
A Bit of Archeology
There are lots and lots of opinions on the date of birth of the first computer virus. I know for sure only that there were no viruses on the Babbage machine, but the Univac 1108 and IBM 360/370 already had them ("Pervading Animal" and "Christmas Tree"). Therefore the first virus was born in the very beginning of the 1970s or even at the end of the 1960s, although nobody was calling it a virus then. And with that, consider the topic of the extinct fossil species closed.
Journey's Start
Let's talk about more recent history: "Brain", "Vienna", "Cascade", etc. Those who started using IBM PCs as far back as the mid-80s might still remember the total epidemic of these viruses in 1987-1989. Letters were dropping from displays, crowds of users were rushing to the monitor service people (unlike these days, when hard disk drives die from old age and yet some unknown modern virus gets the blame). Their computers started playing a tune called "Yankee Doodle", but by then people were already clever, and nobody tried to fix their speakers: very soon it became clear that the problem wasn't with the hardware, it was a virus, and not even a single one, more like a dozen.
And so viruses started infecting files. The "Brain" virus and the bouncing ball of the "Ping-pong" virus marked the victory of viruses over the boot sector. IBM PC users of course didn't like all that at all. And so antidotes appeared. Which was the first? I don't know; there were many of them. Only a few of them are still alive, and all of these anti-viruses grew from single projects into major software companies playing big roles in the software market.
Polymorphism - Viral Mutation
The first polymorphic virus, called "Chameleon", became known in the early '90s, but the problem with polymorphic viruses became really serious only a year after that, in April 1991, with the worldwide epidemic of the polymorphic virus "Tequila" (as far as I know Russia was untouched by that epidemic; the first epidemic in Russia caused by a polymorphic virus happened as late as 1994, three years later, and the virus was called "Phantom1").
In just a year the production of polymorphic viruses became a "trade", followed by an "avalanche" of them in 1993. Among the viruses coming into my collection the share of polymorphic viruses kept increasing. It seems that one of the main directions in this uneasy job of creating new viruses became the creation and debugging of the polymorphic mechanism; the authors of viruses competed not in creating the toughest virus but the toughest polymorphic mechanism instead.
This is a partial list of the viruses that can be called 100 percent polymorphic (late 1993):
Bootache, CivilWar (four versions), Crusher, Dudley, Fly, Freddy, Ginger, Grog, Haifa, Moctezuma (two versions), MVF, Necros, Nukehard, PcFly (three versions), Predator, Satanbug, Sandra, Shoker, Todor, Tremor, Trigger, Uruguay (eight versions).
These viruses require special methods of detection, including emulation of the virus's executable code, mathematical algorithms for restoring parts of the code and data in the virus, etc. Ten more new viruses may be considered non-100 percent polymorphic (that is, they do encrypt themselves, but in the decryption routine there always exist some nonchanging bytes):
Basilisk, Daemaen, Invisible (two versions), Mirea (several versions), Rasek (three versions), Sarov, Scoundrel, Seat, Silly, Simulation.
However, to detect them and to restore the infected objects, decrypting the code is still required, because the length of the nonchanging code in the decryption routine of those viruses is too small.
After some time viruses for OS/2 appeared, and January 1996 brought the first Windows95 virus. Presently not a single week goes by without new viruses infecting non-DOS systems; possibly the problem of non-DOS viruses will soon become more important than the problem of DOS viruses. Most likely the process of changing priorities will resemble the process of DOS dying and new operating systems gaining strength together with their specific programs. As soon as all the existing software for DOS is replaced by its Windows, Windows95 and OS/2 analogues, the problem of DOS viruses becomes nonexistent and purely theoretical for the computer community.
The first attempt to create a virus working in 386 protected mode was also made in 1993. It was a boot virus, "PMBS", named after a text string in its body. After boot-up from an infected drive this virus switched to protected mode, made itself the supervisor and then loaded DOS in V86 (virtual 8086) mode. Luckily this virus was born dead: its second generation refused to propagate due to several errors in the code. Besides that, the infected system hung if some program tried to reach outside V86 mode, for example to determine the presence of extended memory.
This unsuccessful attempt to create a supervisor virus remained the only one up to the spring of 1997, when one Moscow prodigy released "PM.Wanderer", a quite successful implementation of a protected mode virus.
It is unclear now whether such supervisor viruses might present a real problem for users and anti-virus program developers in the future. Most likely not, because such viruses must "go to sleep" while new operating systems (Windows 3.xx, Windows95/NT, OS/2) are up and running, allowing for easy detection and killing of the virus. But a full-scale stealth supervisor virus may mean a lot of trouble for "pure" DOS users, because it is absolutely impossible to detect such a stealth virus under pure DOS.
Macro Virus Epidemics
August 1995. All of progressive humanity, Microsoft and Bill Gates personally celebrate the release of a new operating system, Windows95. Amid all that noise the message about a new virus using fundamentally new methods of infection went virtually unnoticed. The virus infected Microsoft Word documents.
The virus, which by that time had got its name, "Concept", continued its ride of victory over the planet. Having most probably been released in some division of Microsoft, "Concept" ran over thousands if not millions of computers in no time at all. That is not surprising, because exchanging text in Microsoft Word format had in fact become one of the industry standards, and to get infected by the virus it is sufficient just to open an infected document; then all the documents edited by the infected copy of Word become infected too. As a result, having received an infected file over the Internet and opened it, the unsuspecting user became an "infection peddler", and if his correspondence was written with the help of MS Word, it also became infected! Therefore the possibility of infecting MS Word, multiplied by the speed of the Internet, became one of the most serious problems in the whole history of computer viruses.
In less than a year, sometime in the summer of 1996, the "Laroux" virus appeared, infecting Microsoft Excel spreadsheets. As with "Concept", this new virus was discovered almost simultaneously in several companies.
Chronology of Events
It's time to give a more detailed description of events. Let's start from the very beginning.
Late 1960s - early 1970s
Periodically on the mainframes of that period there appeared programs called "rabbits". These programs cloned themselves and occupied system resources, thus lowering the productivity of the system. Most probably "rabbits" did not copy themselves from system to system and were strictly local phenomena: mistakes or pranks by the system programmers servicing these computers. The first incident which may well be called an epidemic of "a computer virus" happened on the Univac 1108 system. The virus called "Pervading Animal" merged itself onto the end of executable files, virtually the same thing as thousands of modern viruses do.
The first half of 1970s
"The Creeper" virus, created under the Tenex operating system, used global computer networks to spread itself. The virus was capable of entering a network by itself via modem and transferring a copy of itself to a remote system. The "Reaper" anti-virus program was created to fight this virus; it was the first known anti-virus program.
Early 1980s
Computers become more and more popular. An increasing number of programs appear, written not by software companies but by private persons; moreover, these programs may be freely distributed and exchanged through general-access servers, the BBSes. As a result a huge number of miscellaneous "Trojan horses" appear: programs that do some kind of harm to the system when started.
1981
"Elk Cloner" boot virus epidemics started on Apple II computers. The virus attached itself to the boot sector of diskettes that were accessed. It showed itself in many ways: it turned over the display, made text displays blink and showed various messages.
1986
The first IBM PC virus pandemic, "Brain", began. This virus, infecting 360 KB diskettes, spread over the world almost instantly. The secret of a "success" like this probably lay in the total unpreparedness of the computer community for such a phenomenon as a computer virus.
The virus was created in Pakistan by the brothers Basit and Amjad Farooq Alvi. They left a text message inside the virus with their names, address and telephone number. According to the authors of the virus, they were software vendors and wanted to know the extent of piracy in their country. Unfortunately their experiment left the borders of Pakistan.
It is also interesting that the "Brain" virus was the first stealth virus, too: if there was an attempt to read the infected sector, the virus substituted a clean original one for it.
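The stealth behaviour described here for "Brain", and the later remark that such a virus cannot be detected from inside a "pure" DOS whose disk services it controls, are easier to reason about with a model. The following is an added example, not code from the article: a constructed toy diskette with a read hook that serves the saved clean boot sector in place of the infected one. It shows why a scanner that reads through the hooked service misses the infection, why a clean-boot (raw media) scan finds it, and, going slightly beyond the text, a cross-view check that flags the interceptor by comparing the two read paths; that check only works when a read path exists that the hook does not cover, which is exactly what the author says is missing under pure DOS. Sector layout, the `SIG` marker and all class and function names are inventions for the illustration.

```python
# Toy model of a stealth boot-sector hook and how scanners see it.
# Constructed illustration only: no real virus code or disk format is involved.
SECTOR = 512

class Diskette:
    """A few 512-byte sectors; read_raw() is the direct media read a
    clean-booted scanner would get."""
    def __init__(self, sectors: int = 4):
        self.sectors = [bytearray(SECTOR) for _ in range(sectors)]
        self.sectors[0][:9] = b"CLEANBOOT"          # constructed clean boot sector

    def read_raw(self, n: int) -> bytes:
        return bytes(self.sectors[n])

class StealthHook:
    """Models the resident interceptor: on installation it stashes the original
    boot sector elsewhere on the diskette and overwrites sector 0; afterwards any
    read of sector 0 that goes through it is answered with the stashed clean copy."""
    def __init__(self, disk: Diskette, infected_boot: bytes, stash_sector: int):
        self.disk = disk
        self.stash = stash_sector
        disk.sectors[stash_sector][:] = disk.sectors[0]        # save the clean copy
        disk.sectors[0][:len(infected_boot)] = infected_boot   # replace the boot sector

    def read_via_os(self, n: int) -> bytes:
        if n == 0:
            return self.disk.read_raw(self.stash)  # the lie: serve the clean copy
        return self.disk.read_raw(n)

SIG = b"TOY-INFECTED-BOOT"   # constructed marker standing in for a real signature

def scan_through_os(hook: StealthHook) -> bool:
    """Signature scan that trusts the (hooked) system read service."""
    return SIG in hook.read_via_os(0)

def scan_clean_boot(disk: Diskette) -> bool:
    """Signature scan from a clean boot: reads the media directly."""
    return SIG in disk.read_raw(0)

def cross_view_check(hook: StealthHook) -> bool:
    """Cross-view detection: any sector that reads differently through the OS
    than from the raw media betrays an interceptor, signature or not.
    Requires a raw read path the hook does not control."""
    disk = hook.disk
    return any(hook.read_via_os(n) != disk.read_raw(n)
               for n in range(len(disk.sectors)))

if __name__ == "__main__":
    d = Diskette()
    h = StealthHook(d, SIG, stash_sector=3)
    print("scan through hooked OS service:", scan_through_os(h))   # missed
    print("scan after clean boot:", scan_clean_boot(d))            # found
    print("cross-view discrepancy:", cross_view_check(h))          # found
```

The defender's lesson is the one the article draws: scanning from a trusted boot medium is what defeats a resident stealth virus, because any check routed through the infected system's own disk services is answered by the virus.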
Also in 1986 a programmer named Ralph Burger found out that a program can create copies of itself by adding its code to DOS executables. His first virus, called "VirDem", was a demonstration of this capability. The virus was announced in December 1986 at an underground computer forum consisting of hackers specializing at that time in cracking VAX/VMS systems (the Chaos Computer Club in Hamburg).
1987
"Vienna" virus appears. Ralph Burger, whom we already know, gets a copy of this virus, disassembles it, and publishes the result in his book "Computer Viruses: a High-tech Disease". Burger's book made the idea of writing viruses popular, explained how to do it, and therefore stimulated the creation of hundreds and later thousands of computer viruses in which some of the ideas from his book were implemented.
1988
On Friday the 13th, 1988, several companies and universities in many countries of the world "got acquainted" with the "Jerusalem" virus. On that day the virus destroyed files that users attempted to run. Probably this is one of the first MS-DOS viruses to cause a real pandemic; there was news about infected computers from Europe, America and the Middle East. Incidentally the virus got its name after one of the places it struck, the Jerusalem University.
"Jerusalem", together with several other viruses ("Cascade", "Stoned", "Vienna"), infected thousands of computers while still going unnoticed: anti-virus programs were not as common then as they are now, and many users and even professionals did not believe in the existence of computer viruses. It is notable that in the same year the legendary computer guru Peter Norton announced that computer viruses did not exist. He declared them to be a myth of the same kind as alligators in the New York sewers. Nevertheless this delusion did not prevent Symantec from starting its own anti-virus project, Norton Anti-virus, some time later.
Notoriously false messages about new computer viruses started to appear, causing panic among computer users. One of the first virus hoaxes of this kind belongs to a Mike RoChenle (pronounced very much like "Microchannel"), who uploaded a lot of messages to BBS systems describing a supposed virus copying itself from one BBS to another via modem at a speed of 2400 baud. Funny as it may seem, many users gave up the 2000 baud standard of that time and lowered the speed of their modems to 1200 baud.
November 1988: a total epidemic of the network virus of Morris (a.k.a. the Internet Worm). This virus infected more than 6000 computer systems in the USA (including a NASA research institute) and practically paralyzed their work. Because of erratic code, the virus sent unlimited copies of itself to other network computers, like the "Christmas Tree" worm, and for that reason completely paralyzed all the network resources. Total losses caused by the Morris virus were estimated at 96 million dollars.
This virus used errors in the Unix operating systems for VAX and Sun Microsystems to propagate. Besides the errors in Unix the virus utilized several more original ideas, for example picking up user passwords. A more detailed story of this virus and the corresponding incidents may be found in rather detailed and interesting articles.
December 1988: the season of worm viruses continues, this time in DECNet. A worm virus called HI.COM output an image of a spruce and informed users that they should "stop computing and have a good time at home!!!"
New anti-virus programs also appeared, for example Dr. Solomon's Anti-virus Toolkit, still one of the most powerful anti-virus packages at present.
1989
New viruses "Datacrime" and "FuManchu" appear, as do whole families like "Vacsina" and "Yankee". The first one acted extremely dangerously: from October 13th to December 31st it formatted hard disks. This virus "broke free" and caused total hysteria in the mass media in Holland and Great Britain.
September 1989: one more anti-virus program begins shipping, IBM Anti-virus.
October 1989: one more epidemic in DECNet, this time a worm virus called the "WANK Worm".
December 1989: an incident with a "Trojan horse" called "AIDS". 20,000 copies were shipped on diskettes marked as "AIDS Information Diskette Version 2.0". After 90 boot-ups the "Trojan" program encrypted all the filenames on the disk, made them invisible (setting the "hidden" attribute) and left only one file readable: a bill for $189 payable to the address P.O. Box 7, Panama. The author of this program was apprehended and sent to jail.
1990
This year brought several notable events. The first one was the appearance of the first polymorphic viruses, "Chameleon" (a.k.a. "V2P1", "V2P2" and "V2P6"). Until then anti-virus programs had used "masks", fragments of virus code, to look for viruses. After "Chameleon"'s appearance anti-virus program developers had to look for different methods of virus detection.
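The "masks" mentioned here, and the earlier passage on why 100 percent polymorphic viruses need emulation while non-100 percent ones still leave "nonchanging bytes" in their decryptor, can be shown in miniature. The following is an added example written for this page, not code from the article or from any anti-virus product: a constructed toy "sample" format (a tiny two-byte decryptor instruction set followed by an XOR-encrypted body, all invented for the illustration and not executable) and three scanners for it. A fixed mask lifted from one specimen fails as soon as the key changes; a wildcard mask on the stable decryptor bytes works for the semi-polymorphic layout but fails once junk instructions reorder the stub; an emulator that interprets the decryptor, recovers the key and decrypts the body before matching catches both. All opcodes, names and the `BODY` text are assumptions of the example.

```python
import re

# Constructed plaintext that the scanner wants to recognise (not real code).
BODY = b"CONSTRUCTED-SAMPLE-BODY-NOT-REAL-CODE"
BODY_SIG = BODY[:16]            # signature taken from the decrypted body

# Toy two-byte "decryptor instructions": opcode, operand. Invented, not any real ISA.
OP_SETKEY, OP_NOP, OP_DECRYPT = 0x01, 0x02, 0x03

def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def make_semi_poly(key: int) -> bytes:
    """Non-100% polymorphic generation: the decryptor layout is fixed and only
    the key byte changes.  Layout: SETKEY key ; DECRYPT 0 ; <body ^ key>"""
    stub = bytes([OP_SETKEY, key, OP_DECRYPT, 0])
    return stub + xor(BODY, key)

def make_full_poly(key: int, junk) -> bytes:
    """'100%' polymorphic generation: NOPs with arbitrary operands are scattered
    around SETKEY, so no multi-byte decryptor sequence stays at a fixed place.
    (The two-byte DECRYPT 0 tail is the only stable run, and two bytes are far
    too short to serve as a signature.)"""
    stub = b"".join(bytes([OP_NOP, j & 0xFF]) for j in junk)
    stub += bytes([OP_SETKEY, key])
    stub += b"".join(bytes([OP_NOP, (j * 7) & 0xFF]) for j in reversed(junk))
    stub += bytes([OP_DECRYPT, 0])
    return stub + xor(BODY, key)

def mask_scan(sample: bytes, mask: bytes) -> bool:
    """Pre-1990 approach: a fixed run of bytes copied from one specimen."""
    return mask in sample

def wildcard_scan(sample: bytes) -> bool:
    """Mask with a wildcard for the key byte: SETKEY ? DECRYPT 0.
    Works only while the decryptor keeps unchanging bytes in fixed positions."""
    return re.search(rb"\x01.\x03\x00", sample, re.DOTALL) is not None

def emulate_and_scan(sample: bytes, max_steps: int = 64) -> bool:
    """Interpret the toy decryptor until it reaches DECRYPT, apply the recovered
    key to the remainder, then match the plaintext signature.  A step budget
    guards against decryptors that never terminate."""
    key = None
    pc = 0
    for _ in range(max_steps):
        if pc + 1 >= len(sample):
            return False
        op, arg = sample[pc], sample[pc + 1]
        pc += 2
        if op == OP_NOP:
            continue
        if op == OP_SETKEY:
            key = arg
        elif op == OP_DECRYPT:
            return key is not None and BODY_SIG in xor(sample[pc:], key)
        else:
            return False            # not our toy decryptor at all
    return False                    # budget exhausted

def demo() -> dict:
    """Run the three scanners over three constructed generations."""
    s_a, s_b = make_semi_poly(0x5A), make_semi_poly(0xA3)
    full = make_full_poly(0xA3, [1, 2, 3])
    fixed_mask = s_a[:8]            # a "mask" lifted from the first specimen seen
    return {
        "mask_hits_same_key": mask_scan(s_a, fixed_mask),
        "mask_hits_new_key": mask_scan(s_b, fixed_mask),
        "wildcard_semi": wildcard_scan(s_b),
        "wildcard_full": wildcard_scan(full),
        "emulate_semi": emulate_and_scan(s_b),
        "emulate_full": emulate_and_scan(full),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:20s} {hit}")
```

The emulator is the expensive path, which is why real scanners of the period reserved it for samples the cheaper mask checks could not settle; the step budget is the toy counterpart of the anti-emulation arms race the article alludes to.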
The second event was the appearance of the Bulgarian "virus production factory": enormous numbers of new viruses were created in Bulgaria. Whole families of viruses appeared: "Murphy", "Nomenclatura", "Beast" (or "512", "Number-of-Beast"), the modifications of the "Eddie" virus, etc. A certain Dark Avenger became extremely active, making several new viruses a year and utilizing fundamentally new algorithms for infecting and covering tracks in the system. It was also in Bulgaria that the first BBS dedicated to the exchange of virus code and information for virus makers opened.
In July 1990 there was an incident with the "PC Today" computer magazine (Great Britain). It contained a floppy disk infected with the "DiskKiller" virus. More than 50,000 copies were sold.
In the second half of 1990 two stealth monsters appeared, "Frodo" and "Whale". Both viruses utilized extremely complicated stealth algorithms; on top of that the 9KB "Whale" used several levels of encryption and anti-debugging techniques.
1991
The computer virus population grows continuously, now reaching several hundred. Anti-viruses also show increasing activity: two software monsters at once (Symantec and Central Point) issue their own anti-virus programs, Norton Anti-virus and Central Point Anti-virus. They are followed by less known anti-viruses from Xtree and Fifth Generation.
In April a full-scale epidemic broke out, caused by the file and boot polymorphic virus called "Tequila", and in September the same kind of story happened with the "Amoeba" virus.
1992
Non-IBM PC and non-MS-DOS viruses are virtually forgotten: the "holes" in global access networks are closed, errors corrected, and network worm viruses have lost the ability to spread themselves. File, boot and file-boot viruses for the most widely spread operating system (MS-DOS) on the most popular computer model (IBM PC) are becoming more and more important. The number of viruses increases in geometric progression; various virus incidents happen almost every day. Miscellaneous anti-virus programs are being developed, and dozens of books and several periodical magazines on anti-viruses are being printed. A few things stand out:
Early 1992: the first polymorphic generator, MtE, serving as a base for several polymorphic viruses which follow almost immediately. MtE was also the prototype for a few forthcoming polymorphic generators.
March 1992: the "Michelangelo" virus epidemic (a.k.a. "March6") and the following hysteria took place. Probably this is the first known case when anti-virus companies made a fuss about a virus not to protect users from any kind of danger but to attract attention to their product, that is, to create profits. One American anti-virus company actually announced that on the 6th of March the information on over five million computers would be destroyed. As a result of the fuss the profits of various anti-virus companies jumped several times over; in reality only about 10,000 computers suffered from that virus.
July 1992: the first virus construction sets were made, VCL and PS-MPC. They made the already large flow of new viruses even larger. They also stimulated virus makers to create other, more powerful construction sets, as MtE had done in its area.
Late 1992: the first Windows virus appears, infecting this OS's executables, and starts a new page in virus making.
1993
Virus makers are starting to do some serious damage: besides hundreds of mundane viruses which are no different from their counterparts, besides whole polymorphic generators and construction sets, besides new electronic editions for virus makers, there appear more and more viruses using highly unusual ways of infecting files, introducing themselves into the system, etc. The main examples are:
1994
The problem of CD viruses is getting more important. Having quickly gained popularity, CDs became one of the main means of spreading viruses. There were several simultaneous cases of a virus getting onto the master disk while a batch of CDs was being prepared. As a result a fairly large number (tens of thousands) of infected CDs hit the market. Of course they cannot be cured; they just have to be destroyed.
Early in the year in Great Britain there popped out two extremely complicated polymorphic viruses, "SMEG.Pathogen" and "SMEG.Queeg" (even now not all anti-virus programs are able to give 100% correct detection of these viruses). Their author placed infected files on a BBS, causing real panic and fear of epidemics in the mass media.
Some new and unusual enough viruses appear:
January 1994: "Shifter", the first virus infecting object modules (OBJ files). "Phantom1", the cause of the first epidemic of a polymorphic virus in Moscow.
April 1994: "SrcVir", the virus family infecting program source code (C and Pascal).
June 1994: "OneHalf", one of the most popular viruses in Russia so far, starts a total epidemic.
September 1994: "3APA3A", a boot-file virus epidemic. This virus uses a highly unusual way of incorporating itself into MS-DOS. No anti-virus was ready to meet such a monster.
1995
Nothing in particular happens among DOS viruses, although several complicated enough monster viruses appear, like "NightFall", "Nostardamus" and "Nutcracker", and also some funny viruses like the "bisexual" virus "RMNS" and the BAT virus "Winstart". The "ByWay" and "DieHard2" viruses become widespread, with news about infected computers coming from all over the world.
February 1995: an incident with Microsoft: Windows95 demo disks are infected by "Form". Copies of these disks were sent to beta testers by Microsoft; one of the testers was not that lazy and tested the disks for viruses.
Spring 1995: two anti-virus companies, ESaSS (ThunderBYTE anti-virus) and Norman Data Defense (Norman Virus Control), announce their alliance. These companies, each making powerful enough anti-viruses, joined efforts and started working on a joint anti-virus system.
August 1995: one of the turning points in the history of viruses and anti-viruses: the first "live" virus for Microsoft Word ("Concept") has actually appeared. In a matter of months the virus "tripped around the world", pestering the computers of MS Word users and becoming a firm No. 1 in the statistical research held by various computer titles.
1996
January 1996: two notable events: the appearance of the first Windows95 virus ("Win95.Boza") and the epidemic of the extremely complicated polymorphic virus "Zhengxi" in St. Petersburg (Russia).
March 1996: the first Windows 3.x virus epidemic. The name of the virus is "Win.Tentacle". This virus infected a computer network in a hospital and in several other institutions in France. This event is especially interesting because this was the FIRST Windows virus on a spree. Before that time (as far as I know) all the Windows viruses had been living only in collections and electronic magazines of virus makers; only boot viruses, DOS viruses and macro viruses were known to ride free.
June 1996: "OS2.AEP", the first virus for OS/2 correctly infecting EXE files of this operating system. Earlier under OS/2 there existed only viruses writing themselves in place of a file, destroying it, or acting as companions.
July 1996: "Laroux", the first virus for Microsoft Excel caught live (originally at the same time in two oil companies in Alaska and in the South African Republic). The idea of "Laroux", like that of Microsoft Word viruses, was based on the presence of so-called macros (or Basic programs) in the files. Such programs can be included in both Microsoft Excel spreadsheets and Microsoft Word documents. As it turned out, the Basic language built into Microsoft Excel also allows the creation of viruses.
December 1996: "Win95.Punch", the first "memory resident" virus for Windows95. It stays in Windows memory as a VxD driver, hooks file access and infects Windows EXE files that are opened.
1997
February 1997: "Linux.Bliss", the first virus for Linux (a Unix clone). Thus viruses occupied one more "biological" niche.
February-April 1997: macro viruses migrated to Office97. The first of them turned out to be merely macro viruses for Microsoft Word 6/7 "converted" to the new format, but almost immediately there appeared viruses aimed exclusively at Office97 documents.
March 1997: "ShareFun", a macro virus hitting Microsoft Word 6/7. It uses not only the standard features of Microsoft Word to propagate but also sends copies of itself via MS-Mail.
April 1997: "Homer", the first network worm virus using the File Transfer Protocol (FTP) for propagation.
June 1997: the first self-encrypting virus for Windows95 appears. This virus of Russian origin was sent to several BBSes in Moscow, which caused an epidemic.
November 1997: the "Esperanto" virus. This is the first virus that intends to infect not only DOS and Windows32 executable files but also to spread to Mac OS (Macintosh). Fortunately, the virus is not able to spread across the platforms because of bugs.
December 1997: a new virus type, the so-called "mIRC Worms", came into being. The most popular Windows Internet Relay Chat (IRC) utility, known as mIRC, proved to have a "hole" allowing virus scripts to transmit themselves along IRC channels. The next mIRC version blocked the hole and the mIRC Worms vanished.
October 1997: the agreement on licensing the use of AVP technologies in F-Secure Anti-Virus (FSAV) was signed. The F-Secure Anti-Virus (FSAV) package was the new anti-virus product of DataFellows (Finland). Before that DataFellows was known as the manufacturer of the F-PROT anti-virus package.
1998
The virus attack on MS Windows, MS Office and network applications does not weaken. New viruses arose employing still more complex tricks for infecting computers and advanced methods of network-to-computer penetration. Besides numerous so-called Trojans stealing Internet access passwords, several kinds of covert remote-administration utilities came into the computer world. Several incidents with infected CDs came to light: some computer magazine publishers distributed the Windows viruses CIH and Marburg on the CDs attached to the covers of their issues.
Beginning of the year: the epidemic of the "Win32.HLLP.DeTroie" virus family, not just infecting Windows32 executable files but also capable of transmitting to its "owner" information about the infected computer, shocked the computer world. As the viruses used specific libraries attached only to the French version of Windows, the epidemic affected just the French-speaking countries.
February 1998: one more virus type infecting Excel tables, "Excel4.Paix" (aka "Formula.Paix"), was detected. While rooting itself into Excel tables this type of macro virus does not employ the macro area usual for this kind of virus but formulas, which proved capable of accommodating self-reproducing code.
February - March 1998: "Win95.HPS" and "Win95.Marburg", the first polymorphic Windows32 viruses, were detected, and furthermore they were "in the wild". Anti-virus program developers had no choice but to rush to adapt their polymorphic virus detection techniques, designed so far just for DOS viruses, to the new conditions.
March 1998: "AccessiV", the first Microsoft Access virus, was born. There was no boom about it (as there had been with the "Word.Concept" and "Excel.Laroux" viruses), as the computer community had already got used to MS Office applications going down thick and fast.
March 1998: the "Cross" macro virus, the first virus infecting two different MS Office applications, Access and Word, is detected. Hereupon several more viruses transferring their code from one MS Office application to another emerged.
May 1998: the "RedTeam" virus infects Windows EXE files and dispatches the infected files through Eudora e-mail.
June 1998: the "Win95.CIH" virus epidemic was at the beginning mass, then became global and then turned into a kind of computer holocaust: the number of messages about infections of computer networks and home personal computers came to hundreds if not thousands. The beginning of the epidemic was registered in Taiwan, where some unknown hacker mailed the infected files to local Internet conferences. From there the virus made its way to the USA, where through staff oversight it at once infected several popular Web servers that started to distribute infected game programs. Most likely these infected files on game servers brought about this computer holocaust that dominated the computer world all year. According to the "popularity" ratings the virus pushed "Word.CAP" and "Excel.Laroux" into second place. One should also pay attention to the virus's dangerous manifestation: depending on the current date the virus erased the Flash BIOS, which in some conditions could kill the motherboard.
August 1998: the appearance of the sensational "BackOrifice" ("Backdoor.BO"), a utility for covert (hacker's) management of remote computers and networks. After "BackOrifice" some other similar programs, "NetBus", "Phase" and others, came into being.
Also in August the first virus infecting Java executable files, "Java.StrangeBrew", was born. The virus was no danger to Internet users, as there was no way to use the functions critical for the virus's replication on any remote computer. However it revealed that even Web servers and browsers could be attacked by viruses.
November 1998: "VBScript.Rabbit". The Internet expansion of computer parasites proceeded with three viruses infecting VisualBasic scripts (VBS files), which are actively used in Web page development. As the logical consequence of VBScript viruses, the full-value HTML virus ("HTML.Internal") was born. Virus writers obviously turned their efforts to network applications and to the creation of a full-value network worm virus that could employ MS Windows and Office options, infect remote computers and Web servers and/or aggressively replicate itself through e-mail.
What Will be Tomorrow?
What can be expected from the computer underground in subsequent years? Most probably the main problems will remain the following:
1) polymorphic DOS viruses, with additional problems of polymorphism in macro viruses and viruses for Windows and maybe OS/2;
2) macro viruses with new and improved ways of infecting and covering tracks of their code in the system;
3) network viruses, using network protocols and commands for spreading.
Type 3) is still at the earliest stage of development: viruses are making their first faint attempts to spread their code by themselves via Microsoft Mail and FTP, but the best is yet to come.
Other problems may appear which could bring a lot of trouble to users and plenty of extra work to the developers of anti-virus programs. However, I look to the future optimistically: every problem in the history of the development of viruses has been more or less successfully solved.
Future problems, which are now just ideas in the sick minds of virus makers, will most probably be solved in the same way!