History of Computer Viruses

A computer virus is a program that is written specifically to replicate and spread from computer to computer. Viruses are distinguished from worms in that viruses require a host. In the case of a computer virus you must run an infected program, open an infected file, or boot from an infected floppy (all host actions) in order to initiate the viral instructions and replication. Trojan Horse programs, often installed by a dropper program, are not viruses since they do not replicate. Droppers don’t replicate either; they just ‘drop,’ and so aren’t computer viruses.

Boot sector viruses have been the most common type of virus for over 10 years. Macro viruses, debuting in 1995, are quickly becoming the most common type of virus, looking to ‘boot’ many of the boot sector viruses out of the top ten most prevalent viruses listing by the end of this year. There is an average of 5-7 new viruses a day, with over 18,000 viruses having been created to date. How did this malicious activity begin?

Perhaps the first real study of viral creation and impact was performed by Fred Cohen in 1983, as an experiment in computer security. It was 3 years later, in 1986, that the first PC virus, Brain, was authored and then later found in the wild. Brain is a boot sector and stealth virus that only infects 360K floppy disks. By the end of 1986 three file infecting demonstration viruses were created: Virdem, Burger, and Rush Hour. The fascination with security holes and the ability of a program to replicate on its own began to take hold.

In 1987 Brain was discovered in “the wild,” at the University of Delaware. Viruses began popping up all over the world, primarily at universities. By November the Lehigh virus, which infects command.com and runs in memory, was discovered at Lehigh University in the United States. One of the oldest and most prevalent viruses up to today, the Jerusalem virus, was then discovered in December at the Hebrew University of Israel.

Jerusalem was the first file infecting virus designed to run in memory, deleting infected files on Friday the 13th. Jerusalem reportedly stems from three generations of the Suriv (virus spelled backwards) virus, authored by a programmer in Tel Aviv or Italy. It didn’t take long for people to fall into the challenge of creating a malicious virus.

In 1988 a large number of media outlets started reporting on viruses, including Byte, Business Week, Fortune, PC-Computing, Time, and US News and World Report. Part of the media coverage reportedly resulted from a large financial institution being widely infected with viruses. Most top antivirus researchers of today got their start in 1988. A serious look at the threats of viral code, and how to provide a product to protect the consumer, began to emerge in the commercial market. IBM found that it was infected with Cascade and hired High Integrity Computing Laboratory in Yorktown to take up antivirus research and protection for the company.

By 1989 there were about 30 viruses that had been discovered in the wild or created as a demonstration. Joe Wells, a leading antivirus consultant today, got his start in antivirus by creating a heuristic scanner that identified the Jerusalem.1808.Standard virus and Trojan Horse programs. The press began to run skeptical articles about viruses that wreak havoc on a computer on Friday the 13th, and more. A leading virus author, Dark Avenger, reportedly from Sofia, Bulgaria, authored the Avenger.1800 virus, which is very good at spreading through a system unnoticed and overwriting data on a hard drive. WDEF (boot sector infector), probably the most prolific Macintosh virus ever, came out in December of 1989. Datacrime, even though it was not very good at replication, was one of the more popularized viruses in the media during 1989 and 1990. IBM was pressured about virus threats and subsequently released its previously internal antivirus software to the public in September of 1989.

1990 brought out the SPAM viruses: Stealth, Polymorphic, Armored, Multipartite. Viruses started getting good at avoiding detection (stealth), using mathematical algorithms to encrypt new and different strains of a virus (polymorphic), protecting themselves against antivirus disassembly (armor), and spreading quickly by infecting both boot sectors and files/programs (multipartite). Anthrax and V1 were two examples of this concept, but neither was very successful in the wild. Unfortunately, Usenet newsgroups began hosting huge collections of viruses for people to download and upload. Apple released System 7.0, a 32 bit operating system, which effectively eliminated most viral and malicious code threats from the Macintosh system. Only HyperCard and a few system related viruses remained for Macintosh users to worry about. Unfortunately, PC users were dancing to a different tune.

The European Institute for Computer Antivirus Research (EICAR) was created in Hamburg, in December of 1990. EICAR worked to pull the antivirus community together to exchange ideas and viral codes. At the time there were about 150 viruses in the wild. Later, EICAR released the EICAR test file which is still being used to validate the correct function and installation of antivirus software on a PC.

By the end of 1990 there were lots of antivirus products made available to the consumer commercially to remove the 200+ viruses in the wild, including: AntiVirus Plus from Iris, Certus from Certus International, Data Physician from Digital Dispatch, Turbo Antivirus from Carmel, Virex-PC from Microcom, Virucide (McAfee’s Pro-Scan) from Parsons, Virusafe from EliaShim, ViruScan from McAfee, Dr. Solomon’s Anti-Virus Toolkit from S&S, F-Prot from Frisk Software, ThunderByte from ESaSS, Vaccine from Sophos, Vaccine from World Wide Data, V-Analyst from BRM, Vet from Cybec, VirusBuster from Hunix, Virscan from IBM, Vi-Spy from RG Software, and Norton AntiVirus from Symantec.

In 1991 the Michelangelo virus was discovered. Dark Avenger announced on a bulletin board that he was working on a new virus that would mutate in 1 of 4,000,000,000 different ways. Later, in January of 1992, it turned out that Dark Avenger had created an object file linked to viruses, a mutation engine (MtE). A Viral Creation Laboratory (VCL), by Nowhere Man, and Phalcon/Skism Mass-Produced Code Generator by Dark Angel provided users with point and click authoring of viruses!

Tequila, the epitome of SPAM viruses, debuted in April of 1991. It employed retrovirus and tunneling to combat antivirus software. Tequila was reportedly created in Switzerland and was subsequently stolen by a friend of the author. The ‘friend’ then planted the virus on his father’s machine, a shareware vendor, resulting in the widespread distribution of Tequila overnight. The Maltese Amoeba spread through Europe and the DirII virus came out, a cluster infecting virus, which forced antivirus software developers to take a new look at how viruses infect and how to identify and protect against them. Viral growth was on the rise, with over 1,000 in the wild by the end of the year.

In 1992 Dark Avenger’s MtE was easily combated by antivirus software but resulted in some of the first false alarms for identification of a viral infection. Dark Avenger responded by authoring Commander Bomber, a highly polymorphic virus that did not encrypt. It was coined a polymorphic, permutation virus. Other important viral creations included a CMOS modification from the EXEBug virus to prevent clean booting; Invol infected .sys files for the first time; WinVer 1.4 was the first ever Windows virus. The press blew Michelangelo out of proportion, with one company spokesman reportedly estimating a total of 5 million systems going down on March 6th (Michelangelo’s payload date to erase hard drives). The end of 1992 marked the sale of viral collections by John Buchanan, in America, and the Virus Clinic overseas.

1993 featured a release of MS-DOS 6.0, from Microsoft, with built-in antivirus software. On July 1 Joe Wells posted his first official “WildList,” a listing of verified viruses that have been found on PCs around the world. Tremor, a common virus in Europe, was found in the wild and was found to have code that disabled the Microsoft Antivirus (MSAV) software running in memory. SatanBug was discovered in Washington, DC, in the United States, with the author being found by the FBI – the author was a minor. Monkey also debuted, featuring full stealth capabilities and a nasty technique of encrypting the master boot record of the hard drive. Monkey threw a loop in the standard FDISK removal of viruses. The standard removal method, applied to Monkey, resulted in the destruction of the virus, and with it the encryption key to the partition information for the hard disk, effectively wiping out the hard drive upon removal of the virus. Cruncher also came out in 1993, described as a “good virus” since it compressed infected programs, resulting in more disk space being made available to the user.

1993 also featured the first ever program specific type virus, merryxmas, discovered by your guide, Ken Dunham, in the Macintosh authoring program HyperCard.

1994 featured a large increase in the growth of the Internet and the release of many viruses, including Junkie, One_Half, Natas (Satan backwards), and Pathogen. Pathogen was authored by Black Baron, a member of Association of Really Cruel Viruses (ARCV), who was later identified by New Scotland Yard’s Computer Crime Unit and jailed. Several mutations to the merryxmas virus began to pop up, with malicious HyperCard viruses debuting by the end of the year. Merryxmas was distributed on a commercial CD from Apple, proving that antivirus protection for this new type of virus was still inadequate.

1995 featured the release of Windows 95, a 32 bit operating system, and macro viruses. Concept, the first ever macro virus, was authored in WordBASIC and was found to be the first application specific type virus that could infect both Mac and PC operating systems for users of Microsoft Word (MS Word). Because MS Word normally uses macro command sets, antivirus developers were presented with a significant challenge – how to distinguish between viral and non-viral macro command sets.

Antivirus software developers were still struggling with how to successfully deal with macro viruses in 1996. Virus Bulletin’s test of 24 scanners indicated that 8 of them didn’t even detect the Concept macro virus. Meanwhile, macro viruses in the wild were rising exponentially. By the end of 1996, Concept became the most common virus in the world. The media began to cover viruses with more hype and mystery than ever before. Viruses, like Hare, began to be overpublicized even when the actual threat from the virus was very unlikely. Laroux, with only two reports in the wild to date, was identified as the first ever Microsoft Excel macro virus.

1997 showed continued exponential growth in the Internet and macro viruses. Macro viruses began to replace the most common viruses, boot sector viruses, and grow out of control. By the end of the year there were more than 1,000 macro viruses in existence (in just over 15 months of time).

An Autostart Worm for the Macintosh came out in Asia in 1998, proving to be the first malicious program to be authored for the Macintosh operating system in 4 years. Esperanto also debuted, with the ability to infect the Macintosh with a virus when a user ran a PC emulation system such as SoftWindows on a PowerPC Macintosh. However, Esperanto is rare and is not very successful in spreading or in carrying out its payload. Macro viruses rose above 2,000 in existence while antivirus software developers worked to develop automatic update systems through networks, heuristics, and security programs that require no updates and are able to identify non-standard system and application type executions.
