It wasn't until 1986 that the world saw its first real virus, christened '(c) Brain'. (c) Brain also went under various other aliases including '(c) ashar', and spawned variants such as 'Ohio' and 'Den Zuk'. All were based on the same code written by Brain Computer Services, a company in Pakistan - a fact verified by unencrypted text contained within the virus. No one knows for sure what the purpose of the virus was, other than it infected MS-DOS boot sectors. Like Elk Cloner, it was not destructive. It did exhibit 'stealthing' capabilities, and would hide itself from view, if for some reason the boot sector was examined.
The year 1987 saw the first file infectors; in 1988 the Morris worm was released into the wild and brought parts of the internet to its knees. Trojans made their debut in 1989; and from there, virus numbers began to increase. Concept, the first macro virus for Office, reared its head in 1995. The viral horror of today - the mass-mailing worm - was born in 1999 in the form of Melissa.
Distribution methods, techniques and payloads have changed over the years. Perhaps the most memorable are macro viruses, which were particularly virulent thanks to their cross-platform nature. Due to a combination of changes in Microsoft's Office suite of applications, and user education, macro viruses are almost a thing of the past.
Early in their history, most viruses were mischievous and non-destructive. About six years ago, they started deleting and corrupting files. Today, they are perhaps at their most malevolent - stealing personal information, hijacking systems, and causing millions of dollars' worth of damage to businesses. Worst of all, virus writers are starting to make money from their craft, an unheard-of phenomenon until now.
In short, they have grown up.
Cash for crashes

'The stereotypical profile of a virus writer is an 18-25 year old male with a Mohawk, nose ring, drinks too much Coke and has an overpowered computer with too much time on their hands. While this may be true in some cases it isn't always,' says Zatz.
Thirty-three-year-old network programmer David Smith, author of the first mass-mailing worm Melissa, never intended for his virus to be destructive. Nor had he planned to gain anything financially from it; indeed, Smith was eventually fined US$5,000 for his crime. This did not change the fact that the virus caused an estimated US$80 million worth of damages, simply because it clogged up mail servers and made working online impossible for many businesses. Like Sasser, Melissa contained no actual payload.
Have infection, will travel

Before the days of the information superhighway, virus writers had to rely on floppy disks and hard drives in order to propagate. These days, the net provides the perfect medium for viral infection. Back when this wondrous logistical solution didn't exist, viruses had to employ various methods in order to avoid detection and to spread - a few of which we still see in use today.
The easiest way a virus can increase its longevity is by hiding itself. Commonly referred to as 'stealthing', a virus will 'look out' for telltale signs that it is being examined, such as when certain programs load or particular system calls are made to the operating system. More sophisticated viruses can detect that they are in a debugging or disassembling environment - a dead giveaway that someone is trying to see how the viral code works. Upon sensing this, a virus can try to hide itself, pretending to be a legitimate program or even go as far as to attack the system trying to debug it. This type of stealthing, which tries to foil attempts to take the virus apart, is called 'hardening'.
Viruses can also be 'polymorphic' - that is, they change their structural appearance while retaining the same functionality. This is designed to fool virus scanners, which rely on matching patterns to detect infections. 'A simple case: a virus implements another layer of code on top of its normal functional code and encrypts the main virus body ... The encryption with variable “keys” enables a virus to look different in each generation or each new infected file,' says Jakub Kaminski, anti-virus research manager at CA's Richmond Development Lab in Victoria.
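The effect Kaminski describes, and why it defeats plain pattern matching, can be shown with a small model. The code below is an added illustration, not anything from the article or from CA; the 'body', the signature string and the single-byte XOR 'encryption' are all constructed stand-ins. A naive scanner that looks for the raw signature misses every encoded generation, whereas a scanner that tries each possible key before matching (the 'X-ray' approach anti-virus engines use for simple encryptors) still finds the invariant body.

```python
# Constructed stand-in for a virus body: plain text with a fixed pattern
# that a signature-based scanner would look for. Not real malware.
SAMPLE_BODY = b"...MAIN BODY...SIGNATURE_PATTERN...END"
SIGNATURE = b"SIGNATURE_PATTERN"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Toy 'encryption': XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def make_generation(body: bytes, key: int) -> bytes:
    """Model one generation: a constant decryptor stub followed by the body
    encoded under a per-generation key. As the article notes, the virus does
    not rewrite itself; only the key (and hence the encoded bytes) changes."""
    stub = b"STUB:" + bytes([key])  # the key is kept so the stub could decode
    return stub + xor_bytes(body, key)


def naive_scan(sample: bytes) -> bool:
    """Signature scanner that matches raw bytes only."""
    return SIGNATURE in sample


def xray_scan(sample: bytes) -> bool:
    """'X-ray' scanner: try every single-byte key and look for the invariant
    pattern under each, instead of trusting the bytes as they appear."""
    return any(SIGNATURE in xor_bytes(sample, k) for k in range(256))


def scan_generations(keys):
    """Return (naive_hits, xray_hits, all_distinct) over generations built
    from the given keys, so the two scanners can be compared directly."""
    gens = [make_generation(SAMPLE_BODY, k) for k in keys]
    naive_hits = sum(naive_scan(g) for g in gens)
    xray_hits = sum(xray_scan(g) for g in gens)
    return naive_hits, xray_hits, len(set(gens)) == len(gens)


if __name__ == "__main__":
    print(scan_generations([0x5A, 0x3C, 0xA7]))  # naive misses all, X-ray catches all
```

Real polymorphic engines also vary the decryptor stub itself, which is why modern scanners fall back to emulating the code rather than only trying keys.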
An important fact is that most polymorphic viruses do not have the capacity to create entirely new code. 'These viruses “do not rewrite themselves”, but simply follow the pre-defined program,' says Kaminski. A common misconception is that viruses cannot damage hardware. The infamous CIH virus could irreparably damage the Basic Input/Output System (BIOS) chips on motherboards, rendering the entire board useless. Thankfully, these sorts of 'destructive' viruses are rare today, with virus writers focusing more on 'phishing' viruses - those that reveal or find out banking details, or trick users into providing other delicate information.
More and more, viruses are using 'multiple vectors' to infect computers. Code Red, for example, not only made use of its own mailing engine to spread, it also sent itself via HTTP requests and infected machines running Microsoft's Internet Information Services, taking advantage of a buffer exploit in the software. Older viruses, such as Junkie, were also multi-vector on a smaller scale. Junkie would infect a system's boot sector, memory and COM executable files, making it highly virulent for its time. Boot sector viruses and file infectors are rare today - you could say modern virus writers have evolved beyond them.
Issue: 133 | February, 2012