What is a computer virus? / Part III

What Is A Virus
Author
TQI

Let's get nerdy bout the history of computer viruses?

Today's malware authors owe a lot to the cybercriminals of yesteryear. All the tactics and techniques employed by cybercriminals creating modern malware were first seen in early viruses. Things like Trojans, ransomware, and polymorphic code. These all came from early computer viruses. To understand the threat landscape of today, we need to peer back through time and look at the viruses of yesteryear.

1949, John von Neumann and "self-reproducing machines" 

It was in those salad days of computing that mathematician, engineer, and polymath John von Neumann delivered a lecture on the Theory and Organization of Complicated Automata in which he first argued that computer programs could "self-reproduce." In an era where computers were the size of houses, and programs were stored on mile-long punch tapes, Neumann's ideas must've sounded like something from a sci-fi pulp novel.

1982, The proto computer-virus

In 1982 a fifteen-year-old boy pranking his friends proved Neumann's theory a reality. Rich Skrenta's Elk Cloner is widely regarded as the first proto-computer virus (the term "computer virus" didn't exist just yet). Elk Cloner targeted Apple II computers, causing infected machines to display a poem from Skrenta:

Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!

It will stick to you like glue
It will modify RAM too
Send in the Cloner!

Other notable firsts—Elk Cloner was the first virus to spread via detachable storage media (it wrote itself to any floppy disk inserted into the computer). For many years to come, that's how viruses travelled across systems—via infected floppy disk passed from user to user.

1984, Computer virus, defined

In 1984 computer scientist Fred Cohen handed in his graduate thesis paper, Computer Viruses – Theory and Experiments in which he coined the term "computer virus," which is great because "complicated self-reproducing automata" is a real mouthful. In the same paper, Cohen also gave us our first definition of "computer virus" as "a program that can ‘infect' other programs by modifying them to include a possibly evolved copy of itself."

1984, Core War

Up to this point, most talk about computer viruses happened only in the rarified air of college campuses and research labs. But a 1984 Scientific American article let the virus out of the lab. In the piece, author and computer scientist A.K. Dewdney shared the details of an exciting new computer game of his creation called Core War. In the game, computer programs vie for control of a virtual computer. The game was essentially a battle arena where computer programmers could pit their viral creations against each other. For two dollars Dewdney would send detailed instructions for setting up your own Core War battles within the confines of a virtual computer. What would happen if a battle program was taken out of the virtual computer and placed on a real computer system? In a follow-up article for Scientific American, Dewdney shared a letter from two Italian readers who were inspired by their experience with Core War to create a real virus on the Apple II. It's not a stretch to think other readers were similarly inspired. 

1986, the first PC virus

The Brain virus was the first to target Microsoft's text-based Windows precursor, MS-DOS. The brainchild of Pakistani brothers and software engineers, Basit and Amjad Farooq, Brain acted like an early form of copyright protection, stopping people from pirating their heart monitoring software. If the target system contained a pirated version of the brother's software, the "victim" would receive the on-screen message, "WELCOME TO THE DUNGEON . . . CONTACT US FOR VACCINATION" along with the brothers' names, phone number, and business address in Pakistan. Other than guilt tripping victims in to paying for their pirated software, Brain had no harmful effects.

Speaking with F-Secure, Basit called Brain a "very friendly virus." Amjad added that today's viruses, the descendants of Brain, are "a purely criminal act."

1986, Viruses go into stealth mode

Also in 1986, the BHP virus was the first to target the Commodore 64 computer. Infected computers displayed a text message with the names of the multiple hackers who created the virus—the digital equivalent of scrawling "(your name) was here" on the side of a building. BHP also has the distinction of being the first stealth virus; that is, a virus that avoids detection by hiding the changes it makes to a target system and its files.

1988, Computer virus of the year

1988, one could argue, was the year computer viruses went mainstream. In September of that year, a story on computer viruses appeared on the cover of TIME magazine. The cover image depicted viruses as cute, googly eyed cartoon insects crawling all over a desktop computer. Up to this point, computer viruses were relatively harmless. Yes, they were annoying, but not destructive. So how did computer viruses go from nuisance threat to system destroying plague?

"Viruses were all about peace and love—until they started crashing people's computers."

1988, A message of peace goes haywire

Viruses were all about peace and love—until they started crashing people's computers. The MacMag virus caused infected Macs to display an onscreen message on March 2, 1988:

RICHARD BRANDOW, publisher of MacMag, and its entire staff
would like to take this opportunity to convey their
UNIVERSAL MESSAGE OF PEACE
to all Macintosh users around the world

Unfortunately, a bug in the virus caused infected Macs to crash well before Brandow's day of "universal peace." The virus was also designed to delete itself after displaying Brandow's message but ended up deleting other user files along with it. One of the victims, a software executive working for Aldus Corp, inadvertently copied the virus to a pre-production version of Aldus' Freehand illustration software. The infected Freehand was then copied and shipped to several thousand customers, making MacMag the first virus spread via legitimate commercial software product.

Drew Davidson, the person who actually coded the MacMag virus (Brandow wasn't a coder), told TIME he created his virus to draw attention to his programming skills.

"I just thought we'd release it and it would be kind of neat," Davidson said.

1988, front page of The New York Times

A little over a month after the TIME magazine piece, a story about the "most serious computer ‘virus' attack" in US history appeared on the front page of The New York Times. It was Robert Tappan Morris' Internet worm, erroneously referred to as a "virus." In all fairness, no one knew what a worm was. Morris's creation was the archetype. The Morris worm knocked out more than 6,000 computers as it spread across the ARPANET, a government operated early version of the Internet restricted to schools and military installations. The Morris worm was the first known use of a dictionary attack. As the name suggests, a dictionary attack involves taking a list of words and using it to try and guess the username and password combination of a target system.

Robert Morris was the first person charged under the newly enacted Computer Fraud and Abuse Act, which made it illegal to mess with government and financial systems, and any computer that contributes to US commerce and communications. In his defense, Morris never intended his namesake worm to cause so much damage. According to Morris, the worm was designed to test security flaws and estimate the size of the early Internet. A bug caused the worm to infect targeted systems over and over again, with each subsequent infection consuming processing power until the system crashed.

1989, Computer viruses go viral

In 1989 the AIDS Trojan was the first example of what would later come to be known as ransomware. Victims received a 5.25-inch floppy disk in the mail labelled "AIDS Information" containing a simple questionnaire designed to help recipients figure out if they were at risk for the AIDS virus (the biological one). 

While an apt (albeit insensitive) metaphor, there's no indication the virus' creator, Dr. Joseph L. Popp, intended to draw parallels between his digital creation and the deadly AIDS virus. Many of the 20,000 disk recipients, Medium reported, were delegates for the World Health Organization (WHO). The WHO previously rejected Popp for an AIDS research position. 

Loading the questionnaire infected target systems with the AIDS Trojan. The AIDS Trojan would then lay dormant for the next 89 boot ups. When victims started their computer for the 90th time, they'd be presented with an on-screen message ostensibly from "PC Cyborg Corporation" demanding payment for "your software lease," similar to the Brain virus from three years earlier. Unlike the Brain virus, however, the AIDS Trojan encrypted the victims' files. 

In an era before Bitcoin and other untraceable cryptocurrencies, victims had to send ransom funds to a PO box in Panama in order to receive the decryption software and regain access to their files. Funds, Popp claimed after his arrest, were destined for AIDS virus research.

1990s, Rise of the Internet

By 1990 ARPANET was decommissioned in favor of its public, commercially accessible cousin the Internet. And thanks to Tim Berners-Lee's pioneering work on web browsers and web pages, the Internet was now a user-friendly place anyone could explore without special technical knowledge. There were 2.6 million users on the Internet in 1990, according to Our World in Data. By the end of the decade, that number would surpass 400 million. 

With the rise of the Internet came new ways for viruses to spread. 

1990, Mighty morphin' 1260 virus

Cybersecurity researcher Mark Washburn wanted to demonstrate the weaknesses in traditional antivirus (AV) products. Traditional AV works by comparing the files on your computer with a giant list of known viruses. Every virus on the list is made of computer code and every snippet of code has a unique signature—like a fingerprint. If a snippet of code found on your computer matches that of a known virus in the database, the file is flagged. Washburn's 1260 virus avoided detection by constantly changing its fingerprint every time it replicated itself across a system. While each copy of the 1260 virus looked and acted the same, the underlying code was different. This is called polymorphic code, making 1260 the first polymorphic virus.

1999, "You've got mail (and also a virus)"

Think back to 1999. If someone you knew sent you an email that read "Here is the document you requested ... don't show anyone else ;-)," you opened the attachment. This was how the Melissa virus spread and it played on the public's naiveté about how viruses worked up to that point. Melissa was a macro virus. Viruses of this type hide within the macro language commonly used in Microsoft Office files. Opening up a viral Word doc, Excel spreadsheet, etc. triggers the virus. Melissa was the fastest spreading virus up to that point, infecting approximately 250,000 computers, Medium reported.

2012, A full Shamoon over Saudi Arabia

By the turn of the 21st century, the roadmap for future malware threats had been set. Viruses paved the way for a whole new generation of destructive malware. Cryptojackers stealthily used our computers to mine cryptocurrencies like Bitcoin. Ransomware held our computers hostage. Banking Trojans, like Emotet, stole our financial information. Spyware and keyloggers shoulder surfed us from across the web, stealing our usernames and passwords.

Old-school viruses were, for the most part, a thing of the past. In 2012, however, viruses made one last grab at the world's attention with the Shamoon virus. Shamoon targeted computers and network systems belonging to Aramco, the state-owned Saudi Arabian oil company, in response to Saudi government policy decisions in the Middle East. The attack stands as one of the most destructive malware attacks on a single organization in history, completely wiping out three-quarters of Aramco's systems, The New York Times reported. In a perfect example of what comes around goes around, cybersecurity researchers have suggested the attack started with an infected USB storage drive—the modern equivalent of the floppy disks used to carry the very first virus, Elk Cloner.

Today, tech support scams

 Decades have passed since computer viruses reached their destructive zenith but there's a related threat you should know about. Commonly referred to as a tech support scam or a virus hoax, this modern threat isn't a virus at all.

Here's how tech support scams work. The victim is served up a bogus pop-up ad after landing on a spoofed website or as a result of an adware infection. In a recent example, scammers used malvertising to link victims to malicious support sites after victims searched for things like cooking tips and recipes. We've also seen hacked WordPress sites redirecting to support scam sites. The bogus ad is designed to look like a system alert generated by the operating system, and it may say something like, "Security alert: Your computer might be infected by harmful viruses," along with contact information for "Technical Support." There's no virus and no technical support—just scammers who will make it seem like you have a virus and demand payment to "fix" it.

According to the Federal Trade Commission there were 143,000 reports about tech support scams in 2018, with total losses reaching $55 million. What makes this scam particularly insidious is that cybercriminals frequently target the most vulnerable part of the world's population. People 60-years-old and over were five times more likely to report being a victim of a tech support scam.

What is a Computer Virus - Part 4