Many (un)happy returns


The PC virus is celebrating its 20th birthday – and my, hasn’t it grown! By Neil Davey

“A few years ago you might measure the speed of a virus or worm infection in days, but today the units have dropped to hours or even minutes”
-Eric Allman, Chief Science Officer and Co-Founder at Sendmail

This year may have marked an important 20th anniversary for the IT sector, but there were no champagne corks being popped or cigars being lit for this particular remembrance. The PC virus turned 20 years old in January, with two decades now having passed since the detection of the first boot sector virus. The virus, known as ‘Brain’, infected computers via floppy disk and it was a relatively harmless affair, merely renaming the disk on which it found itself. In fact, the writers of the virus, brothers Amjad and Basit Alvi, were so unconcerned about the ramifications that they even included their address in the virus's code. Yet who could have forecast that this simple code would evolve into the kinds of viruses that today bring mayhem and misery to business and home users around the world?

For some years boot sector viruses were the most commonly encountered types of viruses, infecting the boot sectors of floppy disks (initially 5.25 inch floppies and then 3.5 inch stiffies) and the partition sector (also known as the Master Boot Record or MBR) of hard drives. These early viruses pale in comparison to the malicious character of their modern relatives. The Stoned virus, for instance, claimed your computer was ‘stoned’ one in every eight times you booted up. Another, Form, beeped at every key press on the 18th of the month, whilst the Parity virus faked a memory parity error message.

“These viruses knew nothing of e-mail and could not spread to other computers via network connections,” says Graham Cluley, Senior Technology Consultant at security firm Sophos. “But they were still encountered relatively commonly as they spread via ‘sneakernet’ – people shared floppy disks much more commonly in those days because networks were rare and internet e-mail was largely unheard of inside business. You could catch a boot sector virus simply by leaving a floppy in your A: drive and booting up your computer. What's more, if a boot sector virus was residing on the floppy, it would have copied itself onto the hard disk – meaning that the virus would be memory-resident whenever the PC was booted up – and would try to infect any write-enabled floppy subsequently used on the machine.”

Since transmission was via disk from computer to computer, infection by a boot sector virus could take months or even years after its release to reach significant levels. Nevertheless, these early viruses were, understandably, still irritating for users, and this prompted the first antivirus efforts in the form of bootable antivirus disks. But there were other simple tricks that the IT community learnt to protect itself, such as write-protecting floppy disks before using them in another computer, or changing the CMOS settings so that the computer would boot from the hard drive rather than the A: drive even if a floppy disk had been left there.

By 1995, floppy disks had effectively become extinct and the age of the boot sector virus had ended. Nevertheless, it had enjoyed a relatively long reign. “Viruses that replicate and run by infecting the MBR had their biggest day when bootable floppies were still in use,” agrees Dennis Szerszen, VP of SecureWave. “They are still around today – in fact, I suspect lots of spyware uses this mechanism – but they are not as common. There are way too many other viruses to be executed that can better avoid detection than an MBR virus, since it must modify either the MBR itself or the OS bootstrap.”

Macro viruses

But the era of the boot sector virus was truly ended by the emergence of a new breed of virus. 1995 witnessed the spread of the first macro virus, which exploited vulnerabilities in early Windows operating systems and rapidly became the most prolific virus in history. It has been reported that the first widespread macro virus, WM/Concept, was actually spread accidentally when it appeared on a software compatibility testing CD sent by Microsoft to hundreds of companies in August 1995. Other virus writers subsequently jumped on the bandwagon and produced their own versions, and macro viruses ran rampant for years afterwards.

Macro viruses were pioneering for a number of reasons. For a start, they infected files that were often shared by e-mail (such as Word documents). They were also written in a language that was easy to understand (MS Office's macro language rather than assembler code) so more people were able to write and understand the malware. Furthermore, each infected file came complete with the macro source code, making it easier to create new variants and to learn how to write macro malware. Some macro viruses, such as Melissa written by David L Smith, were e-mail-aware and would send themselves to other e-mail users.

Macro viruses became widespread, were malicious, and were a serious issue for businesses and home users alike. “The proliferation of macro viruses was in response to the prolific use of Microsoft products – i.e. it was a huge target for the virus writers to aim at,” says Nick Frost, a Research Consultant at the Information Security Forum. “As it was common for staff to spread these files around (Word/Excel, etc.), it further increased the infection rate – and notoriety of the virus writer. From my experience in the past I would say that macro viruses were particularly nasty to the business, the simple reason being that a lot of business critical data, such as financial spreadsheets, was stored in an Excel file and having your key assets exposed to such threats caused a lot of concern – it wasn't uncommon for CFOs to be asking questions about the reliability of financial figures as a result of the increasing profile of these viruses.”

As propagation times shrank to around a month from the moment a virus was found to the point at which it was a global problem, the IT community was stretched in its efforts to tackle the problem. Along with updating antivirus software with new signatures, enterprises responded to macro viruses by making their end users disable macro and script execution in their spreadsheets, browsers and word processors.

Up to this point, the focus had typically been on prevention – deploying antiviruses so that companies needn’t worry about the threat. However, with the increasing number of attacks and media stories of companies being hit, the attitude soon shifted. “It became common practice to adopt the attitude of ‘We are likely to experience a virus attack – how do we respond?’” says Frost. “A typical response was to focus on quarantining the network to reduce the spread of infection. Whilst this impaired day-to-day operations it was in some cases the only approach to take. However, this led to lobbying by industry for antivirus vendors to speed up the delivery of a patch to deal with new macro viruses and improve the updating functions on antivirus software.”

Worms in the network

Today, macro viruses pose less of a threat since there are whitelist enforcement solutions that simply prevent unauthorised executable files from running on the corporate IT network. But other network nasties have taken their place as primary threats. In particular, as e-mail has become more prevalent over the past ten years, so e-mail worms and individual worms have thrived. By the end of the 90s, worms could reach global epidemic levels in under a day – one of the first and most infamous e-mail worms, Loveletter (or ILOVEYOU), caused widespread mayhem and financial loss in 1999 before it was brought under control.

Eric Allman is Chief Science Officer and Co-Founder at Sendmail, and inventor of the first commercial e-mail program 25 years ago. He believes that the advent of ‘active content’ in e-mail, rather than plain text, signalled the beginning of the problem. “Previously the consumer market for networked systems was workgroups – small groups of people known to one another collaborating on a common goal,” he explains. “As a result, the software was rife with active content (e.g. macros in spreadsheets and text documents), which made total sense for that environment. But when we plugged this software into the internet we changed the rules of the game: suddenly we weren't dealing with small groups of trusted users, we were dealing with large groups of untrusted users, and active content was a major virus vector.”

In 2001, the transmission time window shrank from one day to one hour with the introduction of network worms such as Blaster and Sasser, which automatically infected every online computer without adequate protection.

“Most e-mail viruses still require the end user to take some action to enable the infection, although that may be as simple as opening an attachment,” Allman continues. “Once activated they can send themselves to everyone in your address book, which allows them to spread. I would say the most serious viruses today are those that can propagate by themselves (hence they are actually worms) by attacking other system services. These can spread very quickly: a few years ago you might measure the speed of a virus or worm infection in days, but today the units have dropped to hours or even minutes.”

For the IT community, it soon became apparent that desktop virus protection wasn't the only answer, and that it was sensible – because of the sheer quantity of virus-infected e-mail – to also scan e-mail gateways for incoming malicious content. Nevertheless, e-mail and network worms still continue to cause havoc in the IT world. To make the job of the virus writers even easier, some users still fall for the oldest tricks in the book. “Companies are putting up firewalls and employing detection software but the other thing that malicious people do is purposely leave CDs, DVDs and memory sticks around that are infected,” says Professor Peter Cochrane, Co-Founder of ConceptLabs, and former CTO at BT. “And once they are infected and they are on the inside of the firewall then they can run rampant of course.”

Organised crime

To make matters worse, it isn’t just the viruses that have become more malicious. The virus writers themselves have evolved from the virus-writing hobbyists of the past into criminally operated gangs bent on financial gain. “The typical virus writer always used to be a young man, bright and intelligent and into computers but without, perhaps, as much of a social life as some would consider healthy,” Cluley highlights. “Most of their relationships with peers would revolve around computers, and they often used viruses to boost their self-esteem, show off to others, and build a fantasy image of themselves. Part of this was calling themselves names like The Black Baron, Dark Avenger, Nowhere Man, and – my personal favourite – Colostomy BagBoy.

“So, they essentially did it ‘for kicks’, even though the impact could be substantial. Today, although some of these old school ‘teenage’ virus writers are undoubtedly active and doing it for kicks, an increasing number of malware authors are part of organized criminal gangs, using viruses and Trojan horses to steal information and make money.”

Frost agrees that the motivation has recently changed from that of notoriety – i.e. being hailed as someone who wrote a successful virus – to financial gain, profiting by writing a virus that acts in a stealth-like manner. “I'm not sure if the true term ‘virus’ rings true anymore,” he adds. “I'm personally happier calling it malware – i.e. it's code and it carries out actions that are unauthorised on an organisation’s systems/networks. Development of malware is constantly evolving and spyware represents, I believe, a new (relatively!) breed of unauthorized code.”

At present there are over 150,000 viruses and the number is still growing rapidly. From boot sector viruses, to macro viruses, to worms and spyware, it has been a painful 20 years for PC users. But the evolution of the virus continues, and we can only speculate what will characterize its next stage of development. There are already suggestions, for instance, that malware authors may target laptop WLANs as the next vector for automatically spreading worms.

Cochrane believes that as the threat evolves, we will need to respond with force. “The first viruses were extremely simple,” he explains. “They just got themselves into a computer and sat there. They didn’t worm their way in. They didn’t distribute very well. They were very, very crude. The viruses today are getting increasingly sophisticated, as are the methods of penetration. The thing that really worries me is that viruses have not yet taken on all the attributes of a biological virus. And sooner or later these things are going to start mutating and breeding and becoming very adaptive indeed and we will lose complete control. So I am an advocate of building a white cell antivirus software in the network that hunts down these viruses and kills them, but also backtracks from where they came from and takes care of the people who generated them in the first place. This is well within the scope of the industry.”

“Whatever the next step might be, it will be interesting to see what kind of viruses we will be talking about in another 20 years,” concludes Mikko Hypponen, Chief Research Officer at F-Secure. “Computer viruses infecting household appliances, perhaps?”


The PC virus timeline

1981 – Theoretical computer scientist Professor Leonard Adleman first employs the term “virus” to describe self-copying programs.
1986 – The first PC virus is created. Amjad and Basit Alvi, managers of the small computer firm Brain Computer Services, include a virus carrying their name and address with each software copy to encourage customer loyalty. It unintentionally results in the first MS-DOS virus to spread worldwide.
1987 – The Lehigh virus is discovered. The first “memory resident file infector”, it is a file-infecting virus that attacks executable files and gains control when the file is opened.
1988 – The first anti-virus virus is written, designed to detect and remove the Brain virus and immunize disks against Brain infection. Later that year, the Cascade virus is discovered, the first encrypted virus, meaning it is coded so that it could not be changed or removed. Viruses now start getting media attention, with articles devoted to them in magazines such as Time and Newsweek.
1989 – The first stealth virus that can infect files is discovered. The Frodo virus issues the message “Frodo lives!” The same year witnesses the first Trojan horse to spread via mailing lists. The Trojan horse overwrites the beginning of documents and issues the message: “Your computer now has AIDS” before the system collapses and the computer must be restarted.
1991 – Discovery of the first cluster virus, DirII.
1992 – The first Windows virus, WinVir 1.4, is discovered.
1995 – Concept, the first macro virus, infects Microsoft Word documents. The virus reads: “That’s enough to prove my point”.
1996 – Concept, a macro virus, becomes the most common virus in the world.
1999 – The Melissa virus spreads around the world. It infects Word documents and sends itself as an e-mail message to addresses in Outlook, which leads to the collapse of a large number of mail servers.
2000 – VBS.Loveletter (AKA “ILOVEYOU”) spreads worldwide at an astonishing pace. This worm spreads by sending itself as an e-mail attachment purporting to be a love letter.
2001 – Users around the world are infected with the VB.SST@mm computer worm when they open an attachment purporting to be an image of Anna Kournikova. The worm copies itself into the Windows directory and then sends itself to the entire address book via MS Outlook.
2003 – Often considered the worst year so far for viruses, F-Secure estimates that the number of known viruses rose to 90,000.
2004 – The MYDOOM.A worm makes its first appearance. Its exceptionally high propagation speed creates a heavy increase in data traffic on the internet and in corporate networks.
2006 – The PC virus ‘celebrates’ its 20th birthday.
