1986 Up from the ooze
1987 University outbreaks
1988 Variations on a theme
1989 Media feeding frenzy
1990 S.P.A.M. viruses
1991 Corporate takeover of the anti-virus industry
1992 Michelangelo and MtE
1993 AV-DOS appears
1994 Outbreak on the Internet
1995 A whole new concept
1996 Boza, Laroux and Hare
Where were you in January of 1986?
I remember exactly where I was on January 28. I was driving a truck up the California coast, delivering pet supplies to pet shops. I had stopped briefly in Nipomo and
was watching television with the store owner. We watched as Challenger lifted off from Cape Canaveral and exploded. My computer experience at the time was limited to programming assembly language on a Z80 and a
Commodore 128. I didn't get a PC until I started an online research service in 1987.
In 1986, the first PC virus was created. It was the Brain virus from Pakistan. Brain was a boot sector virus and only infected 360k floppy disks. Interestingly, even though it was the first virus, it had full-stealth capability.
In December of 1986, a file infecting demo virus was introduced. It was called Virdem and was created in Germany.
Two other demo viruses carry 1986 copyright notices: the Burger virus (Program Virus ver. 1.1 by R. Burger) and the Rush Hour virus by B. Fix.
In October of 1987, Brain was discovered in the wild, at the University of Delaware.
Other viruses were first discovered in 1987 at universities around the world. In November, the Lehigh virus was discovered at Lehigh University in the United States. The virus only infected Command.com. Since Command.com remains resident, this was technically the first memory-resident file infector.
In December, the Jerusalem virus appeared at the Hebrew University of Israel. It was the first file infector designed to go memory-resident. It is possible that Jerusalem was the fourth in a series of viruses by the same author. The other three were the Suriv variants 1, 2, and 3 (Suriv is "virus" spelled backwards). These, however, came to light after Jerusalem did. Jerusalem was also the first virus discovered that infected programs with either .COM or .EXE extensions (and the first to contain a bug which causes it to re-infect already infected programs).
Reportedly, around this time, Stoned (the first MBR infector) was written by a student at the University of Wellington in New Zealand and the Vienna Virus was written by an Austrian high school student.
In 1987 a book was released with a disassembly of the Vienna virus. Also in that book was source code for other viruses, including the Burger and Number One viruses.
A virus appeared in South Africa that deleted files on Friday the 13th.
The Den Zuk viruses (two versions) were created in March by Denny Yanuar Ramdhani in Bandung, Indonesia. The virus detects and removes the Brain virus. It also immunizes the disk against Brain infection. This was evidently the first anti-virus virus. (A letter from the virus's creator was published in the Virus Bulletin of February 1991.)
The Cascade virus was found in Germany. It is a memory-resident virus and introduced self-encryption using a random key. Cascade was evidently the first encrypted virus.
The Ping Pong virus was found at the University of Turin in Italy in March.
During 1988, viruses started getting media attention. Magazines with articles included:
In addition, PC Week had over 20 articles on viruses during the year. Some of today's top antivirus researchers got started before 1989.
By the time I examined my first virus on August 16, 1989, there were about 30 known viruses. Until then I had only read about them. I had been writing security and copy protection programs in assembler at the time and had made a program to detect viruses and Trojans. I ran it on the virus (Jerusalem.1808.Standard) and several alarms sounded. Today the program would be called a heuristic scanner. It had very limited distribution on a couple of local BBS's and a total of one registered user.
Not long after I got the virus, that one registered user (Rick Mendosa) offered me a job at a business magazine where I became the research editor. One day soon after that he handed me a clipping about a virus that people thought would soon wreak havoc on civilization.
The Washington Post of September 17, 1989 reported, under the headline "Computer Virus Sparks a User Scare; Some Analysts Say the 'Friday the 13th' Fears Are Overblown": "A computer 'virus' that springs to life destructively on Friday the 13th is on the loose, and across the country computer users are rushing helter-skelter to protect their machines against it." There was actually some confusion in the flurry of news reports and quoted "experts". In fact, two viruses were being described in the reports. One was DataCrime, which would trigger on any day after October 12th. The other was Jerusalem, which triggers on any Friday the 13th. And that October 13th fell on a Friday.
Here are some other headlines from other stories about DataCrime from this period:
Yet, although DataCrime was blown all out of proportion, several important viruses did first appear during 1989. One in particular was mentioned in the headline: "'Dark Avenger' wreaks havoc at software firm" - PC Week, December 25, 1989
The Dark Avenger.1800 virus, unlike DataCrime, actually could represent a threat worldwide. The virus was reportedly written in Sofia, Bulgaria in January of 1989, by an individual calling himself Dark Avenger. It well represented the coming escalation in the virus vs. anti-virus war.
This virus introduced two worrisome features. First, it was designed to do slow, insidious damage to the system rather than sudden, obvious damage. It would randomly write garbage to sectors of the drive, so the damage tended to go unnoticed, and in turn the damaged files would be backed up.
Second, it was a fast infector. Resident viruses before this would infect programs as they were run. Dark Avenger also infected programs when they were opened. Therefore, if the virus was in memory and you ran an anti-virus scanner (one that wasn't aware of the virus) on the system, the virus would piggyback on the scanner and infect every program the scanner looked at.
In October of 1989, another important virus was discovered in Haifa, Israel. This was the Frodo virus. Frodo was the first full-stealth file infector. It was designed to damage the hard disk if run on or after September 22 of any year. However, in all reported samples of the virus the damage routine is corrupted and Frodo simply hangs the system.
Frodo got its press coverage the following year with the headline:
Other interesting viruses in 1989 were:
Research and Development
A few months before I got my first virus, Steve White organized the High Integrity Computing Laboratory at IBM's Thomas J. Watson Research Center. About the same time, IBM released its first antivirus product.
One month before I got my first virus, a journal called Virus Bulletin began. It was and is an excellent source of accurate, timely information on viruses.
In retrospect, it seems that many seeds sprouted around this time that grew into today's antivirus industry. For example, in these early days before 1990, most of today's top antivirus professionals got started.
Among these are: Bill Arnold, Tjark Auerbach, Pavel Baudis, Vesselin Bontchev, David Chess, Paul Ducklin, Richard Ford, Ray Glath, Ross Greenberg, Dmitry Gryaznov, Jan Hruska, Eugene Kaspersky, Jeff Kephart, Mike Lambert, Igor Muttik, Roger Riordan, Fridrik Skulason, Alan Solomon, Wolfgang Stiller, Morton Swimmer, Roger Thompson, Frans Veldman, Joe Wells, Steve White, and Righard Zwienenberg.
Have you ever seen a Stealth, Polymorphic, Armored, Multipartite virus?
Stealth is a mechanism by which a virus hides size increase and/or its own code.
Polymorphism involves encrypted viruses where the decryption routine code is variable.
Armoring is used to prevent anti-virus researchers from disassembling a virus.
Multipartite is a virus that can infect both programs and boot sectors.
Well, 1990 was the year of mix and match. Demo viruses from two separate researchers in the United States introduced advanced polymorphism as well as armoring (these were the V2Px viruses, Virus-90 and Virus-101). The Fish virus was full stealth and encrypted with a very short decryptor (14 bytes).
Joshi took boot sector stealthing to new levels.
The title of "first successful multipartite virus" should probably go to the Flip virus (which is also polymorphic). There were however two multipartite viruses that probably predate Flip. They were Anthrax and V1, but neither was very successful.
Then we found out what armor really was. A new virus appeared that was more armored than a M1A1 Abrams tank.
The Mother of all Viruses
I was still a magazine editor in 1990. I asked a well known anti-virus developer about a new virus and he predicted some degree of doom and gloom. Good thing I never published his prediction. It was the Whale virus, and a better description of its effectiveness was given at a virus conference in early 1991. There, Steve White of IBM said that he could give the Whale virus to everyone in the audience and it still wouldn't spread.
While there was not much frenzy in the press about Whale, there was way too much paper and ink wasted on it in the anti-virus industry. Even more time was wasted by anti-virus researchers.
During 1990, a new threat arose in the form of virus exchange BBS's. These boards had huge virus collections for download. But to download viruses, the user had to upload viruses first. This resulted in hundreds of viruses being created just for upload. Moreover, many hacked viruses, non-viruses, attempts at viruses, and completely innocent programs were being uploaded. In turn, these unwieldy conglomerate masses made their way into antivirus research collections. Worse still, such horrific "test collections" fell into the hands of product reviewers. (During 1992, one of these sets was sold in the United States for $100.)
By the end of 1990 there were a number of anti-virus products available. While researching this timeline, I found a list of scanners I was going to test for a magazine review. The list is dated December 18, 1990. The products I had for testing were:
At the time, I felt this list was fairly complete. It isn't. Other anti-virus scanners from 1990 include:
One other product appeared in December of 1990 of which I had heard rumors. Its release foreshadowed a new direction the antivirus industry would take in 1991. The product was Norton AntiVirus.
I never finished that review. Instead, one of the companies I had been dealing with hired me as a programmer. In January of 1991 I accepted a job with Certus. I moved my family (wife and four kids) from sunny southern California to snowy northern Ohio and began my career in anti-virus research.
Also in January of 1991, Roger Riordan of Cybec in Australia discovered a Stoned variant. He found that it triggered on the birthday of a Max Telfer. Max, evidently not wanting the thing named after him, suggested the name of someone else born on that day. So Roger named it Michelangelo.
In March, at an anti-virus conference, Roger gave me a copy of the virus. I really didn't think much about it at the time. I had no inkling at all of the magnitude of media mayhem that Michelangelo would cause.
Also in March, Dark Avenger announced on a Bulgarian BBS that he and his friends were working on a new virus that would mutate in 1 of 4,000,000,000 different ways. That "virus" didn't appear until January of 1992 and actually turned out to be something that hit the anti-virus community harder than Michelangelo hit the press. It wasn't actually a virus; it was an object file to link to viruses. It was a mutation engine (MtE).
Additionally in March of 1991, the VCS V1.0 was discovered. VCS stands for Virus Construction Set. The set allowed the user to build viruses. Other virus construction kits followed. Nowhere Man's VCL (Virus Construction Lab) had a nice Borland-like DOS interface and allowed the user to build viruses by pointing and clicking. Later, Phalcon/Skism's PS-MPC also allowed virus mass-production. Look in any anti-virus product's virus list and you're sure to see lots and lots of VCL and PS-MPC viruses.
April of 1991 saw the discovery of the ultimate SPaM virus. Tequila is not only Stealth, Polymorphic, and Multipartite, it is also an anti-anti-virus virus (or retrovirus) and uses tunneling.
On a plane ride with Peter Tippett, returning from that conference in March, we discussed anti-virus techniques and problems. The result of that discussion was a new product called Novi. We designed it so that it detected common viruses during installation and thereafter prevented infection by known and unknown viruses. The box said "No Updates Required." Novi was released in September of 1991. In the following month a new type of virus was discovered and we had to update Novi.
The DirII virus did not infect in the traditional ways. It has been termed a "linking virus" and "cluster virus." It actually places a single copy of itself on the disk. Then it infects by setting the cluster pointers in directory sectors to point to itself.
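The cluster-pointer trick just described leaves a visible trace in the on-disk structure: on an intact FAT volume every file starts at its own cluster, so executables whose directory entries all share one first cluster are a red flag. The following is an added example, written for this edition and not code from the article or its author, that parses constructed 32-byte FAT12/16 directory entries and reports such sharing. The file names, sizes and cluster numbers are invented sample data.

```python
"""Detecting cluster-pointer redirection in a FAT directory.

Constructed example, not code from the article. On an intact FAT volume
every file starts at its own cluster; a "linking" or "cluster" virus keeps
one copy of itself on disk and points the directory entries of executables
at that copy, so several entries end up sharing one first cluster. This
parses 32-byte FAT12/16 short directory entries and reports such sharing.
"""
import struct
from collections import defaultdict

# name(8) ext(3) attr(1) reserved(10) time(2) date(2) first_cluster(2) size(4)
ENTRY_FMT = "<8s3sB10sHHHI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)      # 32
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
EXECUTABLE_EXTS = {"COM", "EXE"}


def make_entry(name, ext, first_cluster, size, attr=0x20):
    """Pack one short directory entry (used only to build the sample data)."""
    return struct.pack(ENTRY_FMT, name.ljust(8), ext.ljust(3), attr,
                       b"\0" * 10, 0, 0, first_cluster, size)


def parse_directory(raw):
    """Return the live file entries of a raw directory region."""
    entries = []
    for off in range(0, len(raw) - len(raw) % ENTRY_SIZE, ENTRY_SIZE):
        name, ext, attr, _, _, _, cluster, size = struct.unpack(
            ENTRY_FMT, raw[off:off + ENTRY_SIZE])
        if name[0] == 0x00:                 # end-of-directory marker
            break
        if name[0] == 0xE5 or attr & ATTR_VOLUME_ID:   # deleted entry / volume label
            continue
        base = name.rstrip(b" ").decode("ascii", "replace")
        extension = ext.rstrip(b" ").decode("ascii", "replace")
        entries.append({
            "name": f"{base}.{extension}" if extension else base,
            "ext": extension,
            "attr": attr,
            "cluster": cluster,
            "size": size,
        })
    return entries


def shared_clusters(entries):
    """Map each first cluster referenced by more than one file to those files' names."""
    by_cluster = defaultdict(list)
    for e in entries:
        if e["attr"] & ATTR_DIRECTORY or e["cluster"] == 0:
            continue                        # subdirectories and empty files are not of interest
        by_cluster[e["cluster"]].append(e["name"])
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


def looks_like_cluster_virus(entries):
    """True when two or more executables point at the same first cluster.

    A single cross-linked pair can also come from ordinary disk corruption
    (CHKDSK reports those as cross-linked files); many executables on one
    cluster is the linking-virus pattern the article describes.
    """
    for names in shared_clusters(entries).values():
        execs = [n for n in names if n.rsplit(".", 1)[-1] in EXECUTABLE_EXTS]
        if len(execs) >= 2:
            return True
    return False


END_OF_DIR = b"\0" * ENTRY_SIZE

# Constructed sample directories; cluster numbers are invented.
CLEAN_DIR = b"".join([
    make_entry(b"README", b"TXT", 5, 1200),
    make_entry(b"EDIT", b"COM", 9, 4096),
    make_entry(b"GAME", b"EXE", 20, 51200),
    make_entry(b"MENU", b"EXE", 31, 8192),
]) + END_OF_DIR

# Every executable now starts at cluster 47, where the single virus copy sits.
LINKED_DIR = b"".join([
    make_entry(b"README", b"TXT", 5, 1200),
    make_entry(b"EDIT", b"COM", 47, 4096),
    make_entry(b"GAME", b"EXE", 47, 51200),
    make_entry(b"MENU", b"EXE", 47, 8192),
]) + END_OF_DIR

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_DIR), ("linked", LINKED_DIR)):
        entries = parse_directory(raw)
        print(label, shared_clusters(entries), looks_like_cluster_virus(entries))
```

Run against a real directory region, the same parser would be fed raw sectors read from the volume; the point of the check is that it works on the on-disk structure alone and does not depend on the infected system's file-size or directory reporting.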
The antivirus industry started to look, smell, and taste like money.
The big news in the antivirus industry in 1991 involved the utility software companies in the United States. After Symantec released Norton AntiVirus, their competitors jumped in by repackaging Israeli anti-virus products.
The last two were actually released in January of 1992. The other main anti-virus product from Israel, AntiVirus Plus from Iris, was later licensed by Cheyenne Software.
In the years that followed 1991, an amazing consolidation occurred. It seemed to start when Symantec bought Certus. I moved back to California and worked on Norton AntiVirus 3.0.
The consolidation went like this:
1992 - Symantec acquires Certus (and I move back to California).
During this time I often thought of the phrase "Resistance is futile. You will be assimilated."
In January of 1992 we received Dark Avenger's mutation engine. Not too long before this Fridrik Skulason and Alan Solomon had wrestled with descriptions of variably modified decryption routines and coined the term "polymorphic" as it applies to computer viruses. Here was polymorphism incarnate.
In February, I traveled to California for a meeting with other anti-virus vendors. I liked the term "polymorphic" so much that I drilled it into everyone else's psyches. The trip included a dinner with John Dvorak. Soon after, he wrote an article pushing the MtE, polymorphism, and multipartitism.
It is of interest that Dark Avenger took several months to produce his mutation engine and most anti-virus developers had detection for it in a day or two. Well, actually, many had detection that was too good. They could detect 101 percent (all MtE samples and a few other files). MtE brought to light the high risk of false positives in polymorphic viruses. Many of us went back to the drawing boards.
As if this wasn't enough, before 1992 was over, Dark Avenger sent us his next nightmare creation. Commander Bomber was highly polymorphic, but not encrypted. Moreover, we had to coin another term to describe the way it infected. It was the first polymorphic, permutation virus.
Other innovative viruses appeared in 1992:
March meant Michelangelo media mayhem. As in the case of the DataCrime virus in 1989, Michelangelo hit the headlines in early 1992. The differences were that Michelangelo actually was in the wild and that there were more anti-virus companies competing for user dollars. Predictions of destruction ranged from one company spokesman who allegedly claimed that as many as 5 million systems would go down, to another company spokesman who said that it was more likely that you'd spill coffee in your keyboard than get the virus. Below is an example of how the headlines paralleled the DataCrime frenzy. The relevant headlines just in the Los Angeles Times were:
The full extent of this media mayhem was documented by Pamela Kane in an article titled "Anatomy of a Virus Scare" (ISPNews of May/June 1992) and in her book P.C. Security and Virus Protection Handbook.
of the virus were few, anti-virus software sales soared. Because of this, some anti-virus companies appear to have thought that this feast would continue. Some overextended themselves and were unready for the sales famine that followed later in the year. Some of those companies no longer exist.
In mid-1993 I moved back to California to work at Symantec's Peter Norton Product Group. About this same time I started a personal project to document exactly which viruses were being reported in the wild. I compiled a list of 100 viruses from various lists of "common viruses" and posted it to other members of CARO. I asked them to confirm or challenge each virus on the list.
In July I posted the first official WildList.
A number of significant new viruses appeared in 1993.
Soon after the release of MS-DOS 6.0, which contained Central Point Anti-Virus (CPAV) under the name Microsoft Anti-Virus (MSAV), a virus appeared in Germany that contained code to disable the resident portion of this anti-virus product. That virus was Tremor, which is still fairly common in Europe.
A buggy, bloated new virus appeared in the wild in the Washington, DC area that was called SatanBug. The virus got some minor press coverage. With the assistance of the anti-virus industry, federal agents tracked down its author and paid him a visit. Since he was a minor nothing came of the investigation.
Another virus that appeared was Monkey. Monkey is loosely based on the Stoned virus, but is full-stealth and stores the original master boot record (MBR) in an encrypted form. Unlike Stoned, the virus does not leave the original partition table for the infected drive in place. The result is that the drive is invisible to DOS if the system is booted from an infected floppy diskette.
An additional problem with Monkey involved a "cure-all" technique that was publicized and became popular after Michelangelo became well known. The technique involves using an undocumented option with FDISK (a partitioning utility shipped with DOS). Using the command "fdisk /mbr" writes the code portion of the master boot record, but doesn't make any changes to the partition table in the MBR.
For viruses like Stoned and Michelangelo this overwrites the start of the virus code and leaves the partition information intact, so the technique does "kill" the virus. In the case of Monkey-like viruses that don't preserve the partition information, using this command "kills" the virus but leaves virus code in the partition table. The drive is then inaccessible to DOS.
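The difference between the two cases comes down to which bytes of the sector "fdisk /mbr" touches: the 446-byte code area is rewritten, the 64-byte partition table at offset 0x1BE and the 0x55AA signature are not. The following added example (not from the article; the boot code, partition values and "infected" sectors are constructed bytes held in memory, and no disk is touched) models that layout and simulates the code-only rewrite on a Stoned-style sector, which keeps the table, and a Monkey-style sector, which does not.

```python
"""Why a code-only MBR rewrite cures Stoned-style infections but not Monkey-style ones.

Constructed example, not code from the article. A master boot record is one
512-byte sector: 446 bytes of boot code, a 64-byte partition table at offset
0x1BE (four 16-byte entries) and the 0x55AA signature at offset 0x1FE.
"fdisk /mbr" rewrites only the first 446 bytes. Everything here is built in
memory; nothing is read from or written to a real disk.
"""
import struct

SECTOR = 512
CODE_SIZE = 0x1BE            # 446 bytes of boot code
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"      # boot flag, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"


def make_entry(bootable, ptype, lba_start, sectors):
    """Build one partition-table entry (CHS fields left zero for brevity)."""
    flag = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FMT, flag, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(code, entries):
    """Assemble a sector from boot code, up to four entries and the signature."""
    if len(code) > CODE_SIZE or len(entries) > 4:
        raise ValueError("boot code or partition table too large")
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\0")
    return code.ljust(CODE_SIZE, b"\0") + table + SIGNATURE


def parse_table(mbr):
    """Decode the four partition entries of a 512-byte sector."""
    entries = []
    for i in range(4):
        off = CODE_SIZE + i * ENTRY_SIZE
        flag, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        entries.append({"flag": flag, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def dos_can_find_partition(mbr):
    """Rough model of what DOS needs: a valid signature, a boot flag of 0x00 or
    0x80 in every entry, and at least one non-empty entry with a non-zero
    start and length."""
    if len(mbr) != SECTOR or mbr[-2:] != SIGNATURE:
        return False
    usable = 0
    for e in parse_table(mbr):
        if e["flag"] not in (0x00, 0x80):
            return False          # code bytes where a flag byte should be
        if e["type"] != 0 and e["lba_start"] and e["sectors"]:
            usable += 1
    return usable > 0


def simulate_fdisk_mbr(mbr, clean_code):
    """Model "fdisk /mbr": replace the 446-byte code area, keep bytes 446..511."""
    return clean_code.ljust(CODE_SIZE, b"\0") + mbr[CODE_SIZE:]


# Constructed sample data (placeholder bytes, not real boot code or virus code).
CLEAN_CODE = b"\xEB\xFE" + b"clean boot code placeholder".ljust(CODE_SIZE - 2, b"\0")
CLEAN_MBR = build_mbr(CLEAN_CODE, [make_entry(True, 0x06, 63, 65_536)])

# Stoned-style: the code area is replaced but the partition table stays in place.
STONED_LIKE = b"\x90" * CODE_SIZE + CLEAN_MBR[CODE_SIZE:]

# Monkey-style: the whole sector is replaced; the original MBR (with the table)
# was stored elsewhere, so bytes 446..509 hold no partition table at all.
MONKEY_LIKE = b"\x90" * (SECTOR - 2) + SIGNATURE


def demonstrate():
    """Apply the code-only rewrite to both sample sectors and report the outcome."""
    results = {}
    for name, infected in (("stoned", STONED_LIKE), ("monkey", MONKEY_LIKE)):
        after = simulate_fdisk_mbr(infected, CLEAN_CODE)
        results[name] = {
            "visible_before": dos_can_find_partition(infected),
            "visible_after": dos_can_find_partition(after),
            "restored_exactly": after == CLEAN_MBR,
        }
    return results


if __name__ == "__main__":
    for name, r in demonstrate().items():
        print(name, r)
```

The "monkey" result shows the failure mode the text describes: the rewrite leaves the partition-table bytes exactly as the virus left them, so the drive is no more visible after the "cure" than before. The safe recovery for such a case is to restore the original MBR the virus stashed, or to rebuild the table from a backup, rather than to rewrite the code area alone.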
Other interesting viruses this year were:
Strange, a boot virus that exploits an undocumented bug in DOS versions (early versions of PC-DOS and all versions of MS-DOS).
Cruncher, touted as a "good" virus because it compresses infected programs and gives the user more disk space.
During 1994 there were a number of interesting new viruses as well as some non-incidents.
A virus called Kaos4 was posted to the alt.binaries.pictures.erotica news group in a file called Sexotica.
The virus, which was encoded as text, was downloaded by a number of users, decoded into an executable program and run on their systems. In this way, visitors to this particular location along the superhighway, launched a small epidemic.
Fortunately, Kaos4 is a truly mediocre virus. Had it been a more effective virus, it could easily have become pandemic. As it is, the virus is still reported in the wild in many countries.
Another virus called Chill, or Chill Touch, was found in some games on ZiffNet. Few were downloaded via Compuserve and the virus, like Kaos4, was mediocre, so the virus never really spread.
A virus called Junkie appeared and there was some initial press release hype about it. The virus was not initially widespread, but has slowly taken hold and has become slightly common.
A destructive virus called Pathogen appeared in England. It contained a polymorphic engine called SMEG and was written by Black Baron. The author was later tracked down by New Scotland Yard's Computer Crime Unit and jailed.
Two notable viruses appeared during 1994 that have since become quite common. Both are polymorphic and multipartite. These are One_Half and Natas (Satan spelled backwards).
The year began quietly enough. Things were continuing as in the past. Everyone was waiting for the release of Chicago (Windows 95) and wondering what effect the new operating system would have on the future of anti-virus.
It was known that the most common viruses were boot viruses, which would not replicate under Windows 95. Some anti-virus companies were starting to foresee the death of their anti-virus products as DOS died. Then in August everything changed.
Sarah Gordon at Command Software Systems discovered and analyzed a new type of virus. Jimmy Kuo suggested a name the next day. Since that time it has been called Concept. Concept was a macro virus.
Concept is a macro virus written in WordBASIC (an interpreted programming language similar to Visual Basic for Applications). The language is built into the Microsoft Word environment. Specifically, the virus is written in the English-language implementation of WordBASIC. Therefore, Concept will not run within the MS-Word environment if WordBASIC has been implemented in another language.
DOS viruses run in the DOS environment, Mac viruses run in the Mac environment, and Concept runs in the MS-Word environment. Thus, Concept appears to be cross-platform. It runs on systems that MS-Word runs on (Windows 95, Windows NT, Macintosh, etc.). But Concept is not a Windows virus or a Macintosh virus. It is an MS-Word virus. The MS-Word environment is the operating system that Concept replicates within.
Although the anti-virus community has pointed out that the idea of macro viruses is nothing new, most of the product developers were quite unprepared for Concept.
Dealing with Concept involves more than simply releasing a signature or a new database. Most anti-virus product developers have had to make major code changes in their products. That the anti-virus community was unprepared is illustrated by the fact that Virus Bulletin's July, 1996 testing reported that eight of twenty-four scanners they tested (using default mode) failed to detect Concept. One third of these anti-virus products missed the world's most common virus.
By the end of 1995, several other macro viruses were produced. While this new type of virus required a rethinking of viruses, it actually also breathed new life into the anti-virus field.
The new operating systems are no longer a hostile environment for viruses.
1996 - Lions and Tigers and Hares
During 1996 many more macro viruses have appeared. A few (Nuclear, NOP, and Wazzu) have become fairly common, but by no means as common as Concept. By the middle of the year, Concept was clearly the most common virus in the world.
Also in 1996 the first virus specifically for Windows 95 appeared. The virus, Boza, is a pitiful virus and is highly unlikely to spread. It was, however, widely publicized by anti-virus vendors and the press. (See our Hype Alert on Boza.)
In like manner, another virus called Hare was also trumpeted far and wide by the publicists. It became widespread by being downloaded from the Internet, but is also buggy, mediocre, and unlikely to spread. (See our Hype Alert on Hare.)
Still another notable virus caught the attention of the anti-virus marketing community. This was Laroux. Laroux is notable as the first virus to successfully infect Microsoft Excel spreadsheets. It was first discovered and analyzed by Sarah Gordon of Command Software Systems. However, like Hare, only a few reports of the virus in the wild have been received (actually, only two sites at this writing).
Joe Wells, 30 August 1996.