The History of Computer Viruses
Early Theories, Implementations, and Motives
By: Chris DiGiamo

 

I. Introduction

            Although computers have been in wide use since the 1960s, the first computer virus found in the wild is usually dated to the early 1980s. To account for this twenty-year gap, one has to look at how computers were used before the first virus and at which changes turned self-copying programs from a curiosity into the problem we deal with today.

            Even though the direct ancestors of the modern computer date back to the early 1940s, it was not until the mid 1960s that organizations with real computing needs began to use them. Computers were very large and expensive, and programs had to be loaded by hand through punch cards or other archaic media. As technology advanced, computers became smaller and faster.

            By the 1980s computing had shifted completely from large centralized machines to distributed personal computers. With the rise of machines such as the Apple II and the IBM PC, a computer could sit quietly in the home of anyone who could afford one. Through high-level languages such as C, Fortran, and Pascal, a user could develop software for the machine without knowing its hardware. With the floppy drive and the bulletin board system (BBS), computers finally had a practical means of moving programs from one machine to another, which is exactly the channel a virus needs.

II. The Road to the First Virus

            In 1949 the mathematician John von Neumann, co-creator of the stored-program architecture used by virtually every computer in existence, lectured on self-reproducing automata: machines able to construct copies of themselves. The simplest software analogue of such a program is a quine, a program whose only output is its own source code, as in this JavaScript example taken from Wikipedia.org:

function a()
{
    // Converting the function "a" to a string yields its own source text;
    // appending "\na();" reproduces the program's final line.
    alert (a + "\na();");
}
a();

Calling a() displays the source of a followed by the line a();, which is exactly the text of the program itself; paste that output into a fresh page and the identical program runs again. Note what a quine does not do: it reproduces its own text but never attaches itself to another program, and that attachment is what separates a virus from a merely self-printing program.

            The first practical implementation of self-reproducing, adversarial code appeared in the early 1960s. It was a game called Darwin, written at Bell Labs in 1961 by Victor Vyssotsky, Robert Morris Sr. (whose son wrote the 1988 worm discussed below) and Doug McIlroy; its authors only wrote about it publicly years later, and A. K. Dewdney's 1984 Scientific American column popularized a descendant of it under the name Core War. The word "core" is a now-dated term for main memory, from magnetic-core memory (think: UNIX core dumps). The idea is simple: two programmers use a small instruction set to write programs, and these programs compete for complete occupancy of the core, which is just a circular array of memory words executed in sequence. The winning tactics write code directly into memory, creating as many copies of oneself as possible while throwing bad instructions at wherever the opponent might be.
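As an added illustration (this is not from the original paper), here is a tiny Core War style simulator in Python. It uses four instructions from the Redcode set Dewdney published (DAT, MOV, ADD, JMP, with immediate, direct and indirect addressing) and a 32-cell core; the core size, the warrior placement and the function names are this example's own choices. The two warriors are the classic "Imp" (MOV 0, 1), which copies itself one cell forward every cycle, and the "Dwarf", which throws a DAT bomb at every fourth cell.

```python
from dataclasses import dataclass, replace

CORE_SIZE = 32  # toy core; Dewdney's game used thousands of cells


@dataclass
class Cell:
    """One memory word. Modes: '#' immediate, '$' pc-relative, '@' indirect via B field."""
    op: str = "DAT"   # DAT kills the process that executes it; MOV, ADD, JMP as in Redcode
    a_mode: str = "#"
    a: int = 0
    b_mode: str = "#"
    b: int = 0


IMP = [Cell("MOV", "$", 0, "$", 1)]          # MOV 0, 1: copy myself one cell ahead
DWARF = [
    Cell("ADD", "#", 4, "$", 3),             # advance the bomb pointer (B field of the DAT) by 4
    Cell("MOV", "$", 2, "@", 2),             # throw a copy of the DAT to the cell it points at
    Cell("JMP", "$", -2, "#", 0),            # loop
    Cell("DAT", "#", 0, "#", 0),             # the bomb, doubling as the pointer
]


def address(core, pc, mode, value):
    """Resolve an operand to a core address (None for an immediate)."""
    if mode == "#":
        return None
    addr = (pc + value) % CORE_SIZE
    if mode == "@":
        addr = (addr + core[addr].b) % CORE_SIZE
    return addr


def step(core, pc):
    """Execute the cell at pc; return the next pc, or None if the process dies."""
    ins = core[pc]
    if ins.op == "DAT":
        return None
    if ins.op == "JMP":
        return address(core, pc, ins.a_mode, ins.a)
    dst = address(core, pc, ins.b_mode, ins.b)
    src = address(core, pc, ins.a_mode, ins.a)
    if ins.op == "MOV":
        if src is None:                      # MOV #n, x writes n into x's B field
            core[dst].b = ins.a
        else:                                # whole-cell copy: this is how code replicates
            core[dst] = replace(core[src])
    elif ins.op == "ADD":
        if src is None:                      # ADD #n, x adds n to x's B field
            core[dst].b = (core[dst].b + ins.a) % CORE_SIZE
        else:
            core[dst].a = (core[dst].a + core[src].a) % CORE_SIZE
            core[dst].b = (core[dst].b + core[src].b) % CORE_SIZE
    else:
        raise ValueError("unknown op " + ins.op)
    return (pc + 1) % CORE_SIZE


def battle(programs, max_cycles=200):
    """Load each warrior at its origin and run them round-robin, one instruction each.
    programs: {name: (origin, code)}. Returns (sorted survivors, final core)."""
    core = [Cell() for _ in range(CORE_SIZE)]   # an empty core is all DAT 0, 0
    pcs = {}
    for name, (origin, code) in programs.items():
        for i, cell in enumerate(code):
            core[(origin + i) % CORE_SIZE] = replace(cell)
        pcs[name] = origin
    for _ in range(max_cycles):
        for name in list(pcs):
            nxt = step(core, pcs[name])
            if nxt is None:
                del pcs[name]                # executed a DAT: this warrior is dead
            else:
                pcs[name] = nxt
        if len(programs) > 1 and len(pcs) <= 1:
            break
    return sorted(pcs), core


if __name__ == "__main__":
    survivors, core = battle({"dwarf": (0, DWARF), "imp": (16, IMP)})
    print("survivors:", survivors)
    print("cells holding imp code:", sum(c == IMP[0] for c in core), "of", CORE_SIZE)
```

Run alone, the Imp turns all 32 cells into copies of itself within 32 cycles. Placed against the Dwarf in this core, the Imp marches over the Dwarf's code and converts the Dwarf into a second Imp before any bomb lands in its path, so both processes survive and the core ends up filled with Imp code. The real game used far larger cores and warriors built specifically to kill Imps, but the mechanism, replication by writing into shared memory, is the same one later viruses turned against file systems.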

            In 1983 Fred Cohen, then a graduate student, ran the first controlled virus experiment, and in the paper and dissertation that followed he defined a "computer virus" as a program that can infect other programs by modifying them to include a possibly evolved copy of itself (the word itself was suggested by his adviser, Len Adleman). He based the definition on experiments on several UNIX and VMS machines, in which a test virus spread from program to program and, by riding on the privileges of whoever ran an infected program, quickly obtained every privilege on the system. Cohen also grouped viruses into two categories. Research viruses, like the ones he documented, were created solely for study under controlled conditions. The second group is referred to as "in the wild", a term still widely used in the security field for anything that spreads outside the environment where it was created.

III. The First Virus?

            The first well-documented virus that actually spread outside the place it was written appeared in 1982 and used floppy disks as its spreading medium. The virus, named "Elk Cloner", was written by 15-year-old Richard Skrenta and ran on Apple II systems. If a computer was booted from an infected floppy, the virus copied itself into memory and watched for floppy drive access. When an uninfected floppy was put into the drive, the virus copied itself onto it. On every 50th boot from an infected floppy the following poem was displayed:

Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!

It will stick to you like glue
It will modify ram too
Send in the Cloner!

One might ask what the purpose of creating such a program could be. Apparently Skrenta was simply a bored programmer who found a great deal of excitement in annoying his friends. It has been said that before Elk Cloner he used to hand out games to his friends on floppy disk that stopped working after a certain number of loads. Skrenta can be unofficially credited as the first person to put a cryptic and useless message inside a virus, and many of the viruses documented since have been named after some string of text their author left in the code.

            The first PC virus found in the wild was Brain, in 1986. Brain was written by two Pakistani programmers, the brothers Basit and Amjad Farooq Alvi. Like Elk Cloner, it had no intentionally malicious or damaging payload. The brothers sold medical software in Pakistan and, to fight piracy of their own product proactively, wrote Brain to replace the boot sector of a floppy disk with its own code (the original boot sector was moved elsewhere on the disk). The program was supposed to reach only copyright infringers, and it even carried three telephone numbers and the authors' real names as contact information for getting the virus removed. As soon as Basit and Amjad began receiving phone calls from the USA and Britain, they knew something had gone badly wrong. How a small virus, distributed on floppy disks inside a few copies of Pakistani medical software, made its way that far has never been fully explained.

            A boot sector virus has a reliable foothold: whenever a machine starts from an infected disk, the virus runs before the operating system, stays resident, and can write itself to the boot sector of every other floppy that passes through the drive. Without a means of reproduction this dependable, a virus simply cannot perpetuate itself. Another factor that matters when comparing viruses is survivability. A virus that lodges itself in storage the user rarely inspects and cannot easily rewrite, such as a boot sector or a system file, will last longer, and consequently affect more systems, than one that is wiped out by a simple reboot.


IV. Survivability and Distribution

            Brain set a bar that later virus writers could only raise. The success of a virus can, in my view, be broken down into three distinct properties, each of which can be improved on independently.

            In 1987 the Lehigh virus was discovered at none other than Lehigh University in Pennsylvania. Lehigh infected MS-DOS machines and spread on floppy disks. It improved on Brain's survivability but created a serious distribution problem for itself. Lehigh attached its code to COMMAND.COM, the command interpreter that every bootable MS-DOS disk (floppy or hard disk) carries and that is loaded into memory at boot time. Once a copy had infected four other COMMAND.COM files, it began maliciously overwriting vital disk structures, which usually destroyed the host computer's data fairly fast. The Lehigh virus never actually left the university, thanks to a well-trained computing staff who worked out how to neutralize it on every infected machine.

            It is here that we notice that a virus which quickly disposes of its host organism (in this case the computer) simply cannot spread as well as one that does not. Lehigh owes much of its fame to being an early memory-resident file infector: once loaded along with COMMAND.COM it stays in memory, waiting for other COMMAND.COM files to be accessed so it can infect them and keep its count. Most modern viruses are also memory resident, and removing a memory-resident virus is hard precisely because it can watch, and interfere with, everything the user does while it runs. Lehigh also used a concept that later virus writers copied to excess: the logic bomb, a payload that fires when some condition is met, of which the time bomb, triggered by a date, is the best-known variant. The logic bomb is usually the malicious second phase of a virus, the first phase being distribution. In Lehigh the trigger was the count of infected COMMAND.COM files reaching four.

            From Lehigh onwards, viruses only became more survivable and better at spreading:


  • Cascade (1988) - Cascade introduced one of the most effective survivability improvements in the history of virus writing. Its author knew that anyone looking to detect viruses could catch most of them easily because their code was identical in every infected file, producing exactly the same bytes every time. To solve this, Cascade encrypted its own body with a key that changes from copy to copy (derived from the length of the infected file), so only a short decryption routine looks the same in every host. Pseudocode for the idea:

    LOAD VIRUS INTO MEMORY
    READ KEY STORED WITH VIRUS
    DECRYPT THE REST OF THE VIRUS
    EXECUTE THE VIRUS

    The weakness, which scanners quickly exploited, is that the decryptor itself is constant and can be matched as a signature; polymorphism (below) is the virus writers' answer to that.

    Cascade paid homage to Richard Skrenta in the annoyance department with its visible sign of infection. It was named Cascade because it made the characters on the screen fall to the bottom into piles:


  • Frodo (1989) is the first full-stealth virus discovered. Frodo (also known as 4096, after the number of bytes it added to each file) was a memory-resident file infector that went to great lengths to hide its presence from the user. Its trick was to make everything look as if nothing had changed: by hooking the DOS file services, it reported a file's original size when a directory listing asked, and stripped its own bytes out of the data when an infected file was read, so a scanner running on an infected system saw only clean files. It also displayed a message every September 22nd (Frodo's birthday in Tolkien's books).
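As an added illustration (not from the original paper, and a stand-in rather than Frodo's actual code), the following Python models what full stealth does to a scanner. RawDisk stands for the sectors as they really are; StealthView stands for the virus's hooked DOS file services, which answer every size and read request for an infected file as if it were clean. The sample files, the virus body and the signature string are all constructed for the example.

```python
# Constructed sample disk: short byte strings standing in for real programs.
SAMPLE_FILES = {
    "HELLO.COM": b"\xb4\x09\xba\x00\x01\xcd\x21\xc3Hello$",
    "EDIT.EXE": b"MZ" + b"\x00" * 30,
}
# Constructed stand-ins for the appended virus body and the bytes a scanner keys on.
VIRUS_BODY = b"\xe8\x00\x00FRODO-LIKE-BODY\xc3"
SIGNATURE = b"FRODO-LIKE"


class RawDisk:
    """The sectors as they really are: what you see after booting clean media."""

    def __init__(self, files):
        self.files = dict(files)

    def names(self):
        return sorted(self.files)

    def size(self, name):
        return len(self.files[name])

    def read(self, name):
        return self.files[name]

    def write(self, name, data):
        self.files[name] = data


def infect(disk, name):
    """Append-style infection: the body is tacked onto the end of the host file."""
    data = disk.read(name)
    if data.endswith(VIRUS_BODY):
        return False                       # already infected, do not grow the file again
    disk.write(name, data + VIRUS_BODY)
    return True


class StealthView:
    """Stands in for the resident virus's hooked DOS file services: every size or
    read request for an infected file is answered as if the file were clean."""

    def __init__(self, disk):
        self.disk = disk

    def names(self):
        return self.disk.names()

    def read(self, name):
        data = self.disk.read(name)
        if data.endswith(VIRUS_BODY):
            return data[:-len(VIRUS_BODY)]   # strip our own bytes before the caller sees them
        return data

    def size(self, name):
        return len(self.read(name))          # report the pre-infection size


def signature_scan(fs):
    """A scanner that trusts whatever file services it is running on top of."""
    return [n for n in fs.names() if SIGNATURE in fs.read(n)]


def cross_check(live, clean):
    """What an integrity checker does: compare what the running system reports
    against sizes read on a clean boot (or recorded while the system was known good)."""
    return [n for n in clean.names() if live.size(n) != clean.size(n)]


def demo():
    raw = RawDisk(SAMPLE_FILES)
    infect(raw, "HELLO.COM")
    live = StealthView(raw)                  # the virus is resident
    return {
        "scan_with_virus_resident": signature_scan(live),
        "scan_after_clean_boot": signature_scan(raw),
        "size_reported": live.size("HELLO.COM"),
        "size_on_disk": raw.size("HELLO.COM"),
        "integrity_mismatches": cross_check(live, raw),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lesson practitioners drew from Frodo still stands: a scanner that asks the running system what a file contains is trusting whatever is resident, so boot from known-clean media (or read the raw sectors) before believing the answer, and keep file sizes and checksums recorded on a clean system to compare against.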


  • Three new techniques emerged on the virus scene in the early 1990s to evade the anti-virus programs that were now appearing:
        1. Polymorphism: a refinement of self-encryption in which the decryptor itself is rewritten for every copy, so that no fixed sequence of bytes remains for a scanner to match. One way to achieve this is to swap instructions for equivalent ones that produce the same result. Consider a virus that needs the value 1024 in a register; instead of loading it directly, one copy could compute it as:

          OFFSET = 2
          OFFSET = (OFFSET & 0x2) << 8
          OFFSET = OFFSET * 2

           (2 & 0x2 is 2, shifted left by 8 is 512, doubled is 1024), and the next copy could choose a different sequence with the same result.
        2. Armoring: techniques that prevent debugging or disassembling of the code, so that an anti-virus writer cannot easily work out how the virus attacks. A simple armoring trick is to detect, and refuse to run under, the debuggers that would give low-level access to the virus.
        3. Multipartite: infecting both the boot sector and files, so that cleaning one without the other lets the virus come back.

        These techniques were all necessary because the list of anti-virus software grew fairly fast. In a list compiled by a fellow at IBM on December 18th, 1990, all of the anti-virus software available at the time was enumerated.
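To make the Cascade item and the polymorphism item above concrete, here is an added Python example; it is the editor's illustration, not code from the paper or from any real virus, and the toy opcode set, the PAYLOAD bytes and the function names are all invented for it. cascade_style() builds a copy with a random key and a constant two-instruction decryptor; polymorphic() builds a copy whose decryptor is assembled from randomly chosen equivalent instruction sequences, a random register and junk NOPs. A wildcard byte signature catches every Cascade-style copy but only the occasional polymorphic one, while emulating the decryptor and scanning what it produces (what scanners later called generic decryption) catches them all.

```python
import random

# Toy "machine code" for the decryptor: opcodes and one-byte operands invented for
# this example, not any real virus's encoding. Registers are numbered 0-3.
OPC = {"MOV": 0x01, "XORR": 0x02, "ADD": 0x03, "XORI": 0x04, "DEC": 0x10, "NOP": 0x90}

# Constructed stand-in for the virus body (Cascade's real code is not reproduced).
PAYLOAD = b"CASCADE-LIKE BODY: make the letters fall to the bottom of the screen"
BODY_SIG = b"CASCADE-LIKE"                   # plaintext signature a scanner would use
# Wildcard signature for the constant Cascade-style decryptor: MOV r0, <any>; DEC r0.
STUB_SIG = [0x01, 0x00, None, 0x10, 0x00]


def assemble(prog):
    """Encode (mnemonic, operand, ...) tuples as bytes."""
    out = bytearray()
    for ins in prog:
        out.append(OPC[ins[0]])
        out.extend(ins[1:])
    return bytes(out)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def execute(blob):
    """Emulate the decryptor at the front of blob; return the body it exposes."""
    regs = [0, 0, 0, 0]
    pc = 0
    while pc < len(blob):
        op = blob[pc]
        if op == OPC["NOP"]:
            pc += 1
            continue
        r = blob[pc + 1]                                   # register operand
        x = blob[pc + 2] if pc + 2 < len(blob) else 0      # immediate or second register
        if op == OPC["MOV"]:
            regs[r] = x
        elif op == OPC["XORR"]:
            regs[r] ^= regs[x]
        elif op == OPC["ADD"]:
            regs[r] = (regs[r] + x) & 0xFF
        elif op == OPC["XORI"]:
            regs[r] ^= x
        elif op == OPC["DEC"]:
            return xor_bytes(blob[pc + 2:], regs[r])       # the rest of blob is the body
        else:
            raise ValueError("bad opcode %#x" % op)
        pc += 3
    raise ValueError("no DEC instruction found")


def cascade_style(payload, key):
    """Cascade's idea: random key, constant decryptor. Only the key byte varies."""
    return assemble([("MOV", 0, key), ("DEC", 0)]) + xor_bytes(payload, key)


def polymorphic(payload, rng):
    """Same effect, but the decryptor is rebuilt per copy from equivalent instruction
    sequences, a random register and junk NOPs, so its bytes vary as well."""
    key = rng.randrange(1, 256)
    r = rng.randrange(4)
    mask = rng.randrange(256)
    load_key = rng.choice([
        [("MOV", r, key)],                            # load the key directly
        [("XORR", r, r), ("ADD", r, key)],            # zero the register, then add it
        [("MOV", r, key ^ mask), ("XORI", r, mask)],  # load a masked key, then unmask it
    ])
    prog = []
    for ins in load_key + [("DEC", r)]:
        if rng.random() < 0.5:
            prog.append(("NOP",))                     # junk that changes nothing
        prog.append(ins)
    return assemble(prog) + xor_bytes(payload, key)


def signature_match(blob, sig):
    """Byte-pattern scan; None matches any byte (scanners used such wildcards)."""
    return any(all(s is None or s == blob[i + j] for j, s in enumerate(sig))
               for i in range(len(blob) - len(sig) + 1))


def emulate_and_scan(blob, plaintext_sig):
    """The scanner's answer to both tricks: run the decryptor in a sandbox and
    search the bytes it produces."""
    try:
        return plaintext_sig in execute(blob)
    except (ValueError, IndexError):
        return False


def demo(seed=7, n=10):
    """Build n copies of each style and report how the two scanners fare."""
    rng = random.Random(seed)
    cascade = [cascade_style(PAYLOAD, rng.randrange(1, 256)) for _ in range(n)]
    poly = [polymorphic(PAYLOAD, rng) for _ in range(n)]
    return {
        "all_copies_run_to_same_body": all(execute(c) == PAYLOAD for c in cascade + poly),
        "distinct_polymorphic_copies": len(set(poly)),
        "cascade_caught_by_stub_signature": sum(signature_match(c, STUB_SIG) for c in cascade),
        "polymorphic_caught_by_stub_signature": sum(signature_match(c, STUB_SIG) for c in poly),
        "polymorphic_caught_by_emulation": sum(emulate_and_scan(c, BODY_SIG) for c in poly),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The XOR cipher and one-byte key are deliberately weak; the point is not the cryptography but that a scanner keyed on fixed bytes is defeated as soon as those bytes stop being fixed, and that the defender's counter is to execute the code far enough to see what it really is.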

         

  • Michelangelo (1992) - Notable mostly for the mass hysteria it produced, Michelangelo was an ordinary master boot record/boot sector virus with a destructive payload that fired on March 6th. One notable point is that it shipped on disks distributed with real software by actual companies.
  • The Concept Virus (1995) - The first macro virus. A macro virus is written not in machine code but in the scripting language of an application, here Microsoft Word's WordBasic, which Word interprets itself rather than compiling into system code. Because Word's macro language was a complete programming language with access to files and other documents, macro viruses had a large attack surface, and because documents were exchanged far more often than programs, they spread easily. Concept itself did little beyond infecting the global template so that every document saved afterwards carried it. Take note that both Windows 95 and the growing popularity of the Internet were, at this point, beginning to change viruses completely.
  • The Melissa Virus (1999) - The first highly successful macro virus. Melissa was written in the macro language of Microsoft Word 97/2000 (Visual Basic for Applications) and spread through Microsoft Outlook 97/98 by mailing itself to the first 50 entries in each of the victim's address books. It was first posted to an Internet pornography newsgroup inside a Word document, and required the victim to download and open that document. The virus also spread into other Word documents on the system. Its second phase inserted a quote from "The Simpsons" into whatever Word document was open, at certain times of the day.
V. The New Millennium

                Melissa set a precedent for all the viruses that followed: the Internet quickly became the main, if not the only, medium for their spread. Meanwhile, on a parallel track, a much craftier relative of the virus had already made the scene: the Internet worm. Viruses and worms are usually lumped together, but there is a very distinct difference between them, namely how they propagate. Viruses have always depended on user interaction. Whether the victim downloaded a file from the Internet, ran a pirated copy of infected software, or inserted an infected floppy disk, the infection was ultimately caused by something the user did.

                Worms changed everything. The Morris worm of November 1988, the first worm to spread across the Internet, moved from machine to machine (VAX and Sun systems running BSD UNIX) over nothing but ARPANET connections, exploiting a debug feature in sendmail, a buffer overflow in fingerd and trusted-host logins rather than waiting for anyone to run anything. Just by being online, a machine could be infected and begin infecting others. The distinction is structural: a worm is a self-contained program that spreads over a network on its own, while a virus is code that attaches itself to a host program and travels with it. Worms are built to infect as many computers as possible as fast as possible, while viruses were built to reproduce quietly and last long.


References:
1. History of Computer Viruses Timeline
2. Brief History of Computer Viruses
3. Antivirus History
4. Antivirus Timeline by IBM Employee
5. Virus/Antivirus History

Chris DiGiamo
Stony Brook University
CSE 301 - History of Computing
Fall 2006