The Windows Special – viruses and other malware

(Status of the text: mostly done)

The computer and the knife
A knife can be used to kill people when wielded by a murderer. It can also be used to save lives when wielded by a doctor. A computer is rather similar in this sense. Computers and the Internet have brought us many benefits: one can buy things from another continent without leaving home, read news from all over the world, and communicate with more people than was ever possible before. And yet there is a negative side too.

Early days
Before there were viruses, there were Trojan horses (now mostly called simply trojans, although that is not accurate considering the origin of the term: in Homer's epic the Trojans did not use the horse, it was used against them!). In the 80s there was no widespread Internet yet; it was the privilege of universities and government agencies. The network of the young hackers of the day was Fidonet (and other similar bulletin board systems). This was a dial-up based system whose network 'nodes' were ordinary PCs dialing each other. Usually at least two phone lines were used at a node: one for periodically exchanging messages with other nodes, the other for users to dial in. The heavy line use was the reason why Fidonet was popular mostly in places with free local calls, like the US and also the former USSR (Fidonet was popular in Estonia too). A Fidonet message allowed a single file attachment, and this was soon used for smaller-scale file transfer as well.

Besides decent users, there were also bad guys who made malicious programs that would, for example, erase files from the user's drive, but labelled them as something beneficial (like compression software; one of the known Trojan horses of the day tried to pass as a new version of the popular PKZIP program). These evil pieces of code came to be known as Trojan horses. The term was actually first used (in the computer context) as early as 1972, and the first such program was found in the Multics system in 1974.

Early Trojan horses were mostly simple and easily detected, so their influence was limited. But then a new kind of malicious software appeared which was able to copy itself. These were soon dubbed 'computer viruses'. Interestingly enough, the first freely-spreading virus did not run on a Microsoft platform: the Elk Cloner ran on Apple DOS 3.3. But it was the IBM PC and the Microsoft operating systems that became the main playground for viruses.

A note: the following examples are but a few from the large army of malware that has been spreading since the 80s; likewise, the worm epidemics of the new century have been far more numerous than those described here.

Brain (Pakistani Brain, (c)Brain, Pakistani Flu, Lahore, UIUC)
Dating back to 1986 and considered to be the first PC virus. It was written by two Pakistani brothers, initially to make it harder for people to copy their software illegally. Brain was a boot sector virus, infecting the starting sector of diskettes. The brothers included their contact data in the virus body; they soon came to regret it, as a large number of users from other countries contacted them and demanded disinfection. The virus, while otherwise relatively simple, did attempt to hide itself (being what is nowadays called a stealth virus).

Lehigh
Lehigh was named after the university in the US where it was first spotted in November 1987. It was one of the first viruses to attack the central part of MS-DOS, the COMMAND.COM file. A typical file virus, it was the first one to use TSR (Terminate and Stay Resident) technology: after an infected program was run, the virus stayed in the computer's memory, infecting all subsequently run programs.

Jerusalem
Found in Jerusalem at the end of 1987, it was a resident file virus which infected all running programs except COMMAND.COM (as countermeasures started to develop, the 'heart of the system' was among the first places to be checked, so the virus did not touch it). On a Friday the 13th, the virus would delete every program that attempted to run. A Jerusalem infection also slowed the machine down very noticeably.

Stoned
First discovered in 1989 and most widespread in Australia and New Zealand around 1991, Stoned was named after the message it displayed when an infected computer was started: "Your PC is now stoned." It was the first real MBR (Master Boot Record; the place on a disk where reading starts) virus, and was also able to infect hard disks.

Happens in better families, too: the Morris worm
The infamous Morris worm of 1988 hit the U.S. computing landscape in a shocking way and is in fact considered the starting point of computer security as a separate discipline. Unlike the PCs and Fidonet of the time, it spread in the 'serious systems' of the real Internet, infecting DEC and Sun computers running Unix. It was written by Robert Morris, a student at Cornell University. The worm made use of some known security holes and also exploited weak passwords.

The author did not foresee the virulent spread, having miscalculated the spreading speed to be 10 times lower. The worm did not have any destructive features either. The spread was nevertheless so epidemic that about 6000 computers were infected and many machines were slowed down by the traffic to the point of halting. As a result, the author was sentenced to 3 years of probation, had to do 400 hours of community service and pay $10,050 in fines.

Although vulnerabilities have occurred in Unix-based systems later as well, the Morris worm remains a singular event: since then, similar attempts have had only limited influence (see Ramen below).

Yankee Doodle (Yankee)
The virus was probably written in Bulgaria (which at that time was one of the major sources of viruses) and was discovered in 1989. It had many variants and was very widespread, perhaps also because it was seen as 'harmless': its only effect besides spreading was playing 'Yankee Doodle' through the PC speaker. It was not uncommon to see whole university computer labs burst into song.

Cascade (Falling Letters)
Cascade appeared at the end of the 80s and was probably written in what was then Yugoslavia. Like Yankee Doodle, it did not have a destructive payload, even if its 'special effect' was even more annoying: after the infected computer had been running for some time, letters started to randomly fall from their original positions down to the bottom of the screen, finally leaving an empty screen and a nice pile of letters. While funny, it made working quite difficult... Cascade spread widely until the mid-90s.

Dark Avenger (Eddie)
One of the most advanced as well as most destructive early viruses. Written in 1989 by a Bulgarian using the same alias, it was a resident file infector which was able to infect a program not only when it was run but also when it was read (even during a virus scan!). After infecting every 16th file, it destroyed a random sector on the disk, overwriting it with its own code and permanently damaging the files located in that sector. Thus the virus combined fast spreading with slow, permanent damage that went unnoticed until it was large-scale.

Some versions also used stealth features. In 1992, the same author released MtE (the Mutation Engine), a virus-writing kit for creating new stealthy (mutating) viruses which were hard to detect with the scanners of the time, which relied on fixed 'signatures' of viruses.

DIR II
This full-stealth, resident file infector appeared in 1991 in Bulgaria (other sources cite India) and spread widely during the first half of the 90s. The virus changed the directory structure on disks and overwrote parts of it, causing permanent damage. While it was usually possible to fight memory-resident viruses by booting the computer from a clean, read-only system disk, in the case of DIR II doing so actually destroyed the files.

Michelangelo
A derivative of Stoned which first surfaced in 1991 and created an unprecedented media hype about viruses at the beginning of 1992. It was supposed to activate on Michelangelo Buonarroti's birthday (March 6) and wreak massive havoc. In reality the damage was very modest, so it is considered one of the largest hoaxes in the virus world.

CIH (Chernobyl, Spacefiller)
One of the most destructive viruses, dating from 1998. Upon activating, it would overwrite the beginning of the disk with zeroes, and on some machines also overwrite the BIOS (the read-only part of memory containing the initial code for starting a computer; the BIOS overwrite did not work on all computers). Like many older viruses, it did not work on Windows NT/2000/XP, which limited its lifespan somewhat.

MS Office vs the macro viruses
Macro viruses were a whole new concept: they did not rely on the operating system but rather on the MS Office package, which has its own programming language, VBA (Visual Basic for Applications), that permeates all MSO components. As Windows and Office are both closed-source, proprietary products, nobody except Microsoft knows the exact amount of intermingling between VBA, MSO and the Windows system. However, there must be some; otherwise it would not have been possible to wreak such havoc as the macro viruses did. It has been guessed that the creators of MS Office used some of the same tools for building macro systems that were used to build the whole office package, thus giving a skilled programmer access to the 'bones' of the system.

Most of these viruses targeted Word, as it was probably the most used component. While the first attempts had relatively little impact, the two best-known macro viruses created a full epidemic.

Melissa (Kwyjibo, Simpsons)
Melissa was a macro virus which spread epidemically in 1999. It was first found on March 26 and spread all over the world in just a few days. Originating from New Jersey and named after a stripper in Florida, it started off suitably from the Usenet newsgroup alt.sex, as a document supposed to contain porn site passwords. It was actually a hybrid of a virus and a worm: once activated, it would spread on its own, mass-mailing copies of itself. It is notable that Melissa needed either Word 97 or 2000 to work and either Outlook 97 or 98 to spread; it did not work with other kinds of software. Yet these were more than enough. As a result, many mail servers were knocked out by overload.

A funny detail: the 1999 Linux Timeline contains the notice "Melissa creates difficulties worldwide. Linux users yawn." While perhaps a bit ill-mannered, it makes the point: Melissa-like cases are next to unknown in the Unix/Linux world.

Melissa's author, David L. Smith, was later arrested, fined $5,000 and imprisoned for 20 months.

ILoveYou (VBS/Loveletter, Love Bug)
The Melissa havoc repeated itself the next year, when the I Love You virus (actually mostly a worm), written by a student from the Philippines, spread all over the world in about five hours on May 4. Like Melissa, it mailed itself using the address book data. The virus clogged mail systems, resulting in economic losses of about US$10 billion.

The virus more widely exposed a strange 'feature' of Microsoft Windows: file extensions are hidden by default, yet a file name may carry a double extension. In such a case the first, visible extension is something harmless, e.g. '.txt', while the second, invisible one is the extension that is actually used, e.g. '.vbs' (Visual Basic script; the virus was one of the first VBScript viruses). Therefore, it is strongly advised to configure Windows to show file extensions.
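The double-extension trick above is easy to check for from the defender's side. The following script is an added example for this page, not code from the original text: it reproduces what Explorer shows when extension hiding is on, and flags names whose real (last) extension is executable while the visible part ends in a harmless-looking one. The two extension lists and the sample file names are constructed assumptions for illustration, not authoritative lists.

```python
"""Flag deceptive double extensions such as 'readme.txt.vbs'.

Added example, not part of the original page. The extension sets below are
illustrative assumptions (not exhaustive), and SAMPLE_NAMES are constructed.
"""
import os
from typing import Iterable, List

# Assumed set of extensions that Windows runs as a program or script.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
}

# Assumed set of extensions that users read as harmless documents/media.
INNOCENT_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".png", ".pdf", ".doc", ".mp3"}


def windows_display_name(filename: str) -> str:
    """Return what Explorer shows with 'Hide extensions for known file types' on.

    Only the last (real) extension is stripped, so 'readme.txt.vbs' is shown
    as 'readme.txt', which is exactly what makes the trick work.
    """
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def is_deceptive_double_extension(filename: str) -> bool:
    """True when the real extension is executable but the visible name looks harmless."""
    root, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    # The extension that remains visible once Windows hides the real one.
    _, shown_ext = os.path.splitext(root)
    return shown_ext.lower() in INNOCENT_EXTS


def find_deceptive_names(filenames: Iterable[str]) -> List[str]:
    """Filter an iterable of file names down to the deceptive ones."""
    return [name for name in filenames if is_deceptive_double_extension(name)]


def scan_directory(path: str) -> List[str]:
    """Scan one directory (non-recursive) for deceptive double extensions."""
    return find_deceptive_names(os.listdir(path))


# Constructed sample names; none refer to real files or real malware samples.
SAMPLE_NAMES = [
    "readme.txt.vbs",      # script hiding behind a text file name
    "report.pdf",          # ordinary document
    "setup.exe",           # plain executable, nothing hidden
    "holiday.jpg.exe",     # executable hiding behind an image name
    "notes.txt",           # ordinary text file
    "script.vbs",          # script, but not disguised
]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        flag = "SUSPICIOUS" if is_deceptive_double_extension(name) else "ok"
        print(f"{name:24s} shown as {windows_display_name(name):20s} {flag}")
```

Run it on a mail attachment folder with `scan_directory(path)`; the check is deliberately case-insensitive, since Windows treats `.VBS` and `.vbs` the same.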

Hijackers
Around the turn of the century, a special kind of Trojan-horse-type software appeared: the hijackers, or remote administration software. Once installed on a Windows machine, these packages allowed one to manipulate the computer as if it were one's own local machine.

Back Orifice
Probably a wicked pun on Microsoft's BackOffice server package (and also carrying some sexual undertones), BO was released in 1998 by a cracker group called The Cult of the Dead Cow. BO consisted of a server (to be installed on the controlled machine) and a client (installed on the controller's side). It was actually openly presented at the DEFCON security event to show the lack of security in Windows 98 (early versions of Windows really did not have any). However, it soon gained popularity as a tool for illicitly controlling the computers of clueless users. Installed with the help of social engineering ('Hey, this is a new game!'), via spam e-mail or using a Trojan horse, it gave complete control over the computers of many unsuspecting Windows users, with the potential for very serious consequences (see NetBus below).

NetBus
[NetBus http://en.wikipedia.org/wiki/Netbus] was a remote administration program similar to the Back Orifice described above. Released in 1998, it spread widely but was gradually pushed aside by BO. However, one of the most severe cases of illicit remote administration occurred with this software.

In 1999, NetBus was used to plant child pornography on the work computer of Magnus Eriksson, a law scholar at Lund University. The 3,500 images were discovered by system administrators, and Eriksson was assumed to have downloaded them knowingly. Eriksson lost his research position at the faculty and, following the publication of his name, fled the country and had to seek professional medical care to cope with the stress. He was acquitted of criminal charges in late 2004, as a court found that NetBus had been used to control his computer.

SubSeven
SubSeven was released in 1999 as an 'improved NetBus'. Of its author, only the alias 'Mobman' is known. The system has since been steadily developed, making it a long-lived 'product' in malware terms.

Code Red
Code Red originated from China in July 2001 and attacked Microsoft-based web servers running IIS (Internet Information Server). The front page of an infected web server had the text "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!" added to it (which added the phrase 'Hacked by Chinese!' to hacker slang to denote an online defeat), and the machine attempted to hit some IP addresses (including the White House) with a DoS (Denial of Service) attack. Besides infecting IIS servers, it also tried to attack others (e.g. Apache), as the worm did not test for server type before attempting infection. Microsoft issued a patch about a week later, which eventually helped to bring things under control, although the excessive traffic caused by the worm remained an issue for a period.

Nimda (W32.Nimda)
The worm appeared in September 2001, attacking nearly all versions of Windows in use at the time. In addition to the typical e-mail address harvesting and mass-mailing of itself, it performed some 'administration' (Nimda is 'admin' backwards!) too: it enabled sharing of the C: drive, and on NT and 2000 machines created a 'guest' account and gave it admin privileges (leaving the machine wide open to further attacks). It also searched for security holes left by previous worms (like Code Red). Finally, it was possible to get infected simply by browsing the web pages of an infected server with Internet Explorer.

Blaster (Lovesan, Lovsan)
Blaster hit Windows 2000 and XP in August 2003 and infected more than 8 million machines. It launched a DoS attack against the Microsoft update service, making it difficult to download patches. One of the variants was probably created by Jeffrey Parsons of Minnesota, U.S., who was subsequently imprisoned for 18 months.

MyDoom
Considered one of the fastest-spreading worms to date, it was discovered in January 2004. Among other things, it was used to send spam and to hit the SCO.com website with a DoS attack (SCO suggested that it was revenge by open source supporters for SCO's groundless claims about code in the Linux kernel; these suggestions were later discredited). It later gradually disappeared, but in July a variant took down most of the widely-used search engines (Google, AltaVista, Lycos) for a day with a DoS attack.

Sasser
Another epidemic started on April 30, 2004. According to Wikipedia, the effects of Sasser included the news agency Agence France-Presse (AFP) having all its satellite communications blocked for hours and the U.S. airline Delta Air Lines having to cancel several transatlantic flights because its computer systems had been swamped by the worm. The Nordic insurance company If and its Finnish owner Sampo Bank came to a complete halt and had to close their 130 offices in Finland. The British Coastguard had its electronic mapping service disabled for a few hours, and Goldman Sachs, Deutsche Post and the European Commission all had issues with the virus as well. The author turned out to be a young German student, Sven Jaschan, who received 21 months of probation (it came out that a bit earlier, in February, he had also created another widespread worm, Netsky), but who (like many notorious 'bad guys' before him) was finally employed by a computer security firm later that year.

Zotob (W32.Zotob)
One of the recent epidemic worms, from August 2005. The authors are believed to be from Morocco and Turkey (according to SecurityFocus, they were arrested in August 2006). The payload includes spyware installed on the infected computers, so it is one of the purely economically-motivated worms, which seem to be a rising trend.

The situation in 2006 is summarised by the Sophos report which gives a good overview of the current virus and worm landscape.

Finally, two slightly different examples:

Welchia (Nachia)
August 2003 brought an interesting example of a 'helpful worm', which actually helped to secure the infected machines: it attempted to download Microsoft's updates and remove the Blaster infection. Moreover, it was designed to kill itself after 120 days (on January 1, 2004). However, it still created extra traffic by spreading, and some (mismanaged?) systems became unstable after the unasked-for 'help'.

Ramen
Ramen, which appeared briefly in January 2001, was a rare case of what could be called a Linux worm. It infected Red Hat Linux 6.2 and 7.0 installations via security holes in some services (it has been characterised as quite similar to the Morris worm described above). While some skeptics said 'Well, I told you Linux would get its own viruses too', its spread remained short and the damage negligible (the worm did not have any destructive payload either).

Why?
At first, it was perhaps a somewhat misguided version of the hacker's thirst for new things and exploration, a sort of 'what is in there?'. Then it became a clueless 'what will happen if I...'. Then it became a way for some to express frustration and for others to express their (usually extreme) views. Then it became a weapon (as seen in the Sasser and Blaster cases). And today, it is increasingly just a way to do business.

The Windows Special
The question remains: why is malware a 99% MS Windows problem? The Microsoft argument, that it is because Windows is the most widespread platform, has some truth in it, but not much. Unix has been around much longer and, except for some rare cases like Morris, has never had the problem on a similar scale. Early Macintoshes had some malware, but later their share of malware has been negligible compared to their market share (especially after Apple took BSD Unix as the base of its MacOS X operating system).

The reason is likely a combination of the following:
 * the largest market share, as said above
 * the chronic security problems in Microsoft products
 * the most clueless user base
 * the security industry, which has created its shadow counterpart in the malware industry

For discussion

 * Try to outline the main techniques used in malware from the 80s to today
 * Some people say it would help to fight malware if MS Windows was open-source. Do you agree? Explain.
 * Uneducated users are often quoted as one of the main reasons for the malware plague in Windows. Propose some ways to improve the situation.
 * Propose some solutions to reduce the malware business (especially commercial worms like Zotob).

Terms

 * BIOS
 * boot sector
 * Fidonet
 * macro virus
 * memory-resident
 * remote administration
 * Trojan horse
 * worm

Links

 * BUTLER, James, SPARKS, Sherri (2005) Windows rootkits of 2005, part one. SecurityFocus, November 4, 2005
 * BUTLER, James, SPARKS, Sherri (2005) Windows rootkits of 2005, part two. SecurityFocus, November 17, 2005
 * BUTLER, James, SPARKS, Sherri (2006) Windows rootkits of 2005, part three. SecurityFocus, January 5, 2006
 * CERT
 * Sophos
 * F-Secure
 * Computer Incident Advisory Capability