The Windows Special – viruses and other malware

Source: KakuWiki
Revision as of 2 August 2006, 22:31 by Kakk

The computer and the knife

A knife can be used to kill people, in the hands of a murderer. It can also be used to save lives, in the hands of a surgeon. A computer is rather similar in this sense. Computers and the Internet have brought us many benefits: one can buy things from another continent without leaving home, read news from all over the world, and communicate with more people than was ever possible before. And yet there is a negative side too.

Looking back

Early days

Before there were viruses, there were Trojan horses (now mostly called simply 'trojans', although that is not accurate considering the origin of the name: the Trojans did not use the horse, it was used against them!). In the 80s there was no widespread Internet yet; it was the privilege of universities and government agencies. The network of the young hackers of the day was Fidonet (and other similar bulletin board systems), a dial-up based system where the network 'nodes' were ordinary PCs dialing each other. A node usually had at least two phone lines: one for periodically exchanging messages with other nodes, the other for users to dial in. Heavy line use is the reason why Fidonet was popular mostly in places with free local calls, such as the US and also the former USSR (Fidonet was popular in Estonia too). A Fidonet message could carry a single file attachment, and this was soon used for small-scale file transfer as well.

Besides decent users there were also bad guys, who wrote malicious programs that would, for example, erase files from the user's drive, but labelled them as something useful (such as compression software; one well-known Trojan horse of the day posed as a new version of the popular PKZIP program). These evil pieces of code became known as Trojan horses. The term was actually first used in the computer context as early as 1972, and the first such program was found in the Multics system in 1974 [1].

Early Trojan horses were mostly simple and easily detected, so their impact was limited. But then a new kind of malicious software appeared which was able to copy itself. These were soon dubbed 'computer viruses'. Interestingly, the first freely spreading virus did not run on a Microsoft platform: Elk Cloner (1982) infected Apple DOS 3.3 diskettes. But it was the IBM PC and Microsoft's operating system that became the main playground for viruses.

Brain (Pakistani Brain, (c)Brain, Pakistani Flu, Lahore, UIUC)

Dating back to 1986 and considered the first PC virus. It was written by two Pakistani brothers, initially to make it harder for people to copy their software illegally. Brain was a boot sector virus, infecting the boot sector of diskettes. The brothers included their contact details in the virus body, and soon had to regret it, as large numbers of users from other countries contacted them demanding disinfection. The virus, while otherwise relatively simple, did attempt to hide itself: while it was resident in memory, a program reading the infected boot sector was handed the original, clean sector instead (what is nowadays called a stealth virus).

Lehigh

Lehigh is named after the university in the US where it was first spotted in November 1987. It was one of the first viruses to attack the central part of MS-DOS, the COMMAND.COM file, and it infected nothing else. It was also one of the first file viruses to use TSR (Terminate and Stay Resident) technology: after an infected COMMAND.COM had run, the virus stayed in memory and infected the COMMAND.COM on every disk subsequently accessed. After a fixed number of infections it trashed the disk it was running from, which limited its own spread.

Jerusalem

Found in Jerusalem at the end of 1987, it was a resident file virus which infected every program run except COMMAND.COM (as countermeasures started to develop, the 'heart of the system' was among the first places checked, so the virus left it alone). On any Friday the 13th the virus deleted every program the user attempted to run. A Jerusalem infection also slowed the machine down very noticeably, and a bug made it re-infect .EXE files on every run, so infected files kept growing.

Stoned

First seen in New Zealand in 1987 and most widespread in Australia and New Zealand around 1991, Stoned was named after the message it occasionally displayed when an infected computer was started: "Your PC is now Stoned!" It was the first widespread MBR virus (the Master Boot Record is the first sector of a hard disk, which the BIOS loads and executes at boot), and so it could infect hard disks as well as diskettes. Like other boot sector viruses it moved the original sector elsewhere on the disk, which on some disks overwrote directory or data sectors.
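Boot sector and MBR viruses live in the one sector the BIOS reads blindly, so the practical check is to read that sector from a clean boot and compare it to a known-good copy. The following is an added example (not code from this page or its authors) that parses a 512-byte MBR, verifies the 0x55AA boot signature, extracts the partition table, hashes the boot code for comparison against a baseline, and, as a naive byte signature, looks for the text Stoned displayed. The sample sectors are constructed here; the partition layout and hash baseline are assumptions for the example, not data from a real infection.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446       # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16          # four 16-byte entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

# Text Stoned printed at boot (quoted on this page), used only as a naive signature.
STONED_MESSAGE = b"Your PC is now Stoned!"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition table and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE
        (status, _sh, _ss, _sc, ptype, _eh, _es, _ec,
         lba_start, sectors) = struct.unpack("<BBBBBBBBII", sector[off:off + PART_ENTRY_SIZE])
        if ptype == 0:        # empty slot
            continue
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code": sector[:PART_TABLE_OFFSET],
        "partitions": partitions,
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may legitimately change."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def mbr_changed(sector: bytes, baseline_hash: str) -> bool:
    """The check a resident stealth virus cannot dodge from a clean boot: compare to a known-good hash."""
    return boot_code_hash(sector) != baseline_hash


def looks_like_stoned(sector: bytes) -> bool:
    """Naive signature scan of the boot code for the Stoned message."""
    return STONED_MESSAGE in parse_mbr(sector)["boot_code"]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one bootable FAT16 (type 0x06) partition starting at LBA 63."""
    if len(boot_code) > PART_TABLE_OFFSET:
        raise ValueError("boot code must fit in 446 bytes")
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x06, 0xFE, 0xFF, 0xFF, 63, 204800)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


# Constructed fixtures: a "clean" sector and one whose boot code carries the Stoned text.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")                 # a few plausible x86 opcodes
INFECTED_MBR = build_sample_mbr(b"\xea\x05\x00\xc0\x07" + STONED_MESSAGE)

if __name__ == "__main__":
    baseline = boot_code_hash(CLEAN_MBR)   # assumed known-good hash taken before infection
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        info = parse_mbr(mbr)
        print(name, "signature ok:", info["signature_ok"],
              "partitions:", len(info["partitions"]),
              "stoned text:", looks_like_stoned(mbr),
              "changed vs baseline:", mbr_changed(mbr, baseline))
```

Note that the infected sample still has a valid signature and an intact partition table: an MBR virus keeps both so the machine boots normally, which is why a hash of the boot code is a better check than anything the running system reports about its disks.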


The PC falls ill: the first virus outbreaks

Yankee Doodle (Yankee)

The virus was probably written in Bulgaria (at that time one of the major sources of viruses) and was discovered in 1989. It had many variants and was very widespread, perhaps also because it was seen as 'harmless': its only effect besides spreading was playing 'Yankee Doodle' through the PC speaker (at 5 p.m. in the best known variant). It was not uncommon for whole university computer labs to burst into song.

Cascade (Falling Letters)

Cascade appeared at the end of the 80s and was probably written in what was then Yugoslavia. Like Yankee Doodle it had no destructive payload, even if its 'special effect' was even more annoying: after the infected computer had been running for some time, letters started to fall randomly from their positions down to the bottom of the screen, finally leaving an empty screen and a nice pile of letters at the bottom. Funny, but it made working quite difficult... Cascade was also notable for keeping its body encrypted, with only a short decryption routine in plain code, an early attempt to hide from scanners. It spread widely until the mid-90s.

Dark Avenger (Eddie)

One of the most advanced as well as most destructive early viruses. Written in 1989 by a Bulgarian using the same alias, it was a resident file infector which infected a program not only when it was run, but also when the file was merely read or copied (even during a virus scan!). After every 16th infection it overwrote a random sector on the disk with part of its own code, permanently damaging whatever file happened to occupy that sector. The virus thus combined fast spreading with slow, permanent damage that went unnoticed until it had reached a large scale.

Some versions also used stealth features. In 1991-1992 the same author released MtE (the Mutation Engine), a toolkit that turned any virus into a polymorphic one: every new copy was encrypted with a different key and a differently generated decryption routine, so the scanners of the time, which relied on fixed byte 'signatures', could not match it.

DIR II

This full-stealth resident virus appeared in 1991 in Bulgaria (other sources cite India) and spread widely during the first half of the 90s. DIR II did not modify program files at all: it altered the directory entries so that the starting cluster of every executable pointed at the single copy of the virus code on the disk, and while resident it silently redirected execution to the original cluster. The usual cure for memory-resident viruses, booting the computer from a clean, read-only system disk, then backfired: with the virus out of memory every program pointed at the virus instead of itself, and 'repairing' the resulting cross-linked files with CHKDSK, or copying them, actually destroyed them.

Michelangelo

A derivative of Stoned which first surfaced in 1991 and created unprecedented media hype about viruses at the beginning of 1992. It was set to activate on Michelangelo Buonarroti's birthday (March 6) and overwrite the first sectors of the hard disk. In reality the damage was very modest, so it is often called one of the largest hoaxes in the virus world, although the virus itself was real; it was the predicted havoc that never materialised.


MS Office vs the macro viruses

Macro viruses were a whole new concept: they did not depend on the operating system but on the MS Office package, which has its own programming language, VBA (Visual Basic for Applications), built into every MSO component. The macro is stored inside the document itself, so the document is the carrier. VBA is a full programming language: it can read and write files, copy code into the global template (Normal.dot) so that it runs in every document opened afterwards, automate other Office applications such as Outlook, and, through the 'Declare' statement, call any function in a Windows DLL. A macro can therefore do anything the user running Word can do, and early Office versions ran document macros without asking. That is what made it possible for macro viruses (the first, Concept, appeared in 1995) to wreak the havoc they did.

Most of the viruses targeted Word, as it was probably the most used component.
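The shape of a macro virus is an auto-run procedure (AutoOpen, Document_Open and friends) combined with code that touches the global template or reaches outside the document. The following is an added example (not code from this page or its authors) of the heuristic triage an analyst applies to VBA source once it has been extracted from a document: it flags auto-run hooks and risky constructs and combines them into a verdict. The two macro texts are constructed fixtures; the self-copying one only references the relevant objects and is not a working virus. The pattern list and the verdict rule are this example's own assumptions.

```python
import re

# Procedure names that Word and Excel run automatically on open/close/new.
AUTO_TRIGGERS = (
    "AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit",
    "Document_Open", "Document_Close", "Document_New",
    "Workbook_Open", "Workbook_Close", "Auto_Open", "Auto_Close",
)

# Constructs a document macro rarely needs legitimately, each with the reason it is flagged.
SUSPICIOUS = (
    (r"\bNormalTemplate\b", "touches the global template (self-replication into Normal.dot)"),
    (r"\bVBProject\b", "manipulates macro code programmatically (self-copying)"),
    (r"\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\b", "imports a Win32 DLL function"),
    (r"\bShell\b", "launches an external program"),
    (r"\bCreateObject\b", "COM automation (WScript.Shell, Outlook, FileSystemObject ...)"),
    (r"\bKill\b", "deletes files"),
    (r"\bOpen\s+.+\s+For\s+(?:Output|Binary|Append)\b", "writes a file"),
    (r"\bEnviron\b", "reads environment variables (locating paths to drop files)"),
)

# VBA identifiers are case-insensitive, so every match is made case-insensitively.
TRIGGER_RE = re.compile(
    r"\b(?:Sub|Function)\s+(" + "|".join(AUTO_TRIGGERS) + r")\b", re.IGNORECASE
)


def scan_vba(source: str) -> dict:
    """Heuristic triage of VBA source: auto-run hooks, risky constructs and a verdict."""
    triggers = sorted({m.group(1) for m in TRIGGER_RE.finditer(source)}, key=str.lower)
    findings = [reason for pattern, reason in SUSPICIOUS
                if re.search(pattern, source, re.IGNORECASE)]
    # An auto-run hook that also does something risky is the macro-virus shape;
    # risky calls without a hook still deserve a look, but may be a legitimate tool.
    if triggers and findings:
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"triggers": triggers, "findings": findings, "verdict": verdict}


# Constructed fixtures, not real malware: a benign formatting macro and a self-copying sketch.
BENIGN_MACRO = """
Sub FormatReport()
    Selection.Font.Bold = True
    ActiveDocument.Paragraphs(1).Alignment = wdAlignParagraphCenter
End Sub
"""

SELF_COPYING_MACRO = """
Sub AutoOpen()
    On Error Resume Next
    Set target = NormalTemplate.VBProject
    ' ... would copy this module into the global template here ...
    Shell Environ("COMSPEC") & " /c dir", vbHide
End Sub
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_MACRO), ("self-copying", SELF_COPYING_MACRO)):
        result = scan_vba(src)
        print(f"{name}: {result['verdict']}; triggers={result['triggers']}")
        for reason in result["findings"]:
            print("   -", reason)
```

Heuristics like these are a triage aid, not proof: a macro that builds its call names from string pieces, or that lives in a template rather than a document, slips past them, which is why the real defence is to not run document macros at all unless they are signed and expected.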


Hijackers

  • Back Orifice
  • NetBus
  • SubSeven

In 1999, NetBus was used to plant child pornography on the work computer of Magnus Eriksson, a law scholar at Lund University. The 3,500 images were discovered by system administrators, and Eriksson was assumed to have downloaded them knowingly. He lost his research position at the faculty and, after his name was published, fled the country and had to seek professional medical care to cope with the stress. He was acquitted of the criminal charges in late 2004, when a court found that NetBus had been used to control his computer. [2] [3] [4]


I Love You, Melissa

  • I Love You
  • Melissa
  • CIH


The New Millennium: worms and spyware

Why?

The motivation of virus writers


The Windows Special

Windows vs other systems: why does it get beaten so hard?


References

Links