At around the same time, H. Douglas McIlroy, Victor Vysottsky, and Robert Morris, programmers at Bell Laboratories, invent the game of Core Wars. The game's objective: to steal valuable CPU time from the opponent.
Professor Len Adleman employs the term "virus" to describe self-copying programs when discussing them with Fred Cohen, his computer science student.
At the same time, Joe Dellinger, a student at Texas A&M University, writes several self-reproducing programs for Apple II disks, naming them Virus 1, Virus 2 and Virus 3.
Jon Hepps and John Shock of Xerox PARC write worms for distributed computing; these are designed for internal use. Unfortunately, a programming error slips in, allowing the worm to copy itself uncontrollably, and the affected programs must be shut down.
1985 also witnesses publication in "Apples" magazine of a source code virus for Apple II.
CHRISTMAS EXEC spreads throughout IBM VM/CMS systems. It shows a Christmas tree on the desktop and then secretly sends itself via e-mail. Although this worm is dependent on human assistance, it forces a number of systems to shut down.
Jerusalem: This virus, also known as Friday the Thirteenth, is the first virus to establish itself in the main memory (RAM). It affects the computer in two ways: On any thirteenth day of the month falling on a Friday, it deletes all COM and EXE files. On all other days, the virus reduces computer speed after 30 minutes.
The notorious Stoned virus, the first master boot sector virus, is the brainchild of a student at the University of Wellington in New Zealand. In addition to a "Your PC is now stoned!" message, the virus also proclaims “Legalize Marijuana!”.
The first virus construction kit, designed for the Atari ST, is presented. This tool allows even beginners to easily "assemble" viruses with characteristics specified by the user.
Robert T. Morris, a Cornell University computer science student, starts a worm which takes advantage of gaps in the UNIX operating system to reproduce itself on Internet computers. However, a program error results in such a proliferation of the worm's progeny that thousands of computers are brought to a halt just a few hours later.
An anonymous German releases the first self-encrypting memory-resident virus, Cascade, into the wild. When infection is successful, this virus produces a waterfall effect, with letters raining down the display screen.
The Dark Avenger.1800 virus, written in Sofia, Bulgaria, is the first fast-infecting virus; it nevertheless corrupts data only very slowly.
The Frodo virus is discovered in Haifa, Israel. This is the first stealth virus which can infect files. On 22 September, the virus issues the message “Frodo lives!”
The PC Cyborg Corporation, registered in Panama, sends disks to participants at an international AIDS conference. These disks supposedly contain important informational material which must first be installed on the hard disk. Enclosed is the manufacturer's licence, which states that a longer period of use will require payment of USD 378.00. Non-payment will result in the encryption of critical data. Program installation places a Trojan horse in the computer, which encrypts the contents of the hard disk when the computer is started for the ninetieth time. Shortly thereafter, one of the company's owners is sentenced and then committed to a psychiatric institution.
This is the year that the marijuana virus turns up in Australia and New Zealand, a virus calling for the legalization of marijuana every eighth time that the program is run. Via e-mail, the Internet worm attempts to send itself to Microsoft Outlook address book entries with “check this out!!!” in the subject line.
AIDS is the first Trojan horse to spread via mailing lists. It overwrites the beginning of documents and issues the message: “Your computer now has AIDS”. After this message appears on the screen, the system collapses and the computer must be restarted.
A McAfee virus scanner is put on the market. This version is already capable of recognizing 44 viruses. IBM's comparable virus-search program recognizes a mere 28.
Other polymorphic viruses appear in the USA, including Virus-90 and Virus-101.
Anthrax and V1 are the first multipartite (compound) viruses to be discovered. The Flip virus is the first of this type to spread successfully.
Symantec introduces Norton AntiVirus, one of the first anti-virus programs developed by a large Internet company.
Discovery of the first cluster virus: DirII.
The Tequila virus from Switzerland remains active four months after infection. This is a so-called multipartite virus, which infects the master boot sector and DOS EXE files. It conceals itself by reporting the host program's original length when queried, so that the file appears unchanged.
WinVir 1.4, the first Windows virus, is discovered. The first virus to infect SYS files appears on the scene and is given the name Involuntary.
The first virus collection is offered for sale: John Buchanan offers his collection, which includes more than 1000 files, for USD 100.00.
GDE (Generic Description Device) appears as the anti-virus industry's first tool capable of recognizing polymorphic viruses.
The SMEG.Paragon virus spreads throughout England. Scotland Yard arrests Christopher Pile, also known as Black Baron.
Good Times is the first hoax: An e-mail with "Good Times" in the subject line warns of a new virus, which supposedly causes the entire contents of the hard disk to be deleted – merely by reading the message. This warning ends with the request “Forward this to all your friends”, by which means the hoax is spread throughout the Internet.
Black Baron admits guilt and is sentenced to 18 months in prison.
Boza, the first Windows 95 virus, is written by Quantum, a member of the VLAD virus programming group in Australia. When an infected program is started, it searches for up to three executable files which have not yet been infected, and infects them. On the 31st of each month it issues a message regarding its creators.
The first Excel macro virus, XM.Laroux, makes its appearance in Alaska and Africa. It infects Microsoft Excel documents containing a hidden "laroux" table.
Staog, the first Linux virus, is found in the lab, but is never spotted in the wild.
Virus programmers write mIRC scripts, which, in a worm-like manner, are automatically spread amongst Internet Relay Chat users.
Win95/Marburg, a polymorphic Windows virus, spreads via the "Wargames" computer game and by means of a CD-ROM included in the Australian "PC Power Play" magazine. It infects Win32 EXE and SCR (screen saver) files and is activated three months after the file is originally infected. If an infected application is started, the virus displays the standard Windows error icon (a white "X" on a red circle) scattered over the entire screen. Marburg deletes the databases of a variety of anti-virus programs and evades discovery by not infecting EXE files with a "V" in their name (Scanvirus.exe, etc.). This enables it to pass the self-test of most anti-virus programs.
The first Excel formula virus, named XF.Paix.A, appears. This virus does not use Excel's standard macro capabilities, but a special formula sheet instead, which can contain the malicious code.
Carl-Fredrik Neikter presents NetBus, a back-door program which provides hackers with access to infected computers.
The first Microsoft Access virus and variants are discovered: A2M.Accessiv for Access 2.0; AM.Accessiv.A,B, AM.Tox.A,B for Access 97.
AOL Trojan horses make their appearance. The first of many Trojan horses steals information from AOL users. AOL e-mail addresses are flooded with infected document attachments.
Strange.Brew is the first virus capable of infecting Java applications; however, it is unable to spread via web-based Java.
The Cult of the Dead Cow group presents Back.Orifice, a disguised remote control program which permits both program execution and computer monitoring. The media turn their attention to NetBus, which has already appeared and which displays similar behaviour.
The first VB Script virus, VBS.Rabbit, first goes into action when an infected script is run. The viral code searches certain Windows directories and the current directory for additional script files (VBS) and writes itself at the beginning of these files. The infected scripts can still run, thus continuing the spread of the virus. On the second day of each month between nine and ten o'clock, the script searches for all text files with .txt or .doc extensions and replaces their contents with a drawing of an obscene gesture.
The HTML.Internal-Virus, also known as HTML.Prepend, is based on VBS, but only operates when Internet Explorer is used. If the user views a web site which has been infected by the virus, a Visual Basic script is activated; this inserts text into HTML documents on the user's PC. An infected document is relatively easy to spot, because the header begins "<html> <!--1nternal-->".
Discovery of P97M.Vic.A, the first Microsoft PowerPoint virus. This virus infects the "User Form", which is attached to a command button. If the button is clicked, the virus infects all PowerPoint documents under C:\My Documents.
NetBus 2 Pro is presented as a commercial program. In order to prevent anti-virus manufacturers from reporting it as a virus, author Carl-Fredrik Neikter demands payment for his product. The manufacturers nonetheless insert a recognition routine, as this is a malicious program.
W32/ExploreZip is an e-mail worm which, together with an attached worm file, sends itself to the senders of all unread e-mail in the incoming mailbox. Even computers not using Outlook can be infected with W32/ExploreZip.
2000 is presented by Cult of the Dead Cow at DefCon in Las Vegas. The new version of the remote control program now works under NT as well.
VBS/BubbleBoy is a worm which takes advantage of security holes in Internet Explorer and Outlook. It is the first virus capable of infecting systems without requiring a user to open an e-mail attachment. The worm runs as soon as the user opens the e-mail in Outlook.
Y2K fix is a Trojan which, on some computers, crashes before any damage can be done. On other computers, it claims to solve Y2K-related problems while in reality it is overwriting the hard disk.
VBS.Stages is an Internet worm which spreads via e-mail and which is concealed in what appears to be a text file. All e-mails sent by the virus are deleted to conceal its movements.
W32.Pokey.Worm is the name of the worm which appears as an e-mail attachment. If the user opens the pikachupokemon.exe document attachment, an animated Pokemon character appears. In addition, the worm automatically sends itself to all entries in the Outlook address book. The worm deletes all important system files and the operating system can no longer be started.
The first PDA (Personal Digital Assistant) Trojan horse appears. Palm.Liberty.A does not spread on its own, but reaches the handheld through the synchronization process and deletes updates. Palm.Liberty.A was accidentally created by Aaron Ardiri, employed at the University of Gavle in Sweden.
Navidad.EXE is a worm using Outlook or Outlook Express to spread. All types of Windows computers can be infected.
W32/Naked disguises itself as a Flash animation and, once activated, sends itself as an e-mail worm with the attachment NakedWife.exe to the entire MS Outlook address book. By deleting various Windows and system directories, it renders the system unusable, and the computer must be restarted.
Mass mailers Code Red and Code Red II take advantage of a security leak in Microsoft's "Internet Information Server" web software, which runs under Windows NT or 2000. Unlike the original, Code Red II does not attack the White House web site; instead, it installs a back door to the system, through which hackers gain control of the computer.
The W32/SirCam worm spreads via MS Outlook Express. Once it is run, it places itself in the system directory and is reactivated any time the user starts a program with the EXE filename extension. It can also copy itself onto shared network drives on its own, from where it is activated by the respective user. SirCam does not only send itself, but also sends personal data which it finds on the infected computer. It is also the first worm equipped with its own mail server.
The aggressive Nimda computer worm races through the World Wide Web. What is novel about it is that user intervention is no longer required for it to spread. Instead, it utilizes known software weak spots and several types of infection. It spreads via e-mail and can also implant itself in remote computers over the Internet. This worm's rapid spread affects Internet traffic, leads to the collapse of affected web sites and compromises file system security, in that it shares local drives on the network.
The memory-resident W32.Badtrans.B@mm Internet worm is a variant of WORM_BADTRANS.A, which avails itself of a known security hole in e-mail applications (MS Outlook/Express). Once infection has taken place, the worm registers itself as a system service, replies to incoming e-mail, spies out passwords and installs a key logger (this records each key pressed by the user and which program is being used).
Peachy is a VBS worm which hides in PDF files and spreads via MS Outlook. If a user opens this PDF file in Adobe Acrobat, a picture with a tiny game appears where a peach must be found. Double-clicking an icon with the supposed solution starts the VBS file. The worm attempts to send itself to the first 100 addresses which it finds in Outlook.
W32.YARNER.B was the first virus attached to an official newsletter. Unfortunately, the newsletters came from the antivirus sector, so that the e-mail recipients felt no reason to be suspicious. Upon arrival, the virus disguised its presence by renaming the NOTEPAD.EXE application. It copied itself into a new NOTEPAD.EXE. When the virus was invoked, this also happened to the renamed original file – with the respective consequences. The virus then deleted a randomly chosen number of the files from the Windows directory.
the most widely spread destructive mass mailer of the year 2002 into the systems. The virus activates itself automatically on the 6th day of every odd month. All variants of W32.KLEZ are memory-resident and are distributed via e-mail and the network.
W32.YAHA.E reached the users as .SCR and .BAT e-mail attachments with double file endings. It is not marked by a specific subject line or message text. Once in the system, it creates a copy of itself in the Recycle Bin folder, assigning itself a randomly chosen, four-character name. The file attribute is set to "hidden".
W32.FRETHEM.K is a non-destructive, memory-resident virus. It is spread as an attachment with the e-mail reading as follows:
W32.BRAID.A is a memory-resident computer worm, storing a file virus called PE_FUNLOVE.4099 on the system. It infects all executable files and ActiveX objects in a system or network. W32.BRAID.A also independently sends copies via SMTP to all e-mail addresses found in .HTM and .DBX files.
W32.BUGBEAR.A opens port 36794 and thus makes it possible for a remote user to obtain information without permission. Furthermore, the remote user can then manipulate data and make program changes on the affected system. Since the virus does not check the file source at port 36794, it can also copy itself into the printer queue and cause printer jams, or the devices print out the virus's binary code.
W32.FRIENDGREET reaches its victims not directly via e-mail but as a URL link to a specific download site. The virus can only establish and spread itself after interaction with the user. The user accepts a kind of licence agreement, with the consequence that the infected program gains access to the Microsoft Outlook Contacts list. Thus it can send e-mails to all addresses listed there. Without the agreement of the user (it is actually asked for several times) this virus cannot infect the computer.
The war in Iraq which began in March also had an indirect impact on public information networks. The phenomena were not caused by any official network war between the US and Iraqi forces but by the activities of individual hackers who wanted to express their own opinions.
The virus problems of 2003 were concentrated on the Windows platform. No new viruses were discovered in Linux or Mac environments.
BUGBEAR.B: The e-mail worm Bugbear.B was discovered on June 5th. The most interesting thing about this virus is that it tried to steal information from banks and other financial institutions. As soon as Bugbear.B had infected a computer, it checked whether the computer in question was connected to the internal network of a well-known financial institution. If so, the virus collected information and passwords from the system and sent them to ten predetermined e-mail addresses. For this purpose, the worm had a list of network addresses of more than 1,300 banks in all five continents.
MSBLAST WORM: Blaster (or Lovsan) was discovered on August 11th. This was also an automatic network worm that was very similar to Slammer but could infect a far greater number of computers. Blaster exploited a security hole in the Windows 2000 and XP operating systems. The RPC weak point was discovered on July 16th, just under a month before the worm made its appearance. July and August are the main holiday season and many companies had simply omitted to install security patches before the worm appeared.
As a consequence of the Blaster worm a virus was developed that was supposed to fight Blaster. This virus was known as Welchi or Nachi, and it infected computers that had already been infected by Blaster. As soon as Welchi entered a system, it destroyed Blaster and tried to download and install the Windows security updates. So it could be called an anti-virus virus. It's a pity, then, that in this case the treatment was worse than the disease. Welchi generated far more network traffic than Blaster and was the cause of most of the serious systems collapses that hit companies in mid-August.
Various airlines reported problems caused by Blaster and Welchi in their systems. As a result, flights had to be cancelled. Welchi also infected Diebold cash dispensers that were based on Windows XP, hindering cash transactions. The operation of the US State Department's visa system was also affected by the virus. The railway operator CSX reported that the virus caused a malfunction in its signaling system so that all passenger and goods traffic had to be stopped. All commuter trains in the Washington D.C. area were halted on the lines.
W32/Sobig.F: Just one week after Blaster a new variation of the Sobig family of viruses appeared. This was the worst e-mail worm yet seen, and it sent more than 300 million infected e-mail messages around the whole world. Apart from spreading via e-mail, the various Sobig versions have something else in common; they wait for a few days after infecting a computer before transforming the affected computers into e-mail proxy servers. The reason for this quickly became clear. Spammers used the proxy servers set up by Sobig to start massive spam mail actions. The worm had taken control of the computers of unwitting private users to send thousands upon thousands of advertising mails in their names.
SWEN WORM: The e-mail worm Swen was found on September 18th 2003. E-mail messages sent by Swen looked deceptively similar to genuine security updates from Microsoft.
BAGLE.A WORM: Bagle.A was discovered on January 19th. It started by checking the current system date and terminating itself if the date was January 28th 2004 or later. Once it was activated, the worm opened Port 6777, thus rendering the system vulnerable to hacker attacks.
MYDOOM.A WORM: This worm (also known as MIMAIL.R or Novarg.A) made its public appearance on January 26th. It was a mass-mailing worm that used a list with various entries for subject lines, message texts and names of attached files to send infected e-mails. The sender address was also falsified (spoofing). As a result the e-mails appeared to come from a lot of different users, but the identity of the actual sender and of the infected system was concealed. In addition, the worm used the Kazaa peer-to-peer (P2P) network to spread itself.
Mydoom.A caused a heavy increase in data traffic in the Internet and in corporate networks, especially at e-mail server level. The worm also spread more rapidly than SOBIG.F. The exceptionally high propagation speed justifies a closer look at the technologies used. Most users received Mydoom.A as a file attachment to an e-mail. No specific weak points in the system were exploited to start the malicious code automatically; instead it is necessary for the user to execute the infected file manually. MYDOOM.A employs social engineering by disguising itself as a system notice or a friendly message to get the user to open the file attachment.
NETSKY.B WORM: On February 18th a virus alarm was set off due to Netsky.B. This worm, too, used social engineering to get users to open the infected file attachments. In order to propagate itself, Netsky.B moreover stored copies of itself in public directories of the P2P application Kazaa. The idea was to induce Kazaa users to download the virus by using tempting file names such as photoshop9crack.exe or how to hack.doc.exe.
Worm activity in March and April was marked by new variants of Netsky and Bagle. All these worms use the same method of propagation and attack computers via infected e-mails. To increase the chances of spreading more quickly, worms of the Netsky and Bagle families avoid sending infected e-mails to known manufacturers of security solutions.
The possibility was widely discussed that the programmers of the Netsky and Bagle worms were conducting a feud against each other. Several observations lend weight to this scenario:
• The large number of new Netsky and Bagle variants within a short space of time.
SASSER WORM: The biggest threat of the year so far came from Sasser, which was discovered in May. The Sasser family variants, just like Nimda, Code Red, Slammer or Blaster, are network worms that spread without e-mails, web contents or file-sharing documents. Any computer that is connected to the Internet and does not have the latest security patches installed for the operating system is a potential target for an attack by the worm, which deliberately exploits security leaks in programs or in the operating system.
Sasser exploits an error in the Local Security Authority Subsystem Service (LSASS) of computers using Windows 2000 and XP, one of the roles of which is the authentication of systems in networks. The worm generates random IP addresses and contacts the systems to which these addresses belong. It injects code into vulnerable computers which then loads the actual worm from systems that are already infected, running an FTP server on Port 5554 on infected computers. Moreover, the worm is supposed to listen for incoming connections on other ports from 1068 upwards. Sasser, like the worm Blaster/Lovsan before it, sometimes also makes the LSA Service crash, which results in the rebooting of the computer by the NT Authorization Service within 60
Intriguingly, the worm itself has a security leak which in turn allows others to gain full access to any computer infected with Sasser.
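The behaviour described for Sasser (random addresses contacted one after another, then an FTP listener on port 5554 on each new victim) is exactly the kind of fan-out pattern a network defender can look for in connection logs. The following is an added example, not code from the original page: a small Python scan detector run over constructed connection-log lines. It assumes TCP 445 as the port the LSASS exploit travels over (a known fact about Sasser, but not stated on the page), a log line format of my own, and threshold values chosen to suit the constructed sample; the page itself only names port 5554.

```python
"""Added example (not from the original page): a sliding-window fan-out
detector that flags hosts contacting many distinct addresses on one port
in a short time, correlated with a new listener on a backdoor port."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample connection log (not real data). Format per line:
# "<ISO timestamp> <src ip> <dst ip> <dst port> <event>", where event is
# "connect" (outbound attempt) or "listen" (new listening socket, dst 0.0.0.0).
# 10.0.0.7 behaves like a Sasser victim; 10.0.0.5 is an ordinary file-server client.
SAMPLE_LOG = """\
2004-05-01T10:00:00 10.0.0.5 10.0.0.20 445 connect
2004-05-01T10:00:30 10.0.0.5 10.0.0.20 445 connect
2004-05-01T10:00:02 10.0.0.7 203.0.113.4 445 connect
2004-05-01T10:00:02 10.0.0.7 198.51.100.9 445 connect
2004-05-01T10:00:03 10.0.0.7 192.0.2.77 445 connect
2004-05-01T10:00:03 10.0.0.7 203.0.113.150 445 connect
2004-05-01T10:00:04 10.0.0.7 198.51.100.201 445 connect
2004-05-01T10:00:04 10.0.0.7 192.0.2.13 445 connect
2004-05-01T10:00:05 10.0.0.7 0.0.0.0 5554 listen
2004-05-01T10:01:10 10.0.0.5 10.0.0.21 445 connect
"""

# Tunables (assumed values): TCP 445 is the port the LSASS exploit uses (not named
# on the page), 5554 is the FTP backdoor port the page names, and the window and
# threshold are chosen for this sample rather than taken from any reference.
EXPLOIT_PORT = 445
BACKDOOR_PORT = 5554
WINDOW = timedelta(seconds=60)
THRESHOLD = 5  # distinct destinations within WINDOW that count as scanning


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    kind: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events: list[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            events.append(Event(datetime.fromisoformat(parts[0]), parts[1],
                                parts[2], int(parts[3]), parts[4]))
        except ValueError:
            continue
    return events


def fanout_sources(events: list[Event], port: int = EXPLOIT_PORT,
                   window: timedelta = WINDOW, threshold: int = THRESHOLD) -> dict[str, int]:
    """Return {src: peak number of distinct destinations on `port` within any
    `window`} for every source that reaches `threshold`. Each source's connects
    are time-ordered and a window is slid from every event as a starting point."""
    per_src: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.kind == "connect" and e.dport == port:
            per_src[e.src].append(e)
    flagged: dict[str, int] = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e.ts)
        best = 0
        for i, start in enumerate(evs):
            seen = {e.dst for e in evs[i:] if e.ts - start.ts <= window}
            best = max(best, len(seen))
        if best >= threshold:
            flagged[src] = best
    return flagged


def listeners_on(events: list[Event], port: int = BACKDOOR_PORT) -> set[str]:
    """Hosts that opened a new listening socket on the backdoor port."""
    return {e.src for e in events if e.kind == "listen" and e.dport == port}


def sasser_like_hosts(text: str) -> dict[str, list[str]]:
    """Correlate both indicators. Either one alone is reported so that a quiet
    scanner or a lone listener still surfaces; both together is the strong signal."""
    events = parse_log(text)
    findings: dict[str, list[str]] = defaultdict(list)
    for src, n in fanout_sources(events).items():
        findings[src].append(f"{n} distinct hosts on tcp/{EXPLOIT_PORT} within {WINDOW.seconds}s")
    for src in listeners_on(events):
        findings[src].append(f"new listener on tcp/{BACKDOOR_PORT}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in sasser_like_hosts(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

On the sample, only 10.0.0.7 is reported, with both reasons; 10.0.0.5 talks to two servers over more than a minute and stays below the threshold. The same detector applies to the other network worms the page groups with Sasser (Blaster, Slammer) by changing the port and, where the page names one, the backdoor listener.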
The programmer of the worm, an 18-year-old German schoolboy, was arrested on May 7th. Examination of the data that was seized has revealed that he is also responsible for the various Netsky variants. If he is convicted, Microsoft will pay 250,000 US dollars to the person whose information led to the arrest.
copyright © 2004 digitalcraft.org