The History of Computer Viruses
BEWARE!!! Bug Inside. Ever wondered about the history of computer viruses
and how they have changed over time? How about some tactics for countering
them? As you connect to the Internet over the holidays (be it for DOTA or
Facebook), equip yourself with some knowledge, as our IT guru Yeo Kheng Meng
unveils the secrets of computer security in a three-part series to be updated
throughout the holidays.
Computer security
When we think of computer security, viruses and spyware immediately come
to mind. These two kinds of malware are the most common ways in which corporate
networks are breached, users are inconvenienced and personal privacy is intruded
upon. In this article I shall focus on viruses and worms, since they usually
cause the most damage today.
This article is divided into 3 parts
1. History of viruses
2. Methods end-users can take to prevent "infection"
3. Future roadmap of computer security
As such, let me dive into the history of the evolution of viruses and several key ones that redefined the landscape of computer security.
According to Wikipedia, the first self-replicating program was the Creeper
worm in 1971. Its code was fairly rudimentary: it moved from computer to
computer across the ARPANET (the forerunner of the Internet) displaying the
message "I'M THE CREEPER : CATCH ME IF YOU CAN". No damage was done, and it
died out soon after when another program, Reaper, written specifically to hunt
it down, removed all traces of it from infected computers.
With this, the ball started rolling. The next milestone was to spread
a virus quickly and remain undetected in the process. This milestone was
reached in 1986 with the Brain virus, the first virus to infect IBM PCs.
It copied itself to the boot sector of floppy disks, so it was loaded before
the operating system whenever a PC was started from an infected disk. In this
way it could spread very quickly, as floppy disks were the most common means
of moving data in the 1980s, before the advent of the Internet. Users typically
noticed it only when their floppy drives began to slow down.
Up to this point, computer viruses were usually mild and largely confined
to small local groups of computers. All this changed when the use of the
Internet became widespread. The Morris worm of 1988 was one of the first to
use the Internet to propagate itself, exploiting known weaknesses in common
network services (among them a buffer overflow in the fingerd daemon and a
debugging mode left enabled in sendmail). It infected an estimated 6,000
machines, about 10% of the roughly 60,000 computers then connected to the
Internet. Infected computers slowed down dramatically because a flaw in the
worm's own logic let it reinfect machines it had already compromised, so each
ended up running many copies of the worm at once.
As you can see, the viruses of the 1980s focused mainly on attacking
the operating system (OS) itself, through boot sectors and executable files,
rather than using personal documents as a means of propagation. That changed
with macro viruses. Documents had previously been thought safe, on the
assumption that they contained no executable code; in fact Microsoft Word
documents can carry macros, and the Concept virus of 1995 was the first to
spread widely that way. The Melissa virus of March 1999 took the idea much
further. It used Word's macro* feature to execute its code, and then used
Microsoft Outlook to mail an infected document to the first fifty addresses in
the victim's address book. The virus (really a worm in its behaviour) soon
clogged up email systems as it sent itself from computer to computer, and it
caught the anti-virus industry off guard with the speed of this new mode of
transmission.
*(A macro is a set of instructions embedded in a document, normally used
to automate tasks while the document is being worked on. Word can be set to
run certain macros automatically, for example when the document is opened,
which is what made them usable as a way to launch virus code.)
However, all these viruses up to this point worked as stand-alones: each
infected computer acted on its own, and the combined power of thousands of
machines was not yet being harnessed for such things as spamming. The Sobig
worm, which first appeared in January 2003, made use of this form of attack.
It mass-mailed itself, and the hundreds of thousands of computers it compromised
were turned into relays for spam. The flood of mail from these computers
overwhelmed many corporate mail servers worldwide; its Sobig.F variant of
August 2003 spread the most widely.
The Blaster worm, also dubbed the "lazy" worm, exploited not a new,
unknown vulnerability but a known one. The loophole it used, a flaw in the
Windows RPC service (Microsoft security bulletin MS03-026), had already been
disclosed by Microsoft and a patch published on 16 July 2003, roughly a month
before the worm appeared on 11 August 2003. Blaster thus became the standard
illustration of the patch-to-exploit window: the time between a fix being made
available and attackers weaponising the flaw, during which every unpatched
system is exposed. (A "0-day" exploit is the extreme case, where the
vulnerability is attacked before any patch exists at all; the term was not
coined because of Blaster, but the worm showed how short the window after a
patch had become.)
Blaster combined several key techniques, namely a **buffer overflow to
break into the RPC service and a ***denial-of-service (DoS) attack. From
16 August, infected machines were set to flood the Windows Update site.
Fortunately the worm's author had hard-coded windowsupdate.com, which merely
redirected to the real update service at windowsupdate.microsoft.com; Microsoft
simply removed the targeted name from the DNS and escaped largely unscathed.
**(A buffer overflow is a programming error in which a program copies more
data into a fixed-size area of memory (a buffer) than that area can hold. The
excess spills over into whatever is stored next to the buffer, which may merely
crash the program or, when the overwritten memory holds an address or a flag
the program relies on, let an attacker redirect the program to run code of
their choosing, as Blaster did. The Ariane 5 flight 501 failure of 1996, in
which the European Space Agency's rocket destroyed itself shortly after
lift-off, is often cited alongside it but is strictly a different bug: a 64-bit
floating-point value was converted into a 16-bit integer too small to hold it,
an arithmetic overflow rather than a buffer overflow. Both are failures to check
that a value fits the space allotted to it.
***DoS attacks are usually aimed at servers hosting websites or corporate
VPN gateways. In the distributed form (DDoS) the attacker first infects a large
number of computers. Then, at a preset time or on command, all of them bombard
a public server on the Internet with requests such as loading a web page. The
server, unable to handle the load, slows to a crawl or crashes, taking down the
other tasks it was supposed to perform.)
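As an added illustration (this is not code from the original article), the following C program models the two kinds of overflow mentioned in the footnotes above: an unchecked string copy that spills past a 16-byte name field into a flag stored right after it, the bounded copy that refuses such input, and a range check of the sort that would have caught the Ariane 5 conversion. The memory layout, field names and sample input are all constructed for this example; a real overflow would corrupt a live stack frame, which is deliberately avoided here so the program behaves the same on every compiler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the original article.
 *
 * A buffer overflow copies more bytes into a fixed-size buffer than it can
 * hold; the extra bytes land in whatever sits next to it in memory.  Rather
 * than corrupt a real stack frame (undefined behaviour), this program models
 * a tiny region of memory by hand with an assumed layout:
 *
 *   bytes  0..15  name      16-byte string buffer the user fills in
 *   bytes 16..19  is_admin  a 32-bit flag stored right after the name
 *
 * Every write stays inside the 20-byte frame, so the program is well-defined,
 * yet the unchecked copy still spills out of the name field into the flag
 * exactly as a real overflow would.
 */
#define NAME_LEN  16
#define FRAME_LEN (NAME_LEN + sizeof(int32_t))

struct frame {
    unsigned char bytes[FRAME_LEN];
};

void frame_init(struct frame *f) {
    memset(f->bytes, 0, FRAME_LEN);               /* name = "", is_admin = 0 */
}

int32_t frame_is_admin(const struct frame *f) {
    int32_t v;
    memcpy(&v, f->bytes + NAME_LEN, sizeof v);    /* read the flag field */
    return v;
}

/* Vulnerable pattern: copy the whole input and never ask how long it is.
 * strcpy writes strlen(input)+1 bytes, however many that is. */
void set_name_unchecked(struct frame *f, const char *input) {
    strcpy((char *)f->bytes, input);
}

/* Fixed pattern: refuse anything that does not fit, counting the NUL.
 * Returns 0 on success, -1 if the input was rejected (frame untouched). */
int set_name_checked(struct frame *f, const char *input) {
    size_t n = strlen(input);
    if (n >= NAME_LEN) {
        return -1;
    }
    memcpy(f->bytes, input, n + 1);
    return 0;
}

/* Arithmetic overflow, the Ariane 5 class of bug: a value too large for the
 * destination type.  Checking the range first turns a silent wrap-around
 * into an explicit error.  Returns 0 and stores the value, or -1. */
int narrow_to_int16(double value, int16_t *out) {
    if (value < INT16_MIN || value > INT16_MAX) {
        return -1;
    }
    *out = (int16_t)value;
    return 0;
}

/* Constructed input: 17 'A's, one more than the name field can hold. */
static const char TOO_LONG[] = "AAAAAAAAAAAAAAAAA";

/* Flag value after an unchecked copy of TOO_LONG (non-zero means corrupted). */
int32_t demo_unchecked(void) {
    struct frame f;
    frame_init(&f);
    set_name_unchecked(&f, TOO_LONG);   /* 17 chars + NUL = 18 bytes, 2 spill */
    return frame_is_admin(&f);
}

/* 1 if the checked copy rejected TOO_LONG and left the flag at 0. */
int demo_checked(void) {
    struct frame f;
    frame_init(&f);
    int rc = set_name_checked(&f, TOO_LONG);
    return rc == -1 && frame_is_admin(&f) == 0;
}

/* Result of narrowing a value to 16 bits: 0 if it fits, -1 if rejected. */
int demo_narrow(double value) {
    int16_t out;
    return narrow_to_int16(value, &out);
}

int main(void) {
    printf("unchecked copy: is_admin became %d\n", (int)demo_unchecked());
    printf("checked copy refused input, flag intact: %s\n",
           demo_checked() ? "yes" : "no");
    printf("narrowing 70000.0 to int16: %s\n",
           demo_narrow(70000.0) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the model is that nothing in the unchecked path is "wrong" byte by byte; the copy simply has no idea where the name field ends, so the 17th character becomes part of the flag. The fix is the one check Blaster's target lacked: compare the input length against the buffer size before copying, and treat "does not fit" as an error rather than something to accommodate.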
Now to recent times: the Storm worm. It began spreading in January 2007,
riding on emails whose subject lines promised news of the storms then battering
Europe, and it continues to spread today, albeit with much less potency. It is
credited with infecting the most computers at any one time, although estimates
vary enormously, from 1 to 50 million.
It combined many modern methods, including DoS and distributed computing in
the form of a "botnet". The Storm worm uses peer-to-peer technology (a modified
version of the Overnet/eDonkey file-sharing protocol) to communicate and divide
tasks among infected computers, so, as with file-sharing torrents, there is no
single central server whose loss would bring the botnet down.
(Bots are individual compromised computers controlled so as to cooperate
with many other bots on certain tasks, such as attacking a website, sending
spam or seeking out further computers to infect. A botnet is the collection of
all the bots under one operator's control.)
The bots all run the same code but do not all play the same role. Bots that
are directly reachable from the Internet (those not hidden behind a home router
or firewall) take on a proxy role, relaying commands to the far larger number of
bots that cannot be reached directly, so the latter never need to know where the
real controllers are. When a proxy bot drops off the network, another reachable
bot takes over its job.
It is striking that the virus code in all of the bots is identical, and that
this division into leaders and followers emerges with no intelligence at all:
each bot simply tests its own situation and picks its role accordingly.
The Storm botnet also employs defensive strategies to ensure its survival, one of which is the DoS attack. Researchers who probed the botnet too aggressively, for example by repeatedly scanning it or pulling copies of the virus from many bots, have reported being hit with a flood of traffic from large numbers of bots shortly afterwards. In effect the botnet notices a computer that attempts to detect and eliminate it, and part of the network is turned against that computer using the DDoS technique described above.
Next: Prevention is better than cure...