Malware Overview Do you know what goes on under the hood of your car? Do you know the solution for a warning light on the dash? Do you know what's wrong with the car if it starts making strange noises or loses power? Those same questions can be asked about your computer. Computers can have many of the same problems as cars. Engine problems can cause cars to lose power, just like a large program can take up too much of the computer for anything else to run. Where an engine could "throw a rod" or "break a timing chain," computers can mysteriously reboot or die with the dreaded "Blue Screen of Death." We expect that our car will bog down sometimes. You can't expect a car to perform as well when pulling a two-ton trailer up a five degree hill. Likewise, when a computer gets bogged down with a big project, you would expect it to respond a little slower. What you don't expect is for either the car or the computer to bog down or die when we're not pushing so hard. One of the things that "Malware" can do is exactly that. It forces the computer to work harder, taking power away from our programs. It would be like sneaking a dozen cinderblocks into the back of the family car right before the trip. "Malware" is software that works without the user's knowledge and consent. Sometimes called "badware," it covers a wide range of programs, including computer viruses, spyware, adware, and more. Adware can bog down the computer, because it contacts websites to download fresh ads. Spyware collects data on you and the websites you visit and returns all of that data to the host website. And viruses just want to find a way to spread to other computers. But most importantly, malware runs "under the hoood" and behind your back, so that you don't even know that it's there. Virus Overview Computer Viruses are one of the biggest "bogeyman" of the Internet, and with attacks by Melissa, ILoveYou, Nimda, and Michelangelo, there are damage estimates and virus warnings all over the Internet. But what are they really? A virus is a program that spreads to other computers. Like all forms of malware, it both runs without the user's knowledge or permission and it can interfere with other programs that are trying to run on the same computer. Some viruses also carry a payload, like ticking time bombs. On a given date, or after a certain time after the computer is infected, the virus will "trigger." This trigger can damage files, erase drives, or attack other systems over the Internet. Viruses have two major goals. First, they need to be run and installed on the infected computer, and two, they need to spread to other computers. And they need to meet these two goals without alerting the owner of the computer. There are a wide variety of ways for a virus to infect a system. Many early viruses used the "boot sector" of a floppy disk as their infection point. If the user powered on the computer with an infected floppy disk in the drive, the computer would try to boot from the floppy. The virus would infect the system, but make it look like the computer had tried to boot from a blank floppy disk. The virus met both goals at the same time, because every time a new disk was inserted into the drive, the virus would put another copy of itself into the boot sector. Today, floppy disks are far less common, and boot sector viruses have all but disappeared. One of the most common infection routes today is by email attachment. Many viruses today will even search the address book and send out emails without the owner's knowledge. Virus Hoaxes "Warning!," the email screams. "There's a new virus going around, and Microsoft says it's the worst one yet!" After this amazing bit of hype, the email continues with "Once this virus infects your system, it will delete all the files on your hard drive, reset your computer clock, and make your screen only show green and black!" Anyone who has made it this far is then asked to "forward this virus warning to everyone you know!" and "Delete any emails you get with the title "Have a nice day!' This email has all the signs of a virus hoax. First, viruses are not magical or all-powerful. Yes, they can damage your data. Viruses have been known to erase hard drives, delete documents, even forward classified documents to random email addresses. But, to date, only one virus (CIH, or Chernobyl) has actually been able to damage hardware. CIH found a way to overwrite the BIOS, or read-only memory Second, viruses are identified by their programming, and not by the title of the email they're attached to. Once word got out to delete every email with that title, the virus programmer would just change the subject, and everyone would have to send out another virus warning, for a whole new virus, that looks exactly like the old one except for the subject line of the email. Third, if Microsoft (or any other big-name company, for that matter) wanted to get the word out about a new virus, they would post it on their website, and not ask everyone to forward emails. Forwarded emails are very inefficient, because some people only check their email once a week. By the time they got the warning, the virus would have triggered and destroyed their computer! The best advice about virus hoax warnings is "don't pass them along." The huge flood of useless emails do as much damage as the viruses they warn about. The Nimda Virus One of the most complex and dangerous viruses ever was the Nimda virus, in September 2001. Nimda became the most widespread virus in the world a mere 22 minutes after it was released. Nimda was as powerful as it was because it knew so many different ways of infecting a system. First, it spread itself through email, with a built-in SMTP routine. It would search the infected hard drive for email addresses and send itself to them. It used a bug in Microsoft Outlook that would cause the system to be infected just by viewing the email. Second, it checked for shared network drives. Any time it found a drive that it could write itself to, it scattered copies of itself all across the drive. These files were often the first sign that a system on the network was infected. Third, it would attempt to infect web servers through several different known bugs. Any server that wasn't completely up to date on patches was in danger of infection. Fourth, once the server was infected, it would infect web sites. Any visitor to an infected site could be infected, depending on IE security settings. And, since it was attacking from the server, it could find it's way to corporate intranet sites, not just public internet sites. And finally, it would attempt to infect any systems that had previously been attacked by either the Code Red II or the Sadmind viruses. Both viruses opened security holes on the systems they infected, and Nimda would try to use them. Nimda set records for virus tactics. It sent emails that infected on viewing, and put copies of those emails on network drives in the hopes that someone would open them and infect their system. It infected via website, and it even infected servers. Nimda was an ingenious and vicious program that was difficult to destroy. The Michelangelo Virus -- Hype and Fizzle The Michelangelo virus was the first real appearance of computer virus hype in the media. Various "experts" made claims about how widespread the virus was and how much damage it was going to do when it triggered. Michelangelo first hit the news in late January, 1992. A customer noticed that computers from Leading Edge were arriving with the virus pre-installed. The next day, John McAfee is quoted as saying Michelangelo was the third most common virus in the world. Two weeks later, McAfee was quoted again, and this time he estimated that as many as five million computers worldwide could be hurt by the virus. This was a big, impressive number, and journalists ran with it. All through February, readers were treated to an assortment of information that was either overblown or just wrong. For example, several experts reported that the virus came from bulletin board systems, which is not true--the virus was spread on infected floppy disks. One expert advised not shutting computers down on March 5th, the day before the trigger day. The virus would only be triggered by actually booting the computer on the 6th, he said. If the computer was never turned off, the virus wouldn't have a chance to trigger. In early March, Intel discovered it was sending the virus with one of their programs. Several journalists took the words of McAfee and others, especially the estimate of five million infected computers, and spun wilder and wilder predictions of damage. When March 6th arrived, the world held it's breath, waiting for the reports of mass destruction of computers...that never came. Instead of millions of computers, the virus barely hit a few thousand. AT&T, with 250,000 computers, said the virus affected two systems. Critics pointed out that the people making the huge claims stood to profit--because they were also selling anti-virus programs. The CIH Virus On April 26, 1999, systems around the world began dying. Something was both damaging information on hard drives and damaging their BIOS chips. Investigation turned up the CIH Virus, later known as Chernobyl because it was released on the anniversary of the Chernobyl reactor explosion. The CIH virus somehow found it's way onto a set of IBM Aptiva PC's sold to Activision in March of 1999. Every copy of their latest game, SIN, came bundled with a bonus copy of the CIH virus. When it infects a system, the virus actually squeezes into empty spaces in operating system files. CIH was sometimes known as the Spacefiller virus for this ability. When the virus triggered, the first thing it did was to overwrite the first megabyte of the hard drive with zeroes. That area of the hard drive is critical, because that's where the partition information is usually stored. Once the hard drive was hit, the virus would then turn to the BIOS chip. BIOS stands for Basic Input Output System. The BIOS chip is the ROM, or Read Only Memory, of the computer. Without the BIOS, the computer would forget how to "talk" to the other hardware in the computer, like the keyboard and hard drives. Normally, the BIOS is read-only. But by 1999, BIOS manufacturers had switched to chips that could be "flashed," or reprogrammed. The CIH virus tried to use this ability to erase the BIOS. In effect, the virus would try to kill the computer, first by making the hard drive unreadable, and then by making sure the system wouldn't boot without a new BIOS chip. Fortunately, due to a bug, the program only knew how to erase one brand of chips. CIH was still damaging computers in Asia a year after it first triggered, and several viruses have been released that try to infect systems with newer versions of CIH. Spyware Overview Imagine a program that watches your computer. It sits in memory, watching everything the computer does--the websites it displays, the passwords used to get into them, the advertisements that get clicked on. This program silently and secretly gathers all of this information, without the user's knowledge. Then, at some point, it connects to a server somewhere on the Internet, and hands over this collection--again, without letting the owner of the computer know what it's done. Scary thought? Experts believe that at least six out of ten--perhaps as many as nine out of ten--computers on the Internet have this kind of malware installed. Like a virus, many spyware programs run without the user's consent or knowledge. There is an entire industry devoted to gathering demographics information through the use of spyware, and there is another industry that's grown to combat spyware. Spyware is meant to capture "demographics." This is meant to help advertisers better target their ads. For example, if a piece of spyware reports that the user recently visited websites for car dealerships, then the spyware server would then send ads for cars to the computer. Many people, however, regard this as an invasion of privacy. Spyware companies claim to only gather "generic" information, like web site addresses and zip codes, but it's still very easy to gather critical information. Anything entered into a web form can end up in the spyware collection--such things as phone numbers, email addresses, credit card numbers, and even social security numbers can all find their way into a spyware database. In the end, it comes down to personal preference. Some popular programs have spyware attached, and will quit working if the spyware is uninstalled--so the user has to decide whether that program is worth it. Provided, of course, the user even knows that the spyware is running on his system. Robert Tappan Morris and the Internet Worm Robert Tappan Morris claims he only wanted to measure the size of the Internet, but he didn't count on the speed and power of his program. He wrote a virus program that would spread to other computers. He made the program smart; before it infected a new system, it would actually check and see if there was already an active copy running there. Unfortunately, at the same time, he made it stupid. It would be really easy to prevent the spread of the program just by telling all of the computers on the network to always answer "yes" when the virus checked. So, Morris programmed it to install another copy of itself fourteen percent of the time. The main part of the program was designed to hack into known Unix weaknesses, like the Finger bug and Sendmail. On November 2, 1998, Morris released his creation from a computer at MIT (to hide the fact that the virus was created at Cornell). Within hours, the Internet had slowed to a crawl. Morris hadn't counted on the speed of the program. Fourteen percent is a small number in human terms, but a huge number in microseconds. Infected computers were spending every available bit of power into hunting for more computers to infect. Some estimates say that the worm hit over six thousand computers, and the government claims damages of at least ten million dollars. The Internet Worm was quite probably the first computer virus to spread across the Internet, and the first one noticed by the mainstream. It forced many computer experts to rethink computer security and the nature of the Internet, and we're still learning the same lessons today. Robert Tappan Morris was sentenced to probation and a fine, and today he is an associate professor at MIT, the college he released the Internet Worm from. Macro Viruses and the Melissa virus Microsoft thought it was doing it's customers a favor by adding a programming language to Microsoft Word. In terms of customer service, it was a great idea, because it would allow users to automate and program within their documents. For example, when a document opened, it could be programmed to ask the user for details that must be entered into each document, like insurance policy numbers or phone numbers. Microsoft didn't count on this programming language ever being used to turn Word documents into virus infectors, but that's exactly what happened. The first Macro Virus was called the Concept virus. It was designed in 1995 simply to show that it was possible to write a virus in Word's Macro language. Once it was proven, though, the idea took off. By 2004, nearly 75% of all viruses were macro viruses. When Word opens a document, it runs a normal series of macros. When the system is infected, these normal macros have been replaced, so that when any future documents are opened, their macros are infected as well. Every Word document this computer touches carries a copy of the virus, and will infect any other system that opens it. Possibly the most famous macro virus to date was Melissa. Virus programmer David L. Smith named the code after a lap dancer he knew, and released it in late March, 1999. The virus sent a file called "List.doc" which it claimed were passwords to eighty adult websites. Anyone who opened the document would get their passwords and a free copy of the Melissa macro virus. Melissa would then gather up the first fifty entries in the address book, and email itself to all of them. Melissa had infected so many systems that by March 26th, it was shutting down mail servers with all of the infected emails traveling across the 'net. Adware Overview Adware is advertising delivered directly to your computer. Generally, a program puts ads on the screen at some regular interval. In some cases, this program can be installed without the user's knowledge, but not always. Many programs clearly state on install that "this program is supported by advertising, and if you turn off the advertising, you also shut down the program." Adware tends to be a "grey area" in the malware family. Yes, it can run without the user's knowledge, and yes, it can bog down the system (especially when the adware program goes online to retrieve new ads to display). At the same time, adware is generally more open about what it does, giving the user the choice to install the program the adware is attached to. Adware is most often tied into Internet Explorer somehow. The ads that appear are browser windows. When it's installed above-board, adware is generally accepted by the internet community as a valid marketing system, even though it can include elements of spyware (ie, it tracks information, and uses that information to deliver targeted ads to the user). If one user of a system installs adware on a system, and another user is then tracked, then the program crosses the line from adware to spyware--because the second user is being tracked without their consent. Some other forms of adware have used sneaky programming tricks to hide or cover website advertising. For example, an adware program can read an incoming website, and learn the location of a banner ad on that page. Then, the program can use that information to put an ad of it's own in the exact same spot, hiding the legitimate ad. This deceptive use of adware is often called "stealware" because it steals the advertising space from the original website.
Legitimate Adware There are plenty of reasons why malware is "bad." Are there any times when malware is valid and legal? Many shareware programs today come bundled with adware. The premise is this: If you try out the program, and enjoy it, you'll buy it. Until you pay for it, the programmer is paid through the advertising that the shareware program displays. If the user somehow kills or removes the advertising, then he is also obligated to remove the program that was supported by the ads. In some cases, the ads are displayed in the actual program, like in a small window or corner of the program's screen. In most cases, though, the ads are displayed by a totally separate program included in the same installer program. If the adware is legitimate, then it has to be explicitly displayed in the install, and the user has to have the option of not installing it. This is where adware earned it's poor reputation. Many adware programs simply install alongside the ad-supported program, without ever informing the user. The user is then surprised by the constant barrage of pop-up ads on his computer when he isn't even visiting websites and the collection of strange programs on the hard drive that he doesn't remember installing. The key factor in whether or not malware is "legitimate:" If the user has no problem giving demographics information for a program he enjoys using, then the spyware that comes with that program is legal and accepted. However, if another user then sits at the same computer--one who doesn't know the spyware is there--then it's no longer a legitimate program. The person being spied upon by the spyware, or forced to view the pop-ups delivered by the adware, has to understand and accept what the program is going to do. Home Page Hijacking and Browser Helper Objects Internet Explorer has a way for a website to add itself to the list of favorites. It's a feature Microsoft added so that websites can have a button that says "Bookmark This Site! Just Click Here!" Now, if that's all that particular feature did, then there wouldn't be any malware concerns over it. Unscrupulous programmers have taken advantage of it to create Home Page Hijackers. In a nutshell, a Home Page Hijacker is a program that reaches into your browser and changes your homepage: without your permission. You might think, "That's easy enough to fix, just change my homepage back and everything is fine." Unfortunately, the Hijacker won't let you get away with that, thanks to a BHO, or Browser Helper Object. The BHO is a chunk of code that gets added to the browser. It's meant as a quick and easy expansion to the browser, but when malware programmers get their hands on it, it becomes something a lot more sinister. A Homepage Hijacker will both change the homepage and bookmarks, and install a BHO. The "helpful" BHO has been programmed to make sure the homepage hijacker sticks around. What this means is, every time the computer is rebooted, and/or every time the browser is started, the BHO kicks in for just a second.. It "restores" the bookmark file and homepage setting. Homepage Hijackers, with their associated BHO modules, have been known to change the homepage, remove entries from bookmarks, add anywhere from one to hundreds of bookmarks, and even change the default search settings. This way, when a user misspells a web site address, instead of seeing the usual IE "I can't find that" page, he sees an ad-covered search page. At their worst, homepage hijackers force the user to go through their web sites and search engines to get to any site on the 'net. Firewalls and Proxies In building construction, a firewall is a structure designed to contain building fires. For example, an attic crawlspace that covers the entire length of the building would allow a fire to roar from one end of the building to the other. Breaking up the crawlspace with non-flammable walls helps to slow the spread of a fire. Network firewalls have a similar function. A firewall is a network security system, either a program or an actual device, that breaks up a network to contain viruses and hackers. Imagine two large fish tanks side by side, separated by a wall. We want to allow the blue fish to mingle, but we need to keep the carnivorous fish on the left away from the baby fish on the right. If we opened a computer-controlled door in the wall, programmed to only allow blue fish to pass but no one else, that would be a fishtank firewall. Network firewalls "segment" the network. Local traffic -- the information that moves between the computers in that segment -- doesn't go through the firewall to the larger network outside. And information that doesn't need to reach anyone inside the firewall is blocked out, just like the carnivorous fish in our example. A Proxy is another network security tool. Proxies are replacements for Internet servers. When a computer requests a website from the internet, a main hub provides the IP address. A firewall can interfere with this, and declare that no one inside the firewall can surf the Internet. The Proxy is then the "official" way past the firewall. A proxy server has a list of "authorized" websites. When the user's computer requests the address from the Internet, the proxy checks it against the list, and if the website is approved, it authorizes the firewall to let the traffic through. If the website is not approved, then the firewall sends a message saying "you are not authorized to visit this website." Drive-By Downloads You're surfing the Web, enjoying a quiet afternoon, when a window pops up on the screen. "New Windows Antivirus Update Available," it says. "Would you like to update your system?" You get "Yes" and "Cancel" buttons at the bottom. It looks like a real, honest-to-goodness Windows message, right down to the logo in the corner. Should you click Yes, or Cancel? The correct answer is "Neither." In programming terms, this is known as a Drive By Download. A website you visited has this code set to run as soon as you visit. The pop-up is trying to install something on your computer, and if you click "Yes," you really have no idea what you're agreeing to. Your computer may now be set to make long distance phone calls, or assist in a Denial of Service attack, or just flash adult advertisements at you every thirty seconds. Many malware programmers design their systems to look just like system messages and windows. Just because an email or a pop-up says it comes from Microsoft, or your bank, for that matter, doesn't make it true. We don't want any of that, so we should hit "Cancel," right? Nope. It may look like a standard Windows message, but it's really not. It's just an image of those buttons. Clicking either button -- in fact, clicking anywhere in the image -- is the same as clicking "Yes" and giving the mystery program blanket permission to do whatever it's going to do. The correct answer is to click on the little "X" at the top right of the window, closing it without clicking on anything inside it. This is one of the best ways of keeping malware off of your system. When in doubt, don't click. This advice works for ads, email attachments, and mystery files, and is a really good habit to get into. Denial of Service Attack Imagine a group of junior high school kids who decide to play a prank on their least favorite teacher. They agree that they will all call the teacher's phone, as quickly as they can dial, non-stop, until he unplugs the phone in frustration. When this happens using the Internet rather than telephones, it's called a Denial of Service attack. Such attacks are designed to either keep the target system so busy handling the attack that it can't get anything else done, or to overwhelm it into shutting down completely. Why should anyone but a system administrator worry about denial of service attacks? Users need to be aware of something called a BotNet. The MyDoom virus was one of the first viruses to attempt two levels of attack. First, the virus would try to spread. On infection, though, it would insert a second program into the system. Basically, on MyDoom's trigger date (February 1st, 2004), any infected system would launch a denial of service attack against MyDoom's real target. The virus tried to establish a collection of computers that would all launch attacks on the same day. This collection is a botnet, and in the years since MyDoom pioneered the concept, literally dozens of programs have expanded on the idea. A popular program in use today is Stacheldraht. Stacheldraht is the master program, and it manages a collection of "handler" computers. Each of these handlers can control up to a thousand "zombie" computers around the world. The hacker with the Stacheldraht master says "attack this server," the handlers pass the word along, and thousands of systems instantly change from peaceful home computers into remote-controlled computer attackers.. Sure, it sounds like a line from a bad horror movie, but it's true. Users need to keep their systems from becoming one of Stacheldraht's zombies. Backdoor Programs It's the ultimate nightmare for a computer user -- the idea that someone outside the computer can take over. The official "technical" term is Remote Administration, but hackers are more likely to use the word Backdoor. With Windows XP, remote administration comes pre-installed. Windows XP has an option called Remote Assistance, where an XP technician can "remote in" and take over your computer. The remote tech has as much control over your system as if he was sitting there at the keyboard. The hackers predate Microsoft by several years. NetBus, for example, was designed in 1998 by Carl-Fredric Neikter, and many of the backdoor programs since then have followed a similar design. The program comes in two parts, the Client, and the Server. The server is the part that has to be installed on the machine to be hacked, and the Client is the controlling system. Once the Server program has been installed, the Client has almost total control, from dangerous things like recording keystrokes or launching programs to annoying things like opening the CD tray. Netbus 2.0 Pro was even marketed commercially as a remote administration program. Some other backdoor programs are Back Orifice (which was named as a pun on Microsoft's Back Office program), SubSeven, and Poison Ivy. Any backdoor program allows an outsider full, unrestricted access to the hacked computer. The hacker can copy information off of the computer, activate webcams, even remotely shut down or crash the computer. Netbus and SubSeven are very popular among "script kiddies." In one major case in 1999, a law professor was fired and charged because system administrators found child pornography on his system. He was acquitted -- almost five years later -- when the court was shown that Netbus was used to copy the images onto the computer. Most backdoor programs are easily stopped by antivirus and firewall programs. Virus History -- 2001 to Present After the flurry of viruses that haunted 2001, 2002 was amazingly quiet. Unfortunately, 2003 took off again. January saw the SQL Slammer worm infect over 75,000 systems in about ten minutes. It attacked a flaw in Microsoft's SQL Server, and basically slowed down the entire Internet. The Blaster worm attacked in August. It was meant to cause a Denial of Service attack against the Windows Update website, by causing all infected systems to flood the site on August 15th. The programmer was convicted because investigators actually found his name in the virus code. Only a few days later, SoBig attacked. This was another emailing virus. After infection, it searched the files on the hard drive for email addresses and sent itself to any it found. October saw the release of the Sober emailing virus. Sober was notable in that it would shut off antivirus programs after infection. The fastest-spreading virus to date was MyDoom, which struck in January 2004. At one point, MyDoom was responsible for 1 out of every 10 emails on the Internet. 2004 also saw the Witty, Sasser, and Santy virus outbreaks, and in 2005, Zotob and Samy. In 2006, the first Mac OS/X virus was announced, as well as the first MySpace attack, "LordoftheNoose," This program changed the names of MySpace profiles, and locked out users to keep the names it set. At one point, as many as 70% of all MySpace profiles were infected. So far in 2007, another MySpace virus has erupted, and the Peacomm Virus attacked. Peacomm was an email that claimed to be a video clip. Historically, most viruses have used very similar attack routes. Either they carried an attachment which the user had to open, or they took advantage of a known flaw in the system which had not yet been fixed. The moral of the story is this: Keep your updates current, and be wary of unusual attachments. History of Computer Viruses since 1989-1999 Robert Morris's Internet Worm of 1988 was the biggest news in virus history for several years. Until 1992, most virus news was much quieter. In 1989, for example, Ghostball was released. This was the first virus able to attack different kinds of targets. Before Ghostball, viruses were classified by their attack, like "file infector" or "boot sector virus." Ghostball was the first Multipartite virus, because it could follow several attack patterns. In 1990, a programmer named Mark Washburn demonstrated a Polymorphic virus.called 1260. This virus could actually change the structure of it's own code -- meaning, every time it infected a new system, it looked different while doing the same thing. In effect, this kind of virus "hides" from anti-virus software by wearing disguises. Michelangelo was the first virus to achieve stardom. It was discovered in 1991, and was predicted to cause incredible amounts of damage when it reached it's trigger date, March 6th, 1992 (March 6th is Michelangelo's birthday). If an infected system is booted on March 6th, the virus will erase the hard drive. Despite doomsday warnings made by the press and the antivirus industry of "at least five million infected systems at risk," only about 10,000-20,000 computers worldwide were hit by the virus. The Concept virus was discovered in 1995. Concept is short for "Proof of Concept," and it was designed to show how viruses could be written in the macro language programmed into Microsoft Word. By 2004, roughly 75% of all viruses are macro viruses. The CIH virus, later renamed "Chernobyl," appeared in 1998. This was a very damaging virus that was not only programmed to erase hard drives but also tried to erase BIOS chips. For the first time in history, a virus had managed to actually damage the hardware it was running on. Fortunately, CIH wasn't very good at it, and only damaged a handful of systems. History of Viruses, 1999 through 2001 The Melissa virus was the big story of 1999. Named after a lap dancer, Melissa was the first major emailing virus. Upon infection, it used Microsoft Outlook to send copies of itself to the first fifty names in the address book. March, 1999, saw it spread across the Internet, clogging up email servers everywhere it went. 1999 was a busy year, with the ExploreZip virus appearing in Jerusalem in June. This one had a fake Zip file attached called "Zipped_Files.EXE." If the user double-clicked the file, it would put up a fake window saying "sorry, this zip file is corrupt." It would then go on to email everyone in the address book, and follow that by destroying documents and files on the hard drive. The LoveLetter, or "I Love You," virus hit in May of 2000. It was another emailing virus, this time using VBScript. The user would receive an email with an attachment usually called "love-letter-for-you.txt.vbs". Notice the dual extension at the end. Many Windows systems will not display the extension, so the ".vbs" would disappear. The user, thinking he's looking at a .TXT file, feels free to open it, and thereby infects his system. The LoveLetter virus is widely known as the most expensive virus attack in history, with expert estimates upwards of ten billion dollars worth of damage. 2001 was the banner year for viruses. Sadmind in May, Sircam and Code Red in July, Code Red II in August, Nimda in September, and Klez in October. Sircam randomly selected files from an infected machine and sent them out in emails. Nimda attacked through five different methods, including security holes opened by Sadmind and Code Red II. Through all of these virus attacks, many computer experts pointed to Microsoft as the problem--because most of these viruses were attacking security flaws in Microsoft programs, especially Internet Explorer and Outlook. History of Computer Viruses to 1989 Science fiction writer David Gerrold wrote "When H.A.R.L.I.E. Was One" and published it in 1972. In it, a computer program called "VIRUS" spreads from computer to computer, before it is finally killed by another program, appropriately called "VACCINE." Just like communication satellites, moon landings, and waterbeds, science fiction predicted the future. The first program to actually spread from one computer to another appeared around the same time. The Creeper virus infected a system across the Arpanet, the network of computers that eventually became the Internet we know today. Interestingly enough, the Reaper program designed to kill the Creeper virus was also a virus. The first wide-scale virus infection was Elk Cloner on the Apple II computer system in 1981. Since the Apple II kept it's operating system on floppy disk, it was very easy to infect the system, and a surprisingly large number of viruses were written for Apple computers. Five years later, the first PC viruses began to appear, starting with The Pakistani Brain. It was written by a pair of brothers in Pakistan. 1987 saw the first boot-sector viruses, such as Yale, Ping Pong, and Stoned. Boot sector viruses infect a computer if an infected disk is left in the drive with the power off. The Jerusalem virus also appeared that same year, and was one of the first viruses to have a destructive payload -- if the virus was running on Friday the 13th, it would ruin all executable files on the computer. Robert Tappan Morris made computer history in 1988. His computer worm was one of the first to exploit "Buffer Overrun" errors, and spread rapidly across the network. It would run multiple times on infected systems, eventually crowding out anything else on that system. The worm brought the Internet to it's knees until it was found and removed.
InfoBank Intro | Main Page | Usenet Forums | Search The RockSite/The Web