Super Seventies RockSite's Infobank - 'just the facts, ma'am'



Malware


Malware Overview

Do you know what goes on under the hood of your car? Do you know the solution
for a warning light on the dash? Do you know what's wrong with the car if it
starts making strange noises or loses power?

Those same questions can be asked about your computer.

Computers can have many of the same problems as cars. Engine problems can cause
cars to lose power, just like a large program can take up too much of the
computer for anything else to run. Where an engine could "throw a rod" or
"break a timing chain," computers can mysteriously reboot or die with the
dreaded "Blue Screen of Death."

We expect that our car will bog down sometimes. You can't expect a car to
perform as well when pulling a two-ton trailer up a five degree hill. Likewise,
when a computer gets bogged down with a big project, you would expect it to
respond a little slower.

What you don't expect is for either the car or the computer to bog down or die
when we're not pushing so hard.

One of the things that "Malware" can do is exactly that. It forces the computer
to work harder, taking power away from our programs. It would be like sneaking a
dozen cinderblocks into the back of the family car right before the trip.

"Malware" (malicious software) is software that runs on your computer without
your knowledge or informed consent. Sometimes called "badware," it covers a wide
range of programs, including computer viruses, worms, spyware, adware, and more.
Adware can bog down the computer, because it keeps contacting ad servers to
download fresh ads. Spyware collects data on you and the websites you visit and
reports it back to whoever planted it. And viruses and worms exist first of all
to spread to other computers, sometimes carrying a damaging payload along for
the ride.

But most importantly, malware runs "under the hood" and behind your back, so
that you don't even know that it's there.

Virus Overview

Computer viruses are the biggest "bogeymen" of the Internet, and after attacks
by Melissa, ILoveYou, Nimda, and Michelangelo, damage estimates and virus
warnings are all over the Internet. But what are they really?

A virus is a program that spreads to other computers by attaching copies of
itself to other programs, documents, or disks. Like all forms of malware, it
runs without the user's knowledge or permission, and it can interfere with other
programs that are trying to run on the same computer. Some viruses also carry a
payload, like a ticking time bomb. On a given date, or a certain time after the
computer is infected, the virus "triggers." The trigger can damage files, erase
drives, or attack other systems over the Internet.

Viruses have two major goals. First, they need to be run and installed on the
infected computer, and second, they need to spread to other computers. And they
need to meet both goals without alerting the owner of the computer.

There are a wide variety of ways for a virus to infect a system. Many early
viruses used the "boot sector" of a floppy disk as their infection point. If
the user powered on the computer with an infected floppy in the drive, the
computer would try to boot from the floppy. The virus would load itself into
memory and then show the usual "non-system disk" message, so it looked as if
the computer had merely tried to boot from a blank floppy. Once resident, the
virus met both goals at once: it stayed in memory after the real operating
system loaded, and it wrote a copy of itself into the boot sector of every
floppy that was inserted afterwards. Today, floppy disks are far less common,
and boot sector viruses have all but disappeared.

One of the most common infection routes today is by email attachment. Many
viruses today will even search the address book and send out emails without the
owner's knowledge.

Virus Hoaxes

"Warning!" the email screams. "There's a new virus going around, and Microsoft
says it's the worst one yet!" After this amazing bit of hype, the email
continues with "Once this virus infects your system, it will delete all the
files on your hard drive, reset your computer clock, and make your screen only
show green and black!"

Anyone who has made it this far is then asked to "forward this virus warning to
everyone you know!" and "delete any emails you get with the title 'Have a nice
day!'"

This email has all the signs of a virus hoax.

First, viruses are not magical or all-powerful. Yes, they can damage your data.
Viruses have been known to erase hard drives, delete documents, even forward
confidential documents to random email addresses. Damaging hardware is another
matter. The one well-known virus that managed it, CIH (or Chernobyl), did so by
overwriting the flashable BIOS chip on the motherboard, and even CIH's flash
routine only worked on some machines.

Second, viruses are identified by their programming, and not by the title of
the email they're attached to. Once word got out to delete every email with
that title, the virus programmer would just change the subject, and everyone
would have to send out another virus warning, for a whole new virus, that looks
exactly like the old one except for the subject line of the email.

Third, if Microsoft (or any other big-name company, for that matter) wanted to
get the word out about a new virus, they would post it on their website, and
not ask everyone to forward emails. Forwarded emails are very inefficient,
because some people only check their email once a week. By the time they got
the warning, the virus would have triggered and destroyed their computer!

The best advice about virus hoax warnings is "don't pass them along." The flood
of useless forwarded emails clogs mailboxes and mail servers, which is damage of
its own, and it trains people to ignore the real warnings.

The Nimda Virus

One of the most complex and dangerous viruses ever was the Nimda virus, in
September 2001. Nimda became the most widespread virus in the world a mere 22
minutes after it was released.

Nimda was as powerful as it was because it knew so many different ways of
infecting a system.

First, it spread itself through email, with a built-in SMTP routine. It would
search the infected hard drive for email addresses and send itself to them. It
used a bug in the way Internet Explorer (and therefore Outlook and Outlook
Express, which used IE to display mail) handled MIME attachments, so that a
system could be infected just by viewing or previewing the email.

Second, it checked for shared network drives. Any time it found a drive that it
could write itself to, it scattered copies of itself all across the drive. These
files were often the first sign that a system on the network was infected.

Third, it would attempt to infect web servers through several known bugs in
Microsoft's IIS web server, including a directory traversal flaw that let a
crafted URL run cmd.exe. Any server that wasn't completely up to date on
patches was in danger of infection.

Fourth, once a server was infected, it would infect the web sites on it. Nimda
appended a snippet to the pages the server hosted so that every visitor's
browser was offered a copy of the worm (a file named readme.eml); whether that
copy ran depended on the visitor's IE security settings. And, since it was
attacking from the server, it could find its way onto corporate intranet sites,
not just public Internet sites.

And finally, it would attempt to infect any systems that had previously been
attacked by either the Code Red II or the Sadmind/IIS worms. Both worms left
backdoors on the systems they infected (Code Red II, for example, left a copy
of cmd.exe named root.exe in web-accessible directories), and Nimda would try
to use them.

Nimda set records for virus tactics. It sent emails that infected on viewing,
and put copies of those emails on network drives in the hopes that someone
would open them and infect their system. It infected via website, and it even
infected servers. Nimda was an ingenious and vicious program that was difficult
to destroy.
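
To show what those web-server probes look like in practice, here is an added
example (not part of the original article) in Python: a small log scanner that
normalizes request paths the way a forgiving server would, undoing double
encoding and the overlong UTF-8 forms exploited by the IIS traversal bug, and
then flags traversal, cmd.exe requests, and requests for the root.exe backdoor.
The probe paths are the ones CERT published for Nimda; the log lines, hosts,
timestamps and the two normal requests are constructed for this example, and
the function names are this example's own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed web-server log lines for this example. The request paths are the
# probe strings CERT published for Nimda (traversal through /scripts and the
# root.exe / virtual-directory leftovers of Code Red II); the hosts, timestamps
# and the two normal requests are made up.
SAMPLE_LOG = """\
10.0.0.7 - - [18/Sep/2001:13:01:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:13:01:02 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:13:01:03 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:13:01:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:13:01:04 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:13:01:04 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.168.1.20 - - [18/Sep/2001:13:02:10 +0000] "GET /index.html HTTP/1.1" 200 1532
192.168.1.20 - - [18/Sep/2001:13:02:11 +0000] "GET /images/logo.gif HTTP/1.1" 200 8820
"""

# Common-log-format request line: client, method, path, status.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def lenient_decode(path: str) -> str:
    """Normalize a request path the way a forgiving server would.

    Percent-decode twice so double encoding (%255c -> %5c -> backslash) is
    undone, then translate the overlong two-byte UTF-8 forms that IIS accepted
    at the time (%c0%af -> '/', %c1%1c -> backslash), and finally treat every
    backslash as a forward slash.
    """
    raw = unquote_to_bytes(unquote_to_bytes(path))
    chars = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            # Overlong sequence: value is the low 5 bits of byte 1, then the low 6 bits of byte 2.
            chars.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            chars.append(chr(b))
            i += 1
    return "".join(chars).replace("\\", "/")


def probe_reasons(path: str) -> list:
    """Return why a request looks like a Nimda/Code Red II probe (empty if clean)."""
    norm = lenient_decode(path.split("?", 1)[0]).lower()
    reasons = []
    if "/../" in norm:
        reasons.append("traversal")             # tries to climb out of the web root
    if norm.endswith("/root.exe"):
        reasons.append("code-red-ii-backdoor")  # the cmd.exe copy Code Red II left behind
    elif norm.endswith("/cmd.exe"):
        reasons.append("cmd.exe-request")       # shell access via traversal or the /c, /d dirs
    return reasons


def scan(log_text: str) -> list:
    """Return (client, path, reasons) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        reasons = probe_reasons(path)
        if reasons:
            hits.append((client, path, reasons))
    return hits


if __name__ == "__main__":
    for client, path, reasons in scan(SAMPLE_LOG):
        print(f"{client}  {', '.join(reasons):30}  {path}")
```

The decoding step is the point: a rule that looks for the literal string
"cmd.exe" in the raw request misses `%63md.exe`, and a rule that looks for
`../` misses `..%c1%1c..`, so normalize first and match second. A 404 on these
requests means the server wasn't vulnerable; a 200 means the backdoor answered.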

The Michelangelo Virus -- Hype and Fizzle

The Michelangelo virus was the first real appearance of computer virus hype in
the media. Various "experts" made claims about how widespread the virus was and
how much damage it was going to do when it triggered.

Michelangelo first hit the news in late January, 1992. A customer noticed that
computers from Leading Edge were arriving with the virus pre-installed. The
next day, John McAfee was quoted as saying Michelangelo was the third most
common virus in the world.

Two weeks later, McAfee was quoted again, and this time he estimated that as
many as five million computers worldwide could be hurt by the virus. This was a
big, impressive number, and journalists ran with it. All through February,
readers were treated to an assortment of information that was either overblown
or just wrong. For example, several experts reported that the virus came from
bulletin board systems, which is not true--the virus was spread on infected
floppy disks.

One expert advised not shutting computers down on March 5th, the day before the
trigger day. The virus would only be triggered by actually booting the computer
on the 6th, he said. If the computer was never turned off, the virus wouldn't
have a chance to trigger.

In early March, Intel discovered it was sending the virus with one of their
programs. Several journalists took the words of McAfee and others, especially
the estimate of five million infected computers, and spun wilder and wilder
predictions of damage.

When March 6th arrived, the world held its breath, waiting for the reports of
mass destruction of computers...that never came. Instead of millions of
computers, estimates made afterwards put the number hit at somewhere between a
few thousand and twenty thousand worldwide. AT&T, with 250,000 computers, said
the virus affected two systems.

Critics pointed out that the people making the huge claims stood to
profit--because they were also selling anti-virus programs.

The CIH Virus

On April 26, 1999, systems around the world began dying. Something was both
wiping the start of their hard drives and corrupting their BIOS chips.
Investigation pointed to the CIH virus, which had been circulating since
mid-1998 and was nicknamed Chernobyl because its trigger date fell on the
anniversary of the Chernobyl reactor explosion.

CIH had found its way into shrink-wrapped products before it ever triggered. In
March 1999, IBM shipped a batch of Aptiva PCs with the virus pre-installed, and
some copies of Activision's game SiN were distributed infected as well.

CIH infected Windows 95/98 program files. Instead of making a file bigger, it
split itself into pieces and tucked them into unused gaps inside the file, so
the file size did not change and a simple size check would not notice it. For
this trick, CIH was also known as the Spacefiller virus.

When the virus triggered, the first thing it did was overwrite the first
megabyte of the hard drive with zeroes. That area of the drive is critical,
because it holds the master boot record and partition table, and usually the
start of the file system as well; without them the operating system cannot find
its own files, even though most of the data further along the disk is untouched.

Once the hard drive was hit, the virus would then turn to the BIOS chip.

BIOS stands for Basic Input Output System. The BIOS chip is the ROM, or Read
Only Memory, of the computer. Without the BIOS, the computer would forget how
to "talk" to the other hardware in the computer, like the keyboard and hard
drives.

Normally, the BIOS is read-only. But by 1999, motherboard makers had switched
to chips that could be "flashed," or reprogrammed from software, so that BIOS
updates could be shipped as files. The CIH virus used the same write path to
overwrite the BIOS with garbage.

In effect, the virus would try to kill the computer, first by making the hard
drive unreadable, and then by making sure the system wouldn't boot without a
new BIOS chip. Fortunately, the flash routine only worked on certain
combinations of chipset and flash chip, so most machines escaped with disk
damage alone.

CIH was still damaging computers in Asia a year after it first triggered, and
several viruses have been released that try to infect systems with newer
versions of CIH.
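
Added example, not from the original article: the Python script below builds a
made-up master boot record, parses it, then zeroes the first megabyte the way
the text describes and parses again, to show exactly what the wipe destroys
(the partition table and the boot signature) and what it leaves alone
(everything past the first megabyte). The offsets and the 0x55AA signature are
the standard MBR layout; the sample partition, its sizes and the function names
are constructed for this example.

```python
import struct

SECTOR = 512
PART_TABLE = 446            # four 16-byte partition entries live here
BOOT_SIG = b"\x55\xaa"      # last two bytes of a valid MBR
TYPE_NAMES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x83: "Linux"}


def constructed_mbr() -> bytes:
    """A small made-up master boot record: boot code stub, one bootable FAT32
    partition starting at sector 63, and the 0x55AA signature."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\x3c\x90"  # typical jump at the start of BIOS boot code
    entry = struct.pack("<B3sB3sII",
                        0x80,              # status: bootable
                        b"\x01\x01\x00",   # CHS start (irrelevant here)
                        0x0B,              # partition type: FAT32
                        b"\xfe\xff\xff",   # CHS end
                        63,                # LBA of first sector
                        2_000_000)         # sector count (about 1 GB)
    mbr[PART_TABLE:PART_TABLE + 16] = entry
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_mbr(sector: bytes) -> dict:
    """Validate the signature and list the partition entries of sector 0."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        return {"valid": False, "reason": "boot signature 0x55AA missing", "partitions": []}
    parts = []
    for i in range(4):
        off = PART_TABLE + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({"slot": i, "bootable": status == 0x80,
                      "type": TYPE_NAMES.get(ptype, f"0x{ptype:02x}"),
                      "first_lba": lba, "sectors": count})
    return {"valid": True, "partitions": parts}


def zero_first_megabyte(disk: bytes) -> bytes:
    """The first stage of the trigger as the text describes it: the leading
    1 MB becomes zeros; everything past that point is untouched."""
    n = min(len(disk), 1024 * 1024)
    return b"\x00" * n + disk[n:]


if __name__ == "__main__":
    # Pretend disk: sector 0, a megabyte of filler, then one sector of file data.
    disk = constructed_mbr() + b"\x00" * (1024 * 1024 - SECTOR) + b"\xa5" * SECTOR
    print("before:", parse_mbr(disk[:SECTOR]))
    wiped = zero_first_megabyte(disk)
    print("after: ", parse_mbr(wiped[:SECTOR]))
    print("data past the wipe survives:", wiped[-SECTOR:] == disk[-SECTOR:])
```

Because the wipe stops at one megabyte, the file data survives, which is why
recovery tools that scan a disk for surviving boot sectors and rebuild the
partition table could often bring these machines back once the BIOS had been
replaced or reflashed.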

Spyware Overview

Imagine a program that watches your computer.

It sits in memory, watching everything the computer does--the websites it
displays, the passwords used to get into them, the advertisements that get
clicked on. This program silently and secretly gathers all of this information,
without the user's knowledge. Then, at some point, it connects to a server
somewhere on the Internet, and hands over this collection--again, without
letting the owner of the computer know what it's done.

Scary thought?

Surveys at the time claimed that somewhere between six and nine out of ten home
computers on the Internet carried this kind of malware. Whatever the true
number, the pattern is the same: like a virus, most spyware runs without the
user's consent or knowledge.

There is an entire industry devoted to gathering demographics information
through the use of spyware, and there is another industry that's grown to
combat spyware.

Spyware is meant to capture "demographics." This is meant to help advertisers
better target their ads. For example, if a piece of spyware reports that the
user recently visited websites for car dealerships, then the spyware server
would then send ads for cars to the computer.

Many people, however, regard this as an invasion of privacy. Spyware companies
claim to only gather "generic" information, like web site addresses and zip
codes, but it's still very easy to gather critical information. Anything
entered into a web form can end up in the spyware collection--such things as
phone numbers, email addresses, credit card numbers, and even social security
numbers can all find their way into a spyware database.

In the end, it comes down to personal preference. Some popular programs have
spyware attached, and will quit working if the spyware is uninstalled--so the
user has to decide whether that program is worth it.

Provided, of course, the user even knows that the spyware is running on his
system.

Robert Tappan Morris and the Internet Worm

Robert Tappan Morris claims he only wanted to measure the size of the Internet,
but he didn't count on the speed and power of his program.

He wrote a worm, a program that spreads to other computers on its own. He made
the program smart: before it infected a new system, it would check whether a
copy was already running there.

Unfortunately, at the same time, he made it stupid. If the check were always
honored, anyone could protect a machine simply by making it always answer "yes"
when the worm asked. So Morris programmed it to install another copy anyway
about one time in seven (fourteen percent of the time).

The main part of the program attacked known Unix weaknesses: a buffer overflow
in the finger daemon, a debugging command left enabled in sendmail, and weak
passwords combined with the trust relationships (rsh and rexec) that let a user
on one machine log into another without a password.

On November 2, 1988, Morris released his creation from a computer at MIT (to
hide the fact that the worm was created at Cornell). Within hours, the
Internet had slowed to a crawl.

Morris hadn't counted on the speed of the program. Fourteen percent is a small
number in human terms, but machines on a busy network were being probed
thousands of times, and one reinfection in seven added up to dozens of copies
on a single host. Infected computers were spending every available cycle
hunting for more computers to infect and running their duplicate copies. Some
estimates say that the worm hit about six thousand computers, roughly a tenth
of the Internet at the time, and the government claimed damages of at least ten
million dollars.

The Internet Worm was quite probably the first worm to spread across the
Internet, and the first one noticed by the mainstream. It forced many computer
experts to rethink computer security and the nature of the Internet, and we're
still learning the same lessons today.

Robert Tappan Morris was sentenced to probation and a fine, and today he is an
associate professor at MIT, the college he released the Internet Worm from.

Macro Viruses and the Melissa virus

Microsoft thought it was doing its customers a favor by adding a programming
language to Microsoft Word. In terms of customer service, it was a great idea,
because it would allow users to automate and program within their documents.
For example, when a document opened, it could be programmed to ask the user for
details that must be entered into each document, like insurance policy numbers
or phone numbers.

Microsoft didn't count on this programming language ever being used to turn
Word documents into virus infectors, but that's exactly what happened.

The first macro virus was called the Concept virus. It was written in 1995
simply to show that it was possible to write a virus in Word's macro language.
Once that was proven, the idea took off, and within a few years macro viruses
were the most common kind of virus reported in the wild.

Word keeps a global template, Normal.dot, whose macros run automatically for
every document. A macro virus copies itself into that template, so that once
the system is infected, every document opened or saved afterwards picks up the
virus macros too. Every Word document this computer touches carries a copy of
the virus, and will infect any other system that opens it with macros enabled.

Possibly the most famous macro virus to date was Melissa. Virus writer David L.
Smith reportedly named it after a lap dancer he knew, and released it on
Friday, March 26, 1999. The virus arrived as an email with the subject
"Important Message From" followed by the sender's name, and an attached
document, "List.doc," which claimed to hold passwords to eighty adult websites.
Anyone who opened the document got a free copy of the Melissa macro virus.

Melissa would then use Outlook to gather up the first fifty entries in the
address book and email itself to all of them. It spread so fast that on the
same day it was released, the flood of infected messages was shutting down
corporate mail servers across the 'net.
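
Here is an added example (not part of the original article) of the check an
administrator of the day would have wanted: a Python triage script that looks
for the traces a VBA project leaves in a document. For legacy compound files
(.doc, .dot, and Normal.dot itself) it searches the raw bytes for the storage
names a VBA project creates; for the newer zip-based formats it checks for a
vbaProject.bin part. The sample files are constructed inside the script, and the
function names are this example's own. Treat the byte search as a heuristic: a
real tool such as olevba parses the OLE directory properly.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # header of every .doc/.dot/.xls compound file
# Storage and stream names a VBA project leaves behind in a compound file.
# The OLE directory stores names as UTF-16LE, so that is what we search for.
VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]


def macro_indicator(data: bytes):
    """Return a short reason if the document carries VBA macros, else None."""
    if data.startswith(OLE_MAGIC):
        found = [m.decode("utf-16-le") for m in VBA_MARKERS if m in data]
        return "ole:" + ",".join(found) if found else None
    if data.startswith(b"PK\x03\x04"):
        # Office 2007+ container: a .docm/.xlsm keeps its macros in vbaProject.bin.
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            parts = [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
        return "ooxml:" + ",".join(parts) if parts else None
    return None   # not an Office file we know how to look at


def constructed_samples() -> dict:
    """Four made-up files, two clean and two with macro remnants, for testing."""
    def ole(*names):
        body = b"".join(n.encode("utf-16-le") + b"\x00" * 32 for n in names)
        return OLE_MAGIC + b"\x00" * 504 + body
    def ooxml(*parts):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for p in parts:
                z.writestr(p, b"")
        return buf.getvalue()
    return {
        "letter.doc": ole("WordDocument", "1Table"),
        "normal.dot": ole("WordDocument", "Macros", "_VBA_PROJECT"),   # infected template
        "memo.docx":  ooxml("[Content_Types].xml", "word/document.xml"),
        "memo.docm":  ooxml("[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"),
    }


def triage(files: dict) -> dict:
    """Map file name -> indicator for every file in the batch."""
    return {name: macro_indicator(blob) for name, blob in files.items()}


if __name__ == "__main__":
    for name, verdict in triage(constructed_samples()).items():
        print(f"{name:12} {verdict or 'no macros found'}")
```

Run over a user's template directory, the interesting hit is Normal.dot: a
macro project in the global template is exactly the foothold the text
describes, and cleaning the documents without cleaning the template just
reinfects them on the next save.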

Adware Overview

Adware is advertising delivered directly to your computer. Generally, a program
puts ads on the screen at some regular interval. In some cases, this program can
be installed without the user's knowledge, but not always. Many programs clearly
state on install that "this program is supported by advertising, and if you turn
off the advertising, you also shut down the program."

Adware tends to be a "grey area" in the malware family. Yes, it can run without
the user's knowledge, and yes, it can bog down the system (especially when the
adware program goes online to retrieve new ads to display). At the same time,
adware is generally more open about what it does, giving the user the choice to
install the program the adware is attached to.

Adware is most often tied into Internet Explorer somehow. The ads that appear
are browser windows.

When it's installed above-board, adware is generally accepted by the Internet
community as a valid marketing system, even though it can include elements of
spyware (i.e., it tracks information, and uses that information to deliver
targeted ads to the user). If one user of a system installs adware, and another
user of the same system is then tracked, the program crosses the line from
adware to spyware, because the second user is being tracked without their
consent.

Some other forms of adware have used sneaky programming tricks to hide or cover
website advertising. For example, an adware program can read an incoming web
page, learn the location of a banner ad on that page, and then put an ad of its
own in the exact same spot, hiding the legitimate ad. This deceptive use of
adware is often called "stealware" because it steals the advertising space from
the original website.

Legitimate Adware

There are plenty of reasons why malware is "bad." Are there any times when
malware is valid and legal?

Many shareware programs today come bundled with adware. The premise is this: If
you try out the program, and enjoy it, you'll buy it. Until you pay for it, the
programmer is paid through the advertising that the shareware program displays.
If the user somehow kills or removes the advertising, then he is also obligated
to remove the program that was supported by the ads.

In some cases, the ads are displayed in the actual program, like in a small
window or corner of the program's screen. In most cases, though, the ads are
displayed by a totally separate program included in the same installer program.

If the adware is legitimate, then it has to be explicitly disclosed during the
install, and the user has to have the option of not installing it. This is
where adware earned its poor reputation. Many adware programs simply install
alongside the ad-supported program, without ever informing the user. The user
is then surprised by the constant barrage of pop-up ads on his computer when he
isn't even visiting websites, and by the collection of strange programs on the
hard drive that he doesn't remember installing.

The key factor in whether or not malware is "legitimate:" If the user has no
problem giving demographics information for a program he enjoys using, then the
spyware that comes with that program is legal and accepted. However, if another
user then sits at the same computer--one who doesn't know the spyware is
there--then it's no longer a legitimate program. The person being spied upon by
the spyware, or forced to view the pop-ups delivered by the adware, has to
understand and accept what the program is going to do.

Home Page Hijacking and Browser Helper Objects

Internet Explorer gives websites a few small hooks into the browser: a page can
offer to add itself to the list of favorites (the "Bookmark This Site! Just
Click Here!" button), or offer to make itself the home page. Any program that
gets to run on the machine can go further and simply write a new home page
straight into the settings IE keeps in the registry.

If those hooks were only ever used the way they were intended, there wouldn't
be any malware concerns over them. Unscrupulous programmers have taken
advantage of them to create Home Page Hijackers.

In a nutshell, a Home Page Hijacker is a program that reaches into your browser
and changes your homepage: without your permission. You might think, "That's
easy enough to fix, just change my homepage back and everything is fine."

Unfortunately, the Hijacker won't let you get away with that, thanks to a BHO,
or Browser Helper Object.

A BHO is a chunk of code (a DLL, registered in the Windows registry) that
Internet Explorer loads every time it starts, with the same rights as the
browser itself. It's meant as a quick and easy way to extend the browser, but
when malware programmers get their hands on it, it becomes something a lot more
sinister.

A Homepage Hijacker will both change the homepage and bookmarks and install a
BHO. The "helpful" BHO has been programmed to make sure the homepage hijacker
sticks around.

What this means is, every time the computer is rebooted, and/or every time the
browser is started, the BHO kicks in for just a second. It "restores" the
bookmarks and the homepage setting to the hijacker's values.

Homepage Hijackers, with their associated BHO modules, have been known to
change the homepage, remove entries from bookmarks, add anywhere from one to
hundreds of bookmarks, and even change the default search settings. This way,
when a user misspells a web site address, instead of seeing the usual IE "I
can't find that" page, he sees an ad-covered search page.

At their worst, homepage hijackers force the user to go through their web sites
and search engines to get to any site on the 'net.

Firewalls and Proxies

In building construction, a firewall is a structure designed to contain
building fires. For example, an attic crawlspace that covers the entire length
of the building would allow a fire to roar from one end of the building to the
other. Breaking up the crawlspace with non-flammable walls helps to slow the
spread of a fire.

Network firewalls have a similar function. A firewall is a network security
control, either a program on a computer or a dedicated device, that sits
between parts of a network and passes only the traffic its rules allow,
containing worms and intruders the way a building firewall contains fire.

Imagine two large fish tanks side by side, separated by a wall. We want to
allow the blue fish to mingle, but we need to keep the carnivorous fish on the
left away from the baby fish on the right. If we opened a computer-controlled
door in the wall, programmed to only allow blue fish to pass but no one else,
that would be a fishtank firewall.

Network firewalls "segment" the network. Local traffic -- the information that
moves between the computers in that segment -- doesn't go through the firewall
to the larger network outside. And information that doesn't need to reach
anyone inside the firewall is blocked out, just like the carnivorous fish in
our example.

A proxy is another network security tool. A proxy server fetches Internet
content on behalf of the computers inside the network. Normally, when a
computer wants a website, it looks up the site's IP address with DNS and
connects to that address directly. With a proxy in place, the firewall is
configured so that no computer inside can connect to the Internet directly;
they can only talk to the proxy, and the proxy is the "official" way out.

A proxy server can then enforce a list of "authorized" (or blocked) websites.
When the user's computer asks the proxy for a page, the proxy checks the site
against its list, and if the site is approved, it fetches the page and passes
it back. If the site is not approved, the proxy answers with a message saying
"you are not authorized to visit this website." Because every request goes
through one place, the proxy can also log who went where, and scan what comes
back for malware.
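
Added example (not the article's code): the proxy's "is this site on the
list?" decision in Python, done the wrong way and the right way. The allowlist,
the test URLs and the function names are constructed for this example. The
naive version asks whether an allowed name appears anywhere in the URL, and
every one of the trick URLs gets past it; the strict version parses the URL and
compares the real host name exactly.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only sites the proxy may fetch.
ALLOWED_HOSTS = {"www.example.com", "intranet.example.com", "updates.example.org"}


def naive_allowed(url: str) -> bool:
    """The tempting one-liner: is an allowed name anywhere in the URL string?"""
    return any(host in url.lower() for host in ALLOWED_HOSTS)


def proxy_allowed(url: str) -> bool:
    """Allow only if the URL's actual host, after parsing, is exactly on the list."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                       # no ftp://, file://, etc. through this path
    host = parts.hostname                  # lowercased; user:pass@ and :port already stripped
    if not host:
        return False
    host = host.rstrip(".")                # "example.com." is the same name as "example.com"
    try:
        ipaddress.ip_address(host)
        return False                       # raw IP literals never match a name allowlist
    except ValueError:
        pass
    return host in ALLOWED_HOSTS


# Constructed requests: the first two are honest, the rest are ways to trick a substring check.
ATTEMPTS = [
    "http://www.example.com/index.html",
    "https://WWW.EXAMPLE.COM./news",
    "http://www.example.com.evil.invalid/",          # allowed name as a subdomain of the attacker
    "http://evil.invalid/?ref=www.example.com",      # allowed name in the query string
    "http://www.example.com@evil.invalid/",          # allowed name as the userinfo part
    "http://evil.invalid/www.example.com/",          # allowed name in the path
    "ftp://www.example.com/",                        # right host, wrong scheme
    "http://192.0.2.10/",                            # IP literal dodges the name list entirely
]


def compare(urls=ATTEMPTS) -> list:
    """Return (url, naive verdict, parsed verdict) for each request."""
    return [(u, naive_allowed(u), proxy_allowed(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in compare():
        print(f"naive={str(naive):5} strict={str(strict):5}  {url}")
```

If subdomains of an allowed site should also pass, compare
`host == allowed or host.endswith("." + allowed)`, never a plain substring
test; and remember that once the proxy has allowed a host, it is fetching
whatever that host serves, so the list is only as good as the sites on it.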

Drive-By Downloads

You're surfing the Web, enjoying a quiet afternoon, when a window pops up on
the screen. "New Windows Antivirus Update Available," it says. "Would you like
to update your system?" You get "Yes" and "Cancel" buttons at the bottom.

It looks like a real, honest-to-goodness Windows message, right down to the
logo in the corner. Should you click Yes, or Cancel?

The correct answer is "Neither."

This kind of pop-up is the social-engineering cousin of what programmers call a
Drive-By Download. Strictly speaking, a drive-by download needs no click at
all: a website you visited runs code as soon as the page loads, and if your
browser or one of its plug-ins has an unpatched flaw, the download happens by
itself. When the flaw isn't there, the fake dialog does the job instead: it is
trying to get you to install something, and if you click "Yes," you really have
no idea what you're agreeing to. Your computer may now be set to make long
distance phone calls, or assist in a Denial of Service attack, or just flash
adult advertisements at you every thirty seconds.

Many malware programmers design their systems to look just like system messages
and windows. Just because an email or a pop-up says it comes from Microsoft, or
your bank, for that matter, doesn't make it true.

We don't want any of that, so we should hit "Cancel," right?

Nope.

It may look like a standard Windows message, but it's really not. It's just an
image of those buttons. Clicking either button -- in fact, clicking anywhere in
the image -- is the same as clicking "Yes" and giving the mystery program
blanket permission to do whatever it's going to do.

The correct answer is to close the window without clicking on anything inside
it: use the close button on the window frame, the keyboard (Alt+F4 closes the
active window), or the Task Manager if the window refuses to go. Be aware that
a fake dialog can draw a fake "X" inside the image too, so make sure the close
button you use belongs to the window frame and not to the page content. Closing
the window this way is one of the best ways of keeping malware off of your
system.

When in doubt, don't click. This advice works for ads, email attachments, and
mystery files, and is a really good habit to get into.

Denial of Service Attack

Imagine a group of junior high school kids who decide to play a prank on their
least favorite teacher. They agree that they will all call the teacher's phone,
as quickly as they can dial, non-stop, until he unplugs the phone in frustration.

When this happens using the Internet rather than telephones, it's called a
Denial of Service attack. Such attacks are designed to either keep the target
system so busy handling the attack that it can't get anything else done, or to
overwhelm it into shutting down completely.

Why should anyone but a system administrator worry about denial of service
attacks? Users need to be aware of something called a BotNet.

The MyDoom virus was one of the first mass-mailing viruses to attempt two
levels of attack. First, the virus would try to spread. On infection, though,
it would plant a second program in the system. On MyDoom's trigger date
(February 1st, 2004), every infected system would launch a denial of service
attack against MyDoom's real target, the website of the SCO Group.

The virus was building a collection of computers that would all launch attacks
on the same day. Such a collection is a botnet. MyDoom didn't invent the idea
(dedicated DDoS networks had been built since 1999), but it put one on a huge
number of ordinary home computers, and in the years since, dozens of programs
have expanded on the approach.

A well-known example of the tooling is Stacheldraht (German for "barbed wire"),
analyzed in 1999. Stacheldraht has three tiers: the attacker's client talks to
a small number of "handler" computers, and each handler can control up to a
thousand "agent" (or "zombie") computers around the world. The hacker with the
Stacheldraht client says "attack this server," the handlers pass the word
along, and thousands of systems instantly change from peaceful home computers
into remote-controlled attackers.

Sure, it sounds like a line from a bad horror movie, but it's true. Users need
to keep their systems from becoming somebody's zombies.
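
Added example (not part of the original article): Python detection logic that
buckets requests by second and tells a single-source flood (the prank-call
case) from a distributed one (the botnet case). The events are constructed
inline: three normal visitors, one host hammering the server in second 3, and
150 "zombies" each sending two requests in second 6. The rate and source-count
thresholds, and the function names, are assumptions for this toy server.

```python
from collections import Counter, defaultdict

RATE_LIMIT = 100            # requests/second this small server can absorb (assumed)
MANY_SOURCES = 20           # above this many clients in a second, per-IP blocking is futile (assumed)


def constructed_events() -> list:
    """(second, client_ip) pairs: quiet traffic, then one prankster, then a botnet."""
    events = []
    for sec in range(10):                                  # three regular visitors, 1 req/s each
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            events.append((sec, ip))
    events += [(3, "198.51.100.7")] * 250                  # second 3: one host dials non-stop
    for i in range(1, 151):                                # second 6: 150 zombies, 2 requests each
        events += [(6, f"203.0.113.{i}")] * 2
    return events


def classify_seconds(events) -> list:
    """Per second: total requests, distinct clients, busiest client, verdict."""
    per_second = defaultdict(Counter)
    for sec, ip in events:
        per_second[sec][ip] += 1
    report = []
    for sec in sorted(per_second):
        counts = per_second[sec]
        total, distinct = sum(counts.values()), len(counts)
        top_ip, top_n = counts.most_common(1)[0]
        if total <= RATE_LIMIT:
            verdict = "normal"
        elif distinct < MANY_SOURCES:
            verdict = "single-source-flood"    # block or rate-limit top_ip and the problem ends
        else:
            verdict = "distributed-flood"      # each zombie looks harmless; mitigate upstream
        report.append({"second": sec, "total": total, "distinct": distinct,
                       "top": (top_ip, top_n), "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in classify_seconds(constructed_events()):
        print(f"t={row['second']:2}  req={row['total']:4}  clients={row['distinct']:4}  "
              f"busiest={row['top'][0]}x{row['top'][1]}  {row['verdict']}")
```

The distinction matters for the response: one noisy source can be blocked or
rate-limited at the firewall, while a distributed flood has to be absorbed or
filtered upstream, because no single zombie sends enough to look abnormal on
its own.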

Backdoor Programs

It's the ultimate nightmare for a computer user -- the idea that someone
outside the computer can take over. The official "technical" term is Remote
Administration, but hackers are more likely to use the word Backdoor.

With Windows XP, remote administration comes built in. Windows XP has an
option called Remote Assistance, where a helper you invite can "remote in" and
take over your computer. The remote helper has as much control over your system
as if he was sitting there at the keyboard.

The hackers predate Microsoft by several years.

NetBus, for example, was written in 1998 by Carl-Fredrik Neikter, and many of
the backdoor programs since then have followed a similar design.

The program comes in two parts, the Client and the Server. The Server is the
part that has to be installed on the machine to be hacked (it listened on TCP
port 12345 by default), and the Client is the controlling system. Once the
Server program has been installed, the Client has almost total control, from
dangerous things like recording keystrokes or launching programs to annoying
things like opening the CD tray. NetBus 2.0 Pro was even marketed commercially
as a remote administration program.

Some other backdoor programs are Back Orifice (released by the Cult of the Dead
Cow in 1998 and named as a pun on Microsoft's BackOffice product), SubSeven,
and Poison Ivy.

Any backdoor program allows an outsider full, unrestricted access to the hacked
computer. The hacker can copy information off of the computer, activate webcams,
even remotely shut down or crash the computer. Netbus and SubSeven are very
popular among "script kiddies."

In one major case in 1999, a law professor was fired and charged because system
administrators found child pornography on his system. He was acquitted -- almost
five years later -- when the court was shown that Netbus was used to copy the
images onto the computer.

Most of these older backdoor programs are easily stopped by antivirus software
and by a firewall that blocks unsolicited inbound connections. Newer ones such
as Poison Ivy turn the connection around: the infected machine connects out to
the attacker, which an inbound-only firewall rule will never see, so outbound
filtering and watching for unexpected listening ports or connections matter
too.

Virus History -- 2001 to Present

After the flurry of viruses that haunted 2001, 2002 was amazingly quiet.
Unfortunately, 2003 took off again.

January saw the SQL Slammer worm infect over 75,000 systems in about ten
minutes. It attacked a flaw in Microsoft's SQL Server, and basically slowed
down the entire Internet.

The Blaster worm attacked in August. It exploited a flaw in the Windows RPC
service, and it was meant to cause a Denial of Service attack against the
Windows Update website, by having all infected systems flood the site starting
August 15th. The author of one variant (Blaster.B) was convicted after
investigators found his online handle in the worm's code; the author of the
original was never identified.

Only a few days later, SoBig attacked. This was another emailing virus. After
infection, it searched the files on the hard drive for email addresses and sent
itself to any it found.

October saw the release of the Sober emailing virus. Sober was notable in that
it would shut off antivirus programs after infection.

The fastest-spreading virus to date was MyDoom, which struck in January 2004.
At one point, MyDoom was responsible for 1 out of every 10 emails on the
Internet.

2004 also saw the Witty, Sasser, and Santy virus outbreaks, and in 2005, Zotob
and Samy.

In 2006, the first Mac OS X virus was announced, as well as another MySpace
attack, "LordoftheNoose." This program changed the names of MySpace profiles,
and locked out users to keep the names it set. At one point, as many as 70% of
all MySpace profiles were reported infected.

So far in 2007, another MySpace virus has erupted, and the Peacomm virus
(better known as the Storm worm) attacked. Peacomm arrived as an email whose
attachment claimed to be a video clip.

Historically, most viruses have used very similar attack routes. Either they
carried an attachment which the user had to open, or they took advantage of a
known flaw in the system which had not yet been fixed. The moral of the story
is this: Keep your updates current, and be wary of unusual attachments.

History of Computer Viruses, 1989 through 1999

Robert Morris's Internet Worm of 1988 was the biggest news in virus history for
several years. Until 1992, most virus news was much quieter.

In 1989, for example, Ghostball was released. This was the first virus able to
attack different kinds of targets. Before Ghostball, viruses were classified by
their attack, like "file infector" or "boot sector virus." Ghostball was the
first Multipartite virus, because it could follow several attack patterns.

In 1990, a programmer named Mark Washburn demonstrated a polymorphic virus
called 1260. This virus could actually change the structure of its own code,
meaning every time it infected a new system, it looked different while doing
the same thing. In effect, this kind of virus "hides" from anti-virus software
by wearing disguises.

Michelangelo was the first virus to achieve stardom. It was discovered in 1991,
and was predicted to cause incredible amounts of damage when it reached its
trigger date, March 6th, 1992 (March 6th is Michelangelo's birthday). If an
infected system is booted on March 6th, the virus will erase the hard drive.
Despite doomsday warnings made by the press and the antivirus industry of "at
least five million infected systems at risk," only about 10,000-20,000
computers worldwide were hit by the virus.

The Concept virus was discovered in 1995. Concept is short for "Proof of
Concept," and it was designed to show how viruses could be written in the macro
language programmed into Microsoft Word. By 2004, roughly 75% of all viruses
were macro viruses.

The CIH virus, later renamed "Chernobyl," appeared in 1998. This was a very
damaging virus that was not only programmed to erase hard drives but also tried
to erase BIOS chips. For the first time in history, a virus had managed to
actually damage the hardware it was running on. Fortunately, CIH wasn't very
good at it, and only damaged a handful of systems.

History of Viruses, 1999 through 2001

The Melissa virus was the big story of 1999. Named after a lap dancer, Melissa
was the first major emailing virus. Upon infection, it used Microsoft Outlook
to send copies of itself to the first fifty names in the address book. March,
1999, saw it spread across the Internet, clogging up email servers everywhere
it went.

1999 was a busy year, with the ExploreZip virus appearing in Jerusalem in June.
This one had a fake Zip file attached called "Zipped_Files.EXE." If the user
double-clicked the file, it would put up a fake window saying "sorry, this zip
file is corrupt." It would then go on to email everyone in the address book,
and follow that by destroying documents and files on the hard drive.

The LoveLetter, or "I Love You," virus hit in May of 2000. It was another
emailing virus, this time using VBScript. The user would receive an email with
an attachment usually called "love-letter-for-you.txt.vbs". Notice the dual
extension at the end. Many Windows systems will not display the extension, so
the ".vbs" would disappear. The user, thinking he's looking at a .TXT file,
feels free to open it, and thereby infects his system. The LoveLetter virus is
widely known as the most expensive virus attack in history, with expert
estimates upwards of ten billion dollars worth of damage.
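The double-extension trick described above can be caught mechanically. The following is an added example, not code from the original article: it reconstructs the name a user would see with the final extension hidden and flags attachments whose real extension is executable while the visible name looks like a harmless document. The extension lists are constructed for this example and are not exhaustive.

```python
import os

# Extensions Windows launches as programs or scripts (constructed, partial list).
EXECUTABLE_EXTENSIONS = {".exe", ".vbs", ".js", ".scr", ".bat", ".cmd", ".pif", ".com"}
# Extensions a user would expect to be harmless content (constructed, partial list).
DOCUMENT_EXTENSIONS = {".txt", ".doc", ".jpg", ".pdf", ".zip"}


def displayed_name(filename: str) -> str:
    """Name as shown when the final extension is hidden by the file browser.
    'love-letter-for-you.txt.vbs' is displayed as 'love-letter-for-you.txt'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename: str) -> str:
    """Return 'deceptive', 'executable' or 'ok' for an attachment name.

    'deceptive'  - real extension is executable, but the visible name ends in a
                   document-like extension (the LoveLetter pattern).
    'executable' - real extension is executable with no disguise.
    'ok'         - real extension is not one we launch as a program.
    """
    name = filename.lower()
    stem, real_ext = os.path.splitext(name)
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return "ok"
    _, shown_ext = os.path.splitext(stem)
    if shown_ext in DOCUMENT_EXTENSIONS:
        return "deceptive"
    return "executable"


def flag_attachments(names):
    """Return the names that should be held back for review, with their reason."""
    return [(n, classify_attachment(n)) for n in names
            if classify_attachment(n) != "ok"]


if __name__ == "__main__":
    # Constructed sample attachment names, including the ones named in this article.
    samples = ["love-letter-for-you.txt.vbs", "Zipped_Files.EXE",
               "report.txt", "notes.vbs.txt", "photo.jpg.scr"]
    for name, reason in flag_attachments(samples):
        print(f"{name!r} shown as {displayed_name(name)!r}: {reason}")
```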

2001 was the banner year for viruses. Sadmind in May, Sircam and Code Red in
July, Code Red II in August, Nimda in September, and Klez in October. Sircam
randomly selected files from an infected machine and sent them out in emails.
Nimda attacked through five different methods, including security holes opened
by Sadmind and Code Red II.

Through all of these virus attacks, many computer experts pointed to Microsoft
as the problem--because most of these viruses were attacking security flaws in
Microsoft programs, especially Internet Explorer and Outlook.

History of Computer Viruses to 1989

Science fiction writer David Gerrold wrote "When H.A.R.L.I.E. Was One" and
published it in 1972. In it, a computer program called "VIRUS" spreads from
computer to computer, before it is finally killed by another program,
appropriately called "VACCINE." Just like communication satellites, moon
landings, and waterbeds, science fiction predicted the future.

The first program to actually spread from one computer to another appeared
around the same time. The Creeper virus infected a system across the Arpanet,
the network of computers that eventually became the Internet we know today.
Interestingly enough, the Reaper program designed to kill the Creeper virus was
also a virus.

The first wide-scale virus infection was Elk Cloner on the Apple II computer
system in 1981. Since the Apple II kept its operating system on floppy disk,
it was very easy to infect the system, and a surprisingly large number of
viruses were written for Apple computers.

Five years later, the first PC viruses began to appear, starting with The
Pakistani Brain. It was written by a pair of brothers in Pakistan.

1987 saw the first boot-sector viruses, such as Yale, Ping Pong, and Stoned.
Boot sector viruses infect a computer when it is started with an infected disk
left in the drive. The Jerusalem virus also appeared that same year, and was
one of the first viruses to have a destructive payload -- if the virus was
running on Friday the 13th, it would ruin all executable files on the computer.

Robert Tappan Morris made computer history in 1988. His computer worm was one
of the first to exploit "Buffer Overrun" errors, and spread rapidly across the
network. It would run multiple times on infected systems, eventually crowding
out anything else on that system. The worm brought the Internet to its knees
until it was found and removed.
