All the course material is here:
https://docs.google.com/document/d/1u4WGgKQcRj1GZ1tk9D34hiDKcBLum9A2VZ2uAEmst24/edit?usp=sharing
Snap Shots
Monday, November 28, 2016
Tuesday, July 14, 2015
Monday, November 2, 2009
Tuesday, October 27, 2009
All Things Web
Blogging - Blogger / My Blog /Wordpress / The whole list
Social networking - Facebook / Myspace / Twitter (micro-blogging & social networking combined) / The whole list
Hosting personal content -
Video - YouTube / Video.ca / The whole list
Pictures - Flickr / (Facebook) The whole list
Wikis - Wikipedia / Wikitravel / Wikihow / Wikimapia / The whole list
Alternative Communication (VoIP)
Skype / Google Talk / The whole list
Online shopping - eBay / Kijiji / Craigslist / Amazon (eBay interview)
Online applications - Picnik / Google Docs / Zoho /
Virtual worlds - Second Life
Augmented reality (AR) - Layar / Star Walk (iPad) / Car Finder / Theodolite
(great article )
Mobile applications - Google Maps / Foursquare / Shazam / Yelp (AR)
Others - Jinni /Xtranormal / Stack (digg labs) / Music Plasma /
Social networking - Facebook / Myspace / Twitter (micro-blogging & social networking combined) / The whole list
Hosting personal content -
Video - YouTube / Video.ca / The whole list
Pictures - Flickr / (Facebook) The whole list
Wikis - Wikipedia / Wikitravel / Wikihow / Wikimapia / The whole list
Alternative Communication (VoIP)
Skype / Google Talk / The whole list
Online shopping - eBay / Kijiji / Craigslist / Amazon (eBay interview)
Online applications - Picnik / Google Docs / Zoho /
Virtual worlds - Second Life
Augmented reality (AR) - Layar / Star Walk (iPad) / Car Finder / Theodolite
(great article )
Mobile applications - Google Maps / Foursquare / Shazam / Yelp (AR)
Others - Jinni /Xtranormal / Stack (digg labs) / Music Plasma /
Monday, June 4, 2007
Computer Virus History
This is a reprint of an old article on the history of viruses.
A Rough History of the Computer Virus
Many people would say the first computer virus was written by Microsoft with MS-DOS. It crept from machine to machine, went mostly unnoticed, and did untold damage. That is a cynical view but it does fulfil all the criteria.
With thanks to Dr Solomon's Virus Encyclopedia - The text has been very slightly edited and enhanced with example code (Zipped assembler) and WWW links where necessary.
1986-1987 - The Prologue
It all started in 1986. Basit and Amjad realized that the boot sector of a floppy diskette contained executable code, and this code is run whenever you start up the computer with a diskette in drive A. They realized that they could replace this code with their own program, that this could be a memory resident program, and that it could install a copy of itself on each floppy diskette that is accessed in any drive. The program copied itself; they called it a virus. But it only infected 360KB floppy disks.
In 1987, the University of Delaware realized that they had this virus, when they started seeing the label "(c) Brain" on floppy diskettes. That's all it did; copy itself, and put a volume label on diskettes.
Meanwhile, also in 1986, a programmer called Ralf Burger realized that a file could be made to copy itself, by attaching a copy of itself to other files. He wrote a demonstration of this effect, which he called VIRDEM. He distributed it at the Chaos Computer Club conference that December, where the theme was viruses. VIRDEM would infect any COM file; again the payload was pretty harmless.
This attracted so much interest, that he was asked to write a book. Ralf hadn't thought of boot sector viruses like Brain, so his book doesn't even mention them. But by then, someone had started spreading a virus, in Vienna.
In 1987, Franz Swoboda became aware that a virus was being spread in a program called Charlie. He called it the Charlie virus. He made lots of noise about the virus (and got badly bitten as a result). At this point, there are two versions of the story, Burger claims that he got a copy of this virus from Swoboda, but Swoboda denies this. In any case, Burger obtained a copy, and gave it to Berdt Fix, who disassembled it (this was the first time anyone had disassembled a virus). Burger included the disassembly in his book, after patching out a couple of areas to make it less infectious and changing the payload. The normal payload of Vienna is to cause one file in eight to reboot the computer (the virus patches the first five bytes of the code); Burger (or maybe Fix) replaced this reboot code with five spaces. The effect was that patched files hung the computer, instead of rebooting. This isn't really an improvement.
Meanwhile, in the US, Fred Cohen had completed his doctoral dissertation, which was on computer viruses. Dr Cohen proved that you cannot write a program that can, with 100% certainty, look at a file and decide whether it is a virus. Of course, no one ever thought that you could, but Cohen made good use of an existing mathematical theorem and earned a doctorate. He also did some experiments; he released a virus on a system, and discovered that it travelled further and faster than anyone had expected.
In 1987, Cohen was at Lehigh, as was Ken van Wyk. So was the author of the Lehigh virus. Lehigh was an extremely unsuccessful virus - it never managed to spread outside its home university, because it could only infect COMMAND.COM and did a lot of damage to its host after only four replications. One of the rules of the virus is that a virus that quickly damages its host, cannot survive. However, the Lehigh virus got a lot of publicity, and led to van Wyk setting up the Virus-L newsgroup on Usenet. Lehigh was nasty. After four replications, it did an overwrite on the disk, hitting most of the File Allocation Table. But a virus that only infects COMMAND.COM, isn't very infectious.
Meanwhile, in Tel Aviv, Israel (some say in Italy), another programmer was experimenting. His first virus was called Suriv-01 (virus spelled backwards). It was a memory resident virus, but it could infect any COM file, whereas Lehigh could only infect COMMAND.COM. This is a much better infection strategy than the non-TSR strategy used by Vienna, as it leads to files on all drives and all directories being infected. His second virus was called Suriv-02, and that could infect only EXE files, but it was the first EXE infector in the world. His third attempt was called Suriv-03, and it could handle COM and EXE files. His fourth effort escaped into the world, and became known as the Jerusalem virus. Every Friday 13th, instead of infecting files that are run, it deletes them. but Friday 13ths are not common, so the virus is pretty inconspicuous, most of the time. It avoids infecting COMMAND.COM, because in those days, many people believed that this was the file to watch (see Lehigh).
It looks as if it escaped rather than was released, because it plainly was not ready for release. The author decided to change the way that the virus detected itself in EXE files, and had made part of that change. There is redundant code from the Suriv viruses still in place, and also what looks like debugging code. It was found in the Hebrew University of Jerusalem (hence the name) by Yisrael Radai.
While all this was going on, a young student at the University of Wellington, New Zealand, had found a very simple way to create a very effective virus. One time in eight, when booting from an infected floppy, it also displayed the message 'Your PC is now Stoned', hence the name of the virus.
The virus itself was just a few hundred bytes long, but because of its self-restraint, and memory-resident replication, it has become the most widespread virus in the world, accounting for over a quarter of outbreaks. It is very unlikely that Stoned virus will ever become rare. The virus spread rapidly, because of its inconspicuousness (and because in those days, people were keeping a careful eye on COMMAND.COM, because of Lehigh).
In Italy, at the University of Turin, a programmer was writing another boot sector virus. This one put a bouncing ball up on the screen, if the disk was accessed exactly on the half hour. It became known as Italian virus, Ping pong, or Bouncing Ball. But this virus had a major defect; it couldn't work on anything except an 8088 or 8086 computer, because it uses an instruction that doesn't work on more advanced chips. As a result, this virus has almost died out (as has Brain, which can only infect 360KB floppies, and which foolishly announces its presence via the volume label).
Back in the US, an American was demonstrating a problem that has continued to dog US virus writers ever since: incompetence. The Lehigh didn't make it outside a small circle; neither did the Yale virus. This was another boot sector virus, but it only copied itself when you booted from an infected floppy, then put another floppy in to continue the boot process. No subsequent diskette was infected, and if the boot-up continued from a hard disk, there was no infection at all. Yale never spread at all widely, either.
But also in 1987, a German programmer was writing a very competent virus, the Cascade, so called after the falling letters display that it gave. Cascade used a new idea - most of the virus was encrypted, leaving only a small stub of code in clear for decrypting the rest of the virus. The reason for this was not clear, but it certainly made it more difficult to repair infected files, and it restricted the choice of search string to the first couple of dozen bytes. This idea was later extended by Mark Washburn when he wrote the first polymorphic virus, 1260 (Chameleon). Washburn based Chameleon on a virus that he found in a book: the Vienna, published by Burger.
Cascade was supposed to look at the BIOS, and if it found an IBM copyright, it would refrain from infecting. This part of the code didn't work. The author soon released another version of the virus, 1704 bytes long instead of 1701, in order to correct this bug. But the corrected version had a bug that meant that it still didn't detect IBM BIOS.
Of these early viruses, only Stoned, Cascade and Jerusalem are common today, but those three are very common
1988 - The Game Begins
The year 1988 was fairly quiet, as far as virus writing went. Mostly, it was the year that anti-virus vendors started appearing, making a fuss about what was at that time only a potential problem, and not selling very much anti-virus software. The vendors were all small companies, selling their software for very low prices ($5 or $10 was common). Some of them were shareware, some were freeware. Occasionally some larger company tried to pop up, but no-one was paying serious cash to solve a potential problem.
In some ways, that was a pity, because 1988 was a very virus-friendly year. It gave Stoned, Cascade and Jerusalem a chance to spread undetected, and to establish a pool of infected objects that will ensure that they never become rare.
It was in 1988 that IBM realized that it had to take viruses seriously. This was not because of the well-known Christmas tree worm, which was pretty easy to deal with. It was because IBM had an outbreak of Cascade at the Lehulpe site, and found itself in the embarrassing position of having to inform its customers that they might have become infected there. In fact, there was no real problem, but from this point on, IBM took viruses very seriously indeed, and the High Integrity Computing Laboratory in Yorktown was given responsibility for the IBM research effort in this field.
1988 saw a few scattered, sporadic outbreaks of Brain, Italian, Stoned, Cascade and Jerusalem. It also saw the final arguments about whether viruses existed or not. Peter Norton, in an interview, said that they were an urban legend, like the crocodiles in the New York sewers, and one UK expert claimed that he had a proof that viruses were a figment of the imagination. In 1988, the real virus experts would debate with such people; after that year, real virus experts would simply walk away from anyone who had such absurd beliefs.
Each outbreak of a virus was dealt with on a case-by-case basis. One American claimed that he had a fully equipped mobile home for dealing with virus outbreaks (and another one extrapolated to the notion that soon there would be many such mobile units). Existing software was used to detect boot sector viruses (by inspecting the boot sector), and one-off software was written for dealing with outbreaks of Cascade and Jerusalem.
In 1988, a virus that is called "Virus-B" was written. This is another virus that doesn't go memory resident, and it is a modification of another virus that deletes files on Friday 13th. When this virus is run, it displays "WARNING!!!! THIS PROGRAM IS INFECTED WITH VIRUS-B! IT WILL INFECT EVERY .COM FILE IN THE CURRENT SUBDIRECTORY!". A virus that is as obvious as that, was clearly not written to spread. It was obviously written as a demonstration virus. Virus researchers are often asked for "harmless viruses" or "viruses for demonstration"; most researchers offer some alternative, such as an overhead foil, or a non-virus program that does a falling letters display. But it looks as if VIRUS-B was written with the intention of giving it away as a demonstration virus - hence the warning. And, indeed, we find that an American company was offering it to "large corporations, universities and research organizations" on a special access basis.
At the end of 1988, a few things happened almost at once. The first was a big outbreak of Jerusalem at a large financial institution, which meant that dozens of people were tied up in doing a big clean-up for several days. The second was that a company called S&S did the first ever Virus Seminar that actually explained what a virus was and how they worked. The third was Friday 13th. [CK: S&S became what is now known as Dr. Solomon Software.]
It was clear that we couldn't go out and help everyone with a virus, even if we bought a mobile home and equipped it (with what)? It was also clear that the financial institution, and the academic site, could easily handle a virus outbreak, but they didn't have the tools to do the job. All they needed was a decent virus detector, which was not available. So we wrote one, added some other tools that experience said might be useful, and created the first Anti-Virus Toolkit.
In 1989, the first Friday 13th was in January. At the end of 1988, it was clear that Jerusalem was in Spain and the UK, at least, and was in academic as well as commercial sites. Because of the destructive payload in the virus, we felt that if we failed to send out some sort of warning, we would be negligent. But the media grabbed the ball and ran with it; the predictability of the trigger day, together with the feature of it being Friday 13th, caught their imagination, and the first virus media circus was under way.
On the 13th of January, we had dozens of phone calls, mostly from the media wanting to know if the world had ended yet. But we also had calls from a large corporate site, a small vendor of PC hardware, and a couple of single users. We were invaded by TV cameras in droves, and had to schedule them carefully to avoid them tripping over each other. In the middle of all this, the PC Support person from the infected corporation arrived. The TV people wanted nothing better than a victim to film, but the corporate person wanted anonymity. We pretended that he was just one of our staff. Also, at that time, British Rail contacted us; they also had an outbreak of Jerusalem, and they went public on it. Later, they regretted that decision, because for a long time afterwards, their PC Support person was badgered by the media seeking interviews.
1989 - Datacrime
During 1989 things really started to move. The Fu Manchu virus (a modification of Jerusalem) was sent anonymously to a virus researcher in the UK, and the 405 virus (a modification of the overwriting virus in the Burger book) was sent to another UK researcher. A third UK researcher wrote a virus and sent it to another UK researcher; in 1989, the UK was where it was all happening. But not quite all. In 1989, the Bulgarians started getting interested in viruses, and Russia was beginning to awaken.
In March of 1989, a minor event happened that was to trigger an avalanche. A new virus was written in Holland. A Dutchman calling himself Fred Vogel (a very common Dutch name) contacted a UK virus researcher, and said that he had found this virus all over his hard disk. He also said that it was called Datacrime, and that he was worried that it would trigger on the 13th of the next month.
When the virus was disassembled, it was found that on any day after October 12th, it would trigger a low level format of cylinder zero of the hard disk, which would, on most hard disks, wipe out the File Allocation Table, and leave the user effectively without any data. It would also display the virus' name: Datacrime virus. A straightforward write-up of the effect of this virus was published, but it was another non-memory-resident virus, and so highly unlikely to spread.
However, the write-up was reprinted by a magazine, another magazine repeated the story, a third party embellished it a bit, and by June it was becoming an established fact that it would trigger on October 12th (not true, it triggers on any day after the 12th, up till December 31st) and that it would low level format the whole hard disk. In America, the press started calling it "Columbus Day virus" (October 12th) and it was suggested that it had been written by Norwegian terrorists, angry at the fact that Eric the Red had discovered America, not Columbus.
Meanwhile, in Holland, the Dutch police were doing one of the things that falls within those things that police are supposed to do: crime prevention. Datacrime virus was obviously a crime, and the way to prevent it was to run a detector for it. So they commissioned a programmer to write a Datacrime detector, and offered it at Dutch police stations for $1. It sold really well. But it gave a number of false alarms, and it had to be recalled and replaced with version 2. There were long queues outside the Dutch police stations, lots of confusion about whether anyone actually had this virus (hardly anyone did, but the false alarms muddied the waters).
If the police take something seriously, it must be serious, right? So in July, large Dutch companies started asking IBM if viruses were a serious threat. Datacrime isn't, but there is a distinct possibility that a company could get Jerusalem, Cascade or Stoned (or Italian, in those days before 8088 computers became a rarity). So what is IBM doing about this threat, they asked?
IBM had internal-use-only anti-virus software. They used this to check incoming media, and to make sure that an accident like Lehulpe could never happen again. IBM had a problem: if they didn't offer this software to their customers, they could look very bad if on October 13th a lot of computers went down. The technical people knew that this wouldn't happen, but obviously they knew that someone, somewhere, might have important data on a computer that would get hit by Datacrime. IBM had to make a decision about whether to release their software, and they had a very strict deadline to work to; October the 13th would be too late.
In September of 1989, IBM sent out version 1.0 of the IBM scanning software, together with a letter telling their customers what it was, and why they were sending it out. When you get a letter like that from IBM, and a disk, you would be pretty brave to take no notice, so a lot of large companies scanned a lot of computers, for the first time. Hardly anyone found Datacrime, but there were instances of the usual viruses.
October 13th fell on a Friday, so there was a double event: Jerusalem and Datacrime. In the US, Datacrime (Columbus Day) had been hyped out of all proportion for a virus that is as uninfective as this one, and it is highly likely that not a single user had the virus. In Europe (especially in Holland) there might have been a few, but not many.
In London, the Royal National Institute for the Blind announced that they'd had a hit, and had lost large amounts of valuable research data, and months of work. We investigated this particular incident, and the truth was that they had a very minor outbreak of Jerusalem, and a few easily-replaced program files had been deleted. Four computers were infected. But the RNIB outbreak has passed into legend as a Great Disaster. Actually, the RNIB took more damage from the invasion of the television and print media than from the virus.
By the end of 1989, there were a couple of dozen viruses that we knew about, but we didn't know that in Bulgaria and Russia, big things were brewing
1990 - The Game Gets More Complex
By 1990, it was no longer a matter of running a couple of dozen search strings down each file. Mark Washburn had taken the Vienna virus, and created the first polymorphic virus from it. We didn't use that word at first, but the idea of his viruses (1260, V2P1, V2P2 and V2P6) was that the whole virus would be variably encrypted, and there would be a decryptor at the start of the virus. But the decryptor could take a very wide number of forms, and in the first few viruses, the longest possible search string was just two bytes long (V2P6 got this down to one byte). To detect this virus, it was necessary to write an algorithm that would apply logical tests to the file, and decide whether the bytes it was looking at were one of the possible decryptors.
One consequence of this, was that some vendors couldn't do this. It isn't easy to write such an algorithm, and many vendors were, by this time, relying on search strings extracted by someone else. The three main sources of search strings were a newsletter called Virus Bulletin, the IBM scanner, and reverse engineering a competitor's product. But you can't detect a polymorphic virus this way (indeed, two years after these viruses were published, many products are [CK: were] still incapable of detecting these viruses). Washburn also published his source code, which is now widely available. At the time, we thought that this would bring out a number of imitators; in practice, no-one seems to be using Washburn's code. However, plenty of virus authors are using his idea.
Another consequence of polymorphic viruses, was an increase in the false alarm rate. If you write code to detect something that has as many possibilities as V2P6, then there is a chance that you will flag an innocent file, and that chance is much greater than with the sort of virus that you can find with a 24-byte scan string. A false alarm can be as much hassle to the user as a real virus, as he will put all his anti-virus procedures into action.
Also, in 1990, we saw a number of virus coming out of Bulgaria, especially from someone who called himself "Dark Avenger." The Dark Avenger viruses introduced two new ideas. The first idea was the "Fast infector"; with these viruses, if the virus is in memory, then simply opening a file for reading, triggers the virus infection. The entire hard disk is very soon infected. The second idea in this virus, was that of subtle damage. Dark Avenger-1800 occasionally overwrites a sector on the hard disk. If this isn't noticed for a period of time, the corrupted files are backed up, and when the backup is restored, the data is still no good. Dark Avenger targets backups, not just data. Other viruses came from the same source, such as the Number-of-the-Beast (stealth in a file virus) and Nomenklatura (with an even nastier payload than Dark Avenger.
Also, Dark Avenger was more creative about distributing his viruses. He would upload them to BBSes, infecting shareware anti-virus programs, together with a documentation file that gave reassurance to anyone who checked the file size and checksums. He uploaded his source code also, so that people could learn how to write viruses.
In 1990, another event happened in Bulgaria - the first virus exchange BBS. The idea was that if you uploaded a virus, you could download a virus, and if you uploaded a new virus, you were given full access. This, of course, encourages the creation of new viruses, and gets viruses into wider circulation. Also, the VX BBS offered source code, which makes the technology of writing a virus more widely available.
In the second half of 1990, the Whale appeared. Whale was a very large, and very complex virus. It didn't do very much; mostly, it crashed the computer when you tried to run it. But it was an exercise in complexity and obfuscation, and it arrived in virus author's hands like a crossword puzzle to be solved. Some virus researchers wasted weeks unravelling Whale, although in practise you could detect it with a couple of dozen search strings, and you didn't really need to do any more, as the thing was too clumsy to work anyway. But because it was so large and complex, it achieved fame.
At the end of 1990, the anti-virus people saw that they had to get more organized; they had to be at least as organized as the virus authors. So EICAR (European Institute for Computer Antivirus Research) was born in Hamburg, in December 1990. This gave a very useful forum for the anti-virus researchers and vendors to meet and exchange ideas (and specimens), and to encourage the authorities to try to prosecute virus authors more vigorously. At the time that EICAR was founded, there were about 150 viruses, and the Bulgarian "Virus factory" was in full swing.
1991 - Product Launches and Polymorphism
In 1991, the virus problem was sufficiently interesting to attract the large marketing companies. Symantec launched Norton Anti-Virus in December 1990, and Central Point launched CPAV in April 1991. This was soon followed by Xtree, Fifth Generation and a couple of others. Most of these companies were rebadging other company's programs (nearly all Israeli). The other big problem of 1991 was "glut." In December 1990, there were about 200-300 viruses; by December 1991 there were 1,000 (there may have been even more written that year, because by February, we were counting 1,300).
Glut means lots of viruses, and this causes a number of unpleasant problems. In every program, there must be various limitations. In particular, a scanner has to store search strings in memory, and under DOS, there is only 640KB to use (and DOS, the network shell and the program's user interface might take half of that).
Another Glut problem, is that some scanners slow down in proportion to the number of viruses scanned for. Not many scanners work this way, but it certainly poses a problem for those that do.
A third Glut problem, comes with the analysis of viruses; this is necessary if you want to detect the virus reliably, to repair it, and if you want to know what it does. If it takes one researcher one day to disassemble one virus, then he can only do 250 per year. If it takes one hour, that figure becomes 2,000 per year, but whatever the figure, more viruses means more work.
Glut also means a lot of viruses that are similar to each other. This then can lead to mis-identification, and therefore a wrong repair. Very few scanners attempt a complete virus identification, so this confusion about exactly which virus is being found, is very common.
Most of these viruses came from Eastern Europe and Russia; the Russian virus production was in full swing. But another major source of new viruses was the virus exchange BBSes.
Bulgaria pioneered the VX BBS, but a number of other countries quickly followed. Some shut down not long after they started up, but the Milan "Italian Virus Research Laboratory" was where a virus author called Cracker Jack uploaded his viruses (which were plagiarized versions of the Bulgarian viruses). Germany had Gonorrhea, Sweden had Demoralised Youth, America had Hellpit, UK had Dead On Arrival and Semaj. Some of these have now either closed down or gone underground, but they certainly contributed to the glut problem. With a VX BBS, all a virus author has to do, is download some source code, make a few simple changes, then upload a new virus, which gives him access to all the other viruses on the board.
1991 was also the year that polymorphic viruses first made a major impact on users. Washburn had written 1260 and the V2 series long before, but because these were based on Vienna, they weren't infectious enough to spread. But in April of 1991, Tequila burst upon the world like a comet. It was written in Switzerland, and was not intended to spread. But it was stolen from the author by a friend, who planted it on his father's master disks. Father was a shareware vendor, and soon Tequila was very widespread.
Tequila used full stealth when it installed itself on the partition sector, and in files it used partial stealth, and was fully polymorphic. A full polymorphic virus is one for which no search string can be written down, even if you allow the use of wild cards. Tequila was the first polymorphic virus that was widespread. By May, the first few scanners were detecting it, but it was not until September that all the major scanners could detect it reliably. If you don't detect it reliably, then you miss, say, 1% of infected files. The virus starts another outbreak from these overlooked instances, and has to be put down again, but now there is that old 1%, plus another 1% of files that are infected but not detected. This can continue for as long as the user has patience, until eventually the hard disk contains nothing but files that the scanner cannot detect. The user, thinks that after the virus coming back a number of times, it gradually infected fewer and fewer files, until now he has gotten rid of it completely.
In September 1991, Maltese Amoeba spread through Europe - another polymorphic virus. By the end of the year, there were a few dozen polymorphic viruses. Each of these is classified as "difficult," meaning it takes a virus researcher more than a few hours to do everything that needs to be done. Also, most products need some form of hard coding in order to detect the virus, which means program development, which means bugs, debugging, beta testing and quality control. Furthermore, although a normal virus won't slow down most scanners, a polymorphic virus might.
It was also in 1991, that Dark Avenger announced the first virus vapourware. He threatened a virus that had 4,000,000,000 different forms. In January 1992, this virus appeared, but it wasn't a virus.
1992 - Michelangelo
January 1992 saw the Self Mutating Engine (MtE) from Dark Avenger. At first, all we saw was a virus that we named Dedicated, but shortly after that, we saw the MtE. This came as an OBJ file, plus the source code for a simple virus, and instructions on how to link the OBJ file to a virus to give you a full polymorphic virus. Immediately, virus researchers set to work on detectors for it. Most companies did this in two stages. In some outfits, stage one was look at it and shudder, stage two was ignore it and hope it goes away. But at the better R&D sites, stage one was usually a detector that found between 90 and 99% of instances, and was shipped very quickly, and stage two was a detector that found 100%. At first, it was expected that there would be lots and lots of viruses using the MtE, because it was fairly easy to use this to make your virus hard to find. But the virus authors quickly realized that a scanner that detected one MtE virus, would detect all MtE viruses fairly easily. So very few virus authors have taken advantage of the engine (there are about a dozen or two viruses that use it).
This was followed by Dark Avenger's Commander Bomber. Before CB, you could very easily predict where in the file the virus would be. Many products take advantage of this predictability to run fast; some only scan the top and tail of the file, and some just scan the one place in the file that the virus must occupy if it is there at all. Bomber transforms this, and so products either have to scan the entire file, or else they have to be more sophisticated about locating the virus.
Another virus that came out at about that time, was Starship. Starship is a fully polymorphic virus (to defeat scanners), with a few neat anti-debugging tricks, and it also aims to defeat check-summers with a very simple trick. Checksumming programs aim to detect a virus by the fact that it has to change executable code in order to replicate. Starship only infects files as they are copied from the hard disk to the floppy. So files on the hard disk never change. But the copy on the floppy disk is infected, and if you then copy that onto a new hard disk, and tell the check-summer on the new machine about this new file, the check-summer will happily accept it, and never report any changes. Starship also installs itself on the hard disk, but without changing executable code. It changes the partition data, making a new partition as the boot partition. No code is changed, but the new partition contains the virus code, and this is run before it passes control on to the original boot partition.
Probably the greatest event of 1992 was the great Michelangelo scare. One of the American anti-virus vendors forecast that five million computers would go down on March the 6th, and many other US vendors climbed on to the bandwagon. PC users went into a purchasing frenzy, as the media whipped up the hype. On March the 6th, between 5,000 and 10,000 machines went down, and naturally the US vendors that had been hyping the problem put this down to their timely and accurate warning. We'll probably never know how many people had Michelangelo, but certainly in the days leading up to March the 6th, a lot of computers were checked for viruses. After March 6th, there were a lot of discredited experts around.
The reaction to the Michelangelo hype did a lot of damage to the credibility of people advocating sensible antivirus strategies, and outweighed any possible benefits from the gains in awareness.
In August 1992, we saw the first serious virus authoring packages. First the VCL (Virus Creation Laboratory) from Nowhere Man, and then Dark Angel's Phalcon/Skism Mass-Produced Code Generator. These packages made it possible for anyone who could use a computer, to write a virus. Within twelve months, dozens of viruses had been created using these tools.
Toward the end of 1992, a new virus writing group called ARCV (Association of Really Cruel Viruses) had appeared in England - within a couple of months, the Computer Crime Unit of New Scotland Yard had tracked them down and arrested them. ARCV flourished for about three months, during which they wrote a few dozen viruses and attracted a few members.
Another happening of 1992, was the appearance of people selling (or trying to sell) virus collections. To be more precise, these were collections of files, some of which were viruses, and many of which were assorted harmless files. In America, John Buchanan offered his collection of a few thousand files for $100 per copy, and in Europe, The Virus Clinic offered various options from £25. The Virus Clinic was raided by the Computer Crime Unit; John Buchanan is still offering viruses for sale.
Toward the end of 1992, the US Government was offering viruses to people who called the relevant BBS.
1993 - Polymorphics and Engines
Early in 1993, XTREE announced that they were quitting the antivirus business. This was the first time that a major company had given up the struggle.
Early in 1993, a new virus writing group appeared, in Holland, called Trident. The main Trident author, Masouf Khafir, wrote a polymorphic engine called the Trident Polymorphic Engine, and released a virus that used it, called GIRAFE. This was followed by updated versions of the TPE. The TPE is much more difficult to detect reliably than the MtE, and very difficult to avoid false alarming on.
Khafir also released the first virus that worked according to a principle first described by Fred Cohen. The Cruncher virus was a data compression virus, that automatically added itself to files in order to auto-install on as many computers as possible. Meanwhile, Nowhere Man, of the Nuke group, had been busy. Early in 1993, he released the Nuke Encryption Device (NED). This was another mutator that was more tricky than MtE. A virus called Itshard soon followed.
Phalcon/Skism was not to be left out. Dark Angel released DAME (Dark Angel's Multiple Encyptor) in an issue of 40hex; a virus called Trigger uses this. Trident released version 1.4 of TPE (again, this is more complex and difficult than previous versions) and released a virus called Bosnia that uses it.
Soon after that, Lucifer Messiah, of Anarkick Systems had taken version 1.4 of the TPE and written a virus POETCODE, using a modified version of this engine (1.4b).
Early in 1993, another highly polymorphic virus appeared, called Tremor. This rocketed to stardom when it got included in a TV broadcast of software (received via a decoder).
In the middle of 1993, Trident got a boost when Dark Ray and John Tardy joined the group. Tardy released a fully polymorphic virus in 444 bytes, and we can expect more difficult things from Trident.
The main events of 1993, were the emergence of an increasing number of polymorphic engines, which will make it easier and easier to write viruses that scanners find difficult to detect.
The Future
There will be more viruses - that's an easy prediction. How many more is a difficult call, but over the last five years, the number of viruses has been doubling every year or so. This surely must slow down. If we say 1,500 viruses in mid-1992, and 3,000 in mid-1993, then we could imagine 5,000 in mid 1994 and we could expect to reach the 8,000 mark some time in 1995. Or perhaps we are being optimistic? [KP: The number topped 48,000 in 2000.]
The glut problem will continue, and could get sharply worse. Whenever a group of serious anti-virus researchers meet, we find an empty room, hang "Closed for cleaning" on the door, and frighten each other with "nightmare scenarios." Some of the older nightmare scenarios have already come true, others have not, but remain possibilities. The biggest nightmare for all anti-virus people is glut. There are only about 10-15 first class anti-virus people in the world, and most of the anti-virus companies have just one of these people (some have none). It would be difficult to create more, as the learning curve is very steep. The first time you disassemble something like Jerusalem virus, it takes a week. After you've done a few hundred viruses, you could whip through something as simple as Jerusalem in 15 minutes.
The polymorphic viruses will get more numerous. It turns out that they are a much bigger problem than the stealth viruses, because stealth is aimed at check-summers, but polymorphism is aimed at scanners, which is what most people are using. And each polymorphic virus will be a source of false alarms, and will cause the researchers much more work than the normal viruses. Polymorphic viruses will also continue to get more complex, as virus authors learn the technique, and increasingly try to ensure that their viruses cannot be detected.
Scanners will get larger - more code will be needed because more viruses will need hard coding to scan for them. The databases that scanners use will get larger; each new virus needs to be detected, identified and repaired. Loading the databases will take longer, and some programs will have memory shortage problems.
Users will get a lot more relaxed about viruses. We've long since passed the stage where a virus is regarded as a loathsome disease, to be kept secret. But we're increasingly seeing people who regard a virus on their system with about the same degree of casualness as a bit of fluff on their jacket. Sure, they'll wipe it off, but there's not real need to worry about it happening again. This is perhaps a bit too relaxed an attitude, but what can you expect if a user keeps on getting hit by viruses, and nothing terrible ever seems to result.
The virus problem will be with us forever. It isn't the dramatic, world-shaking kind of problem that Michelangelo was made out to be; nor is it the fluff-on-your-jacket kind of problem. But as long as people have problems with computers, other people will be offering solutions for those problems.
A Rough History of the Computer Virus
Many people would say the first computer virus was written by Microsoft with MS-DOS. It crept from machine to machine, went mostly unnoticed, and did untold damage. That is a cynical view but it does fulfil all the criteria.
With thanks to Dr Solomon's Virus Encyclopedia - The text has been very slightly edited and enhanced with example code (Zipped assembler) and WWW links where necessary.
1986-1987 - The Prologue
It all started in 1986. Basit and Amjad realized that the boot sector of a floppy diskette contained executable code, and this code is run whenever you start up the computer with a diskette in drive A. They realized that they could replace this code with their own program, that this could be a memory resident program, and that it could install a copy of itself on each floppy diskette that is accessed in any drive. The program copied itself; they called it a virus. But it only infected 360KB floppy disks.
In 1987, the University of Delaware realized that they had this virus, when they started seeing the label "(c) Brain" on floppy diskettes. That's all it did; copy itself, and put a volume label on diskettes.
Meanwhile, also in 1986, a programmer called Ralf Burger realized that a file could be made to copy itself, by attaching a copy of itself to other files. He wrote a demonstration of this effect, which he called VIRDEM. He distributed it at the Chaos Computer Club conference that December, where the theme was viruses. VIRDEM would infect any COM file; again the payload was pretty harmless.
This attracted so much interest, that he was asked to write a book. Ralf hadn't thought of boot sector viruses like Brain, so his book doesn't even mention them. But by then, someone had started spreading a virus, in Vienna.
In 1987, Franz Swoboda became aware that a virus was being spread in a program called Charlie. He called it the Charlie virus. He made lots of noise about the virus (and got badly bitten as a result). At this point, there are two versions of the story, Burger claims that he got a copy of this virus from Swoboda, but Swoboda denies this. In any case, Burger obtained a copy, and gave it to Berdt Fix, who disassembled it (this was the first time anyone had disassembled a virus). Burger included the disassembly in his book, after patching out a couple of areas to make it less infectious and changing the payload. The normal payload of Vienna is to cause one file in eight to reboot the computer (the virus patches the first five bytes of the code); Burger (or maybe Fix) replaced this reboot code with five spaces. The effect was that patched files hung the computer, instead of rebooting. This isn't really an improvement.
Meanwhile, in the US, Fred Cohen had completed his doctoral dissertation, which was on computer viruses. Dr Cohen proved that you cannot write a program that can, with 100% certainty, look at a file and decide whether it is a virus. Of course, no one ever thought that you could, but Cohen made good use of an existing mathematical theorem and earned a doctorate. He also did some experiments; he released a virus on a system, and discovered that it travelled further and faster than anyone had expected.
In 1987, Cohen was at Lehigh, as was Ken van Wyk. So was the author of the Lehigh virus. Lehigh was an extremely unsuccessful virus - it never managed to spread outside its home university, because it could only infect COMMAND.COM and did a lot of damage to its host after only four replications. One of the rules of the virus is that a virus that quickly damages its host, cannot survive. However, the Lehigh virus got a lot of publicity, and led to van Wyk setting up the Virus-L newsgroup on Usenet. Lehigh was nasty. After four replications, it did an overwrite on the disk, hitting most of the File Allocation Table. But a virus that only infects COMMAND.COM, isn't very infectious.
Meanwhile, in Tel Aviv, Israel (some say in Italy), another programmer was experimenting. His first virus was called Suriv-01 (virus spelled backwards). It was a memory resident virus, but it could infect any COM file, whereas Lehigh could only infect COMMAND.COM. This is a much better infection strategy than the non-TSR strategy used by Vienna, as it leads to files on all drives and all directories being infected. His second virus was called Suriv-02, and that could infect only EXE files, but it was the first EXE infector in the world. His third attempt was called Suriv-03, and it could handle COM and EXE files. His fourth effort escaped into the world, and became known as the Jerusalem virus. Every Friday 13th, instead of infecting files that are run, it deletes them. but Friday 13ths are not common, so the virus is pretty inconspicuous, most of the time. It avoids infecting COMMAND.COM, because in those days, many people believed that this was the file to watch (see Lehigh).
It looks as if it escaped rather than was released, because it plainly was not ready for release. The author decided to change the way that the virus detected itself in EXE files, and had made part of that change. There is redundant code from the Suriv viruses still in place, and also what looks like debugging code. It was found in the Hebrew University of Jerusalem (hence the name) by Yisrael Radai.
While all this was going on, a young student at the University of Wellington, New Zealand, had found a very simple way to create a very effective virus. One time in eight, when booting from an infected floppy, it also displayed the message 'Your PC is now Stoned', hence the name of the virus.
The virus itself was just a few hundred bytes long, but because of its self-restraint, and memory-resident replication, it has become the most widespread virus in the world, accounting for over a quarter of outbreaks. It is very unlikely that Stoned virus will ever become rare. The virus spread rapidly, because of its inconspicuousness (and because in those days, people were keeping a careful eye on COMMAND.COM, because of Lehigh).
In Italy, at the University of Turin, a programmer was writing another boot sector virus. This one put a bouncing ball up on the screen, if the disk was accessed exactly on the half hour. It became known as Italian virus, Ping pong, or Bouncing Ball. But this virus had a major defect; it couldn't work on anything except an 8088 or 8086 computer, because it uses an instruction that doesn't work on more advanced chips. As a result, this virus has almost died out (as has Brain, which can only infect 360KB floppies, and which foolishly announces its presence via the volume label).
Back in the US, an American was demonstrating a problem that has continued to dog US virus writers ever since: incompetence. The Lehigh didn't make it outside a small circle; neither did the Yale virus. This was another boot sector virus, but it only copied itself when you booted from an infected floppy, then put another floppy in to continue the boot process. No subsequent diskette was infected, and if the boot-up continued from a hard disk, there was no infection at all. Yale never spread at all widely, either.
But also in 1987, a German programmer was writing a very competent virus, the Cascade, so called after the falling letters display that it gave. Cascade used a new idea - most of the virus was encrypted, leaving only a small stub of code in clear for decrypting the rest of the virus. The reason for this was not clear, but it certainly made it more difficult to repair infected files, and it restricted the choice of search string to the first couple of dozen bytes. This idea was later extended by Mark Washburn when he wrote the first polymorphic virus, 1260 (Chameleon). Washburn based Chameleon on a virus that he found in a book: the Vienna, published by Burger.
Cascade was supposed to look at the BIOS, and if it found an IBM copyright, it would refrain from infecting. This part of the code didn't work. The author soon released another version of the virus, 1704 bytes long instead of 1701, in order to correct this bug. But the corrected version had a bug that meant that it still didn't detect IBM BIOS.
Of these early viruses, only Stoned, Cascade and Jerusalem are common today, but those three are very common
1988 - The Game Begins
The year 1988 was fairly quiet, as far as virus writing went. Mostly, it was the year that anti-virus vendors started appearing, making a fuss about what was at that time only a potential problem, and not selling very much anti-virus software. The vendors were all small companies, selling their software for very low prices ($5 or $10 was common). Some of them were shareware, some were freeware. Occasionally some larger company tried to pop up, but no-one was paying serious cash to solve a potential problem.
In some ways, that was a pity, because 1988 was a very virus-friendly year. It gave Stoned, Cascade and Jerusalem a chance to spread undetected, and to establish a pool of infected objects that will ensure that they never become rare.
It was in 1988 that IBM realized that it had to take viruses seriously. This was not because of the well-known Christmas tree worm, which was pretty easy to deal with. It was because IBM had an outbreak of Cascade at the Lehulpe site, and found itself in the embarrassing position of having to inform its customers that they might have become infected there. In fact, there was no real problem, but from this point on, IBM took viruses very seriously indeed, and the High Integrity Computing Laboratory in Yorktown was given responsibility for the IBM research effort in this field.
1988 saw a few scattered, sporadic outbreaks of Brain, Italian, Stoned, Cascade and Jerusalem. It also saw the final arguments about whether viruses existed or not. Peter Norton, in an interview, said that they were an urban legend, like the crocodiles in the New York sewers, and one UK expert claimed that he had a proof that viruses were a figment of the imagination. In 1988, the real virus experts would debate with such people; after that year, real virus experts would simply walk away from anyone who had such absurd beliefs.
Each outbreak of a virus was dealt with on a case-by-case basis. One American claimed that he had a fully equipped mobile home for dealing with virus outbreaks (and another one extrapolated to the notion that soon there would be many such mobile units). Existing software was used to detect boot sector viruses (by inspecting the boot sector), and one-off software was written for dealing with outbreaks of Cascade and Jerusalem.
In 1988, a virus that is called "Virus-B" was written. This is another virus that doesn't go memory resident, and it is a modification of another virus that deletes files on Friday 13th. When this virus is run, it displays "WARNING!!!! THIS PROGRAM IS INFECTED WITH VIRUS-B! IT WILL INFECT EVERY .COM FILE IN THE CURRENT SUBDIRECTORY!". A virus that is as obvious as that, was clearly not written to spread. It was obviously written as a demonstration virus. Virus researchers are often asked for "harmless viruses" or "viruses for demonstration"; most researchers offer some alternative, such as an overhead foil, or a non-virus program that does a falling letters display. But it looks as if VIRUS-B was written with the intention of giving it away as a demonstration virus - hence the warning. And, indeed, we find that an American company was offering it to "large corporations, universities and research organizations" on a special access basis.
At the end of 1988, a few things happened almost at once. The first was a big outbreak of Jerusalem at a large financial institution, which meant that dozens of people were tied up in doing a big clean-up for several days. The second was that a company called S&S did the first ever Virus Seminar that actually explained what a virus was and how they worked. The third was Friday 13th. [CK: S&S became what is now known as Dr. Solomon Software.]
It was clear that we couldn't go out and help everyone with a virus, even if we bought a mobile home and equipped it (with what)? It was also clear that the financial institution, and the academic site, could easily handle a virus outbreak, but they didn't have the tools to do the job. All they needed was a decent virus detector, which was not available. So we wrote one, added some other tools that experience said might be useful, and created the first Anti-Virus Toolkit.
In 1989, the first Friday 13th was in January. At the end of 1988, it was clear that Jerusalem was in Spain and the UK, at least, and was in academic as well as commercial sites. Because of the destructive payload in the virus, we felt that if we failed to send out some sort of warning, we would be negligent. But the media grabbed the ball and ran with it; the predictability of the trigger day, together with the feature of it being Friday 13th, caught their imagination, and the first virus media circus was under way.
On the 13th of January, we had dozens of phone calls, mostly from the media wanting to know if the world had ended yet. But we also had calls from a large corporate site, a small vendor of PC hardware, and a couple of single users. We were invaded by TV cameras in droves, and had to schedule them carefully to avoid them tripping over each other. In the middle of all this, the PC Support person from the infected corporation arrived. The TV people wanted nothing better than a victim to film, but the corporate person wanted anonymity. We pretended that he was just one of our staff. Also, at that time, British Rail contacted us; they also had an outbreak of Jerusalem, and they went public on it. Later, they regretted that decision, because for a long time afterwards, their PC Support person was badgered by the media seeking interviews.
1989 - Datacrime
During 1989 things really started to move. The Fu Manchu virus (a modification of Jerusalem) was sent anonymously to a virus researcher in the UK, and the 405 virus (a modification of the overwriting virus in the Burger book) was sent to another UK researcher. A third UK researcher wrote a virus and sent it to another UK researcher; in 1989, the UK was where it was all happening. But not quite all. In 1989, the Bulgarians started getting interested in viruses, and Russia was beginning to awaken.
In March of 1989, a minor event happened that was to trigger an avalanche. A new virus was written in Holland. A Dutchman calling himself Fred Vogel (a very common Dutch name) contacted a UK virus researcher, and said that he had found this virus all over his hard disk. He also said that it was called Datacrime, and that he was worried that it would trigger on the 13th of the next month.
When the virus was disassembled, it was found that on any day after October 12th, it would trigger a low level format of cylinder zero of the hard disk, which would, on most hard disks, wipe out the File Allocation Table, and leave the user effectively without any data. It would also display the virus' name: Datacrime virus. A straightforward write-up of the effect of this virus was published, but it was another non-memory-resident virus, and so highly unlikely to spread.
However, the write-up was reprinted by a magazine, another magazine repeated the story, a third party embellished it a bit, and by June it was becoming an established fact that it would trigger on October 12th (not true, it triggers on any day after the 12th, up till December 31st) and that it would low level format the whole hard disk. In America, the press started calling it "Columbus Day virus" (October 12th) and it was suggested that it had been written by Norwegian terrorists, angry at the fact that Eric the Red had discovered America, not Columbus.
Meanwhile, in Holland, the Dutch police were doing one of the things that falls within those things that police are supposed to do: crime prevention. Datacrime virus was obviously a crime, and the way to prevent it was to run a detector for it. So they commissioned a programmer to write a Datacrime detector, and offered it at Dutch police stations for $1. It sold really well. But it gave a number of false alarms, and it had to be recalled and replaced with version 2. There were long queues outside the Dutch police stations, lots of confusion about whether anyone actually had this virus (hardly anyone did, but the false alarms muddied the waters).
If the police take something seriously, it must be serious, right? So in July, large Dutch companies started asking IBM if viruses were a serious threat. Datacrime isn't, but there is a distinct possibility that a company could get Jerusalem, Cascade or Stoned (or Italian, in those days before 8088 computers became a rarity). So what is IBM doing about this threat, they asked?
IBM had internal-use-only anti-virus software. They used this to check incoming media, and to make sure that an accident like Lehulpe could never happen again. IBM had a problem: if they didn't offer this software to their customers, they could look very bad if on October 13th a lot of computers went down. The technical people knew that this wouldn't happen, but obviously they knew that someone, somewhere, might have important data on a computer that would get hit by Datacrime. IBM had to make a decision about whether to release their software, and they had a very strict deadline to work to; October the 13th would be too late.
In September of 1989, IBM sent out version 1.0 of the IBM scanning software, together with a letter telling their customers what it was, and why they were sending it out. When you get a letter like that from IBM, and a disk, you would be pretty brave to take no notice, so a lot of large companies scanned a lot of computers, for the first time. Hardly anyone found Datacrime, but there were instances of the usual viruses.
October 13th fell on a Friday, so there was a double event: Jerusalem and Datacrime. In the US, Datacrime (Columbus Day) had been hyped out of all proportion for a virus that is as uninfective as this one, and it is highly likely that not a single user had the virus. In Europe (especially in Holland) there might have been a few, but not many.
In London, the Royal National Institute for the Blind announced that they'd had a hit, and had lost large amounts of valuable research data, and months of work. We investigated this particular incident, and the truth was that they had a very minor outbreak of Jerusalem, and a few easily-replaced program files had been deleted. Four computers were infected. But the RNIB outbreak has passed into legend as a Great Disaster. Actually, the RNIB took more damage from the invasion of the television and print media than from the virus.
By the end of 1989, there were a couple of dozen viruses that we knew about, but we didn't know that in Bulgaria and Russia, big things were brewing
1990 - The Game Gets More Complex
By 1990, it was no longer a matter of running a couple of dozen search strings down each file. Mark Washburn had taken the Vienna virus, and created the first polymorphic virus from it. We didn't use that word at first, but the idea of his viruses (1260, V2P1, V2P2 and V2P6) was that the whole virus would be variably encrypted, and there would be a decryptor at the start of the virus. But the decryptor could take a very wide number of forms, and in the first few viruses, the longest possible search string was just two bytes long (V2P6 got this down to one byte). To detect this virus, it was necessary to write an algorithm that would apply logical tests to the file, and decide whether the bytes it was looking at were one of the possible decryptors.
One consequence of this, was that some vendors couldn't do this. It isn't easy to write such an algorithm, and many vendors were, by this time, relying on search strings extracted by someone else. The three main sources of search strings were a newsletter called Virus Bulletin, the IBM scanner, and reverse engineering a competitor's product. But you can't detect a polymorphic virus this way (indeed, two years after these viruses were published, many products are [CK: were] still incapable of detecting these viruses). Washburn also published his source code, which is now widely available. At the time, we thought that this would bring out a number of imitators; in practice, no-one seems to be using Washburn's code. However, plenty of virus authors are using his idea.
Another consequence of polymorphic viruses, was an increase in the false alarm rate. If you write code to detect something that has as many possibilities as V2P6, then there is a chance that you will flag an innocent file, and that chance is much greater than with the sort of virus that you can find with a 24-byte scan string. A false alarm can be as much hassle to the user as a real virus, as he will put all his anti-virus procedures into action.
Also, in 1990, we saw a number of virus coming out of Bulgaria, especially from someone who called himself "Dark Avenger." The Dark Avenger viruses introduced two new ideas. The first idea was the "Fast infector"; with these viruses, if the virus is in memory, then simply opening a file for reading, triggers the virus infection. The entire hard disk is very soon infected. The second idea in this virus, was that of subtle damage. Dark Avenger-1800 occasionally overwrites a sector on the hard disk. If this isn't noticed for a period of time, the corrupted files are backed up, and when the backup is restored, the data is still no good. Dark Avenger targets backups, not just data. Other viruses came from the same source, such as the Number-of-the-Beast (stealth in a file virus) and Nomenklatura (with an even nastier payload than Dark Avenger.
Also, Dark Avenger was more creative about distributing his viruses. He would upload them to BBSes, infecting shareware anti-virus programs, together with a documentation file that gave reassurance to anyone who checked the file size and checksums. He uploaded his source code also, so that people could learn how to write viruses.
In 1990, another event happened in Bulgaria - the first virus exchange BBS. The idea was that if you uploaded a virus, you could download a virus, and if you uploaded a new virus, you were given full access. This, of course, encourages the creation of new viruses, and gets viruses into wider circulation. Also, the VX BBS offered source code, which makes the technology of writing a virus more widely available.
In the second half of 1990, the Whale appeared. Whale was a very large, and very complex virus. It didn't do very much; mostly, it crashed the computer when you tried to run it. But it was an exercise in complexity and obfuscation, and it arrived in virus author's hands like a crossword puzzle to be solved. Some virus researchers wasted weeks unravelling Whale, although in practise you could detect it with a couple of dozen search strings, and you didn't really need to do any more, as the thing was too clumsy to work anyway. But because it was so large and complex, it achieved fame.
At the end of 1990, the anti-virus people saw that they had to get more organized; they had to be at least as organized as the virus authors. So EICAR (European Institute for Computer Antivirus Research) was born in Hamburg, in December 1990. This gave a very useful forum for the anti-virus researchers and vendors to meet and exchange ideas (and specimens), and to encourage the authorities to try to prosecute virus authors more vigorously. At the time that EICAR was founded, there were about 150 viruses, and the Bulgarian "Virus factory" was in full swing.
1991 - Product Launches and Polymorphism
In 1991, the virus problem was sufficiently interesting to attract the large marketing companies. Symantec launched Norton Anti-Virus in December 1990, and Central Point launched CPAV in April 1991. This was soon followed by Xtree, Fifth Generation and a couple of others. Most of these companies were rebadging other company's programs (nearly all Israeli). The other big problem of 1991 was "glut." In December 1990, there were about 200-300 viruses; by December 1991 there were 1,000 (there may have been even more written that year, because by February, we were counting 1,300).
Glut means lots of viruses, and this causes a number of unpleasant problems. In every program, there must be various limitations. In particular, a scanner has to store search strings in memory, and under DOS, there is only 640KB to use (and DOS, the network shell and the program's user interface might take half of that).
Another Glut problem, is that some scanners slow down in proportion to the number of viruses scanned for. Not many scanners work this way, but it certainly poses a problem for those that do.
A third Glut problem, comes with the analysis of viruses; this is necessary if you want to detect the virus reliably, to repair it, and if you want to know what it does. If it takes one researcher one day to disassemble one virus, then he can only do 250 per year. If it takes one hour, that figure becomes 2,000 per year, but whatever the figure, more viruses means more work.
Glut also means a lot of viruses that are similar to each other. This then can lead to mis-identification, and therefore a wrong repair. Very few scanners attempt a complete virus identification, so this confusion about exactly which virus is being found, is very common.
Most of these viruses came from Eastern Europe and Russia; the Russian virus production was in full swing. But another major source of new viruses was the virus exchange BBSes.
Bulgaria pioneered the VX BBS, but a number of other countries quickly followed. Some shut down not long after they started up, but the Milan "Italian Virus Research Laboratory" was where a virus author called Cracker Jack uploaded his viruses (which were plagiarized versions of the Bulgarian viruses). Germany had Gonorrhea, Sweden had Demoralised Youth, America had Hellpit, UK had Dead On Arrival and Semaj. Some of these have now either closed down or gone underground, but they certainly contributed to the glut problem. With a VX BBS, all a virus author has to do, is download some source code, make a few simple changes, then upload a new virus, which gives him access to all the other viruses on the board.
1991 was also the year that polymorphic viruses first made a major impact on users. Washburn had written 1260 and the V2 series long before, but because these were based on Vienna, they weren't infectious enough to spread. But in April of 1991, Tequila burst upon the world like a comet. It was written in Switzerland, and was not intended to spread. But it was stolen from the author by a friend, who planted it on his father's master disks. Father was a shareware vendor, and soon Tequila was very widespread.
Tequila used full stealth when it installed itself on the partition sector, and in files it used partial stealth, and was fully polymorphic. A full polymorphic virus is one for which no search string can be written down, even if you allow the use of wild cards. Tequila was the first polymorphic virus that was widespread. By May, the first few scanners were detecting it, but it was not until September that all the major scanners could detect it reliably. If you don't detect it reliably, then you miss, say, 1% of infected files. The virus starts another outbreak from these overlooked instances, and has to be put down again, but now there is that old 1%, plus another 1% of files that are infected but not detected. This can continue for as long as the user has patience, until eventually the hard disk contains nothing but files that the scanner cannot detect. The user, thinks that after the virus coming back a number of times, it gradually infected fewer and fewer files, until now he has gotten rid of it completely.
In September 1991, Maltese Amoeba spread through Europe - another polymorphic virus. By the end of the year, there were a few dozen polymorphic viruses. Each of these is classified as "difficult," meaning it takes a virus researcher more than a few hours to do everything that needs to be done. Also, most products need some form of hard coding in order to detect the virus, which means program development, which means bugs, debugging, beta testing and quality control. Furthermore, although a normal virus won't slow down most scanners, a polymorphic virus might.
It was also in 1991, that Dark Avenger announced the first virus vapourware. He threatened a virus that had 4,000,000,000 different forms. In January 1992, this virus appeared, but it wasn't a virus.
1992 - Michelangelo
January 1992 saw the Self Mutating Engine (MtE) from Dark Avenger. At first, all we saw was a virus that we named Dedicated, but shortly after that, we saw the MtE. This came as an OBJ file, plus the source code for a simple virus, and instructions on how to link the OBJ file to a virus to give you a full polymorphic virus. Immediately, virus researchers set to work on detectors for it. Most companies did this in two stages. In some outfits, stage one was look at it and shudder, stage two was ignore it and hope it goes away. But at the better R&D sites, stage one was usually a detector that found between 90 and 99% of instances, and was shipped very quickly, and stage two was a detector that found 100%. At first, it was expected that there would be lots and lots of viruses using the MtE, because it was fairly easy to use this to make your virus hard to find. But the virus authors quickly realized that a scanner that detected one MtE virus, would detect all MtE viruses fairly easily. So very few virus authors have taken advantage of the engine (there are about a dozen or two viruses that use it).
This was followed by Dark Avenger's Commander Bomber. Before CB, you could very easily predict where in the file the virus would be. Many products take advantage of this predictability to run fast; some only scan the top and tail of the file, and some just scan the one place in the file that the virus must occupy if it is there at all. Bomber transforms this, and so products either have to scan the entire file, or else they have to be more sophisticated about locating the virus.
Another virus that came out at about that time, was Starship. Starship is a fully polymorphic virus (to defeat scanners), with a few neat anti-debugging tricks, and it also aims to defeat check-summers with a very simple trick. Checksumming programs aim to detect a virus by the fact that it has to change executable code in order to replicate. Starship only infects files as they are copied from the hard disk to the floppy. So files on the hard disk never change. But the copy on the floppy disk is infected, and if you then copy that onto a new hard disk, and tell the check-summer on the new machine about this new file, the check-summer will happily accept it, and never report any changes. Starship also installs itself on the hard disk, but without changing executable code. It changes the partition data, making a new partition as the boot partition. No code is changed, but the new partition contains the virus code, and this is run before it passes control on to the original boot partition.
Probably the greatest event of 1992 was the great Michelangelo scare. One of the American anti-virus vendors forecast that five million computers would go down on March the 6th, and many other US vendors climbed on to the bandwagon. PC users went into a purchasing frenzy, as the media whipped up the hype. On March the 6th, between 5,000 and 10,000 machines went down, and naturally the US vendors that had been hyping the problem put this down to their timely and accurate warning. We'll probably never know how many people had Michelangelo, but certainly in the days leading up to March the 6th, a lot of computers were checked for viruses. After March 6th, there were a lot of discredited experts around.
The reaction to the Michelangelo hype did a lot of damage to the credibility of people advocating sensible antivirus strategies, and outweighed any possible benefits from the gains in awareness.
In August 1992, we saw the first serious virus authoring packages. First the VCL (Virus Creation Laboratory) from Nowhere Man, and then Dark Angel's Phalcon/Skism Mass-Produced Code Generator. These packages made it possible for anyone who could use a computer, to write a virus. Within twelve months, dozens of viruses had been created using these tools.
Toward the end of 1992, a new virus writing group called ARCV (Association of Really Cruel Viruses) had appeared in England - within a couple of months, the Computer Crime Unit of New Scotland Yard had tracked them down and arrested them. ARCV flourished for about three months, during which they wrote a few dozen viruses and attracted a few members.
Another happening of 1992, was the appearance of people selling (or trying to sell) virus collections. To be more precise, these were collections of files, some of which were viruses, and many of which were assorted harmless files. In America, John Buchanan offered his collection of a few thousand files for $100 per copy, and in Europe, The Virus Clinic offered various options from £25. The Virus Clinic was raided by the Computer Crime Unit; John Buchanan is still offering viruses for sale.
Toward the end of 1992, the US Government was offering viruses to people who called the relevant BBS.
1993 - Polymorphics and Engines
Early in 1993, XTREE announced that they were quitting the antivirus business. This was the first time that a major company had given up the struggle.
Early in 1993, a new virus writing group appeared, in Holland, called Trident. The main Trident author, Masouf Khafir, wrote a polymorphic engine called the Trident Polymorphic Engine, and released a virus that used it, called GIRAFE. This was followed by updated versions of the TPE. The TPE is much more difficult to detect reliably than the MtE, and very difficult to avoid false alarming on.
Khafir also released the first virus that worked according to a principle first described by Fred Cohen. The Cruncher virus was a data compression virus, that automatically added itself to files in order to auto-install on as many computers as possible. Meanwhile, Nowhere Man, of the Nuke group, had been busy. Early in 1993, he released the Nuke Encryption Device (NED). This was another mutator that was more tricky than MtE. A virus called Itshard soon followed.
Phalcon/Skism was not to be left out. Dark Angel released DAME (Dark Angel's Multiple Encyptor) in an issue of 40hex; a virus called Trigger uses this. Trident released version 1.4 of TPE (again, this is more complex and difficult than previous versions) and released a virus called Bosnia that uses it.
Soon after that, Lucifer Messiah, of Anarkick Systems had taken version 1.4 of the TPE and written a virus POETCODE, using a modified version of this engine (1.4b).
Early in 1993, another highly polymorphic virus appeared, called Tremor. This rocketed to stardom when it got included in a TV broadcast of software (received via a decoder).
In the middle of 1993, Trident got a boost when Dark Ray and John Tardy joined the group. Tardy released a fully polymorphic virus in 444 bytes, and we can expect more difficult things from Trident.
The main events of 1993, were the emergence of an increasing number of polymorphic engines, which will make it easier and easier to write viruses that scanners find difficult to detect.
The Future
There will be more viruses - that's an easy prediction. How many more is a difficult call, but over the last five years, the number of viruses has been doubling every year or so. This surely must slow down. If we say 1,500 viruses in mid-1992, and 3,000 in mid-1993, then we could imagine 5,000 in mid 1994 and we could expect to reach the 8,000 mark some time in 1995. Or perhaps we are being optimistic? [KP: The number topped 48,000 in 2000.]
The glut problem will continue, and could get sharply worse. Whenever a group of serious anti-virus researchers meet, we find an empty room, hang "Closed for cleaning" on the door, and frighten each other with "nightmare scenarios." Some of the older nightmare scenarios have already come true, others have not, but remain possibilities. The biggest nightmare for all anti-virus people is glut. There are only about 10-15 first class anti-virus people in the world, and most of the anti-virus companies have just one of these people (some have none). It would be difficult to create more, as the learning curve is very steep. The first time you disassemble something like Jerusalem virus, it takes a week. After you've done a few hundred viruses, you could whip through something as simple as Jerusalem in 15 minutes.
The polymorphic viruses will get more numerous. It turns out that they are a much bigger problem than the stealth viruses, because stealth is aimed at check-summers, but polymorphism is aimed at scanners, which is what most people are using. And each polymorphic virus will be a source of false alarms, and will cause the researchers much more work than the normal viruses. Polymorphic viruses will also continue to get more complex, as virus authors learn the technique, and increasingly try to ensure that their viruses cannot be detected.
Scanners will get larger - more code will be needed because more viruses will need hard coding to scan for them. The databases that scanners use will get larger; each new virus needs to be detected, identified and repaired. Loading the databases will take longer, and some programs will have memory shortage problems.
Users will get a lot more relaxed about viruses. We've long since passed the stage where a virus is regarded as a loathsome disease, to be kept secret. But we're increasingly seeing people who regard a virus on their system with about the same degree of casualness as a bit of fluff on their jacket. Sure, they'll wipe it off, but there's not real need to worry about it happening again. This is perhaps a bit too relaxed an attitude, but what can you expect if a user keeps on getting hit by viruses, and nothing terrible ever seems to result.
The virus problem will be with us forever. It isn't the dramatic, world-shaking kind of problem that Michelangelo was made out to be; nor is it the fluff-on-your-jacket kind of problem. But as long as people have problems with computers, other people will be offering solutions for those problems.
Internet Safety & Security
Anti-virus
• Anti-Virus (AV) software is a must on all of your computers.• AV software can be had for free. The newest versions of Windows have free anti-virus built in now.
• Learn how to use the AV software. It has to be fully enabled, scanning any data entering or leaving your computer - including e-mail.
• You have to actually scan all of your files on a regular basis. This includes any storage media (CD-R/RW/ROM; DVD-R/RW/ROM; floppy; USB drive; etc.) each time it's inserted / connected. This is important so you don't get infected with malware from the media’s source.
• Most AV programs can be configured to scan your hard drive automatically. Just configure the software to scan your files at a time that you won't be using the PC (but it does have to be ON).
• AV software is useless unless it has the latest updates. If a computer has been turned off for days, it is missing vital updates. Leave the computer on for a while to give those updates a chance to download.
• This updating process is usually automated, but be wary of such an important task happening in the background. You may miss the fact that the update never took place - such as if the Internet connection is down or the computer's been off for a while.
Spyware
• Many free downloads whether from peers or businesses come with potentially undesirable side effects.
• Spyware is software installed without your knowledge or consent that adversely affects your computer (although it’s often mentioned in the EULA). Spyware works mostly by monitoring how you use the software itself, or your internet surfing habits which are collected for marketing purposes.
• To avoid spyware, resist the urge to install any software unless you know exactly what comes packaged with it.
• You can install anti-spyware software, which scans for and deletes any spyware programs that may have sneaked onto your computer.
• Be forewarned however, removing spyware may render the software that it came with unusable.
• AV software doesn't necessarily include anti-spyware detection.
• The jury is still out whether spyware is as bad as the hype. I believe most isn't.
• The biggest problem in my opinion is that some things being labelled as spyware should more appropriately be called malware (virus; trojan; worm). This results in spyware getting a bad rap.
Attachments
• Never open an attachment that you are not expecting, even from a sender you know. The sender's email address is easily spoofed. If it's unexpected - suspect it.• Email attachments and embedded web links are the single biggest vector (means) for distributing malware.
Phishing
• "Phishers" send spam or pop-up messages claiming to be from a business or organization that you might currently deal with.• For example, an Internet service provider (ISP), bank, online payment service, or even a government agency.
• The message usually says that you need to "update" or "validate" your account information. The message might threaten some dire consequence if you don't respond. This preys on your mind's inability to reason when it senses danger.
• The message directs you to a website that looks just like a legitimate organization's site, but it isn't.
• The purpose of the bogus site is to trick you into divulging your personal information (by logging in) so the perpetrators can steal your identity and run up bills or commit crimes in your name.
Don't take the bait:
• Don’t open unsolicited or unknown email messages.
• Don’t open attachments from people you don't know or don't expect.
• Never reply to or click on links in email or pop-ups that ask for personal information or offer to fix something on your PC.
• If you are unsure whether an email request is legitimate, try to verify the request by contacting the company directly.
• Do not use contact information provided on a web site connected to the request - check previous statements or other official documents for contact information.
• Information about known Phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
• Be suspicious of unsolicited phone calls, visits or email messages from individuals asking about employees or other internal work information.
• If an unknown individual claims to be from a legitimate organization, verify his or her identity directly with the company.
• Legitimate companies don't ask for personal information or ask for account verification via email.
• Open a new browser window and type the web site address (URL) into the address field, watching that the actual URL of the site you visit doesn't change and is still the one you intended to visit. Most organizations have information on their web sites about where to report problems.
• It is very easy to spoof a web site address (URL), so don’t trust that a labelled link in an email or other message is really taking you to the indicated site. It is always safer (albeit less efficient) to type in a URL than to click a web link from an unknown source.
• If an email offers to take you to a web site you're familiar with, you're better off just navigating to that site on your own by using a bookmark / favourite or typing the URL by hand.
• Mis-spelled URL’s are yet another way to be spoofed into dangerous territory.
Example: www.rbay.com versus www.ebay.com
• IE and Firefox have anti-phishing settings
Embedded code
• Set the default options of your email program to view opened emails as plain text to avoid active web links or pop-up scripts in the messages.
• Embedded code does not have to be clicked on to execute – often just opening an email is enough to execute the code. The email programs most guilty of this are Outlook and Outlook Express.
Spam
• Ask your Internet provider about spam filtering and virus scanning options provided by them, and learn how to use your email client's spam filter.• Keep in mind that spam filters are not perfect and are likely to sometimes filter out legitimate email messages.
• You will find that even with spam filters in place, some spam will still get through. This is because spammers continually come up with clever ways to disguise their spam. One of the most recent ploys is to change the ad inside the message from text to an image.
• Do not reply or attempt to unsubscribe to spam. They use your response as confirmation that they have discovered a working (and therefore valuable to sell) email address.
• If you value the (relative) anonymity of your email address, never leave it on a web site / forum. Spiders regularly comb all web sites looking for email addresses to add to spam lists. If you have to leave contact information in the form of an address, try disguising the address: my first name at that free email service that's 'hot' (get it?).
Preview mode
• To avoid automatically opening messages and risk executing anything embedded, turn off the "Preview Pane" functionality in email programs. At the very least, this allows you to prevent an email message from opening until you are ready to open it.
Web Mail
• Web mail is one of the safest alternatives to using an email client program.• The web mail method keeps the messages and their attachments on the mail server, rather than downloading them to your PC. With web mail, you’re only viewing the messages remotely, not downloading them. Attachments are not downloaded until you specifically and manually instruct it to do so.
• Web mail also offers the added benefit of giving you access to your messages from any internet connection - with traditional email the messages are only accessible from your PC once you retrieve your email.
• Another recent benefit of web mail services is that most of them now automatically scan your messages for viruses, using their own built-in resources.
OS / Software Vulnerabilities
SecurityFocus Home User's Security Checklist for WindowsWindows updates
• As your operating system (OS) matures, security vulnerabilities are discovered and updates are made available by Microsoft / Apple / Etc. to patch those vulnerabilities.• To take the guess work out of the whole issue of updates, make your OS do them automatically - this is usually set up by default.
• If you insist on doing updates manually, find out what updates or patches are available for your OS and your programs (Office, etc.), especially the critical and security-related ones.
• Let your OS find and apply the updates.
• If you ever re-install your OS or any program, make sure you begin the update process right away.
Software updates
• It's important to note that Windows Automatic Updates may do a decent job of updating Windows and its embedded applications (IE, Media Player, etc.), but it probably will not update other programs on your computer - even other Microsoft products like MS Office.• You must find, download and apply these updates yourself.
• This oversight in Windows creates an huge false sense of security and leads to security postures on PCs that are almost as bad as having no updates at all.
• In contrast, the Linux and the MAC OS X operating systems update every program installed on your system, making these operating systems much safer.
Insecure Configuration
The hidden file extension.Windows is configured by default to "Hide file extensions for known file types". Certain extensions are hidden when files are displayed in Windows Explorer / My Computer. This is a horribly dangerous situation. Windows users should re-configure Windows Explorer to show all file extensions. The reason this is a problem is that many email-borne viruses are known to exploit the hidden file extensions option. The first major attack that took advantage of this was the VBS/LoveLetter worm which contained an email attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Other malicious programs have incorporated similar schemes. Examples include:
Downloader (MySis.avi.exe or QuickFlick.mpg.exe)
VBS/Timofonica (TIMOFONICA.TXT.vbs)
VBS/CoolNote (COOL_NOTEPAD_DEMO.TXT.vbs)
VBS/OnTheFly (AnnaKournikova.jpg.vbs)
The files attached to the email messages sent by these viruses may appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types when in fact the file is a malicious script or executable (.vbs or .exe, for example).
Firewalls
A firewall is something that monitors your Internet connection and allows or disallows data to pass based on a set of rules. You can use a hardware (built into a Cable/DSL or wireless router) or software Firewall. I would recommend to use both kinds.
Hardware or Network (Cable / DSL modem)
• The reason I suggest to use both a hardware and a software firewall is that a consumer-grade hardware firewall only stops unwanted incoming connections.• Learn how to use your firewall. This might not be easy. Don't let that deter you.
• You will likely need to do some re-configuration of your firewall if you use certain types of software (like peer to peer file sharing programs) that accept connections from the Internet.
• Home PC Firewall Guide
Software Firewall
Built into Windows
Windows has a built in software firewall which gets better with each new version of Windows. Bear in mind that it only protects against unwanted outgoing connections. If you decide to use something other than the Windows firewall (3rd party software), make sure that you turn the Windows firewall off so that the firewalls don't interfere with each other.
3rd Party
You can get a software firewall free if price is an issue.
Zone Alarm
Comodo
While configuring your firewall, pay as much attention to what you allow out of your network as to what you allow into your network. This is because an infected computer will take advantage of an always-on, high speed Internet connection as a perfect platform from which to launch attacks on other computer systems. This is activity that you may never notice is happening. This describes what is known in the security field as a 'zombie computer'.
Wireless Security
Many people who set up a wireless network in their home have no idea what wireless security is about, how it works or why it's desirable to set it up correctly.• It is a good idea to change the default Service Set Identifier (SSID) of your wireless access point or router from the default (or the one you may have chosen), to something that doesn’t readily identify you.
• It is critical to change the default password for your wireless router / access point to something hard to guess.
• Turn off SSID broadcasting if that is an option. This makes it so that the wireless router doesn't advertise its existence. It's a minor point, but it helps.
• You should encrypt your communications on your wireless network. The best to worst protection is, in order: WPA2 (WPA AES), followed by WPA (WPA-TKIP), WEP 128 bit and the least secure WEP 64 bit. The issue is that while the latest and most secure encryption / protection options might be available on your wireless router, they might not be supported by the device(s) you are connecting to the wireless network.
• To protect your wireless network from rogue devices connecting to it, set the DHCP options to only offer IP addresses for the same number of wireless devices / computers that you have on your network. For example, if you have 4 computers set it to 101-104. The only thing is that you'll have to remember that anything new you buy will not be able to connect until you adjust this setting.
• An even better method of protecting your wireless network from rogue connections is to use MAC filtering if it is possible. See below ‘How to find your MAC address’.
• Always enable your router’s built-in firewall to restrict unwanted access to your network from the internet.
• Consider turning your access point off when it is not being used for extended periods.
• Most Access Points are configured to use channel 6 by default. Try using an alternate – channel11 offers the least interference.
• Keep your wireless system patched and up to date.
WEP - (Wired Equivalent Privacy) was intended to make a Wireless / Wi-Fi network difficult to penetrate, but vulnerabilities were discovered very quickly in WEP, making it about as useful as the luggage lock that comes with a suitcase.
WPA / WPA2 - (Wi-Fi Protected Access/Wi-Fi Protected Access 2) WPA/WPA2 addresses the security issues of WEP. WPA utilizes just a passphrase, although the underlying technology actually makes it harder to crack than WEP.
How to find your MAC address: From the Windows Start Menu, Run and type ‘cmd’. This opens a command prompt. Type ipconfig /all. The ‘physical address’ is your MAC address.
Links: Wireless Security by Bob Rankin
Securing your Netgear wireless router
Wireless networking made easy
Passwords
• Come up with a password that is sufficiently complex, yet easy to remember.• The longer a password is, the more difficult it will be to guess. A length of 8 characters is good, 12 is better - this is why pass phrases are becoming more commonly recommended.
• A good password will have many random combinations of upper and lower case letters, numbers and even symbols.
• One method for creating good passwords involves using the first letter from words in a phrase and changing the case of some letters and some of the letters to numbers and symbols. For example, "There is a lot of money in the lottery" could become T1@lomitL . The phrase itself is easy to remember, but guessing that particular password is difficult.
• Do not use one password for everything - if the password is compromised, so is everything you use it for. Having said that, it is OK to share a password amongst web sites that only offer a simple anonymous service access, like a news site or basic forum. But if the site involves using or offering access to personal information (online shopping or banking), do not use a shared password.
• Don't write passwords down where they can be found - this includes in an obvious file on your PC (such as 'passwords.docx').
• It is not wise to let your web browser remember your passwords for you to access web sites. This convenient yet dangerous feature makes it possible for anyone to sit down at your computer and connect to a web site / account as if they were you. Worse, the passwords are stored on your computer in a manner that they can be easily copied.
Browser Security
How to configure Internet Explorer security.
IE Security Settings
• A Web browser can run malicious applications on your computer without you knowing - if you don't have it configured correctly.
• The easiest way to make your online browsing experience a little more secure in one easy step is to switch from using Microsoft's Internet Explorer to Mozilla Firefox, Google Chrome or any other non-Microsoft browser.
• Internet Explorer (IE) has a horrible security track record. IE often makes things too easy for attackers by letting special and potentially malicious content (Active X, java, scripting, etc.) run on your machine without you knowing - unless you have disabled all these functions.
• Disable Java, Javascript and ActiveX if possible, but keep in mind that doing so may prevent web sites you depend on from working correctly - or at all.
Alternate Browsers• Using Firefox, Chrome, or Edge instead of IE lets you avoid many of IE's security issues altogether and still offers a very nice browsing experience.
• You can still have multiple Web browsers on your computer. Some sites for example, will only work properly with Internet Explorer. Use IE for those sites and then go back to your alternate browser for your regular browsing.
Browser Hijacking
If your browser seems to be diverting your search site to something other than what you normally use, or if pop-ups appear even when you visit sites that normally don’t suffer from pop-ups, or if your home page has been changed without your doing, your browser may have been hijacked.
Hijacked browsers are often difficult to fix and usually require help from a professional, but they are repairable in most circumstances.
Once a browser is fixed, consider using a browser that is less prone to hijacking – like Firefox, Chrome or Opera.
Pop-ups
You must be extremely cautious of any pop-up. Even though some pop-ups are just harmless ads, it’s the malicious ones you must never click on. These include pop-ups announcing your computer status, or offering a fix to a computer problem, or announcing that you’ve won something, etc.
Pop-ups are a normal side effect of certain web sites, but if pop-ups are appearing when your browser isn’t even open, or when you browse sites that normally don’t offer pop-ups (like Google), your browser may be hijacked.
It is very important to understand that if a pop-up appears out of nowhere indicating that there is a security issue with your computer, offering that if you download a program, that it will automatically fix it - it's a scam. Never, ever fall for this. Estimates indicate that there were 9,287 bogus anti-malware programs in circulation in December 2008. Some of these programs are nasty. Internet Antivirus Pro software displays fake Windows security messages to trick people into thinking the product is legit. It also contains a password stealer that watches where people go online and grabs their login credentials.
Chaperoning your Web Browsing
It’s impossible for the average user to know the difference between an uninfected web site and an infected one. As a result, many security product companies now offer to help chaperone your web browsing experience. One example is McAfee’s Site Advisor plug-in for your browser.
Firefox has an option built in that will tell you if the site you’re visiting is a suspected forgery, based either on a list Firefox provides, or you can ask it to use Google to automatically check.
Cookies
• Cookies get a bad rap.
• There are a number of utilities that offer to delete them for you - but is this really necessary?
• Cookies are used by the web sites you visit to anonymously identify you. They do this in an effort to make return visits to the same web site more personal by remembering your preferences.
• Cookies are also used to track what ads are being placed in your browser window and whether you click the links that are presented to you in those ads.
• Many folks go around paranoically (new word) deleting cookies, but this is fruitless. As soon as you surf to the next web page, the cookies start piling up again.
• Deleting cookies not only makes visiting certain sites behave like you've never been there before, in some cases the lack of a stored cookie may render the site inoperative for security reasons – this is especially true of work related web sites.
Shopping Online
Credit Card Use• Using a credit card online is much safer than most people think.
• As long as your browser is in secure (encrypted) mode while credit card numbers and other pieces of personal information are transmitted (the browser lock icon is visible), you're fine - interception is highly unlikely.
• In fact, the real danger is not what you'd expect. What consumers should really worry about is whether the entity at the other end of the transaction is trustworthy or not. What does the vendor do with all that personal information once it's in their hands?
• For folks who still have reservations about online credit transactions - one sensible safeguard is to consider getting a separate credit card with a low limit just for online shopping.
Paypal
• The safety of using PayPal online is no different than a credit card, except that PayPal is usually tied to more than one source of money (it may have ties to both your credit card and bank account).
• Reduce the risk by limiting what PayPal is connected to.
• Only use PayPal to pay at trusted online vendors.
Personal Information on your Computer
Sensitive Files
• Ask yourself: "Is there any information stored on my computer that I wouldn't want to lose or that I wouldn’t want falling into the wrong hands?" (workplace information, sensitive work content, pictures, sensitive personal messages or documents, financial information, personal contacts, passwords, personal identification, etc.)
• If the answer to the last question is 'yes', is the computer's hard drive the appropriate place to store this sensitive data? Valuable data can be lost to a complete hard drive failure, a power surge or even theft. Consider storing very important and highly sensitive information on something other than your hard drive (USB memory stick, CD-ROM, DVD-ROM, USB external hard drive).
• Personal information should be hidden, encrypted or better yet - removed from the PC altogether.
• A very popular mobile storage solution of late is the USB memory stick - and they have become quite inexpensive. These are a great way to transport information between computers but are not the best choice for long term storage.
• Make backups of anything you can't replace (Windows and software can always be re-installed - but documents, pictures, music, etc. cannot). Storage media is too cheap these days to ignore the option of backups.
Physical Security
• Laptops are a double-edged sword when it comes to security. On the one hand, they are portable, making them easy to take with you. On the other hand, from a thief’s perspective, they are portable, making them easy to steal.
• Laptops should be locked to an immovable object with a security tether.
• Laptops should never be left unguarded, even for a moment. That’s all it takes. A thief will not look any different from a legitimate laptop owner whilst carrying your stolen laptop and can easily hide the laptop in a backpack or briefcase.
• Since laptops are easily stolen, measures should be taken to protect the data that is stored on the laptop's hard drive. All business laptops should employ hard drive encryption to protect company data. This adds another layer of security so that anyone with a stolen laptop in their possession can only format the hard drive, they cannot access any data stored on it without the password. Security FOBs can also be used to protect the laptop - you need both the login credentials and the FOB to access the laptop's programs and data.
• Storage media deserves protection too. CD-ROM / DVD-ROM discs containing sensitive information must be guarded. Memory sticks may be potentially storing important data and are easily stolen.
Address Book
• The problem with the Windows / Outlook address book is that the people who write malware know exactly where its files are located on the computer and this makes it easy to create malware to harvest the address book’s contents.
• I solve this problem by using an Excel spreadsheet with an obscure filename to store all of my contact info and saving frequently used (but not sensitive) email addresses within my web mail services.
Parental Controls
• There are inherent weaknesses in relying on software to babysit childrens’ web surfing habits.• For one, all parental control software can be defeated. So in the end, relying on it leads to a false sense of security.
• Second, using this type of software sends the wrong message to our children - that there is an automated, non-human, blanket solution to every problem. It also indicates a lack of trust.
• Third, parental control software is going to prevent your children from accessing many perfectly legitimate web sites (the software is notorious for producing false positives). Worse, the software will not prevent them from accessing all objectionable sites (false negatives). The false negatives are much more common than the false positives. This is because web site owners know how to circumvent the detection methods of the software.
• Fourth, it has been shown that some parental control software actually monitors child Instant Messaging and Facebook chat content and sells this information to marketing companies.
• The best way to protect your child from objectionable content online is to actually supervise their online activity. By this I don't mean look over their shoulder every second, I mean keep their computer in an area where they can be seen – where you are likely to appear at any time without warning.
• If you feel they can be trusted to surf in private (such as behind a closed bedroom door), then they don't really need any controls whatsoever.
• Would you trust a computer program to decide who your children can play with? If you answered no, then why would you trust it to determine what they can surf online?
• Many parents don't stop to consider that all of the best parental control software in the world installed at home will not prevent your children from accessing objectionable material while they are at school, at the library, at a friend’s house or at an internet cafĂ©. Then, there's mobile access from phones. It's a battle you cannot win.
Malware and their sources
File Sharing / Peer to peer / Bittorrent - File-sharing can give people access to a wealth of information, including music, games, and software. Special software connects your computer to an informal network of other computers running the same type of software. If you don't check the settings, you could allow access not just to the files you intend to share, but also to other information on your hard drive, like your tax returns, email messages, photos, or other personal documents. In addition, the endless collections of files you can find online are seeded with malware pretending to be something else. These are but some of the risks associated with file sharing.The Weakest Link
Many firms around the world today are coming to terms with the importance of protecting their intellectual assets. But while information security finally seems to be getting the attention it deserves, many seem to be focusing all their solutions onto one area. I speak of course about network security. But this is only part of the picture. Unfortunately we seem to be ignoring the method of protection that is hardest to implement, yet the easiest to bypass. You can have the strongest network security technologies and still have a big gaping hole in your defenses. That is because the people who try to break into your systems have known for a long time that it is often easier to use your own employees as the method of intrusion. A good analogy for this would be if you set your home intrusion alarm to protect against someone getting in without your knowledge. Unbeknownst to you, one of your children has disabled your alarm after you've gone to bed in order to let one of their friends inside later in the evening.
In this article, I would like to raise your awareness of some threats to your information that cannot be stopped using network security technology. Most of these fall into the categories of social engineering and/or physical security.
Someone who wants access to your company's information may realize that trying to hack your network could be too inefficient. There are much easier ways to get access to your information that don't even require having knowledge of your network and its security features. Let me give you some examples.
If I want access to your premises, I only have to get my hands on the uniform of a utility worker, or technology support person, like someone from the telephone company or a photocopier repairperson. Once in your reception area, I will likely not be challenged trying to access an area of the company containing workstations or servers. This is especially true if I look the part, carry the right tools and have an air of determination about me. Fake support people have been known to have great success sitting at a workstation, accessing data during times of chaos, such as during department moves, after power failures, etc.
If my goal is to access company information you might think I will require a lot of time on premises. You would be wrong. All I need is three to five minutes in an unoccupied room with a live network connection. I could leave behind a small laptop computer running a network-sniffing program that would capture enough information about your network to make it easy for me to access it from a place and time of my choosing. This assumes I am connecting to a hub versus a switch. But with a little more planning I could leave the laptop plugged into your switch or router in the cable closet, as long as it was out of sight. I could walk in, leave the laptop under a pile of stuff or behind a rack for a day or so and then I would come back and retrieve it just as easily.
If I did manage to get inside your company, I could do something as simple as attaching a keystroke-capturing device to a workstation's keyboard. This would capture all of the user's keystrokes including their username and password. I would of course have to come back to retrieve this device. But if I got caught under someone's desk, it's not likely they would suspect I was meddling with their PC, just retrieving a dropped tool.
If I need to access information belonging to a specific individual within your company I may have a unique and creative method at my disposal if this individual works on a laptop computer. I'll just come in and steal the laptop. It's very unlikely that I will be challenged leaving your company with a laptop under my arm as it probably happens all the time, let alone if I conceal it inside a briefcase or backpack.
Speaking of passwords, using hi-tech methods to try to capture a password from a keyboard are often unnecessary considering the foolish things users often do at their desks. For example, rather than memorizing their passwords, users will often write them down and leave them in a place that is easy to find. I have lost count of how many passwords I have found on sticky notes attached to monitors, under keyboards, inside drawers, on the backs of picture frames and so on.
While doing a practicum at a company that provides network and hosting services, I was employed in their network operations center. After earning a high level of trust amongst the administrators, I was left to manage the center while the remainder attended an important function. The previous evening, they had changed the administrator password on all of the servers. Of course they forgot to tell me, which was going to make my life difficult trying to log into all of the servers to do my work while I was there alone. Fortunately, they left me many clues that helped to solve my problem. First, I discovered a note describing the transposition of certain letters to numbers such as "3" instead of "e". If you are familiar with "l33t speak" you know what I'm talking about. This had been left in plain sight beside one of the servers. I continued to look around and eventually found a piece of paper in the garbage with the new password written on it in plain text. Having all the information I needed, I transposed the plain text password into l33t speak and I tried it, with complete success. The other administrators were quite surprised to find that I was able to log into all the servers without any trouble, after realizing they had never told me the new password. They had already forgotten that they had left behind all the clues I would need.
If obtaining a uniform would be too difficult or breaching the premises as a service person would be next to impossible, it may actually be easier to gain access by following an authorized employee through a door. Again, this would be rather easy if I look like I belong there, by dressing and acting the part. All I would need is a few days to study the culture of your employees. It is human nature to be polite and offer to hold the door for someone who was following him or her through it. Getting back to the preparation that would be required, I may need to spend a few days hanging around so that your employees get used to my presence. Contrary to what you might think, I am actually going to go out of my way to talk to various people. This adds to the illusion that I belong. I may spend some time in the nearest coffee shop or restaurant. That way, once I find a way inside it is less likely that I will be challenged by anyone.
In the previous examples, I actually had to show up at your company. But in reality, I may not have to go there at all. I may just call one of your employees who I suspect knows little about security or systems support and convince them to give me their username and password. How would I do that? All I would have to do is say that I am Fred from IT. If your support person asked you for your username and password so that they could fix your account you'd give it to them wouldn't you? I hope your answer to the last question was no. If your company has in place a method of connecting to the network from home, a username and password may be all I need.
But I have the other methods of gaining access to your information that would boggle your mind. There are methods of capturing the radiation from a video monitor and using it to recreate what a user is seeing on their screen. This can be done from a fair distance, perhaps your parking lot or an office on another floor of your building. While we're talking about radiation, let's not forget analog cell phone use or even cordless phones within the company. Now of course wireless networks have created perhaps the easiest method of accessing information in the history of networking. This is mostly due to the fact that most users of wireless networks have no idea how patently insecure they are nor do they know enough about the simple methods that can be used to secure these networks, even in a basic way. For this reason alone, wireless infrastructure should never be used on a network that is used to carry or connect to critical data. Unfortunately, there are times users have extended their connection to the corporate network with OTS (off-the-shelf) wireless hardware and the company doesn't even know it's happening. The technology to operate a wireless network more securely is coming in short order, but in the meantime I would advise against it.
Now you're probably thinking this is an awful lot of trouble to go through just to get access to corporate information. While all these cloak and dagger techniques may have been limited at one time to governments and the military, corporate secrets are being sought from the competition all the time. After all, is there an easier way to level the corporate playing field?
So what's a poor company to do about all of this nonsense? The answer is simpler than you might think. It's called awareness and education. Users at every level need to be indoctrinated with basic security skills and knowledge. It starts at the Receptionist's desk. Nobody should be allowed beyond the foyer unless they can produce valid identification and their purpose at your company can be validated with a phone call to that person's boss or a known contact within your company. Employees throughout the company must be trained to be on the lookout for people who don't seem to belong there. They need to be taught that it is just as important to protect a strong password from falling into the wrong hands, as it is to have a strong password to begin with. They need to be aware that the support department is never going to ask them for their username and password since they have the power to completely control their account, including changing and or resetting a password at any time. They need to understand the dangers of opening attachments in an e-mail message, even if it is from someone they know. And they need to understand why it is possible for an e-mail from someone they know to be infected. You may have prohibited the use of instant messaging programs or any software that could be used to bypass the security features built into your network. The users in your company may not know why these programs are not allowed. In their mind, it's just another example of the fun police in action.
All of your employees need to be empowered with the mission to strengthen its security. After all, even if an employee is aware of what steps they need to take to help keep the company secure, they will resist doing so if they do not feel it's in their best interest. Employees will also resist any security measure that is too impractical or inconvenient. For example, you'll likely have a mutiny on your hands if you were to impose a 24 character password that expires every other day.
The best way to handle this is to take steps to make your employees part of the solution instead of part of the problem. Many companies around the world are learning this lesson and making employee-driven security initiatives profitable for the employees themselves. For example, if an employee does something that directly prevents a security breach; they can be offered a substantial cash reward, say $10,000. This may seem excessive, but imagine how many millions of dollars you could potentially lose if someone succeeded in accessing your corporate information. This is the kind of plan that puts responsibility for security back in the hands of the people who can contribute the most.
When it comes to security, your employees may be the weakest link. With logical, enforceable security policy and solid security training this link can be transformed into one of the strongest.
Subscribe to:
Posts (Atom)
