MALWARE HISTORY

From Michelangelo to Self-Mutating Engine

1992 opened with a large-scale security threat signed by the Bulgarian programmer Dark Avenger. Just as he had promised a year earlier, the virus writer was about to introduce a new mutating algorithm, but he decided to roll it out gradually.

The first creation to emerge in 1992 was a simple virus, known as MtE.Dedicated.A, followed by the Self-Mutating Engine (MtE). The Engine was nothing but a polymorphic generator, a tool that could be linked into other viruses to make their code change from one copy to the next. Dark Avenger delivered his creation together with exhaustive documentation, an OBJ file and the source code of a simple virus. The new package made writing malware a lot easier, but at the same time antivirus researchers started working on a detector for it.

Security experts estimated that there would be plenty of viruses built on top of the Self-Mutating Engine, but malware authors quickly realized that a virus scanner able to detect the MtE would easily "catch" all of its derivatives. (At the moment, there are only a few viruses built with the Self-Mutating Engine, far fewer than initially estimated.)

However, the MtE was only the starting point for a whole new series of polymorphic generators that scared not only average computer users, but many antivirus companies as well.

Right as the Self-Mutating Engine hysteria was about to calm down, a new plague hit the industry on March 6th. Detected since 1991, the Michelangelo virus was expected to set off on that date and infect over 5 million machines (the scary estimate pushed almost every PC user into buying specialized antivirus software). In spite of all the fears, the virus proved to be much ado about nothing, as it only managed to infect a few thousand machines.

Michelangelo was a boot-sector virus that operated at the BIOS level. It would stay dormant until the system date changed to March 6th, the artist's birthday. Although the virus is not associated in any way with the Renaissance artist, it got its name from the fact that it unleashes its payload on the day Michelangelo was born.

Another interesting hypothesis assumes that the virus is a variant of the already notorious Jerusalem B (also known as Friday the 13th). Users who thought they could fool Jerusalem by changing the system date on the twelfth would in fact unleash Michelangelo.

This year was also the time when the first anti-antivirus piece of malware was introduced. Also known as Peach, the malicious application would check whether Central Point AntiVirus was already present on the computer and, if it found it, delete the change inspector database. When the antivirus was unable to locate its database files, it would act as if it had been started for the first time and reconfigure itself, baselining the already infected files as clean. The virus was thus able to slowly but surely infect the entire system without a problem.
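The failure mode in the Peach story is a change inspector that silently rebuilds its baseline when its database goes missing. The following is an added example, not code from the original article or from any antivirus product: a minimal file integrity checker with the weak behaviour beside a hardened one that treats a missing or unreadable baseline as a finding in itself and only re-baselines on an explicit operator decision. The directory layout, file names and the "VIRUS" marker are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def build_baseline(root: Path) -> dict:
    # Map each file (relative path) under root to its SHA-256 hex digest.
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff(old: dict, new: dict) -> list:
    # Report files whose hash changed, files not in the baseline, and files gone.
    out = [f"MODIFIED {n}" if n in old else f"NEW {n}"
           for n, h in new.items() if old.get(n) != h]
    return out + [f"DELETED {n}" for n in old if n not in new]

def weak_check(root: Path, db: Path) -> list:
    # Behaviour the article attributes to CPAV: no database means "first run",
    # so a fresh baseline is written from the current state and nothing is reported.
    if not db.exists():
        db.write_text(json.dumps(build_baseline(root)))
        return []
    return diff(json.loads(db.read_text()), build_baseline(root))

def hardened_check(root: Path, db: Path, allow_init: bool = False) -> list:
    # A missing or unreadable baseline is itself an alert; only an explicit
    # operator decision (allow_init=True) may create a new one.
    try:
        old = json.loads(db.read_text())
    except (FileNotFoundError, ValueError):
        if allow_init:
            db.write_text(json.dumps(build_baseline(root)))
            return []
        return ["ALERT baseline missing or corrupt; refusing to re-baseline"]
    return diff(old, build_baseline(root))

def demo() -> tuple:
    # Constructed scenario: baseline, then one file is "infected", then the
    # database is deleted the way Peach did. Returns (before, weak, hardened).
    with tempfile.TemporaryDirectory() as d:
        root, db = Path(d) / "sys", Path(d) / "chklist.json"
        root.mkdir()
        (root / "command.com").write_bytes(b"clean program image")
        hardened_check(root, db, allow_init=True)   # operator creates baseline
        (root / "command.com").write_bytes(b"clean program image VIRUS")
        before = hardened_check(root, db)      # baseline intact: change is seen
        db.unlink()                            # the anti-antivirus step
        weak = weak_check(root, db)            # silently re-baselines, reports nothing
        db.unlink()
        hardened = hardened_check(root, db)    # refuses to re-baseline and alerts
        return before, weak, hardened
```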

The summer of 1992 brought another wave of concern, as two new virus construction kits appeared on the underground market. The VCL (Virus Creation Laboratory) from Nowhere Man and PS-MPC (Phalcon/Skism Mass-Produced Code Generator, another creation of the same Bulgarian malware writer known as Dark Avenger) allowed malware writers to build security risks by simply adding malicious payloads to pre-written code. Within a single year, a couple of dozen viruses were built using the new one-click-virus technology.

Later in 1992, a new malware group appeared in England. The so-called ARCV (Association of Really Cruel Viruses) was hunted down by the newly established Computer Crime Unit of New Scotland Yard, but in its short-lived history (it took Scotland Yard only three months to locate and arrest the group of malware authors) the organization was able to deliver about a hundred new viruses to the world.

Moreover, selling malware quickly became a fully-fledged business, as a couple of underground programmers started selling virus collections. For instance, US resident John Buchanan offered his collection of a few thousand files for as much as $100, while the European Virus Clinic would let its customers pick the desired malware for about $25. Given that the Virus Clinic was located in Europe, it got a visit from the Computer Crime Unit and was shut down thereafter.

Another kind of virus made its debut in 1992, as the Microsoft Windows operating system gained ground among computer users. Win.Vir_1_4 was the world's first virus designed to infect Windows executable files. Even though its author had made some programming mistakes that rendered it rather harmless, it is an important step in the evolution of malware as we know it today.

1993 was dominated by polymorphic viruses produced by a wide range of polymorphic generators and constructors. On top of that, malware authors started several electronic magazines dedicated to writing and spreading malware. The increasing number of stealth viruses made it clear that malware authors had quit vandalizing for fun and were planning their creations to bring them as much gain as possible.

The new year brought the PMBS virus, which worked in the protected mode of Intel 80386 processors. This dangerous, memory-resident boot virus copied itself into extended memory, then switched the infected system into protected mode and ran it inside a virtual 8086 (V86) machine. When that was not possible, the computer would hang with an error. Although the virus itself contained some programming errors, it was yet another threat available in the wild.

A new malware community was established in Holland under the Trident moniker. Its members came up with a new polymorphic engine called the Trident Polymorphic Engine, and then with a fully operational virus (TPE.Girafe). The Trident Polymorphic Engine was harder to detect with antivirus scanners, which would often trigger false alarms instead. It seems that the main Trident programmer, Masouf Khafir, built his BAT.P2P.Cruncher virus following the principles described by Fred Cohen. BAT.P2P.Cruncher was a data compression virus that automatically appended its code to other files in order to install itself on as many computers as possible.

Nuke member Nowhere Man released the Nuke Encryption Device (NED), another mutation engine that seemed to work even better than Dark Avenger's Self-Mutating Engine. Itshard was the first virus built using the new mutation technology.

On the other side of the fence, the antivirus industry released the first wild list, comprising all the viruses that had been spotted "in the wild". ("In the wild" viruses are actively infecting production systems across the world and try to replicate in live environments. This category is the opposite of the so-called zoo viruses, pieces of malware that are built inside laboratories for educational and research purposes.) Another major achievement in the battle against malware was the release of the GDE (Generic Description Device), a complex tool able to recognize polymorphic viruses.

Early in spring, Microsoft started its own antivirus business, called Microsoft AntiVirus (MSAV). The new product was based on the former Central Point AntiVirus (CPAV) and was bundled with the company's MS-DOS and Windows operating systems. Although in its early days the product had been rated as highly effective, it could not keep up with the upcoming security challenges and was ultimately discontinued.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.