MALWARE HISTORY

Security Experts Start Looking for the Antidote

If 1987 was a huge leap in developing and distributing malware, the worst was yet to come in 1988. As the computer industry started to take off, so did malware writers.

The first notable virus outbreak in 1988 was triggered by the Suriv-3 virus on May 13th. The event is also known as Black Friday, and antivirus companies still go on full alert each time the 13th of any month falls on a Friday. Suriv-3 infected many enterprises, government offices and academic institutions around the world, but caused extensive damage in the US, Europe and the Near East.

Following the massive infections of 1987 and 1988, a couple of companies started developing antivirus utilities. However, such small companies, with two to five employees, could only produce simplistic string scanners, able to detect unique virus code sequences. Basic antivirus software was often bundled with immunizers (pieces of software that modified programs in order to trick viruses into thinking that they had already been infected). Although immunizers were highly efficient against specific viruses, they did not offer proactive defense against unknown threats. Moreover, as viruses started to bloom, antivirus companies were unable to issue immunizers quickly enough for all of them.

Although the vast majority of antivirus products were sold for negligibly low prices, computer users did not rush to get protected. In addition, antivirus software could not be updated easily, as the Internet was still in its early days. This meant that new viruses could easily escape string scanners, which only knew the code sequences they had shipped with.
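The two paragraphs above describe the two tools of the era, string scanners and immunizers, and their blind spots. The following toy Python model, added here and not part of the original post, shows both: a scanner that matches fixed byte sequences (and therefore misses a slightly altered variant), and an immunizer that stamps a program with the marker a particular virus checks for, which protects against that virus only. All signatures, markers and samples are constructed for illustration; only the “(c) Brain” label text comes from the page.

```python
# Toy late-1980s antivirus model (added example, not the original author's code).
# Signatures: name -> unique byte sequence a string scanner looks for.
SIGNATURES = {
    "Brain-like": b"(c) Brain",        # volume label text the page mentions for Brain
    "Toy.A": b"\xeb\x1f\x90TOY",       # constructed, hypothetical signature
}

# Immunizer markers: the bytes a specific virus checks for before infecting.
# Only Toy.A has a known marker here; there is none for the Brain-like sample.
IMMUNIZER_MARKERS = {"Toy.A": b"TOY-INFECTED"}  # constructed, hypothetical


def scan(data: bytes) -> list:
    """Return the sorted names of every known signature found in data."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


def immunize(program: bytes, virus: str) -> bytes:
    """Append the marker that `virus` checks for, so it believes the program is already infected.
    Idempotent: a program that already carries the marker is returned unchanged."""
    marker = IMMUNIZER_MARKERS[virus]
    return program if marker in program else program + marker


def is_immunized(program: bytes, virus: str) -> bool:
    """True only if an immunizer exists for `virus` and its marker is present."""
    marker = IMMUNIZER_MARKERS.get(virus)
    return marker is not None and marker in program


# Constructed samples (not real malware, just byte strings for the scanner).
CLEAN = b"MZ\x90\x00clean program body"
INFECTED = CLEAN + b"\xeb\x1f\x90TOY payload"              # exact Toy.A sequence
VARIANT = CLEAN + b"\xeb\x2f\x90TOX payload"               # two bytes changed: scanner misses it
BOOT_SECTOR = b"\xfa\x33\xc0" + b"(c) Brain" + b"\x00" * 8  # carries the Brain-style label


def report() -> dict:
    """Summarise what the scanner and immunizer can and cannot do."""
    protected = immunize(CLEAN, "Toy.A")
    return {
        "infected_detected": scan(INFECTED),
        "variant_detected": scan(VARIANT),        # [] -> unknown variant escapes
        "boot_sector_detected": scan(BOOT_SECTOR),
        "immunized_vs_Toy.A": is_immunized(protected, "Toy.A"),
        "immunized_vs_Brain-like": is_immunized(protected, "Brain-like"),  # no immunizer exists
    }
```

Immunizing against one virus leaves the program exactly as exposed to every other one, which is the limitation the text describes.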

On April 22, the first dedicated antivirus forum went live on the Usenet network. Called the Virus-L forum, it was founded by Ken van Wyk, Fred Cohen’s friend and colleague.

However, virus creators had also begun gearing up for the battle. 1988 marks the birth of a new type of malware: the virus construction kit, designed for the Atari ST. This do-it-yourself utility allowed beginner virus writers to easily build viruses with miscellaneous features through a simple and intuitive interface.

Worm.Macos.Macmag.A was the first important computer virus written for Macintosh computers, and it came with a number of programming innovations that made it extremely efficient. It all began in February 1988, when a file for Apple’s HyperCard software turned up in a CompuServe online forum. When users downloaded and opened it, the file would secretly install a system extension (an INIT resource copied into the System Folder, which means the program is automatically executed on startup) that made the computer display a New Age peace message on every startup. The virus appears to have been written by Artemus Barnoz (known as Richard Brandow; although Brandow claimed authorship, he commissioned the programming to a professional software developer called Drew Davidson) and Boris Wanowitch, who were the editors of both the Canadian computer magazine MacMag and the New Age publication “Computer Graphics Conspiracy”.

The virus was rather harmless, given that its payload would only display a “peace message” that read:

“RICHARD BRANDOW, publisher of MacMag, and its entire staff would like to take this opportunity to convey their UNIVERSAL MESSAGE OF PEACE to all Macintosh users around the world.”

However, the peace message was at least questionable, given the medium the two colleagues used to spread it. The virus went out of circulation on March 2nd, when it would appear once and then delete itself from the infected system. (The date picked by the authors for the final run was not chosen at random: March 2, 1988 was the first anniversary of the Macintosh II line. More than that, a coding bug caused Macintosh II systems to crash.)

History repeats itself, they say, and this seems to have been the case with “Denzuko.A”, a virus written by Indonesian programmer Denny Yanuar Ramdhani. Just as the Reaper would seek and destroy the Creeper virus in the early seventies, Denzuko.A (also known as Den Zuk, with its Ohio and Hacker variants) would look for instances of the Brain virus, then swiftly remove them from the infected computer. However, Denzuko.A was more than an antivirus utility, given that it would replace Brain with copies of itself. The virus lay hidden on track 40 of infected diskettes, but its programmer seems to have made a programming error, since 360KB diskettes only have 39 tracks. More than that, the virus is not able to infect 1.2M or 3.5″ diskettes correctly; instead, it would destroy all the data stored on them. Upon successful infection, Denzuko.A would change the “(c) Brain” label to “Y

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.
