MALWARE HISTORY

The Nineties: Malware Creators Start Building Communities

Writing malware became more of a fashion in the new decade, and "outlaw" programmers started building communities dedicated to the activity.

Antivirus manufacturers quickly realized that the rules of the game were about to change in a way that would render string scanners useless. Mark Washburn had already proved as much with his polymorphic creations built on top of Vienna. The new tricks included encrypting the whole virus except for a small portion that acted as the decryptor, so in order to detect such malware efficiently an antivirus engine had to run a series of logical tests on the file to figure out whether a given run of bytes could be part of a decryptor. The technology involved was extremely complicated and exceeded the resources of two- or three-employee antivirus companies. At that time many security software vendors relied heavily on third-party search strings delivered by the IBM scanner or via the Virus Bulletin newsletter, or even obtained by reverse-engineering competing products.
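To make the point concrete, the following is an added example (it is not code from the article and not Bitdefender's or any real engine's code): a constructed "body" is stored behind a toy decryptor header and XOR-encrypted with a different key in each sample, so every file differs byte-for-byte. A plain substring scanner carrying a signature for the plaintext body finds nothing, while a scanner that performs the logical test the paragraph describes (recognise the decryptor layout, reproduce what it would do to the bytes, then scan the recovered plaintext) detects every sample. The header layout, the XOR scheme, the body bytes and the signature are all constructed for the demonstration; real engines emulate the decryptor's instructions rather than parse a fixed layout.

```python
# Added example: why string scanning fails on an encrypted, polymorphic-style
# body and how a decryptor-aware scan still detects it. Everything here is
# constructed; the "stub" layout is not any real instruction encoding.

# Constructed stand-in for the virus body: identical plaintext in every sample.
BODY = b"PAYLOAD-BODY-MARKER-CONSTRUCTED"

# The search string a 1980s-style scanner would carry for the plaintext body.
SIGNATURE = b"BODY-MARKER"

# Toy decryptor header (constructed):
#   magic 0xDE 0xC0 | key (1 byte) | body length (1 byte) | encrypted body
STUB_MAGIC = b"\xde\xc0"


def make_sample(key: int, body: bytes = BODY) -> bytes:
    """Build one test file: decryptor header followed by the XOR-encrypted body.

    A different key yields a byte-different file with identical behaviour,
    which is exactly what defeats a substring match on the body.
    """
    encrypted = bytes(b ^ key for b in body)
    return STUB_MAGIC + bytes([key & 0xFF, len(body)]) + encrypted


def string_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Plain string scanner: raw substring match against the file bytes."""
    return sig in sample


def decryptor_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Decryptor-aware scan: apply logical tests to the file first.

    1. Does the file start with something that looks like our decryptor?
    2. Are the key and length fields consistent with the file size?
    3. Reproduce the decryptor's effect and scan the recovered plaintext.
    """
    if len(sample) < 4 or not sample.startswith(STUB_MAGIC):
        return False
    key, length = sample[2], sample[3]
    encrypted = sample[4:4 + length]
    if len(encrypted) != length:      # truncated or malformed file: reject
        return False
    plaintext = bytes(b ^ key for b in encrypted)
    return sig in plaintext


def compare(keys) -> dict:
    """Run both scanners over a corpus built with the given keys."""
    samples = [make_sample(k) for k in keys]
    return {
        "distinct_files": len(set(samples)),
        "string_hits": sum(string_scan(s) for s in samples),
        "decryptor_hits": sum(decryptor_scan(s) for s in samples),
    }


if __name__ == "__main__":
    # Four keys, four byte-different files; only the decryptor-aware scan
    # recognises all of them.
    print(compare([0x11, 0x42, 0x7F, 0xA5]))
```

The `decryptor_scan` check on the length field is the part a practitioner should keep in mind: a scanner that trusts header fields blindly can be pushed into reading past the end of the file or into decrypting garbage, so every value taken from the file is validated before it is used.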

Polymorphic viruses, however, played by other rules, and no antivirus was available to protect users from the new threat. To make things worse, Washburn published the source code of his polymorphic creations, and while there were no reports of other viruses reusing the same core logic, a few malware authors did make use of the concept itself.

During the early nineties Bulgaria was one of the hottest locations for malware writers, as a group of enthusiasts set up the first virus exchange bulletin-board system (BBS). The idea behind the BBS was to grant malware authors access to the virus code database only if they uploaded a new virus. Such rules did nothing but stimulate the production of new malware, while the publicly available source code kept being improved.

A couple of new viruses started showing up right after the BBS went online. Most of them came with new features that made them stealthier and more efficient. Some minor viruses, such as Ping-Pong (also known as Bouncing Ball or Italian), only infected the boot sector and then displayed a ball bouncing across the screen.

Polymorphic viruses were by far the toughest security threats, and the USA witnessed an outbreak as Virus-90 and Virus-101 kicked in. Both viruses were written by the same author, who never bothered to conceal his identity. He uploaded the virus to multiple bulletin boards in an attempt to sell the source code for $20. The payload is totally harmless, as infected files only display a message that reads "Infected!" According to the author, the virus is an educational proof-of-concept rather than a fully-fledged virus. Virus-101 is a variant of Virus-90 that adds .EXE infection capabilities.

If Virus-90 was quite harmless, the same cannot be said of the newly introduced Anthrax or V1 multipartite viruses, which were able to infect both files and boot sectors. After successfully infecting a computer, Anthrax would infect .COM and .EXE files, including COMMAND.COM, as well as the Master Boot Record (MBR) and diskette boot sectors. It also wrote a copy of itself to the last sectors of the system's hard drive, overwriting any data stored at those locations. Anthrax's viral code includes text strings written in Cyrillic that allegedly place its author in Sofia, Bulgaria.

The Whale was first spotted in the wild on June 1st 1990. It was an extremely large (hence the Whale moniker) and complex virus that was not overly destructive. Instead, it marked a new step in the evolution of malware, as it came with novel obfuscation techniques to conceal its presence (The Whale is an armored virus, which means that it uses special tricks to make tracing, disassembling and understanding its code more difficult). The Whale took virology by storm, as it could rewrite its own instructions in such a way that it never looked the same twice. The new virus was also the final challenge for simple string scanners, which were simply unable to recognize the virus after subsequent infections.

Another security incident took place in July, when the UK-based PC Today computer magazine shipped its issue bundled with a free floppy disk which turned out to be infected with a copy of Trojan.DiskKiller.B. According to the company, more than 50,000 copies of the magazine were delivered, and about as many computers were taken down by the virus. The memory-resident piece of malware copies itself in three distinct blocks onto the floppy disk or hard disk; these blocks are flagged as bad and skipped during write operations.

DiskKiller's payload kicks in on April 1st, when the virus displays the following text:

Disk Killer —
Version 1.00 by COMPUTER OGRE 04/01/89 Warning!!
Don

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.