From the first amateur hackers in the 80s till 2011 when international cyber sabotage is a reality, viruses have illustrated the frightening potential of human ingenuity. Here’s a brief look back how computer viruses have evolved through the most important outbreaks of the last 25 years.
The first PC virus
1. Brain, 1986
More than a decade before anyone had ever heard of Napster, the first PC virus was designed to fight piracy. The author who came up with the word “cyber,” William Gibson called Brain “basically a wheel-clamp for PCs.”
Basit and Amjad Alvi created and marketed medical software in Lahore, Pakistan. They were interested in two things. First, they wanted to check the multi-tasking functionality in the new DOS operating system (so-called “TSR” systems). Secondly, they wanted to see if there are security vulnerabilities in DOS compared to other operating systems such as Unix.
When they realized that DOS was quite vulnerable, they had the idea to write a snippet of software that would monitor how the software and the floppy disks move around. Brain spread virally via 3 1/4-inch disks, and within weeks, the Alvi’s had to change their phone numbers.
25 years after the creation of first PC virus, in early 2011, F-Secure’s Mikko Hypponen went to Lahore, Pakistan to visit the address in the code. He found the Alvi brothers still there, running a successful business. The following video includes the first video interview Amjad and Farooq have given about Brain ever.
Some early fun
Most of the early viruses were variations of the same theme: “Gotcha!” Users knew they’d been infected because that was exactly the point. Like a digital pie in the face.
2. Stoned, 1987
Created by a high school student in New Zealand, Stoned was supposed to be harmless. It simply displayed the message “Your PC is now Stoned!” on your screen. However, as the first virus that infected a PC’s boot sector, Stoned established that viruses could control a computer’s function from the moment it turned on. Bob Dylan should be proud.
3. Form, 1990
Form became one of the most widespread viruses ever. On the 18th of each month, it produced a clicking sound from the PC’s speaker whenever a key was pressed. Annoying, but harmless.
Other variations on this early innocent sort of “gotcha” virus included V-Sign, which displayed a V on your screen. The Walker virus showed an elderly man walking across your screen. Elvira scrolled text in the “A long time ago, in a galaxy far, far away” style a la Star Wars. And then there was Joshi. Every year, on the Joshi’s birthday, this eponymous virus displayed a birthday message. The machine refused to boot up until the user typed “Happy Birthday Joshi.”
4. Michelangelo, 1992
Michelangelo would override everything on a hard drive on specified dates. A variation of Stoned with much crueler intentions, Michelangelo was probably the first computer virus that made international news.
5. VCL, 1992
Virus Creation Laboratory made it easy to whip up a malicious little program by automating virus creation using a simple graphical interface.
Early MS-DOS and PC-DOS viruses did some damage to PCs, usually intentionally, but virus writers soon began to actively seek to wreak havoc by actively disabling computers.
6. Happy99, 1999
Happy99 was the first email virus. It greeted you with “Happy New Year 1999” and emailed itself to all contacts in your address book. Like the very first PC viruses, Happy99 did not cause any real damage, though it did spread to millions of PCs around the world.
7. Monkey, 1993
A distant relative of Stoned, Monkey secretly integrated itself into data files and spread seamlessly. It was the early ancestor of a rootkit, a self-concealing program, and it prevented booting from a floppy disk. When it was removed improperly, Monkey prevented any sort of booting at all.
Upgrading to Windows
In the early 90s, viruses became macro viruses and took on Microsoft’s new OS, Windows. Written in the same languages as applications like Microsoft Word, macro viruses appeared in late 1995. In just three months, they became the most common virus type in the world.
8. Concept, 1995
The first virus that infected Microsoft Word files, Concept became one of the most common viruses in the world because it could infect any OS that could run Word. Share the file, share the virus.
9. Melissa, 1999
Allegedly named after a female exotic dancer familiar to the virus writer, Melissa combined a virus and an email virus. It infected a Word file then emailed itself to all contacts in the user’s address book and became the first virus to span the globe in only hours. Melissa combined the jokey motivations of the early virus writers with the destructiveness of the era. This virus inserted comments from “The Simpsons” into users’ documents. Not so bad. But Melissa could also send out confidential information without the users’ notice. D’oh!
Not long after Melissa, Microsoft virtually eliminated macro viruses by changing how its Visual Basic macro language works within Office applications.
Crashing the network
Before firewalls, computer worms generated huge amounts of network traffic, disrupting systems by pure volume. These worms generally did not affect individual users but they could rock the infrastructure of both private businesses and governments.
10. Code Red, 2001
The first worm that spread without requiring any user interaction at all and thus spread around the world in minutes, Code Red hid from detection and carried out various functions on a cycle. On Days 1-19, it spread itself. From the 20th to the 27th, it launched Denial of Service attacks on various addresses including the White House. And from the 28th day till the end of the month, it rested.
10. Loveletter, 2000
The computer worm that broke millions of hearts, Loveletter is still one of the biggest outbreaks of all time. It spread via email attachment and overwrote many of the crucial files on the PCs it infected. This outbreak was an incredible successful attempt at social engineering. Using the promise of love, it convinced millions to open the attachment, causing an estimated $5.5 billion in damage worldwide. Guess there are a lot of people out there looking for a little love.
12. Slammer, 2003
Network worms require just a few lines of code and vulnerability to spark real world trouble. Slammer took down Bank of America’s ATM network and 911 services in Seattle. Even the air traffic control system was not immune.
13. Sobig, 2003
Sobig was a quick improvement on Fizzer (see below). Some versions waited for a couple of days after infecting a machine before turning affected machines into e-mail proxy servers. The result? Massive spam. AOL alone reported stopping more than 20 million infected messages on one day.
14. Mydoom, 2004
Mydoom spread over email and the Kazaa Peer-to-Peer (P2P) network. It set new records but was old school in the sense that the motive wasn’t monetary. Mydoom executed Distributed Denial-of-Service attack on one particular website and opened a backdoor on infected computers, which left the machine open to remote access.
15. Sasser, 2004
Sasser came in through a vulnerable network ports and slowed or crashed networks from Australia to Hong Kong to the UK.
Money. Money. Money.
In the last decade, the motive for virus writing has become obvious: Money. The technology still tends to be variations on a theme, but modern virus writers utilize advanced user psychology and social engineering to draw users into traps that they’d probably been warned about several times.
16. Fizzer, 2003
Fizzer was the first virus designed to make money. It arrived as an infected attachment. Once opened, it took over infected computers and forced them to send spam.
As the real-world impact of viruses was felt in the early 90s, business, government, software makers and the Internet security industry put fires out and collaborated to minimize threats. Virus writers, too, evolved to avoid detection, creating advanced malware that could even be programmed to be patient.
17. Cabir, 2003
The first mobile phone virus in history, Cabir targeted Nokia smartphones running the Symbian operating system. It was spread via Bluetooth and proved that whatever shape PCs evolve into, they will be targeted.
18. SDBot, 2003
SDBot was a Trojan horse that bypassed normal security to secretly control a computer. It created a backdoor that allowed the user to do several things including sniff for passwords and the reg codes of games like Half-Life and Need for Speed 2.
19. Haxdoor, 2005
Haxdoor was another Trojan horse that sniffed for passwords and other private data. Later variants had rootkit capabilities. Even Brain used techniques to cloak itself, but Haxdoor employed far more sophisticated methods. A modern rootkit can turn a computer into a zombie computer that can be controlled without the user’s knowledge, sometimes for years.
20. Sony BMI, 2005
In 2005, one of the biggest record companies in the world had the same idea that the Alvi brothers had in 1986: Use a virus to prevent piracy. On its audio CDs, it included a music player program and a rootkit that controlled how the owner could access the audio tracks. The result was a media firestorm and a class-action lawsuit that ended with Sony offering users money and free downloads.
Computer viruses have had real world effects for decades, but in 2010 a computer virus may have changed the course of history.
In November of 2010, Iranian President Mahmoud Ahmadinejad confirmed that a cyber attack had indeed caused problems with their nuclear centrifuges. And in January of 2011, Russia’s ambassador to NATO said that Stuxnet could cause a “new Chernobyl.”
21. Stuxnet, 2010
An unusually large Windows worm—about a 1000% larger than the typical computer worm, Stuxnet most likely spread through USB device. It infects a system, hides itself with a rootkit and sees if the infected computer is connected to a Siemens Simatic factory system. If the worm finds a connection, it then changes the commands sent from the Windows computer to the PLC Programmable Logic Controllers, i.e., the boxes that actually control the machinery. Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.
F-Secure Labs estimates that it would take more than 10 man-years of work to complete Stuxnet. This complexity and the fact that it could be used to impair the ability of a centrifuge to enrich uranium while providing no monetary gain suggest that Stuxnet was probably developed by a government—though which government is unclear.
22. Storm Worm, 2007
Machiavelli said it’s better to be feared than loved. Seven years after Loveletter, Storm Worm capitalized on our collective fear of bad weather and first spread generally via an email message with the subject line “230 dead as storm batters Europe.” Once the attachment was open, a Trojan backdoor and a rootkit forced the PC to join a botnet. Botnets are armies of zombie computers that can be used to, among other thing, send out tons of spam. And this one sucked in ten million computers.
23. Mebroot, 2008
Mebroot was a rootkit built to hide from the rootkit detectors that quickly became part of many Internet security suites. It is so advanced that if it crashes a PC, Mebroot will send a diagnostic report to the virus writer.
24. Conficker, 2008
Conficker quickly took millions of computers all over the globe. It exploits both flaws along with Windows and weak passwords along with several advanced techniques. Once a system is infected, further malware can be installed and the user is even prevented from visiting the website of most Internet security vendors. More than two years after it was first spotted, more computers are infected by the worm every day. F-Secure’s Chief Research Office Mikko Hypponen has said that in many ways Conficker is still “a great mystery.”
25. 3D Anti Terrorist
This trojanized “game” targets Windows Mobile phones and was spread via freeware sites. Once installed, it starts making calls to expensive numbers leaving you with large charges. This strategy of hijacking a mobile app or cloaking a malicious app is still new, but it’s likely to one of the main ways the virus writers will attack mobile devices.
Where are we 25 years after Brain?
In 2011, a PC running an updated version of Windows 7 is quite secure, especially when running updated security software. Now that we know more about viruses, we know how to fight them, and ideally prevent them. So, hopefully, in 25 years viruses will have gone the way of macro viruses and we won’t have to make a new list.
Yet another big vulnerability in the headlines. The Metaphor hack was discovered by Israel-based NorthBit and can be used to take control over almost any Android device. The vulnerability can be exploited from video files that people encounter when surfing the web. It affects all versions of Android except version 6, which is the latest major version also known as Marshmallow. But why is this such a big deal? Severe vulnerabilities are found all the time and we receive updates and patches to fix them. A fast update process is as a matter of fact a cyber security cornerstone. What makes this issue severe is that it affects Android, which to a large extent lack this cornerstone. Android devices are usually not upgraded to new major versions. Google is patching vulnerabilities, but these patches’ path to the devices is long and winding. Different vendors’ practices for patching varies a lot, and many devices will never receive any. This is really a big issue as Android’s smartphone market share is about 85% and growing! How is this possible? This underlines one of the fundamental differences between the Android and iOS ecosystems. Apple’s products are planned more like the computers we are used to. They are investments and will be maintained after purchase. iOS devices receive updates, and even major system upgrades, automatically and free of charge. And most users do install them. Great for the security. Android is a different cup of tea. These devices are mostly aimed at a cheaper market segment. They are built as consumables that will be replaced quite frequently. This is no doubt a reasonable and cost-saving strategy for the vendors. They can focus on making software work on the currently shipping devices and forget about legacy models. It helps keeping the price-point down. This leads to a situation where only 2,3% of the Android users are running Marshmallow, even half a year after release. The contrast against iOS is huge. iOS 9 has been on the market about the same time and already covers 79% of the user base. Apple reported a 50% coverage just five days after release! The Android strategy backfires when bugs like Metaphor are discovered. A swift and compete patch roll-out is the only viable response, but this is not available to all. This leaves many users with two bad options, to replace the phone or to take a risk and keep using the old one. Not good. One could think that this model is disappearing as we all grow more and more aware of the cyber threats. Nope, development actually goes in the opposite direction. Small connected devices, IoT-devices, are slowly creeping into our homes and lives. And the maintenance model for these is pretty much the same as for Android. They are cheap. They are not expected to last long, and the technology is developing so fast that you would be likely to replace them anyway even if they were built to last. And on top of that, their vendors are usually more experienced in developing hardware than software. All that together makes the IoT-revolution pretty scary. Even if IoT-hacking isn’t one of the ordinary citizen’s main concerns yet. So let’s once again repeat the tree fundamental commands for being secure on-line. Use common sense, keep your device patched and use a suitable security product. If you have a system that provides regular patches and updates, keep in mind that it is a valuable service that helps keeping you safe. But it is also worth pointing out that nothing as black and white. There are unfortunately also problematic update scenarios. Safe surfing, Micke Photo by etnyk under CC
A recent PEW report says that 86 percent of people have taken action to avoid online surveillance, including simple things like clearing their browser cache, as well as using more effective methods, such as using a VPN (virtual private network). The same report says that 61 percent of participants indicated that they’d like to do more. Many people understand their privacy is at risk when they do things online, and want to do something about it. But that’s easier said than done. Not only do you have to have the will to make it happen, but you have to know where to start. Who do you want to protect your privacy from anyway? Facebook? The NSA? Nosey neighbors? PEW’s report says that 91 percent of people agree or strongly agree that consumers have lost control over personal information that is collected and used by companies. So if you want to take this control back, the first thing you need to do is figure out who’s stalking you online. F-Secure’s Freedome VPN, which you can try for free, has baked-in tracking protection technologies to help people protect their privacy while they’re surfing online. It also has Tracker Mapper – a feature that people can use to control how they expose themselves to Internet trackers. Tracker Mapper has been available for Macs and Windows PCs for about half a year, and was just launched for Freedome’s Android and iOS apps. So how does using Tracker Mapper help you control your online privacy? Here’s our Chief Research Officer, Mikko Hyppönen, talking about how online tracking threatens people’s privacy, and how Freedome (and Tracker Mapper) can help people protect themselves. [youtube=https://www.youtube.com/watch?v=X1F8sHjCBx0&w=560&h=315] I ran a little experiment to help me learn how to limit my exposure to trackers while planning a vacation. I used Alexa to help me find some popular travel websites that I could use to shop for deals on hotels. After that, I turned on Tracker Mapper (which is turned off by default, because we respect the fact that people don’t want apps to create logs without permission) so I could find out which of these websites used the most tracking to study me as I used their site. I chose 5 of the more popular sites, and then I spent about 10 minutes on each, and left a bit of extra time so I could check out the results in between. The whole thing took me about an hour, giving me a one-hour log of the tracking attempts Freedome blocked while I browsed these sites. Tracker Mapper creates an interactive visualization of the blocked tracking attempts, and gives you information on what trackers attempted to monitor you on different websites. It also shows how these trackers link together to create a network capable of monitoring you as you navigate from website to website. These are screenshots showing how Tracker Mapper visualizes online tracking, as well some of the statistics it provides. The capture on the left shows the entire overview of the session (which lasted exactly one hour). The shot in the middle shows the sites I visited ordered by the most tracking attempts. The capture on the right shows the actual trackers that attempted to track me during my session, ordered by the number of blocked attempts. Based on this, Trip Advisor appears to have made the most tracking attempts. But you can learn even more about this by combining Tracker Mapper with a bit of online digging. You can tap on the different “bubbles” in Tracker Mapper to pull up statistics about different websites and tracking services. The first screen capture shows how many tracking attempts from different services were blocked when I visited Trip Advisor. The next two show the most prominent tracking services Freedome blocked – the tracker that TripAdvisor has integrated into its website (www.tripadvisor.com), and a tracking tag from Scorecard Research (b.scorecardresearch.com). As you might have guessed, TripAdvisor’s own tracking service is only used on their website (it’s what’s called “first-party tracking”). That’s why Tracker Mapper doesn’t show any connections between it and other websites. The second one, Scorecard Research, is used on both Trip Advisor and Lonely Planet. That’s why there are lines connecting it with both (it’s what’s called “third-party tracking”). Scorecard research is a marketing research firm that provides tracking and analytic services by having websites host their “tags”, which collect information about those website’s visitors. The Guardian has an excellent write-up about Scorecard Research, but what’s missing from the Guardian story is that you can opt-out of Scorecard Research’s tracking. Basically, they put a cookie on your browser, which isn’t an uncommon way for tracking companies to allow web surfers to protect their privacy (and oddly enough, a common way for them to track you). Stripping trackers out of websites lets people take control of who’s monitoring what they do online. PEW’s survey found that this idea of control is central to people’s concerns about online privacy - 74 percent of respondents said it’s important to control who can get information, and 65 percent said its important to control what information is collected. However, opting out of every tracking service (and for every browser you use) by installing opt-out cookies isn’t as convenient as using Freedome. And as F-Secure Security Advisor Sean Sullivan pointed out in this blog post, it actually works much better for your browsing (one experiment found that Freedome can reduce the time it takes to load web pages by about 30 percent, and decrease data consumption by about 13 percent). You can download Freedome for a free trial and find out for yourself if how it can help you control your online privacy. And right now, you can win free annual subscriptions, as well as cool swag (like stylish hoodies) by posting a screenshot showing your blocked tracking attempts to F-Secure’s Facebook wall, or on Instagram with F-Secure tagged. The contest is open till March 23rd, and 5 winners will be randomly drawn after it ends.
We who write stuff in the security industry are used to dashing off sentences like, “Online attacks are becoming more and more advanced” or “Malware is continually evolving in sophistication.” But in the past year we experienced a surprising throwback to one type of malware from an earlier era. Malware that uses a rather old technique, but it’s causing plenty of trouble nonetheless. It kinda feels like we've gone back in time. I’m talking about macro malware. It’s something we hadn’t seen prominently since the early 2000’s. And now, as touched on in our just released Threat Report covering the 2015 threat landscape, it has reared its head again. What is macro malware? Macro malware takes advantage of the macro feature in Office documents to execute commands. And macros are simply shortcuts the user can create for repeated tasks. For example, let’s say you are creating a document in Word and you find yourself repeatedly editing text to be red with a yellow highlight, 16 point, italic and right aligned. To save time, you can create a macro of your commands and then whenever you need that kind of style, simply run the macro. A little history Macro malware was common back in the 1990’s and early 2000’s. The first macro malware, Concept, was discovered in 1995, although it was basically harmless, simply displaying a dialogue box. In 1999, one of the most notorious macro malware, Melissa, was discovered. Melissa emailed itself to 50 addresses in the user’s address book, spreading to 20% of the world’s computers. But macro malware wouldn’t last long. When Microsoft released Word 2003, the default security settings were changed to stop macros from automatically running when a document opened. This made it more difficult to infect a computer through macros and attackers mostly dropped them to focus on other methods. So what happened? Why is it back again? The re-emergence, according to Sean Sullivan, Security Advisor in F-Secure Labs, may be correlated with the decline of exploitable vulnerabilities due to security improvements in today’s common software applications like Microsoft Office. Exploits have been one of the most common ways to infect machines in recent years, but with fewer software holes to exploit, malware authors seem to be reverting to other tricks. How it’s successful Today’s macro malware attempts to get around Microsoft’s default settings with a simple trick. When a document is opened, the information inside doesn’t appear properly to the viewer – for example, sometimes the document looks like scrambled gobbledygook. Text in the document claims that macros, or content, must be enabled for proper viewing. Here’s one example: Curiosity? Just plain unaware? Whatever the reason, as Sean says, the malware’s reappearance has been successful because “People click.” Once macros have been enabled, the malicious macro code is executed – which then downloads the payload. Macro malware is used by crypto-ransomware families like Cryptowall and the newest threat Locky. These families encrypt the data on a computer and then demand payment to unencrypt it. Although we don’t know for sure, it’s possible it was macro malware that was used in the holding of a Hollywood hospital for ransom last month. The banking Trojan Dridex, which allows attackers to steal banking credentials and other personal info from infected machines, also uses the technique. How to avoid it Fortunately, if you use security from F-Secure, you’re protected from these threats. But aside from that, the old advice still holds: Be wary of email attachments from senders you don’t know. And take care not to enable macros on documents you’ve received from sources you’re not 100% sure of. "Back to the Future" banner image courtesy of Garry Knight, flickr.com