From the first amateur hackers in the 80s till 2011 when international cyber sabotage is a reality, viruses have illustrated the frightening potential of human ingenuity. Here’s a brief look back how computer viruses have evolved through the most important outbreaks of the last 25 years.
The first PC virus
1. Brain, 1986
More than a decade before anyone had ever heard of Napster, the first PC virus was designed to fight piracy. The author who came up with the word “cyber,” William Gibson called Brain “basically a wheel-clamp for PCs.”
Basit and Amjad Alvi created and marketed medical software in Lahore, Pakistan. They were interested in two things. First, they wanted to check the multi-tasking functionality in the new DOS operating system (so-called “TSR” systems). Secondly, they wanted to see if there are security vulnerabilities in DOS compared to other operating systems such as Unix.
When they realized that DOS was quite vulnerable, they had the idea to write a snippet of software that would monitor how the software and the floppy disks move around. Brain spread virally via 3 1/4-inch disks, and within weeks, the Alvi’s had to change their phone numbers.
25 years after the creation of first PC virus, in early 2011, F-Secure’s Mikko Hypponen went to Lahore, Pakistan to visit the address in the code. He found the Alvi brothers still there, running a successful business. The following video includes the first video interview Amjad and Farooq have given about Brain ever.
Some early fun
Most of the early viruses were variations of the same theme: “Gotcha!” Users knew they’d been infected because that was exactly the point. Like a digital pie in the face.
2. Stoned, 1987
Created by a high school student in New Zealand, Stoned was supposed to be harmless. It simply displayed the message “Your PC is now Stoned!” on your screen. However, as the first virus that infected a PC’s boot sector, Stoned established that viruses could control a computer’s function from the moment it turned on. Bob Dylan should be proud.
3. Form, 1990
Form became one of the most widespread viruses ever. On the 18th of each month, it produced a clicking sound from the PC’s speaker whenever a key was pressed. Annoying, but harmless.
Other variations on this early innocent sort of “gotcha” virus included V-Sign, which displayed a V on your screen. The Walker virus showed an elderly man walking across your screen. Elvira scrolled text in the “A long time ago, in a galaxy far, far away” style a la Star Wars. And then there was Joshi. Every year, on the Joshi’s birthday, this eponymous virus displayed a birthday message. The machine refused to boot up until the user typed “Happy Birthday Joshi.”
4. Michelangelo, 1992
Michelangelo would override everything on a hard drive on specified dates. A variation of Stoned with much crueler intentions, Michelangelo was probably the first computer virus that made international news.
5. VCL, 1992
Virus Creation Laboratory made it easy to whip up a malicious little program by automating virus creation using a simple graphical interface.
Early MS-DOS and PC-DOS viruses did some damage to PCs, usually intentionally, but virus writers soon began to actively seek to wreak havoc by actively disabling computers.
6. Happy99, 1999
Happy99 was the first email virus. It greeted you with “Happy New Year 1999” and emailed itself to all contacts in your address book. Like the very first PC viruses, Happy99 did not cause any real damage, though it did spread to millions of PCs around the world.
7. Monkey, 1993
A distant relative of Stoned, Monkey secretly integrated itself into data files and spread seamlessly. It was the early ancestor of a rootkit, a self-concealing program, and it prevented booting from a floppy disk. When it was removed improperly, Monkey prevented any sort of booting at all.
Upgrading to Windows
In the early 90s, viruses became macro viruses and took on Microsoft’s new OS, Windows. Written in the same languages as applications like Microsoft Word, macro viruses appeared in late 1995. In just three months, they became the most common virus type in the world.
8. Concept, 1995
The first virus that infected Microsoft Word files, Concept became one of the most common viruses in the world because it could infect any OS that could run Word. Share the file, share the virus.
9. Melissa, 1999
Allegedly named after a female exotic dancer familiar to the virus writer, Melissa combined a virus and an email virus. It infected a Word file then emailed itself to all contacts in the user’s address book and became the first virus to span the globe in only hours. Melissa combined the jokey motivations of the early virus writers with the destructiveness of the era. This virus inserted comments from “The Simpsons” into users’ documents. Not so bad. But Melissa could also send out confidential information without the users’ notice. D’oh!
Not long after Melissa, Microsoft virtually eliminated macro viruses by changing how its Visual Basic macro language works within Office applications.
Crashing the network
Before firewalls, computer worms generated huge amounts of network traffic, disrupting systems by pure volume. These worms generally did not affect individual users but they could rock the infrastructure of both private businesses and governments.
10. Code Red, 2001
The first worm that spread without requiring any user interaction at all and thus spread around the world in minutes, Code Red hid from detection and carried out various functions on a cycle. On Days 1-19, it spread itself. From the 20th to the 27th, it launched Denial of Service attacks on various addresses including the White House. And from the 28th day till the end of the month, it rested.
10. Loveletter, 2000
The computer worm that broke millions of hearts, Loveletter is still one of the biggest outbreaks of all time. It spread via email attachment and overwrote many of the crucial files on the PCs it infected. This outbreak was an incredible successful attempt at social engineering. Using the promise of love, it convinced millions to open the attachment, causing an estimated $5.5 billion in damage worldwide. Guess there are a lot of people out there looking for a little love.
12. Slammer, 2003
Network worms require just a few lines of code and vulnerability to spark real world trouble. Slammer took down Bank of America’s ATM network and 911 services in Seattle. Even the air traffic control system was not immune.
13. Sobig, 2003
Sobig was a quick improvement on Fizzer (see below). Some versions waited for a couple of days after infecting a machine before turning affected machines into e-mail proxy servers. The result? Massive spam. AOL alone reported stopping more than 20 million infected messages on one day.
14. Mydoom, 2004
Mydoom spread over email and the Kazaa Peer-to-Peer (P2P) network. It set new records but was old school in the sense that the motive wasn’t monetary. Mydoom executed Distributed Denial-of-Service attack on one particular website and opened a backdoor on infected computers, which left the machine open to remote access.
15. Sasser, 2004
Sasser came in through a vulnerable network ports and slowed or crashed networks from Australia to Hong Kong to the UK.
Money. Money. Money.
In the last decade, the motive for virus writing has become obvious: Money. The technology still tends to be variations on a theme, but modern virus writers utilize advanced user psychology and social engineering to draw users into traps that they’d probably been warned about several times.
16. Fizzer, 2003
Fizzer was the first virus designed to make money. It arrived as an infected attachment. Once opened, it took over infected computers and forced them to send spam.
As the real-world impact of viruses was felt in the early 90s, business, government, software makers and the Internet security industry put fires out and collaborated to minimize threats. Virus writers, too, evolved to avoid detection, creating advanced malware that could even be programmed to be patient.
17. Cabir, 2003
The first mobile phone virus in history, Cabir targeted Nokia smartphones running the Symbian operating system. It was spread via Bluetooth and proved that whatever shape PCs evolve into, they will be targeted.
18. SDBot, 2003
SDBot was a Trojan horse that bypassed normal security to secretly control a computer. It created a backdoor that allowed the user to do several things including sniff for passwords and the reg codes of games like Half-Life and Need for Speed 2.
19. Haxdoor, 2005
Haxdoor was another Trojan horse that sniffed for passwords and other private data. Later variants had rootkit capabilities. Even Brain used techniques to cloak itself, but Haxdoor employed far more sophisticated methods. A modern rootkit can turn a computer into a zombie computer that can be controlled without the user’s knowledge, sometimes for years.
20. Sony BMI, 2005
In 2005, one of the biggest record companies in the world had the same idea that the Alvi brothers had in 1986: Use a virus to prevent piracy. On its audio CDs, it included a music player program and a rootkit that controlled how the owner could access the audio tracks. The result was a media firestorm and a class-action lawsuit that ended with Sony offering users money and free downloads.
Computer viruses have had real world effects for decades, but in 2010 a computer virus may have changed the course of history.
In November of 2010, Iranian President Mahmoud Ahmadinejad confirmed that a cyber attack had indeed caused problems with their nuclear centrifuges. And in January of 2011, Russia’s ambassador to NATO said that Stuxnet could cause a “new Chernobyl.”
21. Stuxnet, 2010
An unusually large Windows worm—about a 1000% larger than the typical computer worm, Stuxnet most likely spread through USB device. It infects a system, hides itself with a rootkit and sees if the infected computer is connected to a Siemens Simatic factory system. If the worm finds a connection, it then changes the commands sent from the Windows computer to the PLC Programmable Logic Controllers, i.e., the boxes that actually control the machinery. Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.
F-Secure Labs estimates that it would take more than 10 man-years of work to complete Stuxnet. This complexity and the fact that it could be used to impair the ability of a centrifuge to enrich uranium while providing no monetary gain suggest that Stuxnet was probably developed by a government—though which government is unclear.
22. Storm Worm, 2007
Machiavelli said it’s better to be feared than loved. Seven years after Loveletter, Storm Worm capitalized on our collective fear of bad weather and first spread generally via an email message with the subject line “230 dead as storm batters Europe.” Once the attachment was open, a Trojan backdoor and a rootkit forced the PC to join a botnet. Botnets are armies of zombie computers that can be used to, among other thing, send out tons of spam. And this one sucked in ten million computers.
23. Mebroot, 2008
Mebroot was a rootkit built to hide from the rootkit detectors that quickly became part of many Internet security suites. It is so advanced that if it crashes a PC, Mebroot will send a diagnostic report to the virus writer.
24. Conficker, 2008
Conficker quickly took millions of computers all over the globe. It exploits both flaws along with Windows and weak passwords along with several advanced techniques. Once a system is infected, further malware can be installed and the user is even prevented from visiting the website of most Internet security vendors. More than two years after it was first spotted, more computers are infected by the worm every day. F-Secure’s Chief Research Office Mikko Hypponen has said that in many ways Conficker is still “a great mystery.”
25. 3D Anti Terrorist
This trojanized “game” targets Windows Mobile phones and was spread via freeware sites. Once installed, it starts making calls to expensive numbers leaving you with large charges. This strategy of hijacking a mobile app or cloaking a malicious app is still new, but it’s likely to one of the main ways the virus writers will attack mobile devices.
Where are we 25 years after Brain?
In 2011, a PC running an updated version of Windows 7 is quite secure, especially when running updated security software. Now that we know more about viruses, we know how to fight them, and ideally prevent them. So, hopefully, in 25 years viruses will have gone the way of macro viruses and we won’t have to make a new list.
Last week, F-Secure Labs published a new study that provides a detailed analysis of a hacking group called “the Dukes”. The Dukes are what’s known as an advanced persistent threat (APT) – a type of hacking campaign in which a group of attackers is able to covertly infiltrate an organization’s IT network and steal data, often over a long period of time while remaining undetected. The report provides a comprehensive analysis of the Dukes’ history, and provides evidence that security researchers and analysts say proves the various attacks discussed in the report are attributable to the Duke group. Furthermore, the new information contained in the report strengthens previous claims that the group is operating with support from the Russian government. Mikko Hypponen has said that attacker attribution is important, but it’s also complex and notoriously difficult, so the findings of the report have considerable security implications. I contacted several people familiar with the report to get some additional insights into the Dukes, the research, and what this information means to policy makers responsible for issues pertaining to national cybersecurity. Artturi Lehtiö (AL) is the F-Secure Researcher who headed the investigation and authored the report. He has published previous research on attacks that are now understood to have been executed by the Dukes. Patrik Maldre (PM) is a Junior Research Fellow at the International Center for Defense and Security, and has previously written about the Dukes, and the significance of this threat for global security. Mika Aaltola (MA) is the Program Director for the Global Security research program at the Finnish Institute for International Affairs. He published an article of his own examining how groups like the Dukes fit into the geopolitical ambitions of nations that employ them. Q: What is the one thing that people must absolutely know about the Dukes? PM: They are using their capabilities in pursuit of Russian strategic interests, including economic and political domination in Central and Eastern Europe, as well as the Caucasus region, and a return to higher status at the international level. AL: They are a long-standing key part of Russian espionage activity in the cyber domain. MA: The geopolitical intention behind the vast majority of targets. Q: We now know the Dukes are responsible for a number of high profile attacks, and seemingly target information about politics and defense. But what kind of information might they obtain with their attacks, and why would it be valuable? AL: They might obtain information like meeting notes, memos, plans, and internal reports, not to mention email conversations. In essence, the Dukes aim to be a fly on the wall behind the closed doors of cabinets, meeting rooms, and negotiating tables. PM: The targets of the Dukes include government ministries, militaries, political think tanks, and parliaments. The information that can be gained from these organizations includes, among other things, sensitive communication among high-level officials, details of future political postures, data about strategic arms procurement plans, compromising accounts of ongoing intelligence operations, positions regarding current diplomatic negotiations, future positioning of strategic military contingents, plans for future economic investments, and internal debates about policies such as sanctions. MA: The targets are high value assets. Two things are important: data concerning the plans and decisions taken by the targeted organizations. Second, who is who in the organizations, what are the key decision-making networks, what possible weaknesses can be used and exploited, and how the organization can be used to gain access to other organizations. Q: The Dukes are typically classified as an APT. What makes the Dukes different from other APTs? MA: APT is a good term to use with the Dukes. However, there are some specific characteristics. The multi-year campaigning with relatively simple tools sets Dukes apart from e.g. Stuxnet. Also, the Dukes are used in psychological warfare. The perpetrators can even benefit from they actions becoming public as long as some deniability remains. AL: The sophistication of the Dukes does not come as much from the sophistication of their own methods as it comes from their understanding of their targets’ methods, what their targets’ weaknesses are, and how those can be exploited. PM: They are among the most capable, aggressive, and determined actors that have been publicly identified to be serving Russian strategic interests. The Dukes provide a very wide array of different capabilities that can be chosen based on the targets, objectives, and constraints of a particular operation. They appear to be acting in a brazen manner that indicates complete confidence in their immunity from law enforcement or domestic oversight by democratic bodies. Q: There are 9 distinctive Duke toolsets. Why would a single group need 9 different malware toolsets instead of just 1? AL: The Dukes attempt to use their wide arsenal of tools to stay one-step ahead of the defenders by frequently switching the toolset used. MA: They are constantly developing the tools and using them for different targets. Its an evolutionary process meant to trick different “immunity” systems. Much like drug cocktails can trick the HIV virus. PM: The different Duke toolsets provide flexibility and can be used to complement each other. For example, if various members of the Dukes are used to compromise a particular target and the infection is discovered, the incident responders may be led to believe that quarantines and remediation have been successful even though another member of the Dukes is still able to extract valuable information. Q: Many people reading this aren’t involved in geopolitics. What do you think non-policy makers can take away from this whitepaper? AL: This research aims to provide a unique window into the world of the Dukes, allowing people not traditionally involved with governmental espionage or hacking to gauge for themselves how their lives may be affected by activity like the Dukes. PM: It is important for people to understand the threats that are associated with these technological developments. The understanding of cybersecurity should grow to the point where it is on par with the wider public’s understanding of other aspects of international security, such as military strategy or nuclear non-proliferation. This knowledge is relevant for the exercise of fundamental liberties that are enjoyed in democratic societies, including freedom of speech, freedom of the press, freedom of association, as well as of basic rights such as voting in elections. MA: The geopolitical intent is clearly present in this activity. However, the developments in this realm affects other types of cyber-attacks. Same methods spread. There is cross-fertilization, as in the case of Stuxnet that was soon adapted for other purposes by other groups. F-Secure’s Business Security Insider blog recently posted a quick breakdown on how the Dukes typically execute their attacks, and what people can do to prevent becoming a victim of the Dukes or similar threats. Check it out for some additional information about the Dukes.
Despite Apple's stringent "walled garden" approach requiring strict approvals of all software that ends up in its App Story, dozens of apps infected with XcodeGhost malware apparently made it through the store and on to millions of users' devices. The malware allows the attackers remote access, which can lead to phishing or further exploitation of vulnerabilities. Our Labs initial take on this incident is that it appears to be another case of "convenience is the enemy of security". Reports suggest developers were using a Trojanized version of Apple's official tool for working on iOS and OS X apps called Xcode. Developers may have used third-party versions of Xcode to avoid long download times. Some developers also have disabled XCode's Gatekeeper, which would've prevented installation of tainted apps, because it takes too long to run, especially on older devices. These not-so secure practices likely led to a rare breach of iOS security. F-Secure Freedome is already blocking the command and control servers used by the infected apps. This will interrupt their ability to work properly or steal information from a Freedome-protected device. You should check to make sure you have not installed any of the infected apps, which include some of the most popular apps in China, and only install apps from developers that have a track record you can trust.
The first day of September may go down in internet security history -- and not just because it's the day when F-Secure Labs announced that its blog, which was the first antivirus industry blog ever, has moved to a new home. It's also the day that Google's Chrome began blocking flash ads from immediately loading, with the goal of moving advertisers to develop their creative in HTML5. Google is joining Amazon, whose complete rejection of Flash ads also begins on September 1. "This is a very good move on Amazon’s part and hopefully other companies will follow suit sooner than later," F-Secure Security Advisor Sean Sullivan wrote in August when Amazon made its announcement. "Flash-based ads are now an all-too-common security risk. Everybody will be better off without them." Last month, Adobe issued its 12th update in 2015 for the software addressing security and stability concerns. An estimated 90 percent of rich media ads are delivered through Flash. Having the world's largest online retailer reject your ad format is a significant nudge away from the plugin. But it would be difficult to overstate the impact of Chrome actively encouraging developers to drop Flash. About 1 out of every 2 people, 51.74 percent, who access the internet through a desktop browser do it via Chrome, according to StatCounter. This makes it the world's most popular web interface by far. Facebook's Chief Security Officer has also recently called for the end of Flash and YouTube moved away from the format by default in January. “Newer technologies are available and becoming more popular anyway, so it would really be worth the effort to just speed up the adoption of newer, more secure technologies, and stop using Flash completely," F-Secure Senior Researcher Timo Hirvonen told our Business Insider blog. So what's keeping Flash alive? Massive adoption and advertisers. “Everyone in every agency’s creative department grew up using Adobe’s creative suite, so agencies still have deep benches of people who specialize in this,”Media Kitchen managing partner Josh Engroff told Digiday. “Moving away from it means new training and calibration.” And Flash does have some advantages over the format that seems fated to replace it. "HTML5 ads may be more beautiful, and are perceived to be more secure, but the files can be a lot larger than Flash," Business Insider's Laura O'Reilly wrote. In markets, stability can breed instability and it seems that our familiarity and reliance on Flash has resulted in unnecessary insecurity for our data. Has Flash hit its moment when its dominance rapidly evaporates? We can have hope. "I sincerely hope this is the end of Flash," Timo told us. Cheers, Sandra [Image by Sean MacEntee | Flickr]