White Paper: The Evolution of Viruses

Nathan Edwards

The first computer virus appeared more than 30 years ago, which renders this class of pestilence a mere infant compared to the real thing. But 30 years is an eon in technology time, and the critters—and their creators—have morphed and adapted to resist every effort to stamp them out. While early viruses were the innocuous work of geeks seeking a creative outlet, many of today’s computer viruses are hatched with criminal intent.

Primordial Viruses

The first computer viruses were created for exploration and experimentation; they often did little more than replicate. “Very early viruses were kind of proof of concept,” says Craig Schmugar, threat research manager for McAfee Avert Labs. “[They were] written by, effectively, geek programmers who had a lot of skill and who knew what they were doing. In some respects it was almost like an art form to them.”

Creeper, which appeared in the early 1970s on the ARPAnet (the progenitor of the Internet), is a case in point. It did little more than spread across the network and taunt its victims.

When John Walker, creator of the 20-questions-style game Animal, wanted a better distribution method than mailing tapes (this being 1975, magnetic tape was the prevalent means of data storage), he turned to a second program of his creation called Pervade. Attached to Animal, the Pervade code copied the game to all the directories the game player had access to.

As a result, both Animal and Pervade made their way into the accounts of system administrators, who spread both programs to even more systems—via tape, ironically enough. From there, it didn’t take long for the programs to spread to computers across the United States. Walker, who went on to found Autodesk, had no malicious intent—he just wanted to distribute his little game—but his technique blazed a path for modern virus propagators.

The first personal-computer virus broke into the wild in 1982. Created by high-school freshman Richard Skrenta, Elk Cloner spread by copying itself from an infected Apple II floppy disk to the host computer’s system memory. The virus would reside in memory until another floppy was inserted, at which point the program would copy itself to the new disk. When the disk was used to boot the machine (Apple II computers didn’t have hard drives), the embedded virus would display a short poem on every 50th startup.

Computer viruses became more prevalent in the 1990s, and they exploded with the widespread availability of Internet access. A hacker culture began to take root. Most virus writers remained tinkerers, but they sought more widespread fame and even formed communities.

The use of macro viruses was one common technique for spreading an attack as quickly as possible. The ubiquity of programs such as Microsoft Word and Excel—with their built-in scripting language—gave virus writers a new way to toy with systems.

Modern Times

The virus economy today is booming, for the virus writers as much as it is for the antivirus doctors. “It’s scary how literal a business it is,” says Zulfikar Ramzan, senior principal researcher at Symantec. “You have a lot of people who had really good technical skills, but when the economies in [Eastern Europe and Asia] drastically shifted… [they] were out of a job and needed some outlet to make income.” By analyzing attacks, Ramzan says he can tell the time of day these kinds of viruses are written—a fingerprint that reveals the authors to be 9-to-5 employees. They even write clean, commented code in order to ease collaboration.

These often-criminal enterprises create viruses that can generate illicit profits in several ways: Keyloggers can steal passwords, credit cards, and identities; and botnets create massive, distributed platforms that can be leased for spam mailings, phishing, denial of service attacks, and other uses. Some of these groups even sell virus toolkits with full graphical user interfaces, so their customers can install their own payloads. “They actually offer technical support if you’re having trouble getting it installed,” according to Schmugar.

The original viruses often simply taunted victims with their presence, but today these ventures make the most money by staying quiet to delay their removal. Some viruses even download modified antivirus software as their first step, blocking infection from competitors while fooling the host system into behaving as though it’s healthy.

Rootkits often help viruses avoid detection. These tools are nothing new; system administrators sometimes use them to manage PCs or hide critical files. But viruses often use these low-level tools to mask their presence while gaining complete access to a machine. Once free to muck around, viruses can modify the kernel and process list to stay hidden even if a user asks which programs are running. And boot-record viruses in the spirit of Elk Cloner are once again becoming popular because they can be difficult to detect and purge.

Security researchers and less-predatory hackers have also become a part of this monetized culture. Maintaining a “white hat,” or ethical, approach, they root out vulnerabilities in code and then follow established disclosure practices to inform companies about security flaws in their products before going public with the information. Some software developers even pay bounties for such tips.

Breaking In

Sometimes, computer owners make the hacker’s job entirely too easy. “The main security issues today are not so much technical as they are social,” notes Symantec’s Ramzan. “Hackers often just ring the doorbell and ask to be invited in. Although there are ways to compromise a system by finding a technical hole, the most common way hackers try to compromise systems is by finding the human hole, by emailing you an attachment with malicious code and telling you to execute it by yourself.” These initial bits of code often work as a stage downloader, with the main objective being to clear a path for the malicious bytes to follow.

Sloppy programming, on the other hand, creates opportunities for viruses to infect a system without a user’s help. The buffer-overflow attack is one of the most common exploits. The virus designer, for example, might identify a point at which the software expects user input. Instead of entering a normal amount of data, the virus floods the query, overwhelming the program. Executable code hidden within this tsunami of data gains control of the host machine and overrides the program, tricking the computer into running a new set of instructions.

“Code itself is a type of data,” Ramzan explains. “It’s basically data that can be executed on a machine. Sometimes that distinction is not actually made at a very low technical level, and that’s what often causes these vulnerabilities to occur. At the end of the day, they’re all just bits, and your computer has to know which one’s which.”
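As an added illustration of the buffer-overflow pattern described above and of the code-versus-data point in the quote (example code written for this page, not code from the article or the researchers quoted): a fixed-size name field filled with no length check, beside a version that validates the length and refuses input that would not fit. The field size and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* the fixed-size field the program "expects" input to fit in */

/* "Before": the program assumes the caller honours the 16-byte limit.
 * strcpy copies until it finds a NUL, so input longer than NAME_MAX - 1
 * bytes is written past the end of name[] into whatever sits beside it
 * in memory. That spill is the flood the article describes. */
void store_name_unchecked(char name[NAME_MAX], const char *input) {
    strcpy(name, input);                     /* no length check at all */
}

/* "After": measure the input against the limit first and reject it
 * outright instead of overflowing or silently truncating.
 * Returns 0 on success, -1 when the input (plus its NUL) would not fit. */
int store_name_checked(char name[NAME_MAX], const char *input) {
    size_t len = 0;
    while (len < NAME_MAX && input[len] != '\0')   /* never scan past the limit */
        len++;
    if (len >= NAME_MAX) {
        name[0] = '\0';                      /* leave a defined, empty value */
        return -1;
    }
    memcpy(name, input, len + 1);            /* copies the terminator too */
    return 0;
}

int main(void) {
    char name[NAME_MAX];
    /* Constructed inputs: one that fits, one that would overflow. */
    const char *ok  = "alice";
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 40 bytes */

    int rc = store_name_checked(name, ok);
    printf("checked short input: rc=%d name=\"%s\"\n", rc, name);
    rc = store_name_checked(name, big);
    printf("checked long input:  rc=%d name=\"%s\"\n", rc, name);
    /* store_name_unchecked(name, big) is the defect itself: 40 bytes into a
     * 16-byte buffer. It is deliberately not called here. */
    return 0;
}
```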

Fortunately, it’s easy to protect your PC from viruses and cyber criminals. Install an antivirus program, perform periodic scans, and don’t do anything that would make it easy for criminals and mischief-makers to take advantage of you.
