7/29/2019 A History of Computer Viruses - Introduction
1/4

Computers & Security, 16 (1997) 412-415

A History Of Computer Viruses - Introduction
Harold Joseph Highland FICS, FACM
Editor-in-Chief Emeritus

The following series of articles are taken from Harold's Computer Virus Handbook, published by Elsevier Advanced Technology in 1990. Viruses have moved on a long way since then, but the extracts published here provide a useful background in virus development, and contain much information that is still relevant today. It is also interesting to note that Harold introduces the Macro Virus concept a few years before it became more widely identified as a major problem.

In this section we shall present detailed information about a number of computer viruses, specifically when and where the virus was found, how it behaved and a technical report on how it works as well as other related information. We had hoped to present these data in historical perspective. However, it is too early to prepare a comprehensive history of computer viruses. This volume is about DOS computer viruses, that is computer viruses that have been found in systems using either IBM-DOS or MS-DOS. No attempt has been made to cover the many other viruses that have surfaced to infect Macintosh microcomputers. Nor are any of the VAX viruses included. Furthermore, although we shall include detailed data about a number of viruses, we are not willing to put into print some of the material and purported research reports currently available. So that the reader is better able to understand our viewpoint, we shall elaborate on some of the problems prior to the detailed reports about specific viruses.

© Compulit, Inc., 1989. All rights reserved.

A Matter of Definition

First, there is the question of a definition of a computer virus. There is currently no agreement in the computer community. To the general reader differences may appear slight but to the technician they are major. There are many who consider computer viruses as the offspring of Dr. Frederick B. Cohen. He created a virus, as part of his doctoral thesis, in an effort to find ways to defend computer systems from self-replicating programs. There are others who claim that computer viruses existed well before 1984 when Dr. Cohen did his research. The debate about the appearance of the first virus will probably continue far into the future. Currently it does not appear likely that computer scientists will agree upon an official definition of the term.

412   0167-4048/97/$17.00 © 1997 Elsevier Science Ltd

Computers and Security, Vol. 16, No. 5

Dr. Cohen first made his research public at the 1984 National Computer Security Conference. He made his findings known to an international audience during his presentation that same year at the International Federation for Information Processing Computer Security Conference in Toronto, Canada, IFIP/Sec 84. That conference was sponsored by IFIP Technical Committee 11 responsible for information processing security. It was attended by several hundred computer security specialists from all over the world. We often tell our lecture audiences about the reaction to his presentation at that meeting.

Later in the day, after Dr. Cohen presented his paper, we met with several computer security directors from Europe and Asia. Most of them felt that Dr. Cohen's report was interesting but esoteric. One security director from a major multinational corporation remarked that it was most interesting to him that an American university would provide a young man with a laboratory to play games. He could see no practical application of the research and felt that it too would disappear among the many useless, academic studies.

Dr. Cohen's reports, made in the United States and Canada, received little, if any, coverage in the European press. It was not until a presentation by Rüdiger Dierstein of the Deutsche Forschungs- und Versuchsanstalt für Luft- und Raumfahrt [DFVLR] at SECURICOM in Paris the next year that the European press began to report about computer viruses.

Is It Really a Virus?

We have followed a conservative approach to the acceptance of computer virus claims. Unless we have been able to obtain a copy of the virus, disassemble it and see it in action, we have steadfastly refused to accept unsupported claims made by others.

For example, early in 1988 one of the anti-virus product producers reported that he had found a new computer virus that destroyed the hard disk. To obtain additional information I spoke a few weeks later with the individual who had reported the virus to him. The virus had appeared several months earlier on her system. What she found was that when backing up a file to a floppy disk using the DOS COPY command or even using her text editor, the backup copy was sometimes incomplete - part of the copy just vanished. Having read about the producer's appeal to report computer viruses, she telephoned him. At his request she sent him a copy of her hard disk.

During our conversation she admitted that she had not reformatted her disk and reloaded it with clean programs. Almost five months after the press ran the producer's report she was still operating as before. She still encountered the difficulty at infrequent intervals. Because the virus was found only at one site and not reported elsewhere, we filed that report for future consideration.

Because we were busy with other viruses, we did not find time to follow up that story for many months. However, on November 14, 1988, Dr. P. M. Adams of the Computer Science Department of Nova University [Florida] issued a research report, Hardware-Induced Data Virus: Floppy Diskette Controller Design Flaw. In it he explained that there was a basic flaw in INTEL's chip 8272A that had been used on the floppy disk controller board in roughly 25 million microcomputers. According to Dr. Adams, INTEL had sent a release on May 2, 1988 to its customers stating:

    It has been found that the 8272A cannot detect a DMA underrun on the last byte of a write operation to a sector. If the 8272A is pre-empted during a DMA [1] transfer, and an overrun occurs on the last byte of a sector, the following occurs: the underrun flag does not get set, the last byte written to the disk is made equal to the previous byte written and CRC [2] is generated on the ALTERED data. The result is that INCORRECT DATA is WRITTEN to the disk and VALIDATED by the 8272A.

[1] DMA is direct memory access, a technique that allows peripheral devices to gain direct access to the microcomputer's main memory. This causes the processor to stop all activity along a bus, a communications line along which the data are transmitted - HJH
[2] CRC is cyclic redundancy check, a method used for detecting errors in the transfer of data - HJH

413

H.J. Highland/A History Of Computer Viruses - Introduction

Although we do not agree with Dr. Adams's use of the term, hardware-induced data virus, it appears likely that the earlier reported virus may well have been a hardware defect. In any event the so-called virus had not destroyed her hard disk.
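The release quoted above explains why the defect looked like a virus: the controller computes its CRC over the data it has already altered, so its own check passes. The Python simulation below is an added example (not from the handbook or from Intel) that models that behaviour and shows why only a host-side comparison against the source data detects it; the CRC polynomial, the sector contents and the function names are assumptions.

```python
from typing import Tuple

def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bit-serial CRC-16/CCITT over the sector data. Simplification: the real
    controller CRC also covers the data address mark; the principle is the same."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def write_sector(data: bytes, preempted: bool) -> Tuple[bytes, int, bool]:
    """Emulate the 8272A writing one sector and appending its CRC.
    Returns (bytes on disk, CRC on disk, underrun flag). With preempted=True the
    last-byte DMA underrun is modelled as the Intel release describes: the last
    byte becomes a copy of the previous byte, the underrun flag is NOT set, and
    the CRC is generated over the altered data."""
    if preempted:
        data = data[:-1] + data[-2:-1]
    return data, crc16_ccitt(data), False

def controller_read_ok(stored: bytes, stored_crc: int) -> bool:
    """All the controller can check on read-back: the CRC over what is on disk.
    DOS VERIFY relies on exactly this re-read, so it does not help here."""
    return crc16_ccitt(stored) == stored_crc

def end_to_end_verify(intended: bytes, stored: bytes) -> bool:
    """Host-side comparison against the source (or a checksum kept by the
    host) is the only layer that can catch a corruption the controller validated."""
    return intended == stored

# Constructed 512-byte sector; its last two bytes differ, so the defect is visible.
SECTOR = b"ABCDEFGH" * 64

def demo(preempted: bool) -> dict:
    """Run one write and report what each layer of checking sees."""
    stored, crc, underrun = write_sector(SECTOR, preempted)
    return {
        "underrun_flagged": underrun,
        "controller_validates": controller_read_ok(stored, crc),
        "data_intact": end_to_end_verify(SECTOR, stored),
    }

if __name__ == "__main__":
    print("normal write:    ", demo(False))
    print("pre-empted write:", demo(True))
```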

The Numbers Game

An oft-repeated question by the press during an interview with anyone working with computer viruses is "How many computer viruses are there?" An answer that we are not certain but we have 15 in our laboratory, sends the interviewer off to find a better source. There appears to be a competition among some working in the computer virus field to announce a greater number than anyone else. One researcher who distributes his findings on a bulletin board announced that he had collected and examined 48 computer viruses. Another whom we heard at a conference in the late spring of 1989 told the audience that he had already collected more than 160. It appears that the more computer viruses one can list, the greater an authority he is on the subject.

There are viruses and there are often mutations of these viruses. For example, one attribute of the Brain virus is to write "Brain" as the label on an infected disk. If another virus is found that writes "HA-HA" as the disk label but is identical in every other respect, does one count this as a new virus? The code of both are the same but only five ASCII characters have been changed.

We deal with these mutations in a simple way. So long as critical code in the virus has not been altered, we call the other virus a variant or mutant. On the other hand, many researchers have taken an easier way out. If there is any change, no matter how slight, they count the other as a new virus. The policy we have followed thus far leads to some problems.

For example, a virus that will attack all .COM programs except COMMAND.COM appears in an altered form so that even COMMAND.COM is attacked. Although the modification of the code of that virus is no more difficult than the change of the label name, this altered form is different. The action of the virus has been modified. Similarly if a virus that attacks only 5 1/4-inch floppy disks appears so that it is capable of attacking a hard disk drive, do we consider it to be a new virus?

We feel that so long as any two viruses have identical code and do not behave differently, they are variants of the original virus. However, if their actions have been modified they should be classed as a new form of the original virus. We are not interested in amassing numbers. However we feel that a logical, scientific approach to virus taxonomy is needed.

Virus Identification

Each time a virus appears in a new location, the finder often believes he has a new virus. When we received a virus from an associate in the Middle East we accepted the name as the Ping-Pong virus. Our first reports from England late in 1988 about that virus called it the Italian virus. Later some researchers there renamed it as the 1803 virus. Since then we have seen it called the Bouncing Ball virus and the Turin virus.

The virus specialist, who does not have a copy of this virus and/or is unable to confirm that the versions are identical, is too often misled. He is likely to consider counting each as a separate virus. Even if he goes through the many reports from the different centres he might not be fully informed.

Most serious researchers have called for a protocol whereby specialists in different parts of the world can compare the viruses they have without the need to send the actual virus and/or its disassembled code. Most are reluctant to send either for fear of spreading the virus. Making source code or a copy of a disk with a virus available is dangerous. It takes little effort on the part of a skilled programmer to modify the trigger and/or action portions of a virus once one has a workable copy.

414

There have been calls by researchers to establish a central clearing house for computer viruses. In most cases the researcher feels that his site should serve as that center. We have long felt that there is need for a method by which researchers can exchange information without sending the actual virus and/or the disassembled code. Charles M. Preston, a computer security specialist and virus researcher in Anchorage [Alaska] and we have discussed the need for creating a computer virus directory. That directory would provide specific information about each virus; among some of the data would be:

• its size in number of bytes,
• the medium which it attacks,
• a hexadecimal or ASCII checksum of its actual code,
• the signature, if any, that the virus uses to avoid reinfection,
• a listing of ASCII strings in the viral code and their location, and
• detailed information about the replication procedure, the trigger mechanism, and action taken.

Source of Virus Data

We have included virus analysis in the following few sections based on the following sources:

[1] Computer viruses we have in our laboratory.

These viruses have been received from sites that have been attacked as well as from associates in different parts of the world. In addition to our own analysis we have supporting information from Bill Kenny, a highly-skilled programmer and analyst with Digital Dispatch Inc. of St. Paul [Minnesota] and Dr. Jon David of Systems Research and Development of Tappan [New York]. We should also acknowledge the assistance from several computer security specialists in different parts of the world, ranging from Australia to the United Kingdom to Finland and Sweden.

[2] Substantiated reports from reliable researchers. Although we have a number of computer viruses and mutations, we do not physically have copies of all the viruses that have been found in the world. Many researcher reports cannot be confirmed and others have analyses of viruses that do not conform with our findings; these were not used.

[3] Finally we should note that the material presented in the section of laboratory viruses has come from sources that cannot be publicly identified. In each case, however, we have thoroughly examined the data and investigated the integrity of the source.
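As an added example (not part of the handbook or the Preston directory itself), the Python script below builds the kind of directory record proposed in the Virus Identification section (size, medium, checksum, reinfection signature, ASCII strings with their locations) and applies the variant-or-new-form rule from The Numbers Game to two samples, so that two laboratories can compare records rather than exchange code. The sample bytes are constructed stand-ins, SHA-256 stands in for the "hexadecimal checksum", and all function names are assumptions.

```python
import hashlib
import re
from typing import Dict, List, Tuple

def ascii_strings(code: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """(offset, text) for every run of at least min_len printable ASCII bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(code)]

def directory_entry(name: str, code: bytes, medium: str, signature: bytes = b"") -> Dict:
    """The directory record: size, medium, checksum, reinfection signature and
    its offset, and the ASCII strings with their locations. SHA-256 is an
    assumption standing in for the proposal's 'hexadecimal checksum'."""
    return {
        "name": name,
        "size_bytes": len(code),
        "medium": medium,
        "checksum": hashlib.sha256(code).hexdigest(),
        "signature": signature.decode("ascii", "replace") if signature else None,
        "signature_offset": code.find(signature) if signature else None,
        "strings": ascii_strings(code),
    }

def classify(code_a: bytes, code_b: bytes) -> str:
    """Highland's rule made mechanical (a heuristic): same size and every
    differing byte inside an ASCII string (label text, messages) -> 'variant';
    any difference in non-string (code) bytes -> 'new form', which then needs
    behavioural analysis, since a byte-level compare cannot see behaviour."""
    if code_a == code_b:
        return "identical"
    if len(code_a) != len(code_b):
        return "new form"
    string_bytes = set()
    for off, text in ascii_strings(code_a) + ascii_strings(code_b):
        string_bytes.update(range(off, off + len(text)))
    diffs = [i for i, (x, y) in enumerate(zip(code_a, code_b)) if x != y]
    return "variant" if all(i in string_bytes for i in diffs) else "new form"

# Constructed stand-ins (not real virus code): a few opcode-like bytes around a
# 5-character disk label, mirroring the Brain / HA-HA question in the text.
HEAD = bytes([0xEB, 0x1C, 0x90, 0xB8, 0x00, 0x7C, 0x8E, 0xD8, 0xCD, 0x13])
TAIL = bytes([0xBB, 0x00, 0x02, 0xB9, 0x01, 0x00, 0xCD, 0x13, 0xC3])
SAMPLE_A = HEAD + b"Brain" + TAIL
SAMPLE_B = HEAD + b"HA-HA" + TAIL                        # only the label changed
SAMPLE_C = HEAD + b"Brain" + TAIL[:-1] + bytes([0xCF])  # one code byte changed

if __name__ == "__main__":
    print(directory_entry("Brain (lab sample)", SAMPLE_A, "5 1/4-inch floppy boot sector", b"Brain"))
    print(classify(SAMPLE_A, SAMPLE_B), "/", classify(SAMPLE_A, SAMPLE_C))
```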

In line with the conservative policy we have followed since the computer virus explosion in late 1987 we

415