Computer virus
A computer virus is a computer program that
can replicate itself and spread from one computer to another. The term
"virus" is also commonly,
but erroneously, used to refer to other types of malware, including but not
limited to adware and spyware programs that do not have a reproductive ability.
Malware includes computer viruses, computer
worms, ransomware, trojan horses, keyloggers, most rootkits, spyware, dishonest
adware, malicious BHOs and other malicious software. Most active malware
threats are trojans or worms rather than viruses. Trojan horses and worms are
often confused with viruses but are technically different: a worm exploits
security vulnerabilities to spread itself automatically to other computers over
a network, while a trojan horse is a program that appears harmless but hides
malicious functions and does not replicate on its own. Worms and trojan horses,
like viruses, may harm a computer system's data or performance.
Some viruses and other malware have symptoms noticeable to the computer user,
but many are surreptitious or simply do nothing to call attention to
themselves. Some viruses do nothing beyond reproducing themselves.
Classification
In order to replicate itself, a virus must
be permitted to execute code and write to memory. For this reason, many viruses
attach themselves to executable files that may be part of legitimate programs
(see code injection). If a user launches an infected program, the virus's code
is executed along with it. Viruses can be divided into two
types based on their behavior when they are executed. Nonresident viruses
immediately search for other hosts that can be infected, infect those targets,
and finally transfer control to the application program they infected. Resident
viruses do not search for hosts when they are started. Instead, a resident
virus loads itself into memory on execution and transfers control to the host
program. The virus stays active in the background and infects new hosts when
those files are accessed by other programs or the operating system itself.
Nonresident viruses
Nonresident viruses can be thought of as
consisting of a finder module and a replication module. The finder module is
responsible for finding new files to infect. For each new executable file the
finder module encounters, it calls the replication module to infect that file.
Resident viruses
Resident viruses contain a replication
module that is similar to the one that is employed by nonresident viruses. This
module, however, is not called by a finder module. The virus loads the
replication module into memory when it is executed instead and ensures that
this module is executed each time the operating system is called to perform a
certain operation. The replication module can be called, for example, each time
the operating system executes a file. In this case the virus infects every
suitable program that is executed on the computer.
Vectors and hosts
Viruses have targeted various types of
transmission media or hosts. This list is not exhaustive:
Binary executable files (such as COM files
and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, the
Mach-O format in Mac OS X, and ELF files in Linux)
Volume boot records of floppy disks and
hard disk partitions
The master boot record (MBR) of a hard disk
General-purpose script files (such as batch
files in MS-DOS and Microsoft Windows, VBScript files, and shell script files
on Unix-like platforms).
Application-specific script files (such as
Telix-scripts)
System-specific autorun script files (such
as the Autorun.inf file that Windows uses to automatically run software stored
on removable media such as USB memory storage devices).
Documents that can contain macros (such as
Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and
Microsoft Access database files)
Cross-site scripting vulnerabilities in web
applications (see XSS Worm)
Arbitrary computer files. An exploitable
buffer overflow, format string, race condition or other bug in a program which
reads the file can be used to trigger the execution of code hidden within it.
Most bugs of this type are made harder to exploit on architectures and operating
systems with protection features such as an execute-disable (NX) bit and
address space layout randomization, although these mitigations do not remove
the underlying bug.
PDFs, like HTML, may link to malicious code. PDFs can also carry embedded
scripts or exploit code and so can themselves be infected (see Adobe Acrobat
Security).
In operating systems that use file
extensions to determine program associations (such as Microsoft Windows), the
extensions may be hidden from the user by default. This makes it possible to
create a file that is of a different type than it appears to the user. For
example, an executable may be created named "picture.png.exe", in
which the user sees only "picture.png" and therefore assumes that
this file is an image and most likely is safe, yet when opened runs the executable
on the client machine.
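As an added example (not from the original article), the check below flags the double-extension trick described above and goes one step further: it also compares the file's leading bytes against the well-known magic numbers of the executable and document formats listed earlier in this section, so a Portable Executable renamed to .png is caught even when there is no second extension. The extension sets, the magic table and the sample names are assumptions made for this example.

```python
import os
from typing import Dict, Optional

# Extensions Windows will run directly (a subset; assumption for this example).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions whose suffix Explorer hides by default ("known file types"); assumption.
KNOWN_EXTS = EXECUTABLE_EXTS | {".png", ".jpg", ".gif", ".pdf", ".txt", ".doc"}

# Leading bytes of formats named in the article's host list.
MAGIC: Dict[bytes, str] = {
    b"MZ": "pe",                     # MS-DOS stub / Portable Executable
    b"\x7fELF": "elf",               # Linux ELF
    b"\xcf\xfa\xed\xfe": "mach-o",   # Mach-O 64-bit, little-endian
    b"\xce\xfa\xed\xfe": "mach-o",   # Mach-O 32-bit, little-endian
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
}
NATIVE_CODE = {"pe", "elf", "mach-o"}


def displayed_name(filename: str) -> str:
    """Name as shown with 'hide extensions for known file types' on: the final
    extension is dropped if it is a registered type, exposing any earlier one."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in KNOWN_EXTS else filename


def sniff_type(head: bytes) -> Optional[str]:
    """Identify a file from its first bytes, independent of its name."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def is_deceptive(filename: str, head: bytes) -> bool:
    """True if the name the user sees, or the claimed extension, disagrees with
    what would actually run when the file is opened."""
    real_ext = os.path.splitext(filename)[1].lower()
    shown_ext = os.path.splitext(displayed_name(filename))[1].lower()
    # "picture.png.exe": runs as .exe, but the visible name claims an image.
    if real_ext in EXECUTABLE_EXTS and shown_ext and shown_ext not in EXECUTABLE_EXTS:
        return True
    # Content is native code but the extension says it is not (renamed executable).
    if sniff_type(head) in NATIVE_CODE and real_ext not in EXECUTABLE_EXTS:
        return True
    return False
```

In practice the first few hundred bytes of a file are enough for sniff_type; a mail gateway or download scanner would apply is_deceptive to every attachment name and header it sees, independent of what the client later displays.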
Stealth infection strategies
In order to avoid detection by users, some
viruses employ different kinds of deception. Some old viruses, especially on
the MS-DOS platform, make sure that the "last modified" date of a
host file stays the same when the file is infected. This approach does not fool
antivirus or integrity-checking software that records a checksum (for example
a cyclic redundancy check) or hash of each file and compares it on later scans.
Some viruses can infect files without
increasing their sizes or damaging the files. They accomplish this by
overwriting unused areas of executable files. These are called cavity viruses.
For example, the CIH virus, or Chernobyl Virus, infects Portable Executable
files. Because those files have many empty gaps, the virus, which was 1 KB in
length, did not add to the size of the file.
Some viruses try to avoid detection by
killing the tasks associated with antivirus software before it can detect them.
As computers and operating systems grow
larger and more complex, old hiding techniques need to be updated or replaced.
Defending a computer against viruses may demand that a file system migrate
towards detailed and explicit permission for every kind of file access.
Read request intercepts
While some antivirus software employs
various techniques to counter stealth mechanisms, once an infection has
occurred any attempt to clean the system from inside it is unreliable. In
Microsoft Windows, the NTFS file system is proprietary and direct access to
files without going through the Windows OS is undocumented. This leaves
antivirus software little alternative but to send read requests to the Windows
OS components that handle them. Some viruses exploit this by intercepting those
requests: a virus can hide itself by intercepting the request to read the
infected file, handling the request itself, and returning an uninfected version
of the file to the antivirus software. The interception can be achieved by
injecting code into the operating system components that would handle the read
request. Thus antivirus software attempting to detect the virus will either be
denied permission to read the infected file, or the read request will be served
with a clean copy of the same file.
The only reliable method to avoid stealth
is to boot from a medium that is known to be clean. Security software can then
be used to check the dormant operating system files. Most security software
relies on virus signatures, or they employ heuristics.
Security software may also use a database
of file hashes for Windows OS files, so that it can identify altered files and
request the Windows installation media to replace them with authentic versions.
In older versions of Windows, the file hashes of Windows OS files that were
stored on the system itself, to allow file integrity and authenticity to be
checked, could be overwritten so that the System File Checker would report
altered system files as authentic. Using file hashes stored on the system to
scan for altered files therefore does not always guarantee finding an
infection; the reference hashes must come from a source the virus could not
have modified.
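The integrity check that the three passages above describe (a recorded checksum defeating mtime preservation, a cavity infection that leaves file size unchanged, and a hash database kept where the virus cannot rewrite it), as an added example that is not part of the original article: the baseline is returned to the caller so it can be stored off the machine, and a file whose size and mtime still match but whose hash does not is reported separately, since that combination is the stealth case. The directory layout, the 64-byte "host program" and the simulated infection are constructed for this example.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[str, int, float]  # (sha256 hex digest, size in bytes, mtime)


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Entry]:
    """Walk root and record hash, size and mtime for every regular file.
    Keep the result somewhere the monitored system cannot write to."""
    baseline: Dict[str, Entry] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                st = os.stat(p)
                baseline[os.path.relpath(p, root)] = (hash_file(p), st.st_size, st.st_mtime)
    return baseline


def check_against_baseline(root: str, baseline: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """Return (relative path, verdict) for each file that differs from the baseline.
    'modified-stealthily' means size and mtime are unchanged but the hash is not."""
    findings: List[Tuple[str, str]] = []
    current = build_baseline(root)
    for rel, (old_hash, old_size, old_mtime) in baseline.items():
        if rel not in current:
            findings.append((rel, "missing"))
            continue
        new_hash, new_size, new_mtime = current[rel]
        if new_hash == old_hash:
            continue
        if new_size == old_size and abs(new_mtime - old_mtime) < 1e-6:
            findings.append((rel, "modified-stealthily"))
        else:
            findings.append((rel, "modified"))
    for rel in current.keys() - baseline.keys():
        findings.append((rel, "new"))
    return sorted(findings)


def simulate_stealth_infection(path: str, payload: bytes) -> None:
    """Constructed for the demo: overwrite bytes in place (size unchanged, as a
    cavity virus does) and restore the original mtime, as DOS-era stealth viruses did."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.write(payload[: st.st_size])
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed scenario: baseline a directory holding one 64-byte 'program',
    infect it stealthily, re-check. Returns (findings before, findings after)."""
    root = tempfile.mkdtemp()
    host = os.path.join(root, "host.bin")
    with open(host, "wb") as f:
        f.write(b"\x00" * 64)          # the "unused area" a cavity virus overwrites
    baseline = build_baseline(root)    # in practice: store this off the machine
    before = check_against_baseline(root, baseline)
    simulate_stealth_infection(host, b"VIRUS")
    after = check_against_baseline(root, baseline)
    return before, after
```

The check is only as trustworthy as the environment it runs in: as the previous section notes, a resident virus that intercepts read requests can feed hash_file a clean copy, so the scan should be run from a boot medium known to be clean, with the baseline loaded from that medium rather than from the suspect disk.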
Self-modification
Most modern antivirus programs try to find
virus-patterns inside ordinary programs by scanning them for so-called virus
signatures. Unfortunately, the term is misleading, in that viruses do not
possess unique signatures in the way that human beings do. Such a virus
signature is merely a sequence of bytes that an antivirus program looks for
because it is known to be part of the virus. A better term would be
"search strings". Different antivirus programs will employ different
search strings, and indeed different search methods, when identifying viruses.
If a virus scanner finds such a pattern in a file, it will perform other checks
to make sure that it has found the virus, and not merely a coincidental
sequence in an innocent file, before it notifies the user that the file is
infected. The user can then delete, or (in some cases) "clean" or
"heal" the infected file. Some viruses employ techniques that make
detection by means of signatures difficult but probably not impossible. These
viruses modify their code on each infection. That is, each infected file
contains a different variant of the virus.
Encryption with a variable key
A more advanced method is the use of simple
encryption to encipher the virus. In this case, the virus consists of a small
decrypting module and an encrypted copy of the virus code. If the virus is
encrypted with a different key for each infected file, the only part of the
virus that remains constant is the decrypting module, which would (for example)
be appended to the end. In this case, a virus scanner cannot directly detect
the virus using signatures, but it can still detect the decrypting module,
which still makes indirect detection of the virus possible. Since these would
be symmetric keys, stored on the infected host, it is in fact entirely possible
to decrypt the final virus, but this is probably not required, since
self-modifying code is such a rarity that it may be reason for virus scanners
to at least flag the file as suspicious.
An old but compact form of encryption XORs
each byte of the virus with a constant, so that decryption is the same
exclusive-or operation repeated. Because it is suspicious for code to modify
itself, the code that performs the encryption or decryption may itself be part
of the signature in many virus definitions.
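As an added example (not the article's own code, and not any real product's engine), the scanner below implements the "search string" idea from the Self-modification section together with the counter to the single-byte XOR scheme just described: for each signature it searches the clear form and all 255 XOR keys, so a body enciphered with a per-infection key is still found and the key is recovered from the match. The detection name, the signature bytes and the sample buffer are constructed for this example.

```python
from typing import Dict, List, Tuple

# Constructed signature: a byte string taken from a hypothetical plaintext virus body.
SIGNATURES: Dict[str, bytes] = {
    "Example.Body": b"catch me if you can",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the same call decrypts."""
    return bytes(b ^ key for b in data)


def scan(buf: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[Tuple[str, int, int]]:
    """Return (name, offset, xor_key) for every signature found in buf, either in
    clear (xor_key 0) or enciphered under a single-byte XOR key 1..255."""
    hits: List[Tuple[str, int, int]] = []
    for name, sig in signatures.items():
        for key in range(256):
            # XOR is an involution: transforming the short signature with the key
            # is equivalent to decrypting the whole buffer, without copying it.
            needle = xor_bytes(sig, key)
            off = buf.find(needle)
            while off != -1:
                hits.append((name, off, key))
                off = buf.find(needle, off + 1)
    return sorted(hits)


def recover_body(buf: bytes, key: int) -> bytes:
    """Decrypt a buffer once a key has been found, for analysis or cleaning."""
    return xor_bytes(buf, key)


def make_sample(key: int) -> bytes:
    """Constructed 'infected' buffer: host bytes, then the body XOR-enciphered with
    key, then the key itself appended as the constant part a decryptor would keep."""
    body = b"... " + SIGNATURES["Example.Body"] + b" ..."
    return b"HOST PROGRAM DATA " + xor_bytes(body, key) + bytes([key])
```

The loop costs 256 searches per signature, which is why real engines apply such "X-ray" scanning only to regions a cheaper heuristic has already flagged, and why the next section's polymorphic decryptors, which do not reduce to a fixed key, force a move to emulation or statistics.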
Polymorphic code
Polymorphic code was the first technique
that posed a serious threat to virus scanners. Just like regular encrypted
viruses, a polymorphic virus infects files with an encrypted copy of itself,
which is decoded by a decryption module. In the case of polymorphic viruses,
however, this decryption module is also modified on each infection. A
well-written polymorphic virus therefore has no parts which remain identical
between infections, making it very difficult to detect directly using
signatures. Antivirus software can detect it by decrypting the viruses using an
emulator, or by statistical pattern analysis of the encrypted virus body. To
enable polymorphic code, the virus has to have a polymorphic engine (also
called mutating engine or mutation engine) somewhere in its encrypted body. See
polymorphic code for technical detail on how such engines operate.
Some viruses employ polymorphic code in a
way that constrains the mutation rate of the virus significantly. For example,
a virus can be programmed to mutate only slightly over time, or it can be
programmed to refrain from mutating when it infects a file on a computer that
already contains copies of the virus. The advantage of using such slow
polymorphic code is that it makes it more difficult for antivirus professionals
to obtain representative samples of the virus, because bait files that are
infected in one run will typically contain identical or similar samples of the
virus. This will make it more likely that the detection by the virus scanner
will be unreliable, and that some instances of the virus may be able to avoid
detection.
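The statistical approach mentioned above, as an added example that is not part of the original article: an enciphered body has near-uniform byte statistics, unlike code, text or tables, so a sliding window of Shannon entropy locates the encrypted region even though no fixed byte sequence survives from one infection to the next. The window size, the threshold and the sample buffer (os.urandom standing in for cipher output) are assumptions made for this example.

```python
import math
import os
from collections import Counter
from typing import List, Tuple


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for perfectly uniform bytes."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_regions(buf: bytes, window: int = 512,
                         threshold: float = 7.0) -> List[Tuple[int, int]]:
    """Return [(start, end)] byte ranges whose windows reach the threshold,
    merging consecutive windows into one region. Compiled code typically
    scores 5-6.5 bits/byte; encrypted or compressed data scores above 7."""
    regions: List[Tuple[int, int]] = []
    for off in range(0, len(buf) - window + 1, window):
        if shannon_entropy(buf[off:off + window]) >= threshold:
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], off + window)   # extend previous region
            else:
                regions.append((off, off + window))
    return regions


def make_sample() -> bytes:
    """Constructed host image: 1 KiB of low-entropy code-like filler, 1 KiB that
    stands in for an encrypted virus body, then 1 KiB of filler again."""
    filler = (b"mov eax, ebx ; nop ; ret \x00\x00" * 64)[:1024]
    return filler + os.urandom(1024) + filler
```

A hit is a lead, not a verdict: packed installers and embedded images score just as high, so an engine would hand the flagged range to an emulator, or check whether a decryption loop precedes it, before reporting. A virus that constrains its mutation, as the slow polymorphic variants above do, changes nothing here, since the measurement depends on the ciphertext's statistics rather than on any particular decryptor.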
Metamorphic code
To avoid being detected by emulation, some
viruses rewrite themselves completely each time they are to infect new
executables. Viruses that utilize this technique are said to be metamorphic. To
enable metamorphism, a metamorphic engine is needed. A metamorphic virus is
usually very large and complex. For example, W32/Simile consisted of over
14,000 lines of assembly language code, 90% of which is part of the metamorphic
engine.
Vulnerability and countermeasures
The vulnerability of operating systems to viruses
Just as genetic diversity in a population
decreases the chance of a single disease wiping out a population, the diversity
of software systems on a network similarly limits the destructive potential of
viruses and malware. This became a particular concern in the 1990s, when
Microsoft gained market dominance in desktop operating systems, web browsers,
and office suites. Microsoft software is targeted by writers of viruses and
malware partially due to Microsoft's desktop dominance.
Although Windows is by far the most popular
target operating system for virus writers, viruses also exist on other
platforms. Any operating system that allows third-party programs to run can
theoretically run viruses.
As of 2006, there were at least 60 known
security exploits targeting the base installation of Mac OS X (with a
Unix-based file system and kernel). The number of viruses for the older Apple
operating systems, known as Mac OS Classic, varies greatly from source to
source, with Apple stating that there are only four known viruses, and
independent sources stating there are as many as 63 viruses. Many Mac OS
Classic viruses targeted the HyperCard authoring environment. The difference in
virus vulnerability between Macs and Windows is a chief selling point, one that
Apple uses in their Get a Mac advertising. In January 2009, Symantec announced
the discovery of a trojan that targets Macs. This discovery did not gain much
coverage until April 2009.
While Linux, and Unix in general, has
always natively blocked normal users from making changes to the operating
system environment, Windows users generally have not been blocked. This
difference has continued partly due to the widespread use of administrator
accounts in versions such as Windows XP. In 1997, a virus for Linux was
released, known as "Bliss". Leading antivirus vendors issued warnings that Unix-like
systems could fall prey to viruses just like Windows. The Bliss virus may be
considered characteristic of viruses—as opposed to worms—on Unix systems. Bliss
requires that the user run it explicitly, and it can only infect programs that
the user has the access to modify. Unlike Windows users, most Unix users do not
log in as an administrator user except to install or configure software; as a
result, even if a user ran the virus, it could not harm their operating system.
The Bliss virus never became widespread, and remains chiefly a research
curiosity. Its creator later posted the source code to Usenet, allowing
researchers to see how it worked.
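The point about Bliss, that a user-level infector can only reach programs its user may modify, can be measured directly. The added example below (not from the original article, and not related to the Bliss code) lists the executables on a set of directories that the current account can both execute and write; run over PATH as a normal Unix user, it shows the blast radius such a virus would have, and run as root it shows why administrator accounts widen it to every program. The directory layout and the two sample programs in demo() are constructed for this example.

```python
import os
import stat
import tempfile
from typing import Dict, List


def writable_executables(dirs: List[str]) -> List[str]:
    """Return files in dirs that carry an execute bit AND are writable by the
    calling user: exactly the set a virus run by this user could infect."""
    found: List[str] = []
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            if not os.path.isfile(p) or os.path.islink(p):
                continue
            if os.stat(p).st_mode & exec_bits and os.access(p, os.W_OK):
                found.append(p)
    return found


def path_dirs() -> List[str]:
    """Directories the shell would search for a command name."""
    return [d for d in os.environ.get("PATH", "").split(os.pathsep) if d]


def demo() -> Dict[str, object]:
    """Constructed, self-contained run: one program owned and writable by the
    user (mode 0755) and one read-only (0555). A normal user reaches only the
    first; root, whom the kernel exempts from mode bits, reaches both."""
    root = tempfile.mkdtemp()
    mine = os.path.join(root, "mytool")
    system = os.path.join(root, "systool")
    for p in (mine, system):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")
    os.chmod(mine, 0o755)
    os.chmod(system, 0o555)
    is_root = getattr(os, "geteuid", lambda: -1)() == 0
    return {
        "euid_is_root": is_root,
        "reachable": [os.path.basename(p) for p in writable_executables([root])],
    }


if __name__ == "__main__":
    for p in writable_executables(path_dirs()):
        print(p)
```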
Software development
Because software is often designed with
security features to prevent unauthorized use of system resources, many viruses
must exploit security bugs (security defects) in system or application software
to spread. Software development strategies that produce large numbers of bugs
will generally also produce potential exploits.
Antivirus software and other preventive measures
Many users install antivirus software that
can detect and eliminate known viruses when the computer attempts to download
or run the executable (which may be distributed as an email attachment, or on
USB flash drives, for example). Some antivirus software blocks known malicious
web sites that attempt to install malware. Antivirus software does not change
the underlying capability of hosts to transmit viruses. Users must update their
software regularly to patch security vulnerabilities ("holes"). Antivirus
software also needs to be regularly updated in order to recognize the latest
threats. The German AV-TEST Institute publishes evaluations of antivirus
software for Windows and Android.
Examples of Microsoft Windows antivirus
and anti-malware software include the optional Microsoft Security Essentials
(for Windows XP, Vista and Windows 7) for real-time protection, the Windows
Malicious Software Removal Tool (now included with Windows (Security) Updates
on "Patch Tuesday", the second Tuesday of each month), and Windows
Defender (an optional download in the case of Windows XP). Additionally,
several capable antivirus software programs are available for free download
from the Internet (usually restricted to non-commercial use). Some such free
programs are almost as good as commercial competitors. Common security
vulnerabilities are assigned CVE IDs and listed in the US National
Vulnerability Database. Secunia PSI is an example of software, free for personal
use, that will check a PC for vulnerable out-of-date software, and attempt to
update it. Ransomware and phishing scam alerts appear as press releases on the
Internet Crime Complaint Center noticeboard.
Other commonly used preventative measures
include timely operating system updates, software updates, careful Internet
browsing, and installation of only trusted software.
Antivirus software methods
There are two common methods that an
antivirus software application uses to detect viruses, as described in the
antivirus software article. The first, and by far the most common method of
virus detection is using a list of virus signature definitions. This works by
examining the content of the computer's memory (its RAM, and boot sectors) and
the files stored on fixed or removable drives (hard drives, floppy drives, or
USB flash drives), and comparing those files against a database of known virus
"signatures". Virus signatures are just strings of code that are used
to identify individual viruses; for each virus, the anti-virus designer tries
to choose a unique signature string that will not be found in a legitimate
program. Different anti-virus programs use different "signatures" to
identify viruses. The disadvantage of this detection method is that users are
only protected from viruses that are detected by signatures in their most
recent virus definition update, and not protected from new viruses (see
"zero-day attack"). A second method to find viruses is to use a
heuristic algorithm based on common virus behaviors. This method has the
ability to detect new viruses for which anti-virus security firms have yet to
define a "signature", but it also gives rise to more false positives
than using signatures. False positives can be disruptive, especially in a
commercial environment.
Recovery strategies and methods
One may also minimize the damage done by
viruses by making regular backups of data (and the operating systems) on
different media, that are either kept unconnected to the system (most of the
time), read-only or not accessible for other reasons, such as using different
file systems. This way, if data is lost through a virus, one can start again using
the backup (which should preferably be recent).
If a backup session on optical media like
CD and DVD is closed, it becomes read-only and can no longer be affected by a
virus (so long as a virus or infected file was not copied onto the CD/DVD).
Likewise, an operating system on a bootable CD can be used to start the
computer if the installed operating systems become unusable. Backups on
removable media must be carefully inspected before restoration. The Gammima
virus, for example, propagates via removable flash drives.
A number of recovery options exist after a
computer has a virus. These actions depend on the virus. Some may be safely
removed by functions available in most antivirus software products (see above).
Others may require re-installation of damaged programs. It is necessary to know
the characteristics of the virus involved to take the correct action, and
anti-virus products will identify known viruses precisely before trying to
"dis-infect" a computer; otherwise such action could itself cause a
lot of damage. New viruses that anti-virus researchers have not yet encountered
(zero-day viruses) therefore present an ongoing problem, which requires
anti-virus packages to be updated frequently.
Virus removal
Many websites run by antivirus software companies
provide free online virus scanning, with limited cleaning facilities (the
purpose of the sites is to sell anti-virus products). Some websites—like Google
subsidiary VirusTotal.com—allow users to upload one or more suspicious files to
be scanned and checked by one or more antivirus programs in one operation.
Additionally, several capable antivirus software programs are available for
free download from the Internet (usually restricted to non-commercial use).
Microsoft offers an optional free antivirus utility called Microsoft Security
Essentials, a Windows Malicious Software Removal Tool that is updated as part
of the regular Windows update regime, and an older optional anti-malware
(malware removal) tool Windows Defender that has been upgraded to an antivirus
product in Windows 8.
Some viruses disable System Restore and
other important Windows tools such as Task Manager and Command Prompt. An
example of a virus that does this is CiaDoor. Many such viruses can be removed
by rebooting the computer, entering Windows safe mode with networking, and then
using system tools or Microsoft Safety Scanner. System Restore on Windows Me,
Windows XP, Windows Vista and Windows 7 can restore the registry and critical
system files to a previous checkpoint. Often a virus will cause a system to
hang, and a subsequent hard reboot will render a system restore point from the
same day corrupt. Restore points from previous days should work provided the
virus is not designed to corrupt the restore files and does not exist in previous
restore points.
Operating system reinstallation
Microsoft's System File Checker (improved
in Windows 7 and later) can be used to check for, and repair, corrupted system
files.
Restoring an earlier "clean"
(virus-free) copy of the entire partition from a cloned disk, a disk image, or
a backup is one solution—restoring an earlier backup disk image is relatively
simple to do, usually removes any malware, and may be faster than disinfecting
the computer—or reinstalling and reconfiguring the operating system and
programs from scratch, as described below, then restoring user preferences.
Reinstalling the operating system—as
described here—is another approach to virus removal, if the above options don't
work: It may be possible to recover copies of essential user data by booting
from a live CD, or connecting the hard drive to another computer and booting
from the second computer's operating system, taking great care not to infect
that computer by executing any infected programs on the original drive. The
original hard drive can then be reformatted and the OS and all programs
installed from original media. Once the system has been restored, precautions
must be taken to avoid reinfection from any restored executable files.
History
Academic work
The first academic work on the theory of
computer viruses (although the term "computer virus" was not used at
that time) was done in 1949 by John von Neumann who gave lectures at the
University of Illinois about the "Theory and Organization of Complicated Automata".
The work of von Neumann was later published as the "Theory of
self-reproducing automata". In his essay von Neumann described how a
computer program could be designed to reproduce itself. Von Neumann's design
for a self-reproducing computer program is considered the world's first
computer virus, and he is considered to be the theoretical father of computer
virology.
In 1972 Veith Risak, directly building on
von Neumann's work on self-replication, published his article
"Selbstreproduzierende Automaten mit minimaler
Informationsübertragung" (Self-reproducing automata with minimal
information exchange). The article describes a fully functional virus written
in assembler language for a SIEMENS 4004/35 computer system.
In 1980 Jürgen Kraus wrote his diplom
thesis "Selbstreproduktion bei Programmen" (Self-reproduction of
programs) at the University of Dortmund. In his work Kraus postulated that
computer programs can behave in a way similar to biological viruses.
In 1984 Fred Cohen from the University of
Southern California wrote his paper "Computer Viruses – Theory and
Experiments". It was the first paper to explicitly call a self-reproducing
program a "virus", a term introduced by Cohen's mentor Leonard
Adleman. In 1987, Fred Cohen published a demonstration that there is no
algorithm that can perfectly detect all possible viruses. Fred Cohen's
theoretical compression virus was an example of a virus which was not malware,
but was putatively benevolent. However, antivirus professionals do not accept
the concept of benevolent viruses, as any desired function can be implemented
without involving a virus (automatic compression, for instance, is available
under the Windows operating system at the choice of the user). Any virus will
by definition make unauthorised changes to a computer, which is undesirable
even if no damage is done or intended. On page one of Dr Solomon's Virus
Encyclopaedia, the undesirability of viruses, even those that do nothing but
reproduce, is thoroughly explained.
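Cohen's 1987 impossibility result, restated as an added proof sketch (not the page's own wording; the names D and P* are introduced here for the argument):

```latex
\begin{aligned}
&\text{Assume a decision procedure } D \text{ exists with } D(P)=1 \iff P \text{ is a virus, for every program } P. \\
&\text{Construct } P^{*} \text{ that first runs } D \text{ on its own code and then does:} \\
&\qquad \text{if } D(P^{*}) = 1:\ \text{halt without infecting anything;} \\
&\qquad \text{if } D(P^{*}) = 0:\ \text{infect other programs.} \\
&D(P^{*}) = 1 \;\Rightarrow\; P^{*} \text{ never infects} \;\Rightarrow\; P^{*} \text{ is not a virus} \;\Rightarrow\; D \text{ is wrong.} \\
&D(P^{*}) = 0 \;\Rightarrow\; P^{*} \text{ infects} \;\Rightarrow\; P^{*} \text{ is a virus} \;\Rightarrow\; D \text{ is wrong.} \\
&\text{Either way } D \text{ misclassifies } P^{*}, \text{ so no such } D \text{ exists.}
\end{aligned}
```

The construction is the same self-reference used in the halting-problem proof, which is why every scanner in practice settles for signatures and heuristics with some rate of misses and false positives rather than a perfect decision.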
An article that describes "useful
virus functionalities" was published by J. B. Gunn under the title
"Use of virus functions to provide a virtual APL interpreter under user
control" in 1984.
Science fiction
The first known description of a
self-reproducing program in a short story occurs in a 1970 story by Gregory
Benford which describes a computer program called VIRUS which, when installed
on a computer with telephone modem dialling capability, randomly dials phone
numbers until it hits a modem that is answered by another computer. It then
attempts to program the answering computer with its own program, so that the
second computer will also begin dialling random numbers, in search of yet
another computer to program. The program rapidly spreads exponentially through
susceptible computers and can only be countered by a second program called
VACCINE.
The idea was explored further in two 1972
novels - When HARLIE Was One by David Gerrold and The Terminal Man by Michael
Crichton - and became a major theme of the 1975 novel The Shockwave Rider by
John Brunner.
Although the word "virus" isn't
mentioned, in the movie Westworld, the android entertainers in a futuristic
holiday park develop violent behavior that spreads among them like an
infection.
Virus programs
The Creeper virus was first detected on
ARPANET, the forerunner of the Internet, in the early 1970s. Creeper was an
experimental self-replicating program written by Bob Thomas at BBN Technologies
in 1971. Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX
operating system. Creeper gained access via the ARPANET and copied itself to
the remote system where the message, "I'm the creeper, catch me if you
can!" was displayed. The Reaper program was created to delete Creeper.
In 1982, a program called "Elk Cloner"
was the first personal computer virus to appear "in the wild"—that
is, outside the single computer or lab where it was created. Written in 1981 by
Richard Skrenta, it attached itself to the Apple DOS 3.3 operating system and
spread via floppy disk. This virus, created as a practical joke when Skrenta
was still in high school, was injected in a game on a floppy disk. On its 50th
use the Elk Cloner virus would be activated, infecting the personal computer
and displaying a short poem beginning "Elk Cloner: The program with a
personality."
The first IBM PC virus in the wild was a
boot sector virus dubbed (c)Brain, created in 1986 by the Farooq Alvi Brothers
in Lahore, Pakistan, reportedly to deter piracy of the software they had
written.
Before computer networks became widespread,
most viruses spread on removable media, particularly floppy disks. In the early
days of the personal computer, many users regularly exchanged information and
programs on floppies. Some viruses spread by infecting programs stored on these
disks, while others installed themselves into the disk boot sector, ensuring
that they would be run when the user booted the computer from the disk, usually
inadvertently. Personal computers of the era would attempt to boot first from a
floppy if one had been left in the drive. Until floppy disks fell out of use,
this was the most successful infection strategy and boot sector viruses were
the most common in the wild for many years.
Traditional computer viruses emerged in the
1980s, driven by the spread of personal computers and the resultant increase in
BBS, modem use, and software sharing. Bulletin board–driven software sharing
contributed directly to the spread of Trojan horse programs, and viruses were
written to infect popularly traded software. Shareware and bootleg software
were equally common vectors for viruses on BBSs. Viruses can increase their
chances of spreading to other computers by infecting files on a network file
system or a file system that is accessed by other computers.
Macro viruses have become common since the
mid-1990s. Most of these viruses are written in the scripting languages for
Microsoft programs such as Word and Excel and spread throughout Microsoft
Office by infecting documents and spreadsheets. Since Word and Excel were also
available for Mac OS, most could also spread to Macintosh computers. Although
most of these viruses did not have the ability to send infected email messages,
those that did took advantage of the Microsoft Outlook COM interface.
Some old versions of Microsoft Word allow
macros to replicate themselves with additional blank lines. If two macro
viruses simultaneously infect a document, the combination of the two, if also
self-replicating, can appear as a "mating" of the two and would
likely be detected as a virus unique from the "parents".
A virus may also send a web address link as
an instant message to all the contacts on an infected machine. If the
recipient, thinking the link is from a friend (a trusted source) follows the
link to the website, the virus hosted at the site may be able to infect this
new computer and continue propagating.
Viruses that spread using cross-site
scripting were first reported in 2002, and were academically demonstrated in
2005. There have been multiple instances of the cross-site scripting viruses in
the wild, exploiting websites such as MySpace and Yahoo!.
Terminology
The term "virus" was used by
computer scientist Fred Cohen because a computer virus causes its replication
by means of the infected computer, in a way similar to how a biological virus
causes its replication by means of the infected organism.
The plural of "virus" in English
is "viruses".
When and how did the metaphor of the computer
'virus' arise?
Lauri Mullens
Los Angeles, Calif.
Rob Rosenberger is a computer consultant who maintains the
Computer Virus Myths Homepage. He replies:
The roots of the modern computer virus go back to 1949, when computer pioneer John
von Neumann presented a paper on the "Theory and Organization of
Complicated Automata," in which he postulated that a computer program
could reproduce. Bell Labs employees gave life to von Neumann's theory in the
1950s in a game they called "Core Wars." In this game, two
programmers would unleash software "organisms" and watch as they vied
for control of the computer. You can read about Core Wars in the May 1984 issue
of Scientific American.
Strangely enough, two science-fiction books in
the 1970s helped to promote the concept of a replicating program. Thomas
Brunner's Shockwave Rider and Thomas Ryan's Adolescence of P-1 depicted worlds
where a piece of software could transfer itself from one computer to another
without detection. Back in the real world, Fred Cohen presented the first
rigorous mathematical definition for a computer virus in his 1986 Ph.D. thesis.
Cohen coined the term "virus" at this point and is considered the
father of what we know today as computer viruses. He sums it up in one sentence
as "a program that can infect other programs by modifying them to include
a, possibly evolved, version of itself."
The media seldom mentioned computer viruses in the mid-1980s, treating the whole
concept as an obscure theoretical problem. The media's perception of viruses
took a dramatic turn in late 1988, when a college student named Robert T.
Morris unleashed the infamous "Internet Worm." (Some trivia: Morris's
father had a hand in the original Core Wars games.) Reporters grew infatuated
with the idea of a tiny piece of software knocking out big mainframe computers
worldwide. The rest, as they say, is history.
Some references:
V.I.R.U.S. Protection by Pamela Kane. Bantam
Books, New York, 1989.
"Computer Viruses: Theory and
Experiments," described by Frederick B. Cohen in A Short Course on
Computer Viruses; ASP Press, Pittsburgh, 1990.
Steven White, manager of IBM Research's
Massively Distributed System Group, offers some complementary information:
The term "computer virus" was coined in the early 1980s. Fred Cohen, then
a Ph.D. student at the University of Southern California, came up with the idea
of using self-replicating software, which spreads by attaching itself to
existing programs as a way of attacking the security of multi-user computing
systems. He showed this idea to Len Adleman, his thesis advisor. Adleman
pointed out the similarity to a biological virus, which uses the resources of
the cell it attacks to reproduce itself, and the term "computer
virus" began its journey into everyday English.
Since then, computer viruses have mimicked
their biological namesakes, spreading digital disease around the world. And,
here at IBM Research, we are taking inspiration from biological defenses to
viruses and creating a kind of immune system for cyberspace, which will be able
to find, analyze and eliminate new computer viruses from the world's computers
quickly and automatically.
Alex Haddox is product manager of the Symantec AntiVirus Research Center, which
manufactures Norton AntiVirus products. He adds:
The history of the computer virus began in the 1940s when John von Neumann
published a paper called "Theory and Organization of Complicated
Automata," which documented the possibility of replicating computer
programs. John Conway is credited with creating the first "virus" in
the form of a life-emulating program called the "Game of Life" in the
1960s. In the 1970s, the first true self-replicating programs, referred to as
"organisms," were written as experiments in artificial intelligence
on UNIX systems and used in small, isolated network-type games by large
research companies. In 1983, the term "virus" was first coined to
describe self-replicating programs by Frederick Cohen and his colleague, Len
Adleman. The first reports of serious damage from a PC virus occurred in 1986;
the infection was caused by the "Pakistani Brain" virus, which was
written by two brothers, Basit and Amjad Farooq Alvi, of Lahore, Pakistan.
A final reply comes from Jacob Motola of Integralis, a software security company:
The concept behind the first malicious computer programs was described years ago in
the Computer Recreations column of Scientific American. The metaphor of the
"computer virus" was adopted because of the similarity in form,
function and consequence with biological viruses that attack the human system.
Computer viruses can insert themselves in another program, taking over control
or adversely affecting the function of the program.
Like their biological counterparts, computer viruses can spread rapidly and
self-replicate systematically. They also mimic living viruses in the way they
must adapt through mutation to the development of resistance within a system:
the author of a computer virus must upgrade his creation in order to overcome
the resistance (antiviral programs) or to take advantage of a new weakness or
loophole within the system.
Computer viruses also act like biologics in
the way they can be set off: they can be virulent from the outset of the
infection or they can be activated by a specific event (logic bomb). But
computer viruses can also be triggered at a specific time (time bomb). Most
viruses act innocuously towards a system until their specific condition is met.
The computer industry has expanded the metaphor to now include terms like
inoculation, disinfection, quarantine and sanitation. Now if your system gets
infected by a computer virus you can quarantine it until you can call the
"virus doctor" who can direct you to the appropriate "virus
clinic" where your system can be inoculated and disinfected and an
anti-virus program can be presc
Timeline of computer viruses and worms
This timeline of computer viruses and worms presents a chronology of noteworthy
computer viruses, computer worms, trojan horses, similar malicious software,
related research and events.
1949
John von Neumann's article on the "Theory of self-reproducing automata" is
published. The article is based on lectures given by von Neumann at the
University of Illinois about the "Theory and Organization of Complicated
Automata" in 1949.
1970–1979
1971
The Creeper virus, an experimental self-replicating program, is written by Bob
Thomas at BBN Technologies. Creeper infected DEC PDP-10 computers running the
TENEX operating system. Creeper gained access via the ARPANET and copied itself
to the remote system where the message, "I'm the creeper, catch me if you
can!" was displayed. The Reaper program was later created to delete
Creeper.
1974
The Rabbit
(or Wabbit) virus, more a fork bomb than a virus, is written. The Rabbit virus
makes multiple copies of itself on a single computer (and was named
"Rabbit" for the speed at which it did so) until it clogs the system,
reducing system performance, before finally reaching a threshold and crashing
the computer.
1975
April: ANIMAL is written by John Walker for
the UNIVAC 1108. ANIMAL asked a number of questions of the user in an attempt
to guess the type of animal that the user was thinking of, while the related
program PERVADE would create a copy of itself and ANIMAL in every directory to
which the current user had access. It spread across the multi-user UNIVACs when
users with overlapping permissions discovered the game, and to other computers
when tapes were shared. The program was carefully written to avoid damage to
existing file or directory structures, and not to copy itself if permissions
did not exist or if damage could result. Its spread was therefore halted by an
OS upgrade which changed the format of the file status tables that PERVADE used
for safe copying. Though non-malicious, "Pervading Animal" represents
the first Trojan "in the wild".
The novel The Shockwave Rider by John Brunner is published, coining the word
"worm" to describe a program that propagates itself through a
computer network.
1980–1989
1981
A program called Elk Cloner, written for Apple II systems, was created by Richard
Skrenta. The Apple II was seen as particularly vulnerable due to the storage of
its operating system on floppy disk. Elk Cloner's design combined with public
ignorance about what malware was and how to protect against it led to Elk
Cloner being responsible for the first large-scale computer virus outbreak in
history.
1983
November: The term 'virus' is coined by
Frederick Cohen in describing self-replicating computer programs. In 1984 Cohen
uses the phrase "computer virus" – as suggested by his teacher
Leonard Adleman – to describe the operation of such programs in terms of
"infection". He defines a 'virus' as "a program that can
'infect' other programs by modifying them to include a possibly evolved copy of
itself." Cohen demonstrates a virus-like program on a VAX-11/750 system at
Lehigh University. The program could install itself in, or infect, other system
objects.
A very early
Trojan Horse designed for the IBM PC called ARF-ARF was downloaded from BBS
sites and claimed to “Sort” the DOS Diskette Directory. This was a very
desirable feature because DOS didn’t list the files in alphabetical order in
1983. Instead, the program deleted all of the files on the diskette, cleared
the screen and typed ARF – ARF. ARF was a reference to the common “Abort, Retry,
Fail” message you would get when a PC could not boot from a diskette.
1984
August: Ken Thompson publishes his seminal
paper, Reflections on Trusting Trust, in which he describes how he modified a C
compiler so that when used to compile a specific version of the Unix operating
system, it inserted a backdoor into the login command, and when used to compile
itself, it inserted the backdoor insertion code, even if neither the backdoor
nor the backdoor insertion code were present in the source code.
1986
January: The Brain boot sector virus is
released. Brain is considered the first IBM PC compatible virus, and the
program responsible for the first IBM PC compatible virus epidemic. The virus
is also known as Lahore, Pakistani, Pakistani Brain, and Pakistani flu as it
was created in Lahore, Pakistan by 19-year-old Pakistani programmer Basit
Farooq Alvi and his brother, Amjad Farooq Alvi.
December: Ralf Burger presented the Virdem
model of programs at a meeting of the underground Chaos Computer Club in
Germany. The Virdem model represented the first programs that could replicate
themselves via addition of their code to executable DOS files in COM format.
1987
Appearance of the Vienna virus, which was subsequently neutralized—the first time this had
happened on the IBM platform.
Appearance of the Lehigh virus, boot sector viruses such as Yale from the USA, Stoned from New
Zealand, Ping Pong from Italy, and appearance of first self-encrypting file
virus, Cascade. Lehigh was stopped on campus before it spread to the wild, and
has never been found elsewhere as a result. A subsequent infection of Cascade
in the offices of IBM Belgium led to IBM responding with its own antivirus
product development. Prior to this, antivirus solutions developed at IBM were
intended for staff use only.
October: The Jerusalem virus, part of the (at
that time unknown) Suriv family, is detected in the city of Jerusalem. The
virus destroys all executable files on infected machines upon every occurrence
of Friday the 13th (except Friday 13 November 1987 making its first trigger
date May 13, 1988). Jerusalem caused a worldwide epidemic in 1988.
November: The SCA virus, a boot sector virus
for Amigas appears, immediately creating a pandemic virus-writer storm. A short
time later, SCA releases another, considerably more destructive virus, the Byte
Bandit.
December: Christmas Tree EXEC was the first widely disruptive replicating network program, which
paralyzed several international computer networks in December 1987.
1988
March 1: The Ping-Pong virus (also called Boot, Bouncing Ball, Bouncing Dot, Italian,
Italian-A or VeraCruz), an MS-DOS boot sector virus, is discovered at
University of Turin in Italy.
June: The CyberAIDS and Festering Hate
Apple ProDOS viruses spread from underground pirate BBS systems and start
infecting mainstream networks. Festering Hate was the last iteration of the
CyberAIDS series extending back to 1985 and 1986. Unlike the few Apple viruses
that had come before which were essentially annoying, but did no damage, the
Festering Hate series of viruses was extremely destructive, spreading to all
system files it could find on the host computer (hard drive, floppy, and system
memory) and then destroying everything when it could no longer find any
uninfected files.
November 2: The Morris worm, created by Robert
Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX that are
connected to the Internet, and becomes the first worm to spread extensively
"in the wild", and one of the first well-known programs exploiting
buffer overrun vulnerabilities.
1989
October: Ghostball, the first multipartite virus, is discovered by Friðrik Skúlason. It infects
both executable .COM files and boot sectors on MS-DOS systems. It captures
certain information entered or saved by the user, with the corresponding threat
to privacy; causes the loss of information stored on the computer, either
specific files or data in general; affects the productivity of the computer,
the network to which it’s connected or other remote sites; and decreases the
security level of the computer, but does not automatically spread itself.
1990–1999
1990
Mark Washburn, working on an analysis of the Vienna and Cascade viruses with Ralf
Burger, develops the first family of polymorphic viruses: the Chameleon family.
The Chameleon series debuted with the release of 1260.
1992
March: The Michelangelo virus was expected
to create a digital apocalypse on March 6, with millions of computers having
their information wiped according to mass media hysteria surrounding the virus.
Later assessments of the damage showed the aftermath to be minimal. John McAfee
had been quoted by the media as saying that 5 million computers would be
affected. He later said that, pressed by the interviewer to come up with a
number, he had estimated a range from 5 thousand to 5 million, but the media
naturally went with just the higher number.
1993
"Leandro & Kelly" and "Freddy Krueger" spread quickly due to the
popularity of BBS and shareware distribution.
1994
April: OneHalf is a DOS-based polymorphic computer virus.
1995
The first macro virus, called "Concept," is created. It attacked Microsoft Word
documents.
1996
"Ply", a complicated 16-bit DOS polymorphic virus with a built-in
permutation engine, appeared.
1998
June 2: The first version of the CIH virus
appears. It is the first known virus able to erase flash ROM BIOS content.
1999
January 20: The Happy99 worm first appeared. It
invisibly attaches itself to emails, displays fireworks to hide the changes
being made, and wishes the user a happy New Year. It modifies system files
related to Outlook Express and Internet Explorer (IE) on Windows 95 and Windows
98.
March 26: The Melissa worm was released,
targeting Microsoft Word and Outlook-based systems, and creating considerable
network traffic.
June 6: The ExploreZip worm, which destroys
Microsoft Office documents, was first detected.
December 30: The Kak worm is a JavaScript
computer worm that spread itself by exploiting a bug in Outlook Express.
2000–2009
2000
May: The ILOVEYOU worm, also known as
Love Letter, or VBS, or Love Bug worm, is a computer worm purportedly created
by a Filipino computer science student. Written in VBScript, it infected
millions of Windows computers worldwide within a few hours of its release. It
is considered to be one of the most damaging worms ever.
2001
February 11: The Anna Kournikova virus hits
e-mail servers hard by sending e-mail to contacts in the Microsoft Outlook
address book. Its creator, Dutchman Jan de Wit, was sentenced to 150 hours of
community service.
May 8: The Sadmind worm spreads by
exploiting holes in both Sun Solaris and Microsoft IIS.
July: The Sircam worm is released,
spreading through Microsoft systems via e-mail and unprotected network shares.
July 13: The Code Red worm attacking the
Index Server ISAPI Extension in Microsoft Internet Information Services is
released.
August 4: A complete re-write of the Code Red
worm, Code Red II begins aggressively spreading onto Microsoft systems,
primarily in China.
September 18: The Nimda worm is discovered and
spreads through a variety of means including vulnerabilities in Microsoft
Windows and backdoors left by Code Red II and Sadmind worm.
October 26: The Klez worm is first identified.
It exploits a vulnerability in Microsoft Internet Explorer and Microsoft
Outlook and Outlook Express.
2002
February 11: The Simile virus is a metamorphic
computer virus written in assembly.
Beast is a Windows-based backdoor Trojan horse, more commonly known as a RAT (Remote
Administration Tool). It is capable of infecting almost all versions of
Windows. Written in Delphi and released first by its author Tataye in 2002, its
most current version was released October 3, 2004.
March 7: Mylife is a computer worm that
spread itself by sending malicious emails to all the contacts in Microsoft
Outlook.
August 30: Optix Pro is a configurable remote
access tool or trojan, similar to SubSeven or BO2K.
2003
January 24: The SQL Slammer worm, aka Sapphire
worm, Helkern and other names, attacks vulnerabilities in Microsoft SQL Server
and MSDE and becomes the fastest-spreading worm of all time (measured by doubling
time at the peak rate of growth), crashing the Internet within 15 minutes of
release.
April 2: Graybird is a trojan horse also
known as Backdoor.Graybird.
June 13: ProRat is a Turkish-made Microsoft
Windows based backdoor trojan horse, more commonly known as a RAT (Remote
Administration Tool).
August 12: The Blaster worm, aka the Lovesan
worm, rapidly spreads by exploiting a vulnerability in system services present
on Windows computers.
August 18: The Welchia (Nachi) worm is
discovered. The worm tries to remove the Blaster worm and patch Windows.
August 19: The Sobig worm (technically the
Sobig.F worm) spreads rapidly through Microsoft systems via mail and network
shares.
September 18: Swen is a computer worm written in C++.
October 24: The Sober worm is first seen on
Microsoft systems and maintains its presence until 2005 with many new variants.
The simultaneous attacks on network weakpoints by the Blaster and Sobig worms
cause massive damage.
November 10: Agobot is a computer worm that can
spread itself by exploiting vulnerabilities on Microsoft Windows. Some of the
vulnerabilities are MS03-026 and MS05-039.
November 20: Bolgimo is a computer worm that
spread itself by exploiting a buffer overflow vulnerability at Microsoft
Windows DCOM RPC Interface.
2004
January 18: Bagle is a mass-mailing worm
affecting all versions of Microsoft Windows. There were two variants of the Bagle
worm, Bagle.A and Bagle.B. Bagle.B was discovered on February 17, 2004.
January 23: The L10n worm (usually pronounced
"lion") was a Linux worm that spread by exploiting a buffer overflow
in the BIND DNS server. It was based on an earlier worm known as the Ramen worm
(commonly, albeit incorrectly referred to as the Ramen Virus) which was written
to target systems running versions 6.2 and 7.0 of the Red Hat Linux
distribution.
Late January: The MyDoom worm emerges, and
currently holds the record for the fastest-spreading mass mailer worm.
February 16: The Netsky worm is discovered. The
worm spreads by email and by copying itself to folders on the local hard drive
as well as on mapped network drives if available. Many variants of the Netsky
worm appeared.
March 19: The Witty worm is a record-breaking
worm in many regards. It exploited holes in several Internet Security Systems (ISS)
products. It was the fastest disclosure to worm, it was the first internet worm
to carry a destructive payload and it spread rapidly using a pre-populated list
of ground-zero hosts.
May 1: The Sasser worm emerges by exploiting a vulnerability in the Microsoft Windows LSASS
service and causes problems in networks, while removing MyDoom and Bagle
variants, even interrupting business.
June 15: Caribe or Cabir is a computer worm
that is designed to infect mobile phones that run Symbian OS. It is the first
computer worm that can infect mobile phones. It spread itself through
Bluetooth. More information can be found on F-Secure and Symantec.
August 16: Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor trojan that
infects Windows NT family systems (Windows 2000, Windows XP, Windows 2003).
August 20: Vundo, or the Vundo Trojan
(Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a trojan
known to cause popups and advertising for rogue antispyware programs, and
sporadically other misbehaviour including performance degradation and denial of
service with some websites including Google and Facebook.
October 12: Bifrost, also known as Bifrose, is a
backdoor trojan which can infect Windows 95 through Vista. Bifrost uses the
typical server, server builder, and client backdoor program configuration to
allow a remote attack.
December: Santy, the first known
"webworm" is launched. It exploited a vulnerability in phpBB and used
Google in order to find new targets. It infected around 40,000 sites before
Google filtered the search query used by the worm, preventing it from
spreading.
2005
Late 2005: The Zlob Trojan is a trojan horse
which masquerades as a required video codec in the form of a Microsoft
Windows ActiveX component. It was first detected in late 2005.
Bandook or Bandook Rat (Bandook Remote Administration Tool) is a backdoor trojan horse
that infects the Windows family. It uses a server creator, a client and a
server to take control over the remote computer. It uses process hijacking /
kernel patching to bypass the firewall, and let the server component hijack
processes and gain rights for accessing the Internet.
2006
January 20: The Nyxem worm was discovered. It
spread by mass-mailing. Its payload, which activates on the third of every
month, starting on February 3, attempts to disable security-related and file
sharing software, and destroy files of certain types, such as Microsoft Office
files.
February 16: Discovery of the first-ever malware
for Mac OS X, a low-threat trojan-horse known as OSX/Leap-A or OSX/Oompa-A, is
announced.
Late March: Brontok variant N was found in late
March. Brontok was a mass-email worm and the origin for the worm was from
Indonesia.
Late September: Stration or Warezov worm first
discovered.
2007
January 17: Storm Worm identified as a fast
spreading email spamming threat to Microsoft systems. It begins gathering
infected computers into the Storm botnet. By around June 30 it had infected 1.7
million computers, and it had compromised between 1 and 10 million computers by
September. Thought to have originated from Russia, it disguises itself as a
news email containing a film about bogus news stories asking you to download
the attachment which it claims is a film.
July: Zeus is a trojan that targets
Microsoft Windows to steal banking information by keystroke logging.
2008
February 17: Mocmex is a trojan, which was found
in a digital photo frame in February 2008. It was the first serious computer
virus on a digital photo frame. The virus was traced back to a group in China.
March 3: Torpig, also known as Sinowal and
Mebroot, is a Trojan horse that affects Windows, turning off anti-virus
applications. It allows others to access the computer, modifies data, steals
confidential information (such as user passwords and other sensitive data) and
installs more malware on the victim's computer.
May 6: Rustock.C, a hitherto-rumoured
spambot-type malware with advanced rootkit capabilities, was announced to have
been detected on Microsoft systems and analyzed, having been in the wild and
undetected since October 2007 at the very least.
July 6: Bohmini.A is a configurable remote access tool or trojan that exploits security flaws in
Adobe Flash 9.0.115 with
Internet Explorer 7.0 and Firefox 2.0 under Windows XP SP2.
July 31: The Koobface computer worm targets
users of Facebook and MySpace. New variants constantly appear.
November 21: Computer worm Conficker infects
anywhere from 9 to 15 million Microsoft server systems running everything from
Windows 2000 to the Windows 7 Beta. The French Navy, UK Ministry of Defence
(including Royal Navy warships and submarines), Sheffield Hospital network,
German Bundeswehr and Norwegian Police were all affected. Microsoft sets a
bounty of US$250,000 for information leading to the capture of the worm's
author(s). Five main variants of the Conficker worm are known and have been
dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29
December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively.
On December 16, 2008, Microsoft releases KB958644 patching the server service vulnerability
responsible for the spread of Conficker.
2009
July 4: The July 2009 cyber attacks occur, with the emergence of the W32.Dozer
attack against the United States and South Korea.
July 15: Symantec discovered Daprosy Worm.
Said trojan worm is intended to steal online-game passwords in internet cafes.
It could, in fact, intercept all keystrokes and send them to its author which
makes it potentially a very dangerous worm to infect B2B (business-to-business)
systems.
2010 and later
2010
January: A botnet called Waledac sent spam emails. In February 2010, an international group of
security researchers and Microsoft took Waledac down.
February 18: Microsoft announced that a BSoD
problem on some Windows machines which was triggered by a batch of Patch
Tuesday updates was caused by the Alureon trojan.
June 17: Stuxnet, a Windows trojan, was
detected. It is the first worm to attack SCADA systems. There are suggestions
that it was designed to target Iranian nuclear facilities. It uses a valid
certificate from Realtek.
September 9: The virus, called "here you
have" or "VBMania", is a simple trojan horse that arrives in the
inbox with the odd-but-suggestive subject line "here you have". The
body reads "This is The Document I told you about, you can find it
Here" or "This is The Free Download Sex Movies, you can find it
Here".
September 15: Kenzero is a virus that spreads online from peer-to-peer (P2P)
sites, taking browsing history.
2011
SpyEye and Zeus merged code is seen. New variants attack mobile phone banking information.
Anti-Spyware 2011, a trojan horse which attacks Windows 9x, 2000, XP, Vista, and Windows 7,
posing as an anti-spyware program. It actually disables security-related
processes of anti-virus programs, while also blocking access to the Internet,
which prevents updates.
Summer 2011: The Morto worm attempts to propagate
itself to additional computers via the Microsoft Windows Remote Desktop
Protocol (RDP). Morto spreads by forcing infected systems to scan for Windows
servers allowing RDP login. Once Morto finds an RDP-accessible system, it
attempts to log into a domain or local system account named 'Administrator'
using a number of common passwords. A detailed overview of how the worm
works—along with the password dictionary Morto uses—was done by Imperva.
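A detection routine for the behaviour this entry describes, added here as an example (it is not code from the original timeline or from the Imperva write-up): it scans constructed Windows Security records for repeated failed RDP logons (event 4625, logon type 10) against 'Administrator' from one source inside a short window, and escalates when a successful RDP logon from that source follows. The event IDs and logon type are real Windows values; the sample records, thresholds and function names are assumptions.

```python
"""Morto-style RDP password-guessing detection over Windows Security events.

Added example, not code from the original timeline or from Imperva's analysis.
Event IDs 4624/4625 and logon type 10 (RemoteInteractive, i.e. RDP) are real
Windows values; the sample records, thresholds and function names are
assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # Windows Security: "An account failed to log on"
SUCCESSFUL_LOGON = 4624    # Windows Security: "An account was successfully logged on"
RDP_LOGON_TYPE = 10        # LogonType 10 = RemoteInteractive (Terminal Services / RDP)

# Constructed sample records: (timestamp, event_id, logon_type, target_user, source_ip).
# None of these come from a real host.
SAMPLE_EVENTS = [
    # 192.0.2.10 walks a password list against Administrator over RDP, then gets in.
    ("2011-08-28T03:14:05", 4625, 10, "Administrator", "192.0.2.10"),
    ("2011-08-28T03:14:07", 4625, 10, "Administrator", "192.0.2.10"),
    ("2011-08-28T03:14:09", 4625, 10, "Administrator", "192.0.2.10"),
    ("2011-08-28T03:14:11", 4625, 10, "Administrator", "192.0.2.10"),
    ("2011-08-28T03:14:13", 4625, 10, "Administrator", "192.0.2.10"),
    ("2011-08-28T03:14:15", 4624, 10, "Administrator", "192.0.2.10"),
    # An operator mistypes a password once from the jump host: benign.
    ("2011-08-28T08:02:40", 4625, 10, "Administrator", "198.51.100.7"),
    ("2011-08-28T08:02:55", 4624, 10, "Administrator", "198.51.100.7"),
    # Five failures spread over eight minutes never reach five inside a 5-minute window.
    ("2011-08-28T10:00:00", 4625, 10, "Administrator", "203.0.113.5"),
    ("2011-08-28T10:02:00", 4625, 10, "Administrator", "203.0.113.5"),
    ("2011-08-28T10:04:00", 4625, 10, "Administrator", "203.0.113.5"),
    ("2011-08-28T10:06:00", 4625, 10, "Administrator", "203.0.113.5"),
    ("2011-08-28T10:08:00", 4625, 10, "Administrator", "203.0.113.5"),
    # Console failures (logon type 2) are not RDP and are ignored by this rule.
    ("2011-08-28T11:00:00", 4625, 2, "Administrator", "127.0.0.1"),
]


def detect_rdp_guessing(events, account="Administrator",
                        threshold=5, window=timedelta(minutes=5)):
    """Flag sources that produce `threshold` failed RDP logons against `account`
    within any `window`, and record whether an RDP success followed.

    Returns {source_ip: {"first_failure", "failures", "success_after"}}.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of failures still in the window
    findings = {}
    for ts_str, event_id, logon_type, user, src in sorted(events):  # ISO strings sort by time
        if logon_type != RDP_LOGON_TYPE or user != account:
            continue
        ts = datetime.fromisoformat(ts_str)
        if event_id == FAILED_LOGON:
            hist = recent[src]
            hist.append(ts)
            while ts - hist[0] > window:        # slide the window forward
                hist.popleft()
            if src in findings:
                findings[src]["failures"] += 1  # keep counting after the alert fired
            elif len(hist) >= threshold:
                findings[src] = {"first_failure": hist[0],
                                 "failures": len(hist),
                                 "success_after": None}
        elif event_id == SUCCESSFUL_LOGON and src in findings:
            if findings[src]["success_after"] is None:
                findings[src]["success_after"] = ts
    return findings


def severity(finding):
    """A success after the burst means one of the guessed passwords was accepted."""
    if finding["success_after"] is not None:
        return "critical: RDP logon succeeded after password guessing"
    return "high: RDP password guessing in progress"


def report(events, account="Administrator"):
    """Return one human-readable line per flagged source."""
    lines = []
    for src, f in sorted(detect_rdp_guessing(events, account=account).items()):
        lines.append(f"{src}: {f['failures']} failed RDP logons as {account} "
                     f"since {f['first_failure'].isoformat()} -> {severity(f)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```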
July 13: the ZeroAccess rootkit (also known
as Sirefef or max++) was discovered.
September 1: Duqu is a
worm thought to be related to the Stuxnet worm. The Laboratory of Cryptography
and System Security (CrySyS Lab) of the Budapest University of Technology and
Economics in Hungary discovered the threat, analysed the malware, and wrote a
60-page report naming the threat Duqu. Duqu gets its name from the prefix
"~DQ" it gives to the names of files it creates.
2012
May: Flame, also known as Flamer,
sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that
attacks computers running Microsoft Windows. The program is being used for
targeted cyber espionage in Middle Eastern countries. Its discovery was
announced on 28 May 2012 by MAHER Center of Iranian National Computer Emergency
Response Team (CERT), Kaspersky Lab and CrySyS Lab of the Budapest University
of Technology and Economics. CrySyS stated in their report that "sKyWIper
is certainly the most sophisticated malware we encountered during our practice;
arguably, it is the most complex malware ever found".
August 16: Shamoon is a computer virus designed
to target computers running Microsoft Windows in the energy sector. Symantec,
Kaspersky Lab, and Seculert announced its discovery on August 16, 2012.
September 20: NGRBot is a worm that uses the IRC
network for file transfer, sending and receiving commands between zombie
network machines and the attacker’s IRC server, and monitoring, controlling
and intercepting network connectivity. It employs a user-mode rootkit technique to
hide and steal its victim’s information. This family of bot is also designed to
infect HTML pages with iframes, causing redirections, blocking victims from
getting updates from security/antimalware products, and killing those services.
The bot is designed to connect via a predefined IRC channel and communicate
with a remote botnet.