Ten years ago, PC viruses did not exist. Now there are up to 8000 circulating among the world’s computers and on the Internet. Wilson da Silva reports.
CHRIS Pile is 26. He is British, unemployed and a self-taught computer programmer. Although talented, he doesn’t do that much programming these days: he is currently in a British jail serving an 18-month sentence for creating computer viruses.
Operating under the Net pseudonym of Black Baron, between October 1993 and April 1994 Pile hacked into corporate bulletin boards and inserted his Smeg.Pathogen series of viruses.
The fiendishly clever programs corrupted hard disks. They also employed what he called Smeg (simulated metamorphic encryption generator) - a “toolkit” part of the virus that allowed it to hide its code from anti-virus scanning programs and mutate with every infection, making it hard to trace.
At his trial, Scotland Yard testified that his viruses, which had spread like wildfire across the Internet, had already cost British businesses £500,000 (about $A831,000) in damage to computer files and in repairs. Even after his conviction in November 1995, industry analysts said they expected his virus family - which has spawned a number of copycats - to top £1 million in costs to industry within a year.
Pile is only the latest of a community of virus creators who inhabit the computer underground. As recently as 1992, there were only 1800 known computer viruses, 99 per cent of them targeting IBM-compatible computers. There are an estimated 150 Amiga and 30 Macintosh viruses.
These days there are between 6000 and 8000 - depending on how you classify the variant strains - and hundreds more are being created every year.
Their creators are typically young (mostly in their teens or early 20s), male and seeking the fame and notoriety that a successful computer virus brings. Many of them get a kick from reading in computer magazines and newspapers of the panic their creations spark. Pile is one of the few who have ever been caught.
They operate computer bulletin boards in the United States and Britain, and in the former Eastern Bloc countries like Bulgaria and Russia.
Boards like The Hell Pit, in Chicago; Caustic Contagion, in Texas; and Dark Coffin, in rural Pennsylvania; or Virus Exchange, in Bulgaria, are the electronic meeting places where virus creators discuss new programming strategies or swap their latest creations.
From these bulletin boards, hackers can download virus copies, modify and personalise them, and attach them to otherwise innocuous pieces of shareware or freeware programs.
Most of these do little damage, merely infecting the boot sector of hard drives or attaching themselves to documents, but thereafter lying dormant. They might force you to print a slogan with every document, such as the recent virus called Nuclear, which attaches “Stop French Nuclear Tests!” to documents.
“Most viruses don’t have a payload,” says Grant Scurrah, general manager of the New Zealand-based Second Sight software, whose Israeli-designed virus-smasher InVircible rates among the most effective.
“They’re designed to propagate and not necessarily go active,” he said. “A lot of them (the authors) are kids just looking for recognition and publicity. Some of them write viruses particularly to beat the anti-virus industry.”
Anti-virus experts estimate that only 5 per cent of viruses carry a payload, an executable routine that makes the infected computer do things its user had not intended. It is thought that only 0.5 per cent are malevolent viruses that cause serious damage, such as reformatting hard disks or randomly destroying documents.
Most viruses lodge themselves in the boot sector - the operating system’s “front door” - and move the original boot code to some other part of the disk. This forces the computer to load up using the virus commands, displaying the virus creator’s message first. The first PC boot-sector virus is thought to be the Pakistani Brain Virus, which began appearing on computers in June 1986.
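The boot-sector infection described above replaces the boot code in the first sector while typically leaving the partition table usable so the machine still starts. An added example (not from the article or any product it mentions): a baseline check in Python that parses a 512-byte MBR image and flags a changed boot code, a missing boot signature or an unreadable partition table. The sample MBR images are constructed for the test, not taken from a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: the boot code a virus replaces
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"  # bytes 510..511: BIOS boot signature

def parse_mbr(mbr: bytes) -> dict:
    """Parse a 512-byte MBR into signature flag, boot-code hash and partitions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:  # type 0 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": mbr[510:512] == SIGNATURE,
            "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Compare an MBR against a boot-code hash recorded when the disk was known clean."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    if not info["partitions"]:
        findings.append("partition table empty or unreadable")
    elif sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one bootable partition")
    return findings

def build_mbr(boot_code: bytes, entries: list, signature: bytes = SIGNATURE) -> bytes:
    """Assemble a constructed MBR image for testing (not a real disk image)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(bytes([st, 0, 0, 0, pt, 0, 0, 0]) + struct.pack("<II", lba, n)
                     for st, pt, lba, n in entries).ljust(64, b"\x00")
    return code + table + signature

# Constructed samples: a clean MBR, and the same disk after its boot code was
# replaced but the partition table left intact, as boot-sector viruses do.
CLEAN_MBR = build_mbr(b"\xEB\x3C\x90" + b"\x90" * 40, [(0x80, 0x06, 63, 100000)])
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
INFECTED_MBR = build_mbr(b"\xEA\x05\x00\xC0\x07" + b"\xCC" * 40, [(0x80, 0x06, 63, 100000)])
```

On a real system the baseline hash would be recorded from the first sector of the disk at install time and re-checked from a clean boot medium.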
This was followed by the file infectors, viruses that attach themselves to the end of an application, installing code at the file header which forces it to jump to the viral end-tag before executing. These may or may not carry a payload.
By 1989, from Bulgaria, some of the nastiest and most sophisticated viruses emerged. They were extremely infectious: once installed in memory, just opening or copying a new file would infect it. If a user ran an anti-virus program over the hard disk, the virus would infect the software and go on to spread itself across every other program in one sweep.
In one version, at every 16th infection, the virus would overwrite a section of the hard disk at random. It would destroy files and directories indiscriminately, and add the words: “Eddie lives . . . somewhere in time!” Victims were often unaware of the damage being done until a large amount of data was corrupted. Its creator was only known by his sobriquet, which appeared in the core code of the virus: Dark Avenger. He is credited with at least 22 viruses, most of them clever and quite destructive.
It was at this time that he also created the nemesis of computer security experts: the “Mutation Engine”, which was a subprogram used by a virus so it could mutate with every new infection. So-called polymorphic viruses were born.
Dark Avenger’s work began to really scare the computing community. It was at this time that anti-virus companies began to offer software that would recognise known viruses and delete them. This in turn spurred virus creators to write newer and smarter viruses that could side-step the industry. Soon, there were “stealth” viruses and encrypted viruses, and a range of other tactics meant to trick anti-virus software.
“Dark Avenger had quite a few well-written viruses,” said Jakub Kamiski, a virus researcher at Australia’s largest anti-virus company, the Melbourne-based Cybec. “A lot of people have followed, and now there are a lot of polymorphic engines and mutation engines.”
One of the doyens of virus-busters is Vesselin Bontchev, a software engineer at the virus test centre at the University of Hamburg, Germany. Bontchev, who is also a Bulgarian, spent years analysing the work of Dark Avenger as well as other virus creators, and finding solutions to their viral missiles.
Bontchev blames official government policy under the old communist regime for the rise of Bulgaria as a hatchery for computer viruses. The country was the nerve centre for the production of hardware and software for use by members of the communist common market, Comecon.
But instead of its engineers being trained to design their own hardware and software, state policy was to pilfer from the West and build unauthorised clones, or hack through copy-protected software and tailor it to specific needs.
When the Communist Bloc collapsed, Bulgaria suddenly had the world’s best-trained hackers. Many lost their jobs. Those who retained them saw their paypackets shrink as the country plunged into recession. With nothing but time on their hands, access to the Internet, and a growing awareness of the Western wealth, many began to write viruses as a way to get back at the West.
Dark Avenger has never been caught: not only is his identity unknown, his activities are not a crime in Bulgaria.
Bontchev classes Dark Avenger as a “technopath”, and has himself been targeted with destructive programs by the elusive cyber-terrorist. They have even exchanged untraceable electronic mail.
“When asked why his viruses are destructive,” Bontchev says, “he replies that ‘destroying data is pleasure’ and that he ‘just loves to destroy other people’s work’.”
Authorities are powerless to stop the virus exchange bulletin boards. Nor would they want to: it is the best way for anti-virus software developers to discover new viruses and develop tools to stop them. Many virus authors provide the code so anti-virus software developers can try to crack it; it is seen as a challenge to create an uncrackable, untraceable and invulnerable virus.
The better virus creators tend to know their way around the Net, and post viruses using fictitious names and bogus e-mail addresses: there have been many George Bushes, Saddam Husseins and Ozzy Osbornes.
Many viruses are duds, according to virus expert Professor Bill Caelli, head of data communications at the Queensland University of Technology. “Most of them have bugs that never deliver the payload,” he told Computer Age. “Some viruses do damage but not deliberately - it’s just a side-effect of a badly written virus.”
Recently, virus writers have migrated from the operating system-based virus into executable sub-programs that work in tandem with existing programs.
The most notable is the Concept virus, which is in reality a macro written within Microsoft Word. These can be sent over the Internet as an attachment to a Word file.
“It is so successful because it doesn’t do any damage,” said Cybec’s Kamiski. “But also because it infects documents and people are more used to exchanging documents than programs.”
Even the latest Web hyper-tools language, Java, has encountered viruses. Known as Black Widows, they infect drives as soon as they are opened. Experts recommend that any downloaded software, macros, applets, or other executable attachments be left unlaunched on arrival and checked by the latest anti-virus software.
TOP 10 REPORTED VIRUS INFECTIONS
SOME VIRUS PROFILES
Monkey. Aliases: Stoned.Monkey, Empire.Monkey. Origin: Canada. Type: Stealth OS Boot MBR Boot. First detected in Edmonton, Canada, in 1991, it quickly spread to the United States, Australia and Britain. It is one of the most common boot sector viruses. It infects Master Boot Records of hard disks and the DOS boot records of diskettes, and encrypts the Master Boot Record as well as relocating it.
Junkie. Origin: Sweden. Type: OS Boot MBR Boot Resident COM-files. Message: “Dr White - Sweden 1994. Junkie Virus - Written in Malmo . . . M01D” Circulated via European BBSs in May 1994. Advertised as a program to overcome copy-protected software, it actually carried the virus. A multipartite, fast-infecting virus, it writes to the hard disk MBRs and COM files. When an infected file is executed in a computer for the first time, the virus overwrites the hard disk’s MBR with its own code, and infects boot sectors of all floppies used by the computer.
Nightfall. Origin: Germany. Type: Resident COM/EXE files. Message: “Invisible and silent - circling overland, N8FALL. Rearranged by Neurobasher - Germany. - MY-WILL-TO-DESTROY-IS-YOUR-CHANCE-FOR-IMPROVEMENTS.” A very complicated stealth and polymorphic virus. High-end anti-viral programs detect and destroy the 4518 and 4519 variants, and detect but leave untouched the 5764 and 5765 variants.
Stoned. Aliases: New-Zealand, Beijing, Bloody! Origin: Unknown. Type: OS Boot MBR Boot Resident. Message: “Your computer is now stoned.” or “Bloody! Jun. 4, 1989.” Seems to have been designed to be harmless, but due to a programming error, it is likely to destroy the original boot sector root directory. One of the most widespread viruses in existence.