Malware over the years. It is only paranoia if they are not out to get you

In a slight change of pace, I would like to talk about malware and how things have evolved. I am not exactly a spring chicken, which surprises some people because I am still part of the support organization. I like it here – I am working on real problems that affect real people. Working on pivot tables to make the stats say something different is not for me. Anyway, my hair is mostly white and I remember punch cards. The relevance of that is I have seen malware evolve from what it was to what it is now.

The first malware that I ever saw was back in 1985 on the Atari ST. In those days, game rental was just beginning to happen and games came on one, two, or in the case of an epic, 3 disks. Of course, they still do, but now we are talking DVDs with an 8.5GB capacity rather than the 360KB floppies of then. The important difference was that floppy disks were writeable if the little tag was not covered by a sticky label, or by a plastic slidy thing if you had those newfangled 3.5” drives… and the ST did. That early malware halted the loading process and displayed a banner saying that your computer was now alive.

Of course, that wasn’t the first malware. Some people credit Elk Cloner back in 1982 on the Apple II. I would cite the much earlier “Cookie Monster” from 1960. This malware ran on Multics and required human intervention and social engineering to spread. It was relatively harmless in that it simply sent increasingly insistent requests for a cookie to the console of the user – this was all long before GUI interfaces. The program would “sleep” for a while if the user typed “cookie” on the console in response. The propagation method for Cookie Monster was largely magnetic tape, in contrast to the magnetic disks of the Atari ST. Malware didn’t spread across networks much because there were no networks. There was JANET in the UK, and a fair few university (and US government) computers would allow a modem user to log on with the user name “UCLA” and password “Guest”, but we were years away from widespread connectivity. ARPANET (which eventually became the internet, which you may have come across) had its first virus (“Creeper”) and first anti-virus (“Reaper”) back in the 70s, but this was before computers were commonplace.

Malware came to the PC in January 1986 with the Brain Virus. There was a second virus by the end of December. It was hard for malware to spread from machine to machine so it spread from disk to disk or executable to executable if you had a hard drive. Typically a virus would attach itself to a file and rely on the file being passed around. Boot sector viruses were sometimes seen on MS-DOS but they were not common.

Of course, the early malware had no stealth capabilities. I will be talking a bit about subversion in a later blog when it will all get very geeky again. Viruses were often named after the number of bytes that they added to the file. People got wise to those – and at this point, most computer users were professionals in the computer field. It was unusual to have a computer at home and they were not a part of everyday office life. For most people, windows were things that allowed fresh air in and a shortage of RAM was only a problem for sheep farmers. Things happened pretty rapidly after that but malware plodded along. By 1989, there were still fewer than 10 viruses in the wild for the PC.

1990 saw the first polymorphic virus that could change its signature to evade the first anti-malware solutions.

The first macro viruses appeared in Office around 1995. In those days, macros could run automatically with no warning. It was a more innocent time. You can say “Naïve” and I won’t be offended.

May 2000 saw the “ILOVEYOU” worm. Not an especially clever bit of malware, relying on some simple VBScript. It came upon a world unprepared, and computers the world over crashed. Things began to tighten up – and computers increased in numbers ever faster.

2003 was a bad year. SQL Slammer, Blaster, Sobig and Sober all hit that year. They had something else in common. They all used security vulnerabilities that we had released patches for quite some time before. There were some less famous viruses during this time.

2004 gave us MyDoom (spread via email) and Sasser. Oh, we had a patch for Sasser out before the malware hit. Some people are still reluctant to install patches. It was more common then than now. There were also a lot of lesser viruses and rootkits.

2005 saw Zotob which was not quite as bad as the press made out but it was not good. It only affected Windows 2000 which was not all that common by then. Oh, and the patch? Available before then. There were a host of other viruses by then, most of them using old vulnerabilities or social engineering.

2006 saw thousands of new pieces of malware springing up – often dozens of variants of a single exploit and payload. The trend continued through 2007. There have been a few that have been mildly successful, but no pandemics so far – and don’t I know how much like famous last words those sound!


What we see now is that malware writers are trying to reverse engineer our patches in the hope of creating a 0-day exploit – finding what we changed and then writing malware (be it rootkit or worm or whatever) that same day. The numbers make for scary reading. The patch for Nimda preceded the malware by 331 days. The patch for Slammer preceded the malware by 180 days. Nachi was 151 days. Blaster was only 25. Sasser was 17 days. Zotob? 9 days.

Care to guess how long the next one will take?

Me? I advise patching early.

Signing off

Mark