A MOST DEADLY GAME: The Past, Present, and Future of "Malware" on the Internet

It was late 1995. After months of intensive labor, Danny Cade* had finally managed to build his employer's first Website on the Internet. It was adult in nature, for a swingers club, expansive in content, and destined for greatness - Cade just knew it.

He was particularly proud of himself. An enormous sense of accomplishment lent an extra, almost physical dimension to his already corpulent appearance. He fairly glowed with glee as he besieged everyone in his limited circle of friends with the blow-by-blow descriptions of the project's intricacies.

The project had not been an easy one. Forces had conspired against it. The local telephone company, which had found innumerable reasons to delay installation of the cable required for worldwide connectivity, had also raised the price at each juncture. Hardware and software vendors had pushed for piddling changes to the site's design, despite Cade's assurance that he had built the perfect beast.

But all that was behind him now. The site was live, and it was gorgeous. Even more important, it was Cade's ticket to a better life. The Web was hot, those who operated in the rarified atmosphere of sysadmins, programmers, and designers were sought-after folk, and the new site would be Cade's VIP pass into that inner circle. The money that would come flowing in as the site became popular was a valuable perk, to be sure, but Cade's ambitions were focused on more than money. He wanted to be hailed as a geek god, so that with one broad sweep of the cursor, all those years of fat jokes that he had endured at the hands of people he at once despised and wanted to emulate - and be liked by - would all be wiped away.

It was a short-lived fantasy.

Only days after going online, Cade found himself paralyzed with panic as he watched his world-toppling creation begin disintegrating before his eyes. He was powerless to stop it, and worse, he had triggered the catastrophe with his own hand, albeit accidentally.

On the morning of what would be one of the darkest days of his life, Cade sat down to perform his usual sysadmin chores. While making a cursory examination of the hard drive on his Web server, he discovered a small file with an unfamiliar name. What the heck is this? he thought to himself. A Microsoft Certified Systems Engineer, Cade was not unaware of Windows' proclivity for stashing all sorts of odd minutiae on storage media. The file didn't belong on the drive, but it was probably just another one of Windows' little tongue-in-cheek "gotchas." In any case, it wasn't necessary for the function of the system, so Cade clicked on it to delete it.

The file exploded, sending tentacles throughout the system and wiping the hard drive clean. In an instant, what had taken Cade months to build was gone, along with other Websites belonging to a handful of clients he had scraped together to help fund his grand adventure. He phoned his clients, tersely explained what had happened, and dug in for the long climb out of darkness.

Three sleepless days later, everything was back online, but Danny Cade would never be the same. Consumed with hatred for the miscreant who had planted the virus, he became obsessed with Internet security measures, spending hours in the lab, checking and rechecking anti-break-in measures in order to prevent a recurrence of the embarrassing assault. Thirty days later, the swing club's siren song lost its appeal, and Cade found himself out of a job, out of a home, and moving to another state to escape the imaginary public derision that played over and over in his head.

Cade's experience is an extreme example of the destructive power of "malware," but it serves as a stark reminder that regardless of the training, dedication, and financial support a network project can bring to bear, the whole thing can come crashing down in minutes before the malignant onslaught of viruses, worms, Trojans, and their malicious ilk.

The Sick and the Dead

In his book Malicious Mobile Code (O'Reilly & Associates Inc., 2001), network security expert Roger A. Grimes defines four major categories of malware - or destructive programs - into which he says all rogue applications fit: viruses, Trojans, worms, and "mixed" or "blended."

Viruses are, with few exceptions, malicious programs that modify other files or boot sectors in order to replicate, much as biological viruses replicate in the real world at the expense of their hosts. In most cases, the modified host files contain a complete copy of the computer virus, and subsequent running of the infected files or boot areas infects other objects. Viruses mutate over time and evolve to resist antiviral agents.

Much of the credit for defining viruses and their modes of attack, as well as for proving mathematically that no antiviral agent can provide 100-percent detection or protection, belongs to Dr. Fred Cohen. Cohen's research into the issue, which provided the background for his 1986 doctoral dissertation in electrical engineering at the University of Southern California, remains the foremost foundational reference for virus writers and researchers.

Trojans are non-replicating programs that masquerade as other programs so their real intent is hidden. In many cases, the real purpose of a Trojan program is to open a "back door" on an infected machine, allowing the program's author to gain access for nefarious purposes. One of the earliest Trojans claimed to be a program that would allow TTL monitors to display graphics. Although TTL monitors were physically incapable of displaying graphics, some people loaded and ran what sounded like miraculous breakthrough software, only to be greeted by the message, "Gotcha. Arf, arf." as their hard drive was erased.

(Trojans are named after the infamous Trojan Horse of Greek mythology, a huge wooden beast inside which Greek warriors hid. After the Trojans dragged what they believed was a gift inside the city's gates, the warriors spilled out of the horse, laying waste to the city of Troy, ending the fabled 10-year Trojan War. Trojan programs do not modify or infect other files.)

Worms are similar to viruses in that they replicate and spread, but instead of infecting other files, worms use their own sophisticated internal code to complete their malignant missions with minimal user intervention. Typically, worms use widely available and notoriously insecure external applications, like chat programs and email, to spread, attaching themselves to trusted communications to take advantage of security holes in application software. Worms and Trojans share a common ancestor and are often confused, but unlike Trojans, worms replicate and act invisibly behind the scenes, whereas Trojans masquerade as other, often fun or useful, programs. The majority of malware distributed in the modern wired world falls under the classification "worm."

Mixed or blended malware, as its name implies, incorporates components of two or more of the other categories. Entries in this category are currently few and far between, but as coders seek new and ever more creative ways to wreak havoc, they will inevitably become more common. For example, although classified by McAfee's Anti-Virus Emergency Response Team (AVERT; www.mcafee.com) as a worm, W32/Klez.h@MM incorporates some characteristics of both viruses and worms. It is able to copy itself into RAR archives, thereby "infecting" other files in a manner similar to a virus, and as this was written, it was evolving into new forms faster than anti-virus (AV) agents could keep up. Like a worm, Klez.H replicates and spreads via public channels, primarily email.

A Brief History of Malware

What is today known as malware - or malicious mobile code - saw its genesis at the dawn of the computer age, when each machine was capable of running only a single program - usually a complex mathematical calculation requiring precise input and output. When one program had finished its work and the machine's owner wanted to run another, he first had to destroy all remnants of the original occupant in the machine's memory. In order to do that, an instruction was given to the computer in its own native tongue (i.e., "machine language"). The instruction had one purpose: to fill the memory with a known value, overwriting everything it might encounter. In this way, the earliest computer users eliminated any random bits of data or program code and filled the memory with data they expected to be there (zeroes or ones), which made the results of their computing much more reliable. Because of its single-minded "destructive" replication, the machine language instruction could be considered the first "virus."

As computers became more sophisticated and powerful, more than one program could be run at a time by a single machine. Data integrity remained important, of course, so each program and its associated data were relegated to a separate section, or partition, of the machine's memory, which by this time had become known as RAM (random access memory) to distinguish it from the "permanent" data memory (ROM, or read-only memory) on hard disk drives, which were just beginning to make their appearance.

Inevitably, because of faulty programming or unforeseen events, some programs escaped their bounds and tried to have their ways with data belonging to other applications. In some cases, the rogue software actually transferred control to random areas of the RAM and attempted to execute data as program instructions. Random operations and data damage resulted, much to the consternation of computer operators. In trying to track the activity of the wayward processes, the operators plotted the affected memory locations on a "printout map." This led to the discovery of a "virtual infection" model that came to be called a "wormhole pattern" because of its resemblance to worm-eaten wood. The term later was shortened to "worm." The infamous "Xerox worm" was one of the earliest documented examples of this type of outbreak across a network of computers.

Programmers thrive on challenges and love to play games, so it should come as no surprise that developing rogue programs on purpose soon became great sport for them. "Core Wars," a favorite pastime among the uber-geek set, was one predictable result. Virus researcher Robert M. Slade describes the game thus: "A program is run which 'simulates' a computer environment. A standard set of instructions, known as 'Redstone code,' is used to build programs which battle each other within the simulated environment. The objective is survival. The use of such tactics as attack, avoidance, and replication is of interest to virus research, as is the trade-off between complexity of design and chance of destruction."

Those same elements, of course, are of interest to the so-called "script kiddies" who release their malicious game pieces into the real world. No longer content to play within the confines of a closed and research-relevant system, today's malware coders - the majority of whom, researchers say, are in their teens and write malicious programs simply to prove it can be done or to expose system weaknesses they've found - release hundreds of new viruses, Trojans, and worms "into the wild" monthly. The popularity of the Internet makes the game all the more intriguing, because it allows malware to spread more quickly into more types of environments than ever before. It also presents more opportunities for serious damage, as viral code that originally might have been intended to illustrate a system defect or play a prank often is incorporated in later programs whose authors are intent upon causing harm.

Despite the commonly held - and largely true - belief that Microsoft's various Windows operating systems are the most prone to attack by malware, the first virus to be successful "in the wild" was designed for the Apple II disk operating system (DOS). It was developed in 1981 as a benign, almost benevolent, application by a group of computer gamers at Texas A&M University, and it was released selectively beyond the bounds of the close-knit group of original developers in 1982. Eventually, security surrounding the informal project was relaxed too much, and the virus "escaped" into the general Apple population, infecting floppy disks that had no known connection to the original experiment. Fortunately, the ill effects of the virus - abortion of a very few computer programs and one game - were small and fairly easily quarantined. By 1984, though, the virus had turned feral and malicious; thankfully, its ill effects were confined to the campuses of a handful of universities. Texas A&M, appropriately enough, was among them.

Four years later, on Feb. 7, 1988, another benign Apple virus surfaced. This one propagated via downloads at Compuserve's Hypercard Forum, a popular computer bulletin board service (BBS, precursor to the Web) for Macintosh users. Eventually Richard Brandow, then the publisher and editor of MacMag, took credit for authoring the MacMag virus (although he actually hired someone else to write it). MacMag reproduced and spread until March 2, 1988, the first anniversary of the introduction of the Macintosh II system. When Macs were booted on that date, the virus activated and displayed the message, "RICHARD BRANDOW, publisher of MacMag, and its entire staff would like to take this opportunity to convey their UNIVERSAL MESSAGE OF PEACE to all Macintosh users around the world." Instead of engendering warm, fuzzy feelings in victims, however, the MacMag virus raised ire among U.S. Mac addicts (but, interestingly, not among those in Europe). After the message appeared once, the virus erased itself.

The first virus to be detected on PCs running Microsoft's DOS (MS-DOS) was called "Brain." According to the Washington, D.C.-based National Computer Security Association, Brain originated in Lahore, Pakistan in Jan. 1986, although the first noticeable infections did not occur until the spring of 1988, when, for example, 100 machines at The Providence Journal-Bulletin newspaper were found to be infected with it. Brain was written by one of two brothers who owned a computer store in Lahore, apparently to punish people who ran bootleg copies of a program he was selling to physicians. The original virus (variants were developed later), a boot-sector infector, was relatively harmless. It infected only 5 1/4-inch floppies, adding a copyright notice naming its creator to their volume labels, apparently as "compensation" for the credit he had lost for his legitimate work. Notably, Brain was the first virus to include within its code a valid name, address, and phone number for its developer.

The first really destructive virus to command widespread attention was "Lehigh," which appeared in the wild in Nov. 1987 at Lehigh University. The eruption of Lehigh is often credited as the impetus for the birth of the anti-virus industry, as it was the first piece of malware to impose an honest-to-goodness death sentence upon any computer it infected. Designed to attack MS-DOS-based machines, Lehigh overwrote the stack space at the end of command.com files, which are launched during the system boot-up process, and stayed resident in memory, infecting the command.com files on any other disks that were accessed via DOS commands like "type," "copy," and "dir" during a session. The virus employed an internal counter; after four infections, it overwrote the boot and file allocation table areas of infected hard and floppy disks with contents from the computer's BIOS.

At about the same time as Lehigh and Brain were making their presences known, one of the most copied viruses in history also appeared: the Jerusalem virus, also known variously as the Israeli virus (because it was discovered by one), "1813" (because of its code length), the I.D.F. virus (because it infected computers belonging to the Israeli Defense Forces), the PLO virus (because its trigger date was thought to be related to the last day Palestine existed as a nation), and "sUMsDos" and "sURIV" (both based upon text found in the virus' code). The Jerusalem virus and its variants usually were set to detonate on specific days, and sometimes on specific days within specific years. When they "went off," they generally added themselves to both ".com" and ".exe" files and remained resident in memory. In addition, their "logic-bomb" payloads often added the virus' code to the end of each executable file invoked after the virus was triggered, displayed a text message, or deleted programs as they were started. Although Jerusalem's original code was full of errors that produced all sorts of results probably not intended by its creator, some of its hundreds of versions remain popular templates for new malicious code.

The first malicious Trojan of note reared its ugly head in the fall of 1989, courtesy of a Panamanian company named PC Cyborg. Originally erroneously labeled a virus (and still often referred to as one), the "AIDS Trojan" was part of an international con game. Preying upon the public's fascination with and fear of the rapidly spreading and ill-understood human syndrome with the same name, PC Cyborg distributed 10,000 copies of an "AIDS Information" package containing software that accompanying literature stated was a sample for review purposes. The software was simplistic on its face, consisting of a "page-turning" program that allowed users to browse risk-assessment materials. Behind the scenes, however, the install routine created a hidden directory and a hidden program file, both with names that included nonprinting characters so they couldn't be detected during cursory examinations of a hard drive. At the same time, the program renamed the autoexec.bat file - which is instrumental in booting up a computer - and replaced it with a ringer that called the hidden program. The hidden program's function was to count the number of times the host computer was rebooted, and then encrypt the hard disk after a predetermined number of reboots had been performed. At that point, an invoice appeared on the user's screen along with a message demanding that he or she pay a "software licensing fee" in order to decrypt the hard drive. One American was arrested for his part in the scheme, but his trial was suspended because his bizarre behavior in court indicated he was incapable of assisting in his own defense.

Post Mortem

In the early days of computing, coders depended upon floppy disks to distribute their nasty little toys. The advent of the World Wide Web has enabled broader, more rapid distribution of malware - with more disastrous results. According to AVERT, more than 60,000 viruses, worms, Trojans, and other malware existed at the time of this writing, with 200-250 new ones released each month. Knock-offs of existing viruses, just different enough to sneak by old AV software, make up about 70 percent of the monthly total.

Thankfully, most malware outbreaks are not serious enough to require mass hysteria. Generally, the "risk level" of malware is assessed based on four factors:

Prevalence: How widespread is the threat? A single piece of malware is considered a significant threat only if it has been widely reported or discovered by researchers "in the wild."

Payload danger: What happens when the piece of malicious code runs? The larger the potential damage to data or revenue, the greater the threat. The most serious threat is considered to be from malware that has the ability to surreptitiously redistribute confidential data to third parties or destroy entire networks. The least damaging code merely generates bogus text or sounds.

Target: How common is the platform, program, or environment that the malware was written to attack? The most serious threats are those that attack Windows operating systems and widely used or essential applications (like ".com" and ".exe" files, email, word-processing programs, Internet browsers and newsgroups, and chat and instant messaging clients). The least threatening outbreaks target Unix OSes and infrequently used or "specialized" applications.

Methodology: Malicious code that includes its own distribution engine (like mass emailing worms) represents the greatest risk; malware that requires user intervention to spread is significantly less threatening.

Outbreak!

High-risk and high-outbreak malicious code (malware that spreads rapidly or is impossible to eradicate) is of particular interest to virus researchers, AV companies, and the public at large. Within recent years, several high-profile programs have invaded the World Wide Web, and although most of them seem to go away after a month or two, many simply remain dormant, waiting to be reawakened when a script kiddy modifies their code or someone unfamiliar with their original devastation accidentally restarts their cycle. A few of the more notorious - and still viable - threats include:

Chernobyl: Also called "CIH" after its author's initials, the Chernobyl virus appeared in the wild in June 1998 in Taiwan. One of the few viruses that can destroy hardware, it attacks a computer's flash-BIOS (which boots the computer and gives it basic information), overwriting it if it's write-enabled (as most modern flash-BIOS is) and rendering the system useless. In Korea alone, Chernobyl infected one million computers and caused more than $250 million in damage. The latest variant of the virus, CIH.1049, is scheduled to release its payload on Aug. 2; the original virus triggered on April 26, 1998, the twelfth anniversary of the Chernobyl nuclear disaster, hence the virus' common name. In early May, CIH.1049 was discovered "piggybacking" on a variant of the Klez worm in the Asia-Pacific region.

Klez: The Klez worm, the most prolific piece of malware ever developed, reached the height of its activity in May. An exceptionally sneaky worm that spreads via email, it is remarkable in its ability to change its appearance from message to message, arriving in inboxes with a variety of subject lines and message bodies and from random senders. Though not destructive, it has proven embarrassing for many infected users as the messages delivered a random data file from the users' hard drives along with the malware payload. Klez also is unusual in that it makes use of a flaw in older, unpatched versions of Microsoft's Outlook and Outlook Express email clients to launch itself without requiring the user to open the message to which it is attached. The worm wreaked havoc with email newsletters and newsgroups because it subscribed thousands of unwilling users and sent messages to entire lists without the knowledge or consent of the lists' owners. Within only a few weeks of its discovery in the wild, Klez had infected more than 7 percent of PCs worldwide.

Code Red: In May - nine months after its introduction - the Code Red worm continued to spread across the Internet, leaving infected computers vulnerable to outside attack. The primary purpose of the worm is to co-opt infected systems into a massive distributed denial-of-service attack that could cripple the Internet as a whole. In April, Internet security experts estimated that at least 18,000 computers worldwide remained affected by the worm (up from 14,000 in December 2001), even though security alerts and fixes for it became widely distributed almost immediately upon its discovery. The worm's primary method of propagation is to use infected servers running Microsoft's Internet Information Server to infect other vulnerable machines.

Nimda: A mass-mailing worm that uses multiple methods to spread, Nimda's main goal is simply to infect as many computers as possible, creating so much traffic that networks become virtually unusable. The worm's name represents the reversed spelling of "admin," reflecting its ability to open network shares on infected computers and imbue those shares with system administrator privileges. Like Klez, Nimda is able to exploit MIME vulnerabilities in Microsoft programs to launch itself when a user reads or previews the message to which it is attached. Nimda also is known to distribute itself through Websites hosted on IIS servers by prompting users to download a file with a ".eml" extension. The file contains the worm as an attachment.

Cute: The first really virulent Trojan to hit the Internet scene, Cute (also called "Floodnet" and "W32.Tendoolf") arrives as an attachment to an email with the subject line "Thoughts..." and a message body that reads "I just found this program, and, I don't know why... but it reminded me of you. Check it out." Users who are tricked into opening the attachment (named "cute.exe") find their PCs with an open "back door" through which the Trojan's author can assume complete control of the infected machine. Once resident in a system, Cute sends a message to its author, informing him or her of the machine's IP address. The newest threat at the time of this writing - having only been discovered in the wild on May 1 - Cute spreads not only by email, but also through MSN Messenger and AOL Instant Messenger. Although it is not destructive, like all other Trojans, it exposes the owner of an infected machine to theft of personally identifying material and information.

Epitaph

That this article was scheduled to run in the June issue of AVN Online but is running instead in July is testimony to the deleterious effects viruses can have even on those who think they're smart enough and experienced enough to avoid them. The tale goes something like this:

When I arrived at my computer to begin work on the morning of April 5, something seemed strange. Although the desktop's background remained visible, there were no icons to be found. Because I had shut down all the terminate-and-stay-resident (TSR) programs that normally populate my system in order to "defrag" the hard drive while I was sleeping, I assumed the behavior was just another of the odd little glitches that occur in Windows from time to time. Giving the situation very little additional thought, I tried to restart the computer. The machine refused to reboot, displaying a "non-system disk or disk error" message instead of entering the normal sequence. That bothered me. After ensuring no stray disks were hiding in the floppy or CD-ROM drives, I tried rebooting several times, to no avail. A sense of impending doom threatened to overwhelm me as I pulled out a Windows 98 emergency start-up diskette, inserted it, and let it start the machine for me.

The computer would only boot into DOS mode, and when I typed "DIR" at the prompt in order to see a listing of files on the hard drive, I discovered why: Only one directory containing a very few, non-critical files remained. The operating system, applications, and most of the data previously stored on the drive were irretrievably - and seemingly inexplicably - gone.

Several hours, multiple emotional outbursts, and an OS reinstall later, I discovered the culprit. Somehow, my machine had become infected with Sircam.A, a mass-mailing virus that sends itself and random, sometimes confidential, files to every address it can find in an infected computer's address book and browser cache files. Sircam.A was discovered in July 2001, and protection against it had been universally available for almost a year at the time my computer was infected. A little detective work revealed the bizarre and largely avoidable chain of events that led to the machine's untimely demise.

Because of the ways in which Windows-based computers store and access data, their hard disk drives must be defragmented frequently. This can be a time-consuming chore, especially when the hard disks are large and contain lots of "stuff." That's why I prefer to perform "defrag" tasks on my Windows boxes late at night, when I'm not planning to use the machines.

All of the computers I use routinely are networked through a router to a cable modem, which provides an "always on" Internet connection. My router incorporates an excellent "firewall" system that prevents unauthorized access to my internal network, so I don't spend much time worrying about "hack attacks." Experts say, however, that most security threats come from within a network, and such was the case in this situation.

Because Windows' "defrag" command won't work if TSR programs are running in the background, all processes of that nature - notably virus protection software - must be halted before defrag can begin. Therefore, I had turned off all TSRs before starting defrag and heading upstairs to bed.

That's when the plot thickened. At about 2 a.m., my husband's uncle (who was staying with us temporarily), decided to check his email. He closed the completed defrag program, opened a Web browser, and surfed over to Hotmail.com. A message from a friend caught his eye, and although I've warned him repeatedly not to open email attachments regardless who sent them or how safe he thought they were, he opened the image file that arrived with the message, thereby falling into Sircam's twisted little trap.

"I thought it was strange," he admitted later, "because the image never did open, and the machine 'hung up,' so I just gave up and went back to bed."

Had Uncle Vanya*, a dear, sweet old man who remains one of my favorite relatives despite his crime against my equipment, been a bit more computer literate, he might have recognized the telltale ".pif" file extension tacked onto the image file's name after ".jpeg." In most cases, a double file extension provides warning that a file is not what it seems.
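The two warning signs this article describes - the double extension tacked onto an image name (".jpeg.pif") and, in the Klez and Nimda write-ups above, an attachment whose declared MIME type says one thing while the file is something else - are both checkable at the mail gateway before any client ever previews the message. The following is an added example, not code from the article or from any vendor it names; it builds a constructed sample message in the shape of the "Thoughts..." lure, then screens each attachment. The lists of executable and passive extensions, the MIME mapping, and every function name are assumptions made for the example.

```python
"""Screen email attachments for a double extension that ends in an executable
type, and for a declared MIME type that contradicts the filename's extension.
Added example; the sample message and the extension lists are constructed."""

import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions Windows will run directly when double-clicked (assumed list).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}

# Extensions a reader expects to be passive content, with the MIME type each
# should be declared under (assumed mapping; extend for a real deployment).
PASSIVE_EXTS = {
    ".jpeg": "image/jpeg", ".jpg": "image/jpeg", ".gif": "image/gif",
    ".txt": "text/plain", ".wav": "audio/x-wav",
}


def extension_chain(filename):
    """Every extension in the name, in order: 'photo.jpeg.pif' -> ['.jpeg', '.pif']."""
    return [s.lower() for s in PurePosixPath(filename).suffixes]


def classify_attachment(filename, declared_type):
    """Return the reasons an attachment should be held, or [] if nothing fires."""
    reasons = []
    exts = extension_chain(filename)
    final = exts[-1] if exts else ""
    declared = declared_type.lower()

    # Rule 1: the name itself. A chain like '.jpeg.pif' hides the real type
    # behind a harmless-looking one; a bare executable is flagged more mildly.
    if len(exts) >= 2 and final in EXECUTABLE_EXTS:
        reasons.append(f"double extension {''.join(exts)} hides an executable")
    elif final in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment {final}")

    # Rule 2: the header versus the name. Passive content must be declared as
    # such, and an executable must never be declared as an image, sound or text.
    if final in PASSIVE_EXTS and declared != PASSIVE_EXTS[final]:
        reasons.append(f"declared {declared} but {final} implies {PASSIVE_EXTS[final]}")
    elif final in EXECUTABLE_EXTS and declared.split("/")[0] in ("image", "audio", "text"):
        reasons.append(f"executable {final} declared as harmless {declared}")
    return reasons


def screen_message(raw):
    """Parse a raw RFC 822 message; map each attachment filename to its reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings[name] = classify_attachment(name, part.get_content_type())
    return findings


def build_sample_message():
    """Constructed sample in the shape of the lure described above (not a capture)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "uncle@example.com"
    msg["Subject"] = "Thoughts..."
    msg.set_content("I just found this program, and, I don't know why... "
                    "but it reminded me of you. Check it out.")
    # A genuine picture: declared and named consistently, should pass clean.
    msg.add_attachment(b"\xff\xd8\xff\xe0 constructed jpeg bytes",
                       maintype="image", subtype="jpeg", filename="vacation.jpg")
    # The double-extension trick: declared as an image, named to look like one.
    msg.add_attachment(b"MZ constructed program bytes",
                       maintype="image", subtype="jpeg", filename="photo.jpeg.pif")
    # A bare executable declared as a sound clip: header and name disagree.
    msg.add_attachment(b"MZ constructed program bytes",
                       maintype="audio", subtype="x-wav", filename="cute.exe")
    return msg.as_string()


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample_message()).items():
        print(name, "->", "; ".join(reasons) if reasons else "clean")
```

Both rules are deliberately independent: the double-extension rule needs no header at all, so it still catches a file saved from a browser, while the MIME rule catches a mismatch even when the name carries only one extension. Note that `PurePosixPath.suffixes` treats a leading dot as part of the stem, so a bare name like `.pif` yields no extensions; a production filter would normalise such names before screening.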

Compounding Uncle Vanya's error was his reliance on Hotmail's internal anti-viral agents. Uncle Vanya - who had lost his own PC to viral infections not once but twice - said he had allowed Hotmail's online AV program to scan the attachment before he opened it, but apparently the service's software didn't catch the infection (some would say that is not surprising, as Hotmail is owned and operated by Microsoft). Had the AV software I maintain on all of my computers not been "turned off" on the one Uncle Vanya used, undoubtedly it would have sounded the alarm about the infected file before the virus had the chance to do any damage.

After wiping the hard drive clean again and re-installing the operating system on a thoroughly blank medium, my computer ran better than ever - but I had lost five years' worth of archived files, my personal and professional address books, and several half-finished articles, including this one. One would not expect this sort of nightmare to befall someone who makes her living advising others how to avoid the pitfalls of technology. That it happened to me means no one is ever entirely safe, regardless of their best efforts and intentions.

Statistics gathered for a study by the Hurwitz Group (www.hurwitz.com) indicate that although 95 percent of companies use some kind of virus-prevention solution, 10 percent of email users continue to contract malware infections of one kind or another, and the costs associated with those infections run into the billions of dollars every year.

My encounter with Uncle Vanya's virus was not the first time I'd received malicious code from a trusted source. Several months earlier, I received a suspicious email message fro