Celebrate bad times


28 Feb 2006


At some stage in life everyone reaches a point where major events like birthdays are barely acknowledged, never mind celebrated. But whether the occasion is marked or not, there’s no denying its existence. So it is with the computer virus, which on 19 January reached a milestone of sorts: its 20th birthday. It’s safe to say few champagne bottles would have been uncorked in celebration but we’re all living with a hell of a hangover just the same.

The original virus was written in Pakistan by two brothers, Basit and Amjad Farooq Alvi. Its origins actually led BusinessWeek magazine to dub the virus the Pakistani flu but the name that stuck most was Brain.

Some versions of the story have it that the virus was written to protect a computer game; alternatively, it may have been coded to stop others from pirating medical software that the brothers had developed. What seems clear is that Brain was not written with malicious intent. “It was relatively harmless,” relates Sal Viveros, a security specialist with McAfee, one of the world’s largest antivirus companies. “In the past, mass mailers were a form of cyber graffiti and the virus writer’s name was often found within the code.”

That’s true of Brain, which contained the names, addresses and telephone numbers of the brothers. Brain was a boot sector virus, so called because it works by hiding itself in the boot sector of a floppy disk. If the computer was set up to read and write from a floppy disk, it would start up, or boot, directly from the disk. This allowed the virus to install itself on the computer, and every time a new floppy disk was put into the computer, the virus would copy itself to that disk to help it spread.

Due to the means of infection, viruses like this would take months or even years to spread. “I’d make the analogy with how colds used to spread before commercial air flight — they used to be very regional,” says Viveros. Despite the limitations of transport, boot sector viruses remained the most common form of infection for around nine years, until the floppy disk gradually became obsolete. “There were a lot of enthusiasts then — people creating proof of concept viruses to prove that these things could spread by themselves,” Viveros points out.

Next came the development of macro viruses, which took advantage of flaws in early versions of Microsoft Windows. Infection times fell, and macro viruses could propagate around the world in a month.

“It really wasn’t until we saw the adoption of the internet that we saw large numbers of viruses spreading,” says Viveros. By a strange coincidence, 20 January 1998 was the discovery date of the first recorded internet virus: Win16.RedTeam.

The next stage in malware development saw the arrival of email worms and these were capable of crossing the world in a single day. One of the first and most famous was ILOVEYOU, also known as Loveletter or Love Bug, which caused widespread damage and financial losses estimated at US$10bn in 2000.

By 2001, the transmission time window shrank from one day to one hour with the introduction of network worms such as Blaster and later, Sasser. These automatically and indiscriminately infect every online computer that does not have up-to-date security settings. Email and network worms show no signs of slowing today.

It’s estimated that there are around 150,000 viruses currently in existence and the number continues to grow. One of the biggest changes in the fight against viruses has been the development of technology known as heuristics. This looks at the behaviour of the application that’s being attacked — if it starts to do something unusual or outside of its normal functions, security software can pinpoint it as suspicious. Beforehand, many antivirus tools worked by identifying the ‘signature’ of a virus in order to stop it, but hackers could get around this simply by adjusting a couple of lines of code.

Over the 20 years since Brain, one clear trend stands above the various types or numbers of viruses: the change in motives of those writing them. Back in the day, notoriety was the stock in trade of virus writers, who were happy to boast about their exploits.

Mikko Hypponen, chief research officer with the Finnish antivirus firm F-Secure, however, recently pointed to “the evolution of virus writing hobbyists into criminally operated gangs bent on financial gain”.

His observations were supported by findings from IBM’s Global Security Intelligence team, which found that there were actually fewer worldwide computer virus outbreaks last year than in 2004. What the group uncovered instead were signs of a growing criminal element becoming involved in online attacks or frauds.

Viveros adds that by their nature, criminals don’t like to draw attention to themselves and as a result, cyber crime patterns are changing from widespread global virus outbreaks to more focused attacks against smaller, specific targets.

Cal Slemp, vice-president of IBM’s security and privacy services, agrees. “The decrease in pervasive attacks in 2005 is counter-intuitive to what society at large believes is a major threat to their personal data,” he says. “IBM believes that the environment has shifted — with increased security protection on most systems and stiffer penalties, we are seeing organised, committed and tenacious profiteers enter this space.”

If there is one piece of good news from this, it’s that the threat to the average PC user appears to be decreasing: the global IT threat landscape last year was rated as medium level, data from IBM’s 2005 Global Business Security Index Report reveals. So although last summer’s Zotob worm may have grabbed the headlines because it infected some high-profile media outlets, it was one of just a few major attacks during the year. IBM’s figures found that 2.8pc of emails contained a virus or Trojan horse program last year, down significantly from 2004 levels of 6.1pc.

As against that, arrests of cyber-criminals in the US and elsewhere do appear to support the theory of a shift in virus-writing trends. For that reason, the computer virus is unlikely to fade into obscurity and the rallying cry of the security industry for users to keep their protection software up to date is as valid as ever.

By Gordon Smith