
From Michelangelo to Self-Mutating Engine

Date: 11/13/2008
Author: Bogdan Botezatu

1992 opened with a large-scale security threat signed by the Bulgarian programmer Dark Avenger. Just as he had promised one year earlier, the virus writer was about to introduce a new mutating algorithm, but he decided to take things step by step.

The first creation to emerge in 1992 was a simple virus, known as MtE.Dedicated.A, followed by the Self-Mutating Engine (MtE). The engine itself was a polymorphic generator: a tool that other viruses could link against so that their code changed from one copy to the next. Dark Avenger delivered his creation accompanied by exhaustive documentation, as well as an OBJ file and the source code for a simple virus. The new package made writing malware a lot easier, but at the same time antivirus researchers started working on a detector for it.

Security experts estimated that there would be plenty of viruses built on top of the Self-Mutating Engine, but malware authors quickly realized that a virus scanner able to detect the MtE would easily "catch" all its derivatives (to date there are only a few viruses built with the Self-Mutating Engine, far fewer than initially estimated).

However, the MtE was only the starting point for a whole new series of polymorphic generators that frightened not only average computer users, but many antivirus companies as well.

Right as the Self-Mutating Engine hysteria was about to calm down, a new plague hit the industry on March 6th. First detected in 1991, the Michelangelo virus was expected to trigger on that date and infect over 5 million machines (the scary estimate pushed almost every PC user into buying specialized antivirus software). In spite of all the fears, the virus proved to be much ado about nothing, as it only managed to infect a few thousand machines.

Michelangelo was a boot-sector virus that operated at the BIOS level. It stayed dormant until the system date reached March 6th, the artist's birthday. Although the virus is not associated in any way with the Renaissance artist, it got its name from the fact that it unleashes its payload on the day Michelangelo was born.

Another interesting hypothesis holds that the virus is a variant of the already notorious Jerusalem B (also known as Friday the 13th). Users who thought they could fool Jerusalem by changing the system date on the twelfth would in fact unleash Michelangelo.

This was also the year the first anti-antivirus malware was introduced. Known as Peach, the malicious application checked whether Central Point AntiVirus was already present on the computer and, if it was, deleted the change inspector's database. When the antivirus could not locate its database files, it behaved as if it had been started for the first time and reconfigured itself. The virus was thus able to slowly but surely infect the entire system without being flagged.
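The Peach trick above exploits a design flaw in the change inspector: a missing database is mistaken for a first run, so whatever is on disk at that moment becomes the trusted baseline. The following is an added example, not code from the article or from Central Point AntiVirus: a minimal checksum inspector in Python with that weak behaviour beside a hardened version that treats a missing database as a finding. File and directory names are constructed.

```python
import hashlib
import json
import os
import tempfile

# Constructed example, not code from the article or from Central Point.
# inspect_weak re-baselines silently when its database is gone (the behaviour
# Peach exploited); inspect_hardened reports the missing database instead.

def file_digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(paths):
    return {p: file_digest(p) for p in paths}

def inspect_weak(db_path, paths):
    """Weak: a missing database is treated as a first run and rebuilt silently."""
    if not os.path.exists(db_path):
        with open(db_path, "w") as f:
            json.dump(build_baseline(paths), f)
        return []  # nothing reported; already-infected files become the baseline
    with open(db_path) as f:
        baseline = json.load(f)
    return [p for p in paths if baseline.get(p) != file_digest(p)]

def inspect_hardened(db_path, paths):
    """Hardened: a missing database is itself a finding; every file is unverified."""
    if not os.path.exists(db_path):
        return ["baseline database missing"] + [f"unverified: {p}" for p in paths]
    with open(db_path) as f:
        baseline = json.load(f)
    return [p for p in paths if baseline.get(p) != file_digest(p)]

def demo():
    """Baseline taken, database deleted, file modified; returns both finding counts."""
    work = tempfile.mkdtemp()
    target = os.path.join(work, "prog.exe")
    db = os.path.join(work, "inspector.db")
    with open(target, "wb") as f:
        f.write(b"clean program")
    with open(db, "w") as f:
        json.dump(build_baseline([target]), f)
    os.remove(db)                      # the database deletion Peach performed
    with open(target, "ab") as f:
        f.write(b" + appended code")   # file changed while no baseline exists
    weak = inspect_weak(db, [target])  # rebuilds the baseline, reports nothing
    os.remove(db)                      # discard the poisoned baseline it wrote
    hardened = inspect_hardened(db, [target])
    return len(weak), len(hardened)
```

The weak inspector returns no findings because it baselined the already-modified file, while the hardened one reports the missing database and the unverified file.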

The summer of 1992 brought another wave of concern, as two new virus construction kits appeared on the underground market. The VCL (Virus Creation Laboratory) from Nowhere Man and PS-MCP (Phalcon/Skism Mass-Produced Code Generator, another creation of the same Bulgarian malware writer known as Dark Avenger) allowed malware writers to build new threats by simply adding malicious payloads to the pre-written constructor code. Within a single year, a couple of dozen viruses were built using the new one-click-virus technology.

Later in 1992, a new malware group appeared in England. The so-called ARCV (Association of Really Cruel Viruses) organization was hunted down by the newly established Computer Crime Unit of New Scotland Yard, but in its short-lived history (it took Scotland Yard only three months to locate and arrest the group of malware authors) the organization was able to deliver about a hundred new viruses to the world.

Moreover, selling malware quickly became a fully fledged business, as a couple of underground programmers started selling virus collections. For instance, US resident John Buchanan offered his collection of a few thousand files for as much as $100, while the European Virus Clinic allowed its customers to pick the desired malware for about $25. Because the Virus Clinic was located in Europe, it got a visit from the Computer Crime Unit and was shut down thereafter.

Another kind of virus made its debut in 1992, as the Microsoft Windows operating system gained ground among computer users. Win.Vir_1_4 was the world's first virus designed to attack the operating system's executable files. Even though its author had made some programming mistakes that rendered it rather harmless, it is an important step in the evolution of malware as we know it today.

1993 was mostly under the threat of polymorphic viruses generated by a wide range of polymorphic generators and constructors. Malware authors also started multiple electronic magazines dedicated to writing and spreading malware. The increasing number of stealth viruses made it clear that malware authors had stopped vandalizing for fun and now planned their creations to bring them as much gain as possible.

The new year brought the PMBS virus, which worked in the protected mode of Intel 80386 processors. This dangerous, memory-resident boot virus copied itself into extended memory, then switched the infected system into protected mode and ran the operating system inside a virtual 8086 (V86) machine. In other situations, the computer would hang with an error. Although the virus itself contained some programming errors, it was yet another threat available in the wild.

A new malware community was established in Holland under the Trident moniker. Its members came up with a new polymorphic engine called the Trident Polymorphic Engine, and then with a fully operational virus (TPE.Girafe). The Trident Polymorphic Engine was harder for antivirus scanners to detect, and scanners that tried usually triggered false alarms. It seems that the main Trident programmer, Masouf Khafir, built his BAT.P2P.Cruncher virus following the principles described by Fred Cohen. BAT.P2P.Cruncher was a data-compression virus that automatically appended its code to other files in order to install itself on as many computers as possible.

Nuke member Nowhere Man released the Nuke Encryption Device (NED), another mutation engine that seemed to work even better than Dark Angel's Self-Mutating Engine. Itshard was the first virus built using the new mutation technology.

On the other side of the fence, the antivirus industry released the first wild list, comprising all the viruses that had been spotted "in the wild" ("in the wild" viruses are actively infecting production systems across the world and replicating in live environments, as opposed to so-called zoo viruses, pieces of malware that exist only inside laboratories for educational and research purposes). Another major achievement in the battle against malware was the release of the GDE (Generic Description Device), a complex tool able to recognize polymorphic viruses.

Early in spring, Microsoft started its own antivirus business, called Microsoft AntiVirus (MSAV). The new product was based on the former Central Point AntiVirus (CPAV) and was bundled with the company's MS-DOS and Windows operating systems. Although in its early days the product had been rated as highly effective, it could not keep up with the upcoming security challenges and was ultimately discontinued.
