
Security Experts Start Looking for the Antidote

Date: 10/07/2008
Author: Bogdan Botezatu

If 1987 was a huge leap in developing and distributing malware, the worst was yet to come in 1988. As the computer industry started to take off, so did malware writers.

The first notable virus outbreak of 1988 was triggered by the Suriv-3 virus on May 13th. The event is also known as Black Friday, and antivirus companies still go on full alert whenever the 13th of a month falls on a Friday. Suriv-3 infected many enterprises, government offices and academic institutions around the world, but caused the most extensive damage in the US, Europe and the Near East.

Following the massive infections of 1987 and 1988, a couple of companies started developing antivirus utilities. However, such small companies, with two to five employees, could only produce simplistic string scanners, able to detect unique virus code sequences. Basic antivirus software was often bundled with immunizers (pieces of software that modified programs in order to trick viruses into thinking they had already been infected). Although immunizers were highly efficient against specific viruses, they offered no proactive defense against unknown security threats. Moreover, as viruses started to bloom, antivirus companies were unable to issue immunizers quickly enough for all of them.

Although the vast majority of antivirus products were sold for negligibly low prices, computer users did not rush to get protected. In addition, antivirus software could not be updated easily, as the Internet was still in its early days. This meant that new viruses could easily escape string scanners.

On April 22, the first dedicated antivirus forum went live on the Usenet network. Called the Virus-L forum, it was founded by Ken van Wyk, Fred Cohen's friend and colleague.

However, virus creators had also begun gearing up for the battle. 1988 marks the birth of a new type of malware, in the form of a virus construction kit designed for the Atari ST. The do-it-yourself utility allowed beginner virus creators to easily build viruses with miscellaneous features using a simple and intuitive interface.

Worm.Macos.Macmag.A was the first important computer virus written for Macintosh computers. It also came with a number of programming innovations that made it extremely efficient. It all began in February 1988, when a file for Apple's HyperCard software turned up in a CompuServe online forum. When users downloaded and opened it, the file would secretly install a system extension (the "system extension" was an INIT resource copied into the System Folder, which means the program was automatically executed on startup), which made the computer display a New Age peace message on every startup. It seems that the virus was written by Artemus Barnoz (known as Richard Brandow; although Brandow claimed authorship, he commissioned the programming to a professional software developer called Drew Davidson) and Boris Wanowitch, who were the editors of both the Canadian computer magazine MacMag and the "Computer Graphics Conspiracy" New Age publication.

The virus was rather harmless, given that its payload would only display a "peace message" that read:

"RICHARD BRANDOW, publisher of MacMag, and its entire staff would like to take this opportunity to convey their UNIVERSAL MESSAGE OF PEACE to all Macintosh users around the world."

However, the peace message was at least questionable, given the medium the two colleagues used to spread it. The virus went out of circulation on March 2nd (the date picked by the authors for the final run was not chosen at random: March 2, 1988 was the first anniversary of the Macintosh II line; more than that, a coding bug caused Macintosh II systems to crash), when it would appear once and then delete itself from the infected system.

History repeats itself, they say, and this seems to have been the case with "Denzuko.A", a virus written by Indonesian programmer Denny Yanuar Ramdhani. Just as the Reaper sought and destroyed the Creeper virus in the early seventies, Denzuko.A (the virus is also known as Den Zuk, with its Ohio and Hacker variants) would look for instances of the Brain virus, then swiftly remove them from the infected computer. However, Denzuko.A was more than an antivirus utility, given that it would replace Brain with copies of itself. The virus lay hidden on track 40 of infected diskettes, but its programmer seems to have made a programming error, since 360KB diskettes only have 39 tracks. More than that, the virus was not able to infect 1.2M or 3.5" diskettes correctly; instead, it would destroy all the data stored on them. Upon successful infection, Denzuko.A would replace the "(c) Brain" label with "YùCù1ùEùRùP" (YC1ERP is Denny Yanuar Ramdhani's screen name).

The first sign of infection with the Denzuko.A virus is that pressing Ctrl+Alt+Del does not trigger a simple reboot; instead, the "DEN ZUK" logo appears on the screen for a short time.
