Print | Send on Yahoo! | PDF version | RSS | Filed Under: MALWARE HISTORY

The Anti-Virus Virus and Computer Games Give That Spell Disaster

Just like biological viruses can not exist, multiply and spread in the absence of an animal host, computer viruses are closely tied to electronic computing systems.

Historians are still debating on the actual birth date of the first computer virus, and many of them would dare to place the first malware applications in the mid-1970 timeframe.Three computer models have been surely infected by malware in mid-70s: Univax 1108 and IBM 360/370.

However, theoretical approaches to self-reproducing mathematical automata are estimated to have started in early 1950s. John von Neumann (December 28, 1903 – February 8, 1957) illustrated the concept of self-replicating machines in his posthumous work, “Theory of Self Reproducing Automata”. 

Pre-History: From Innocent Pranks to Widespread Infections

The first computer viruses have been born in academia, and pitched at totally different purposes than infecting systems and causing havoc amongst computer users. For instance, in late 50s, British mathematician Lionel Penrose published a report called “Self-Reproducing Machines”, an overview of a simple two dimensional model able to self-replicate, mutate and attack computer systems. The practical part of the project was ported by Frederick G. Stahl on an IBM 650 system. At that moment, scientists and researchers were exclusively concerned with artificial intelligence and the blooming field of robotics.

A few years later, three researchers at the Bell Telephone Laboratories (Victor A. Vyssotsky, Robert Morris Sr., and M. Douglas McIlroy) started experimenting with a programming game called Darwin (August 1961). Darwin was comprised of a program called the “umpire” running in a designated section of the computer's memory (the memory location was referred to as “the arena”).

Each of the players would have to write small programs using IBM 7090 machine code, and could call specific functions stored in the “umpire”. The main goal was to probe memory locations, terminate the opposing program running at that location, then fill the vacant space with copies of themselves. The game would end either after a specific amount of time, or when there was only a single player left “alive”.

Morris ultimately developed a highly specialized application, built using only 44 instructions. His software would locate the start of an enemy program, and then probe subsequent memory locations until it finds the end of the program. The piece of software would “remember” the exact length of the opponent’s program and use it in subsequent searches.

The game itself was nothing but harmless amusement, but it also can be regarded as the beginning of self-multiplying software to be used in completely different manners.

 

Duality: The Anti-Virus Virus

 

In early 1970s, the first worm program appeared in the wild, on the US military computer network ARPANET (The US military computer network ARPANET was the forerunner of the modern Internet). Called the Creeper, this archaic worm was written to work on the Tenex system, an extremely popular choice at that time. The worm would spread by independently getting access to the network (via modem), and then infecting remotely-located systems. According to some historians, the Creeper worm has been developed inside the ARPANET, and Bob Thomas (one of the network’s inventors) experimented with this piece of software as he was extremely interested in its capacity of penetrating networks and passing its copy on various systems. Creeper might have been annoying, but it had no malicious payload, as most of the modern worms do. Infected systems would only display the message: 'I'M THE CREEPER: CATCH ME IF YOU CAN.' However, this little experiment succeeded in such a manner that shortly thereafter, the entire TENEX network was carrying copies of the worm. In order to clear the network from the Creeper attack, an anonymous programmer wrote Reaper, a computer virus that would seek and delete Creeper copies installed on machines.  Just like its predecessor, the Reaper was also able to independently travel across the network.The Reaper virus marks an important milestone in the malware history. It is not only the first virus ever spotted in the wild, but at the same time, due to its hunt-down capabilities, it can also be regarded as the first antivirus product.

 

The Seventies: Computer Games Give That Spell Disaster

 

In early 1974, a new computer virus emerged. Called the Rabbit, it was still more of a prank than an effective security threat. The virus would do nothing but multiply and spread at an accelerated pace. In fact, it was named after the speed at which it bloated the computer with multiple copies of itself. Unlike its predecessors, the virus severely affected the infected computer’s performance and would eventually crash it.  It is currently unknown whether the virus was designed to deliberately disrupt activity or was just an experiment that got out of control.

Another innocent game called Pervading Animal emerged one year later and gave Univac 1100/42 users a hard time. Some historians still argue whether Pervading Animal was yet another computer virus or it marked the beginning of a new breed of malware: Trojans.

Pervading Animal would spread into successively more protected directories in what today is called a “classic Trojan Horse attack”. 

This “innocent” piece of software had been written in April 1974 by John Walker, and had been later updated with self-replication functionalities. The game concept was extremely simple: the user had to think of an animal, and then the program would fire up a set of questions in an attempt to identify the specific animal. However, the game featured an error-correction feature, which allowed it to “learn” from its previous mistakes(Each time the program failed to guess the animal, it would add up new sets of questions to be asked in the next games). Each time a correction was performed against its database, the software would overwrite the previous version, but at the same time, it would also copy itself to other directories within the mainframe. After a specific period, all other directories would end up containing a copy of the program. Although the software itself took up only little disk space, all its copies would clog up the computer, thus affecting its overall performance.

Self-replication features were added later to the Animal program, in order to spare the author the hassle of making manual copies of the game for his friends and colleagues. According to an explanation given by John Walker himself , he wrote the PERVADE routine, a general purpose piece of code that created an independent process listing all the directories accessible to the caller. The routine subsequently would check whether the available directory has an up-to-date version of the Animal, then copy version being executed into that directory.

Despite its Trojan behavior, PERVADE was coded in such a manner not to destroy third-party files with an identical name, which proves that it was not designed with damage in mind. However, the borders between malicious intent and programming flaws were extremely blurry at that time. 

In order to get rid of the multiple instances copied all in each and every folder, Walker and his friends took the same approach as in the Creeper – Reaper war.

Even the folders available to super-administrators have been infected. This was possible when a privileged user (root administrator or super-user) would launch the program. Since they have full access to the computer, PERVADE would inherit their administrative rights, and then use them to replicate in previously inaccessible folders. 

A new version of the game, called the HUNTER scanned folders for older versions of the Animal and deleted them all. However, the program was stopped for good from spreading only when a new version of the Exec  operating system was released.

The next iteration of the Exec OS (version 8) came with a modified file system, which would disallow the game to spread.