The Nineties: Malware Creators Start Building Communities
Antivirus manufacturers quickly realized that the rules of the game were about to change in a way that would render string scanners useless. Mark Washburn had already proved as much with his polymorphic creations built on top of Vienna. The new tricks included encrypting the whole virus except for a small part that acted as the decryptor, so in order to detect such malware efficiently, antivirus engines had to apply a variety of logical tests to the file to figure out whether its bytes could be part of a decryptor. The technology involved in such operations was extremely complicated and exceeded the resources of two- or three-employee antivirus companies. At that time, many security software vendors relied heavily on third-party search strings delivered with IBM's scanner or via the Virus Bulletin newsletter, or even obtained by reverse-engineering competing products.
Polymorphic viruses, however, played by other rules, and there was no antivirus available to protect users from the new threat. To make things worse, Washburn published the source code of his polymorphic creations, and while there were no reports of other viruses using the same core logic, a few malware authors made use of the concept itself.
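The following is an added illustration of the point above, not code from the article: a fixed string scanner stops matching as soon as the body is encrypted under a different key, so the scanner has to recognise the decryptor stub and undo it before looking for the signature. The file layout, the stub bytes and the body are constructed stand-ins, not real machine code.

```python
"""Added illustration for the article's point about decryptors, not code from
the page: a fixed string scanner fails once the body is encrypted under a
varying key, so the scanner has to recognise the decryptor and undo it.
All byte values below are constructed stand-ins, not real machine code."""

# Constructed toy file layout: a fixed decryptor stub, then the one-byte
# key it would load, then the loop marker, then the XOR-encrypted body.
STUB_MARKER = b"\xB0"        # stands in for "load key into register"
LOOP_MARKER = b"\x30\x04"    # stands in for "xor [ptr], key; loop"
PLAIN_BODY = b"TOY VIRUS BODY -- Infected!"   # constructed plaintext body
SIGNATURE = b"Infected!"     # what a string scanner would look for

def build_sample(key: int) -> bytes:
    """Constructed sample: same stub and body, different key each time."""
    encrypted = bytes(b ^ key for b in PLAIN_BODY)
    return STUB_MARKER + bytes([key]) + LOOP_MARKER + encrypted

def string_scan(data: bytes) -> bool:
    """1980s-style scanner: look for the fixed signature anywhere in the file."""
    return SIGNATURE in data

def decryptor_test(data: bytes) -> bool:
    """'Logical test': check whether the bytes look like the decryptor stub,
    recover the key it would use, decrypt the body and scan the plaintext."""
    pos = data.find(STUB_MARKER)
    if pos < 0 or data[pos + 2:pos + 4] != LOOP_MARKER:
        return False
    key = data[pos + 1]
    body = bytes(b ^ key for b in data[pos + 4:])
    return SIGNATURE in body

def compare(keys):
    """Return {key: (string scanner hit, decryptor test hit)} per sample."""
    return {k: (string_scan(build_sample(k)), decryptor_test(build_sample(k)))
            for k in keys}

if __name__ == "__main__":
    for k, (naive, logical) in compare([0x00, 0x5A, 0xC3]).items():
        print(f"key=0x{k:02X}  string scan={naive}  decryptor test={logical}")
```

Only the key 0x00 sample (body left in clear) is caught by the string scan; the decryptor test catches every sample because it reasons about the structure of the file rather than its literal bytes.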
During the early nineties, Bulgaria was one of the hottest locations for malware writers, as a group of enthusiasts set up the first virus exchange bulletin-board system (BBS). The main idea behind the BBS was to grant malware authors access to the virus code database if they uploaded a new virus. Such rules did nothing but stimulate the production of new malware, while the publicly available source code kept being improved.
A number of new viruses started showing up right after the BBS went online. Most of them came with new features that made them stealthier and more efficient. Some minor viruses, such as Ping-Pong (also known as Bouncing Ball or Italian), only infected the boot sector and then displayed a ball bouncing across the screen.
Polymorphic viruses were by far the toughest security threats, and the USA witnessed an outbreak as Virus-90 and Virus-101 kicked in. Both viruses were written by the same author, who never bothered to conceal his identity. He uploaded the virus to multiple bulletin boards in an attempt to sell the source code for $20. Its payload is totally harmless: infected files only display a message that reads "Infected!". According to the author, the virus was an educational proof of concept and not a fully-fledged virus. Virus-101 is a variant of Virus-90 that adds .EXE infection capabilities.
If Virus-90 was quite harmless, the same cannot be said of the newly introduced Anthrax (or V1) multipartite virus, able to infect both files and boot sectors. After it has successfully infected a computer, Anthrax infects .COM and .EXE files, including COMMAND.COM, as well as the Master Boot Record (MBR) and diskette boot sectors. It also writes a copy of itself to the last sectors of the system's hard drive, overwriting any data saved at those locations. Anthrax's viral code includes text strings written in Cyrillic that allegedly place its author in Sofia, Bulgaria.
The Whale was first spotted in the wild on June 1st, 1990. It was an extremely large (hence the Whale moniker) and complex virus that was not overly destructive. Instead, it marked a new step in the evolution of malware, as it came with novel obfuscation techniques to conceal its presence (The Whale is an armored virus, meaning that it uses special tricks to make tracing, disassembling and understanding its code more difficult). The Whale took virology by storm, as it could rewrite its own instructions in such a way that it never looked the same way twice. The new virus was also the final challenge for simple string scanners, which were simply unable to recognize the virus after subsequent infections.
Another security incident took place in July, when the UK-based PC Today computer magazine shipped its issues bundled with a free floppy disk which turned out to be infected with a copy of Trojan.DiskKiller.B. According to the company, more than 50,000 copies of the magazine were delivered, and about as many computers were taken down by the virus. The memory-resident piece of malware copies itself in three distinct blocks onto the floppy disk or hard disk; these blocks are flagged as bad and are skipped during normal write operations.
DiskKiller's payload kicks in on April the 1st, when the virus displays the following text:
Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89 Warning!!
Don't turn off the power or remove the diskette while Disk Killer is Processing
PROCESSING
Now you can turn off the power. I wish you Luck!
After the message has been displayed, all the data stored on the hard drive is either corrupted or encrypted.
As the first Russian viruses (Piter.529.A, Voronezh.600 and Lovechild.2710) started to show up on computers worldwide, German security researchers laid the foundations of a new antivirus research organization, EICAR (the European Institute for Computer Antivirus Research). The Institute is still operational and is regarded as one of the most respected international data security organizations. At that time, there were about 150 known viruses, but the situation looked gloomy as the Bulgarian "virus factory" took off.
Later in 1990, Symantec unveiled its own antivirus product, called Norton AntiVirus. The new software utility was one of the first security utilities ever developed by a large company.
In 1991, the number of known viruses passed the 300 mark, but their growing number was not the only problem security companies had to face. Viruses were becoming increasingly intricate and destructive, and the huge number of incidents called for professional antivirus products.
Following the Bulgarian model, other malware authors set up virus bulletin boards in Italy, Germany, Switzerland, the USA and the UK. These new malware hotspots were later to become a fully-fledged underground network. The German underground group "Verband Deutscher Virenliebhaber" (Association of German Virus Fans) came up with a construction kit for DOS systems, a do-it-yourself piece of software that allowed novice programmers to create new viruses from predefined patterns.
1991 also witnessed the appearance of the first cluster virus, in the Dir-II family (Dir-II used an entirely new method of infecting files, link technology, and it is the only virus of its kind ever spotted in the wild). Unlike conventional infectious malware, cluster viruses infect users' files not by making changes to the files themselves, but by altering the DOS directory information so that directory entries point to the virus code instead of the actual program. This way, the virus is executed before the desired program. Dir-II triggered a fully-fledged epidemic in the summer of 1991.
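As an added illustration of the link-technology idea described above (example code, not from the article or any real virus), the following models a FAT directory table whose executable entries have been redirected to a single cluster, and shows the check a defender can run: on a healthy volume no two non-empty files start at the same cluster, so a cluster claimed by several directory entries is the condition CHKDSK reports as cross-linked files. The directory contents and cluster numbers are constructed sample data.

```python
"""Added illustration for the article's description of Dir-II, not code from
the page: a cluster (link) virus leaves file contents alone and rewrites
directory entries so that they start at the virus's cluster. The directory
table below is constructed; the detection is the cross-link check."""

from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DirEntry:
    name: str
    start_cluster: int   # first data cluster, as a FAT directory entry stores it
    size: int

def link_infect(entries, virus_cluster, exts=(".COM", ".EXE")):
    """Constructed model of the infection: executables keep their bytes, but
    their entries are pointed at the virus body so it runs first."""
    return [DirEntry(e.name, virus_cluster, e.size)
            if e.name.upper().endswith(exts) else e
            for e in entries]

def find_cross_linked(entries):
    """Detection: on a healthy FAT volume no two non-empty files share a start
    cluster. Return {cluster: [names]} for clusters claimed by 2+ entries.
    Empty files legitimately record start cluster 0, so they are skipped."""
    claims = defaultdict(list)
    for e in entries:
        if e.size > 0 and e.start_cluster != 0:
            claims[e.start_cluster].append(e.name)
    return {c: names for c, names in claims.items() if len(names) > 1}

# Constructed sample directory (names, clusters and sizes are made up).
CLEAN_DIR = [
    DirEntry("COMMAND.COM", 2, 47845),
    DirEntry("GAME.EXE", 40, 90112),
    DirEntry("NOTES.TXT", 71, 1200),
    DirEntry("EMPTY1.DAT", 0, 0),
    DirEntry("EMPTY2.DAT", 0, 0),
]

def demo():
    """Return (cross-links on the clean volume, cross-links after infection)."""
    infected = link_infect(CLEAN_DIR, virus_cluster=300)
    return find_cross_linked(CLEAN_DIR), find_cross_linked(infected)

if __name__ == "__main__":
    before, after = demo()
    print("clean volume:", before)
    print("infected volume:", after)
```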
Computer users did not have time to recover from the Dir-II disaster before the Swiss virus Tequila hit. The multipartite virus infected both the master boot sector and DOS EXE files, and used full stealth while running on the host system. Moreover, its fully polymorphic structure allowed it to bypass even the most complex string scanners, as no two copies of its code were identical.
The first antivirus scanners started to catch instances of it by May, but it could not be reliably detected until late September. It takes only a few infected files that escape detection to start another outbreak, and the cycle repeats until antivirus software can detect every infected file.
Although no imminent threats were hovering over computer users, this did not mean that malware creators were fast asleep. On the contrary, they were extremely active and increased the virus count from 300 to more than 1,000 by December 1991. Most of the new viruses were written in Eastern Europe and Russia, and they usually served as currency for trading other viral source code.
September took the antivirus community by surprise as a polymorphic virus called the Maltese Amoeba started to show up in Europe. At that time, polymorphic viruses were extremely difficult to handle, given that most scanners required some form of hard coding in order to detect the virus.
The Bulgarian Dark Avenger also made a comeback on the malware scene and announced the first virus vapourware (the term denotes a software or hardware product announced by a developer well in advance of its release which either fails to emerge or reaches the market stripped of all its glorious features). In one of his posts he warned computer users that he would release a piece of malware with more than four billion different variations; the new virus was allegedly slated for release in January 1992. The year concluded with no major security incidents, a calm period before the upcoming storm.
Copyright 2010. Site powered by BitDefender