Skip to content

"Microsoft is now talking about the digital nervous system... I guess I would be nervous if my system was built on their technology too." ~Scott McNealy, Co-Founder of Sun Microsystems

Viruses, Evolved

In 1990, Mark Washburn developed the first family of polymorphic viruses, known as Chameleon. These viruses could alter their machine-language code (and thus their digital "fingerprint") without altering the functionality of the virus. This effect was achieved by packing the viral core into a wrapper using randomized encryption algorithms and keys. Washburn designed the first of these viruses, 1260 (otherwise known as V2PX), after studying the Vienna Virus's disassembled source code, published by Ralf Burger (of Virdem fame).

AntiVirus (AV) software was in its infancy at this time, and many early AV engines used hash-based detection. Polymorphism enabled malware to evade these hash-based engines, triggering a digital "arms race." AV vendors scrambled to develop new detection methods, which drove malware authors to develop new evasion techniques, which drove new detection methods, and so on.

This cycle continues to this day.

Michaelangelo

In 1991, Australian researchers discovered the Michaelangelo Virus, designed to infect DOS machines. The virus operated on the BIOS level, infecting systems' boot sectors and spreading to any mounted floppy disks. After infection, it would lay dormant, infecting any inserted floppy disks but otherwise not taking any actions. The virus was set to "detonate" every year on March 6th, at which point it would corrupt any attached storage media. While the data on the drives technically wasn't wiped, their partition maps were corrupted, making file recovery impossible for average users.

Much ado was made about this virus, particularly after January of 1992, when hardware and software vendors accidentally shipped infected products to consumers. As the virus made headlines, John McAfee (creator of McAfee Antivirus) and other tech "experts" stoked the flames, claiming that millions of computers could be infected with the virus—despite known infections being limited to a few hundred systems. Users were advised not to use their computers on March 6th, or to fiddle with their computers' clocks on March 5th and 7th to avoid the date landing on the 6th. This advice was largely disregarded, and on March 6th, 1992, only ten to twenty thousand cases of data loss were reported. The last known Michaelangelo infection was in 1997.

This was one of the earliest cases of "branded" malware getting mass-publicity and causing undue panic, despite having a relatively low impact. This tradition continues to this day, with new "branded" malware and vulnerabilities making headlines every year, followed by countless vendors using the subsequent panic to promote their "cutting-edge" security products.

Macro Viruses

In 1995, the same year that the greatest movie of all time was released to adoring theater audiences, the Concept virus became the first known example of a Macro Virus, abusing Microsoft Word's built-in macro-scripting language to infect documents and take unwanted actions on systems.

In 1996, XML.Laroux was the first Microsoft Excel macrovirus. These viruses were the first viruses designed to infect documents, rather than executable files, and they were the first cross-platform viruses, capable of running on any system with Microsoft Office installed.

Nobody is Safe

1996 also saw the release of the Staog virus, the first computer virus written for Linux. Fortunately, the vulnerabilities exploited by the virus were patched quickly, and the virus died off with little fanfare. In the years since, there have been numerous Linux malware discovered in the wild, yet Linux users continue to proudly boast: "I don't need antivirus; I run Linux." (They're not alone; macOS users make the same boast.)

Knock, Knock

As if macro viruses and Linux viruses weren't enough, 1996 also brought NokNok 5.0, the first (that I'm aware of) Remote-Access Trojan (RAT).

Tools for remote desktop access have been around since the early '80s, with software like Carbon Copy and Timbuktu leading the pack. These tools were designed for legitimate use, and made no attempt to evade detection or deceive users.

NokNok changed the game, providing remote control capabilities in a discreet package which could be installed without victims' knowledge. This was typically achieved via the Trojan Horse technique, wherein a malicious payload is attached to a legitimate, desirable application.

This technique is a form of Social Engineering, much like its mythical namesake, and has seen widespread popularity among file-sharing and piracy communities, where users often seek free "cracked" copies or dodgy "key generators" ("keygens") for expensive legitimate software.

CIH, the Space-Filler

In 1998, the CIH virus infected sixty million computers worldwide, destroying data and, in many cases, erasing the system BIOS. The virus caused an estimated US$1 billion in damages, yet no charges were filed against its author, Chen Ing-hau, who claimed that he wrote the virus to challenge the AV industry's bold detection claims. He and a fellow student, Weng Shi-hao, co-authored an antivirus, enabling users to safely remove CIH from infected systems.

At the time CIH was released, many viruses would prepend or append their viral code to the files they infected, resulting in changes to the size of the infected files. AV vendors caught on to this, and created detections for file-size alterations. To defeat this detection mechanism, the CIH authors developed a method to infect files without altering their size.

When languages like C++ or Rust are compiled to binary, assemblers often include "gaps" of unused bytes in the executable file, padding sections to ensure proper byte alignment. The CIH virus would write its code into these gaps, thus infecting the file without altering its size.

Plague of RATs

Following NokNok, RATs became a hot commodity. In 1998, the Cult of the Dead Cow (cDc) released Back Orifice (BO), a tool they designed to demonstrate the insecurity of Windows systems. Despite claims that it was intended only for legitimate uses, the tool employed evasive tactics and could be installed without user interaction, making it perfect for use as a Trojan.

In 1999, cDc released Back Orifice 2000 (BO2k), the successor to their previous year's release. BO2k added support for Windows NT, 2000 and XP, and employed a plugin architecture, enabling new functionality to be pushed to clients on-the-fly. As before, BO2k was touted as a legitimate tool. Here are a few of the plugins provided by the tool:

  • Remote control of mouse and keyboard.
  • Remote observation of the user's desktop and audio.
  • Rootkit behavior, capable of hiding things from the system.
  • Bypass firewalls via tunneling.
  • Route through "connection chains" of multiple infected hosts.
  • Live keylogging.
  • Clientless Command-and-Control (C2) via IRC.

With features like these, it's no surprise that BO2k was classified as malware in most AV engines.

Following on BO2k's coattails, Sub7 was also released in 1999, and swiftly became one of the most popular RATs in the world. Much like BO2k, Sub7 was designed for trojanized installation, and provided a variety of similar features:

  • Remote control and observation.
  • Recovering cached passwords.
  • ICQ account takeover.
  • C2 via IRC.
  • Keylogging.
  • Port scanning and redirection.

Sub7 also included some "prank" features, making it popular among skids:

  • Open and close the CD tray.
  • Swap mouse buttons.
  • Use text-to-speech to make the computer speak.

In the decades folowing the release of BO2k and Sub7, the popularity and proliferation of RATs has soared, and the focus has shifted from pranks to profits.

Outlook, Look Out

In 1999, a variety of malware was released which took advantage of Microsoft products, including Outlook, Outlook Express, and Office.

  • The Happy99 worm wished users Happy New Year while infecting outbound emails.
  • The Melissa worm was a macro virus which spread via Microsoft Office documents attached to infected emails.
    • The documents appeared to contain login credentials for a number of pornographic websites, designed to entice users to open the file.
  • The ExploreZip worm was discovered. It was designed to destroy Microsoft Office documents.
  • The Kak worm, written in JavaScript, spread by exploiting a bug in Outlook Express.

Shattering Windows

In the years following the release of Windows 3.0, Microsoft became the global leader in the desktop OS market. Much to the chagrin of Mac and Linux users, Microsoft's products became the most wide-spread software in the world, despite being plagued by vulnerabilities and malware. To this day, the vast majority of malware targets Microsoft Office and Windows. These products continue to be the most common route for malware to infect systems and networks, whether via exploitation of 0-day vulnerabilities, or simply by abusing the built-in functionality of the software. In fact, one could argue that the single most effective way to prevent malware infections would be to eliminate all Microsoft products from your workplace.

Still, Microsoft's global market dominance continues unabated. In fact, they now offer Microsoft Defender, a clever way to turn Microsoft's historically bug-ridden software into yet another revenue source. Defender protects Windows systems against malware which, historically, abuses Microsoft's own products to infect and spread.

Microsoft creates and sells exploitable products, then creates and sells exploit protection.

That's like if Kia sold cars that sometimes exploded, then sold a separate add-on package that prevented the explosions.

Brilliant!