Twenty glorious years of Windows malware
The evolution of groundbreaking Windows malware sheds light on what's to come
By Woody Leonhard | InfoWorld | Published: 15:40, 01 March 2011
Back when Windows was young, viruses scampered from system to system, occasionally deleting files, which could almost always be retrieved, and putting up dialog boxes with inscrutable contents, like the numeral 1.
Nowadays, Windows malware locks up your data and holds it for ransom. It manipulates your PC into launching attacks, mines files for credit card numbers and passwords, and sets nuclear centrifuges to whirl with wild abandon - nasty stuff.
Along the way, Windows malware has spawned several billion dollar antivirus companies, inspired enough articles to fill the Library of Alexandria, created jobs for many tens of thousands of security professionals, and caused more than half a billion kingsize headaches.
These pesky programs didn't morph from toddler to kickboxer overnight. There's been a clear succession, with the means, methods and goals changing definitively over time. As with any technology, innovative thinking points the way forward. Here's a look at how ingenuity to nefarious ends has transformed Windows hacking into a multi-billion-dollar industry, and where the Windows malware trail points to the future.
The early rogue's gallery
Some of the most innovative and (still) pervasive malware techniques arrived at the dawn of Windows, with the years leading up to Windows 3.0 setting a strong foundation for Windows-specific malware to come.
Take, for example, VirDem, the first virus to infect an executable file. Ralf Burger created the virus in Germany in 1986 by sticking a self-replicating program at the front of a COM file and moving the original instructions to the end. This was soon followed by Cascade, which appeared in 1987 as the first virus that used encryption to disguise itself. Unfortunately for its author, the small decryption routine that had to precede the encrypted body was identical in every infected file, so scanners simply used those bytes as a signature and picked it up easily. #Fail.
GhostBalls (the code states proudly "Product of Iceland / Copyright © 1989") combined two infection techniques, creating the first multipartite or blended threat virus. GhostBalls attaches itself to COM files and spreads by copying itself to other COM files, but it also looks for a diskette in the A: drive and, if found, copies a modified boot sector virus onto the diskette.
Overcoming Cascade's congenital defect, in 1990 Mark Washburn came up with 1260, the first polymorphic virus. A polymorphic virus re-encrypts itself with a different key on every infection and, crucially, rewrites the decryption routine itself (reordering instructions and inserting do-nothing filler), so no fixed byte string survives from one copy to the next and a plain signature scan has nothing constant to match on.
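The difference between Cascade's fixed decryptor and 1260's variable one is easiest to see on a toy model. The following Python is an added example, not code from the article and not derived from either virus: the three-opcode "decryptor" instruction set, the BODY string and the clean-host bytes are all constructed here. A Cascade-style infector prepends the same key and the same decryptor to every host, so the first bytes of any infected file serve as a signature. A 1260-style infector picks a fresh key each time and pads the decryptor with random filler, which defeats that signature. The second scanner shows the countermove the antivirus industry later adopted, generic decryption: emulate the decryptor, then match on what it reveals.

```python
import random
from typing import Optional

# Constructed stand-in for a virus body: a constant byte string that every
# infected file carries in encrypted form. A real virus would carry its
# replication code here; this toy never does anything to the host.
BODY = b"TOY-BODY:find-host,prepend-self,run-payload"

# Toy decryptor "instruction set", shared by the two infectors and the emulator.
OP_NOP, OP_SETKEY, OP_DECRYPT, OP_JUNK = 0x00, 0x01, 0x02, 0x03


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def infect_fixed(host: bytes) -> bytes:
    """Cascade-style: the same key and the same decryptor bytes in every copy."""
    key = 0x5A
    stub = bytes([OP_SETKEY, key, OP_DECRYPT])
    return stub + xor_bytes(BODY, key) + host


def infect_polymorphic(host: bytes, rng: random.Random) -> bytes:
    """1260-style: a fresh key per infection and a decryptor padded with random
    do-nothing instructions, so no fixed byte string is common to all copies."""
    key = rng.randrange(1, 256)
    stub = bytearray()
    for instruction in (bytes([OP_SETKEY, key]), bytes([OP_DECRYPT])):
        for _ in range(rng.randrange(0, 4)):
            if rng.random() < 0.5:
                stub += bytes([OP_NOP])
            else:
                stub += bytes([OP_JUNK, rng.randrange(256)])
        stub += instruction
    return bytes(stub) + xor_bytes(BODY, key) + host


# What a 1987-era scanner would carry: bytes lifted from one infected sample.
FIXED_SIGNATURE = infect_fixed(b"")[:12]   # decryptor + start of encrypted body
PLAINTEXT_SIGNATURE = BODY[:12]            # the body once it has been decrypted


def signature_scan(data: bytes, signature: bytes) -> bool:
    return signature in data


def emulate_decryptor(data: bytes, window: int = 64, max_steps: int = 32) -> Optional[bytes]:
    """Step through the toy decryptor at the start of the file and return the
    bytes it would reveal; None if the file does not begin with a valid decryptor."""
    key, pc = None, 0
    for _ in range(max_steps):
        if pc >= len(data):
            return None
        op = data[pc]
        if op == OP_NOP:
            pc += 1
        elif op == OP_JUNK and pc + 1 < len(data):
            pc += 2                      # operand is filler, skip it
        elif op == OP_SETKEY and pc + 1 < len(data):
            key, pc = data[pc + 1], pc + 2
        elif op == OP_DECRYPT and key is not None:
            return xor_bytes(data[pc + 1:pc + 1 + window], key)
        else:
            return None                  # not a decryptor we understand
    return None


def generic_scan(data: bytes) -> bool:
    """Generic decryption: emulate first, then match the signature on the plaintext."""
    revealed = emulate_decryptor(data)
    return revealed is not None and PLAINTEXT_SIGNATURE in revealed


def demo(seed: int = 1, samples: int = 5) -> dict:
    rng = random.Random(seed)
    host = b"\xb8\x00\x4c\xcd\x21CLEAN-HOST"   # constructed stand-in for a clean COM file
    fixed = [infect_fixed(host) for _ in range(samples)]
    poly = [infect_polymorphic(host, rng) for _ in range(samples)]
    return {
        "fixed_sig_hits": sum(signature_scan(f, FIXED_SIGNATURE) for f in fixed),
        "poly_sig_hits": sum(signature_scan(p, FIXED_SIGNATURE) for p in poly),
        "fixed_emu_hits": sum(generic_scan(f) for f in fixed),
        "poly_emu_hits": sum(generic_scan(p) for p in poly),
        "poly_distinct_prefixes": len({p[:8] for p in poly}),
        "clean_hits": int(signature_scan(host, FIXED_SIGNATURE) or generic_scan(host)),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the byte signature catching every fixed-decryptor sample and, barring a lucky key collision, none of the polymorphic ones, while the emulating scanner catches all of both and leaves the clean host alone. The cost is the one real scanners also pay: emulation has to run untrusted code far enough to reach the decrypted body, so it needs step limits and sandboxing, both of which the toy only gestures at with max_steps.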
Flying below the radar was the modus operandi of two other viruses launched in 1990, Frodo and Whale, which both became known as stealth viruses because they took great care to hide themselves. Frodo hooked the DOS file-system services so that infected COM files reported their original, pre-infection size and looked clean to any program, scanner included, that asked the operating system. Whale, at 9KB the largest virus to date, used the Frodo technique to hide its size and the 1260 shtick to change itself. Neither program infected much of anything, but both excelled at staying hidden.
Twenty years later, the Windows malware pantheon runs chock-full of infected executables, multipartite, polymorphic and stealth techniques.
The rise of Microsoft macro viruses
Windows 3.0 hit the ground running on May 22, 1990, and soon the platform would go gangbusters. With the exception of Michelangelo, a garden-variety boot sector virus that wiped infected PCs on its March 6 trigger date, injected the phrase "computer virus" into almost every language on earth, and helped substantiate the lucrative antivirus industry, virus innovation stagnated.
Then in the summer of 1995, an epiphany: Somebody, we still don't know who, wrote a very simple macro virus using WordBasic, the macro language behind Microsoft Word.
Documents infected with this virus, when opened using Word 6, add four macros to Word's default template, NORMAL.DOT, which in turn infects any subsequent Word document you save. The payload is harmless: the AutoOpen macro displays an odd dialog box containing only the numeral 1. The macro code contains the text "That's enough to prove my point", thus the name Concept.
The floodgates burst. In late August 1995, several Microsoft employees told me that more than 80 percent of all PCs on Microsoft's Redmond campus were infected by Concept, which spread across the world in a matter of weeks.
Antivirus companies scrambled, trying to protect against this completely new attack vector, and virus writers, aided by macro virus construction kits widely distributed in 1996, had a field day. Word took the initial beating, but then Excel spreadsheets came under attack, first with Laroux, then with a deluge of more than 1,000 macro viruses.
Microsoft shored up security in Office 97, but virus writers quickly figured out how to get around the controls, and many old viruses automatically converted over to the new system, using Microsoft's automatic upgrade tools. The tide didn't shift until antivirus vendors started to get the upper hand, primarily by brute force, and Microsoft finally made infection more difficult in Office 2000. Even so, Word and Excel macro attacks remained an omnipresent part of the malware landscape until Microsoft finally changed the default file formats in Office 2007.