Changing Threats, Changing Solutions: A History of Viruses and Antivirus
by David Emm - Senior Technology Consultant, Kaspersky Lab UK - Thursday, 17 April 2008.
It is more than 20 years since the first PC virus appeared. Since then, the nature of threats has changed significantly. Today’s threats are more complex than ever before. Much of today’s malicious code, and this includes a wide array of Trojans, exploits, rootkits, phishing scams, spam and spyware as well as classic viruses and worms, is purpose-built to hijack users’ machines to make money illegally. The connectivity provided by the Internet means that attacks can be launched on victim machines very quickly, as widely or selectively as malware authors, and the criminal underground that sponsors them, require. Malicious code may be embedded in e-mail, injected into fake software packs, or placed on web pages for download by a Trojan installed on an infected machine. The scale of the problem, in terms of numbers alone, has also continued to increase. Kaspersky Lab antivirus databases contain 570,500 records and around 3,500 new records are added weekly.

In any field of human activity, the latest generation stands squarely on the shoulders of those who went before, learning from what has been done before, re-applying what has proved successful and also trying to break new ground. This is no less true of those who develop malicious code. Successive waves of malicious code have re-defined the threat landscape.

What’s also clear is that security solutions have also had to evolve to match each successive generation of threats. As a result, both the disease and the cure differ greatly from the situation when the virus problem first appeared. But what are the specific factors that have influenced the development of malicious code? And how have security solutions had to evolve to deal with each emerging threat?

The first PC viruses: boot sector viruses

The first PC virus, Brain, appeared in 1986. Brain was a boot sector virus. Boot sector viruses work by modifying the first sector on floppy disks. The life-cycle of a boot sector virus is as follows: the virus executes, and loads its code into memory, when a user boots from an infected disk. The disk doesn’t have to be a system disk: any disk will do. In most cases, the user doesn’t mean to boot from the disk at all. Typically, they simply forget to remove the disk when they shut down the machine and then forget it’s there when they boot up the next day. If the BIOS is configured to boot from floppy disk (and, of course, a growing number of PCs these days do not come with a floppy disk drive) the system detects the disk in drive A and automatically loads whatever code is in the boot sector: in the case of an infected disk, the virus. The user realizes they’ve tried to boot from floppy disk by mistake when they see the message ‘Non system disk or disk error, replace and press any key when ready’. They then remove the disk and continue working, suspecting nothing about what has just happened.

What happens next depends on the operating system being used. Boot sector viruses infect at a BIOS level, before the operating system is loaded, so they’re operating system independent. However, they use DOS calls to go memory resident and spread to other floppy disks: if the operating system doesn’t support DOS, they don’t get the chance to load and spread. They’re effectively sidelined by any operating system other than DOS, Windows 3.x (which sits on top of DOS) or Windows 9x (which may sometimes use DOS access to floppy disks). The only damage they can do on other operating systems is if the virus is coded to carry out its damage routine at a BIOS level, before the operating system loads. This is true of Michelangelo, for example, which overwrites the start of the hard drive as soon as the PC is booted on 6 March, before the operating system loads.
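The boot sector described above has a fixed layout (a short jump, an 8-byte OEM name, the BIOS Parameter Block, the boot code, and the 0x55AA signature in the last two bytes), which is what made early integrity checks against boot sector infection possible. The following Python is an added example written for this article, not code from the author or from Kaspersky Lab: it builds a constructed 1.44 MB floppy boot sector, decodes the fields a checker cares about, and compares a hash of the code region against a known-good baseline. The sample sectors, the OEM label and the placeholder opcodes are constructed here; the only page-derived content is the "Non system disk" message text.

```python
"""Boot-sector integrity check (added example; sample sectors are constructed here)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a bootable sector
CODE_START = 62                # first byte after the DOS 4.0+ extended BPB
BPB_FORMAT = "<HBHBHHBH"       # classic BPB fields at offset 11, little-endian


def build_sample_sector(oem: bytes, boot_code: bytes) -> bytes:
    """Construct a 512-byte DOS-style floppy boot sector (test data, not real media)."""
    if len(boot_code) > 510 - CODE_START:
        raise ValueError("boot code does not fit in the sector")
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"              # JMP short over the BPB, then NOP
    sector[3:11] = oem.ljust(8, b" ")[:8]      # OEM name, exactly 8 bytes
    # BIOS Parameter Block values for a standard 1.44 MB floppy
    struct.pack_into(BPB_FORMAT, sector, 11,
                     512,    # bytes per sector
                     1,      # sectors per cluster
                     1,      # reserved sectors
                     2,      # number of FATs
                     224,    # root directory entries
                     2880,   # total sectors
                     0xF0,   # media descriptor
                     9)      # sectors per FAT
    sector[CODE_START:CODE_START + len(boot_code)] = boot_code
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the fields a checker needs; rejects anything that is not one full sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    bps, _spc, _reserved, _fats, _root, total, media, _spf = \
        struct.unpack_from(BPB_FORMAT, sector, 11)
    return {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps,
        "total_sectors": total,
        "media_descriptor": media,
        "has_boot_signature": sector[510:512] == BOOT_SIGNATURE,
        # Hash only the code region: the BPB legitimately differs between disks,
        # but the loader code on a given format should not change.
        "code_hash": hashlib.sha256(sector[CODE_START:510]).hexdigest(),
    }


def check_boot_sector(sector: bytes, baseline_code_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the trusted baseline."""
    info = parse_boot_sector(sector)
    findings = []
    if not info["has_boot_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["bytes_per_sector"] != 512 or info["total_sectors"] == 0:
        findings.append("implausible BIOS parameter block")
    if info["code_hash"] != baseline_code_hash:
        findings.append("boot code differs from known-good baseline")
    return findings


# Constructed "known-good" sector: two real x86 opcodes (cli; xor ax,ax) followed by
# the familiar message text, standing in for a genuine DOS boot loader.
KNOWN_GOOD = build_sample_sector(
    b"MSDOS5.0",
    b"\xfa\x31\xc0" + b"Non system disk or disk error\r\n"
    b"Replace and press any key when ready\r\n")
BASELINE_HASH = parse_boot_sector(KNOWN_GOOD)["code_hash"]

# Constructed altered copy: the first bytes of the code region no longer match the baseline.
_altered = bytearray(KNOWN_GOOD)
_altered[CODE_START:CODE_START + 3] = b"\xe9\x00\x00"
ALTERED = bytes(_altered)

if __name__ == "__main__":
    for name, sec in (("known-good", KNOWN_GOOD), ("altered", ALTERED)):
        print(name, check_boot_sector(sec, BASELINE_HASH) or "OK")
```

The baseline hash would in practice be taken from a freshly formatted disk of the same type and stored somewhere the checked machine cannot silently rewrite; the code region is hashed separately from the BPB because the BPB changes legitimately with disk geometry while the loader code does not.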
