In any field of human activity, the latest generation stands squarely on the shoulders of those who went before, learning from what has been done before, re-applying what has proved successful and also trying to break new ground. This is no less true of those who develop malicious code. Successive waves of malicious code have re-defined the threat landscape.
What’s also clear is that security solutions have had to evolve to match each successive generation of threats. As a result, both the disease and the cure differ greatly from the situation when the virus problem first appeared. But what are the specific factors that have influenced the development of malicious code? And how have security solutions had to evolve to deal with each emerging threat?
The first PC viruses: boot sector viruses
The first PC virus, Brain, appeared in 1986. Brain was a boot sector virus. Boot sector viruses work by modifying the first sector on floppy disks.

The life-cycle of a boot sector virus is as follows: the virus executes, and loads its code into memory, when a user boots from an infected disk. The disk doesn’t have to be a system disk: any disk will do. In most cases, the user doesn’t mean to boot from the disk at all. Typically, they simply forget to remove the disk when they shut down the machine and then forget it’s there when they boot up the next day. If the BIOS is configured to boot from floppy disk (and, of course, a growing number of PCs these days do not come with a floppy disk drive) the system detects the disk in drive A and automatically loads whatever code is in the boot sector: in the case of an infected disk, the virus. The user realizes they’ve tried to boot from floppy disk by mistake when they see the message ‘Non system disk or disk error, replace and press any key when ready’. They then remove the disk and continue working, suspecting nothing about what has just happened.

What happens next depends on the operating system being used. Boot sector viruses infect at a BIOS level, before the operating system is loaded, so they’re operating system independent. However, they use DOS calls to go memory resident and spread to other floppy disks: if the operating system doesn’t support DOS, they don’t get the chance to load and spread. They’re effectively sidelined by any operating system other than DOS, Windows 3.x (which sits on top of DOS) or Windows 9x (which may sometimes use DOS access to floppy disks). The only damage they can do on other operating systems is if the virus is coded to carry out its damage routine at a BIOS level, before the operating system loads. This is true of Michelangelo, for example, which overwrites the start of the hard drive as soon as the PC is booted on 6 March ... before the operating system loads.
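Because a boot sector virus lives in the first 512 bytes of the disk, the classic defensive check is an integrity check on that sector: parse the fixed layout (jump instruction, OEM name, BIOS Parameter Block, 0x55AA signature) and compare the sector against a stored known-good baseline. The example below is added here to illustrate that check; it is not code from the original article or from any product it mentions. The boot sector it builds is a constructed sample with the standard DOS field offsets, and the "altered" copy simply changes the code region while leaving the BPB intact, to stand in for a modified sector.

```python
import hashlib
import struct
from typing import List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a bootable sector
BPB_FORMAT = "<HBHBHHB"       # little-endian BIOS Parameter Block, offsets 11..21


def build_clean_boot_sector() -> bytes:
    """Constructed sample: a minimal DOS-style 1.44 MB floppy boot sector (not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"        # JMP SHORT +0x3C; NOP (typical DOS boot sector start)
    sector[3:11] = b"MSDOS5.0"           # OEM name
    # bytes/sector, sectors/cluster, reserved sectors, FAT count,
    # root directory entries, total sectors (2880 for 1.44 MB), media descriptor
    sector[11:22] = struct.pack(BPB_FORMAT, 512, 1, 1, 2, 224, 2880, 0xF0)
    sector[62:120] = b"\x90" * 58        # stand-in for the real loader code
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_altered_boot_sector() -> bytes:
    """Constructed sample: same sector with the jump target and code region changed, BPB untouched."""
    sector = bytearray(build_clean_boot_sector())
    sector[1] = 0x50                      # jump now lands somewhere else
    sector[82:120] = b"\xcc" * 38         # code region replaced with different bytes
    return bytes(sector)


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the fixed-offset fields of a DOS boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    bps, spc, reserved, fats, root, total, media = struct.unpack(BPB_FORMAT, sector[11:22])
    return {
        "jump": sector[0:3],
        "oem_name": sector[3:11].decode("ascii", errors="replace").rstrip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "fat_count": fats,
        "root_entries": root,
        "total_sectors": total,
        "media_descriptor": media,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def sector_digest(sector: bytes) -> str:
    """SHA-256 of the whole sector; store this when the disk is known to be clean."""
    return hashlib.sha256(sector).hexdigest()


def check_boot_sector(sector: bytes, known_good_digest: str) -> List[str]:
    """Return a list of findings; an empty list means the sector passes every check."""
    findings = []
    info = parse_boot_sector(sector)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["jump"][0] not in (0xEB, 0xE9):
        findings.append("sector does not start with a JMP instruction")
    if info["bytes_per_sector"] != 512:
        findings.append("implausible bytes_per_sector %d" % info["bytes_per_sector"])
    if sector_digest(sector) != known_good_digest:
        findings.append("boot sector differs from stored baseline")
    return findings


if __name__ == "__main__":
    baseline = sector_digest(build_clean_boot_sector())
    for label, sec in (("clean", build_clean_boot_sector()), ("altered", build_altered_boot_sector())):
        print(label, parse_boot_sector(sec)["oem_name"], check_boot_sector(sec, baseline) or "OK")
```

The structural checks (signature, leading JMP, sane BPB) catch gross corruption on their own, but only the baseline comparison catches a sector that was rewritten while keeping the BPB valid, which is why the digest has to be recorded while the disk is known to be clean.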