by Dr. Nikolai Bezroukov.
Copyright: Dr. Nikolai Bezroukov 1994-2013.
Unpublished notes. Version 0.80, October 2013
Contents :
Foreword :
Ch01 :
Ch02 :
Ch03 :
Ch04 :
Ch05 :
Ch06 :
Ch07 :
Ch08 :
Ch09 :
Ch10 :
Ch11 :
Ch12 :
Ch13
Chapter 1: An Overview of Malware History
An overview of Malware development history
To get a proper understanding of this topic, let's first review the history of
the subject. Any serious researcher would agree that the antivirus industry (as
well as the newly minted antispyware vendors) is to a large extent a by-product
of Microsoft products, and not only of its operating systems: some Microsoft
applications, such as MS Word, gave rise to entirely new types of viruses. Of course
Microsoft was not the only reason, but due to its dominance and its inability (or
lack of desire) to close some holes in Windows, until recently it played a major
role in creating a malware-friendly environment and stimulating the growth of
anti-virus vendors.
The history of antivirus/anti-malware software closely follows the history
of viruses and worms themselves. It started with boot and file viruses in the MS-DOS
days and with the anti-virus vendors of that ancient period. Some of them, like
McAfee, Symantec and Kaspersky, managed to survive from those days.
The history of PC malware can be viewed as consisting of several overlapping
stages:
- Boot and file viruses (1988-1996). Microsoft DOS and early versions
of Windows such as 3.1 were the most virus-friendly OSes available. First
of all due to their mass deployment, which far exceeded that of any competing OS,
but not only because of that. Almost until 1996, when macro viruses appeared and
started to threaten Microsoft's bottom line, the company did absolutely nothing to make
Windows more secure. No attempt to patch the major security holes present
in DOS and early Windows was undertaken, as patches might break compatibility
with old software.
- Macro viruses (1996-2000). Macro viruses were specific to
a single Microsoft application, MS Office, with Word macro viruses taking the lion's
share, although a few Excel viruses also existed. This was
the first time a particular application proved popular enough to sustain
a new type of malware.
This period was also very interesting, as AV vendors proved completely
unprepared for the new threat (a situation that would repeat itself many times
in the future). Remember that in 1995-1996 it took AV vendors almost a year
to react (more or less adequately) to the Concept macro virus. Each
time a relatively new threat arises, AV vendors fall far behind their regular upgrade
cycle. Until then the value of AV products for MS Word macro virus protection
was the same as the value of a simple grep-style search utility, available
for free from any good file repository ;-).
In the late 90s Microsoft started to understand that the native Office formats are
insecure and that this could badly affect the revenue stream. So the company made some
improvements in Office 97 (a warning when a document contains macros) and especially
in Office 2000 (macro security levels and signed macros). But it was too little
and too late. I think that the growing understanding of the insecurity of the Microsoft
platform provided some breathing space for Apple, which was on the brink of extinction.
- Mail viruses and worms (1998-2004). Here Microsoft was in the game
again and managed to create a new category of mail worms (due to the simple and
stupid decision to hide file extensions by default): "double extension
attachment" worms and Trojans ;-). The mechanism is worth spelling out, because
the usual explanation gets it backwards. Windows does not look at the binary
format of a file to decide what to do with it: the shell picks the program (or
runs the file) purely by its extension. But Explorer and most mail clients, by
default, hide the extension of "known" file types. So an attachment named, say,
invoice.pdf.exe is displayed as invoice.pdf; the user sees what looks like an
Adobe document, while the OS sees an executable and runs it on double click.
The same trick works with .scr, .pif, .com and other executable extensions, and
some worms also padded the name with dozens of spaces so that the real extension
scrolled out of view even when extensions were shown.
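The hidden-extension mechanism above, as an added example that is not part of the original notes: a small Python check that computes what Explorer would show for an attachment name under the default "Hide extensions for known file types" setting, flags names where the visible part looks like a document but the shell will run the file, and compares the extension with the content's magic bytes. The extension sets, the magic table and the sample attachments are constructed assumptions, not a complete list of what Windows treats as known or executable.

```python
"""Hidden-extension ("double extension") attachment check.

Added example, not code from the original notes.  It models the Windows Explorer
default "Hide extensions for known file types" (assumption: every extension in
the two sets below is a registered, i.e. "known", type) and compares what the
user sees with what the shell will actually do on double click.
"""
import os

# Extensions the Windows shell runs as a program on double click.
# Assumption: a typical subset; .scr and .pif were classic mail-worm favourites.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}

# Extensions a user reads as "just a document or a picture".
BENIGN_LOOKING_EXTS = {".pdf", ".doc", ".txt", ".jpg", ".gif", ".zip", ".mp3", ".xls"}

# Leading bytes of a few formats, to compare the claimed type with the content.
MAGIC = [(b"MZ", "exe"), (b"%PDF", "pdf"), (b"\xff\xd8\xff", "jpg"), (b"PK\x03\x04", "zip")]


def displayed_name(filename, hide_known=True):
    """Name as Explorer shows it: the final extension is dropped if it is a known type."""
    stem, ext = os.path.splitext(filename)
    if hide_known and ext.lower() in EXECUTABLE_EXTS | BENIGN_LOOKING_EXTS:
        return stem
    return filename


def is_double_extension_lure(filename):
    """True when the shell sees an executable but the user sees a document name.

    'invoice.pdf.exe' is shown as 'invoice.pdf'.  The padding trick
    'readme.txt<many spaces>.scr' is caught by stripping the shown stem.
    """
    real_ext = os.path.splitext(filename)[1].lower()
    if real_ext not in EXECUTABLE_EXTS:
        return False
    shown_ext = os.path.splitext(displayed_name(filename).rstrip())[1].lower()
    return shown_ext in BENIGN_LOOKING_EXTS


def sniff(data):
    """Guess the real format from magic bytes ('unknown' if nothing matches)."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def assess_attachment(filename, data):
    """Return a list of findings for one attachment (empty list = nothing suspicious)."""
    findings = []
    real_ext = os.path.splitext(filename)[1].lower()
    if is_double_extension_lure(filename):
        findings.append("hidden extension: shown as %r, shell runs it as %s"
                        % (displayed_name(filename), real_ext))
    if real_ext in EXECUTABLE_EXTS:
        findings.append("executable attachment (%s)" % real_ext)
    kind = sniff(data)
    if kind == "exe" and real_ext not in EXECUTABLE_EXTS:
        # The shell would hand this to the PDF/image viewer, not run it: an
        # extension mismatch alone is not how the double-extension worms spread.
        findings.append("PE content behind a non-executable name (%s)" % real_ext)
    elif kind not in ("unknown", "exe") and real_ext != "." + kind:
        findings.append("content is %s but extension is %s" % (kind, real_ext))
    return findings


# Constructed samples (name, leading bytes); not real worm payloads.
SAMPLES = [
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("readme.txt" + " " * 40 + ".scr", b"MZ\x90\x00"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.pdf", b"%PDF-1.4\n"),
    ("statement.pdf", b"MZ\x90\x00"),
]


def scan_samples(samples=SAMPLES):
    """Map each sample name to its findings."""
    return {name: assess_attachment(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print("%-20r -> %s" % (displayed_name(name).rstrip(), findings or "ok"))
```

The last sample shows the point made in the text: a PE file merely renamed to .pdf is flagged by its MZ header, but the shell would pass it to the PDF reader rather than run it, so the worms needed the hidden real extension, not the wrong one.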
- Network viruses and worms (2001-2007). This new type of malware was the
result of the growth of TCP connectivity of PCs, which since Windows 95 have included
a TCP/IP stack by default. Unlike, say, macro viruses, this type of malware
was not new, as the first network worms were written for Unix and mainframes.
The Morris worm (1988) was probably the oldest network worm widely known. It propagated
based on the fact that in those days neither Unix itself nor the applications on it
were systematically patched, and it successfully exploited old, known holes in ancient
flavors of Unix and several Unix applications (the sendmail DEBUG command, a buffer
overflow in fingerd, plus password guessing against trusted hosts).
Windows got into the game rather late with the network worm
Code Red (July 2001).
It was followed by a series of real epidemics of such network worms as
SQL Slammer (Jan 2003),
MSBlaster (Aug 2003),
Sasser (Apr 30, 2004) and
Zotob (Aug 17, 2005). The
last network worm that caused a major epidemic was probably
Allaple.b (aka Rahack.W
and Rahack.BB) (Nov 2006-March 2007), although Conficker (Nov 2008) arguably
qualifies as a later and larger one. After that network worms fell into
permanent decline. Many organizations blocked the TFTP protocol outside of selected
networking devices as proactive protection against copycats (MSBlaster, for example,
fetched its body with tftp.exe after exploiting the RPC hole), so now a worm
needs to carry its own reliable transfer mechanism, which works against keeping
it small. Also law enforcement is more vigilant now, and the chances of
going to jail for unleashing a worm are very real.
- Spyware (2002-present). Spyware proliferation overlaps with network
worms, but it soon far surpassed them. It was the first type of malware written
to generate a revenue stream; in a way, malware authors became part of the organized
crime world. Several shadow companies hired professional programmers to write
and polish various types of spyware, each of which dramatically surpassed previous
generations of malware in complexity. Many types of spyware are designed
to make their removal very difficult and to recreate themselves
if some parts are not removed.
- Rootkits and RATs (2006-present). The acronym RAT means Remote Access
Trojan. It is often part of a so-called rootkit -- in the original Unix meaning, a set
of software designed to obtain and keep administrative access on a particular machine.
For home PCs this is often less necessary, as the user typically is an administrator,
but for corporate PCs the story is different, and typically the user does not have
full administrative rights.
There is another meaning of rootkit that is unique to the PC world -- a complex
set of modules that prevents disinfection and masks the presence of the malware,
typically by hooking system calls so that its files, processes and registry keys
do not appear in listings. This is the nastiest flavor of malware because it is
often designed both to provide a backdoor and to ensure the "survival" of other
spyware on a particular PC. They are quite stealthy. Such rootkits as Hacker Defender,
FU, HE4Hook, Vanquish and AFX first started as parts of porno spyware. Rootkits are
also often propagated from "pseudo warez" sites that lure naive users with "free
downloads" of popular commercial software such as Microsoft Office, Adobe Photoshop
and similar programs. College campuses are especially hard hit.
Mass deployment of rootkits created armies of PC zombies, which became an important
tool for denial of service attacks and for spreading spam. The spam industry was
commercial from the beginning, and this was the first industry where the first malware
millionaires were made.
- Scareware, or more correctly extortionware (2008-present). Around 2008 a new,
more profitable type of malware surfaced and soon became a prominent, if
not the dominant, type of malware. It is usually called scareware, but the more
correct term is extortionware. The first major epidemic was in 2009 and was connected
with a rogue antivirus called Antivirus Pro (commonly known as "Windows Antivirus
Pro"). Antivirus Pro was representative of a new type of malware -- rogue security
software that displays deceptive information about the state of the infected system.
It also blocks access to the infected system by terminating any process not included
in its predefined list. The idea was to coerce the user into paying for "registration".
This method of extortion proved remarkably effective, and a new bunch of malware
multi-millionaires was created. At this point the malware industry became a real
part of organized crime.
- Data-stealing Trojans (2012-present). As of 2012 the newest type of malware is the
so-called data-stealing Trojan. Those Trojans are designed to find and transmit
financial information found on the PC. Obviously this is malware with a distinctly
criminal intent. Not much is known about the level of this danger and the damage
it has caused. But it is clear that storing your personal data unencrypted on a PC
with Internet access is now a really foolish thing to do, for which you can pay
dearly. Still, many PCs carry several generations of TaxCut or other tax software,
with returns readily available in the standard folder for the particular version.
As Benjamin Franklin noted, experience keeps a dear school, but fools will learn
in no other. On the other hand, the absence of built-in encryption with a
user-supplied password in TaxCut and similar software is a real blunder on the
part of the designers.