by Dr. Nikolai Bezroukov.
Copyright: Dr. Nikolai Bezroukov 1994-2013.
Unpublished notes. Version 0.80.October, 2013
Chapter 1: An Overview of Malware History
An overview of Malware development history
To get a proper understanding of this topic, let's first review the history of
this subject. Any serious researcher would agree that the antivirus industry (as
well as now newly minted antispyware vendors) is to a large extent a by-product
of Microsoft products. and not only operating systems. Some Microsoft applications
such as MS Word gave a start new types of viruses. Of course Microsoft was
not a single reason, but due to its dominance and inability (or lack of desire)
to close some holes in Windows, until recently it played a major role in creating
malware friendly environment and stimulating growth of anti-virus vendors.
The history of antivirus/anti-malware software closely corresponds to the history
of viruses and worms themselves. It started with boot and file viruses in MS DOS
days and anti-virus software vendors of those ancient period. Some of them like
McAfee, Symantec and Kaspersky managed to survive from those days.
History of PC malware can be viewed as consisting of the several overlapping
- Boot and file viruses (1988-1996). Microsoft DOS was and early version
of Windows such as 3.1 were the most virus friendly OSes available. First
of all due to their mass deployment which far exceeded any competitive OSes,
but not only because of that. Almost until 1996 when macro viruses appears and
started of threaten Microsoft bottom line it did absolutely nothing to make
Windows more secure. No attempt of patching major security holes present
in its DOS and early Windows were undertaken as they might break compatibility
with old software.
- Macro viruses (1996-2000). Macro viruses was viruses specific for
a single Microsoft application -- MS Office with Word macro viruses taking lion
share, although a couple of Excel viruses also existed. First al all this was
the first tie a particular application proved to be popular enough to sustain
the new type of malware.
This period was also very interesting as AV vendors proved to be completely
unprepared to the new threat (the situation that will repeat itself in the future
many times). Please remember that in 1995-1996 it took almost a year for AV
vendors to (more or less adequately) react on the Concept macro virus. Each
time a relatively new threat arise, AV vendors fall far behind the regular upgrade
cycle. Before that the value of AV products for Ms Word macro virus protection
was the same as the value of a simple grep-style search utility, available
for free from any good file repository ;-).
In late 90th Microsoft started to understand that native Office formats are
insecure and that can badly affect the revenue stream. So the company made some
improvements in Office 97 and especially in Office 2000. But it was too little
and too late. I think that growing understanding of insecurity of Microsoft
platform provided some breathing space for Apple which was on the brink of extinction.
- Mail viruses and worms (1998-2004). Here Microsoft was in the game
again and managed to create a new category of mail worms (due to a simple and
stupid decision of hiding the extension in files by default): "double extension
attachment" worms and Trojans ;-). But generally mail worms became so
popular due to the fact that extension in Microsoft Windows was nothing but
a mnemonically part of the name -- in reality OS determined type of the file
based on binary format. So a file with extension, say, pdf which should be Adobe
document can well be hidden executable.
- Network viruses and worms (2001-2007). This new type of malware was
result of growth of TCP connectivity of PCs, which since Windows 95 included
TCP/IP stack by default. Unlike, say macro viruses, this type of malware
was not new as the first network worms were written for Unix and mainframes.
Morris worm was probably the oldest network worm known. It propagated based
on the fact that in old days neither Unixes not applications on them were systematically
patches and it successfully exploited old known holes in ancient flavors on
Unix and several Unix applications (Sendmail).
Windows got into the game rather late with network worm called
Code Red ( July 16, 2001).
It was followed by series of real epidemics of such network words as
SQL Slammer (Jan, 2003),
MSBlaster (Aug, 2003);
Sasser (Apr 30, 2004) and
Zotob (Aug 17, 2005). The
last network worm that caused major epidemics was probably
Allaple.b (aka Rahack.W
and Rahack.BB ) (Nov 2006-March 2007). After that network works fall into
permanent decline. Many organizations blocked TFTP protocol outside of selected
networking devices as the proactive protection against copycats and now worms
need to provide its own reliable transmission protocol that negatively affect
minimal size. Also law enforcement is more vigilant now and chances to
go to jail for unleashing the worm are very real.
- Spyware (2002-present). Spyware proliferation overlaps with network
worms but soon it far surpassed them. It was the first type of malware written
for getting revenue stream, In a way malware authors became part of organized
crime world. Several shadow companies hired professional programmer to write
and polish various types of spyware, each of which dramatically surpassed in
complexity previous generations of malware. Many types of spyware are designed
in such a way as to make their removal very difficult and recreate themselves
if some parts are not removed.
- Rootkits and RATs (2006-present) Acronym RAT means Remote Access
Trojans. It is often part of so called rootkits -- a set of software designed
to get administrative access on a particular PC. For user PCs rootkits are often
less necessary as user typically is an administrator, but for corporate PC the
story is different and typically user does not have full administrative capabilities.
There is another meaning of rootkit that is unique to Pc world -- it means complex
set of modules that prevent disinfection and mask the presence of the malware.
This is the nastiest flavor of malware because often it is designed both to
provide backdoor and to ensure "survival" of other spyware on a [particular
PC. They are quite stealthy. Such rootkits as Hacker Defender, FU, HE4Hook,
Vanquish, AFX first started as parts of s of porno spyware. If is also often
propagated from "pseudo warez" sites the lure naive users with "free downloads"
of popular commercial software such as Microsoft Office, Adobe Photoshop
and similar popular programs. College campuses are especially hard hit.
Mass deployment of rootkits created PC zombies armies which became an important
tool for denial of service attacks and spreading scam. Spam industry from the
beginning was commercial and this was the first industry where first malware
millionaires were made.
- Scareware or more correctly extortionware. Around 2008 a new type,
more profitable type of malware surfaced and soon became pretty prominent if
not dominant type of malware. It is usually called scareware but more correct
term is extortionware, The first major epidemics was in 2009 and was connected
with rogue antivirus called Antivirus Pro. Antivirus Pro was a representative
of a new type of malware -- rogue security software that displays deceptive
information about the infected system. It also blocks access to the infected
system by terminating processes not included in its predefined list. This malware
was commonly known as "Windows Antivirus Pro". The idea was to course
the user into paying for registration. this method of extortion proved to be
remarkably effective and here new bunch of malware multi-millionaires were created.
At this point malware industry became real part of organized crime.
- Data stealing Trojans. As of 2012 the newest type of malware are
so called data stealing Trojans. Those Trojans are designed to find and transmit
financial information found on the PC. Obviously this is malware with a distinct
criminal intent. Not much known about the level of this danger and the damage
it caused. But it is clear that to store your personal data on a PC with internet
access without encryption is now really foolish thing to do. For which you can
dearly pay. Still many PCs grace successful generations of Tax Cut or other
tax software with returns readily available in standard for the particular version
folders. like Bernard Show once noted: experience keeps the most expensive school
but fools can learn in no other. On the other hands absence of built-in encryption
with user supplied password in Tax Cut and similar software is a real blunder