Malware poses the largest single threat to information security. Within just a few decades, this previously marginal phenomenon has become a criminal industry worth billions and a tool of state-level online attackers, but the current problems may be just the beginning.
Malware, which includes viruses, worms, and trojans, has had a tremendous impact on computer security since the 1980s. There are other problems, but malware is the common thread connecting almost every major information security incident. The development of malware over the last three decades divides into clear epochs.
Scientific publications and science-fiction authors were already mentioning computer viruses and similar problems in the 1960s. The first computer virus to actually spread was discovered in 1981: the malware, Elk Cloner, that ran on Apple II computers. Between 1981 and 1986, around 10 other viruses targeted at the Apple II were discovered.
In 1986, the first virus aimed at the Commodore 64 was found; it was known as BHP. The Commodore 64 and Apple II used a similar central processing unit (MOS Technology 6502/6510). They also both used 5.25-inch floppy disks. Early Apple and Commodore viruses were spread by users trading floppies, but never became a major problem; it took the IBM PC to do that.
The first PC virus was known as Brain.A and was discovered in 1986. Brain is often mentioned as the first virus, but it's actually just the first virus for PCs. Like Elk Cloner and BHP, Brain spread on floppies. In practice, viruses spread via floppies from one company, city, or country to another as people carried infected floppy disks with them, at a similar rate to a disease such as the flu. Such viruses required travel in order to spread: it was impossible for Brain to spread from Pakistan to Philadelphia, for example, unless someone took the trip and carried a disk with them.
Floppy disk viruses were also called boot sector viruses. This was because, when starting up, early PCs checked the disk drive for a floppy disk in order to load the operating system from that disk. Brain and the other early PC viruses, such as Stoned and Form, copied their code into the boot sector of every disk they encountered and relied on people transporting the disks further afield. Sooner or later, the user would start their computer with an infected disk in the drive.
Disks infected by floppy disk viruses were harmless as long as they were not in the drive when the computer was started. A peculiar mass infection took place at a bank in 1992. The finance department of the bank's main branch had a few infected MS-DOS computers, which copied the Form.A virus onto every disk that went through their drives. Over time, so many disks were infected that they accounted for the majority used at the main branch. However, they did not infect other machines, as the computers were restarted very rarely. It was company policy to leave computers on overnight, only turning off the screens. This changed dramatically after a brief power outage at the bank's main branch in the middle of a working day. Nearly every computer was in use, which is why nearly all disk drives had a disk in them. When power returned, the machines restarted, tried to load the operating system from their disks, and were infected.
In late 2010, I was invited to a meeting set up by F-Secure's public relations (PR) department. It was about Brain.A, the world's first PC virus.
Although Brain was a very basic virus, it spread around the world very efficiently. When I started working in information security, I studied all the known malware families and decompiled Brain.
Our PR team wanted to mark Brain's 25-year anniversary, suggesting that we use Brain in a campaign to raise awareness of the dangers of malware and its evolution. I listened to their proposal, asked to speak, and said, "Well, that's boring. What if, instead, I tried to find the authors of the Brain virus and ask them why they did it?"
I knew that we had a breadcrumb trail for this, since I recalled that the following text was hidden inside the virus's code:
Welcome to the Dungeon © 1986 Basit & Amjads (pvt).
BRAIN COMPUTER SERVICES
730 NIZAM BLOCK
ALLAMA IQBAL TOWN LAHORE-PAKISTAN
PHONE: 430791,443248,280530.
Beware of this VIRUS...
Contact us for vaccination...
Allama Iqbal Town is a district in Lahore, Pakistan, and Basit and Amjad are Pakistani first names. Sure, 25 years had passed, but how hard could it be to find these guys? After all, there are only 220 million people in Pakistan.
We decided to set the project in motion, agreeing that Olli from F-Secure's PR department and photographer Taito Kawata would join me in Lahore to capture the meeting on video. Our initial idea was simply to travel to Lahore and find the address, 730 Nizam Block, mentioned in the virus; however, it soon occurred to us that Basit and Amjad were probably no longer at the same address. So, I leveraged my contacts to ask for clues from IT security experts in Pakistan and was eventually given the email address of a supposed acquaintance of either Basit or Amjad. I sent this acquaintance an email asking them to forward my contact information to one of the two.
Hello!
I'm trying to reach Basit or Amjad.
Please pass my contact information to them.
With very best regards,
Mikko Hypponen
Chief Research Officer
F-Secure
Finland
Two days later, I received an email. The sender was Basit Alvi himself, one of the authors of Brain, and his contact information was included.
Hi, This is Basit, my contact details are as follows:
Basit Farooq Alvi | Director |
Brain Telecommunication Limited.
730-Nizam Block | Allama Iqbal Town |
Lahore 54570 | Pakistan.
I couldn't believe what I was reading. I had made contact with one of the Brain virus's authors, and the contact information he provided was the same as in the 25-year-old virus: 730 Nizam Block, Allama Iqbal Town.
I sent Basit a proposal by email.
Hello there!
My name is Mikko Hypponen and I work at F-Secure.
Brain.A virus will be 25 years old in January. So the whole PC virus will be 25 years old. We believe this is important and would like to do something around it. I have analysed the Brain virus myself long, long time ago when it was still spreading.
I would meet you guys at Brain Telecommunication and we would discuss the history of the worm. The end result would be published as an online video.
We're talking about a historic event and we want to discuss the background of it all.
Please let me know how you feel about this.
Basit and his brother Amjad accepted. We began preparing for our trip to Lahore.
Lahore is a city of more than 10 million people in northern Pakistan. Viewing the area in Google Maps reveals that Lahore is almost on the Indian border, which becomes a dotted line to the north of the city. This means that the area remains disputed territory prone to unrest. The conflicts have been beneficial to the extremist group Al-Qaeda, which was using the area as one of its strongholds.
I decided to contact the Finnish embassy in Islamabad and ask for advice. They quickly came back to me: "You must apply for visas and permits for the film crew from the Pakistani embassy in Stockholm. We recommend that you start doing so immediately, as the filming permit process has been up to four months long of late. In Lahore, you will need a local security team, which will not be too costly. You should also reserve transport in advance."
We immediately decided not to apply for an official filming permit, opting for normal business travel visas since we could not afford to wait several months.
The embassy recommended a local security company from which we could hire a security team. This company quickly replied to my email, explaining that they could provide bodyguards and civilian vehicles from the Pakistani police's security unit. I reserved a driver and two bodyguards. Our departure date was set for January 31, but the situation in Lahore escalated a few days prior to this. An employee of the CIA's Lahore branch had shot two Pakistani men on the street under uncertain circumstances. He was surrounded by a mob and called for help. The dispatched CIA security personnel drove along the oncoming lane to reach the site quickly, fatally injuring a bystander.
The security company sent me an email recommending that we postpone our trip due to the growing tensions.
Our travel arrangements had been made, and the flights could not be cancelled. Olli, Taito, and I met to consider what to do. On the last day of January 2011, we stepped into an airport taxi at F-Secure headquarters with fresh visas in our pockets and bandages on our arms from vaccinations. We flew from Helsinki via Frankfurt to Abu Dhabi, and overnight from there to Lahore, landing at Lahore airport at 2:30 a.m. From the plane windows, you could see the warm rain outside. The terminal emerged from the mist as the plane taxied onward. Once inside the terminal, we noticed that it was crammed with people, as if it were midday.
We...