The Early Days: Viruses and Worms
This section explores the origin and evolution of automated attacks against computing, including early virus and worm behavior and the drivers shaping that behavior.
Virus Emergence and Early Propagation Methods
The concept of the computer worm or virus is not new. Those who created early computing machines conceived of malicious code or data nearly concurrently with their hardware discoveries. Early researchers used such code in elaborate games such as Core Wars in attempts to learn more about computing and how unexpected interaction between processes affects the computing environment.
The computer virus really started to have an effect at the onset of early business and consumer networking. In the mid-1980s, networking was likely to be done via sneakernet, the term for using floppy disks to move computer programs and data from machine to machine. The earliest examples of widespread computer viruses utilized this method to propagate. Often, the virus would reside in the boot sector of the floppy disk or attach itself to executable files. When users then moved that disk to another machine and tried to boot from it or run executables on it, the virus loaded itself into memory and waited to jump on the next clean boot sector or executable it encountered. Although this form of propagation may today seem slow and primitive, it was remarkably effective. Note that this class of malicious tools was effective because it utilized the behavior of the system itself as a weapon.
Viruses mutate and evolve to match their environment and to take advantage of new infection vectors. Those who write the viruses drive this mutation and evolution in the interest of getting the greatest possible impact. The first viruses were effective precisely because of the way computers operated and the way people interacted with them. The viruses took advantage of the following facts:
Computers commonly booted via floppy disks, which provided boot sector viruses fertile ground for reproduction.
Floppy disks often contained application code and data along with boot code, which application viruses easily infected.
People regularly shared floppy disks as a way to exchange information, which enabled these early viruses to proliferate.
In addition to their simple spreading behavior, viruses often contained some payload. Payload is a common term used to describe what is being delivered to the destination; in this case, the payload was malicious and destructive code along with some identifying information. The virus payload is what usually made the virus famous and often defined the identity of the virus in question. Some viruses did nothing more than display a message on the user's screen. Others occasionally interfered with keystrokes. Truly nasty viruses deleted files or damaged the boot sector itself. Often, these viruses remained inactive within the executable files and in the computer's memory until a particular trigger date activated the malicious code.
Throughout the late 1980s until the present, those who write malicious code have taken advantage of the increasingly well-connected nature of machines, operating systems, and applications, and their code has mutated and evolved along with them. A thorough understanding of the inherent behavior of the target system is crucial to the creation of successful virus code—crucial in fact to any attack against a particular system. To defend a system, you must have this same understanding of system behavior, architecture, and communication.
The introduction of the LAN provided the traditional virus with new propagation opportunities. These networks removed the floppy disk and human mobility requirement and replaced them with much faster electrons moving through wire. With such systems, files and applications are shared at speeds orders of magnitude greater than with sneakernet.
With the introduction of LANs, viruses at first stuck to their old method of operating and continued to propagate, at much higher rates, through infected application files. The problem was compounded by the fact that LANs usually contain one or more file servers, which are devices that act as central repositories for user files and facilitate file sharing. If a virus infected an executable in this environment, it often was not long before the entire server's complement of user executable files was likewise infected.
The WAN and Internet
After the emergence of the LAN in business computing, businesses soon realized the productivity gains possible by joining the LANs of their own branches and those of their partners and customers across dispersed areas. This new "super network" is called a WAN. A WAN provides the virus with an even more vast and extended network and gives an infected business the dubious ability to spread its infection to its partners or customers.
With the emergence of the Internet as a business tool, all of these LANs and WANs at thousands of businesses around the world had the potential to be joined, creating the "network of networks." Once realized on a global scale, this convergence represents the terminal opportunity for virus code because of the great potential for sharing infected files, and it creates a new kind of vulnerable system. That system is the entire Internet itself.
The Network Worm
Writers of malicious code soon realized they could build a new type of attack, one that would be independent of executable files and would instead attack systems themselves via their network connection. This new attack, called a worm, was automatic and usually did not rely on a user's interaction for infection of a vulnerable system to occur. As a result, this approach is a far more rapid and advanced method of spreading malicious code than the virus and one that takes advantage of the architecture and behavior of the large network.
Like the virus, the worm may contain and carry a malicious payload. Curiously (and luckily) few worms have done so. Most worms have caused damage due to denial of service (DoS) that results from their rapid propagation. The worm's ability to use all local CPU and network resources on the infected machine often
The first known instance of a widespread network worm attack was the Morris worm of the late 1980s. This worm attacked machines connected to local networks and the Internet via the IP protocol suite. At the time of the Morris worm, the Internet was a loose collection of universities, government entities, and a handful of forward-looking high-tech businesses. Because of the ubiquity of certain operating systems on the Internet at the time, the Morris worm rapidly infected a considerable percentage of available hosts and, because of its propagation method, swamped CPU and communication resources on the infected machine, causing such machines to become unusable. It is generally accepted that the creator of this worm was performing research rather than attempting to cause trouble, but the damage done was considerable. The whole tech world was suddenly awakened to this new and alarming threat.
The Single Environment and Its Consequences
The success of a worm or virus depends heavily on the prevalence of the target system or application in the environment under attack. The Morris worm was powerful because many machines were connected and running a limited set of software possibilities. The worm easily could discover new vulnerable hosts for infection. As each new host became infected, that host in turn found many "neighbor" machines to infect.
Over the past several years, the Microsoft Windows environment has become the computing platform of choice for most of the world's PC users, business or individual. As a result, nearly 90 percent of the machines connected to the Internet are of the same general type and run the same basic networking, operating system, and application code. Although this single environment fosters productivity for connected users because of the ease of sharing, worms also benefit from such an environment and are easily "shared." A single-vendor computing environment fully interconnected with high-speed data links is fertile ground for malicious code. Combining today's interconnected high-speed networks such as Ethernet LANs, optical WANs, and always-on home Internet connections (cable modems and DSL) with machines operated by identical software presents easy targets to the network worm or virus.
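The effect of platform homogeneity on worm spread, as an added simulation (not from the original text): a random-scanning worm is modelled on a constructed population of hosts, where only hosts running the vulnerable platform can be infected. The host count, scan rate, and platform shares are assumed values chosen for illustration; the model shows how the share of identical machines governs how quickly the population is overrun.

```python
# Added example: epidemic model of a random-scanning network worm.
# Not code from the original text; all parameters are illustrative.
import random


def build_hosts(n_hosts, vulnerable_share, rng):
    """Constructed population: True marks a host on the vulnerable platform."""
    return [rng.random() < vulnerable_share for _ in range(n_hosts)]


def simulate(n_hosts, vulnerable_share, scans_per_round=8, max_rounds=100, seed=7):
    """Return the number of infected hosts after each round.

    Every infected host probes `scans_per_round` random addresses per round.
    A probe that lands on an uninfected host of the vulnerable platform
    infects it; hosts on the other platform are immune, so a worm's reach is
    bounded by how much of the population runs identical software.
    """
    rng = random.Random(seed)
    vulnerable = build_hosts(n_hosts, vulnerable_share, rng)
    infected = [False] * n_hosts
    if True not in vulnerable:
        return [0] * max_rounds          # nothing for the worm to live on
    infected[vulnerable.index(True)] = True   # patient zero
    history = []
    for _ in range(max_rounds):
        newly_hit = []
        for host in range(n_hosts):
            if not infected[host]:
                continue
            for _ in range(scans_per_round):
                target = rng.randrange(n_hosts)
                if vulnerable[target] and not infected[target]:
                    newly_hit.append(target)
        for target in newly_hit:         # new victims start scanning next round
            infected[target] = True
        history.append(sum(infected))
    return history


def rounds_to_reach(history, n_hosts, fraction):
    """First round at which at least `fraction` of ALL hosts are infected, else None."""
    threshold = fraction * n_hosts
    for round_no, count in enumerate(history, start=1):
        if count >= threshold:
            return round_no
    return None


if __name__ == "__main__":
    for share in (0.9, 0.3):
        hist = simulate(2000, share)
        print(f"share={share}: 25% of hosts infected by round "
              f"{rounds_to_reach(hist, 2000, 0.25)}, final={hist[-1]}")
```

Raising the vulnerable share both shortens the time to reach a given infected fraction and raises the ceiling the worm can reach, which is the point the passage makes about single-vendor environments.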