Was Cohen the first?
I ran across the following article, and it set me to wondering--did Dr. Cohen actually publish on 'computer viruses' before anybody else? He continues to use it as the bedrock of his reputation capital, so if this pre-dates his 'seminal' article, please let me know.

Included message:

For Liz Bass or Reg Gale
Discovery 9:31 AM Friday, April 5, 1996
By Lou Dolinar

This is still my favorite computer story. I'm not saying it was the first piece ever written about computer viruses, but I won't say that it isn't. I still have the original, dated April 16, 1985. In some ways I wish I hadn't written it, because it was posted and reposted on bulletin boards all over the U.S., and seems to have subsequently inspired a whole generation of virus writers.

Note to kids: back then, most computers didn't have hard disks, and started up from floppies, hence floppy based viruses were a big deal.

As usual, The Hacker wasn't paying for his midnight phone call; he had stolen the line from one of the long distance phone services.

What's up? I asked. The 17-year-old snickered. Doom was ahead for all Apple II owners. "Don't engage in casual disk-copying with strangers," he said. "You might catch an operating-system virus."

Now the hacker has a pretty hefty national rep in the computer underground, so when he talks about this crazy stuff, it's worth listening. I've seen whole collections of pirated games software bearing his nom de hack, and his black-bag jobs on mainframes would curl your hair.

In case you're not familiar with software piracy, manufacturers build protection schemes into their programs to prevent people from making illegal copies and siphoning their profits. Dedicated pirates like my friend spend hours, sometimes days, cracking these schemes then release them, illegally, free, to the public over a network of electronic bulletin boards that can be reached with a phone, a computer and a modem.
The Hacker always imprinted his name, electronically, on the game that he cracked ("Cracked by The Hacker, July 4, 1978"). And therein lies this tale. A couple of years back, he recalled, some teenagers in the Milwaukee area stole his stolen programs and released them under their own names. Why bother, you ask? Because the hacker whose name the stolen program bears receives the "credit" for having cracked the piracy protected program and, thus, is viewed with some degree of appreciation by similarly larcenous wizards in the computer underground.

The Hacker was outraged and plotted a diabolical revenge: A wizard of code, he constructed what he calls an "operating system virus" for the Apple II computer. The operating system, you may know, loads into the computer before the program and controls the functions of the computer. The Hacker modified the operating system to erase whatever disks were in the computer after they had been used 25 times. Not only that, but the "virus" would attach itself to any other disks that were loaded during the particular session of computer use. Thus, if you played a "virus" carrying pirated game, and then went on to use your $495 word processor and $795 data-base program, these too would be infected and would crash after their 25th use--and in the meantime, they would be spreading the "virus."

Like any disease, then, Killer-DOS, as The Hacker dubbed it, has a latency period, which allowed it to spread to other "victims." He inserted it into a recently cracked games program, put it on an electronic bulletin board frequented by the Minneapolis crowd, and sat back to watch the fun. A couple of months later, whole libraries of disks were being wiped out as the "disease" spread. Now Killer-DOS is common knowledge in the underground, but it wasn't the reason The Hacker called.
It seems he had, in a frenzy of anti-social behavior, created a particularly virulent form of Killer-DOS that didn't crash until it had been loaded 150 times--with a longer latency period, the potential number of victims rises geometrically. But conscience prevailed. The Hacker decided not to release the bug. Then, however, just like the Andromeda Strain, the bug got loose anyway--the Killer-DOS disk got mixed in with "healthy" programs, disks that he has been handing out for the last couple of years and are now all over the country. So if you find a worm in your Apple, don't say you haven't been warned.
In article <199604070321.TAA02171@myriad>, Matthew Ghio <ghio@myriad.alias.net> wrote:
> Despite this, the Apple II never became a popular virus-writing platform. There are several possible reasons for this, but one of the main ones is that few Apple II users had hard disks. On the IBM PC, it was easy for a virus to get on the hard disk, then systematically infect every floppy disk put into the system. Apple II users, in contrast, often booted from floppies, and often rebooted when switching to a different software package, thus purging the virus from memory. (Pressing control-reset on the Apple II keyboard would always pull the reset line on the CPU, so it wasn't possible to trap the interrupt like it is possible to trap ctrl-alt-del on the PC.)
Not true. Pressing ctrl-reset jumped to the interrupt routine pointed to by the vector at (I think) 1010/1011, if the contents of that vector checksummed correctly with the contents of the next byte (1012), and otherwise reset the computer. It certainly was possible (and useful) to trap ctrl-reset. Also, even when a reset occurred, not all of the memory was cleared, so you could in fact keep code in memory across a reset, if you could arrange to have it run on the other side of the boot. As you pointed out, it was very easy to write viruses for the Apple ][. The "slave" disk layout contained two blank sectors (.5 K) within the DOS image that get loaded into memory. The designers may as well have labelled it "put virus here". - Ian "Been there; done that..."
The following concerns the history of computer viruses. While an important issue in computer security, this has no direct relevance to cryptography, so skip this message if you're looking for crypto... ---
> What's up? I asked. The 17-year-old snickered. Doom was ahead for all Apple II owners. "Don't engage in casual disk-copying with strangers," he said. "You might catch an operating-system virus."
One interesting fact is that after the release of DOS 3.3 in 1980, the Apple II operating system was unchanged for several years, until Apple released a completely rewritten operating system (ProDOS) in 1984. During this period, hackers disassembled DOS 3.3 and its internal functions and data structures became well-known. The Apple II ROM contained a debugger/disassembler, which allowed the operating system to be disassembled and experimentally modified while it was resident in memory. In addition, several companies, including Beagle Brothers and Quality Software, published extensive information on DOS 3.3, which had been obtained through reverse-engineering.

Apple DOS behaved very predictably: it was always loaded at the same location in memory, and when it formatted a disk, always wrote the operating system into the same location on the first three tracks of the floppy disk. This allowed the development of object code patches to the DOS kernel which would work reliably because almost everyone was running identical copies of DOS. It also made it easy to write viruses. The simplest was to attach a call to the sector-write subroutine at the end of the catalog command. This only took about 16 bytes of code. (Wouldn't that have made a neat .sig for you modern-day perl hackers?) Whenever the user issued the catalog command (which gave a list of files, like the unix ls command) it would write out that page of memory onto the dos image on the disk, thus infecting the disk. This was entirely benign unless you tried to use a disk with a different or modified operating system, in which case the patch would not apply cleanly, and would likely make the disk unbootable.

Despite this, the Apple II never became a popular virus-writing platform. There are several possible reasons for this, but one of the main ones is that few Apple II users had hard disks.
On the IBM PC, it was easy for a virus to get on the hard disk, then systematically infect every floppy disk put into the system. Apple II users, in contrast, often booted from floppies, and often rebooted when switching to a different software package, thus purging the virus from memory. (Pressing control-reset on the Apple II keyboard would always pull the reset line on the CPU, so it wasn't possible to trap the interrupt like it is possible to trap ctrl-alt-del on the PC.)

A couple bits of interesting virus trivia: Joe Dellinger, then an undergrad at Texas A&M, set out to write the "perfect" virus, that is, one that would silently replicate without causing harm, just to see how far it would spread. The virus added a tag to the end of the boot sector which read: GENxxxxxxxTAMU, where xxxxxxx was the generation counter.

A destructive virus called "CyberAIDS", appeared in 1988. I just looked this one up in an old magazine article, and, when the virus destroyed a disk, it printed, among other drivel:

DISTRIBUTED BY Worshippers of Pat / [WOP]
The Kool/Rad Alliance
The Robert Dole Presidential Campaign

I wonder if Bob Dole appreciated the free advertising. (Also remember that this was in 1988!)

Modern operating systems make kernel-patching viruses like the simple ten-byte hacks effectively impossible since the operating system is less predictable with respect to its memory usage, people upgrade more frequently, and many experienced users compile their own kernel. Modern protected-mode operating systems are also making boot-sector viruses obsolete as well. That leaves executable file viruses. By the late eighties, hard disks were becoming fairly standard equipment, and the "CyberAIDS" virus mentioned above attached itself to executable files. Filesystem security and read/execute-only memory pages on Unix systems make writing effective viruses of this type quite difficult.
Unfortunately, Microsoft's lax attitude toward security allows viruses to persist on their operating systems, and has made Bill Gates very popular with the virus writing groups. In addition, the lack of filesystem security in Windoze makes the shared libraries, and key system files, prime targets for malicious code. Still, as the famous login hack demonstrates, it's not impossible to write a unix virus, if you can get control of the compiler/linker. It's just that there are other methods of hacking unix systems (i.e., buffer overruns) which provide a more immediate return on the investment of time for the hacker.
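The predictability Ghio describes cuts both ways: because DOS 3.3 sat in the same place on every disk, the resident DOS is as easy to fingerprint as it was to patch. The following Python is an added example, not code from any poster in this thread: it hashes the DOS region of a .dsk image against a known-good value and looks for the GENxxxxxxxTAMU tag in the boot sector. The .dsk layout and the blank reference image standing in for a pristine DOS 3.3 master are assumptions, labelled in the code.

```python
import hashlib
import re

# Assumed layout (not from the thread): a .dsk image is 35 tracks x 16
# sectors x 256 bytes, and the DOS 3.3 image occupies tracks 0-2.
TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
TRACK_SIZE = SECTORS * SECTOR_SIZE
DOS_TRACKS = 3

# Marker Dellinger's experimental virus appended to the boot sector.
TAMU_TAG = re.compile(rb"GEN(\d{7})TAMU")


def dos_image(disk: bytes) -> bytes:
    """Return tracks 0-2, the region DOS 3.3 always writes itself into."""
    if len(disk) != TRACKS * TRACK_SIZE:
        raise ValueError("not a 35-track, 16-sector .dsk image")
    return disk[: DOS_TRACKS * TRACK_SIZE]


def dos_fingerprint(disk: bytes) -> str:
    """SHA-256 of the resident DOS; identical on every unpatched disk."""
    return hashlib.sha256(dos_image(disk)).hexdigest()


def find_tamu_tag(disk: bytes):
    """Generation counter from a GENxxxxxxxTAMU tag in track 0 sector 0, else None."""
    m = TAMU_TAG.search(disk[:SECTOR_SIZE])
    return int(m.group(1).decode()) if m else None


def check_disk(disk: bytes, known_good: str) -> dict:
    """Flag a DOS image that differs from the reference and any TAMU tag."""
    return {"dos_modified": dos_fingerprint(disk) != known_good,
            "tamu_generation": find_tamu_tag(disk)}


# Constructed samples: a blank disk stands in for a pristine DOS 3.3 master,
# one copy gets a 16-byte patch in track 2, one gets the TAMU tag in sector 0.
CLEAN = bytes(TRACKS * TRACK_SIZE)
KNOWN_GOOD = dos_fingerprint(CLEAN)
PATCHED = bytearray(CLEAN)
PATCHED[2 * TRACK_SIZE + 0x100: 2 * TRACK_SIZE + 0x110] = b"\x20" * 16
TAGGED = bytearray(CLEAN)
TAGGED[SECTOR_SIZE - 14: SECTOR_SIZE] = b"GEN0000042TAMU"
PATCHED, TAGGED = bytes(PATCHED), bytes(TAGGED)
```

On a real system you would hash a pristine DOS 3.3 boot disk once and keep that value as the reference; any disk whose tracks 0-2 hash differently has had its DOS patched, whatever the patch does.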
participants (3): iang@cs.berkeley.edu, Matthew Ghio, Michael Wilson