Pranks are very much a part of the computer culture. So much so, that one can now buy commercially produced joke packages which allow you to perform “Stupid Mac (or PC) Tricks”. There are countless pranks available as shareware. Some make the computer appear to insult the user, some use sound effects or voices, some use special visual effects. A fairly common thread running through most pranks is that the computer is, in some way, non-functional. Many pretend to have detected some kind of fault in the computer (and some pretend to rectify such faults, of course making things worse). One recent entry in our own field is PARASCAN, the paranoid scanner. It tends to find large numbers of very strange viral programs, none of which, oddly, have ever appeared in the CARO index. Aside from temporary aberrations of heart rate and blood pressure, pranks do no damage.
I would not say the same of trojans. I distinguish between a prank and a trojan on the basis of intent to damage. The Trojan Horse was the gift with betrayal inside; so a trojan horse program is an apparently valuable package with a hidden, and negative, agenda.
Trojans are sometimes also referred to (less so now than in the past) as “arf arf” programs. One of the first was distributed as a program that would enable graphics on early TTL monitors. (That should have been a giveaway: such an operation was impossible.) When run, it presented a message saying “Gotcha. Arf, arf.” while the hard drive was being erased.
Trojan programs are spread almost entirely via public access electronic bulletin boards. Obviously, a damaging program which can be identified is unlikely to be distributed through a medium in which the donor can be identified. There are, as well, BBSes which are definitely hangouts for software pirates, and which act as distribution points for security-breaking tips and utilities. These two factors have led to a confusion of trojan programs, viral programs and “system crackers” which has proven extremely resistant to correction. It has also led to a view of BBSes as distribution points for viral programs. (Recently our local “tabloid” paper’s computer columnist, normally better versed than this, dismissed the availability of antiviral software to combat Michelangelo by saying that no self-respecting company would ever use a BBS.) This in spite of the fact that the most successful viral programs, boot sector infectors, cannot be transmitted over BBS systems, at least not without sophisticated intervention (generally at both ends of the transfer).
The “AIDS” Trojan (not virus)
I’ll conclude the introductory history with the AIDS Information Disk trojan for two reasons: 1) it deserves a place in the history of “malware” in any case, and 2) it was so widely, and incorrectly, reported as a virus.
In the fall of 1989, approximately 10,000 copies of an “AIDS Information” package were sent out from a company calling itself PC Cyborg. Some were received at medical establishments, a number were received at other types of businesses. The packages appeared to have been professionally produced. Accompanying letters usually referred to them as sample or review copies. However, the packages also contained a very interesting “license agreement”:
In case of breach of license, PC Cyborg Corporation reserves the right to use program mechanisms to ensure termination of the use of these programs. These program mechanisms will adversely affect other program applications on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement.
Further in the license is the sentence: “Warning: Do not use these programs unless you are prepared to pay for them”.
The disks contained an installation program and a very simplistic AIDS information “page turner” and risk assessment. The installation program appeared only to copy the AIDS program onto the target hard disk, but in reality did much more. A hidden directory was created with a nonprinting character name, and a hidden program file with a nonprinting character in the name was installed. The AUTOEXEC.BAT file was renamed and replaced with one which called the hidden program, and then the original AUTOEXEC. The hidden program kept track of the number of times the computer was rebooted, and, after a certain number, encrypted the hard disk. The user was then presented with an invoice and a demand to pay the license fee in return for the encryption key. Two major “versions” were found to have been shipped. One, which waited for 90 reboots, was thought to be the “real” attempt; an earlier version which encrypted after one reboot alerted authorities and was thought to be an error on the part of the principals of PC Cyborg.
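The installation pattern just described leaves indicators that can be checked for: directory entries with the hidden attribute or with nonprinting characters in their names, and a startup file that runs such an entry before chaining to the renamed original. The following is an added example, not part of Slade’s history and not the trojan’s own code; the file names, the directory listing and the AUTOEXEC.BAT contents are constructed for illustration (the original names are not given on this page), and the DOS hidden attribute is represented as a boolean flag.

```python
"""Check a DOS-style AUTOEXEC.BAT and a directory listing for the
installation pattern described in the text: hidden entries with
nonprinting characters in their names, and a startup file that invokes
such an entry and then chains to another batch file.

Constructed example; the names below are assumptions, not the real
trojan's file names.
"""
import string

# Printable ASCII minus the whitespace control characters. DOS accepted
# names containing characters outside this set, which made them hard to
# see in a DIR listing.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def has_nonprinting(name: str) -> bool:
    """True if any character of the name is outside printable ASCII."""
    return any(ch not in PRINTABLE for ch in name)


def suspicious_entries(listing):
    """listing: iterable of (name, hidden_flag).
    Returns [(name, [reasons])] for entries that are hidden or carry a
    nonprinting character in the name."""
    findings = []
    for name, hidden in listing:
        reasons = []
        if has_nonprinting(name):
            reasons.append("nonprinting character in name")
        if hidden:
            reasons.append("hidden attribute set")
        if reasons:
            findings.append((name, reasons))
    return findings


def parse_commands(autoexec_text: str):
    """Yield (line_no, command, args) for executable lines, skipping
    blank lines, REM comments and labels."""
    for n, raw in enumerate(autoexec_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("@"):
            line = line[1:].strip()
        if not line or line.startswith(":"):
            continue
        parts = line.split(None, 1)
        cmd = parts[0]
        if cmd.upper() == "REM":
            continue
        yield n, cmd, (parts[1] if len(parts) > 1 else "")


def analyse_autoexec(autoexec_text: str):
    """Returns [(line_no, reason)] for commands that run a path containing
    a nonprinting character, and for CALLs that chain to another batch
    file (the renamed original being run from the replacement)."""
    findings = []
    for n, cmd, args in parse_commands(autoexec_text):
        is_call = cmd.upper() == "CALL"
        target = args.split(None, 1)[0] if (is_call and args) else cmd
        if has_nonprinting(target):
            findings.append((n, "invokes path with nonprinting character: %r" % target))
        elif is_call:
            findings.append((n, "chains to another batch file: %r" % target))
    return findings


# Constructed sample data (assumed names, not the trojan's real ones).
SAMPLE_LISTING = [
    ("AUTOEXEC.BAT", False),   # the replacement startup file
    ("AUTOEXEC.BAK", False),   # constructed: the renamed original
    ("\x01", True),            # constructed: hidden dir with nonprinting name
    ("AIDS.EXE", False),       # the visible "page turner" program
]

SAMPLE_AUTOEXEC = "\r\n".join([
    "@ECHO OFF",
    "REM constructed sample startup file, not the real one",
    "C:\\\x01\\\x02.EXE",     # constructed: hidden program in hidden directory
    "CALL AUTOEXEC.BAK",      # constructed: chain to the renamed original
])


def run_sample():
    """Run both checks over the constructed sample and return the findings."""
    return suspicious_entries(SAMPLE_LISTING), analyse_autoexec(SAMPLE_AUTOEXEC)


if __name__ == "__main__":
    entries, startup = run_sample()
    for name, reasons in entries:
        print("entry %r: %s" % (name, "; ".join(reasons)))
    for n, reason in startup:
        print("AUTOEXEC.BAT line %d: %s" % (n, reason))
```

On the constructed sample the directory check reports the hidden entry with the nonprinting name, and the startup-file check reports line 3 (a path containing nonprinting characters) and line 4 (the chain to the renamed original). A CALL to another batch file is not by itself malicious, which is why the two findings are reported with distinct reasons rather than a single verdict.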
The Panamanian address for PC Cyborg, thought by some to be a fake, turned out to be a real company. Four principals were identified, as well as an American accomplice who seems to have had plans to send 200,000 copies to American firms if the European “test” worked. The trial of the American has just been suspended, as his bizarre behaviour in court is seen as an indication of “diminished responsibility”.
Robert M. Slade’s history is available here with permission of Robert M. Slade. Please do not further use the material without obtaining your own permission to use it.
Robert Slade’s Computer Virus History