A Trojan Anniversary

I don't suppose anyone remembers my mentioning this before, or cares much anyway, but the 19th of December marks what I consider to be the 20th official anniversary of my entry into the anti-virus/security field.

Nowadays, viruses (and, in general, worms) have declined in importance and now constitute a fairly small proportion of the totality of current malicious software. By contrast, in 1989 Trojans were an occasional blip, a smaller percentage of the problem than viruses are now.

So you might see Dr. Popp's AIDS Trojan as something of a groundbreaker, given its high profile and the nature of the threat.

A company called PC Cyborg sent out approximately 10,000 copies of a 5.25" diskette. (Remember those? Indeed, do you remember diskettes of any size?) The diskette was supposed to contain "AIDS Information". These came as quite a professional-looking package with an accompanying letter that described it as a sample or review copy, and the disk contained an installation program for a basic AIDS information and assessment package. (I still have one in my office somewhere, but at this point, no 5 1/4" drive to load it into, so I hope I'm remembering all this detail correctly.) ;-)

One of the interesting features of the package, though, was the licence agreement, which stated:

"In case of breach of license, PC Cyborg Corporation reserves the right to use program mechanisms to ensure termination of the use of these programs. These program mechanisms will adversely affect other programs on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement.*

*Warning: do not use these programs unless you are prepared to pay for them."

There was (literally) a sting in this tale. When people ran the installation program, a hidden file was installed onto the target PC which, after a specific number of reboots, encrypted the hard disk, and a message was displayed demanding that the user paid the licence fee in return for the decryption key. One of the people who fell into that trap was a medical researcher in a hospital where I'd been working until a few weeks before, and on 19th December I got a phone call from that department asking for advice on how to deal with it. Fortunately, while I hadn't seen the thing myself, I knew of someone who had already cracked the encryption and produced a fix, and was able to steer them in his direction.

Ransomware, misleading EULAs and attempts to wrap extortion in legal language are, like non-replicating Trojans, all too common nowadays, but this was something of a novelty back then. However, the use of a real Panamanian address made it quite easy to track the principals behind the scheme. Dr. Popp's trial in the UK was suspended because of his bizarre behaviour: it was decided that he was unfit to plead.

You can find more detail in Chapter 12 of "Viruses Revealed", among other sources (including articles in 1989 and 1990 editions of Virus Bulletin and Virus News International). And if you're interested in exactly why I'm so sure of the exact date, you can find out why in an article published in January 2007 in Virus Bulletin  (which also entered the field in 1989) called "From Immunology to Heuristics". Ironically, that article actually predates my entry into full time research in the AV industry by a year: I joined ESET as a Research Author in 2008.

Acknowledgements are due to Jim Bates, Robert Slade and Dr. Alan Solomon, among others, for making available enough background information on the AIDS Trojan to make me look as if I knew what I was talking about, long before I actually did. ;-)

And there is a story here about the further adventures of Dr. Popp: http://blogs.villagevoice.com/runninscared/archives/2009/04/dr_popp_the_fir.php Which is interesting, even if it's not completely accurate in all respects. In particular, while there have been viruses on more than one platform called AIDS, the Cyborg malware was a Trojan, not a virus.

Harley, D.; Slade, R.; Gattiker, U. Viruses Revealed. McGraw-Hill, 2001.

Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:

Author David Harley, ESET

Follow us

Copyright © 2017 ESET, All Rights Reserved.