As promised on Friday when we introduced our series of articles marking Antimalware Day, let’s recall the early days of malicious code, putting the spotlight on the Brain Virus and the Morris Worm.
Discovered in 1986, Brain was the first virus to target IBM PC platforms (and, by extension, the MS-DOS operating system). By using techniques to hide its existence, it was also the first stealth virus. Created by two brothers from Pakistan, Basit Farooq Alvi and Amjad Farooq Alvi, Brain infected the boot sector of a floppy disk.
But why was it written? The Alvi brothers were operating a computer store in the Pakistani city of Lahore when they noticed pirated copies of a computer program they had written being circulated by their customers. This got them thinking about how they could teach their customers a lesson: enter Brain, also known as Pakistani Brain.
As explained in an interview with security expert Mikko Hypponen in 2011, the virus was created solely for addressing illegal copies of their program. In addition to a message warning users that they were running bootleg software, the virus’s code also included the brothers’ names, phone numbers, and their store’s address. According to the brothers, the virus was “not made to destroy any data”. Rather, it was intended to ensure that users whose machines had become infected due to using pirated software could contact them for “vaccination”.
Nevertheless, they never expected that the first phone call would come from the United States, nor that the virus would spread to various parts of the world.
Here’s the interview in full:
The Morris Worm, sometimes also called the Internet Worm, entered the history books as the first computer worm that was distributed over the Internet and that compromised thousands of computers, drawing massive media attention in the process. It was written and unleashed in 1988 by Robert Tappan Morris, a 23-year-old doctoral student at Cornell University and the son of Robert Morris Sr., a famous cryptographer and formerly the chief scientist at the NSA's National Computer Security Center.
Back then, the Internet consisted of approximately 60,000 machines, some 6,000 of which were infected by the worm. After the code was released from a computer at Massachusetts Institute of Technology (MIT) in November 1988, much of the then Internet was paralyzed. This ultimately led to the establishment of the first Computer Emergency Response Team (CERT).
The worm operated by exploiting vulnerabilities in Unix's sendmail, fingerd, and rsh/rexec, while also taking advantage of weak passwords. It comprised 99 lines of code and, of course, had the ability to replicate and propagate itself. It became a dangerous threat due to a flaw in its propagation mechanism, having eventually infected thousands of computers at universities, in government laboratories, as well as in companies.
Besides the damage that it caused, the worm also exposed many security weaknesses, revealing the need for reviewing password protection procedures, among other measures.
According to statements made by Robert Morris back then, the worm was never intended to be malicious or spread so quickly. It is not certain why exactly it was created and launched, although it is often thought that Morris “only” sought to find out how big the Internet was. At any rate, when Morris realized that the worm was spreading so wildly, he asked a friend to send an email to apologize for his creation and to give instructions on how to kill it. Given the chaos that the malware caused, however, his message went unnoticed.
The worm’s creator became the first person to be convicted under the then recent Computer Fraud and Abuse Act. He was sentenced to three years of probation and ordered to pay a $10,050 fine and to perform 400 hours of community service.
Stay tuned for the second installment of our series to celebrate Antimalware Day next Monday. In the meantime, here are a few good reads to keep you busy:
Twenty years before the mouse (White paper by ESET Distinguished Researcher Aryeh Goretsky)