Aravinth.S.

Form (computer virus) History


Form was a boot sector virus isolated in Switzerland in the summer of 1990 which became very common worldwide. The origin of Form is widely listed as Switzerland, but this may be an assumption based on its isolation locale.

Form's only notable characteristics are that it infects the DOS boot sector rather than the Master Boot Record (MBR), and the clicking noises associated with some infections. A Form infection can cause severe data damage if the disk layout or operating system differs from what Form assumes, because it overwrites sectors it expects to be unused.

It is notable for arguably being the most common virus in the world for a period during the early 1990s.


Category: Viruses and Spyware
Type:  DOS Boot Sector virus

Summary

This is an unremarkable virus from Switzerland, but it is very common.

Form is able to infect hard disks as well as floppies, and stores the rest of itself, as well as the original boot sector on the last track of the hard disk, or in clusters marked as "bad" on a diskette. It contains the following text: 

    The FORM-Virus sends greetings to everyone who's reading this text.
    FORM doesn't destroy data! Don't panic! Fuckings go to Corinne.

Unlike most other boot sector viruses, Form infects the DOS boot sector on hard drives instead of the Master Boot Record. 

Form can only infect a hard disk when you boot the machine from an infected diskette. At that point Form infects the hard disk's boot sector, and from then on it goes resident in high DOS memory on every boot from the hard disk. Once Form is resident in memory, it infects practically every non-write-protected diskette used in the machine. Form marks the sectors it uses on infected disks as bad.

Form activates on the 18th of any month; on that day it will cause a 'click' from the PC speaker every time a key is pressed. On most machines this activation routine will not be heard, because the routine will fail if a keyboard driver (typically keyb.com) is loaded. 

Form is one of the most widespread viruses in existence.

Note: 

If you have Form on an NTFS partition under Windows NT, you need to repair the boot sector with a separate utility. A free program called BOOTPART can do this easily with this command:

        BOOTPART WINNT BOOT:C:

BOOTPART is available as a free download.

VARIANT: Form.D (also listed as FORM_D)


Cascade Virus History

The Cascade virus was a memory-resident computer virus written in assembler that was widespread in the late 1980s and early 1990s. It infected COM files, and its payload made the characters on the screen fall down and pile up in a heap at the bottom of the screen. It was notable for encrypting its body to avoid detection; infected files could nevertheless be recognised by their size, which grew by 1701 or 1704 bytes. In response, IBM developed its own anti-virus software. Cascade first appeared on MS-DOS systems in the late 1980s.

ALIAS:            BlackJack, Falling Letters
SIZE:             1701 or 1704 bytes
TYPE:             Resident COM-file infector
REPAIR:           Yes

Type:             File virus
Date Discovered:  1987.10.01
Place of Origin:  Switzerland, Germany?
Source Language:  Assembly
Platform:         DOS
File Type(s):     .com
Infection Length: 1,701 or 1,704 bytes

Summary

The Cascade virus was one of the most common viruses during the early 1990s. Nowadays it is almost extinct.

Additional Details

Outside its activation window Cascade often goes unnoticed, because it produces no obvious effects. In the original version the payload was set to "go off" between Oct. 1 and Dec. 31, 1988, shortly after an infected program is run. The effect is actually quite amusing: the characters on the screen fall down and end up in a heap at the bottom.
There is a bug in some versions of the virus. It seems the author intended the virus to infect all computers except genuine IBM machines, which it tries to recognise by the IBM copyright string in the ROM BIOS. The check did not work as planned, and the virus also infects "true" IBM machines.

VARIANT: Cascade-17Y4
This variant, reported to have originated in Yugoslavia, is almost identical to the most common 1704-byte variant. One byte has been changed, probably by a random "mutation" (corruption), and this has introduced a bug in the virus. Another mutated variant is also known; it infects the same file over and over.
VARIANT: YAP
Here two instructions in the decryption routine have been swapped. This does not affect the operation of the virus and seems to have been done to evade detection by one particular scanner.
VARIANT: Jo-Jo
This is basically a patched, non-encrypted variant of the Cascade virus. It is reported to have originated in Barcelona or Israel. It contains a check for the IBM copyright message at address F000:E008, just like Cascade. The virus contains two text strings:

                       Welcome to the JOJO virus.


                       Fuck the system (c) - 1990

VARIANT: Formiche
This variant is much longer than the others, over 6000 bytes. It has not yet been analyzed.
VARIANT: Cascade.1701.K
At the end of August, yet another new variant of the old Cascade virus was found in Oslo, Norway. This new variant was found in two different companies at almost the same time.
All in all, the Cascade family has approximately forty known members. The new virus infects COM files when they are executed. The virus is not markedly different from the original Cascade.

Although the new variant closely resembles the original virus, it clearly differs in one way: it never displays its activation routine, the dropping of letters to the bottom of the screen, and is therefore harder to notice. Otherwise the differences between the original and the new variant are minuscule; the creator of the new virus probably used the original source code, but a different assembler.




Stoned Boot Virus History

Virus:           Boot/Stoned
Name:            Virus:Boot/Stoned
Category:        Malware
Type:            Virus
Platform:        Boot
Created:         1987
Date Discovered: 1988.02.01

Summary

Stoned is a boot sector virus: it lives in the boot sector of floppy disks and in the Master Boot Record of hard disks, goes resident when the machine is booted from an infected disk, and from memory infects every diskette that is subsequently used. It does not infect program or data files.
Additional Details

Virus:Boot/Stoned is a simple virus that seems to have been designed to be harmless. Due to a mistake, however, it did not quite work out that way (see Infection below). Stoned infects the boot sectors of floppy disks. The virus has spawned a large number of variants.

A computer infected with this virus will sometimes display the following message when it starts.

  Your computer is now stoned.

Stoned was one of the most widespread viruses in existence.


Infection

On an infected diskette, the original boot sector is stored at track 0, head 1, sector 3. On a 360K diskette this is the last sector of the root directory, so the stash is harmless unless the root directory holds more than 96 entries, which is rather unlikely. On a 1.2M diskette the same sector lies in the middle of the (larger) root directory, so overwriting it is much more likely to destroy directory entries.
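To see what this does to the directory, here is an added example (my own code, not part of the original page) that computes where track 0, head 1, sector 3 lands on the standard DOS floppy formats. The format table holds the usual BPB values (sectors per FAT, root directory entries, sectors per track, heads); the entry counts are derived from them, not taken from the virus, and the table also covers 720K and 1.44M diskettes, which the text does not mention.

```python
"""
Where Stoned parks the original boot sector and what it clobbers.
Added example for this page: the geometries are the standard DOS floppy
formats (BPB values), the CHS address is the one given for Stoned above,
and the entry counts are derived, not taken from the virus.
"""

# Standard DOS floppy formats: bytes per sector, reserved sectors, FAT copies,
# root directory entries, sectors per FAT, sectors per track, heads.
FLOPPY_FORMATS = {
    "360K":  dict(bps=512, reserved=1, fats=2, root_entries=112, spf=2, spt=9,  heads=2),
    "720K":  dict(bps=512, reserved=1, fats=2, root_entries=112, spf=3, spt=9,  heads=2),
    "1.2M":  dict(bps=512, reserved=1, fats=2, root_entries=224, spf=7, spt=15, heads=2),
    "1.44M": dict(bps=512, reserved=1, fats=2, root_entries=224, spf=9, spt=18, heads=2),
}

# Track 0, head 1, sector 3 in BIOS INT 13h style (sectors count from 1).
STONED_STASH_CHS = (0, 1, 3)
DIR_ENTRY_SIZE = 32


def chs_to_lba(cyl, head, sector, spt, heads):
    """BIOS cylinder/head/sector to a 0-based logical sector number."""
    return (cyl * heads + head) * spt + (sector - 1)


def root_dir_span(fmt):
    """First and last logical sector of the FAT12 root directory."""
    first = fmt["reserved"] + fmt["fats"] * fmt["spf"]
    nsectors = (fmt["root_entries"] * DIR_ENTRY_SIZE + fmt["bps"] - 1) // fmt["bps"]
    return first, first + nsectors - 1


def stash_impact(name):
    """What Stoned overwrites on a diskette of the given format."""
    fmt = FLOPPY_FORMATS[name]
    lba = chs_to_lba(*STONED_STASH_CHS, fmt["spt"], fmt["heads"])
    first, last = root_dir_span(fmt)
    per_sector = fmt["bps"] // DIR_ENTRY_SIZE
    if not first <= lba <= last:
        return {"lba": lba, "in_root_dir": False,
                "is_last_root_sector": False, "entries_before_stash": None}
    return {
        "lba": lba,
        "in_root_dir": True,
        "is_last_root_sector": lba == last,
        # Directory entries that fit before the clobbered sector. Files,
        # subdirectories and the volume label each take one entry (no long
        # file names existed yet), so this is the "safe" number of entries.
        "entries_before_stash": (lba - first) * per_sector,
    }


if __name__ == "__main__":
    for fmt_name in FLOPPY_FORMATS:
        print(fmt_name, stash_impact(fmt_name))
```

For 360K the stash is logical sector 11, the last of the seven root-directory sectors, so only entries 97 to 112 are at risk. For 1.2M it is logical sector 17, the third of fourteen root-directory sectors, so everything from the 33rd directory entry onward is at risk, which is why the damage is much more likely there.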


Variants

There are a large number of Stoned variants, many with no significant differences. The most notable are:

- Bloody!
This variant is one of several politically motivated viruses and contains the message:

 "Bloody! Jun. 4, 1989".

- Swedish Disaster
This virus contains the string "The Swedish Disaster", which may indicate it was written in Sweden.

- Manitoba
Closely related to the original Stoned, Manitoba's main difference is that on floppies it does not store the original boot sector anywhere; it simply overwrites it. Manitoba allocates two kilobytes of memory while resident and corrupts 2.88MB floppies when infecting them. Manitoba has no activation routine. It was probably written at the University of Manitoba.

- NoInt
NoInt was also known as Stoned III. It infects boot sectors on diskettes and Master Boot Records (MBRs) on hard disks. It infects a hard disk only if you boot from an infected diskette. Once the hard disk is infected, the virus is loaded into memory every time the machine is booted from it. From memory it infects every diskette used in the machine unless the diskette is write-protected; a command as simple as DIR A: is enough to infect a diskette.

NoInt tries to prevent other programs from detecting it by returning read errors whenever the sector holding the partition table is accessed. It does nothing else visible and contains no text strings. It may, however, damage directories indirectly. Available base memory decreases by 2 kB.

- Flame
This virus is a standard boot sector infector that will infect the MBR or the boot sector of a floppy. If the computer is booted from an infected floppy, the virus immediately attempts to infect the MBR of the hard disk. 

Once Flame is active in memory, any operation on a non-infected floppy infects it. The virus reserves 1KB of DOS memory. It stores the original boot sector or MBR at cylinder 25, sector 1, head 1 regardless of which medium is infected.

Flame saves the current month when it infects a system. When the month changes, it activates by displaying coloured flames on screen and overwriting the MBR.

- Angelina
This Stoned variant has stealth mechanisms. It was probably written in Poland and contains the following text:

  Greetings for ANGELINA!!!/by Garfield/Zielona Gora

Zielona Gora is a town in Poland. In October 1995, Angelina was found on new Seagate 5850 (850MB) IDE drives which were still factory sealed.


The History and Description of Trojan Horse Virus

First of all, it is useful to state what a Trojan horse is: a program that looks useful or harmless but carries hidden code able to do serious damage to a computer. Unlike a true virus, a Trojan does not replicate itself; it relies on the user to install and run it. A Trojan can get onto a user's machine without being noticed, and once there it typically goes after personal data.

One of the earliest Trojan horses was detected in the 1980s, when several computers were affected. As mentioned, Trojans are usually created to steal useful information such as passwords. They are developed by attackers who, after stealing the data, can use it for various purposes, including blackmail. Early Trojans were simple programs for the systems of their day; later ones targeted Win32 executables, and they have kept evolving, so today they can cause even more harm.

The name comes from a story in Greek mythology about the siege of Troy. The Greeks were unable to conquer the city until they built a huge wooden horse and hid a number of warriors inside it. The horse was presented as a gift from the Greeks, who pretended to have sailed away and given up on conquering the city. When the Trojans pulled the horse inside, the small band of Greeks in it waited until dark and then attacked Troy, destroying it and ending the war. Unlike the wooden original, the software Trojan horse has spread worldwide and is still in everyday use by attackers.

According to some online sources the first Trojan horse was dubbed "pest trap", also known as SpySheriff. That attribution is wrong (SpySheriff is rogue anti-spyware from the mid-2000s, long after the first Trojans), but it is a good illustration of the pattern. It infected about one million PCs worldwide. It did not damage any files; instead it produced a flood of pop-ups, most of them styled as warnings telling the user that some software application had to be installed. Once installed, it was quite difficult to get rid of: if the user tried to delete it, it simply reinstalled itself from hidden files on the computer.

Often Trojans come in packages that at first sight seem harmless, and that is exactly the point: the Trojan must stay unnoticed until it has taken hold and the attacker can remotely control programs on the infected machine. There was a well-publicised case of a professor accused of downloading about 1,000 child pornography images who was released after it was discovered that his computer was infected with a Trojan that had downloaded the pictures. Despite the false accusation, the episode seriously damaged his reputation.

During the 1980s Bulletin Board Systems (BBSs) became popular: computer systems running software that let users dial in over a phone line. BBSs contributed to the fast spread of Trojans, because once logged in, users uploaded and downloaded software and shared data, some of it infected. At that time Trojans were written to target people who traded popular software.

A dangerous Trojan was Vundo, which periodically consumed large amounts of memory and generated pop-ups telling the user that various programs needed to be installed; the software that got installed included further malware. Like SpySheriff it resisted simple removal, and dedicated removal tools were written for it. One important thing to remember: a Trojan horse cannot run unless the user executes the program that carries it. Do not run unknown programs, especially when someone or something is urging you to.


Trojan Horse

TROJAN HORSE IN HISTORY

The term comes from the Greek story of the Trojan War, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. After the Trojans drag the horse inside their city walls, Greek soldiers sneak out of its hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.

TROJAN HORSES

Back to the "modern" Trojan horses. They work much the same way: invisible to the naked eye; hidden inside apparently harmless programs; dependent on some user or operating-system action to activate; and doing something unexpected once they do. This article only conveys a basic principle about how Trojan horse programs are designed.

Trojans are designed to obtain permissions and exploit resources. The goal of a password snatcher is to securely leak login/password pairs to the Trojan author; the goal of a kleptographic attack is to securely leak private keys to the attacker. "Securely" here means the leaked material is readable only by the attacker, so the leak itself does not give the Trojan away.

Nature of Trojan Horses

There is no single "real" definition of a Trojan horse; it depends on the perspective of whoever encounters it. To the (usually black-hat) hacker who planted it, a reboot-monitoring program that tells them whether anyone used their machine is not a Trojan, because they know what it does. To a law-enforcement agent examining that machine it is one, because the agent does not know it is there.

Two less obvious kinds of Trojan deserve a mention. The first is a Trojan that is nothing more than a bug. Do not mistake that for a good thing: a bug planted in the right place can be all its author needs to break into the system later. The second is a mathematical one: the statistical distribution of a random number generator's output is altered so that the generator becomes very sensitive to its input entropy, which quietly weakens anything keyed from it (I will not go into detail here; please search for kleptography if this is unfamiliar).


Trojan Horses in a text editor

An example of a text editor being used as a target for a Trojan horse:

Suppose a multiuser operating system has an installed text editor that users themselves cannot delete or modify. Such a program has certain unique privileges: for instance, it can access every text file that users create or open. This makes it a perfect host for a Trojan horse. Once the Trojan is planted in the editor, it stores the users' data and makes it accessible to the Trojan author.

Salami Slicing
There was once an article describing a Trojan horse attack aimed at money, carried out by an employee of a bank. He collected $70,000 by taking a few cents from every account and transferring the money to his own. The technique is called salami slicing because small slices are taken from a great many accounts, which keeps anyone from noticing a drastic change. The pattern is the same as with the editor: the bank program has access to money, so the Trojan steals money; a text editor has access to documents, so the Trojan steals documents (pretty simple, isn't it?).

Password Snatching
Every black-hat hacker would love to steal login/password pairs. Password-snatching programs are installed once a system has been infiltrated, often as part of a rootkit; the snatcher itself is a keylogger. Early ones were DOS terminate-and-stay-resident (TSR) programs: they hooked the hardware keyboard interrupt, recorded every keystroke and logged it to a file.

A password-snatching Trojan is best hosted in a program that legitimately handles users' passwords, such as the UNIX "passwd" program (or login), which checks login/password pairs. One could append the Trojan to the passwd binary, or modify the program's source code, recompile it and install the compromised version (which requires root access).

However, if the source code of passwd is updated and the administrator compiles a new version, the attack fails. So it makes sense to plant the Trojan in the compiler instead, which raises the chance of success. But if the compiler itself is recompiled from clean source, the code that secretly inserts the Trojan into passwd disappears too.
______________________________________________________________________

There's not much left for me to explain. But one more thing for you to see :

Ken Thompson described an involved Trojan horse attack that gets around this, in "Reflections on Trusting Trust" (1984).

CODE :
compile(char *s)
{
    ...
}


This is a figure of a normal compiler (ANSI C notation) (I did not create this)

The parameter s is a pointer to a string that contains the source code. The idea is to insert a source-level Trojan horse into the compiler's source code that checks for two patterns in the string s.

The first pattern is the source code of the password verification program. When it is found, the password-snatching code is added to the program before it is compiled; the Trojan is never written to the source file of the password program.

The second pattern is the source code of the compiler itself. When it is found, the entire compiler Trojan is compiled into the new compiler. It contains all of the Trojan's source, represented by the "if" statements in the following figure.

CODE :
compile(char *s)
{
    if (match(s, pattern1) == true)
    {
        compile(trojan1);
        return;
    }
    if (match(s, pattern2) == true)
    {
        compile(trojan2);
        return;
    }
    ...
}


Figure of a compiler with Trojan (ANSI C notation)(I did not create this either)

Whenever the compiler is compiled, the Trojan copies itself into the compiled compiler. The attack is bootstrapped by adding the Trojan to the compiler's source once, recompiling, and replacing the old compiler; the Trojan can then be removed from the source again, which removes every trace of it at source level. It survives in binary form, integrated with the compiled instructions.

So Thompson's Trojan horse attack exploits the capabilities of its host. It exploits the fact that compilers are used to create programs such as passwd and the compiler itself, and that passwd has access to login/password pairs, so by transitivity the compiler has access to them too.
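As an added illustration (my own code, not Thompson's and not from the original page), here is the attack re-enacted in Python. The "compiler" is a function that takes source text and returns object code, which is again source text loaded with exec(); login(), the clean compiler, the two patterns and the backdoor password are all constructed for the example. The point to watch is stage 1: the administrator rebuilds the compiler from pristine source, yet the result still carries the Trojan, because the Trojan copies its own text (the quine trick in `_T`) into any compiler it compiles.

```python
"""
Toy re-enactment of Thompson's self-reproducing compiler Trojan.  A "program"
is a string of Python source and "compiling" it returns the object code, which
is again a source string that can be loaded with exec().  No real compiler is
touched; login(), compile(), the patterns and the backdoor are all constructed
for this example.
"""

# Constructed: the password-checking program the Trojan targets.
LOGIN_SOURCE = '''
def login(user, password):
    # hypothetical single-user check
    return user == "alice" and password == "s3cret"
'''

# Constructed: the pristine compiler.  As source it is obviously clean.
CLEAN_COMPILER_SOURCE = '''
def compile(source):
    return source
'''

# The Trojan, kept as a template that quotes itself at @@SELF@@ so that it can
# copy itself into every compiler it compiles (the quine trick).
PAYLOAD_TEMPLATE = r'''
_T = @@SELF@@
def _trojan_compile(source, _orig=compile):
    if "_trojan_compile" in source:        # already infected, do not double up
        return _orig(source)
    if "def compile(" in source:           # pattern 2: a compiler
        return _orig(source) + _T.replace("@@SELF@@", repr(_T), 1)
    if "def login(" in source:             # pattern 1: the login program
        return _orig(source) + (
            "\n_real_login = login\n"
            "def login(user, password):\n"
            "    return password == 'backdoor' or _real_login(user, password)\n"
        )
    return _orig(source)
compile = _trojan_compile
'''


def instantiate_payload():
    """Return the Trojan with its own template quoted inside it."""
    return PAYLOAD_TEMPLATE.replace("@@SELF@@", repr(PAYLOAD_TEMPLATE), 1)


def load(object_code, name):
    """'Run' object code in a fresh namespace and fetch one function from it."""
    ns = {}
    exec(object_code, ns)
    return ns[name]


def demo():
    clean = load(CLEAN_COMPILER_SOURCE, "compile")
    # Stage 0: the attacker builds one infected compiler binary, once.
    infected = load(clean(CLEAN_COMPILER_SOURCE) + instantiate_payload(), "compile")
    # Stage 1: the administrator rebuilds the compiler from pristine source.
    rebuilt_obj = infected(CLEAN_COMPILER_SOURCE)
    rebuilt = load(rebuilt_obj, "compile")
    # Stage 2: login is rebuilt from pristine source with the rebuilt compiler.
    login = load(rebuilt(LOGIN_SOURCE), "login")
    honest_login = load(clean(LOGIN_SOURCE), "login")
    return {
        "sources_mention_no_backdoor": "backdoor" not in CLEAN_COMPILER_SOURCE + LOGIN_SOURCE,
        "rebuilt_compiler_carries_trojan": "_trojan_compile" in rebuilt_obj,
        "backdoor_password_accepted": login("anyone", "backdoor"),
        "real_password_still_works": login("alice", "s3cret"),
        "wrong_password_rejected": not login("alice", "wrong"),
        "honest_toolchain_has_no_backdoor": not honest_login("anyone", "backdoor"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Run it and every check prints True: the sources never mention the backdoor, the rebuilt compiler still contains `_trojan_compile`, and the login built with it accepts the backdoor password while a login built with the honest compiler does not. Thompson's conclusion follows: you cannot trust code you did not totally create yourself, no matter how carefully you read its source.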

Yeah... I believe that this is okay to be an overview of Trojan horses.


World's First PC Virus: Brain

Brain is the oldest known virus on the PC platform and was first detected in 1986. Several variants of the virus are known and most of them are fairly harmless. It runs on IBM PCs and compatibles under PC-DOS or MS-DOS.


Brain is a boot sector virus, infecting the first sector of floppies as they are used in an infected computer. Brain is only a few kilobytes in size; most of it, together with the original boot sector, is stored in sectors that it marks as "bad" in the FAT.

One of the most interesting details regarding the Brain virus is the following text, which appears inside it:

Welcome to the Dungeon
(c) 1986 Basit & Amjad (pvt) Ltd.
BRAIN COMPUTER SERVICES
730 NIZAB BLOCK ALLAMA IQBAL TOWN
LAHORE-PAKISTAN PHONE :430791,443248,280530.
Beware of this VIRUS....
Contact us for vaccination............ $#@%$@!!


There are many variants of the virus with different texts. Here is another version:


Welcome to the Dungeon
(c) 1986 Brain & Amjads (pvt) Ltd.
VIRUS_SHOE RECORD v9.0
Dedicated to the dynamic memories
of millions of virus who are no longer with us today -
Thanks GOODNESS!! BEWARE OF THE er..VIRUS :This program is catching
program follows after these messeges..... $#@%$@!!


Brain was written by two brothers from Lahore, Pakistan:

  • Amjad Farooq Alvi
  • Basit Farooq Alvi

Infection
Before Brain infects a diskette, it looks for a "signature". This makes it possible to "inoculate" against it by placing the signature at the right spot in the boot sector of a clean floppy. Such floppies do not get infected even when inserted into an infected computer.


Stealth
Brain tries to hide from detection by hooking interrupt 13h, the BIOS disk service through which DOS and every other program read the disk. When an attempt is made to read an infected boot sector, Brain returns the original boot sector it saved instead. If you look at the boot sector with DEBUG or a similar program while the virus is active in memory, everything looks normal. In that sense Brain was not only the first PC virus but also the first rootkit.
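The following is an added example (my own code, not the virus's and not from the original page) that models the hook in a few lines of Python: a stand-in for the INT 13h dispatch table, a resident virus that inserts itself in front of the clean read vector, and the cross-view check that exposes it. It also models NoInt's alternative from the Stoned section above, returning a read error instead of a substitute sector. Sector contents, the stash location and the class names are all constructed.

```python
"""
Stealth boot-sector hooking, as Brain (substitute the saved original sector)
and NoInt (fail the read) do it, and the cross-view check that exposes both.
Added example, constructed from the descriptions on this page; not code from
either virus.  A Disk is the raw media, a Bios is the INT 13h dispatch table
that resident code can hook, and sector numbers are logical for simplicity.
"""

SECTOR = 512


class Disk:
    """Raw media: a list of 512-byte sectors addressed by logical sector number."""

    def __init__(self, n_sectors):
        self.sectors = [bytes(SECTOR) for _ in range(n_sectors)]

    def read(self, lba):
        return self.sectors[lba]

    def write(self, lba, data):
        assert len(data) == SECTOR
        self.sectors[lba] = data


class Bios:
    """Stand-in for the INT 13h vector: whatever is installed here services reads."""

    def __init__(self, disk):
        self.disk = disk
        self.read_handler = disk.read  # the clean ROM routine

    def read(self, lba):
        return self.read_handler(lba)


class ResidentBootVirus:
    """TSR-style boot sector infector with one of two stealth styles."""

    STASH_LBA = 11  # constructed: where the original boot sector is parked

    def __init__(self, style):
        assert style in ("brain", "noint")
        self.style = style
        self._chain = None

    def infect(self, disk):
        disk.write(self.STASH_LBA, disk.read(0))              # save the original
        disk.write(0, b"VIRUS-BOOT-CODE".ljust(SECTOR, b"\x90"))

    def go_resident(self, bios):
        self._chain = bios.read_handler     # remember the old vector ...
        bios.read_handler = self._handler   # ... and hook in front of it

    def _handler(self, lba):
        if lba == 0:
            if self.style == "brain":
                return self._chain(self.STASH_LBA)   # show the saved original
            raise IOError("read error")              # NoInt: refuse outright
        return self._chain(lba)


def cross_view_check(bios, disk):
    """Compare the sector seen through INT 13h with the raw media."""
    try:
        via_bios = bios.read(0)
    except IOError:
        return "read error on the boot sector through INT 13h: suspicious"
    if via_bios != disk.read(0):
        return "INT 13h view differs from raw media: stealth hook present"
    return "views agree"


def scenario(style):
    """Infect a constructed diskette, go resident, then look at it both ways."""
    disk = Disk(32)
    disk.write(0, b"ORIGINAL-DOS-BOOT".ljust(SECTOR, b"\x00"))
    bios = Bios(disk)
    virus = ResidentBootVirus(style)
    virus.infect(disk)
    virus.go_resident(bios)
    try:
        naive = bios.read(0)   # what DEBUG sees with the virus resident
    except IOError:
        naive = None
    return {
        "naive_view_looks_clean": naive is not None and naive.startswith(b"ORIGINAL"),
        "naive_read_failed": naive is None,
        "cross_view": cross_view_check(bios, disk),
        # what a scanner sees after booting from clean media: no hook, raw read
        "clean_boot_shows_virus": disk.read(0).startswith(b"VIRUS"),
    }


if __name__ == "__main__":
    for style in ("brain", "noint"):
        print(style, scenario(style))
```

In Brain mode the read through the hooked vector returns the pristine sector while the raw media (what you see after booting from a clean, write-protected diskette) shows the virus code; in NoInt mode the read simply fails. Either way the cross-view comparison flags it, which is why the standard advice was to scan only after a clean boot.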
Activity
The main effect of this fairly harmless virus is a change of the disk label (the "name" of the disk). The volume label is changed to "(c)Brain".
Name: Brain Virus.

Also known as: Ashar, (C)Brain, Clone, Nipper, Pakistani, PakistaniBrain.

Type:  Memory resident stealth boot sector infector.

Affects: PCs

Discovered: January 1986

Description:

The Brain virus is a memory-resident stealth boot sector infector that changes the infected disk's volume label to "(c) brain" or "(c) ashar", depending on the variant.
Although no longer in the wild, Brain is notorious for being the first known PC virus. It infected boot sectors and hooked INT 13h, so that while the virus was resident in memory the boot sector appeared normal.

Mikko Hypponen: interview about the Brain virus
