Computer viruses: myths and reality. Sergiy Yaremchuk, "Protecting Your Computer". Antiviruses are not omnipotent

Instead of an introduction

It is hard to say which is more complex: a modern car that covers hundreds of kilometres a year at speed, or the small box that sits under the desk and merrily blinks its multi-coloured lights. To drive a car, a person must undergo training and pass an exam, after which they are issued the coveted licence confirming their knowledge and skills. When buying a personal computer, nobody even thinks to check whether the buyer knows how to handle it. Of course, this concern is explained by the fact that an untrained driver on the road can threaten people's lives, and the best proof of that is a car flying along at speed.

Everything that happens in the virtual world is invisible, so it is hard to understand, let alone fully appreciate, the dangers that may be lurking here. But they exist. Today the news reports intrusions by elusive hackers, virus attacks, theft of banking and personal information and other troubles.

The computer has long ceased to be something marvellous and inaccessible: today it can be found in practically every home. But while the front door has a lock that protects the owners from uninvited guests, the virtual entrance is often not protected at all. Of course, any housewife can cope with a modern computer, but the past few years have shown that for safe work it is not enough to know how to move the mouse.

A report recently published by Microsoft reveals that over 60% of all computers are infected with viruses or are under the control of malicious hackers. Think about this figure: it turns out that every second computer is under someone else's control and poses a danger to others. Some countries already have laws that allow a computer's owner to be taken to court for distributing viruses or spam. The problem, however, is that the owner may not even suspect the "hidden life" of his machine.

The figures published by Microsoft are, most likely, approximate, and the exact number of infected computers can hardly be established. However, the statistics clearly show the urgency of the need: to be able to distinguish a real threat from advertising stunts and hoaxes, and to protect a computer reliably from uninvited guests.

From the publisher

Please send your comments, suggestions and questions to the e-mail address [email protected] (Piter publishing house, computer editorial office).

We will be glad to hear your opinion!

Detailed information about our books is available on the website http://www.piter.com.

Chapter 1
Computer viruses: myths and reality

History of computer viruses

What is a virus?

Types of computer viruses

Virus hoaxes

What kind of beast is the Trojan horse?

Hackers' new approach: rootkits

The spread of malicious programs and hacker technologies

1.1. History of computer viruses

If the creators of the first computers, and of the network protocols, could have looked into the future, there would most likely be fewer problems with information protection today. Initially computers were used for narrow purposes, were expensive and were available only to large states and private companies. Over time a need to exchange information arose, and that is how the first networks appeared. Back then computers were closed systems, handled by serious people in white coats absorbed in their work, and nobody thought about hooliganism and destruction.

Unfortunately, history has lost many of the facts relating to the origins of computer malware, but some have nonetheless reached us. December 1949 is considered the starting point of computer viruses. It was then that, at the University of Illinois, John von Neumann gave a series of lectures, "Theory and Organization of Complicated Automata", which laid the foundation of the theory of self-reproducing automata. That, however, was only theory. The first working virus can be considered the Darwin game (http://www.cs.dartmouth.edu/~doug/darwin.pdf), which appeared in 1961 as a result of the work of Bell Telephone Laboratories employees V. A. Vyssotsky, H. D. McIlroy and R. Morris.

Programs written in assembly language (high-level languages did not yet exist) and called "organisms" were loaded into the computer's memory and fought for resources. They moved around the memory space, trying to destroy the enemy. The process was supervised by a special "referee" program, which set the rules and order of the fight between the rivals. The programmer whose creation captured all of the computer's memory won. It was nothing more than an experiment: the participants were interested in the process itself.

The next step was the self-moving program Creeper, created in the early 1970s by BBN employee Bob Thomas for the RSEXEC subsystem, to demonstrate the possibility of moving programs between computers while they were running. Creeper was not malicious: the previous copy was destroyed, and the virus moved on to the next computer.

At the same time another program appeared, Reaper, which can be considered the first antivirus. Moving around the network, Reaper found running copies of Creeper and terminated them.

1970 saw another significant event. The magazine Venture published a science-fiction story by Gregory Benford containing one of the first descriptions of virus and antivirus programs, Virus and Vaccine. Two years later David Gerrold's science-fiction novel "When HARLIE Was One" described programs that crawled through systems like worms. The term "worm" itself was first used in John Brunner's novel "The Shockwave Rider", published in 1975.

The term "computer virus" goes back to the 1973 science-fiction film Westworld. There the word was used in the sense familiar to us today: "a malicious program that has penetrated a computer system".

Finally, on 20 April 1977, a computer intended for the mass market was released. The conditions for implementing self-reproducing programs became noticeably more favourable.

In the 1980s computers became significantly cheaper and their number grew. Besides, the machines became more productive, and the number of enthusiasts who gained access to them increased.

Not surprisingly, this decade turned out to be rich in events in the computer world. Experiments with self-reproducing programs continued; the Elk Cloner and Virus programs appeared, which are considered the first computer viruses. Whereas previously experimental samples never left the computers on which they were run, the new programs were found "in the wild", on computers outside the laboratory.

Further developments resembled an avalanche. In 1987 the first virus infecting IBM PC computers running MS-DOS appeared: Brain. This virus did nothing particularly harmful: its work amounted to changing the label of 360 KB floppy disks. Brain was written by two Pakistani programmers, the owners of the company Brain Computer Services (hence the virus's name), and contained an advertising message; on its basis less peaceful individuals created others. Also in 1987 Jerusalem (the "Jerusalem virus") appeared, programmed to delete infected files on Friday the 13th. The first versions of this program contained an error, which led to re-infection of already infected files. In later versions the error was corrected.

Although materials devoted to information security had already appeared by then, everything was still regarded as no more than a game, an experiment. Sobering came when this "toy" stopped obeying and behaved like an intelligent organism infecting everything in its path. On 2 November 1988 Cornell University student Robert Morris Jr. launched a program that went down in history under the name of its creator. The Morris worm became the first network worm to spread successfully "in the wild", and one of the first known programs to exploit a vulnerability such as a buffer overflow.

Within a day the pest managed to infect about 6,000 machines. What had happened was shocking in its scale: viruses had roamed the network before, but never had anyone managed to infect every tenth computer. The terminology of system security was revised, and the CERT (Computer Emergency Response Team) institution was created, which began to deal with computer security and issue recommendations on eliminating vulnerabilities.

Computers became ever more accessible. Over the years most platforms and operating systems were unified, and Intel-based computers running operating systems from the up-and-coming Microsoft began to dominate the market. Further events developed rapidly. In 1991 the first polymorphic virus appeared, a virus that changes its own body. The Windows 95 operating system was practically ready and its beta version was sent to 160 testers. All the disks turned out to be infected with the boot virus Form, and only one tester took the trouble to check the disks with an antivirus. The press release dedicated to the release of the new operating system stated that it was fully protected against viruses of all types. A few months later it came with an unexpected "gift": the first macro virus, which was not an executable file but a script infecting Microsoft Word documents. Within a month the Concept macro virus flew around the globe, settled on the computers of Microsoft Word users and paralysed the work of dozens of companies around the world.

Note

Currently about 100 modifications of the Concept virus are known.

In 1996 the first virus for the Windows 95 operating system appeared, Win95.Boza, and the resident virus Win95.Punch, which appeared later, undermined users' trust in Windows 95. The first epidemic of the Win.Tentacle virus, written for Windows 3.0/3.1, broke out, infecting computer networks in several institutions in France. Until then all Windows viruses had been kept in the collections and electronic journals of virus writers, and only boot viruses, macro viruses and viruses written for MS-DOS roamed freely. That same year the Laroux macro virus, written for Microsoft Excel, was caught.

In 1997 new types of viruses appeared, FTP and mIRC viruses; in 1998, the Win95.CIH virus. This virus activated on 26 April (starting from 1999) and destroyed information on the hard disk, overwriting it with garbage. In addition, it overwrote the Flash BIOS if the jumper was in the position that allowed writing, disabling the motherboard.

Note

The epidemic of the Win95.CIH virus, also known as "Chernobyl", which hit computers on 26 April 1999, was the most serious of its time.

The I Love You worm, released in the Philippines in 2000, caused computer owners damage that by some estimates exceeded $10 billion. The next worm, which went down in history as Code Red, managed within 14 hours to infect over 300,000 computers connected to the Internet. After them came others, often the first in their category. For example, Nimda (the word admin read backwards) is a multi-vector worm, spreading in many ways, including through "back doors" left by other worms. MyDoom became known as the fastest e-mail worm ever to spread across the world.

Not all viruses are written in low-level languages such as assembler, which allow a small, optimised virus to be created. The author of the AnnaKournikova worm, which conquered the Internet in February 2001, was a Dutch student who could not program, and wrote it in a language as simple as Basic.

Today the annual losses of commercial organisations from viruses alone are comparable to the budget of a small country, and this sum keeps growing every year. Look at the figures to see the seriousness of the problem. According to Alex Shipp, head of the technology department of MessageLabs (http://www.messagelabs.com/), in 1999 on average one new virus per hour was recorded, by 2000 this figure had already tripled, and in 2004 the interval had shrunk to a few seconds. According to data from I. Danilov's St. Petersburg Anti-Virus Laboratory (SalD Ltd), over 7,000 records were added to the antivirus database in 2007.

The Darwin game goes on...

1.2. What is a virus?

However strange it may sound, a computer virus is a program, usually small in size. The whole difference lies in how it spreads. An ordinary program performs useful work, trying not to disrupt the functioning of the operating system; most often the user installs it himself. With a virus everything is the other way round. Its goal, as conceived by its author, is to disrupt the computer's operation, to delete, corrupt, and sometimes encrypt important information in order to extort a ransom. Viruses spread between computers on the network, multiplying, clogging channels and blocking the work of services.

Attention!

The main feature of any virus is that it multiplies and spreads on its own, without the participation of the user.

The virus multiplies by "attaching" its code to other files or by transferring its body to another computer over the network.

The goal of a virus is to infect the maximum number of computers. Today anyone can write a virus, since there are special constructors that require no special knowledge, including of programming. However, such a virus will not live long (although there are exceptions: recall AnnaKournikova). Implementing algorithms of survival and infection requires a certain effort, and such approaches demand serious knowledge.

To disguise itself, a virus can infect other programs and cause harm to the computer not immediately, but later. It scans the disk for files to infect (such suspicious activity is a sign of a virus) and, while it is in RAM, is able to infect such files. Having performed the necessary actions, the virus passes control to the program in which it resides, and that program works as before.

The virus tries to infect as many files as possible, giving priority to removable media and network resources. Why? It is all very simple: that way it is most likely to get onto another computer. Moreover, if a virus started destroying the computer immediately after getting onto it (it is not stupid, is it?), the user would immediately install an antivirus and clean the infected files. As long as few programs on the computer were infected, the virus's presence could go unnoticed. The system worked normally, no strange messages appeared on the screen, and users rarely noticed anything unusual. But once the infection reached the required level, the pest began its activity.

In the early period of malware creation, joke viruses that interfered with work were popular. Destructive ones were practically not created. For example, such programs demanded a "cookie", or blocked the screen until the required word was typed on the keyboard (sometimes it had to be guessed). I was especially struck by a virus which, when the clock was reset, would not allow Microsoft Word to be launched from 18:00 to 09:00, on the grounds that one should rest outside working hours. There were curious ones too. For example, a virus that displayed the message "Press immediately L+A+M+E+R+F1+Alt". The user pressed, after which a message appeared that the hard disk partition table had been erased and saved in RAM, and that if the user released even one key, he could say goodbye to his information, but if he sat like that for an hour, everything would be fine. After an hour it turned out to be a joke. No need to worry.

The mass spread of personal computers led to the appearance of people who were interested not in the process of creating a virus, but in the result of the malicious program's work. Everything changed: viruses really began to format disks and encrypt important information. Some programs exploited the shortcomings of hardware, for example by forcing the monitor to burn out at a single point (the reliability of devices at that time left much to be desired), or by wrecking hard drives, knocking the heads according to a certain algorithm.

Today there is a clear commercialisation of viruses: data is no longer destroyed but stolen. For example, popular online games have given rise to viruses specialising in stealing account passwords, since the virtual valuables acquired in a game can be sold for real money.

1.3. Types of computer viruses

It is time to get acquainted with the peculiarities of how certain viruses work, so that on hearing about the start of a virus epidemic we do not rush to pull out the cable leading to the modem.

Nobody has yet come up with an exact classification of viruses and other malicious programs. A virus often cannot be placed in a single category. Besides, antivirus companies introduce their own terminology and designate the same new virus in different ways. However, by certain common features malicious programs can be divided into groups.

Habitat. The first classification is based on the environment in which the virus "lives".

The first viruses, popular before the mass spread of the Internet, were file viruses. They can be called traditional. Today there are programs that infect all types of executable files in any operating system. For example, in Windows the objects of infection are files with the EXE, COM and MSI extensions, drivers (SYS), batch files (BAT) and dynamic link libraries (DLL). You learned about the infection mechanism of such viruses and how they spread in the previous section.

Boot viruses were also among the first to appear. As the name suggests, such viruses infect not files but the boot sectors of floppy disks and hard drives.

With the mass spread of the Internet, network viruses appeared. According to antivirus companies, the various kinds of network worms represent the main threat today. Their main feature is working with various network protocols and using the capabilities of global and local networks, which allows them to transfer their code to a remote system.

A classic example of a network virus is the Morris worm, discussed in Section 1.1.

The most widespread network worms are those that use e-mail, Internet pagers, local and file-sharing (P2P) networks, IRC networks, and data-exchange networks between mobile devices. Some worms, such as W32.Slammer, or Sapphire, which exploited a vulnerability in Microsoft SQL Server 2000, may leave no trace on the hard disk at all, residing only in RAM. Since they spread actively and run on infected computers without touching files, such viruses are very dangerous. They reside in system memory and are transferred to other computers in the form of data packets. At first antivirus programs were not able to cope with such "bodiless" pests at all.

Attention!

Network and mail viruses are the most dangerous, since they can infect a large number of systems in a short time.

Today's most popular network viruses, which spread around the world via e-mail, are often placed in a separate category: mail worms. Thus, three of the four largest epidemics in 2005 were caused by mail worms. Such viruses most often spread by e-mail: they send themselves, as attachments, to the addresses found in the address book. For sending, the capabilities of the operating system or a small built-in mail server may be used (the only function of such a server is to send out messages).

For example, the Melissa worm, after activation, sent itself only to the first 50 addresses, whereas I Love You used all the entries in the mail program's address book, which ensured its high speed of spread. Another type of worm is the KakWorm script, which, after the infected message is read, does not send itself at all but attaches itself to every message the user sends. In this case, on the new computer the unwanted addition is either launched automatically, using a vulnerability in the mail program, or in one way or another persuades the user to launch it. An infected message can come from a familiar address, and then trust has to be paid for. There is also cunning. For example, the AnnaKournikova virus offered to admire a photo of the famous tennis player Anna Kournikova: curiosity often won over caution, and users launched the attachment before they had even finished reading the message.

Tip

Be careful with messages received from unknown people. Open files attached to such messages only after checking them with an antivirus.

Viruses of a mixed type, mail-network, are very common. In this case they are simply called network viruses. A striking example is the worm Mytob.c, which in the spring of 2005 spread both as an attachment to e-mail messages and by exploiting a vulnerability in the LSASS service of Microsoft Windows.

Worms are the most dangerous type of viruses. They spread even without infecting files, disks or RAM. A properly written worm can paralyse the Internet, either by overloading channels or by infecting servers. For example, Slammer hit almost a quarter of the Internet. The cause was the negligence of the vendor company, and information about the vulnerability used by Slammer's author had been known well before the attack. It is worth noting that more than once worms have successfully exploited vulnerabilities in Microsoft Internet Explorer, which allowed any file arriving in an e-mail message to be launched without the user's participation.

Macro viruses are programs written in macro languages: sequences of commands built into various data-processing systems, such as text editors and spreadsheets. The macro capabilities of such systems allow the virus to transfer its code to other files, infecting them. Macro viruses for Microsoft Word and Excel are the most widespread. Such a virus is activated when an infected document is opened and settles on the computer, usually by infecting the Normal template (the file Normal.dot). Any document saved afterwards becomes infected with the virus, and if other users open it, their computers are infected too. There are also macro viruses that infect Microsoft Access databases.

Traditional and macro viruses have practically died out today, since they spread far more slowly than network viruses, and antivirus companies have enough time to create a vaccine against such pests. However, this does not at all mean that the threat has passed and such viruses should not be taken seriously.

By operating algorithm. For example, there are resident and non-resident viruses.

A resident virus, when infecting a computer, leaves its resident part in RAM, which then intercepts the operating system's calls to objects suitable for infection. This is the most widespread type of virus: they are active not only while the infected program is running but, most importantly, also after it has been closed. Resident viruses remain in the computer's memory permanently and become inactive only when it is switched off or restarted.

Non-resident viruses do not infect the computer's memory and remain active for a limited time, although there are exceptions. However, non-resident viruses are practically not found today, as they multiply too slowly. One might say they did not survive the competition with their more active brethren.

Note

I would like to dwell once more on the concepts of "resident" and "file virus". Several times I have had to stop a panic that arose when it turned out that a file brought on a floppy disk was infected with a virus. Despite the fact that some viruses can quietly multiply without the participation of the computer's user, file, boot and macro viruses (resident and non-resident) cannot spread without human help. For such a virus to start working, it must be activated. While it simply lies on a floppy or hard disk it does nothing, and as long as the user does not run it himself, a non-resident virus will cause no harm.

Dozens of viruses of this type are kept in my folder for checking and testing antivirus programs, and in all these years it has not occurred to any of them to activate on its own. So a floppy disk with an infected file is not a reason to panic: assess the situation and make the right decision, either delete the potentially dangerous file or try to cure it with an antivirus.

The first antivirus programs found a virus quickly by its unique signature. To make such searching harder, malware writers began to encrypt the bodies of viruses. As a result, viruses called polymorphic appeared.

The literature often mentions stealth viruses (stealth = invisible), which were widespread in the days of MS-DOS. They use special techniques to hide their presence in the system. Without appropriate tools it is practically impossible to detect the presence of such viruses.

Today viruses use rootkit technologies to mask their presence in the system (they will be discussed later). Viruses can also be distinguished by the following criteria:

operating system type (Windows, Unix, Linux, MS-DOS, Java);

destructive capability (harmless, those that merely interfere with work, very dangerous);

language in which the virus is written (assembler, scripting languages, etc.).

Viruses can also be packed with various packers, which turn known code into practically unknown code.

Every virus has a name. You hear it when you hear about the next epidemic. Where do they come from? Having discovered a new virus, antivirus companies give it a name according to the classification adopted by each particular company, and each company has its own classification. Judge for yourself: for example, Worm.Win32.Nuf is the same as Net-Worm.Win32.Mytob.c. Often the name is given by certain external features:

the place where the virus was first detected (Jerusalem);

the method of luring the user (AnnaKournikova);

effect (Black Friday).

It happens that a virus changes its name several times. Take, for example, the "Jerusalem virus" mentioned above. It was first named after the place of discovery, Israeli; then it was decided that this name was too anti-Semitic, and it was replaced with "1813" (after the size of the virus); at that time other names were also in use, such as IDF (Israeli Defense Forces); and some time later the virus was named Jerusalem.

By the way

The smallest virus in size is Repus (Win95.c): only 156 bytes (there are, however, larger modifications, up to 256 bytes). To reduce the size of this virus, various programming tricks were used; nevertheless the code has no errors, and all infected programs run without problems. Repus (Win95.c) has both resident and non-resident representatives. Despite its small size, Repus became the first virus to use the Windows cache memory to multiply. It looks for file headers in cache blocks, writes itself into them, and sets the "dirty" attribute for the blocks, which tells the system to save them to disk. This technique lets the non-resident variant spread without being resident in memory.

One of the most interesting is the I-Worm.Hybris (Vecna) virus, which in 2002 was assigned the fourth category of danger. It spreads everywhere via e-mail. First this virus infects the system file wsock32.dll, gaining access to all Internet traffic, and then sends itself to the mail addresses collected in this way. It is notable that this virus can update itself over the Internet, downloading from the alt.comp.virus newsgroup plug-ins that give it new capabilities.

The number of signatures in the antivirus databases of many antivirus vendors has already passed the 400,000 mark and keeps growing.

3. Who writes viruses, and why?

4. History of computer viruses: from antiquity to the present day

4.1. A little archaeology

4.2. The beginning of the road

4.5. Beyond DOS

4.6. The macro virus epidemic

4.7. Chronology of events

5. Classification of computer viruses

6. Prospects: what will happen tomorrow and the day after tomorrow

6.1. What will happen tomorrow?

6.2. What will happen the day after tomorrow?

Introduction

Computer viruses. What are they, and how do we fight them? Dozens of books and hundreds of articles have been written on the subject; hundreds (or even thousands) of specialists in dozens (or maybe hundreds) of companies fight computer viruses professionally. One might think the topic is neither complex nor pressing enough to deserve such close attention. But that is not so. Computer viruses were and remain one of the most common causes of information loss. Cases are known in which viruses blocked the work of organizations and enterprises. Moreover, a case has been recorded in which a computer virus caused a person's death: in one of the hospitals in the Netherlands a patient received a lethal dose of morphine because the computer was infected with a virus and was displaying incorrect information.

Despite the enormous efforts of the anti-virus firms competing with each other, the losses caused by computer viruses do not fall and reach astronomical sums of hundreds of millions of dollars. These estimates are clearly understated, since only a fraction of such incidents ever become known.

It should also be kept in mind that anti-virus programs give no full guarantee of protection against viruses. Things are about as bad on the other side of the "man-computer" tandem. Both users and professional programmers often lack even the basics of "self-defence", and their ideas about viruses are sometimes so superficial that it would be better if they (the ideas) did not exist at all.

Things are somewhat better in the West, where there is more literature (as many as three monthly journals are devoted to viruses and protection against them), fewer viruses (since pirated Chinese CDs do not really reach the market there), and the anti-virus companies are more active (holding, for example, special conferences and seminars for specialists and users).

Here, unfortunately, things are not quite like that. And one of the least "covered" areas is literature devoted to the problems of fighting viruses. Today the anti-virus books on store shelves are either long outdated, or written by non-professionals, or by authors like Khizhnyak, which is far worse.

Another rather unpleasant point is that the Russian computer "underground" is ahead: in just two years more than a dozen electronic issues of the virus writers' magazine "Infected Voice" have been published, and a number of BBS stations and WWW pages oriented towards the distribution of viruses and related information have appeared.

All this served as the impetus for gathering together all the material that had accumulated over the years of professional work with computer viruses, their analysis, and the development of methods for detecting and removing them.

I ought to just stop here, but it is happening right now. I wonder what will come of it!

Lewis Carroll, "Alice in Wonderland"

1. The phenomenon of computer viruses

The 20th century is undoubtedly one of the turning points in the life of mankind. As one science fiction writer put it, "humanity rushed forward like a maddened horse", and, having recognized itself as a technocratic civilization, our fathers, our grandfathers and we ourselves threw all our strength into the development of technology in all its guises: from medical devices to spacecraft, from farm combines to nuclear power plants, from transport to communication systems. The list is endless, since it is extremely hard to name a sphere of human activity untouched by the development of technology. What caused such large-scale and rapid development (the military confrontation of political systems, the evolutionary "growing wiser" of man, or his pathological laziness: invent the wheel so as not to carry the mammoth on your shoulders) is still unclear. Let us leave that riddle to the historians of the next century.

Humanity has been captured by technology and is hardly likely to give up the conveniences it provides (few would agree to exchange a modern car for a horse and cart). Very many people have completely forgotten ordinary mail with its envelopes and postmen; it has been replaced by electronic mail with its stunning delivery speed (a few minutes, regardless of distance) and very high reliability. I cannot imagine existence without a computer, which can greatly raise productivity and deliver every kind of information (on the principle "go there, I don't know where, find that, I don't know what"). We are no longer surprised by a mobile phone on the street; I myself got used to one in a single day.

The 20th century is also one of the most contradictory, having brought the history of mankind many paradoxes, the main one of which, in my view, is man's attitude to nature. Having stopped living in friendship with nature, having conquered it and proved to himself that he can easily destroy it, man suddenly realized that he would perish too, and the roles in the drama "Man and Nature" were reversed. Before, man protected himself from nature; now he increasingly protects nature from himself. Another phenomenon of the 20th century is man's attitude to religion. Having become a technocrat, man did not stop believing in God (or His analogues). Moreover, other religions appeared and grew stronger.

The main technical phenomena of the 20th century, in my view, are man's arrival in space, the harnessing of atomic energy, the grand progress of communication and information transfer systems, and, of course, the stunning development of micro- and macro-computers. And as soon as the phenomenon of computers is mentioned, another phenomenon of the end of our century immediately appears: the phenomenon of computer viruses.

It may strike many as funny or frivolous that the emergence of computer viruses is placed on a par with the exploration of space and the atomic nucleus and the development of electronics. Perhaps I am wrong in my reasoning, but give me the chance to explain.

First, computer viruses are a serious and quite noticeable problem whose emergence nobody expected. Even the all-seeing science fiction futurologists of the past say nothing about it (as far as I know). In their numerous works they predicted, with varying accuracy, practically all the technical achievements of today (recall, for example, Wells with his idea of flying to the Moon from a cannon, and his Martians armed with something like a laser). As for computing machines, that theme has been chewed over endlessly, yet there is not a single prophecy about computer viruses. The theme of viruses appeared in writers' works only after the first real virus had infected its first computer.

Second, computer viruses are the first, and fairly successful, attempt to create life. A successful attempt, but one cannot say a useful one: today's computer "microorganisms" most of all resemble insect pests, bringing nothing but problems and trouble.

But still, life, since computer viruses possess all the attributes of the living: the capacity to reproduce, to adapt to the environment, to move, and so on (of course, only within computers, just as all of the above holds for biological viruses within the cells of an organism). Moreover, there are "two-sexed" viruses (see the RMNS virus), and an example of "multicellularity" could be, say, macro viruses made up of several independent macros.

And third, the theme of viruses stands somewhat apart from all the other tasks solved with the help of a computer (let us forget such specific tasks as breaking copy protection and cryptography). Practically all the problems solved with computing technology are a continuation of man's purposeful struggle with the nature around him. Nature sets man a long non-linear differential equation in three-dimensional space, and man stuffs a computer with processors and memory, hangs it with wires, smokes a lot and in the end solves the equation (or remains confident that he has solved it). Nature gives man a piece of wire with quite definite characteristics, and man devises algorithms for pushing as much information as possible through that wire, struggles with noise, squeezes bytes into bits and patiently waits for superconductivity at room temperature. Nature (in the person of IBM) gives man yet another constraint in the form of yet another version of the IBM PC, and man does not sleep at night, again smokes a lot, optimizing the code of yet another database to fit it into the RAM and disk resources he has been given. And so on.

The fight against computer viruses, however, is a fight of man against the human mind itself (in a certain sense also a manifestation of natural forces, although there is more than one opinion on that). This struggle is a struggle of minds, since the problems facing virologists are set by the same kind of people. They think up a new virus, and we have to deal with it. Then they think up a virus that is very hard to work out, but we work it out. And right now somewhere a fellow no more stupid than me is surely sitting at a computer, sweating over the next monster, which I will have to spend a whole week working out and then another week debugging the anti-virus algorithm. Incidentally, why is that not the evolution of living organisms?

So, the appearance of computer viruses is one of the most interesting moments in the history of the technical progress of the 20th century, and the moment has come to finish with philosophical reasoning and move on to specific questions. And the question of defining the concept of a "computer virus" will come first.

On a hill there stands a floppy disk,

and there's a little hole in its sleeve,

and through that little hole

the viruses crawl in.

(Folk creativity)

2. What is a computer virus?

What a computer virus is can be explained in different ways. The simplest is the everyday explanation for a housewife who has never in her life seen a computer, but knows that It exists and that viruses live in It. Such an explanation is given fairly easily, which cannot be said of an explanation for someone familiar with programming at least to the extent of a school course. It is not yet possible to give a precise definition of a computer virus and draw a clear line between programs on the "virus / non-virus" principle.

2.1. Explanation for a housewife

The explanation will use the example of a clerk who works in an office exclusively with papers. The idea of such an explanation belongs to D.N. Lozinsky, one of the best-known "doctors".

Imagine a tidy clerk who comes to work at his office and every day finds on his desk a pile of sheets of paper with the list of tasks he must perform during the working day. The clerk takes the top sheet, reads the management's instructions, carries them out punctually, throws the "used" sheet into the waste bin and moves on to the next sheet. Suppose that some malicious person secretly sneaks into the office and slips into the pile a sheet on which is written:

"Copy this sheet twice and put the copies into your neighbours' task piles"

What will the clerk do? He will copy the sheet twice, put the copies on his neighbours' desks, destroy the original and move on to the second sheet in the pile, i.e. continue his real work. What will the neighbours, being just as tidy clerks, do on finding the new task? The same as the first: copy it twice and hand it out to other clerks. So the office now has several copies of the original document, which will go on being copied and passed to other desks.

A computer virus works in roughly the same way, only the piles of instruction sheets are programs and the clerk is the computer. Just like the clerk, the computer carefully executes all the commands of a program (the task sheets), starting from the first. If the first command reads "copy me into two other programs", the computer will do just that, and the virus command lands in two other programs. When the computer moves on to executing the other "infected" programs, the virus will in the same way spread further and further through the whole computer.

In the example of the clerk and his office, the virus sheet does not check whether the next task folder is already infected. In that case, by the end of the working day the office will be buried under such copies, and the clerks will do nothing but copy the same text and hand it to their neighbours: the first clerk makes two copies, the next victims of the virus already four, then 8, 16, 32, 64 and so on, i.e. the number of copies doubles each time.

If a clerk spends 30 seconds copying one sheet and another 30 seconds handing out the copies, then within an hour more than 1,000,000,000,000,000,000 copies of the virus will be "wandering" around the office! Most likely, of course, the paper will run out, and the spread of the virus will be stopped for that banal reason.

Funny as it is (although the participants in the incident did not find it funny at all), exactly such a case happened in 1988 in America: several global data networks turned out to be overflowing with copies of a network virus (the Morris worm) that sent itself from computer to computer. So the "correct" viruses do it like this:

"Copy this sheet twice and put the copies into your neighbours' task piles, if they do not already have this sheet"

The problem is solved: there is no "overpopulation", but each pile contains a copy of the virus, and the clerks still manage to cope with their ordinary work.

"But what about destroying data?" the erudite housewife will ask. Very simple: it is enough to add to the sheet something like this:

"1. Copy this sheet twice and put the copies into your neighbours' task piles, if they do not already have this sheet.

2. Look at the calendar: if today is a Friday that falls on the 13th, throw all the documents into the waste basket."

This is roughly what the well-known "Jerusalem" virus (also called "Time") does.

By the way, the clerk example shows very well why in most cases it is impossible to determine exactly where a virus on a computer came from. All the clerks have identical (up to the handwriting) COPIES, but the original, in the culprit's handwriting, has long since gone into the bin!
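The office model above as a small simulation, added here as an illustration (this is not code from the original text or its author): clerks sit in a ring of constructed size, the naive sheet is compared with the one that first checks the neighbour's pile, and the story's doubling arithmetic is worked through. The office layout, sheet texts and sizes are constructed assumptions.

```python
"""Toy model of D. N. Lozinsky's 'office of clerks' explanation of a virus.

Every clerk has a pile of task sheets. A round is long enough for each
clerk to work through every sheet on his desk. Processing the virus sheet
means: put a copy on each neighbour's pile, then bin the original.
Constructed example, not part of the original text.
"""

VIRUS = "copy this sheet and put a copy on each neighbour's pile"
TASK = "file the report"  # an ordinary task, done and then binned


def run_office(n_clerks, rounds, check_neighbour_pile=False):
    """Return, per round, how many virus sheets are lying in the office.

    Clerks sit in a ring: clerk i has neighbours i-1 and i+1.
    With check_neighbour_pile=True the instruction reads '... unless such a
    sheet is already on that pile' (the corrected sheet from the story).
    """
    piles = [[TASK] for _ in range(n_clerks)]
    piles[0].append(VIRUS)        # the intruder slips one sheet onto one desk
    history = []
    for _ in range(rounds):
        # Phase 1: every clerk lifts his whole pile off the desk at once, so
        # copies placed during this round are only seen in the next round.
        work = piles
        piles = [[] for _ in range(n_clerks)]
        # Phase 2: each clerk works through his sheets in order.
        for i, sheets in enumerate(work):
            for sheet in sheets:
                if sheet != VIRUS:
                    continue      # ordinary task: carried out and binned
                for j in ((i - 1) % n_clerks, (i + 1) % n_clerks):
                    if check_neighbour_pile and VIRUS in piles[j]:
                        continue  # neighbour already has this sheet
                    piles[j].append(VIRUS)
                # the original sheet goes into the bin (it is not re-added)
        history.append(sum(p.count(VIRUS) for p in piles))
    return history


def copies_after(seconds, seconds_per_cycle=60):
    """Upper bound on copies if every cycle (30 s copying + 30 s handing out)
    doubles the number of sheets, as in the story's arithmetic."""
    return 2 ** (seconds // seconds_per_cycle)


if __name__ == "__main__":
    # Naive sheet: the count doubles every round -> [2, 4, 8, 16, 32, 64]
    print(run_office(8, 6))
    # Corrected sheet: no 'overpopulation', copies bounded by the office size
    print(run_office(8, 6, check_neighbour_pile=True))   # [2, 3, 4, 4, 4, 4]
    # One cycle per minute: more than 10**18 copies within an hour
    print(copies_after(3600))                            # 2**60
```

With the corrected sheet the virus never fills the office, but a copy keeps circulating on the desks; that is the "problem solved, yet the virus is still there" outcome the story describes.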

That is the simple explanation of how a virus works. In addition I would like to state two axioms which, strangely enough, are not obvious to everyone:

First, viruses do not arise by themselves: they are created by wicked and nasty hacker-programmers and then sent out over data networks or slipped onto acquaintances' computers. A virus cannot appear on your computer by itself: either it was slipped in on floppies or even on a CD, or you yourself accidentally downloaded it from a data network, or the virus has lived in your computer from the very beginning, or (worst of all) a hacker-programmer lives in your home.

Second: computer viruses infect only the computer and nothing else, so there is no need to be afraid: they are not transmitted through the keyboard.

2.2. Attempts to give a "normal" definition

The first studies of self-replicating artificial constructs were carried out in the middle of this century. In the works of von Neumann, Wiener and other authors a definition was given and a mathematical analysis was made of finite automata, including self-reproducing ones. The term "computer virus" appeared later: it is officially considered that it was first used by F. Cohen of Lehigh University (USA) in 1984 at the 7th conference on information security, held in the USA. Since then a good deal of time has passed, the severity of the virus problem has grown many times over, yet a strict definition of what a computer virus is has still not been given, even though attempts to give such a definition have been made more than once.

The main difficulty that arises in trying to give a strict definition of a virus is that practically all the distinguishing traits of a virus (embedding itself in other objects, stealth, potential danger, and so on) are either also present in other programs which are in no way viruses, or there exist viruses that lack those traits (except for the ability to spread).

For example, if stealth is taken as the distinguishing trait of a virus, it is easy to give an example of a virus that does not hide its spreading. Such a virus, before infecting any file, displays a message saying that there is a virus on the computer and that it is ready to infect the next file, then displays the name of that file and asks the user's permission to insert the virus into it.

If the ability to destroy programs and data on disks is cited as the distinguishing trait of a virus, then as a counter-example to that trait one can cite dozens of completely harmless viruses which, apart from spreading, do nothing else at all.

The main feature of computer viruses, the ability to embed themselves spontaneously in various objects of the operating system, is shared by many programs that are not viruses. For example, the most widespread operating system, MS-DOS, has everything it needs to install itself spontaneously on non-DOS disks. For that it is enough to write, on a boot floppy containing DOS, an AUTOEXEC.BAT file of the following form:

DOS modified in this way will itself become a genuine virus from the point of view of practically every existing definition of a computer virus.

Thus the first reason that a virus cannot be defined precisely is the impossibility of clearly singling out distinguishing traits that would apply only to viruses.

The second difficulty that arises in formulating a definition of a computer virus is that such a definition must be tied to the specific operating system in which the virus spreads. For example, operating systems in which the presence of a virus is simply impossible can exist in theory. An example could be a system in which it is forbidden to create and change areas of executable code, i.e. forbidden to change objects that are either already being executed or may be executed by the system under some conditions.

Therefore it seems possible to formulate only a mandatory condition for some sequence of executable code to be a virus.

THE MANDATORY (NECESSARY) PROPERTY OF A COMPUTER VIRUS is the ability to create its own duplicates (not necessarily identical to the original) and to embed them into computer networks and/or files, system areas of the computer and other executable objects. The duplicates retain the ability to spread further.

It should be noted that this condition is not sufficient (i.e. not conclusive), since the MS-DOS example given above satisfies this property but is, most likely, not a virus.

That is why there is still no exact definition of a virus, and one is unlikely to appear in the foreseeable future. Consequently, there is no precisely defined law by which "good" files can be told apart from "viruses". Moreover, sometimes it is quite hard to determine even for a specific file whether it is a virus or not.

Here are two examples: the KOH virus and the ALREADY.COM program.

Example 1. Is it a virus? A utility? It is called KOH. This program encrypts/decrypts disks, and only at the user's request. It comes as a boot floppy: the boot sector contains the KOH bootstrap loader, and the main KOH code lies in other sectors. When booted from the floppy, KOH asks the user something like: "May I install myself on the hard disk?" (if it is already on the hard disk, it asks the same about the floppy). On a "yes", KOH transfers itself from disk to disk.

As a result, KOH transfers (copies) itself from floppy to hard disk and from hard disk to floppy, and only with the permission of the computer's owner.

Then KOH displays text about its hot-keys ("hot" keys), with which it encrypts/decrypts disks: it asks for a password, reads sectors, encrypts them and makes them inaccessible to anyone who does not know the password. It also has, by the way, an uninstall key, on which it removes itself from the disk (having first decrypted, naturally, everything that was encrypted).

So, KOH is a kind of utility for protecting information from unauthorized access. One feature, it is true, has been added to it: this utility can copy itself from disk to disk (with the user's permission). Is that a virus? Yes or no? Most likely, no...

And all would be fine, and nobody would call this utility named KOH a virus, if not for one fact: the bootstrap loader of this KOH matches practically 100% the rather "popular" virus "Havoc" ("StealthBoot")... "And that's it: it's in the bag." A virus! And it even has an official name: "StealthBoot.KOH".

Example 2. There is a program, ALREADY.COM, which copies itself into different subdirectories on the disk depending on the system date. A virus? Of course it is: a typical worm that spreads itself over disks (network ones included). Yes, yes, yes!

"You played, but you did not guess a single letter!" It is not a virus, as it turned out, but a component of some software package. However, if this file is pulled out of that package, it behaves like a typical virus.

So we have two live examples at once:

1. non-virus – virus

2. virus – non-virus

An attentive reader who does not mind arguing may object:

Stop. The name "virus" for programs came from biology precisely because of the feature of self-reproduction. KOH meets this condition; therefore it is a virus (or a complex that includes a viral component).

In that case DOS is a virus (or a complex including a viral component), since it has the SYS and COPY commands. And if the AUTOEXEC.BAT file shown a few paragraphs above is present on the disk, then reproduction does not even require a human hand. Plus: if we take the ability to self-replicate as the necessary and sufficient sign of a virus, then any program that has an installer is a virus. In sum: the argument does not hold.

Then, if by a virus we mean not merely "self-replicating code" but "self-replicating code that performs no useful actions, or even does harm, without involving/informing the user"...

The KOH virus is a program that encrypts disks with a password entered by the user. KOH comments on all its actions on the screen and asks the user's permission. Plus it has an uninstaller: it decrypts the disks and removes its code from them. And all the same, it is a virus!

If in the case of ALREADY.COM we bring in subjective criteria (useful/not useful, part of a package/standalone, and so on), then perhaps it should not be called a virus/worm. But should we bring in these subjective criteria at all?

And what objective criteria could there be for a virus? Self-replication, stealth and destructive properties? But for each objective criterion two counter-examples can be given: a) an example of a virus that does not meet the criterion, and b) an example of a non-virus that does:

Self-replication:

1. Intended viruses, which are unable to replicate because of a large number of bugs, or replicate only under very limited conditions.

2. MS-DOS and variations on the SYS+COPY theme.

Stealth:

1. The viruses "KOH", "VirDem", "Macro.Word.Polite" and some others inform the user of their presence and replication.

2. Roughly how many drivers (to the nearest ten) are installed under a standard Windows95? Most of them sit there unseen.

Destructive properties:

1. Harmless viruses such as "Yankee", which lives perfectly well under DOS, Windows 3.x, Win95 and NT and spoils nothing.

2. Old versions of Norton Disk Doctor on a disk with long file names. Running NDD in this case turns Disk Doctor into Disk Destroyer.

Therefore the topic of a "normal" definition of a computer virus remains open. There are only a few precise landmarks: for example, the COMMAND.COM file is not a virus, while the notorious program with the text "Dis is one half" is a hundred-percent virus ("OneHalf"). Everything that lies between them may turn out to be a virus, or may not.

Don't fuss, Shura, you haven't yet sat on the right side.

from Zhvanetsky

3. Who writes viruses, and why?

I myself have never been involved in writing viruses, I rarely deal with their authors, and so my reflections on this matter may turn out to be purely theoretical.

So who writes viruses? In my opinion, the bulk of them are created by students and schoolchildren who have just learned assembly language, want to try their strength, but cannot find a worthier use for it. The encouraging fact is that a significant portion of such viruses are often not distributed by their authors, and after a while the viruses "die" together with the floppy disks on which they are stored. Such viruses are most likely written only for self-affirmation.

The second group also consists of young people (usually students) who have not yet fully mastered the art of programming, but have already decided to devote themselves to writing and distributing viruses. The only reason that drives such people to write viruses is an inferiority complex that shows itself as computer hooliganism.

From the pen of such "craftsmen" come either numerous modifications of "classical" viruses, or extremely primitive viruses with a large number of bugs (I call such viruses "student viruses"). The life of such virus writers became much easier after the release of virus construction kits, with whose help new viruses can be created with minimal knowledge of the operating system and assembler, or even with none at all. Their life became easier still after the appearance of macro viruses, since instead of the complicated Assembler language, writing a macro virus requires only fairly simple BASIC.

Having grown older and more experienced, but still not grown up, many of these virus writers end up in the third, most dangerous group, which creates and releases "professional" viruses into the world. These very carefully thought-out and debugged programs are created by professional, often very talented programmers. Such viruses often use quite original algorithms and undocumented, little-known ways of penetrating system data areas. "Professional" viruses are often built with "stealth" technology and/or are polymorphic viruses, and infect not only files but also the boot sectors of disks, and sometimes the executable files of Windows and OS/2.

A fairly large part of my collection is occupied by "families": groups of several (sometimes more than a dozen) viruses. The members of each such group can be recognized by one distinguishing trait, which is called "handwriting": the same algorithms and programming techniques turn up in several different viruses. Often all or almost all the members of a family belong to one author, and sometimes it is rather amusing to follow the "development of the pen" of such an artist, from almost "student" attempts to create anything at all resembling a virus to a fully working implementation of a "professional" virus.

In my opinion, the reason that makes such people direct their abilities to such pointless work is still the same: an inferiority complex, sometimes combined with an unbalanced psyche. It is telling that this kind of virus writing is often combined with other destructive addictions. Thus, in the spring of 1997 one of the world's best-known virus authors, nicknamed Talon (Australia), died at the age of 21 from a lethal dose of heroin.

Somewhat apart stands the fourth group of virus authors: the "researchers". This group consists of fairly bright programmers who busy themselves inventing fundamentally new methods of infection, concealment, counteracting anti-viruses, and so on. They also think up ways of penetrating new operating systems, virus construction kits and polymorphic generators. These programmers write viruses not for the sake of the viruses themselves, but rather for the sake of "researching" the potential of the "computer fauna".

Often the authors of such viruses do not release their creations into the wild, but do very actively promote their ideas through numerous electronic publications devoted to creating viruses. The danger from such "research" viruses does not fall for that: once they reach the hands of "professionals" from the third group, the new ideas are very quickly implemented in new viruses.

My attitude to virus authors is threefold. First, everyone who writes viruses or helps to spread them is a "breadwinner" of the anti-virus industry, whose annual turnover I estimate at a minimum of two hundred million dollars or thereabouts (and one should not forget that the losses from viruses amount to hundreds of millions of dollars and far exceed what is spent on anti-virus programs). Since the total number of viruses by the end of 1997 was almost 20,000, it is not hard to calculate that the anti-virus companies' income from each virus comes to a minimum of 10 thousand dollars a year. Of course, virus authors should not count on material reward: as practice shows, their work was and remains unpaid. Besides, at present the supply (new viruses) fully satisfies the demand (the anti-virus firms' capacity for processing new viruses).

Second, virus authors should be pitied, especially the "professionals". After all, to write such a virus one must: a) spend a great deal of effort and time, far more than is needed to analyse the virus, enter it into a database, or even write a special anti-virus for it; and b) have no other, more attractive, occupation. So the "professional" virus writers are quite capable of work and at the same time are idle from having nothing better to do; the situation, as I see it, is rather sad.

Heavy and unlovely

is the life of a simple programmer.

(Folk creativity)

There is no limit to our integral.

(Folk wisdom)

4. History of computer viruses - from ancient times to the present day

4.1. Little bits of archeology

There is a lot of thought to be given to the people of the first computer virus. Only one thing is clear: on Babbage’s machine there was none, but on the Univac 1108 and IBM-360/370 there were still stinks (“Pervading Animal” and “Christmas tree”). Thus, the first virus appeared here in the early 70s and almost in the 60s, although no one has yet been called a “virus”. On this Rozmov about vikopni kopalini proponuyu vvazhat completed.

4.2. Cob way

Let's talk about the new story: "Brain", "Vienna", "Cascade" and more. Those who started working on the IBM-PC already in the mid-80s have not yet forgotten the widespread epidemic of these viruses in 1987-89. The letters were fading on the screens, and teams of correspondents were rushing to the front office to repair the displays (all the same: the Winchester died of old age, and blame the unknown advanced science virus). Then the computer started playing the alien anthem “Yankee Doodle”, but thanks to the dynamics, no one rushed - they quickly realized that it was a virus, not just one, but a whole dozen.

So viruses began to infect files. The “Brain” virus and the “Ping-pong” virus, jumping across the screen, marked the virus’s victory over the Boot sector. Everything was no longer befitting the IBM-PC crusaders, and the anti-tinders showed up. The first antivirus that caught me was ANTI-KOT: the legendary Oleg Kotik released the first versions of his programs to the world, which eliminated as many as 4 viruses (the American SCAN appeared in our country about later). Before I speak to everyone who has already saved a copy of this antivirus, I strongly advise you to erase it (forgive me Oleg Kotik!) as a program that is worthless and nothing more than wasting your nerves and unnecessary telephone calls, What not to bring? Unfortunately, ANTI-KOT detects the "Time" virus ("Jerusalem") using the "MsDos" combination on each file, and other antivirus programs carefully attach to all files with the COM or EXE extensions.

It is important to respect that the histories of the conquest of viruses in Russia and the West differ among themselves. The first virus to rapidly expand in the West was the vandalized “Brain” virus, and then the “Vienna” and “Cascade” file viruses appeared. In Russia, however, file viruses appeared initially, and later, destructive ones.

The hour had passed, and the viruses were multiplying. All of them were similar to each other, they climbed into memory, searched for files and sectors, periodically drove in files, floppy disks and hard drives. One of the first "revealed" viruses was the "Frodo.4096" virus - the first known file-based stealth virus. This virus overcame INT 21h and, when transferred via DOS to infected files, changed the information in such a way that the file appeared before being displayed in an uninfected view. Ale tse bula lis nabudova virus over MS-DOS. The fate did not pass when electronic targans crawled into the middle of the DOS kernel (the invisible virus "Beast.512"). The idea of ​​invisibility continued to bear fruit: the outbreak of 1991 swept across computers like the bubonic plague, the “Dir_II” virus. "So-a-a!" said everyone who dug into the new one.

But the fight against the invisible would be simple: clean the RAM - and be calm, look for the bastard and rejoice in his health. The biggest problem was caused by viruses that encrypted themselves, as some of them were found in the collections. Even for this identification, it was necessary to write special subprograms and fine-tune them. But at the same time, no one has lost their respect until... Until now, the viruses of a new generation have not appeared, what are called polymorphic viruses. These viruses use a different approach to invisibility: they are encrypted (in most cases), and decrypting commands are used, which may not be repeated when different files are infected.

4.3. Polymorphism – mutation of viruses

The first polymorphic virus, "Chameleon", appeared at the beginning of the 1990s, but the problem of polymorphic viruses became really serious a year later, in 1991, when almost the whole world suffered an epidemic of the polymorphic virus "Tequila" (as far as I know, this epidemic practically did not touch Russia; the first Russian epidemic caused by a polymorphic virus came three years later, in 1994, with the "Phantom1" virus).

The idea of self-encrypting polymorphic viruses gained popularity with the arrival of polymorphic code generators. In 1992 the well-known "Dedicated" virus appeared, based on the first known polymorphic generator, MtE, and it opened a whole series of MtE viruses; shortly afterwards the generator itself appeared. It is an object module (OBJ file), so to turn an ordinary unencrypted virus into a polymorphic mutant it is enough to link their object modules: the OBJ file of the polymorphic generator and the OBJ file of the virus. A virus author who wants a real polymorphic virus no longer has to toil over the code of his own encryptor. He simply links the polymorphic generator to his virus and calls it from the virus code.

Fortunately, the first MtE virus did not get into the "wild" and did not cause an epidemic, so anti-virus developers had some time to prepare for the new scourge.

Within a year the production of polymorphic viruses had become a "craft", and in 1993 it turned into an "avalanche". More and more self-encrypting polymorphic viruses appeared in the collections. One gets the feeling that one of the main directions in the development of viruses has become the creation and refinement of the polymorphic mechanism, and that the competition among virus authors is no longer about who writes the coolest virus but about whose polymorphic mechanism turns out to be the coolest of all.

Here is an incomplete list of viruses that can be called 100% polymorphic (as of late 1993):

Bootache, CivilWar (four versions), Crusher, Dudley, Fly, Freddy, Ginger, Grog, Haifa, Moctezuma (two versions), MVF, Necros, Nukehard, PcFly (three versions), Predator, Satanbug, Sandra, Shoker, Todor, Tremor, Trigger, Uruguay (all versions).

To detect these viruses special methods are needed: emulation of the virus code, mathematical algorithms for restoring the virus's code and data, and so on. To the 100% polymorphic viruses one can add a dozen more new viruses that are not quite 100% polymorphic (they encrypt themselves, but the decryptor always keeps a few constant bytes):

Basilisk, Daemaen, Invisible (two versions), Mirea (many versions), Rasek (three versions), Sarov, Scoundrel, Seat, Silly, Simulation.

Yet they too require the code to be decrypted for detection and disinfection, since the constant part of their decryptor is too small to be useful.
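The difference between a "mask" (a fixed fragment of virus code), a decryptor with no constant bytes, and detection by emulation is easiest to see on a toy. What follows is an added example in Python, not code from the original text and not any real virus engine: the instruction set of the decryptor, the virus body, the mask and the sample count are all assumptions made for the demonstration. Each generated sample computes the same XOR key by a different sequence of instructions with junk interleaved, so the stored bytes share no mask; the emulator runs the decryptor and applies the mask to what it produces.

```python
"""Toy polymorphic decryptor generator and an emulation-based detector.

Added example, not from the original text. The instruction set below is
invented for illustration; it is neither x86 nor any real polymorphic engine.
"""
import random

# Constructed stand-in for a virus body; its first 8 bytes serve as the scanner's mask.
BODY = b"virus-body:" + bytes(range(32))
MASK = BODY[:8]

# Toy decryptor instruction set (assumed):
#   0x10 k  : KEY = k
#   0x30 k  : KEY = (KEY + k) mod 256
#   0x40    : NOP (junk)
#   0x41 x  : junk with a throw-away operand
#   0x20 n  : XOR the n bytes that follow with KEY and run them (end of decryptor)
OP_SET, OP_ADD, OP_NOP, OP_JUNK, OP_DEC = 0x10, 0x30, 0x40, 0x41, 0x20


def build_decryptor(key, body_len, rng):
    """Emit a decryptor that arrives at `key` by a different route each time."""
    adds = [rng.randrange(256) for _ in range(rng.randrange(0, 4))]
    k0 = (key - sum(adds)) % 256           # start value that the ADDs bring back to key
    useful = [bytes([OP_SET, k0])] + [bytes([OP_ADD, a]) for a in adds]
    out = bytearray()
    for op in useful:                      # sprinkle junk before each useful instruction
        for _ in range(rng.randrange(0, 3)):
            out += bytes([OP_NOP]) if rng.random() < 0.5 else bytes([OP_JUNK, rng.randrange(256)])
        out += op
    out += bytes([OP_DEC, body_len])
    return bytes(out)


def make_sample(rng):
    """One infected-file appendage: random decryptor + body XORed with a fresh key."""
    key = rng.randrange(1, 256)            # never 0, or the body would be stored in clear
    enc = bytes(b ^ key for b in BODY)
    return build_decryptor(key, len(BODY), rng) + enc


def generate_samples(count, seed):
    rng = random.Random(seed)
    return [make_sample(rng) for _ in range(count)]


def emulate(sample):
    """Run the toy decryptor; return the bytes it decrypts, or None if malformed."""
    key, pc = 0, 0
    while pc < len(sample):
        op = sample[pc]
        if op == OP_NOP:
            pc += 1
            continue
        if pc + 1 >= len(sample):          # operand missing: not a valid decryptor
            return None
        arg = sample[pc + 1]
        if op == OP_SET:
            key = arg
        elif op == OP_ADD:
            key = (key + arg) % 256
        elif op == OP_JUNK:
            pass
        elif op == OP_DEC:
            enc = sample[pc + 2: pc + 2 + arg]
            return bytes(b ^ key for b in enc)
        else:
            return None
        pc += 2
    return None


def scan_static(sample):
    """Mask scanner of the 1989 kind: search the stored bytes for the mask."""
    return MASK in sample


def scan_emulated(sample):
    """Decrypt by emulation first, then apply the same mask to the result."""
    body = emulate(sample)
    return body is not None and MASK in body


def constant_bytes(samples):
    """Offsets at which every sample carries the same byte (empty for 100% polymorphism)."""
    n = min(len(s) for s in samples)
    return [i for i in range(n) if len({s[i] for s in samples}) == 1]


if __name__ == "__main__":
    samples = generate_samples(40, 1993)
    print("static hits:  ", sum(map(scan_static, samples)), "of", len(samples))
    print("emulated hits:", sum(map(scan_emulated, samples)), "of", len(samples))
    print("constant offsets across samples:", constant_bytes(samples))
```

A decryptor that always began with the same two instructions would show up in `constant_bytes` as a short run of fixed offsets; that run is the "few constant bytes" the text mentions for the not-quite-100% viruses, and the emulator does not need it.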

Polymorphic generators develop in parallel with polymorphic viruses. Several new ones have appeared that use more complex methods of generating polymorphic code, and they are distributed through BBS stations as archives containing object modules, documentation and examples. For example, by the end of 1993 the following polymorphic code generators were already known:

MTE 0.90 (Mutation Engine), several versions of TPE (Trident Polymorphic Engine), NED (Nuke Encryption Device), DAME (Dark Angel's Multiple Encryptor)

Since then new polymorphic generators have appeared several times a year, and compiling a complete list of them hardly makes sense.

4.4. Automation of virus development and virus constructors

Laziness is the engine of progress. This folk wisdom needs no comment. But it was only in mid-1992 that progress, in the form of automated virus development, reached virus writing. On 5 July 1992 the first virus code constructor for IBM PCs was announced: the VCL (Virus Creation Laboratory) package, version 1.00.

This constructor makes it possible to generate well-commented virus source texts (files with assembler text), object modules and directly infected files. VCL has a standard windowed interface. Through a menu system one can choose the type of virus, the objects it attacks (COM or EXE), whether it encrypts itself, whether it counters debuggers, its internal text strings, up to ten effects that accompany the virus's work, and so on. The viruses can use the standard method of appending themselves to the end of a file, or overwrite files, destroying their contents, or be companion viruses (the international term is "companion viruses").

And everything suddenly became much simpler: anyone who wanted to harm a neighbour could sit down at VCL, turn out 30 or 40 different viruses in 10 to 15 minutes and run them on the offending computer(s). A separate virus for every computer!

There was more to come. On 27 July the first version of the PS-MPC (Phalcon/Skism Mass-Produced Code Generator) constructor appeared. This constructor has no windowed interface and generates virus source texts from a configuration file. The file contains a description of the virus: the type of files it infects (COM or EXE); residency (PS-MPC also creates resident viruses, which VCL does not allow); the method of installing the resident copy; whether self-encryption is used; whether COMMAND.COM is infected; and much other useful information.

On the basis of PS-MPC the G2 constructor (Phalcon/Skism's G2 0.70 beta) was created. It accepts configuration files in the PS-MPC format but generates a noticeably larger number of variants of the code for the same functions.

The first version of G2 is dated the first of January 1993. Evidently its authors spent New Year's Eve at the computer. It would have been better for them to drink champagne, though one does not exclude the other.

So how have virus constructors affected the electronic fauna? In the collection of viruses kept in my "storeroom" the number of "constructed" viruses is as follows:

based on VCL and G2: a few hundred each;

based on PS-MPC: over a thousand.

Thus another trend has emerged in the development of computer viruses: "constructed" viruses are beginning to make up an ever larger share of the collections, and extremely lazy people are starting to join the ranks of their authors, reducing the creative and respected profession of virus writing to a rather crude craft.

4.5. Beyond DOS

The year 1992 brought more than polymorphic viruses and virus constructors. At the end of the year the first virus for Windows appeared, opening a new page in the history of virus writing. Small (less than 1K), completely harmless and non-resident, the virus quite competently infected files in the new Windows executable format (NewEXE) and so broke through into the world of Windows.

Some time later viruses for OS/2 appeared, and in 1996 the first virus for Windows95. Since then not a year has passed without new viruses for non-DOS systems, and the problem of non-DOS viruses will probably soon come to the fore, pushing the problem of DOS viruses into the background. Most likely this will happen in step with the gradual dying out of DOS and the spread of new operating systems and their software. As soon as all existing DOS applications are replaced by their counterparts for Windows, Win95 and OS/2, the problem of DOS viruses will disappear and will be of purely theoretical interest to the computer community.

Also in 1993 the first attempt was made to write a virus that runs in the protected mode of the Intel 386 processor. This was the boot virus "PMBS", named after a text string inside its code. When loaded from an infected disk the virus switched to protected mode, installed itself as a system supervisor and then loaded DOS in V86 virtual-machine mode. Fortunately, this virus turned out to be "non-viable": its second generation refused to multiply because of several bugs in the virus code. Besides, it "hung" the system as soon as any program tried to step outside the V86 window, for example to check for extended memory.

This unsuccessful attempt to write a supervisor virus remained the only one until the spring of 1997, when a Moscow craftsman released the virus "PM.Wanderer", a fully "viable" implementation of a virus operating in protected mode.

It is not yet clear whether supervisor viruses will become a real problem for users and anti-virus vendors in the near future. Most likely not, since such viruses have to "go to sleep" while the new operating systems (Windows, Win95/NT, OS/2) are running, which allows them to be detected and removed easily. But a full-fledged supervisor virus that uses "stealth" technology could cause a lot of trouble for users of "pure" DOS, because detecting such a stealth virus from under DOS is simply impossible.

4.6. Macro virus epidemic

August 1995. All progressive humanity, Microsoft and Bill Gates personally are celebrating the release of the new operating system Windows95. Against this background, news of a virus that used completely new methods of infection, a virus that infected Microsoft Word documents, passed almost unnoticed.

Strictly speaking, it was not the first virus to infect Word documents. Anti-virus companies had already received the first samples of a virus that copied itself from document to document. However, nobody paid serious attention to those not very successful experiments. As a result, practically all anti-virus companies turned out to be unprepared for what followed, the macro-virus epidemic, and began to catch up. For example, several companies almost simultaneously released "anti-virus documents" that worked on roughly the same principle as the virus but destroyed it instead of propagating.

By the way, the anti-virus literature had to be corrected in a hurry: until then the question "Can you infect a computer by reading a file?" had been answered "Definitely not!" with lots of supporting evidence.

Meanwhile the virus, which by then had been named "Concept", continued its triumphant march across the planet. Having most likely originated in one of Microsoft's divisions, "Concept" infected thousands (if not millions) of computers. This is not surprising, since exchanging texts in MS Word format has in fact become one of the standards, and to become infected it was enough to open an infected document, after which every other document edited in the infected copy of Word became infected too. As a result, a user who downloaded an infected file from the Internet and read it unknowingly became a "carrier of the infection", and all of his correspondence (if, of course, it was prepared in MS Word) turned out to be infected as well. Thus the ability of MS Word to spread infection, multiplied by the speed of the Internet, became one of the most serious problems in the whole history of viruses.

A year later, in 1996, the "Laroux" virus appeared, infecting MS Excel spreadsheets. As with the "Concept" virus, the new macro virus was discovered "in the wild" almost simultaneously at different companies. By the way, in 1997 this virus caused an epidemic in Moscow.

Also in 1996 the first macro-virus constructors appeared, and in 1997 the first polymorphic macro viruses for MS Word and the first viruses for MS Office97. In addition, the number of different macro viruses grew constantly, reaching several hundred by the summer of 1997.

Having opened a new page in August 1995 and drawing on the full experience accumulated over almost ten years of non-stop virus writing and refinement, macro viruses are perhaps the biggest problem of modern virology.

4.7. Chronology of events

Now it is time to move on to a more detailed description of all this. Let us start from the very beginning.

late 1960s - early 1970s

On the mainframes of that period programs periodically appeared that were called "rabbits". These programs cloned themselves, occupied system resources and thus reduced the productivity of the system. Most likely the "rabbits" were not passed from system to system and were purely local phenomena: mistakes or pranks of the system programmers who serviced the computer. The first incident that can safely be called an epidemic of a "computer virus" occurred on the Univax 1108 system.

first half of the 1970s

The "Creeper" virus was created under the Tenex operating system and used global computer networks to spread. The virus was able to enter a network by modem on its own and transfer a copy of itself to the remote system. To combat it the program "The Reaper" was created, the first anti-virus program.

early 1980s

Computers become more and more popular. More and more programs appear whose authors are not software companies but private individuals, and these programs can be freely distributed and exchanged through public-access servers, the BBS. The result is the appearance of a large number of "Trojan horses", programs that, when launched, do some kind of harm to the system.

An epidemic of the boot virus "Elk Cloner" on Apple II computers. The virus wrote itself into the boot sectors of the floppy disks that were accessed. It manifested itself in quite varied ways: flipping the screen image, making the text on the screen flicker and displaying various messages.

Pandemic of the first IBM PC virus, "Brain". The virus, which infected the boot sectors of 360 KB floppy disks, spread around the world almost instantly. The reason for this "success" was most likely the unpreparedness of the computer community to meet such a phenomenon as a computer virus.

The virus was written in Pakistan by the brothers Basit and Amjad Farooq Alvi, who left in it a text message containing their names, address and telephone number. As the authors of the virus stated, they owned a company selling software products and wanted to find out the extent of pirated copying in the country. Unfortunately, their experiment went far beyond the borders of Pakistan.

Interestingly, the "Brain" virus was also the first stealth virus: when an attempt was made to read an infected sector, it "substituted" the uninfected original.

Also in 1986, a programmer named Ralf Burger discovered that a program could make copies of itself by appending its code to executable DOS files. His first virus, called "VirDem", demonstrated this ability. The virus was announced in 1986 at a forum of the computer "underground", hackers who at that time specialised in breaking into VAX/VMS systems (the Chaos Computer Club in Hamburg).

The "Vienna" virus appeared. A copy of it fell into the hands of the same Ralf Burger, who disassembled it and published the result in his book "Computer Viruses: A High Tech Disease" (its Russian counterpart is "Writing a Virus and an Anti-virus" by M. Khizhnyak). Burger's book popularised the idea of writing viruses, explained how to do it, and thus served as a push towards the writing of hundreds and even thousands of computer viruses that partly used ideas from the book.

In the same year several more viruses for the IBM PC appeared. These are the now-famous "Lehigh", which infects only COMMAND.COM; "Suriv-1" (another name is "April1st"), which infects COM files; "Suriv-2", which infects (mainly) EXE files; and "Suriv-3", which infects both COM and EXE files. Several boot viruses also appeared ("Yale" in the USA, "Stoned" in New Zealand and "PingPong" in Italy), as well as the first self-encrypting file virus, "Cascade".

Non-IBM computers were not spared either: several viruses were detected for the Apple Macintosh, Commodore Amiga and Atari ST.

In 1987 there was the first large-scale epidemic of a network virus, "Christmas Tree", written in REXX and spreading under the VM/CMS operating environment. On 9 December the virus was launched into the Bitnet network at a West German university, penetrated through a gateway into the European Academic Research Network (EARN) and from there into IBM's VNet network. A few days later (13 December) the virus paralysed the network, which was clogged with its copies. On launch the virus displayed an image of a Christmas tree (a slightly crooked one) on the screen and sent copies of itself to all network users whose addresses were present in the system files NAMES and NETLOG.

On Friday 13 May 1988 several companies and universities in different countries of the world "got acquainted" with the "Jerusalem" virus: on that day the virus destroyed files as they were launched. This is perhaps one of the first MS-DOS viruses to cause a real pandemic; reports of infected computers came from Europe, America and elsewhere. The virus, by the way, got its name from one of the places where it was detected, the university in Jerusalem.

Together with several other viruses ("Cascade", "Stoned", "Vienna"), the "Jerusalem" virus spread across thousands of computers while remaining unnoticed: anti-virus programs were not yet as widespread as today, and many users and even professionals still did not believe in the existence of computer viruses. It is telling that in the same year the computer guru and man of legend Peter Norton spoke out against the existence of viruses, dismissing them as a non-existent myth and comparing them to tales about the crocodiles living in the sewers of New York. This did not prevent Symantec, however, from starting its own anti-virus project, Norton Anti-Virus, some time later.

Obviously false reports about computer viruses began to appear, carrying no real information but sowing panic among the mass of users. One of the first such "evil jokes" (the modern term is "virus hoax") belongs to a certain Mike RoChenle (a pseudonym resembling "Microchannel"), who posted on BBS stations a large number of messages about a supposed virus that is transmitted from modem to modem at a speed of 2400 baud. Funny as it is, many users abandoned the then standard of 2400 and lowered the speed of their modems to 1200 baud. Similar "hoaxes" appear to this day. The best known of them today are GoodTimes and Aol4Free.

November 1988: a general epidemic of the Morris virus (also known as the Internet Worm). The virus infected more than 6,000 computer systems in the USA (including a NASA research centre) and practically paralysed their work. Because of a bug in its code the virus, like the "Christmas Tree" virus, sent copies of itself to other computers on the network without limit, thereby taking up all of their resources. The total losses from the Morris virus were estimated at 96 million dollars.

The virus used errors in the Unix operating system for VAX and Sun Microsystems computers to propagate. Besides the Unix bugs it used several other original ideas, for example guessing user passwords. A more detailed account of this virus and the associated incident can be found in the fairly detailed and interesting article by Igor Moiseev in the journal ComputerPress, 1991, N8,9.

December 1988: the season of network viruses continues, this time in the DECNet network. The "HI.COM" network virus displayed an image of a Christmas tree on the screen and told users that they should "stop computing and have a good time at home!!!"

New anti-virus programs appear, for example Dr.Solomon's Anti-Virus Toolkit, which is today one of the most powerful anti-viruses.

New viruses appear: "Datacrime", "FuManchu" and whole families, "Vacsina" and "Yankee". The first of these was extremely dangerous: from 13 October to 31 December it formatted the hard disk. This virus "broke free" and caused mass hysteria in the media of Holland and Great Britain.

Spring 1989: another anti-virus program enters the market, IBM Anti-Virus.

October 1989: another virus epidemic was recorded in the DECNet network, the "WANK Worm".

December 1989: the incident with the "Aids" "Trojan horse". 20,000 copies were distributed on floppy disks labelled "AIDS Information Diskette Version 2.0". After 90 boots of the system the "Trojan" encrypted the names of all files on the disk, made them invisible (the "hidden" attribute) and left only one readable file on the disk: an invoice for 189 dollars, to be sent to the address PO Box 7, Panama. The author of the "Trojan" was caught and convicted.

It should be noted that 1989 was the beginning of the general epidemic of computer viruses in Russia: the same viruses "Cascade", "Jerusalem" and "Vienna" flooded the computers of Russian users. Fortunately, Russian programmers quickly figured out the principles of their operation, and several domestic anti-viruses appeared.

My first acquaintance with a virus (it was the "Cascade" virus) took place in early 1989: the virus was found on my work computer. This very fact became the reason for my professional reorientation towards creating anti-virus programs. By the way, I removed that first virus with Oleg Kotik's ANTI-KOT anti-virus program, which was popular at the time. A month later a second incident (the "Vacsina" virus) was closed with the help of the first version of my anti-virus -V (later renamed AVP, AntiViral Toolkit Pro). By the end of 1989 about a dozen viruses were already grazing on Russian soil (listed in order of appearance): two versions of "Cascade", several "Vacsina" and "Yankee" viruses, "Jerusalem", "Vienna", "Eddie", "PingPong".

The year 1990 brought several notable events. The first of them was the appearance of the first polymorphic viruses, "Chameleon" (other names are "V2P1", "V2P2" and "V2P6"). Until then anti-virus programs had detected viruses using so-called masks, fragments of the virus code. After the appearance of the "Chameleon" viruses anti-virus developers had to look for other methods of detecting them.

The second event was the appearance of the Bulgarian "virus production factory": an enormous number of new viruses of Bulgarian origin. These are whole families of viruses: "Murphy", "Nomenclatura", "Beast" (or "512", "Number-of-Beast"), new modifications of the "Eddie" virus and others. Several new viruses appeared that used fundamentally new algorithms for infecting and penetrating the system. Bulgaria was also where the first BBS appeared that was oriented towards exchanging viruses and information for virus writers.

In July 1990 an incident occurred with the computer magazine PC Today (Great Britain). The floppy disk distributed with it was infected with the "DiskKiller" virus. The magazine sold over 50,000 copies.

In the second half of 1990 two stealth monsters appeared, "Frodo" and "Whale". Both viruses used extremely complex stealth algorithms, and the nine-kilobyte "Whale" in addition employed several encryption and anti-debugging techniques.

The first known Russian viruses appeared: "Peterburg", "Voronezh" and the Rostov "LoveChild".

In 1991 the population of computer viruses keeps growing and has already reached several hundred. Anti-virus activity grows as well: two software monsters (Symantec and Central Point) release their own anti-virus programs, Norton Anti-Virus and Central Point Anti-Virus. Less well-known anti-viruses from Xtree and Fifth Generation follow.

In April there was a large-scale epidemic of the file polymorphic virus "Tequila", and in September a similar "story" with the "Amoeba" virus. These events practically did not touch Russia.

Summer 1991: an epidemic of the "Dir_II" virus, which used fundamentally new methods of infecting files (a link virus).

On the whole, 1991 turned out to be quite calm, the calm before the storm that broke in 1992.

In 1992 viruses for non-IBM PC and non-MS-DOS systems are practically forgotten: the "holes" in the global networks have been closed, the bugs fixed, and network viruses have lost the ability to spread. File and boot viruses for the most widespread operating system (MS-DOS) on the most popular computer (IBM PC) are becoming ever more important. The number of viruses grows in geometric progression, and various virus incidents occur almost every day. Various anti-virus programs are developed, and dozens of regular magazines devoted to viruses are published. Against this background several main points stand out:

Early 1992: the first polymorphic generator, MtE, on the basis of which several polymorphic viruses appeared some time later. MtE also became the prototype of several subsequent polymorphic generators.

March 1992: the epidemic of the "Michelangelo" ("March6") virus and the hysteria surrounding it. This was probably the first known case in which anti-virus companies inflated rumours about a virus not to protect users from any danger but to draw attention to their product, that is, for commercial gain. Thus one American anti-virus company declared that on 6 March information on more than five million computers would be destroyed. As a result of the noise that followed, the profits of various anti-virus companies grew several times over, while in reality only about 10,000 machines suffered from the virus.

July 1992: the appearance of the first virus constructors, VCL and PS-MPC, which swelled the already considerable flow of new viruses and, like MtE in its field, pushed virus writers to create new, more powerful constructors.

Late 1992: the first virus for Windows, which infects the executable files of this operating system, opening a new page in virus writing.

In 1993 virus writers got seriously to work: besides hundreds of ordinary viruses that in principle do not differ from their fellows, besides a whole series of new polymorphic generators and constructors, besides new electronic magazines for virus writers, more and more viruses appeared that used extremely unusual methods of infecting files, penetrating the system and so on. The main examples are:

"PMBS", which works in the protected mode of the Intel 80386 processor;

"Strange" (or "Hmm"), a solo performance on the theme of "stealth virus", carried out, however, at the level of the hardware interrupts INT 0Dh and INT 76h;

"Shadowgard" and "Carbuncle", which significantly widened the range of companion-virus algorithms;

"Emmie", "Metallica", "Bomber", "Uruguay" and "Cruncher", which used fundamentally new techniques of "hiding" their code in infected files.

In the spring of 1993 Microsoft released its own anti-virus, MSAV, based on CPAV from Central Point.

In 1994 the problem of viruses on CD-ROMs is becoming ever more significant. Having quickly become popular, these discs turned out to be one of the main ways of spreading viruses. Several cases were recorded in which a virus got onto the master disc during the preparation of a batch of CDs. As a result, tens of thousands of infected discs were released onto the computer market. Naturally, there is no question of disinfecting them; they simply have to be destroyed.

Early in the year two extremely complex polymorphic viruses appeared in Great Britain, "SMEG.Pathogen" and "SMEG.Queeg" (even now not every anti-virus program achieves 100% detection of them). The author of the viruses posted infected files on a BBS station, which caused a real epidemic and panic in the media.

Another wave of panic was caused by reports of a supposed "GoodTimes" virus spreading over the Internet and infecting the computer when e-mail is received. No such virus actually existed, but some time later an ordinary DOS virus appeared containing the text "Good Times"; it was named "GT-Spoof".

Law enforcement agencies become more active: in the summer of 1994 the author of SMEG was tracked down and arrested. At about the same time a whole group of virus writers calling itself ARCV (Association for Really Cruel Viruses) was arrested in the same Great Britain. Some time later another virus author was arrested in Norway.

Several new and unusual viruses appear:

January 1994: "Shifter", the first virus that infects object modules (OBJ files). "Phantom1": an epidemic of the first polymorphic virus in Moscow.

April 1994: "SrcVir", a family of viruses that infect program source texts (C and Pascal).

June 1994: "OneHalf", the beginning of a general epidemic of the virus, which is still the most widespread virus in Russia.

September 1994: "3APA3A", an epidemic of a boot-file virus that uses an unprecedented way of penetrating MS-DOS. No anti-virus turned out to be ready for a monster of this kind.

In 1994 (in the spring) one of the anti-virus leaders of the time, Central Point, ceased to exist. It was absorbed by Symantec, which by then had already swallowed several small anti-virus companies: Peter Norton Computing, Certus International and Fifth Generation Systems.

In 1995 nothing particularly remarkable happened in the field of DOS viruses, although several complex monster viruses appeared, such as "NightFall", "Nostradamus" and "Nutcracker", and such amusing viruses as the "bisexual" "RMNS" and the BAT virus "Winstart". The "ByWay" and "DieHard2" viruses became widespread: reports of infected computers came from all over the world.

February 1995: an incident at Microsoft: the "Form" virus was found on a disc containing a demo version of Windows95. Microsoft had sent copies of the disc to beta testers, one of whom took the trouble to check it for viruses.

Spring 1995: a union of two anti-virus companies is announced, ESaSS (ThunderBYTE anti-virus) and Norman Data Defense (Norman Virus Control). These companies, each producing a fairly strong anti-virus, joined forces and began developing a unified anti-virus system.

August 1995: one of the turning points in the history of viruses and anti-viruses: the first virus for Microsoft Word ("Concept") was discovered "in the wild". In just a month the virus "circled" the globe, filling the computers of MS Word users and taking first place in the statistical studies conducted by various computer publications.

January 1996: two notable events: the first virus for Windows95 ("Win95.Boza") appeared, and an epidemic of the extremely complex polymorphic virus "Zhengxi" occurred in St. Petersburg.

March 1996: the first epidemic of a virus for Windows 3.x. Its name is "Win.Tentacle". The virus infected a computer network at a hospital and several other institutions in France. The interest of this event lay in the fact that this was the FIRST Windows virus to break free. Until then (as far as I know) all Windows viruses had lived only in collections and in the electronic magazines of virus writers, and only boot, DOS and macro viruses roamed "in the wild".

June 1996: "OS2.AEP", the first virus for OS/2 that correctly infects EXE files of this operating system. Before it, OS/2 had only viruses that wrote themselves in place of a file, destroying it, or used the "companion" method.

July 1996: "Laroux", the first virus for Microsoft Excel, caught "in the wild" (almost simultaneously at two oil companies, in Alaska and in South Africa). As with MS Word viruses, the operating principle of "Laroux" is based on the presence of so-called macros: programs in Basic. Such programs can be embedded in Excel spreadsheets just as in MS Word documents. As it turned out, the Basic language built into Excel also allows viruses to be created. In 1997 this virus caused an epidemic at computer companies in Moscow.

Breast 1996: "Win95.Punch" - the first "resident" virus for Win95. It enters the system as a VxD driver, downloads files and infects them.

In general, the year 1996 saw the beginning of a large-scale attack by the computer underground on the Windows32 operating systems (Windows 95 and Windows NT) and on Microsoft Office applications. During this period dozens of viruses for Windows 95/NT and hundreds of macro viruses appeared. In many of them, virus writers used new techniques and methods of infection, added stealth and polymorphic mechanisms, and so on. Thus computer viruses entered a new stage of their development: the level of 32-bit operating systems. Over the course of two years, viruses for Windows32 repeated approximately the same stages that DOS viruses had gone through exactly 10 years earlier, but on a completely new technological level.

February 1997: "Linux.Bliss" is the first virus for Linux (a UNIX variant). Thus viruses occupied yet another "biological" niche.

February-April 1997: macro viruses moved to Office97. The first of them turned out to be macro viruses for Word 6/7 "converted" to the new format; almost immediately afterwards, viruses targeting only Office97 documents appeared.

March 1997: "ShareFun" is a macro virus that attacks MS Word 6/7. For its propagation it uses not only the standard capabilities of MS Word but also sends copies of itself by MS Mail e-mail.

April 1997: "Homer" is the first network worm virus that uses the File Transfer Protocol (FTP) for its propagation.

June 1997: the first self-encrypting virus for Windows 95 appeared. The virus, apparently of Russian origin, was sent to several BBSs in Moscow and caused an epidemic.

November 1997: the "Esperanto" virus. An attempt (fortunately, unsuccessful) to create a multi-platform virus that works not only under DOS and Windows but can also infect Mac OS (Macintosh) files.

December 1997: a new form of virus appeared: mIRC worms. It turned out that the most popular Windows IRC (Internet Relay Chat) utility, known as mIRC, contained a "hole" that allowed virus scripts to send themselves through IRC channels. The next version of IRC closed the hole, and mIRC worms sank into oblivion.

The main anti-virus event of 1997 was, obviously, the spin-off of the anti-virus division of the KAMI company into the independent company Kaspersky Lab, which today has established itself as one of the technological leaders of the antivirus industry. Since 1994 the company's main product, the AntiViral Toolkit Pro (AVP) antivirus scanner, has consistently shown high results in numerous tests conducted by various testing laboratories around the world. Becoming an independent company allowed a small group of developers to become the leading anti-virus company on the domestic market and a prominent figure on the world market. In a short period of time, versions were developed and released for almost all popular platforms, new anti-virus solutions were introduced, and a network of international distribution and technical support was created.

In early 1997 the Finnish company DataFellows signed an agreement to license AVP technology for use in its new product FSAV (F-Secure Anti-Virus). Before that, DataFellows was known as the developer of the F-PROT antivirus.

The year 1997 was also marked by a number of scandals among the main antivirus vendors in the United States and Europe. At the beginning of the year, McAfee announced that its specialists had identified a "bookmark" in the programs of one of its main competitors, the antivirus company Dr. Solomon. McAfee's statement said that if the Dr. Solomon antivirus detects a number of viruses of different types during a scan, it then switches to an enhanced mode of operation. That is, under normal conditions on uninfected computers the Dr. Solomon antivirus works in the basic mode, but when testing virus collections the enhanced mode (in McAfee's terminology, "cheat mode") switches on and detects viruses that are invisible to Dr. Solomon in the normal mode. As a result, when tested on uninfected disks the Dr. Solomon antivirus shows good speed results, and when tested on virus collections it shows good detection results.

A little later, Dr. Solomon struck back, accusing McAfee of an improperly conducted advertising campaign. At the same time, McAfee was in a legal dispute with another anti-virus company, Trend Micro, over violation of a patent on technology for scanning data transmitted via the Internet and e-mail. Symantec was also drawn into the conflict with Trend Micro, and then Symantec accused McAfee of using Symantec code in McAfee products.

The year ended with another notable event related to McAfee: McAfee Associates and Network General announced their merger into a single company, Network Associates, and their positioning not only as a vendor of anti-virus protection but as a developer of universal computer security, encryption and network administration systems. From this point on in the history of viruses and antiviruses, McAfee should be read as NAI.

The virus attack on MS Windows, MS Office and network applications is not weakening. Viruses are emerging that use new methods of infecting computers and new methods of penetrating computer networks. In addition to viruses, numerous Trojan programs that steal Internet access passwords, and several remote administration utilities, have entered the arena. Incidents involving infected CDs were recorded: several computer magazines distributed disks with programs infected with the Windows viruses "CIH" and "Marburg".

Beginning of the year: an epidemic of the whole family of "Win32.HLLP.DeTroie" viruses, which not only infect Windows32 files but also transmit information about the infected computer to their "master". Because of the use of specific libraries present only in the French version of Windows, the epidemic affected only French-speaking countries.

February 1998: another type of virus infecting Excel spreadsheets was detected: "Excel4.Paix" (or "Formula.Paix"). To embed itself in Excel tables, this type of macro virus uses not the macro area usual for viruses but formulas, which, as it turns out, can also contain self-replicating code.

February-March 1998: "Win95.HPS" and "Win95.Marburg" are the first polymorphic Windows32 viruses, and they were detected in the wild. Developers of anti-virus programs had to quickly adapt to the new conditions the methods for detecting polymorphic viruses that had previously been developed only for DOS viruses.

March 1998: "AccessiV" is the first virus for Microsoft Access. It did not cause the fuss that the "Word.Concept" and "Excel.Laroux" viruses had, since everyone had already gotten used to MS Office applications falling one after another.

March 1998: the macro virus "Cross" is the first virus that infects two different MS Office applications: Access and Word. After it, several more macro viruses appeared that transferred their code from one Office application to another.

May 1998: the "RedTeam" virus. It infects Windows EXE files and distributes the infected files via Eudora e-mail.

June 1998: an epidemic of the "Win95.CIH" virus, which was at first massive, then global, and then total: reports of infection of computer networks and home personal computers numbered in the hundreds, if not thousands. The beginning of the epidemic was registered in Taiwan, where an unknown person uploaded infected files to a local Internet conference. From there the virus made its way to the United States, where through negligence several popular Web servers became infected: they distributed game programs infected with the virus. Most likely it was the infected files on game servers that caused the mass epidemic of the virus, which did not weaken with time. In "popularity" ratings the virus stood next to such viral superstars as "Word.CAP" and "Excel.Laroux". We should also note the dangerous payload of the virus: it is important to remember that the virus erased the Flash BIOS, which in some cases could lead to the need to replace the motherboard.

August 1998: the appearance of the notorious "BackOrifice" ("Backdoor.BO"), a utility for covert administration of remote computers and networks. After "BackOrifice" a number of other similar programs appeared: "NetBus", "Phase" and others.

Also in August, the first virus infecting executable Java modules appeared: "Java.StrangeBrew". This virus posed no danger to Internet users, since a remote computer cannot use the functions needed for its replication. However, it illustrated that programs that are actively used when browsing Web servers can also be attacked by viruses.

There were significant changes in the anti-virus world. In late 1998 Symantec and IBM announced the consolidation of their efforts on the antivirus front: the joint product is distributed by Symantec under the same Norton Anti-Virus brand, and IBM Anti-Virus (IBMAV) is discontinued. The main competitors reacted immediately: Dr. Solomon and NAI (formerly McAfee) at once issued press releases offering former IBMAV users to switch to their own antiviruses.

Less than a month passed before Dr. Solomon itself was bought. It was purchased by NAI (McAfee) for 640 million dollars in a share swap. This event caused a shock in the antivirus world: the conflict between the two largest players in the antivirus business ended in a buyout of one of the most prominent and technologically strong manufacturers of anti-virus software.

Everything in the world should happen slowly and wrongly, so that man cannot become proud, so that man is sad and confused.

(Venedikt Erofeev, "Moscow - Petushki")

5. Classification of computer viruses

Viruses can be divided into classes according to the following basic characteristics:

habitat;

operating system (OS);

features of the operating algorithm;

destructive capabilities.

ACCORDING TO HABITAT, viruses can be divided into:

file;

boot;

macro;

network.

File viruses either infect executable files in various ways (the most widespread type of virus), or create twin files (companion viruses), or exploit the peculiarities of the file system's organization (link viruses).

Boot viruses write themselves either into the boot sector of a disk (boot sector), or into the sector containing the hard drive's system loader (Master Boot Record), or change the pointer to the active boot sector.

Macro viruses infect document files and spreadsheets of several popular editors.

Network viruses use the protocols or commands of computer networks and e-mail for their propagation.

There is a large number of combinations: for example, file-boot viruses that infect both files and boot sectors of disks. Such viruses, as a rule, have a rather complex operating algorithm, often use original methods of penetrating the system, and use stealth and polymorphic technologies. Another example of such a combination is a network macro virus, which not only infects edited documents but also sends copies of itself by e-mail.

The OPERATING SYSTEM being infected (or rather, the OS whose objects are susceptible to infection) is the second level of dividing viruses into classes. Each file or network virus infects the files of one or several OSes: DOS, Windows, Win95/NT, OS/2, etc. Macro viruses infect files in Word, Excel and Office97 formats. Boot viruses are likewise oriented towards specific formats of placement of system data in the boot sectors of disks.

Among the FEATURES OF THE VIRUS'S OPERATING ALGORITHM, the following points stand out:

residency;

use of stealth algorithms;

self-encryption and polymorphism;

use of non-standard techniques.

A RESIDENT virus, when infecting a computer, leaves its resident part in RAM, which then intercepts the operating system's accesses to infectable objects and injects itself into them. Resident viruses reside in memory and remain active right up until the computer is turned off or the operating system is rebooted. Non-resident viruses do not infect the computer's memory and remain active for a limited time. Some viruses leave small resident programs in RAM that do not spread the virus; such viruses are considered non-resident.

Resident macro viruses can be considered those that are permanently present in the computer's memory for the whole time the infected editor is running. In this case the role of the operating system is taken over by the editor, and the concept of "rebooting the operating system" is interpreted as exiting the editor.

In multitasking operating systems, the lifetime of a resident DOS virus may also be limited by the moment the infected DOS window is closed, and the activity of boot viruses in some operating systems is limited by the moment the OS disk drivers are installed.

The use of STEALTH algorithms allows viruses to hide themselves fully or partially in the system. The most common stealth algorithm is the interception of OS requests to read/write infected objects. Stealth viruses then either temporarily disinfect the objects or "substitute" uninfected pieces of information in their place. In the case of macro viruses the most popular method is to prohibit calls to the macro view menu. One of the first file stealth viruses is the "Frodo" virus; the first boot stealth virus is "Brain".

SELF-ENCRYPTION and POLYMORPHISM are used by almost all types of viruses in order to make the virus detection procedure as difficult as possible. Polymorphic viruses are rather hard-to-detect viruses that have no signatures, i.e. do not contain a single constant piece of code. In most cases two samples of the same polymorphic virus will not have a single matching byte. This is achieved by encrypting the main body of the virus and by modifying the decryptor program.

Various NON-STANDARD TECHNIQUES are often used in viruses in order to hide themselves as deeply as possible in the OS kernel (as the "3APA3A" virus does), to protect their resident copy from detection (the "TPVO" and "Trout2" viruses), to make disinfection harder (for example, by placing a copy of itself in the Flash BIOS), and so on.

ACCORDING TO DESTRUCTIVE CAPABILITIES, viruses can be divided into:

harmless, i.e. not affecting the computer's operation in any way (other than reducing free disk space as a result of their propagation);

non-dangerous, whose influence is limited to reducing free disk space and to graphic, sound and other effects;

dangerous viruses, which can lead to serious malfunctions of the computer;

very dangerous, whose algorithm deliberately contains procedures that can lead to the loss of programs, destroy data, erase information necessary for the computer's operation that is stored in system memory areas, and even, according to one of the unverified computer legends, cause rapid wear of the moving parts of mechanisms by bringing the heads of some types of hard drives into resonance and destroying them.

However, even if no branches are found in a virus's algorithm that damage the system, this virus cannot be called harmless with full confidence, since its penetration into a computer can cause unpredictable and at times catastrophic consequences. After all, a virus, like any program, may contain errors that can result in corruption of both files and disk sectors (for example, the quite harmless-looking "DenZuk" virus works correctly with 360K floppy disks but can destroy information on larger-capacity floppies). There are still viruses that determine "COM or EXE" not by the internal file format but by its extension. Naturally, when the format and the extension do not match, the file becomes inoperable after infection. A resident virus and the system may also "jam" when new versions of DOS are used, or when working with Windows or other powerful software systems. And so on.

6. Prospects: what will happen tomorrow and after tomorrow

6.1. What will happen tomorrow?

What can we expect from the computer underground in the near future? Most likely the main problems will remain: 1) polymorphic DOS viruses, to which will be added the problems of polymorphism in macro viruses and in viruses for Windows and OS/2; 2) macro viruses, which will find newer and newer ways of infecting and hiding their code in the system; 3) network viruses that use the protocols and commands of computer networks to spread.

Point 3) is still at a very early stage: viruses have made the first timid attempts to spread their own code via MS Mail and ftp, but everything is still ahead.

It is possible that other problems will arise that will bring many inconveniences to users and much unscheduled work to the developers of anti-virus programs. However, I look at the future with optimism: all the problems that have ever arisen in the history of viruses have been successfully resolved. It is likely that future problems will be solved just as successfully, while for now those ideas are only hovering in the fevered minds of virus writers.

6.2. What will happen after tomorrow?

What will happen the day after tomorrow, and how long will viruses exist at all? To answer this question, one needs to determine where and under what conditions viruses are found.

The main breeding ground for the mass spread of viruses in computers, in my opinion, must contain the following necessary components:

insecurity of the operating system (OS);

availability of diverse and fairly complete documentation on the OS and the hardware;

wide distribution of the OS and the hardware.

It should be noted that the concept of an operating system should be understood broadly. For example, for macro viruses the operating system is the Word and Excel editors, since it is the editors, not Windows, that provide macro viruses (i.e. Basic programs) with the necessary resources and functions.

If the operating system contains elements of information protection, as is the case in almost all operating systems, it will be extremely difficult for a virus to reach the objects of its attack, since this requires (at a minimum) breaking the password and privilege system. As a result, the work required to write a virus can be done only by high-level professionals (the Morris virus for VAX is an example). And professionals, in my view, are still considerably more responsible than the average in the computing world, and consequently such viruses appear much less often.

For the mass spread of viruses, a sufficient amount of information about their environment is also necessary. How many system programmers working on minicomputers under UNIX, VMS and other operating systems know the process management system in RAM, the formats of executable files and their placement on disk? (This is the information necessary to create a virus.) And therefore, how many of them are able to produce a real full-fledged beast? Another example is the Novell NetWare operating system, which is popular but very poorly documented. As a result, I do not yet know of a single virus that would infect Novell NetWare executable files, although virus writers have repeatedly announced that such a virus will be released in the near future.

Regarding wide distribution of the OS as a necessary condition for a virus invasion, one can say the following: per 1000 programmers there are at most 100 capable of writing a virus, and per that hundred there is one who will bring the idea to completion. Now multiply this proportion by the number of programmers, and the result is obvious: on the one hand there are 15,000 or even 20,000 viruses for IBM-compatible computers, on the other hand there are hundreds of viruses for Apple Macintosh. The same disproportion is seen when comparing the current number of viruses for Windows (several dozen) and for OS/2 (several dozen).

Let us apply the above conditions to the "popularity" of computer viruses in the OSes (including editors) produced by Microsoft (DOS, Windows, Win95/NT and Word, Excel, Office97), which provide fertile ground for the existence of a wide variety of file and macro viruses. Add to this the uniform standards for the partitioning of hard disks. The result is a variety of boot viruses infecting the system at the moment it boots.

To assess the time of a mass invasion of computer viruses on a given OS, one needs to estimate the time at which the above necessary conditions appear together.

It is obvious that in the near future IBM and Apple are not going to yield the mass market to their competitors (to the delight of Apple and IBM programmers), even if these companies have to join forces to do so. It is also not feasible to cut off the flow of information about the most widespread systems, since that would reduce the number of applications for them and hence their "sales". Only one thing remains: protection of the OS. However, OS security requires following certain rules (passwords and the like), which leads to a number of inconveniences. Therefore it seems to me unlikely that such OSes will become popular among ordinary users (secretaries, accountants, home computer owners and so on), or else the security functions will be disabled by the user already when installing the OS.

From all of the above, one can draw a single conclusion: viruses have successfully invaded everyday computer life and are not going to leave it in the foreseeable future.

Computer viruses – myth and reality?


E. KASPERSKY and D. ZENKIN

The epidemic of the "LoveLetter" computer virus that broke out in May of this year once again confirmed the danger that such "computer fauna" carries within itself. Having penetrated hundreds of thousands of computers around the world, the virus destroyed a huge amount of important information, literally paralyzing the work of the largest commercial and government organizations.

This is what the "love letters" sent by the "LoveLetter" virus by e-mail look like. To launch the virus, it is enough to click on the icon.

This picture is displayed by the "Tentacle" virus when you try to view any file with the GIF extension on infected computers. The caption on the picture reads: I am the Tentacle virus.

The "Marburg" virus shows these charming crosses and... deletes files from disks.

The script virus "Monopoly" mocked the head of Microsoft, Bill Gates. Besides showing a funny picture, the virus quietly sends confidential information from the computer.

Unfortunately, the phenomenon of the "computer virus" still evokes superstitious awe rather than a desire to soberly understand the situation and protect oneself. What are these viruses? How dangerous are they? What methods of antivirus protection exist today and how effective are they? Specialists from the leading Russian producer of antivirus programs, Kaspersky Lab, discuss these and other topics.

WHAT IS A COMPUTER VIRUS?

At this point, it would seem simple, but there is still no unambiguous definition. In the specialized literature one can find hundreds of definitions of the concept "computer virus", many of which differ almost word for word. Domestic "virology" usually adheres to the following definition: a computer virus is a program that enters a computer without the user's knowledge and performs various unauthorized actions there. This definition would be incomplete if we did not mention one more property that is mandatory for a computer virus. This is its ability to "multiply", i.e. to create duplicates of itself and embed them into computer networks and/or files, system areas of the computer and other executable objects. Moreover, the duplicates of the virus may not coincide with the original.

The ability of viruses to "multiply" leads some people to equate them with a "special form of life" and to endow them with an "evil intelligence" that makes them commit vile acts to achieve their goal. However, this is nothing but fiction and a game of fantasy. Such a perception of events is reminiscent of medieval ideas about evil spirits and werewolves, which no one saw but everyone feared. The "reproduction" of viruses is no different from, for example, a program copying files from one directory to another. The only difference is that these actions take place without the user's knowledge, i.e. no messages appear on the screen. In all other respects a virus is a perfectly ordinary program that uses one or another set of computer commands.

Computer viruses are one of the subspecies of a large class of programs called malicious codes. Today these concepts are often treated as identical, but from a scientific point of view this is not so. The group of malicious codes also includes the so-called "worms" and "Trojan horses". Their main difference from viruses is that they cannot "multiply".

A worm program spreads across computer networks (local or global) without resorting to "reproduction". Instead it automatically, without the user's knowledge, sends out its original, for example, by e-mail.

"Trojan" programs are generally deprived of any built-in propagation functions: they get onto computers exclusively "with the help" of their authors or of persons using them illegally. Let us recall Homer's Iliad. After many unsuccessful attempts to take Troy by storm, the Greeks resorted to cunning. They built a statue of a horse and left it to the Trojans, pretending to retreat. However, the horse was hollow inside and concealed a detachment of Greek soldiers. The Trojans, who worshipped a deity in the image of a horse, themselves dragged the statue inside the city gates. "Trojan" programs use a similar method of "introduction": they get onto computers under the guise of useful, funny and often very profitable programs. For example, the user receives an e-mail with an offer to run the attached file containing, say, a million rubles. After this file is run, a program quietly settles on the computer and performs various undesirable actions. For example, it can spy on the owner of the infected computer (track which sites he visits, which passwords he uses to access the Internet, etc.) and then send the collected data to its author.

Recently there have been frequent cases of so-called "mutants", i.e. malicious codes combining the features of several classes at once. A typical example is the "Melissa" macro virus, which caused a major epidemic in March of last year. It spread across networks like a classic Internet worm. "LoveLetter" is also a mixture of a network worm and a virus. In more complex cases a malicious program may contain the characteristics of all three types (such as, for example, the "BABYLONIA" virus).

A BRIEF HISTORY OF COMPUTER VIRUSES

Strange as it may seem, the idea of computer viruses appeared long before the advent of personal computers. In 1959 the American scientist L. S. Penrose published an article in the journal "Scientific American" devoted to self-reproducing mechanical structures. This article described the simplest model of two-dimensional structures capable of activation, reproduction, mutation and capture. Soon the US researcher F. G. Stahl implemented this model in machine code on an IBM 650.

In those days computers were huge, hard to operate and extremely expensive machines, so their owners could only be large companies or government computing and scientific centers. But on April 20, 1977 the first "people's" personal computer, the Apple II, rolled off the assembly line. Its price, reliability, simplicity and convenience of operation predetermined its wide distribution in the world. The total sales of computers of this series reached more than three million units (not counting numerous copies, such as Pravets 8M/S, Agat and others), which exceeded by an order of magnitude the number of all other computers existing at that time. Thereby millions of people of different professions, social strata and mentalities gained access to computers. It is not surprising that it was then that the first prototypes of modern computer viruses appeared, since two of the most important conditions for their development had been met: the expansion of the "living space" and the emergence of means of propagation.

Subsequently, conditions became more and more favorable for viruses. The range of personal computers available to the average user expanded; in addition to flexible 5-inch magnetic disks, hard disks appeared; local networks developed rapidly, as did technologies for transmitting information over ordinary dial-up telephone lines. The first network data banks, BBS (Bulletin Board System), or "bulletin boards", appeared, which greatly facilitated the exchange of programs between users. Later many of them grew into large online reference systems (CompuServe, AOL, etc.). All this contributed to the fulfillment of the third most important condition for the development and spread of viruses: individuals and groups of people engaged in their creation began to appear.

Who writes virus programs and why? This question (with a request to indicate the address and telephone number) particularly worries those who have already been subjected to a virus attack and have lost the results of many years of painstaking work. Today the portrait of the average "virus writer" looks like this: a man, 23 years old, an employee of a bank or financial organization, responsible for information security or network administration. However, according to our data, his age is somewhat lower (14-20 years), and he is a student or not employed at all. The main thing that unites all the creators of viruses is the desire to stand out and show themselves, even in the manner of Herostratus. In everyday life such people often look like touchingly quiet people who would not hurt a fly. All their vital energy, hatred of the world and egoism find a way out in the creation of petty "computer abominations". They tremble with pleasure when they learn that their "child" has caused a real epidemic in the computer world. However, this is already the sphere of competence of psychiatrists.

The 1990s, marked by the rise of the global Internet, turned out to be the most fertile time for computer viruses. Hundreds of millions of people around the world became "users" whether they wanted to or not, and computer literacy became almost as necessary as the ability to read and write. Whereas earlier computer viruses developed mainly extensively (i.e. their number grew, but not their qualitative characteristics), today, thanks to the improvement of data transmission technologies, one can speak of the opposite. The "primitive ancestors" are being replaced by more and more "smart" and "cunning" viruses, far better adapted to their new conditions of habitat. Today's virus programs no longer limit themselves to corrupting files and boot sectors or playing harmless melodies. Some of them destroy data on motherboard chips. At the same time, the technologies of masking, encryption and propagation of viruses sometimes surprise even the most experienced specialists.

HOW VIRUSES ARE

To date, approximately 55 thousand computer viruses have been registered. Their number is steadily increasing, and new, previously unknown types are appearing. Classifying viruses is more important than rivers. Finally, they can be divided into groups based on the following basic characteristics: dowkill, operating system, features of the robot algorithm. Therefore, with these three classifications, the Chernobil virus, for example, can be classified as a file-resident non-polymorphic Windows virus. The report will explain what this means.

1. Habitat

First of all, file viruses, boot viruses and macroviruses must be distinguished.

Originally the most widespread form of computer "infection" was file viruses, which "live" in the files and folders of the computer's operating system. These include, for example, "overwriting" viruses (from the English "to write over"). Once in the computer, they write their own code in place of the code of the file being infected, destroying its contents. Naturally, the file stops working and cannot be restored. These are, however, rather primitive viruses: as a rule they are very noticeable and cannot cause an epidemic.

"Companion" viruses are more "cunning" (from the English "buddy", "companion"). They do not change the file itself, but create a twin file in such a way that when the infected file is launched, control is received by this twin, i.e. by the virus. For example, "companion" viruses running under DOS exploit a feature of this operating system: it first executes files with the COM extension, and only then files with the EXE extension. Such viruses create twins for EXE files with the same name but the COM extension. The virus is written to the COM file and does not change the EXE file. When the infected file is launched, DOS first finds and executes the COM file, i.e. the virus, and the virus then launches the file with the EXE extension.

Other "companion" viruses simply rename the file being infected and write their own code to disk under the old name. For example, the file XCOPY.EXE is renamed to XCOPY.EXD, and the virus is written under the name XCOPY.EXE. When the file is launched, control is received by the virus code, which then launches the original XCOPY, stored under the name XCOPY.EXD. Viruses of this type have been found in many operating systems - not only DOS, but also Windows and OS/2.

There are other ways of creating twin files. For example, viruses of the "path-companion" type "play" on a feature of DOS PATH - the hierarchical record of file locations in the DOS system. The virus copies its code under the name of the file being infected, but places it not in the same directory, but one level higher. In this case DOS finds and launches the virus file first.
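The companion tricks described above leave a trace on disk that an administrator can look for: a NAME.COM beside a NAME.EXE, or the same name repeated in an earlier search-path directory. The following script is an added example written for this article, not code from the original text or from any anti-virus product. It assumes a DOS-style lookup order (current directory first, then each PATH entry in order; within a directory .COM before .EXE) and builds a small constructed directory tree to scan.

```python
"""Added example: spotting companion-virus style twins and PATH shadowing.

Illustrative code for this article, not from the original text or from an
anti-virus product. Assumption: a DOS-style lookup order in which the current
directory is searched first, then each PATH directory in order, and within one
directory NAME.COM is executed before NAME.EXE.
"""
import os
import tempfile
from typing import Dict, List, Tuple

EXEC_EXTS = (".com", ".exe")


def search_order(cwd: str, path_dirs: List[str]) -> List[str]:
    """Directories in the order a DOS-style shell consults them for a bare name."""
    order: List[str] = []
    for d in [cwd] + list(path_dirs):
        d = os.path.normpath(d)
        if d not in order:
            order.append(d)
    return order


def find_shadowing(cwd: str, path_dirs: List[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, runs_first, shadowed) triples.

    "com-twin":    NAME.COM sits beside NAME.EXE in one directory; the .COM
                   runs first (the classic companion pattern).
    "path-shadow": the same base name also exists in an earlier search-path
                   directory, so that copy runs instead (the "path-companion"
                   pattern).
    A finding is only a candidate for review: a legitimate COM/EXE pair or a
    deliberately installed wrapper looks identical on disk.
    """
    findings: List[Tuple[str, str, str]] = []
    first_seen: Dict[str, str] = {}  # lower-case base name -> path that runs first
    for d in search_order(cwd, path_dirs):
        if not os.path.isdir(d):
            continue
        by_base: Dict[str, Dict[str, str]] = {}
        for name in sorted(os.listdir(d), key=str.lower):
            base, ext = os.path.splitext(name.lower())
            if ext in EXEC_EXTS:
                by_base.setdefault(base, {})[ext] = os.path.join(d, name)
        for base, exts in by_base.items():
            if ".com" in exts and ".exe" in exts:
                findings.append(("com-twin", exts[".com"], exts[".exe"]))
            winner = exts.get(".com") or exts[".exe"]
            if base in first_seen:
                findings.append(("path-shadow", first_seen[base], winner))
            else:
                first_seen[base] = winner
    return findings


def build_demo_tree() -> Tuple[str, List[str]]:
    """Constructed layout (placeholder bytes, not real executables):

        <root>/XCOPY.EXE          one level up, earlier on the PATH
        <root>/TOOLS/XCOPY.EXE    the real tool
        <root>/TOOLS/XCOPY.COM    a twin that would run before it
        <root>/TOOLS/FORMAT.EXE   untouched control file
    """
    root = tempfile.mkdtemp(prefix="companion-demo-")
    tools = os.path.join(root, "TOOLS")
    cwd = os.path.join(root, "WORK")
    os.makedirs(tools)
    os.makedirs(cwd)
    for rel in ("XCOPY.EXE", "TOOLS/XCOPY.EXE", "TOOLS/XCOPY.COM", "TOOLS/FORMAT.EXE"):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"MZ constructed placeholder; not a real program\r\n")
    return cwd, [root, tools]


if __name__ == "__main__":
    demo_cwd, demo_path = build_demo_tree()
    for kind, runs_first, shadowed in find_shadowing(demo_cwd, demo_path):
        print(f"{kind:12} {runs_first}  runs instead of  {shadowed}")
```

Against the constructed tree the scan reports two findings: the COM twin beside TOOLS/XCOPY.EXE, and the XCOPY.EXE one level up that takes precedence over the whole TOOLS pair. On a real system the list still has to be reviewed by hand, which is exactly why the change auditors and scanners discussed later in this article exist.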

The principle of operation of boot viruses is based on the operating system's startup algorithms. These viruses infect the boot sector of a floppy disk or hard drive - a special area on the disk that contains the program for the initial booting of the computer. If the contents of the boot sector are changed, you may not even be able to start the computer.

Macroviruses are a type of computer virus created using the macro languages built into popular office applications such as Word, Excel, Access, PowerPoint, Project, Corel Draw and others (see "Science and Life" No. 6, 2000). Macro languages are used for writing special programs (macros) that increase the efficiency of office applications. For example, in Word you can create a macro that automates the process of filling in and sending faxes. Then the user only has to enter the data in the form fields and click the button - the macro does the rest. The trouble is that, besides useful ones, harmful macros can also get into the computer, macros capable of creating their own copies and performing actions without the user's knowledge, for example changing the contents of documents or deleting files or directories. These are macroviruses.

The greater the capabilities of a particular macro language, the more cunning, sophisticated and dangerous the macroviruses that can be written in it. The most widespread macro language today is Visual Basic for Applications (VBA). Its capabilities grow rapidly with each new version. Thus, the more advanced office applications become, the more dangerous it is to work in them. That is why macroviruses today pose a real threat to computer users. According to our forecasts, every year they will become more and more elusive and dangerous, and the speed of their spread will soon reach unprecedented levels.

2. The operating system being infected

Each file or boot virus infects files of one or several operating systems - DOS, Windows, OS/2, Linux, MacOS, etc. This is the basis of the second method of classifying viruses. For example, the "BOZA" virus, which works only in Windows and nowhere else, belongs to the Windows viruses; the "BLISS" virus belongs to the Linux viruses, and so on.

3. Working algorithms

Viruses can also be distinguished by the working algorithms they use, i.e. by the various software tricks that make them so dangerous and hard to catch.

First of all, all viruses can be divided into resident and non-resident. A resident virus is like a spy who works permanently in a foreign country. Once in the computer's RAM, the virus stays there until the computer is turned off or rebooted. It is from there that the resident virus carries out its destructive actions. Non-resident viruses do not infect the computer's memory and can "multiply" only when they are launched.

All macroviruses can also be classed as resident. They are present in the computer's memory for the whole time the application infected by them is running.

Secondly, viruses can be visible and invisible. For the ordinary user, a virus's invisibility is perhaps its most mysterious property. But there is nothing demonic about it. "Invisibility" consists in the virus, by means of software tricks, preventing the user or an anti-virus program from noticing the changes it has made to the infected file. Constantly residing in the computer's memory, the stealth virus intercepts the operating system's requests to read and write such files. Having intercepted the request, it substitutes an uninfected version for the infected file. In this way the user always sees only "clean" programs, while the virus quietly does its "dirty work". One of the first invisible file viruses was "Frodo", and the first invisible boot virus was the "Brain" virus.

To camouflage themselves as much as possible from anti-virus programs, almost all viruses use self-encryption or polymorphism, i.e. they can encrypt and modify themselves. While changing their external appearance (the program code), viruses fully preserve the ability to perform their harmful actions. Previously anti-virus programs could detect viruses only "by sight", by their unique program code. That is why the appearance of polymorphic viruses several years ago caused a real revolution in computer virology. Universal methods of fighting such viruses now exist.

METHODS OF COMBATING COMPUTER VIRUSES

The basic thing to remember when fighting computer viruses is not to panic. Thousands of high-class anti-virus specialists work in the computer security field, and their professionalism far exceeds the combined potential of all the computer hooligans - hackers. In Russia, two computer companies are engaged in anti-virus research - Kaspersky Lab (www.avp.ru) and DialogNauka (www.drweb.ru).

In order to resist successfully the attempts of viruses to penetrate your computer, two simple conditions must be met: follow the basic rules of "computer hygiene" and use anti-virus programs.

In the time the anti-virus industry has existed, a great many means of countering computer viruses have been devised. The variety and diversity of today's protection systems is truly striking. Let's try to work out the advantages and disadvantages of the various protection methods and how effective they are against different types of viruses.

Today, five main approaches to anti-virus security can be distinguished.

1. Anti-virus scanners.

The pioneer of the anti-virus movement was the scanner program, which appeared almost simultaneously with computer viruses themselves. The scanner's principle of operation is based on checking all files, boot sectors and memory and searching them for virus signatures, i.e. the unique program code of the virus.

The main drawback of the scanner is its inability to track the various modifications of a virus. For example, there are several dozen variants of the Melissa virus, and for almost every one of them anti-virus companies have had to release a separate anti-virus database update.

This leads to a second problem: during the time between the appearance of a new modification of a virus and the release of the corresponding anti-virus, the user remains practically unprotected. True, specialists later invented and built into scanners an original algorithm for detecting unknown viruses - the heuristic analyzer, which checks program code for the possible presence of a computer virus. However, this method has a high false-positive rate, is not reliable enough and, moreover, does not allow the detected virus to be removed.

And finally, the third drawback of the anti-virus scanner is that it checks files only when you "ask" it to, i.e. when you launch the program. Meanwhile, users very often forget to check suspicious files, for example those downloaded from the Internet, and as a result infect the computer with their own hands. The scanner can establish the fact of infection only after the virus has already appeared in the system.
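The first drawback of the scanner, its blindness to variants, is easy to show in code. The block below is an added example for this article, not code from any anti-virus product; every byte sequence in it is a constructed stand-in for a virus's "unique program code", not real virus code. It keeps one exact signature of the kind described above and one masked signature in which "??" matches any byte, then scans a constructed original, a constructed variant that differs in two bytes, and a benign file.

```python
"""Added example: exact versus masked signatures in a scanner.

Illustrative code for this article, not taken from any anti-virus product.
All byte sequences are constructed stand-ins; they are not real virus code.
"""
import re
from typing import Dict, List

# Exact signature: the scanner's original approach. A variant that changes
# even one of these bytes is missed until a new database entry ships.
EXACT_SIGS: Dict[str, bytes] = {
    "Demo.A": bytes.fromhex("5a4d1f3e7cc3 1122 9e0b"),
}

# Masked signature: "??" is a wildcard for one byte. It covers the bytes the
# variants are known to change, at the price of a higher false-positive risk,
# since fewer fixed bytes means more innocent files can match.
MASKED_SIGS: Dict[str, str] = {
    "Demo.gen": "5a 4d 1f 3e 7c c3 ?? ?? 9e 0b",
}


def mask_to_regex(mask: str) -> "re.Pattern[bytes]":
    """Translate "5a ?? 0b" into a bytes regex; DOTALL lets '.' match any byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in mask.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes) -> List[str]:
    """Return the names of every signature found in data, exact ones first."""
    hits = [name for name, sig in EXACT_SIGS.items() if sig in data]
    hits += [name for name, mask in MASKED_SIGS.items()
             if mask_to_regex(mask).search(data)]
    return hits


# Constructed sample "files" (not real programs).
ORIGINAL = b"MZ constructed program image " + bytes.fromhex("5a4d1f3e7cc311229e0b") + b" tail"
VARIANT = b"MZ constructed program image " + bytes.fromhex("5a4d1f3e7cc3aabb9e0b") + b" tail"
BENIGN = b"MZ constructed benign program image with no signature inside"

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{label:9} -> {scan(blob)}")
```

The original is caught by both signatures, the two-byte variant only by the masked one, and the benign file by neither. The masked signature is the database author's trade-off: it closes the gap between variants that the text describes, but every wildcard widens the set of innocent files that could match, which is the same false-positive problem the heuristic analyzer suffers from.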

2. Anti-virus monitors.

Essentially, anti-virus monitors are a variety of scanner. Unlike the latter, however, they stay in the computer's memory permanently and perform background checking of files, boot sectors and memory in real time. To enable anti-virus protection of the computer, it is enough to load the monitor when the operating system starts. All launched files will then be checked for viruses automatically.

3. Change auditors.

The work of this type of anti-virus program is based on taking original "fingerprints" (CRC sums) of files and system sectors. These "fingerprints" are stored in a database. At the next launch, the auditor compares the current "fingerprints" with the stored originals and informs the user about the changes that have occurred.

Change auditors also have drawbacks. First, they cannot catch a virus at the moment it appears in the system, but only after some time, when the virus has already spread across the computer. Second, they cannot detect a virus in new files (in e-mail, on floppy disks, in files restored from backup copies, or in files unpacked from an archive), because the auditors' databases contain no information about these files. Some viruses exploit this, infecting only newly created files and thus remaining invisible to auditors. Third, auditors need to be launched regularly - the more often this is done, the more reliable the control over virus activity will be.
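The following script is an added example for this article, not code from any auditor product. It builds a baseline of CRC32 values (the "CRC sums" the text mentions) for a constructed directory tree, stores it as JSON, and on the next run reports modified, new and missing files. The "new" list is the second drawback from the text made visible: the auditor can say a file was not there before, but has no fingerprint to judge its contents against.

```python
"""Added example: a change auditor built on CRC sums, with its blind spot.

Illustrative code for this article, not from any anti-virus product. Paths
and file contents below are constructed for the demo.
"""
import json
import os
import tempfile
import zlib
from typing import Dict, List


def crc32_of(path: str) -> int:
    """CRC32 of a file, computed in chunks so large files are not read whole."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def take_snapshot(root: str) -> Dict[str, int]:
    """Relative path -> CRC32 for every regular file under root."""
    snap: Dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = crc32_of(full)
    return snap


def save_baseline(snap: Dict[str, int], path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, int]:
    with open(path, "r", encoding="utf-8") as fh:
        return {k: int(v) for k, v in json.load(fh).items()}


def audit(root: str, baseline: Dict[str, int]) -> Dict[str, List[str]]:
    """Compare the current tree against the stored baseline."""
    now = take_snapshot(root)
    return {
        "modified": sorted(p for p in now if p in baseline and now[p] != baseline[p]),
        "new": sorted(p for p in now if p not in baseline),      # unknown, not judged
        "missing": sorted(p for p in baseline if p not in now),
    }


def run_demo() -> Dict[str, List[str]]:
    """Constructed tree: take a baseline, then change it and audit again."""
    root = tempfile.mkdtemp(prefix="auditor-demo-")
    store = tempfile.mkdtemp(prefix="auditor-db-")   # keep the database out of the tree
    os.makedirs(os.path.join(root, "BIN"))
    files = {
        "COMMAND.COM": b"constructed shell image",
        "BIN/XCOPY.EXE": b"constructed xcopy image",
        "BIN/FORMAT.EXE": b"constructed format image",
    }
    for rel, body in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(body)
    baseline_path = os.path.join(store, "baseline.json")
    save_baseline(take_snapshot(root), baseline_path)

    # Simulated changes since the baseline was taken.
    with open(os.path.join(root, "COMMAND.COM"), "ab") as fh:
        fh.write(b" appended bytes")                           # modified
    with open(os.path.join(root, "BIN", "NEW_TOOL.EXE"), "wb") as fh:
        fh.write(b"constructed file the baseline never saw")   # new
    os.remove(os.path.join(root, "BIN", "FORMAT.EXE"))         # missing

    return audit(root, load_baseline(baseline_path))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:9}: {paths}")
```

Two practical notes. The database must live outside the audited tree (and ideally on read-only media), otherwise a change to the database itself goes unreported. And CRC32 is the checksum the text names, but it is not tamper-resistant: a file can be altered so that its CRC32 is unchanged, so anything beyond a demonstration should swap `zlib.crc32` for a cryptographic hash such as `hashlib.sha256`.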

4. Immunizers.

Anti-virus immunizer programs are divided into two types: immunizers that report infection, and immunizers that block infection by some particular type of virus.

The first type is usually written to the end of each file (following the principle of a file virus) and, whenever the file is launched, checks it for changes. Such immunizers have only one drawback, but a fundamental one: they are absolutely unable to detect stealth viruses, which cunningly hide their presence in an infected file.

The second type of immunizer protects the system from infection by a particular virus. For this, files are modified so that the virus takes them for already infected. For example, to prevent a COM file from being infected by the "Jerusalem" virus, it is enough to append the line MsDos to it. And to protect against a resident virus, a program imitating a copy of the virus is loaded into the computer's memory. When launched, the virus encounters it, assumes that the system is already infected and does not bother with it.

Of course, files cannot be immunized against all known viruses: each virus has its own way of determining whether a file is infected. That is why immunizers have not become widespread and are practically not used at present.

5. Behavioral blockers.

All the types of anti-virus described above share one major problem - protection against unknown viruses. Computer systems are defenseless against them until the anti-virus vendors develop an antidote, and sometimes that takes quite a long time. In that time you can lose all your important information.

A definitive answer to the question "what to do about unknown viruses?" will only be given in the coming millennium. Some forecasts, however, can already be made today. In our opinion, the most promising direction of anti-virus protection is the creation of so-called behavioral blockers. They are the ones that can resist attacks by new viruses with a practically 100% guarantee.

What is a behavioral blocker? It is a program that constantly resides in the computer's RAM and "intercepts" various events in the system. If it detects "suspicious" actions (of the kind a virus or other harmful program may perform), the blocker forbids the action or asks the user for permission. In other words, the blocker does not fight the virus code; it prevents the virus's actions.

In theory, a blocker can stop the spread of any virus, both known and unknown (written after the blocker). But the problem is that "virus-like" actions may also be performed by the operating system itself and by useful programs. A behavioral blocker (here we mean the "classic" blocker used to fight file viruses) cannot determine on its own who exactly is performing the suspicious action - a virus, the operating system or some program - and therefore has to ask the user for confirmation. So the user who makes the final decision must have enough knowledge and experience to give the right answer. There are few such people. That is why blockers have not become popular, although the idea itself has been around for a long time. The advantages of these anti-virus programs often turned into drawbacks: they seemed too intrusive, bothering the user with their constant queries, and users simply removed them. Unfortunately, this situation can only be corrected by the use of artificial intelligence that could work out on its own the reasons for a particular suspicious action.

Today's behavioral blockers can, however, be used successfully against macroviruses. In programs written in the VBA macro language it is possible, with a very high probability, to separate harmful actions from useful ones. At the end of 1999, Kaspersky Lab developed a unique system for protection against macroviruses in the MS Office package (versions 97 and 2000), based on new approaches to the principles of the behavioral blocker - AVP Office Guard. On the basis of an analysis of macrovirus behavior, the sequences of actions that occur most often were identified. This made it possible to build into the blocker a new, highly intelligent macro filtering system that practically unerringly picks out those macros that represent a real threat. Thanks to this, the AVP Office Guard blocker, on the one hand, asks the user far fewer questions and is not as "intrusive" as its relatives, and on the other, blocks practically 100% of macroviruses, including those not yet written.

AVP Office Guard intercepts and blocks even multi-platform macroviruses, i.e. viruses capable of working in several applications at once. In addition, AVP Office Guard controls the work of macros with external applications, including mail programs. This rules out the spread of macroviruses through e-mail. And it was in exactly this way that the "LoveLetter" virus infected tens of thousands of computers around the world.

The effectiveness of a blocker would be zero if macroviruses could disable it at will. (This is one of the drawbacks of the anti-virus protection built into MS Office applications.) AVP Office Guard has a new mechanism for countering macrovirus attacks on itself that aim to disable it and remove it from the system. Only the user can do that. Thus, using AVP Office Guard will save you the constant headache of downloading and connecting anti-virus database updates to protect against new macroviruses. Once installed, this program will reliably protect your computer from macroviruses right up to the release of a new version of the VBA programming language with new functions that can be used for writing viruses.

Even with a behavioral blocker installed, however, one main problem remains: it identifies and prevents the spread of many macroviruses, but does not remove them. Therefore an anti-virus scanner must be used alongside it to destroy the viruses it detects. The blocker lets you safely wait out the period between the detection of a new virus and the release of the updated anti-virus database for the scanner, without stopping computer systems out of fear of losing valuable data for good or seriously damaging the computer's hardware.
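The two blocker passages above (the "classic" blocker that must ask the user, and the macro blocker that decides from a sequence of actions) can be condensed into one rule engine. The block below is an added example for this article; the event vocabulary, weights and thresholds are assumptions made for the demo and are not the rules of AVP Office Guard or any other product. It scores each macro on the individual risky actions it performs, treats "reads its own VBA source, then writes VBA code somewhere else" as the replication chain that is blocked outright, and returns allow, ask or block per macro, so that only the genuinely ambiguous cases reach the user.

```python
"""Added example: a rule-based behavioral blocker for office macros.

Illustrative code for this article. The event names, weights and thresholds
are assumptions for the demo, not the rules of AVP Office Guard or any other
product. The events themselves are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    macro: str    # name of the macro performing the action
    action: str   # what it tried to do
    target: str   # what it acted on


# Single actions that are legitimate in some macros but raise the risk score.
RISK_WEIGHTS: Dict[str, int] = {
    "write_global_template": 2,   # touching the global template affects every document
    "set_macro_security": 3,      # lowering protection is almost never benign
    "send_mail": 1,               # mail merges do this; mass-mailers do too
    "delete_file": 2,
}
# The replication chain: a macro reads its own source, then writes VBA code
# elsewhere. Seen in this order it is blocked regardless of the score.
CHAIN = ("read_own_vba_code", "write_vba_code")
BLOCK_THRESHOLD = 3
ASK_THRESHOLD = 1


def has_chain(actions: List[str]) -> bool:
    """True if the CHAIN actions occur in order (not necessarily adjacent)."""
    idx = 0
    for act in actions:
        if act == CHAIN[idx]:
            idx += 1
            if idx == len(CHAIN):
                return True
    return False


def verdict_for(actions: List[str]) -> str:
    """'block', 'ask' (defer to the user) or 'allow' for one macro's actions."""
    if has_chain(actions):
        return "block"
    score = sum(RISK_WEIGHTS.get(act, 0) for act in actions)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= ASK_THRESHOLD:
        return "ask"
    return "allow"


def evaluate(events: List[Event]) -> Dict[str, str]:
    """Group events by macro, preserving order, and return a verdict per macro."""
    per_macro: Dict[str, List[str]] = {}
    for ev in events:
        per_macro.setdefault(ev.macro, []).append(ev.action)
    return {name: verdict_for(actions) for name, actions in per_macro.items()}


# Constructed event stream: a fax form, a mail merge, a self-replicating
# macro, and a clean-up macro that deletes files.
SAMPLE_EVENTS: List[Event] = [
    Event("FaxForm", "fill_field", "Recipient"),
    Event("FaxForm", "fill_field", "Subject"),
    Event("FaxForm", "print_document", "Fax.doc"),
    Event("MailMerge", "open_document", "Letters.doc"),
    Event("MailMerge", "send_mail", "customers.csv"),
    Event("AutoOpen", "read_own_vba_code", "ThisDocument"),
    Event("AutoOpen", "write_vba_code", "Normal.dot"),
    Event("AutoOpen", "write_global_template", "Normal.dot"),
    Event("AutoOpen", "set_macro_security", "Low"),
    Event("AutoOpen", "send_mail", "AddressBook"),
    Event("DocCleanup", "delete_file", "temp1.doc"),
    Event("DocCleanup", "delete_file", "temp2.doc"),
]

if __name__ == "__main__":
    for name, decision in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:11} -> {decision}")
```

The fax macro is allowed without a question, the mail merge is the one case where the user is consulted (a single mass-mail action is ambiguous on its own), the self-replicating macro is blocked by the chain rule before its score is even needed, and the clean-up macro shows that enough individually risky actions also cross the block threshold. Tuning the weights is the whole art: set them too low and the blocker becomes the "intrusive" tool users uninstall; too high and the replication chain is the only thing it catches.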

COMPUTER HYGIENE RULES

Never open files sent to you by e-mail by people you do not know. Even if the sender is known to you, be careful: your friends and partners may not suspect that a virus is lurking on their computer, quietly sending copies of itself to the addresses in their address book.

Be sure to check all floppy disks, CDs and other removable media, as well as files received from the Internet and other public resources (BBS, electronic conferences, etc.), with an anti-virus program.

Carry out a complete anti-virus check of your computer after getting it back from a repair service. Repairmen use the same floppy disks to check all computers - they can easily bring in an "infection" from another machine!

Install patches for the operating systems and programs you use promptly.

Be careful when allowing other users access to your computer.

To increase the safety of your data, periodically back up your information on separate media.

I often get questions from users such as: "My computer is broken. It burned out, etc. They told me it was a virus. Is that true?" Such questions always make me laugh and give a short answer - "Of course not, it isn't true."
Isn't it amazing that most computer owners believe computer viruses can burn out a computer, right up to setting fire to the apartment?

That is how various myths are born and begin to spread, with the help of all sorts of self-styled "computer masters" who only yesterday learned to hold a mouse.

And so the standard answer to any breakdown is "Yes, a virus must have burned yours out" or "I can't fix it, some virus must have done it." Since he does not know what broke or why, the standard phrase is "It's a virus." Well, and then word of mouth does its work, and stories about vicious viruses that burn out hundreds of computers in a couple of seconds are passed from person to person.

Hollywood has done its part here too, with films in which computer viruses destroy the computers of innocent users in the most brutal way; do not believe everything they show in the cinema.

The main myths about computer viruses and a little humor

This is not true: a computer virus cannot cause any physical harm to your components. Of course, in theory it is possible to make changes, for example, to a video card. But in 99% of cases the fault lies with the user himself, who tried to overclock or reflash the video card, and not with a mythical virus.

I personally am not aware of a single case of components breaking down (burning out) because of viruses.

2. Computer viruses are indestructible.

This is also nonsense. Viruses work only inside the operating system, i.e. while Windows is running. And after formatting the hard drive on which Windows is installed, all data, including viruses, is completely erased.

3. Viruses continue their dirty work even when the computer is turned off.

No, viruses cannot do anything if the computer is turned off, because a virus is a program.

4. The computer is infected with a virus and will not turn on.

Windows may fail to start because of a virus, but the computer itself turns on without any problem.

5. Yes! Viruses eat computers, gnaw holes in video cards and other components, breed in the warm core of the processor heatsink and feed on its power.

Of course, this point is a joke; there are no such viruses. I just could not write this article without a little humor. The questions from active users that this point sums up are only slightly exaggerated.

What can viruses do?

So, viruses can be quite dangerous and capricious. But the things I described above they cannot do. The most common viruses are those that delete information from your disk and infect various files. What you see is not them, but the anti-virus that has found them in your files.
In general, viruses are mostly trash. Of course there are also their more serious brethren, but even they cannot burn a computer out.

The thing to remember is that a virus is an ordinary program that copies (multiplies) itself and can harm other programs. And if it is a program, it cannot go beyond the functions of a program.

I will be glad to read in the comments people's comical arguments about what viruses can do.

Illya Oleksandrov

History of computer viruses

They have already become familiar. School computer science teachers no longer frighten their pupils with them; they are no longer written about on the front pages of newspapers. But they continue to play their destructive role in the life of computer users.

Harbingers of electronic epidemics

It is impossible to say exactly where and when the first virus appeared, since no such data exist. Although there were no viruses yet on the "computer" of Charles Babbage, the "father" of the first computing machine, by the mid-70s of the last century they had become quite widespread and an unpleasant phenomenon for many. Yet the prerequisites for their creation appeared almost immediately after the creation of the first computers.

Back in 1940, the mathematician John von Neumann wrote a book describing self-reproducing mathematical machines, the principles of which formed the basis of all viruses. In 1959, the American scientific journal "Scientific American" published an article by L. Penrose about self-reproducing biological structures. The author examined the ability of such structures to mutate, activate and reproduce. Another scientist, F. Stahl, put the knowledge gained from this article into practice. Working as an operator in a research laboratory, he had access to the most powerful computer of the time - the IBM 650. The experiment exceeded all Stahl's expectations. The electronic "creature", the result of a "mutation" of mathematical algorithms, destroyed all traces of its "parents" present in the system, and then self-destructed.

Of course, none of these steps and experiments were undertaken so that today's virus writers could release megabytes of new "infection" onto the Internet. Initially, research into the creation of artificial intelligence was of purely academic interest. But any discovery made in a peaceful process can, without much difficulty, be turned into a weapon of destruction.

In 1961, the game Darwin was very popular among computer users. Its plot and rules were simple: the player controls a "race" that has to destroy its competitors. The winner was whoever captured all the RAM allocated to the game process. The game had no special actions: one had to multiply, seizing free areas of RAM for one's own race, or take over the enemy's areas. An algorithm like this is very similar to the working logic of destructive programs.

The wide spread of computer networks became the catalyst for the emergence of the first destructive programs - computer viruses.

The 70s: the beginning

The appearance of the world's first computer virus was recorded in the early 70s of the last century, when the Creeper program was discovered on the military computer network ARPAnet - the forerunner of the modern Internet. The virus was written for the then widespread Tenex operating system and got into computers through modem connections. On the screens of infected computers the message periodically appeared: "I'M THE CREEPER: CATCH ME IF YOU CAN." Creeper performed no destructive actions, limiting itself to messages that annoyed users. A little later an "antidote" was written - the Reaper program, which found the file with the virus and deleted it. It spread across the network in the same way as Creeper. One could say that the world's first anti-virus was created "in the image and likeness" of a harmful program.

In 1974, a program called Rabbit became a "frequent guest" on various servers. "Rabbit" did nothing except spread and multiply without restraint. The program reproduced at great speed, gradually taking up all the system resources. Sometimes Rabbit even brought the servers to a halt.

Another example is the logic game Pervading Animal for the Exec 8 operating system, in which the program had to guess an animal the player had in mind. If it failed, the game offered to improve itself, after which it could ask additional questions.

The modified version of the program unexpectedly began copying itself into other directories, and as a result, after a while, every folder on the hard drive contained a copy of Pervading Animal. Since every kilobyte of space was then worth its weight in gold, few people were pleased by this behavior of the game. It is still unclear whether this was a programmers' mistake or a deliberate act by the virus writers. But the problem was resolved quickly - the new version of the Exec 8 operating system was based on a different type of file system, and the program could no longer fill up the disk space.

80s: first epidemics

By the eighties of the last century, the computer had ceased to be a luxury inaccessible to ordinary people. There were more and more PC owners, and the exchange of information between users through electronic bulletin boards (BBS - Bulletin Board System) reached an international scale.

In 1981, the first mass virus epidemic broke out. At that time it affected Apple II computers. The Elk Cloner virus was written to the boot sectors of floppy disks at the moment the user accessed them. Elk Cloner inverted the image on the monitor, displayed various text messages on the screen and made the text blink. Bewildered users were dumbfounded by the virus's antics, while it kept "moving" from one computer to another.

In 1983, the American programmer Len Adleman used the term "virus" for the first time, defining it as a program that reproduces itself.

In 1986, the 19-year-old Pakistani Basit Farooq Alvi wrote the Brain virus. Just like Elk Cloner, Brain attacked the boot sectors of floppy disks. The program had only basic functions, and it also changed the label of every floppy disk to "(C)Brain". As the author claims, he pursued only one aim - to draw attention to the rampant computer piracy in his country. Just a few years after the virus was activated, thousands of computers around the world were found to be infected, which caused a great stir among journalists and discussion in the mass media. Brain has another "first": when an infected sector of the disk was read, the virus substituted an uninfected one for it.

In 1988, the first harmful program appeared that not only infected the computer but also caused real damage. This virus was created at Lehigh University, where, incidentally, Fred Cohen was working at the time. The Lehigh virus destroyed information on disks by infecting the COMMAND.COM system file. The presence of qualified specialists at the university played its part - the virus never made it beyond the institution. Lehigh's own algorithm also helped eliminate the threat of an epidemic - when hard drives were formatted, it self-destructed along with the rest of the information.

At the same time, software that protected computers from viruses began to develop actively. The anti-virus programs of that time were simple scanners that, using a context search, could detect virus code in programs. The other widespread "face" of protection software at the time was the "immunizer". This type of software modified all programs in such a way that viruses considered them already infected and did not carry out their usual actions. Once the number of viruses had grown thousands of times over, the use of immunizers became impractical.

Anti-virus companies most often consisted of two or three people and sold their products for a symbolic sum or distributed them free of charge. Although the prevalence of harmful programs was still fairly low, the constant emergence of new viruses gave them no respite. The Internet at that time had not yet "broken away" from the "bosom" of the scientific world, and fighting viruses without a global network was practically impossible.

In the 80s the term "Hoax Virus" - "virus hoax" - appeared. For example, in the 1980s users were terribly afraid of viruses: myths about programs that damaged the PC's hardware gripped the mind of every user. A Virus Hoax was nothing more than false rumors about a new computer epidemic. There is a known story of one joker who spread information on a BBS about the appearance of a new virus that spread through modems operating at 2400 bits per second. To avoid catching the virus, the author recommended switching to modems with a speed of 1200 bps. And what do you think? A mass of users sold their faster modems for the sake of their "safety".

In 1988, the first epidemic caused by a network virus occurred. Such viruses later came to be called "worms". Created by Robert Morris, the program attacked computers running the UNIX OS. The creator's plans did not include destroying the system; the worm was only supposed to get into the ARPAnet network and remain unnoticed there. The virus carried a large list of passwords for the OS, and in the list of running processes Morris's creation looked like an ordinary user process. The worm quickly reproduced itself and consumed all the computer's resources, which brought entire servers down. Some of them could only return to work five days later, once a "vaccine" against the disease had appeared. During its "walk around the world" the virus infected about 6,000 computer systems, reaching even the computers of NASA's Research Center. Robert Morris was sentenced to 400 hours of community service and went down in history as the author of the first network worm.

90s: polymorphic viruses

At the beginning of the 90s of the last century, the English company Sophos, headed by Jan Hruska, Ed Wilding and Peter Lammer, started publishing the magazine Virus Bulletin. Virus Bulletin covered computer viruses and every aspect of protection against them. The magazine's authors were software engineers, developers from anti-virus companies and information security specialists. The magazine was non-commercial: in its entire history it has never carried a single advertisement. Because of this Virus Bulletin did not gain wide circulation. Its readers were mostly professionals in the IT (information technology) field, as well as security specialists at computer companies.

In 1990 a new type of malicious program appeared: polymorphic viruses. "Polymorphism" is a technique that makes it impossible to detect a virus with a scanner that recognises viruses by fragments of already known malicious code. Polymorphism allows a program to generate its code on the fly at launch, so that a different copy of the virus is created on each newly infected computer. The first such virus was Chameleon, written by Mark Washburn. After the appearance of polymorphic programs, a code emulator for decryption, first used by Eugene Kaspersky, became an indispensable part of the antivirus.
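To make the detection side of this paragraph concrete, here is an added example (not code from the article or from any antivirus product) that contrasts a plain byte-signature scanner with one that first emulates a decryption stub. The "sample", its one-byte stub format and the signature are all constructed for the demonstration; no real instruction set or real malware is involved.

```python
"""Why byte-signature scanning misses polymorphic code, and how a tiny
emulator recovers the invariant body.  Added example with toy data."""

# Constructed invariant "body": the part a scanner has a signature for.
BODY = b"INVARIANT-BODY:demo payload text"
SIGNATURE = b"INVARIANT-BODY"   # fragment of known code the scanner looks for

# Constructed stub layout (an assumption of this example, not a real ISA):
#   byte 0 : opcode 0xD0, "XOR-decode everything after the key byte"
#   byte 1 : the one-byte key
#   byte 2+: BODY, XOR-encoded with that key
DECODE_OP = 0xD0


def make_variant(body: bytes, key: int) -> bytes:
    """Build one 'generation' of the sample: same body, different bytes."""
    return bytes([DECODE_OP, key]) + bytes(b ^ key for b in body)


def static_scan(sample: bytes, signature: bytes) -> bool:
    """A first-generation scanner: search the raw bytes for the fragment."""
    return signature in sample


def emulate(sample: bytes) -> bytes:
    """Run the stub's decode loop on a copy of the sample and return the
    bytes as they would look at the moment the body executes."""
    if len(sample) < 2 or sample[0] != DECODE_OP:
        return sample                  # no recognised stub: scan as-is
    key = sample[1]
    return bytes(b ^ key for b in sample[2:])


def emulating_scan(sample: bytes, signature: bytes) -> bool:
    """Emulate first, then apply the same signature to the decoded bytes."""
    return signature in emulate(sample)


def demo(keys=(0x00, 0x5A, 0xFF)) -> dict:
    """For each key, report (static scanner hit, emulating scanner hit)."""
    results = {}
    for key in keys:
        variant = make_variant(BODY, key)
        results[key] = (static_scan(variant, SIGNATURE),
                        emulating_scan(variant, SIGNATURE))
    return results


if __name__ == "__main__":
    for key, (static_hit, emu_hit) in demo().items():
        print(f"key=0x{key:02X}: static={static_hit} emulating={emu_hit}")
```

Only the degenerate key 0x00 leaves the body in the clear; every other generation defeats the static scanner while the emulating scanner still matches, which is exactly why the emulator became a standard component.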

Around the same time in Bulgaria, then the center of world virus writing, a specialized BBS appeared from which anyone could download malicious programs. Newsgroups devoted to virus programming appeared on UseNet.

At the same time Mark Ludwig's book "The Little Black Book of Computer Viruses" was published. It became the "bible" of all virus writers. A so-called "VX scene" formed: a community of programmers who specialized in writing computer viruses.

Constructors of malicious programs

In 1992 a hacker known under the pseudonym Dark Avenger released the MtE (Mutation Engine) utility. With its help even the most primitive virus could be made polymorphic. This is how the Peach virus, the first to target an antivirus program, was created. Peach deleted the database of the Central Point AntiVirus program. Not finding its database, the program assumed it was being run for the first time and created it anew. In this way the virus bypassed the defense and continued infecting the system.
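The Peach story is a lesson about integrity checkers rather than about one product, so here is an added example (constructed files and a constructed key; not the code of Central Point AntiVirus or any other product) that places the weak behaviour described above beside a hardened variant: the baseline is created only on explicit request, it is authenticated with an HMAC whose key is assumed to live off the protected host, and a missing or altered baseline is itself reported as a finding instead of being quietly rebuilt.

```python
"""Integrity-database hardening, prompted by the Peach story above.
Added example with constructed files and a constructed key."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key (assumption of this example).  In a real deployment the
# key, or the whole baseline, is kept off the protected host, e.g. on
# read-only media or a separate system, so malware on the host cannot forge it.
KEY = b"constructed-demo-key-not-for-production"


def file_digest(path: str) -> str:
    """SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        h.update(fh.read())
    return h.hexdigest()


class NaiveChecker:
    """The weak behaviour the text describes: if the database is missing,
    assume a first run and rebuild it from whatever is on disk right now."""

    def __init__(self, db_path: str, files):
        self.db_path, self.files = db_path, list(files)

    def check(self) -> list:
        if not os.path.exists(self.db_path):
            with open(self.db_path, "w") as fh:
                json.dump({f: file_digest(f) for f in self.files}, fh)
            return []                      # silently trusts the current state
        with open(self.db_path) as fh:
            baseline = json.load(fh)
        return [f for f in self.files if baseline.get(f) != file_digest(f)]


class HardenedChecker:
    """Baseline is created only on explicit request, authenticated with an
    HMAC, and its absence or corruption is itself reported as a finding."""

    def __init__(self, db_path: str, files, key: bytes):
        self.db_path, self.files, self.key = db_path, list(files), key

    def _mac(self, digests: dict) -> str:
        msg = json.dumps(digests, sort_keys=True).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def init_baseline(self) -> None:
        digests = {f: file_digest(f) for f in self.files}
        with open(self.db_path, "w") as fh:
            json.dump({"digests": digests, "mac": self._mac(digests)}, fh)

    def check(self) -> list:
        if not os.path.exists(self.db_path):
            return ["baseline-missing"]    # never rebuilt on its own
        with open(self.db_path) as fh:
            record = json.load(fh)
        digests = record.get("digests", {})
        if not hmac.compare_digest(self._mac(digests), record.get("mac", "")):
            return ["baseline-tampered"]
        return ["modified:" + f for f in self.files
                if digests.get(f) != file_digest(f)]


def scenario() -> dict:
    """Walk both checkers through a modified file, a deleted database (what
    Peach did) and a tampered database.  All inputs are constructed."""
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "a.bin"), os.path.join(d, "b.bin")
    for p in (a, b):
        with open(p, "wb") as fh:
            fh.write(b"clean program " + os.path.basename(p).encode())
    naive_db, hard_db = os.path.join(d, "naive.json"), os.path.join(d, "hard.json")
    naive = NaiveChecker(naive_db, [a, b])
    hard = HardenedChecker(hard_db, [a, b], KEY)
    naive.check()                          # first run creates the naive baseline
    hard.init_baseline()                   # explicit, deliberate baseline
    out = {"files": (a, b)}

    with open(a, "ab") as fh:              # 1. ordinary change: both detect it
        fh.write(b"+appended")
    out["after_modify"] = (naive.check(), hard.check())

    os.remove(naive_db)                    # 2. the Peach trick: delete the DB
    os.remove(hard_db)
    with open(b, "ab") as fh:
        fh.write(b"+appended")
    out["after_db_deleted"] = (naive.check(), hard.check())

    hard.init_baseline()                   # 3. forge the DB contents
    with open(hard_db) as fh:
        record = json.load(fh)
    record["digests"] = {}
    with open(hard_db, "w") as fh:
        json.dump(record, fh)
    out["after_db_tampered"] = hard.check()
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(step, result)
```

In step 2 the naive checker rebuilds its database from the already-modified file and reports nothing, which is the Peach bypass; the hardened checker reports the missing baseline instead. The HMAC only helps if the key is genuinely unavailable to code running on the protected host, which is the assumption stated in the comment.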

A group of programmers known as Nowhere Man released the VCL (Virus Creation Laboratory) virus constructor. Now any schoolboy with no programming knowledge could become a "constructor" and create a virus of any type and destructive power. With the appearance of VCL, the already considerable "stream" of new computer infections became simply enormous. Is it any surprise that only a few days after Windows 3.11 appeared, the first malicious program for that platform appeared as well? Win.Vir_1_4 infected the executable files of the operating system, rendering some of them unusable.

The first virus writer to be arrested

During 1993-94 new virus constructors appeared: PS-MPC and G2. The malicious programs generated with them became the main problem on the Internet.

At the same time there was a real "boom" among antivirus vendors: their programs, as they say, became a standard component of almost every OS. Microsoft took the lead in the security market with the release of Microsoft AntiVirus (MSAV). The program was popular at first, but later the world's largest software manufacturer discontinued the product.

Leadership in the industry gradually passed to Symantec, which absorbed the largest manufacturers of antivirus software: Central Point and Fifth Generation Systems.

The epidemic of the new polymorphic virus Pathogen was no longer anything extraordinary, as such things had already become commonplace. However, this was the first virus whose author was found and convicted. The unemployed Christopher Pile was sentenced to 18 months in prison for creating malicious programs.

Attack on Microsoft

In 1995 all the disks of the Windows 95 operating system sent to beta testers turned out to be infected with the Form boot virus. Fortunately, one of the testers was attentive, and a normal, uninfected system reached store shelves.

At the same time the first macro virus appeared, written in the WordBasic language built into the MS Word text editor. The Concept macro virus infected hundreds of thousands of computers all over the world and for a long time headed the statistical surveys of computer magazines.

In 1996 Windows 95 users experienced their first epidemic: their computers were infected with the Boza virus. At the same time, the authors of macro viruses moved from Word to the MS Excel spreadsheet editor, releasing the Laroux virus for it.

Resident viruses using the services of the OS "ring zero" did not take long to appear. Win95.Punch loaded into the system as a VxD driver, intercepted accesses to files and infected them.

Antivirus software

In 1997 the Linux operating system, until then revered as a bastion of "purity and stability", stopped being a virus-free platform. Linux.Bliss, which spread through UseNet newsgroups, infected the executable files of the OS.

The same year saw the appearance of two new types of worms, which spread through IRC and FTP. IRC could "boast" a particularly large number of them, largely owing to its popularity and to the number of "holes" in mIRC, the main client for such networks.

At the end of the 20th century, in the race for leadership, scandals among antivirus vendors became commonplace. Thus, representatives of McAfee announced that they had found a flaw in the antivirus of the company Dr. Solomon's. The essence of the claim was that Dr. Solomon's product could detect new and technically sophisticated viruses only in a special "enhanced" mode, which it switched to after discovering basic, primitive ones. As a result, the antivirus showed good speed when scanning uninfected disks and excellent detection results when working with infected files. In response, Dr. Solomon's filed a lawsuit against McAfee, the grounds being an "improperly conducted advertising campaign". In the end the whole "mess" concluded with McAfee buying a controlling stake in Dr. Solomon's.

Some time later, Taiwanese developers from Trend Micro made a public statement accusing McAfee and Symantec of "violating their data scanning patent". Evidence of the two companies' "innocence" was soon presented to the world, and Trend Micro achieved its goal, receiving obvious free advertising in the mass media.

The most destructive viruses

There is no sense in continuing a detailed history of computer viruses up to the present day, since hundreds and thousands of new malicious programs appear every year. I will limit myself to a brief account of the best-known viruses that appeared after 1997:

CIH (1998) – the losses caused by the virus came to nearly 80 million dollars. The virus was written by a programmer in Taiwan and became one of the most dangerous in history. CIH infected executable files and activated on April 26, the anniversary of the accident at the Chornobyl nuclear power plant. It overwrote the Flash BIOS, after which motherboards became unusable. It was the first and last virus to damage PC hardware.

Melissa (1999) – on February 26, 1999 this macro virus spread around the world by e-mail, infecting nearly 20% of office computers worldwide. The largest corporations, such as Intel, were forced to halt work on their local networks. Losses: from 300 to 500 million dollars.

ILOVEYOU (2000) – a script written in Visual Basic. Like Melissa, it was sent by e-mail, with the message subject "I love you". The virus sent copies of itself to all addresses in the mail client's address book. All logins and passwords the worm found on the computer were sent to the program's author. The latter, by the way, was never punished: he is a resident of the Philippines, where no punishment for computer crimes had been provided for.

Code Red (2001) – a network worm that exploited a vulnerability in the Microsoft IIS web service. On a set day, infected computers launched a DDoS attack on a list of various servers, including systems in the United States. The scale of the epidemic was enormous and, as a result, so were the losses: 2.5 billion (!) dollars.

Blaster (2003) – a network worm that displayed on infected computers a message about the need to reboot. Within a few days of its release on the Internet (August 11), millions of computers around the world were infected.

Sobig.F (2003) – a network worm that spread by e-mail. The virus multiplied with great speed, downloading additional files to infected computers and "eating up" traffic and system resources. An interesting feature: on September 10 the virus ceased its activity and no longer posed a threat to the user. The author of Sobig.F, for information about whom Microsoft offered 250 thousand dollars, is still unknown.

Bagle (2004) – a network worm that spread in the classical way, using file attachments in e-mail messages. A special backdoor was installed on the infected computer, through which an attacker could gain access to the system. The virus has over a hundred modifications.

MyDoom (2004) – in 2004 this virus spread rapidly across the Internet, as a result of which the average speed of access to websites worldwide fell by 50%. The worm holds the record for the fastest rate of spread: nearly two million infected computers. An exact figure for the losses cannot be determined because of the scale of the epidemic. The virus was created by an unknown programmer as an experiment and stopped its activity on its own the same year.

Sasser (2004) – the virus "knocked out" French satellite data channels and cancelled the flights of various airlines, not to mention ordinary computers, whose work was completely paralyzed. Sasser spread by exploiting vulnerabilities in the security of Windows 2000 and XP, running a port scanner on the infected computer. The virus was written by a 17-year-old German schoolboy. Remarkably, the boy released the virus on his birthday.

No end in sight

The history of computer viruses is not over; it continues today. Possibly, as you read these lines, some provincial programmer is writing a new virus, even more cunning and destructive than the previous ones.

Well, we can only rely on the antivirus companies and look after the security of our own systems.

Supplement

Viruses for mobile devices

In 2000 a virus for the PalmOS platform was discovered for the first time. The Phage.936 program spread between PDAs during data transfer via the infrared port. When a device was infected, some files were deleted and programs often closed on their own. Since then dozens of viruses have appeared for various PDA platforms, although they are not as varied and "malicious" as their "brothers" for personal computers.

Nowadays malicious programs for smartphones no longer surprise anyone. The first virus for Symbian OS was Cabir. It performed no destructive actions and was created only to demonstrate the potential vulnerability of mobile devices to virus attacks and epidemics. The worm spread over Bluetooth connections. How long remains before new viruses for mobile devices appear, only time will tell.

  1. http://www.viruslist.com/ru – virus encyclopedia with descriptions of all viruses; news and analytical reviews.
  2. http://vx.netlux.org – magazines and articles about viruses; source codes and manuals.

Dmitro Moroz
