|
NIA #14 - Spreading the Disease I: Thoughts from a
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
???????????????????? ????????????????????????????????? ????????????????????
? Founded By: ? ? Network Information Access ? ? Founded By: ?
? Guardian Of Time ??? 07APR90 ??? Guardian Of Time ?
? Judge Dredd ? ? Judge Dredd ? ? Judge Dredd ?
???????????????????? ? File 14 ? ????????????????????
? ????????????????????????????????? ?
? ????????????????????????? ?
?????????????????SPREADING THE DISEASE I?????????????????
?????????????????????????
This was an article in USENET posted by the man who created the first virus
documentable. I will reprint it here for your general knowlegde and benefit.
It deals with the virus, the author/creator, and his personal frame of mind.
The article that follows is in first person told by the virus Author. You can
contact me at Mother Earth (5p-7a 24hrs weekends) and all questions will be
entertained. I am sorry about this inconvenience as I will have my NET Id soon.
$_Article
Sorry this article is rather long, but if you still have any old DOS 3.3
Apple ][ disks lying around please read it! (Feel free to read it for general
entertainment value too, of course, even if you don't possess any such
historical disks.)
I have been asked by Gene Spafford to write an article detailing the
life story of a Virus I wrote for Dos 3.3 on the Apple ][ in December, 1981
for one of his journals. Spafford wants me to write the story up because it's
the earliest _documentable_ personal computer virus he's heard of. I'm trying
to get more information that I plan to use to make that article more complete.
1) Why did I write a virus? Am I an evil scum?
At the time (remember, this was 1981) I was an undergraduate at Texas
A+M. There was an active community of Apple ][ users in my dorm (Shuhmacher),
with an _incredible_ amount of copying of pirated game programs going on. I
noted that most games were damaged in various sorts of ways, but they were
almost always still playable despite the damage. (For example, there was one
popular Star Trek game in BASIC that had occasional garbage control characters
in non-critical REM and PRINT statements; space war games often had random junk
replacing some pictures of ships, etc.) I decided that I could explain this by
invoking a sort of "evolution".
For evolution to occur, you need mutation and natural selection. Well,
there was "mutation" caused by people hacking with the games; more importantly,
many copies of games were also accidentally mangled by sick disks and computers. .
(People would keep using game disks until they literally disintegrated. My early
model Apple ][ was notoriously unreliable, and would crash about every 30
minutes in all sorts of interesting ways. A few well-placed bangs would usually
get it working again.) "Natural Selection" entered the picture with the actions
of users to either "reproduce" or "kill" copies of games. (For example, if your
copy of a game was not playable, you would go get a fresh copy of it from your
neighbor, reproducing his copy and killing yours. As there was only a finite
amount of disk space for games, there was also competition between species of
programs, too.)
This idea of programs inhabiting a sort of computer biosphere led
naturally to the idea of a "Computer Virus" as a likely accidental outcome of
such evolution. My experiments started when I tried to find out what the minimum
change to DOS was to make it viral. (I was thinking of something like a prion,
a sort of proto-virus that can be created by repeated damage to plants. A prion
can't jump from plant to plant by itself, but it will happily hitch a ride on
your machete if you let it. Supposedly prions are actually becoming a serious
agricultural problem with palm trees in some parts of the world.) As I
remember the answer for DOS 3.3 was about 16 bytes, which was within the
bounds of what could happen naturally if Apple computers with people randomly
copying games between them were to exist for a few million years! The next
logical step was trying to guess what an evolutionarily OPTIMAL program might
look like. Certainly the program would be more successful if it didn't rely on
the good will of humans to reproduce, but likewise it is a bad idea to damage
your host (or give humans a reason to expend effort trying to kill you). So
the ideal virus would spread by itself, but not cause harm or even any
"symptoms" of any kind, if it could help it.
I discussed these ideas with friends, many of whom also had Apple ]['s.
None of them had ever heard of such a thing as a "computer virus" at the time.
(Many Apple ][ users I knew scoffed at the idea that such a thing could possibly
exist.) Well, by this time creating a virus sounded like a really interesting
project, and it was a good excuse to learn 6502 machine language, so a group
of us started working on my "evolutionarily optimal program" off and on in our
(infrequent) spare time. Our first attempt, "Virus version 1" was finished
in early 1982. Virus 1 was infectious, but still caused some symptoms on my
computer despite our best efforts, so we kept it strictly quarantined and
kept hacking.
A couple months later Virus 2 was finished. It seemed to cause no ill
effects at all, so I proceeded with the next step in my experiments and turned
it loose in my own disks. The goal of this experiment was to see how quickly
such a program would spread through my own disks if I continued using my
computer normally. (So I had another good reason to want to make sure the virus
was completely innocuous. In fact, in the end almost all of Virus 2's code was
to check for various sorts of dangerous situations: non standard DOS, non
standard disks, programs altering DOS, etc. In these cases the virus would
either not attempt infection or immediately disconnect itself from DOS,
committing suicide.)
Interest in my "research" was high among the Apple community at A+M,
so I also gave copies of Virus 2 to several friends who wanted to play with
it. The idea of computer viruses spread rapidly; several other people started
working on their own "less boring" (read damaging) ones. Fortunately (as far
as I ever knew) they spent all of their time trying to dream up interesting
pranks for the virus to pull, instead of determinedly trying to produce a
working "evil" virus.
2) Did my virus ever escape?
At first we carefully kept Virus 2 quarantined, but after a few
months with no damaging symptoms we got a little lax, and the inevitable
happened. I first found out Virus 2 had escaped when one of my A+M friends who
had graduated and moved on to grad school at UIUC reported that everybody's
copy of a (pirated) game called "Congo" had mysteriously stopped working there.
Whenever people tried to get a fresh working copy, they would find that
previously working copies would then also stop working. My friend realized
what had happened and wrote me about it. We quickly wrote an "immunizer"
program and distributed it at UIUC; the standard Apple utility "master create"
sufficed as a disinfectant. We were never quite sure whether _all_ escaped
copies of Virus 2 at UIUC were killed off, though.
I was disappointed that Virus 2 was a failure, and started work on
Virus 3. It turned out that Virus 2 caused problems because it made DOS 1 sector
(256 bytes! a significant chunk of memory!) larger, to accomodate the extra
code. A very few programs would blow up in strange ways because of this. (The
solution was simply to boot from a noninfected disk, and THEN run the programs.)
So the goal for Virus 3 was that it should take up no room in memory, and no
room on disk. After some thought, we came up with a solution: Most of Virus 3's
guts resided in unprotected memory where they could be freely written over. A
small routine buried safely inside holes in DOS's Read-Write Translate Table
triple-checked the unprotected code before jumping to it. (This code was a real
nightmare; some bytes in the table served double duty as critical data values
for DOS and executable op codes for the virus.) Virus 3 was a success; we never
encountered any program whose behaviour was affected by the virus's presence.
The worst part about writing a DOS virus was that whenever I made a
mistake DOS would stop working, and I'd have to re-poke the bytes in by hand,
which I kept written down on pieces of junk mail! Using an assembler was out
of the question, as the whole thing was only about 300 bytes and scattered in
tiny bits and pieces in several places in DOS. It had lots of JMPs all over
the place, self-modifying code and other such nightmares, all to make it as
small as possible. (The larger it was and the more exposed in memory, the more
work it was to replicate itself and the more chance there was of something
unexpected going wrong.)
3) What finally happened?
Well, I don't really know. Since Virus 3 was effectively completely
invisible, after a while we lost interest and pretty much forgot about the whole
thing. We again intended to keep the virus quarantined, but a spot check in the
fall of 1983 shortly after I graduated and moved to Stanford turned it up in
several of my friends' collections on disks they thought were uninfected.
By that point they didn't think it was worth the bother of removing it, though,
so it spread unchecked. Interest in viruses at A+M had died down by this time,
too. I only heard about my virus once more: around 1984 my friend at UIUC
reported that an "evil" virus was attacking Apples there, and causing a lot of
damage by randomly initializing disks. Some disks had a form of immunity to
the evil virus, however: when infected by the evil virus, they would crash
at boot time (which was better than appearing to boot normally and then causing
damage later). It turned out the "immune" disks were ones that had previously
been infected by Virus 3!
>>>>>>>> Here's where I need your help: <<<<<<<<<<
4) Does it still exist?
That's what I'd like to find out. The Virus wasn't particularly
infectious; it only spread on "CATALOG" commands. It attached itself only
to DOS, not programs, and was very careful only to attach itself to
absolutely vanilla 48K slave DOS 3.3. Still, there are some old DOS 3.3 disks
out there yet, aren't there?
If you would like to look for it, here's where in memory to look:
beginning at B6E8 regular DOS 3.3 has a bunch of 00's. Boot the disk you want
to check to load that disk's copy of DOS into memory. Infected disks or
non-infectious descendants of infected disks will have text of the form
"(GEN 0000000 TAMU)"
(in Hex this is "A8 C7 C5 CE A0 B0 B0 B0 B0 B0 B0 B0 A0 D4 C1 CD D5 A9")
at B6E8. You can also see this text go by near the end of track 0, sector 0 if
you use some utility to dump your disk as text. The number is a generation
count, and so will be different in your copy. (13 generations saturated my own
and my friends' collections, if you're interested.) If you should find the
generation count, you might try also looking at 9CFE and 9CFF. If the virus is
alive, this should contain the initials of the friend of mine who let your
copy of the virus escape. (If it's JD, then I'm the guilty party.)
Hopefully Virus 2 was wiped out, but perhaps it wasn't. If you want to
check the version, the simplest way is to do a "CATALOG" of the disk you're
checking, and then look at B3BF. Vanilla DOS 3.3 has a "00" at this location.
Virus 2 instead has 02, and Virus 3 similarly has 03. (This "immunity" byte
can spread when a new disk is initialized, thus providing a way for immunity
to be created and passed on. For example, if a master disk is attacked it
will be left marked immune but will be free of infection. Slave disks
initialized off the master disk would then also be immune, even though they
would otherwise be susceptible.)
(If you don't find zeros at B6E8, 9CFE, and B3BF, but also don't find
the bytes I've mentioned, then I don't know any more about it than you do,
and there's not much point in getting excited and flaming me via e-mail.)
If you DO find my virus on one of your old Apple ][ disks, please
let me know! It will make the paper much more interesting! I'll acknowledge
you at the end! (And please accept my apologies!)
5) Did the idea of Viruses I started spread or die out?
Certainly everybody knows about viruses today. Did you hear rumors
of some strange person at A+M working on one around 1982-1983? (And no, I
was NOT the person who was expelled from A+M about that time for breaking
into the mainframe and stealing Chemistry exams. I never kept my activities
secret, nor did anything I thought I had to keep secret. For example, my virus
is mentioned in a "Computer Recreations" column in 1986, but the author of that
article mangled the information I sent him rather badly.)
Do you know anything about the people who were breaking and
distributing the copy-protected software turning up at A+M? The rumors
at the time at A+M were that the software was coming "from Chicago".
Many programs were "signed" by the breakers with such psuedonyms as
"The Jerk", "The Beaver", and "Apple Pirated Program Library Exchange".
Do you know anything about what happened at A+M after spring, 1983,
after I graduated? I was told by one A+M graduate I met in 1989 that Virus 3
made it into the A+M Computer User's Group's disks after I left, but I don't
really know that.
6) Any other early virus-writers have any interesting stories to confess?
I'd be curious to hear if anybody else tried to write a virus before
they became commonplace and criminal. Surely the idea must have occurred to
many other people about that time!
$_End Article
$_EOF
[OTHER WORLD BBS]
|
|
