Computer viruses: a story from harmless home spies to bank card thieves



DISCLAIMER: This article is written for informational and educational purposes and does not claim a high level of technical detail. The diagrams in the article are not promotional in nature.

The history of computer viruses spans almost 40 years. One of the very first viruses was written for an Apple computer (although it did not lead to a mass infection of Apple machines). This happened in 1981, and the "pioneer" was called Elk Cloner. This early specimen was fairly harmless, but annoying: on every fiftieth boot the user of the infected computer saw a rhyme on the screen (funny, though not for the PC's owner), after which the computer went back to working normally.

Elk Cloner spread via floppy disks: when the system booted from an infected disk, it loaded a copy of the virus into memory. It had no serious effect on the computer, since it was written for fun by an American schoolboy, Rich Skrenta. Thus Elk Cloner, which would more accurately be called a prank program, laid the foundation for the large category of "boot viruses", since it lived in the Apple II boot sector. Interestingly, online you can often find the claim that there are no viruses for OS X and iOS. In fact, in addition to Elk Cloner, there is modern malware for Apple platforms too, although it must be admitted that there is far less of it than for Windows and Android.

The first widespread virus for PCs running MS-DOS appeared in 1986 and was called Brain. However, the developers of this virus, the Pakistani brothers Farooq Alvi, did not set out to harm anyone: they wrote Brain to protect a medical program they had written from unlicensed copying.

It worked like this: if a pirated copy of the program was detected, the virus slowed the floppy drive somewhat and also limited the memory available to the program. Interestingly, the creators of Brain made sure that when it ran, the user received not only an infection message but also the developers' phone number, with a promise to send a "cure" (there were, of course, no antivirus programs yet). For a while the brothers kept their word, but there were so many infections that one could speak of a real epidemic: users from all over the world began calling the unfortunate Pakistani number, and the brothers had no choice but to disconnect the phone. So the world survived the first "pandemic" caused by a computer virus.

What are viruses?


Since their appearance, computer viruses have come a long evolutionary way: modern malware works far more subtly than the programs of the 80s and 90s, and it is much harder to detect. In this respect computer viruses closely resemble their "older brothers", biological viruses. Today a user may not notice for years that a program is running on their computer that quietly collects information about the PC or other device, forces the computer to perform certain actions, or conceals the actions of other, far more dangerous programs. Each type of such program has its own name, and each serves a different mercenary goal of the attacker.

Worms


The oldest viruses were precisely "worms". In 1961, employees of the American Bell Labs invented a game called "Darwin", in which "organisms" of one type had to capture "organisms" of another type, and the player whose "organisms" captured all of the computer's memory won. This harmless toy formed the basis of the worm's principle: a program that consumes the computer's resources in order to slow down, and in some cases completely paralyze, its work.

A special and today the most common group are network worms. Exploiting vulnerabilities in network software, such programs move automatically from one computer to another, infecting an ever-growing number of PCs. Some worms can guess passwords from prepared dictionaries and, having broken into mailboxes and accounts, spread further, searching for new victims on their own. The goals of worm authors vary, but most often worms are launched to send spam or to disrupt the networks of competitors, up to blocking them completely.

Trojans


Like the ancient Greeks hiding in a wooden horse to get inside Troy, these viruses enter the computer as part of other, apparently harmless programs, and until the user launches the program in which the Trojan hides, they lie low. But as soon as the program's executable file is launched, you activate this dangerous guest, which, depending on its type, will do you harm: steal information, spread other, no less dangerous malware, or damage certain files. With rare exceptions, Trojans cannot reproduce on their own, but in terms of the harm they do they are far more dangerous than worms and can cause enormous damage to the computer's owner.

Rootkits (maskers)


The main goal of these seemingly harmless programs is to hide the activity of other malicious programs and the actions of attackers. To do this, rootkits resort to a variety of tricks: they change the operating system's modes of operation, quietly disable or enable various functions, and the most advanced can almost imperceptibly block the operation of antivirus programs, so that those cannot find the electronic pests masked by the rootkit, or the even more dangerous human intruders rummaging around on your PC.

Zombies


In nature there are so-called dementor wasps, whose venom completely paralyzes a cockroach's will and makes it follow the wasp to its nest, where the wasp lays its eggs in it, and the zombie cockroach becomes food for the larvae. Zombies are common in the virtual world too. Such zombie viruses act like those wasps, forcing the computer system to execute commands (for example, to take part in massive attacks on various resources, send spam, and so on). At the same time, most PC owners do not even realize that their machine has been "zombified" and is executing an attacker's commands.

Spyware


The main task of a spy is to steal valuable information in the country to which his handlers sent him. Similarly, spyware programs try to steal logins and passwords for user accounts, and a significant share of them aim to send unsuspecting users' bank card and account details to the virus creators.

A special type of spyware are keyloggers, that is, programs that capture keyboard input, write the entered characters to a log, and send these logs to the attacker's server. Such programs can intercept almost any input, from logins and passwords on websites to correspondence in instant messengers and social networks, up to a complete record of everything typed. Keyloggers are a fairly common type of spyware, popular not only among hackers but also among people who spy on their partners or household members.



Adware


Such viruses harm not so much the computer as the user, because advertisements suddenly start appearing on the screen, and how often they appear varies widely. We came across programs that showed ads daily at the same time, and an adware-infected browser that constantly changed its start page or periodically redirected to the intruders' site.

Winlocks (blockers)


One of the most unpleasant types of viruses: it paralyzes the PC with a window that cannot be closed without rebooting. Blockers display instructions on what the user must do so that the virus creator unlocks the computer. In 100% of cases this is the attacker's payment details, but do not rush to send money: no one will remove the lock for you.

Bootkits (boot viruses)


Unlike blockers, which openly tell the user what they want, bootkits act quietly, which is far more dangerous for PC owners. By installing themselves in the boot sectors of disks, bootkits quietly take control of the OS and gain access to the personal information of the computer's owners. In this way attackers take over user accounts, read all correspondence, including encrypted correspondence (bootkits can also steal encryption keys), and can even steal files.

Recent threats


Modern viruses are written not only for PCs but also for devices running Android, iOS and other mobile operating systems. However, the principle of their operation is the same, and in general they fit into the classification above.

Cybercriminals still use every opportunity to harm others for personal gain. Thus the recently declared COVID-19 pandemic has become a pretext for attackers seeking to get hold of users' valuable data. In March, a new application appeared that stole user data under the guise of a WHO application about the coronavirus. Launching it activates a Trojan that starts collecting information about user accounts and sending it to its creator.

Several cyberattacks on medical facilities were also organized: some attackers tried to paralyze the work of hospitals, while others (the developers of the Maze ransomware) tried to extort money, threatening that if their financial demands were not met they would leak data about the patients of one research center online. The ransomware operators did not get their money, so the data of all former patients was made public.

Among other interesting news, on March 26, 2020 a hacker stole the source code of new AMD GPUs. An announcement appeared online from the hacker stating that the information would be published in the public domain if a buyer could not be found. In addition, a group of cybercriminals was discovered that developed the Milum bootkit, which gives its operators full access to infected hosts.

Legends with a minus sign


Although computer viruses are not even half a century old, in this short period they have already managed to make plenty of noise and have repeatedly frightened users around the world.

One of the very first computer virus epidemics happened back in 1988, when the "great worm", or Morris worm, named after its creator Robert Morris, began to spread across the ARPANET network in the USA. The worm, guessing passwords, flooded users' computers with copies of itself and managed to infect about 6 thousand PCs this way, causing damage of about $100 million, a huge sum for those times, especially for a computer program. The creator of the virus voluntarily admitted everything, so he received 3 years' probation, a large fine and community service. This was the first punishment for computer fraud. However, the Morris worm epidemic did computer security a good service: it was after the attack of the "great worm" that computer scientists realized that it would be a good idea to pause after a wrong password is entered. Morris himself was not deterred and went on to create several successful software projects.

In April 1999, the virtual world learned about a new threat, the Taiwanese CIH virus, deadly to data and the OS, which became known under another name: Chernobyl (it triggered on April 26). Chernobyl not only destroyed files on users' hard drives but even damaged the BIOS, infecting about 500 thousand PCs around the world. Before his virus spread on a massive scale, the Taiwanese student Chen Ing-hau (he was arrested in 2000 but then released) first tested it by carelessly infecting his own university's computers in June 1998, and then the virus got out of control via American computer game distribution servers. As it turned out later, Chen had not planned anything bad and created the virus just for fun, and after the mass infection he was so distressed that he even publicly apologized to the Chinese Internet users, who suffered the most from Chernobyl.

In May 2000, the Philippine ILOVEYOU virus entered the computers of more than three million users worldwide via email, but it was not made for declarations of love. Unsuspecting users opened the attachment and after a while discovered that important files had either been destroyed or hopelessly corrupted. At the same time, the cunning ILOVEYOU disguised itself as a text file (the virus files had a double extension), so it was not easy to recognize. This "declaration" caused damage of approximately $10 billion, more than any other computer virus.

One of the longest-lived viruses still spreading today is the Backdoor.Win32.Sinowal bootkit. This boot virus writes itself into the system and takes control of it at the level of disk sectors. It steals even encryption keys and sends the developer personal data as well as user account credentials. It is not yet possible to calculate the exact damage from it; however, given that for several years antivirus programs were not even able to detect this pest (Backdoor.Win32.Sinowal was developed in 2009), users' losses may amount to many millions or even billions of dollars.

One of the most common network worms that exploited Windows security vulnerabilities was Conficker (a not entirely decent English-German contraction of Config Ficker, which can be translated as "configuration fiddler"), launched in November 2008. Within two months the worm had infected more than 12 million computers. Tracking down the villain was not easy, since its creators had learned to quickly change the servers from which the threat spread. Besides the network, the worm could also get onto computers through infected flash drives. Conficker caused users a lot of inconvenience: first, it could disable updates and Windows Defender and block access to antivirus vendors' sites, which made it impossible to obtain current virus databases. The main inconvenience was a serious slowdown of the PC: the worm loaded the processor to 100%, making normal work impossible. This pest also organized network attacks from infected computers.

Festi, the king of electronic spam, launched in 2009, sent about 2.5 billion emails from 250 thousand IP addresses daily, that is, it generated 25% of all the world's spam. To make recognition harder, the developers equipped their malware with encryption, so signature-based search by antivirus programs becomes useless and only a deep scan can help. This virus spreads through pay-per-install (PPI) schemes, in which a webmaster is paid for each download of a file from his site.

The Stuxnet virus, unlike most of its "brothers", damages not virtual but real infrastructure, penetrating digital control systems and causing sabotage at industrial and other critical facilities, for example power plants and airports. It is believed that Stuxnet was developed by the Americans and Israelis to damage Iran's nuclear program, but it managed to harm more than just Iranian facilities. This worm spreads via USB drives and runs on computers with various versions of Windows.

The Carbanak virus became a real nightmare for bankers: in 2014 it caused damage to Russian, American, Swiss, Dutch, Japanese and Ukrainian banks totaling $1 billion. Carbanak acted slowly but surely, first collecting data from ordinary bank employees, which it obtained through email attachments, then working its way up to the top and withdrawing large sums. From penetration of the bank's system to a successful withdrawal, 2 to 4 months could pass.

More than 500 thousand computer users are already crying because of the WannaCry blocker (the name means "I want to cry"), which appeared in May 2017. This ransomware, very widespread in Russia, Ukraine and India, encrypts the contents of the PC and displays a message on the screen demanding money to unlock it. It enters the system through the PC's open TCP ports. The worm itself does not select victims by any criteria, so it paralyzes the work of ordinary users and institutions alike. Thus WannaCry delayed important operations in several hospitals in the UK, and for some time the online services of the mobile operator Megafon and the Russian Ministry of Internal Affairs were paralyzed. Although the worm itself is "blind", WannaCry can be used deliberately by hackers: for example, in the same year 2017, this worm was used in attacks on Sberbank's network infrastructure, but they were successfully repelled by the bank's security service.

Interestingly, this blocker was not written from scratch: WannaCry is a modified version of EternalBlue, a virus written for the needs of the US National Security Agency (NSA). The Americans accuse North Korean intelligence services of spreading the virus, the Russian government is confident that US intelligence services contributed to the spread of WannaCry, while Microsoft uses more cautious language and speaks of "intelligence services of different countries".

How not to infect your computer with viruses?


We now turn to the Captain Obvious section :)

First of all, make sure you have a reliable firewall, an antivirus and an anti-spyware program (the latter are more effective at detecting and removing spyware and adware). There are also antivirus solutions built into browsers, but in our view it is worth having the antivirus run with real-time protection enabled.

If there are important files on your PC or phone (for example, for work), do not forget to back them up regularly, and the copies should be stored not on the device itself but on external drives or in reliable cloud storage, which ideally should be protected by end-to-end encryption so that no one, not even the owners of the storage service, can access your files.

Be careful when surfing the Internet and break the habit of thoughtlessly clicking on banners and links (especially in emails!); it is better to click only on links you are 100% sure of. Relatively recently (in 2014-2016) a method of stealing Skype accounts was very common: the user received a message from a hacked account in their contact list containing only a link. After clicking on the link, you could say goodbye to your account.

Ad blockers can also help, since among other things they actively fight pop-ups that may contain malicious code. Remember to periodically clear your browser cache: spyware and adware may hide in these files.

Do not visit dubious sites, even if you really want to. With a high degree of probability such resources contain malicious code, through which the site owner will try to install spyware or other malware via your browser. Of particular note are so-called phishing sites, that is, fake sites. Their interface looks exactly like the real one, but the devil, as always, is in the details, in this case in the domain name. For example, you are sent a link to a well-known social network, but instead of the correct facebook.com it reads faceboook.com (noticed the difference?). An inattentive user will go to such a site and enter their username and password there, which is exactly what the attacker needs to gain access to your account on the real Facebook. Now imagine that you entered the details of your bank card, holding a tidy sum, on a fake bank website... In general, there are a couple of dozen phishing methods, but that is a topic for a separate article. Of course, blocking in itself is not a sign that a site is fake and infected, but a number of blocked sites really do pose a danger to users.

If you sail the oceans of the Internet under a pirate flag, be careful when downloading and installing cracked paid programs: not all crackers are altruists who post cracked programs out of kindness. So if an antivirus program loudly flags a crack, consider whether this program is really that important to you, because no one can say with confidence that the detection is a false positive. Do not download programs from questionable software distribution sites: they usually slip spyware and other junk into the installers (exe executables). The best solution is to download applications directly from the developers' websites.

Files from third-party sources should be checked for their extension: for example, a double extension almost certainly indicates a malicious program, so do not forget to enable the display of file extensions in Windows. Also make a habit of always scanning all downloaded files with an antivirus program and not opening files you are not sure about. Plugged-in USB drives need to be scanned as well.
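The two checks recommended above, the lookalike domain name (facebook.com versus faceboook.com) and the double extension on a downloaded file, can both be automated. The following is an added example, not code from the original article; the extension lists, the edit-distance threshold and the sample inputs are my own assumptions.

```python
from __future__ import annotations

# Added example: two lightweight checks a defender can wire into a mail
# gateway or download handler. All lists and sample values are constructed.

# Extensions that Windows executes directly (assumed list, extend as needed).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "bat", "cmd", "com", "vbs", "js", "pif", "msi", "ps1"}
# Extensions a user expects to be harmless documents or media.
DOCUMENT_EXTENSIONS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "mp3"}


def has_deceptive_double_extension(filename: str) -> bool:
    """True for names like 'report.pdf.exe': a document-looking extension
    followed by an executable one. With 'hide extensions for known file
    types' enabled, Windows shows such a file as 'report.pdf'."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, middle, last = parts
    return middle in DOCUMENT_EXTENSIONS and last in EXECUTABLE_EXTENSIONS


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimal insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_name(url: str) -> str:
    """Strip scheme, path and port and keep the last two labels, e.g.
    'https://www.facebook.com/login' -> 'facebook.com'. Sufficient for the
    two-label names used here; production code should use a public suffix list."""
    host = url.lower().split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(url: str, trusted: list[str], max_distance: int = 2) -> str | None:
    """Return the trusted domain this URL imitates, or None.
    An exact match is legitimate; a near miss within max_distance edits
    (an extra 'o', a swapped letter, 'rn' for 'm') is flagged as a lookalike."""
    name = registrable_name(url)
    if name in trusted:
        return None
    best: tuple[int, str] | None = None
    for t in trusted:
        d = edit_distance(name, t)
        if 0 < d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    return best[1] if best else None


if __name__ == "__main__":
    # Constructed sample inputs.
    print(lookalike_of("https://faceboook.com/login", ["facebook.com"]))   # facebook.com
    print(lookalike_of("https://www.facebook.com/", ["facebook.com"]))    # None
    print(has_deceptive_double_extension("invoice.pdf.exe"))              # True
    print(has_deceptive_double_extension("archive.tar.gz"))               # False
```

The distance threshold is a trade-off: too high and unrelated short domains collide, too low and a two-character trick such as "rn" for "m" slips through, so tune it against your own allowlist.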



Harmless viruses exist too


The history of computer viruses also includes funny, harmless programs that were technically viruses but did no harm to users. Back in 1997, for example, the HPS virus was written, which temporarily altered bmp graphics files so that they were displayed upside down or mirrored. This could inconvenience users of older versions of Windows, whose interfaces were built from bmp graphics at the time. Still, HPS caused no real damage, so it can rightly be called a harmless joke virus.

"Caring" Welchia


The Welchia worm can claim to be the most useful in history: this program, which appeared in 2003, after downloading itself over the network checked whether the PC was infected with a dangerous network worm (it was written to eliminate the Blaster worm, w32.blaster.worm, also known as LoveSan), removed it, and then automatically tried to install Windows updates closing the network vulnerabilities. After successfully completing all these actions, Welchia... removed itself. True, not everything went smoothly with Welchia either: after installing the Windows updates, the worm forced the PC to restart. And what if at that moment the user was working on an important project and had not yet saved the file? Moreover, while fixing some vulnerabilities, Welchia added others, for example leaving some ports open, which could later be used for network attacks.

