“[Mikko] Our PR team had a meeting with me in 2011, saying that – hey, Mikko, this year, the first PC virus is going to be 25 years old. Should we do something about it?”
That distinctive Finnish accent belongs to Mikko Hypponen, Chief Research Officer for WithSecure – and it’s a name many of you are probably already familiar with because, in addition to being a renowned speaker and a best-selling author, Mikko is also one of the industry’s most seasoned veterans.
“[Mikko] So when I joined this small startup in 1991, I was employee number six. The company has grown over these years. It has changed names multiple times. It has done a lot of spinoffs. But technically I’m still working at the same company that I joined in 1991.”
It’s no wonder, then, that when WithSecure’s PR team was thinking about commemorating the 25th anniversary of the first PC virus, they turned to Mikko for ideas.
“[Mikko] And they were thinking about doing some kind of awareness campaign about, you know, computer security problems. And I remember very well how I said in the meeting that – you know, that’s boring. We don’t want to do that. How about if I go and find the guys who wrote the first PC virus and I go and talk with them.”
For many of our younger listeners, Mikko’s idea probably sounds unfeasible – if not outright impossible: most modern malware authors try very hard to remain anonymous, or at the very least hard to find.
But back in the early days, things were… different.
Brain
Brain, the very first virus for the IBM PC, was created in January 1986 and spread by way of floppy disks: that’s why it was first discovered in the US only two years later, in 1988. It wasn’t destructive, but its proliferation – it is estimated that Brain infected some 100,000 computers worldwide – and the sheer novelty of a self-replicating program quickly captured the media’s attention. When experts analyzed Brain, they were quick to discover a text message embedded in the malware’s code.
“[Mikko] The original boot sector infected by Brain has, like, two lines of texts with two first names – and these are Pakistani first names, and then an address in Lahore in Pakistan.”
The names were those of brothers Farooq and Basit Amjad, and the address was for a small computer shop they owned: Brain Computer Services.
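The clue that set the whole search in motion is the kind of thing a first triage pass over a sample turns up: printable text sitting inside a 512-byte boot sector. As an added example, not code from the podcast or from WithSecure, the Python below builds a synthetic boot sector carrying an invented notice (placeholder text, not Brain’s), checks the 0x55AA boot signature and the leading JMP that a DOS-era boot record normally starts with, and lists every run of printable ASCII together with its offset. The sample sector and the notice are constructed for the demo.

```python
import re
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55   # stored little-endian as bytes 55 AA at offset 510


def build_sample_sector() -> bytes:
    """Construct a synthetic 512-byte boot sector for this demo.

    Layout: a short JMP over the data area, zero padding, an embedded ASCII
    notice, and the boot signature. The notice is an invented placeholder;
    it is not the text of Brain or of any real virus.
    """
    code = b"\xeb\x3c\x90"   # JMP SHORT +0x3C; NOP: how DOS-era boot sectors usually begin
    notice = (b"Welcome to the Example Virus.  Contact: EXAMPLE NAME, "
              b"1 Example Street, Exampletown, EXAMPLE COUNTRY")
    body = (code + b"\x00" * 61 + notice).ljust(SECTOR_SIZE - 2, b"\x00")
    return body + struct.pack("<H", BOOT_SIGNATURE)


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector is exactly 512 bytes and ends in the 55 AA marker."""
    return (len(sector) == SECTOR_SIZE
            and struct.unpack_from("<H", sector, SECTOR_SIZE - 2)[0] == BOOT_SIGNATURE)


def starts_with_jmp(sector: bytes) -> bool:
    """True if the first byte is a short (EB) or near (E9) JMP, as in a normal boot record."""
    return len(sector) > 0 and sector[0] in (0xEB, 0xE9)


def extract_strings(data: bytes, min_len: int = 6):
    """Return (offset, text) for every run of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def triage_sector(sector: bytes) -> dict:
    """Summarise what a first look at a boot sector image should record."""
    return {
        "signature_ok": has_boot_signature(sector),
        "starts_with_jmp": starts_with_jmp(sector),
        "strings": extract_strings(sector),
    }


if __name__ == "__main__":
    report = triage_sector(build_sample_sector())
    print("boot signature present:", report["signature_ok"])
    print("begins with JMP:       ", report["starts_with_jmp"])
    for offset, text in report["strings"]:
        print(f"  0x{offset:03x}: {text!r}")
```

Run it as-is to triage the constructed sector, or replace `build_sample_sector()` with the first 512 bytes read from a disk image. The offset of each string matters as much as its content: text that sits in the code area of a boot record, rather than in the BIOS parameter block where an OEM name belongs, is what made analysts look twice at Brain.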
“[Mikko] So we had a clue. Granted, it was a 25-year-old clue, but we had a clue about where Brain was coming from. So I floated the idea that I know I’ll just start digging into this and try to find where these two, two guys, the Alvi brothers are today. […]
[Ran] How difficult was it to track them down 25 years later?
[Mikko] Well, you wouldn’t believe it, but when I went to Lahore and when I actually met the brothers, Basit and Amjad, it was at their offices. They today run a company and the headquarters of the office are in Alama Iqbal town on the west side of Lahore, in the street address that was listed in the Brain virus 25 years earlier. They never moved.”
The two brothers, Mikko learned, were self-taught programmers and technicians who started their tiny business in their early 20s. Apart from selling and fixing PCs, Amjad and Basit also sold pirated software, and among their clientele were many American backpackers who jumped on the opportunity to get programs and games that cost hundreds of dollars in the US for a meager dollar and a half. However, many of these foreign customers – only foreign ones, mind you, not local buyers – left the small shop carrying an unwanted “gift” on the floppy disks they bought: a virus created by Amjad. Eventually, these backpackers brought Brain back home with them.
Since creating computer viruses wasn’t yet considered a crime in Pakistan, Amjad and Basit didn’t think twice when they added their real names, address, and even their shop’s phone number to the virus. This backfired, however, when Brain became a digital epidemic, and the two surprised brothers – who never imagined that their tiny creation would travel as far as it did – were bombarded with calls from nosy journalists and angry PC users who demanded that the brothers clean their computers of the virus.
When asked about their motive for releasing the virus, Amjad and Basit gave the journalists confused and somewhat irrational answers. At first, they claimed that they wanted to track the number of pirated copies of medical software they had written – but the virus didn’t include any counter, nor any way of ‘phoning home’. Later they said they wanted to “punish” the American buyers for being software pirates – which of course makes no sense, since they had sold them said pirated software in the first place.
Twenty-five years later, with the two brothers now considered respectable businessmen – they later created Pakistan’s first commercial email service and one of the country’s first Internet service providers – they were finally ready to confess their true motive to Mikko.
“[Mikko] The story they told me face to face was that they had been working on mainframe computers and large computers before this time. They were used to an environment which had some semblance of computing security that you had, you know, accounts, you would log into the system. Then IBM PC comes around and you boot up the machine and you’re in. There’s no security. There’s no accounts. There’s no security at all. You can do anything you want. You have full rights. If you want to write to the boot sector, you can. And they were sort of horrified about the lack of security. I mean, you could misuse these things. You could write a virus. And to prove the point, they wrote the virus, to show that, you know, you could do things like this. […] It was a much more innocent time, but I do believe that they were trying to demonstrate how insecure this new IBM PC platform was.”
Motivations
We can ask the same question for all the viruses created in the 80s & 90s. Back then, in the pre-Internet days, there was no way to make money by writing malware. So why write them in the first place?
“[Mikko] I guess the most important motivation for malware writers in the 1980s and 1990s was that they had none. They really had no real reason for doing what they were doing. Certainly, some of the more destructive viruses could have been ways for the authors to vent their aggressions or who knows what. But even there, it’s a little bit abstract. What do you gain from deleting files of people you don’t even know? You create a piece of malware or a piece of virus which spreads to random locations and then does damage. You’re not there to see the damage. You’re not there to see the reaction.”
The lack of a financial motivation meant that virus authors had a plethora of other motives – and this diverse mix of motives had, as we shall soon see, an interesting effect on the design and style of viruses created at that period.
Showoff
A common motivation of many virus authors was showing off their skills and creativity to their friends and fellow hackers. A prime example is the “DenZuko” virus, discovered in 1988: pressing Ctrl-Alt-Del on an infected computer caused it to briefly display the text “DenZuko” on the screen. Security experts who analyzed the virus were at a loss as to the meaning of the mysterious text. Some speculated that it was derived from the Dutch phrase “De Zoek”, meaning “The missing”, or maybe “De Zoektocht” – “The search” – but both guesses led them nowhere.
Frederick Skulason, a prominent Icelandic researcher, noticed a second, even more inscrutable piece of text embedded in the virus: “YC1ERP.” This seemingly random string of characters reminded him of call signs, like the ones used by amateur or “ham” radio operators. And he was right: when he searched an international directory, he found such a call sign, assigned to one Denny Yanuar Ramdhani from Indonesia. So Skulason – how Scandinavian of him – sent Ramdhani a polite letter asking if he was, by chance, the author of DenZuko.
Amazingly, Ramdhani replied: yes – he was, in fact, the virus’ creator. Ramdhani, a 26-year-old student, created DenZuko to impress the other hackers in his hometown of Bandung. The name “DenZuko”, he explained, was derived from a nickname his friends gave him: Danny Zuko, after John Travolta’s character in the movie “Grease.”
The drive to impress and one-up other virus authors led to some very creative viruses. The 1994 Lichen virus, for example, made its presence known to users by displaying an impressive animation that simulated the growth pattern of a lichen – a type of symbiotic algae – by way of cellular automata. The virus “Mars Land” displayed a scrolling animation resembling a topographic map of Mars. The Dark Avenger, a well-known Bulgarian virus author, made sure that his creations always had a round number of bytes – 1024, 1800, or 2000 bytes, and so on.
The 1990 “Invader” virus played a melody through the system’s speaker – specifically, Mozart’s Symphony No. 40 in G Minor. Unfortunately for the ambitious virus author, PC speakers back then weren’t exactly up to the job, and failed to impress analyst Jim Bates who wrote in the Virus Bulletin magazine:
“This is a symphony which was originally scored for a flute, two oboes, two clarinets, two bassoons, two horns and strings. It is therefore perhaps expecting rather a lot that a retarded virus writer could hope to achieve much through the 2.5 inch speakers of a PC’s sound channel.”
Communication
Often, the text messages embedded in viruses were directed at the researchers who analyzed them, as a sort of covert communication channel. The anonymous author of “Concept”, discovered in 1995, wished to warn analysts of the potential danger of macros: small scripts embedded in documents of Microsoft’s Office suite of programs. Concept was such a macro virus: it infected Word documents and spread via email messages – but its payload, the part of the virus that could inflict the actual damage, had only a single line of text: “That’s enough to prove my point.”
The 2001 “Parrot” virus contained a very different kind of message. It was written by Gigabyte, a 16-year-old female hacker from Belgium, and aimed specifically at Graham Cluley, a British security researcher who’d joked, in an interview shortly before, that there weren’t many female virus authors because “they have better things to do with their time.” Gigabyte, however, took this to mean that Cluley thought women were incapable of writing viruses, and launched a sort of ‘crusade’ against him. Parrot contained a short voice message: “You better not [BEEP] on the table, Graham Cluley, you son of a bitch.” Coconut, another virus by Gigabyte, forced users to play a game in which they threw virtual coconuts at a picture of Cluley: the number of files the virus infected depended on the user’s score. Cluley retorted that “all this attention from Gigabyte is flattering. Next time, chocolates or flowers would be nicer.”
Mikko says that in those days, virus authors would sometimes reach out to security experts to dispute something they wrote in their analysis of the virus – or, more commonly:
“[Mikko] They wanted to comment that, hey, why did you name my virus with this name? Like, you know, I don’t like the name. Like, this malware was supposed to be called Flower, and you called it Stone. Could you please rename it?”
Virus authors had a very good reason to complain about the names given to their creations, because Mikko and his colleagues made it a point to annoy them as much as possible.
“[Mikko] Absolutely. We would try to avoid the name the malware author wanted to give to the virus. Well, like, why give them credit? Why make them feel better about their acts? However, quite often we couldn’t do this. You see, if it’s a piece of malware which would show something on screen, if it would announce itself and tell the world what its name is…”
…viruses such as Ambulance, which displayed an ASCII animation of an ambulance moving across the screen, or Q Walker that presented an animation of an old man holding a stick, walking across the screen. In cases like these…
“[Mikko] If the victims see the name, that’s the name of the virus. There’s no point for me to call it something else because the victims will know it by the name that they see on screen. So we would simply use the name that was visible to victims if there was a name like that.”
The downside of such flashy displays, however, was that they tended to announce the presence of the virus in the system, which often led to its prompt removal – thus severely limiting the spread of the virus… but hey, no one said that being a famous virus author was easy.
Ideology
This kind of tradeoff was doubly challenging for a specific class of virus authors: those who wished to use their creation to spread a political or ideological agenda.
A good example is that of the 2005 Cager virus. Cager would analyze the title of the current window, looking for keywords that hinted that the user was browsing a porn website. If it found such “filthy” words, it would minimize the window, lock the mouse cursor inside a box with vertical bars – i.e., a cage – and display a message with Arabic verses from the Quran, supposedly to convince the sinner to repent his or her… well, mostly his, I guess… immoral deeds.
The inescapable requirement to grab the users’ attention in order to expose them to the ideological message meant that most such viruses didn’t travel very far. Some, however, did manage to spread their agendas in a more roundabout way. The 2001 Mawanella virus, for example, which spread via Microsoft’s Outlook Express email client, protested violent attacks against Muslim villages in Sri Lanka – such as the village of Mawanella – by displaying an ASCII image of a burning house and a message condemning the attacks. Curiously, the virus’ author tried to win the user’s sympathy by noting that he could have destroyed the computer if he wanted to, but “I didn’t do that because I am a peace-loving citizen.” Like most politically oriented viruses, Mawanella wasn’t very successful in its own right – but it did gain the attention of the press and numerous blog authors who reported on it, thus unwittingly spreading the message on behalf of the author.
Job Hunting
Another class of virus authors were those who used their creations as a sort of viral résumé. The most successful of such viruses was Klez, an email worm that crippled thousands of mail servers and, according to some estimates, caused billions of dollars in damage. The worm’s body contained the following message:
“I am sorry to do so, but it’s helpless to say sorry. I want a good job, I must support my parents. Now you have seen my technical capabilities. […] What do you think of this fact? Don’t call my names, I have no hostility. Can you help me?”
“[Mikko] Yeah, we saw it a couple of times. […] The common theme here is that these people tell me that they wished they were in my shoes. You know, they had the technical skills. They knew how to write low-level code. They knew how to reverse engineer code. They could do virus analysis. But for one reason or another, life chose a different path for them, and now they are on the dark side and they wish they were on the side of the light. […] And of course, crossing the border is hard. It’s not so much that we think some person is evil because they wrote malware. It’s really a question of trustworthiness: the teams that work inside a security company are very closely knit. […] And it’s kind of hard, maybe even impossible, to bring in an outsider who used to be on the other side and build enough trust to have someone like that successfully join a team.”
At first, when he started his career as a virus analyst in the early ’90s, Mikko didn’t have a lot of sympathy for such virus authors. But as he grew older and traveled the world, his views gradually shifted.
“[Mikko] I’m here in Helsinki. You’re in Israel. Both are tech hubs where, if you know networking protocols, if you know how to code, you can find a job. […] It’s a different story if you have programming knowledge, but you’re living somewhere in the middle of Siberia or in the countryside of China or in the slums of Sao Paulo or somewhere in Africa.”
Or Lahore in Pakistan, for that matter.
“[Mikko] And it’s not made any easier by these visible figureheads of cybercrime leaders who are happy to post images to Instagram about their Lamborghinis and their champagne-fueled parties. They show the image of a successful cybercriminal. Come do cybercrime. There’s a lot of money involved. It’s easy. Nobody’s getting caught. And some of these people are tempted and they choose wrongly. But it’s not as easy making these choices when you’re not living in technically advanced countries.”
Viruses As Art
Mikko’s change of heart towards these amateur virus authors helped him see their creations in a different light.
“[Mikko] And at some stage, we realized that these early viruses from the 1990s and late 1980s, they were kind of neat, because these were still the time when malware writers, they were not after money. This was not nation states, this was hobbyists, and many of these early viruses were pretty creative. They were playing games with the user, they were playing music, they were showing animations. So we realized that this is culture, this is art, and it should be preserved.”
This is where Mikko’s unique career path, as someone who stayed with the same company for more than 30 years, turned out to be an unexpected blessing.
“[Mikko] One of the obvious downsides of working at the same company all your life is that you never get a raise. You only really get raises when you switch companies. So I’ve been told, because I’ve never done it myself. However, the upside is: you lose all your history when you change jobs: you can’t take your emails with you, you can’t take your files with you. I’ve never done that, so I have my archive from the 1990s, I still have them today.”
All these hundreds of ancient viruses that he reverse engineered ages ago? He still had them. So Mikko turned to the Internet Archive: a non-profit organization dedicated to building a digital library of the Internet and its culture.
“[Mikko] So I started working with Jason Scott. He works at the Internet Archive. And we set up this system called Malware Museum, where you can go right now, today, and you can actually run malicious code from the 1990s inside a virtual machine, inside your web browser. You can even do it on your phone and it’s not like a video of what these programs look like. They are the actual original programs. You execute the real code that the malware was running but you do it safely inside a virtual machine.”
Epilogue
Old viruses, then, have undergone a complete transformation: from being viewed as a nasty act of vandalism, akin to graffiti, they are now considered – by some, at least – cultural heritage, and even a form of art. As someone who lived through that transformation, I can’t help but wonder – how will our current malware be viewed thirty, fifty, or more years from now?
True, modern malware is very different from the early viruses of the 80s and 90s. For example, you’ll rarely find text messages in today’s malware, unless it’s a ransom note:
“[Mikko] Today, when we find texts inside malware, it’s typically a mistake by the author, because they’re quite often leaking information. They shouldn’t be leaking evidence about their own systems. For example, file paths, where the compiled files are on their systems. […] Why would you leave messages if you’re working for an intelligence agency, or they’re professionals working for a ransomware gang or something like that? You don’t want to leave anything special in there. You don’t want to get caught. So no, it’s not common anymore.”
However, looking at our cultural history, there are quite a few examples of things that were once illegal or even seen as evil, yet have made a similar transition. Voodoo was once demonized and associated with dark magic, but is now recognized as a legitimate religion with a rich cultural tradition. A 16th-century sailor would probably be stunned to learn that we dress our kids as pirates for Halloween. It’s not unthinkable that our grandchildren will regard the ransomware and Trojan horses we currently dread and fight so hard against in a more “romantic” way, so to speak… Sounds ridiculous? Maybe a visit to the Malware Museum will change your mind. After all, they do say that time heals all wounds…