The dying art of computer viruses

I think the first time I ever heard someone talk seriously about computer viruses was in 1988.

I was studying computing in the leafy home counties of England, when I played a joke on a friend.

I showed him that every time I typed the letter "s" on my keyboard it would come up on the screen as "ssh", slurring his words, and every now and then a loud "-HIC!-" would be injected into the text.

"You must have a virus!" my classmate exclaimed, his eyes opening widely. The truth was that he had just encountered a joke DOS TSR program I had written called "Drunk Simulation". It hid in the background and messed around with whatever you typed.

But for the first time, I had seen how strange behaviour on a computer could raise the pulse of onlookers.

It wasn't until December 1991, when I went for an interview to be a programmer at British security firm Dr Solomon's Software, that I saw some real computer viruses for the first time.

It was often hard to ignore that you had a virus in those days: the New Zealand virus declaring "Your PC is now Stoned!", the Italian virus bouncing a ping-pong ball across your screen, or the Maltese Casino virus playing Russian Roulette with your file allocation table.


Sure, all of these viruses were irritating - they spread without your consent, and ate up system resources - but only some of them like Casino were deliberately destructive. In many ways, a lot of the malware could fairly be compared to electronic graffiti.

The Green Caterpillar, for instance, which crawled across your screen, eating up letters and pooping them out a shade of brown. Or the Plane companion file virus, which featured a stick man parachuting out of a bi-plane.


The media were obsessed with the Cascade virus (clearly it had decided by this point that naming viruses after the places they had first been seen was a bad idea), believing that every crime drama incorporating an infected computer had to show letters dripping down the screen like falling rain.

Even as malware turned nastier, and more destructive, there was still some art to be seen.

Virus-writing gangs like Phalcon/SKISM (Smart Kids into Sick Methods) used colourful ANSI-style art to declare that they had infected your computer.


Viruses like Phantom, with its use of 256 colour palette cycling and a large skull displayed spookily on the screen, and Spanska, with its simulated flight across the Mars landscape, probably demonstrated a high point for art in viruses.

Here's a video of Spanska in action, made by Danooct1 who has published a great collection of retro virus payload movies on YouTube.

And even though I knew malware was wrong, and not to be encouraged, I had a sneaking regard for the graphical payloads some of the virus writers were building into their creations. I recognised that this *was* a form of art.

And there was art in the malware's code as well. Virus writers would often spend months tweaking their code, using innovative new techniques in an attempt to make it undetectable by anti-virus products. I didn't agree with what they were doing, but had to admire the coding skill deployed by some of them.

Like much modern art, you didn't necessarily have to like it to acknowledge the skills used to produce it.

But then things started to change. Malware got commercial.

The reasons for writing a virus, or - increasingly - a Trojan horse, became more about stealing data, or recruiting a PC into a botnet, rather than displaying a silly message or gory graphics.

The new malware creators couldn't care less about getting attention through visual payloads, and they didn't care much about the quality of their mass-produced malware either. They were churning out new Trojans, unbothered that some anti-virus products spotted them generically so long as they knew there might be *some* people out there who would get infected.

They didn't care if their latest Trojan wasn't any good, as they'd have three more along in a minute. And they certainly didn't want them to draw attention to themselves.

Increasingly, when people asked you what visual clues they might spot that they had a virus, you had to tell them that chances were they would see a screen like this:

[Image: Windows 98 desktop]

Just a regular Windows desktop, with no way of telling by the naked eye if it's infected or not.

Now, in 2013, anti-virus researchers are dealing with thousands of silent, stealthy pieces of malicious code every day, which have no intention of unnecessarily drawing attention to themselves, and mostly from families of malware that have been seen hundreds of times before.

The art has gone from malware. The commercial cybercriminals rule the roost, and the hobbyists who incorporated dramatic visual payloads and cared about the quality of their code (the artists, if you like) have largely disappeared, frightened off by stiff punishments and prison sentences.

Are we better because of it? I don't think so.

I hanker for the old days, when viruses *did* something visual to entertain you, as you reached for your backup.

A shorter version of this article first appeared in the August 2013 edition of Virus Bulletin magazine. Many thanks to them for allowing me to reproduce the full piece here.

If you want to see the payloads of more retro viruses, check out Danooct1's YouTube channel.


11 Responses

  1. anon

    August 1, 2013 at 3:14 pm #

    Ever heard of the demoscene ?

  2. spryte

    August 1, 2013 at 3:24 pm #

    "TSR"

    Now there's an acronym I haven't seen in a long, long time !!

  3. kurt wismer

    August 1, 2013 at 3:50 pm #

    the way you described cascade all of a sudden made me make a mental connection to the matrix movie. i wonder if cascade was an influence for that effect from the movie.

    as for the commercialization of the threat landscape, the silver lining is that it's become more black and white. the people making this stuff are criminals, not just misguided kids.

  4. arizvisa

    August 1, 2013 at 5:14 pm #

    I think that as computing changes hands from the amateurs to those who need money to survive, (i.e. artists are growing up and realizing that more engineering amounts to survival) there will be less art produced, especially as we abstract ourselves farther away from the bare metal that we had all once fallen in love with. How I hanker for those days as well.

  5. dnauk

    August 2, 2013 at 9:56 am #

    Takes me back too!

    I was working for the Greater London Council when the IBM PC started selling in the UK. Up to that point users typically either had dumb terminals or dedicated word processors like the old Wang and Xerox machines. The IT department in the GLC was terrified of the idea that users had access to the operating system and could "personalise" their computers.

    In 1986 the Council's Information Services department commissioned me to write a pair of assembly language TSR programs which would (A) run an approved menu system automatically on startup and (B) intercept and ignore any keystroke combination that would drop the user out of the menu system or other "approved" application and give the user access to the operating system (along with providing enhanced functionality).

    Incidentally, that year I also developed a terminal emulation program for the PC reverse engineering a particular mini-computer dumb terminal enabling use of a PC (£2600 each then) in place of proprietary mini-computer dumb terminals costing £3500 each!

  6. slipstream

    August 2, 2013 at 1:07 pm #

    I guess this is why I like fakeAVs, winlockers, and the installers that ask you to install adware: there's some kind of a UI there!

  7. Coyote

    August 3, 2013 at 1:05 am #

    I really like this article, Graham. It is indeed a dying art form and with the exception of viruses like Dark Avenger along up to CIH and Kriz (in general anything destructive of which the three mentioned were very destructive albeit the first and the last two differ in how; the former was silently corrupting data whereas CIH and Kriz just are quite destructive and have no problems making it known) the real problem with the viruses of the older days would be only it is replicating without permission (and actually, as for the three: CIH and Kriz were not all that creative and DA was but more than creative it was clever and if I recall was the first multipartite?).

    There were several I quite liked although the names do not come to me (one had an ambulance moving across the screen as well as the ambulance sound playing by the PC speaker, another played some classical music by the PC speaker). I know of these not from being infected but an old DOS based file that had demos of the payloads of the viruses in those days. I want to say it is Kaspersky even but I'm not entirely sure.

    As for me: I found reverse engineering viruses and otherwise studying their source a fascinating way to learn assembly – especially in those days as there actually were very talented programmers (even those who wrote destructive viruses had talent just used in the wrong way). I wrote a few demos and I also loved TSRs – hooking the keyboard along with playing sound was always good fun.

    You're absolutely right though: it's quite more serious now, is far less creative and more out of the intent to harm others with no remorse or any regard to the consequences of it.

    Fascinating and thought provoking article. Do you happen to remember who or what company released the virus payloads as a demo (or what it was called; I am assuming you knew of it at some point)?

    • Graham Cluley in reply to Coyote.

      August 3, 2013 at 6:28 am #

      The demo program you are thinking of came from Kaspersky, or rather AVP (AntiViral Toolkit Pro) as it was then known.

      It was the AVP Virus Encyclopaedia if I remember correctly (AVPVE).

      • Cody in reply to Graham Cluley.

        August 25, 2013 at 5:17 am #

        Ah yes, thank you. (Yes – same person; forgot the name I used before). That is indeed it. I remember the name and you gave me enough information (avpve) to find an old copy on backup (and works fine in dosbox – excellent).

        I appreciate the response a great deal! I remember going through each of them on more than one occasion, years ago, enjoying it a great deal.

  8. Alfons Tanujaya

    August 3, 2013 at 11:49 am #

    The good old days, Graham. Really miss it :(. Now what we have to face is money-thirsty malware writers and a bunch of government sponsored malware. Hope that Android malware will be more artistic.

  9. dd

    September 24, 2014 at 9:07 am #

    That is what comes of criminalizing virus writing. The art dies off but the crime doesn't.
