TryHackMe room: Join this room to learn about the first forms of malware and how they turned into the malicious code we see today.

History Of Malware

The Creeper Program

  • The concept of malware was introduced by Von Neumann around 1949

  • The Creeper Program (or “Creeper worm” or “virus”) was the first ever virus to be created, in 1971 by Bob Thomas using ARPANET to transfer itself between computers (created in PDP-10 Assembly, which ran on the OS TENEX)

    • “computers fail from time to time and work is lost. So I got interested in the possibility of moving an executing program from one computer to another without interrupting the ongoing operation of the program, at least to the extent that to an external observer nothing had happened.”
  • it did not do any harm, but it would display the message “I’m the creeper, catch me if you can!”

  • the creator designed it in such a way that it deletes older copies of itself when moving to another computer.

  • Ray Tomlinson redesigned the virus so that it won’t do this anymore

ARPANET

  • started out initially with two protocols: remote login and transferring files

  • later, the Network Working Group designed a program called Network Control Program

    • the start of computers being able to communicate within networks
  • Packet Switching breaks data into packets, which are then routed to the destination individually

    • the receiver reassembles the packets back into whatever data was being sent (still used today)
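To make the packet-switching idea concrete, here is an added toy example (not part of the room or these notes) that fragments a message into numbered packets, delivers them out of order, and reassembles them at the receiver, rejecting gaps and conflicting duplicates. The packet layout and the `Packet`, `fragment` and `reassemble` names are assumptions made for the demo, not a real protocol.

```python
"""Toy packet-switching demo: split a payload into numbered packets,
deliver them out of order, and reassemble on the receiver side.
Added example for the ARPANET notes; the packet layout is invented here."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Packet:
    seq: int        # position of this chunk in the original message
    total: int      # how many packets make up the whole message
    payload: bytes  # the chunk itself


def fragment(data: bytes, mtu: int) -> list[Packet]:
    """Sender side: break data into packets of at most `mtu` bytes each."""
    if mtu <= 0:
        raise ValueError("mtu must be positive")
    chunks = [data[i:i + mtu] for i in range(0, len(data), mtu)] or [b""]
    return [Packet(seq=i, total=len(chunks), payload=c) for i, c in enumerate(chunks)]


def reassemble(packets: list[Packet]) -> bytes:
    """Receiver side: restore sequence order; refuse gaps or conflicting duplicates."""
    if not packets:
        raise ValueError("no packets received")
    total = packets[0].total
    by_seq: dict[int, bytes] = {}
    for p in packets:
        if p.total != total or not 0 <= p.seq < total:
            raise ValueError(f"inconsistent packet {p.seq}/{p.total}")
        if p.seq in by_seq and by_seq[p.seq] != p.payload:
            raise ValueError(f"conflicting duplicate for seq {p.seq}")
        by_seq[p.seq] = p.payload          # a harmless retransmit just overwrites
    missing = sorted(set(range(total)) - set(by_seq))
    if missing:
        raise ValueError(f"missing packets: {missing}")
    return b"".join(by_seq[i] for i in range(total))


def round_trip(data: bytes, mtu: int, seed: int = 0) -> bytes:
    """Simulate a network that reorders packets in transit, then reassemble."""
    packets = fragment(data, mtu)
    random.Random(seed).shuffle(packets)   # deterministic reordering for the demo
    return reassemble(packets)


if __name__ == "__main__":
    msg = b"I'm the creeper, catch me if you can!"
    for p in fragment(msg, 8):
        print(p)
    print(round_trip(msg, 8) == msg)
```

Every packet carries its own sequence number, so the order of arrival does not matter; what does matter is that the receiver verifies completeness before handing the data up, which is why `reassemble` refuses to return a message with holes in it.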

Questions

  1. Who re-designed the Creeper Virus?

A: Ray Tomlinson

  1. How is data transferred through a network?

A: Packet Switching

  1. Who created the first concept of a virus?

A: John von Neumann

  1. What text did the Creeper program print to the screen?

A: I’m the creeper, catch me if you can!

  1. What does ARPANET stand for?

A: Advanced Research Projects Agency Network

  1. Which team created the network control program?

A: Network Working Group

  1. What is the first virus commonly known as?

A: Creeper

Reaper

  • created not long after Creeper by the same Ray Tomlinson

  • the first anti-virus software produced

  • Reaper’s purpose was to remove any copies of Creeper that it could find

  • Bob Thomas’ main project was “to develop a resource-sharing capability”, known as RSEXEC “so that users could develop applications that could move to and run on another computer”.


Questions

  1. Who created Reaper?

A: Ray Tomlinson

  1. What type of malware may Reaper be known as?

A: nematode

  1. What was the first ever anti-virus program known as?

A: Reaper

  1. What was Bob Thomas’ main project to develop?

A: a resource-sharing capability

  1. Research: What does API stand for?

A: Application Programming Interface

Wabbit (Rabbit)

  • written in 1974, it is the first self-replicating malware.

  • the name comes from the fast pace at which rabbits reproduce: the malware would work so fast on a machine that it would end up crashing it by choking up all of its resources.

  • it was able to infect only the machine it was put on and did not spread via a network, hence we cannot classify it as a worm.

  • we see Rabbit nowadays as being a form of denial-of-service known as a fork bomb.

  • used on the system framework IBM OS

  • Rabbit creates an infinite loop that continually creates system processes and copies of the original file, consuming a large number of CPU cycles.
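The defender's view of the behaviour described above, as an added example that is not from the room or these notes: a small analyzer that reads a process listing in `ps -eo pid,ppid,user,comm` layout and flags the two signs of a Rabbit-style runaway, a user owning far more processes than usual and a command that keeps spawning copies of itself generation after generation. The listing below is constructed, not real output, and the thresholds are illustrative.

```python
"""Spot a runaway self-replicating process tree from a process listing.
Added example for the Wabbit/fork-bomb notes; SAMPLE_PS is constructed."""
from collections import Counter, defaultdict

# Constructed sample in `ps -eo pid,ppid,user,comm` layout (not real output).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init
  412     1 root     sshd
  900   412 alice    bash
  901   900 alice    wabbit
  902   901 alice    wabbit
  903   902 alice    wabbit
  904   903 alice    wabbit
  905   904 alice    wabbit
  906   905 alice    wabbit
  907   906 alice    wabbit
  908   907 alice    wabbit
  950     1 bob      bash
"""


def parse_ps(text: str) -> list[dict]:
    """Turn the listing into rows; the first line is the header and is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        pid, ppid, user, comm = line.split(None, 3)
        rows.append({"pid": int(pid), "ppid": int(ppid), "user": user, "comm": comm})
    return rows


def processes_per_user(rows: list[dict]) -> Counter:
    return Counter(r["user"] for r in rows)


def deepest_chain(rows: list[dict]) -> tuple[str, int]:
    """Return (command, depth) of the longest parent->child chain in which the
    child runs the same command as its parent: the shape of a program that
    keeps launching copies of itself."""
    by_pid = {r["pid"]: r for r in rows}
    children = defaultdict(list)
    for r in rows:
        children[r["ppid"]].append(r["pid"])

    def depth(pid: int) -> int:
        comm = by_pid[pid]["comm"]
        d = 1
        for c in children[pid]:
            if by_pid[c]["comm"] == comm:
                d = max(d, 1 + depth(c))
        return d

    best = ("", 0)
    for r in rows:
        parent = by_pid.get(r["ppid"])
        if parent is None or parent["comm"] != r["comm"]:   # start of a chain
            d = depth(r["pid"])
            if d > best[1]:
                best = (r["comm"], d)
    return best


def find_runaway(rows: list[dict], per_user_limit: int = 5, chain_limit: int = 4) -> list[str]:
    """Illustrative thresholds; tune them to the host's normal workload."""
    alerts = []
    for user, n in processes_per_user(rows).items():
        if n > per_user_limit:
            alerts.append(f"user {user} has {n} processes (limit {per_user_limit})")
    comm, d = deepest_chain(rows)
    if d >= chain_limit:
        alerts.append(f"{comm} spawns itself {d} generations deep")
    return alerts


if __name__ == "__main__":
    for alert in find_runaway(parse_ps(SAMPLE_PS)):
        print(alert)
```

Detection after the fact is the weaker half of the answer: on a modern Unix system the standing mitigation for this class of behaviour is a per-user process cap (`ulimit -u` in the shell, or the `nproc` limit in `/etc/security/limits.conf` via pam_limits), so that a replicating program exhausts its own quota instead of the machine.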

Questions

  1. What is a modern day fork bomb also known as?

A: Denial Of Service Attack

  1. Was Rabbit one of the first malicious programs? (Y/N)

A: Y

  1. What did the name “Wabbit” derive from?

A: Looney Tunes Cartoons

ANIMAL

  • 1975 - first Trojan, written by John Walker

    • acts as a game in which it asks the user several questions in order to guess the animal they were thinking about
  • while the user enjoys the game, another program / subroutine called PERVADE would create a copy of itself and ANIMAL in every directory that the user had access to

  • however, ANIMAL was not malicious, as the program was carefully written to ensure that no damage is done

    • it spread across UNIVACs when users with overlapping permissions discovered the game

    • it was halted unintentionally by an OS upgrade, which changed the format of the file status tables that PERVADE used to safely copy files.

Questions

  1. When was PERVADE added to ANIMAL?

A: 1975

  1. Did John think this was a good idea? (Y/N)

A: Y

  1. What computers did the program spread across?

A: UNIVACs

  1. What type of malware is ANIMAL also known as?

A: a trojan

  1. Who built the wooden horse?

A: the greeks

Elk Cloner

  • one of the first microcomputer viruses that spread in the wild (1982)

  • worked by attaching itself to the Apple II operating system and spread via floppy disk

  • technique used: boot sector virus

    • when a user would activate the game for the 50th time, the screen would go blank and a poem about the virus would be shown
  • if the computer booted from an infected floppy disk, a copy of the virus would be placed in memory; it then spread to uninfected disks that were inserted into infected computers

    • Elk Cloner also wrote a signature byte to the disk’s directory, indicating it was already infected.
  • it caused accidental harm, as the Apple DOS disks had their reserved tracks overwritten, thus making it malware.

  • boot sector viruses are less common in modern technology

    • they infect the part that starts the computer and once infected, they will try to infect every disk inserted into the computer.

    • it does not need the computer to fully boot up in order to infect it.
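A boot sector virus changes the one sector the machine runs before anything else, so the defender's check is to keep a known-good fingerprint of that sector and compare it on every disk. The following added example (not from the room or these notes) builds a toy disk image, records a baseline hash of sector 0, models the kind of tampering the notes describe so the check has something to catch, and then reports both the hash mismatch and the "already infected" marker. The sector layout, the boot bytes, the `MARKER_OFFSET` and `MARKER_VALUE` are placeholders made up for the demo and are not Elk Cloner's real signature.

```python
"""Boot-sector integrity check, the defensive counterpart of the Elk Cloner notes.
Added example; the disk image and the tampering below are constructed toys, and
the marker offset/value are placeholders, not the real Elk Cloner signature."""
import hashlib

SECTOR_SIZE = 256                        # Apple II DOS 3.3 used 256-byte sectors
SECTORS = 16                             # toy image: one track's worth of sectors
MARKER_OFFSET = SECTOR_SIZE * 1 + 0x20   # placeholder "directory" byte used as the infected flag
MARKER_VALUE = 0xA5                      # placeholder value, not the real one


def new_disk(boot_code: bytes) -> bytearray:
    """Construct a blank image whose sector 0 holds the given boot code."""
    if len(boot_code) > SECTOR_SIZE:
        raise ValueError("boot code does not fit in one sector")
    img = bytearray(SECTOR_SIZE * SECTORS)
    img[:len(boot_code)] = boot_code
    return img


def boot_sector_hash(img: bytes) -> str:
    """Fingerprint of sector 0 only; this is what the baseline stores."""
    return hashlib.sha256(bytes(img[:SECTOR_SIZE])).hexdigest()


def tamper_boot_sector(img: bytearray, extra_code: bytes) -> None:
    """Toy model of the behaviour in the notes: put foreign code in front of the
    original boot code and set the marker so the disk is not touched twice."""
    if img[MARKER_OFFSET] == MARKER_VALUE:
        return                                        # already marked, leave it alone
    original = bytes(img[:SECTOR_SIZE - len(extra_code)])
    img[:SECTOR_SIZE] = extra_code + original         # foreign code runs first
    img[MARKER_OFFSET] = MARKER_VALUE


def check_disk(img: bytes, known_good_hash: str) -> list[str]:
    """Return findings for a disk whose boot sector no longer matches the baseline."""
    findings = []
    if boot_sector_hash(img) != known_good_hash:
        findings.append("boot sector differs from known-good baseline")
    if img[MARKER_OFFSET] == MARKER_VALUE:
        findings.append("infection marker present in directory sector")
    return findings


def demo() -> list[str]:
    """Baseline a clean disk, tamper with it, and return what the check reports."""
    boot = b"\xA9\x00\x8D\x00\x04"          # constructed placeholder bytes, not real Apple II boot code
    disk = new_disk(boot)
    golden = boot_sector_hash(disk)
    assert check_disk(disk, golden) == []   # clean disk: nothing to report
    tamper_boot_sector(disk, b"TOY")
    tamper_boot_sector(disk, b"TOY")        # second pass is a no-op because of the marker
    return check_disk(disk, golden)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The hash comparison is the part that generalizes: it flags any change to the boot sector, whether or not the modifying program was considerate enough to leave a marker byte behind.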

Questions

  1. Which US Military regiment caught the virus?

A: US Navy

  1. How many lines long is the Elk Cloner poem?

A: 7

  1. When was Elk Cloner written?

A: 1982

  1. Is a boot sector virus more or less common in modern technology?

A: less

  1. How long did it take Richard to write the program?

A: 2 weeks

  1. Which Operating System was affected?

A: Apple II

The Morris Internet Worm

  • released in 1988 by Robert Tappan Morris

  • it was supposed to highlight security flaws of the academic networks that it travelled to.

    • it worked, but not how he expected.

    • the program failed to check which computers it had already been to, hence infecting many computers multiple times and causing a DoS attack.

  • it would spread by exploiting known vulnerabilities in Unix Sendmail, rsh (remote shell)/ rexec and weak passwords

  • it would infect 2000 computers in 15 hours and it often took 2 days to get off a computer

  • it is said that around 6000 computers were infected by it in the end, which was around 10% of the internet at that time.

  • Berkeley r-commands, together with weak passwords, were a very big way that allowed Morris to access the computers.

    • it would allow the worm to log in and execute commands on the system
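The r-commands trusted a host on the strength of a name listed in `/etc/hosts.equiv` or a user's `~/.rhosts`, and a `+` entry trusted everyone. The following added example (not from the room or these notes) is an audit script that parses the contents of such files and flags the over-broad entries a defender would want removed; the sample file contents are constructed, and the `audit_trust_file` / `audit_all` names are mine.

```python
"""Audit Berkeley r-command trust files (/etc/hosts.equiv, ~/.rhosts) for
over-broad entries. Added example for the Morris worm notes; the file contents
below are constructed samples, not from any real host."""

# Constructed samples. Format: one entry per line, "host [user]"; a '+' in
# either field means "any", "+@name" means a netgroup, and a leading '-' denies.
SAMPLE_HOSTS_EQUIV = """\
# trusted lab hosts
lab1.example.test
lab2.example.test alice
+
"""

SAMPLE_RHOSTS = """\
lab1.example.test
+ bob
-badhost.example.test
"""


def audit_trust_file(text: str, name: str) -> list[str]:
    """Return one finding per entry that trusts every host or every user."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-"):
            continue                             # explicit deny entry, nothing to flag
        where = f"{name}:{lineno}"
        if host == "+":
            scope = f" for user {user}" if user else ""
            findings.append(f"{where}: '+' trusts every host{scope}")
        elif host.startswith("+@"):
            findings.append(f"{where}: trusts every host in netgroup {host[2:]}")
        if user == "+":
            findings.append(f"{where}: every user on {host} is trusted")
    return findings


def audit_all(files: dict[str, str]) -> list[str]:
    """Audit several trust files at once; keys are the file names for reporting."""
    out = []
    for name, text in files.items():
        out.extend(audit_trust_file(text, name))
    return out


if __name__ == "__main__":
    for finding in audit_all({"/etc/hosts.equiv": SAMPLE_HOSTS_EQUIV,
                              "~/.rhosts": SAMPLE_RHOSTS}):
        print(finding)
```

Even an entry that names a single host is only as strong as the network's ability to prevent that name from being spoofed, which is why the durable fix was to retire rsh/rlogin/rexec in favour of SSH rather than to curate the trust files more carefully.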

Questions

  1. What commands were a very big way that allowed Morris to access the computers?

A: Berkeley r-commands

  1. Who was one of the first people prosecuted under the computer misuse act?

A: Robert Tappan Morris

  1. What type of attack is a “Fork Bomb”?

A: Denial of Service

  1. When was this worm released?

A: 1988

  1. How many computers did it infect within 15 hours?

A: 2000

  1. What does rsh mean?

A: Remote Shell

  1. Under which act was Morris arrested?

A: 1986 Computer Fraud and Abuse act

Cascade

  • first type of malware to use a form of encryption (more to keep the program undetected than to harm the user’s data.)

  • hard to detect also because of its physical properties.

  • in the 80s, more specifically on Digital Equipment (a large computer company) operating systems, a common file extension was .COM, which is similar to a .sh or batch file nowadays: it allows execution of the commands written in the file.

  • works only if the file is executed.

  • you could check if you are infected by:

    • checking the file sizes, as the infected files would have a much larger file size (usually by 1704 bytes)

    • checking the host file: Cascade overwrote the first 3 bytes of the host file and stored those original 3 bytes at the start of the virus’ main body. The payload would activate between October 1st and December 31st.

  • a DOS malware

  • it would make the text fall from the screen and emit noises

  • some claim there have been 40 variants of this virus

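The file-size check described above only works if you know what the sizes were before, so it is really a baseline-and-compare exercise. The following added example (not from the room or these notes) snapshots the sizes of the `.COM` files in a directory, compares a later snapshot against it, and singles out files that grew by exactly the 1704 bytes the notes give for Cascade, while still reporting any other change. The snapshot data and the temp-directory demo are constructed, and the `snapshot` / `compare` names are mine.

```python
"""Baseline-and-compare size check for .COM files, from the Cascade notes.
Added example; BASELINE/LATER are constructed snapshots, not real DOS files."""
import tempfile
from pathlib import Path

CASCADE_GROWTH = 1704   # growth the notes give for a Cascade-infected .COM file


def snapshot(directory: str) -> dict[str, int]:
    """Record the size of every .COM file directly under `directory`."""
    return {p.name: p.stat().st_size
            for p in Path(directory).iterdir()
            if p.is_file() and p.suffix.lower() == ".com"}


def compare(baseline: dict[str, int], current: dict[str, int],
            growth: int = CASCADE_GROWTH) -> dict[str, list[str]]:
    """Classify every file as suspect (grew by exactly `growth`), changed, new or missing."""
    report: dict[str, list[str]] = {"suspect": [], "changed": [], "new": [], "missing": []}
    for name, size in current.items():
        if name not in baseline:
            report["new"].append(name)
        elif size - baseline[name] == growth:
            report["suspect"].append(name)      # exactly the Cascade delta
        elif size != baseline[name]:
            report["changed"].append(name)      # some other modification; still worth a look
    report["missing"] = [n for n in baseline if n not in current]
    return report


# Constructed snapshots (the sizes are made up for the demo).
BASELINE = {"COMMAND.COM": 25307, "FORMAT.COM": 9000, "EDIT.COM": 413}
LATER = {"COMMAND.COM": 25307 + CASCADE_GROWTH, "FORMAT.COM": 9000,
         "EDIT.COM": 500, "GAME.COM": 2048}


def demo_on_disk() -> dict[str, list[str]]:
    """Write the constructed files to a temp dir, baseline them, grow one by
    1704 bytes and re-check, so the directory-scanning path is exercised too."""
    with tempfile.TemporaryDirectory() as d:
        for name, size in BASELINE.items():
            (Path(d) / name).write_bytes(b"\x90" * size)
        base = snapshot(d)
        (Path(d) / "COMMAND.COM").write_bytes(b"\x90" * (BASELINE["COMMAND.COM"] + CASCADE_GROWTH))
        return compare(base, snapshot(d))


if __name__ == "__main__":
    print(compare(BASELINE, LATER))
    print(demo_on_disk())
```

A size-only baseline is cheap but blind to changes that keep the size the same; storing a hash next to each size turns the same script into a general integrity check, which is the form this idea survives in today.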

Questions

  1. What was the name of this virus?

A: Cascade

  1. What file extensions would this virus infect?

A: .COM

  1. How many variants of this virus were possibly found?

A: 40

  1. What operating system would the virus run on?

A: DOS

  1. Which Operating System/Frame Work would Cascade try to avoid?

A: IBM

  1. How many bytes would be added onto your file if it got infected?

A: 1704