At DefCon 19, F-Secure Chief Technical Officer Mikko Hypponen shows off a 5 1/4-inch floppy that has on it the first PC virus.
LAS VEGAS--The hacker conference DefCon kicked off this morning with the rare public sighting of a now-archaic piece of technology: the 5 1/4-inch floppy disk. Mikko Hypponen, the chief technical officer for the Finnish security company F-Secure, waved the disk above his head to start off his history of PC viruses, and said, "This is Brain."
Hypponen was talking about a guest of honor housed on the disk: the original computer virus. Hypponen found the disk last year in a lockbox in F-Secure's headquarters in Helsinki, and he dove in, cracked the virus code, and found in it the names and address of the virus' writers, two brothers from a town near Lahore, Pakistan. And--believe it or not--he went to the address and found the same brothers there, now running an Internet service provider called Brain Communications. (Hypponen details his trip in a short YouTube film.)
One of the important things he learned from them is that they said they had no malicious intent when they created the virus. "There was no real motive," said Hypponen. It was a proof-of-concept, created just to prove that it could be done. That same absence of motive characterized computer virus development until the first years of the new century: viruses grew more malicious and complicated, but they were essentially pranks.
Just because they were pranks doesn't mean they weren't harmful, though. Hypponen demonstrated a number of early computer viruses from which he had removed the infectors, including one called Disk Destroyer. This particular piece of nastiness would copy the contents of your hard disk into the RAM, then wipe your drive. It then loaded a rudimentary slot machine-style game, and gave you five chances to win. If you won, it would reload your data back onto your hard drive. If you lost, your data was permanently wiped out.
Though viruses continued to get more and more complex, it wasn't until 2003 that things began to change. First, Microsoft began to take computer viruses seriously, he said, because worm infections were causing serious Internet traffic packet loss and real-world damage. Trains in 2003 were stopped around Washington, D.C., because the Windows computers controlling the signals and routing systems had crashed. "This is the basic reason why serious problems like these were finally taken seriously," Hypponen noted.
The other major change in 2003 was the Fizzer infection. "Fizzer, which nobody here remembers, is one of the most important viruses in history. It was the first virus written with one purpose only: making money." Fizzer spread e-mail spam in an effort to rake in the dough. Hypponen said that when other virus writers realized they too could earn some bucks from writing malicious code, it was game on.
This began to have even more serious real-world implications, as some virus writers were found to have used their money to buy equipment for fighters in Iraq.
"We also began to see a geographical shift [in] where viruses were written," he said. "From 1986 to 2003, it was mostly Western countries, the U.S., Western Europe, Japan. From 2003 on, it was Russia, Eastern Europe, Ukraine, China (of course), and South America, especially Brazil."
However, Hypponen said the problem was not limited to criminals. He called out the president of Sony BMG, Thomas Hesse, to calls of derision from the audience. Hesse was instrumental in approving a DRM system that surreptitiously installed a rootkit on your computer when you played a CD on that computer. "Sony gets a lot of hate, and they deserve it. Of course, some would claim that if you listen to Celine Dion, you get what you deserve," Hypponen quipped.
But he especially called out Hesse for saying, "Most people, I think, don't even know what a rootkit is, so why should they care about it?" Hypponen retorted, "Most people don't even know what brain damage is, so why should they care about it, too?"
Hypponen shows the text file displayed by modern ransomware, which refuses to free your computer unless you pay the virus writers.
Hypponen talked about the technical complexity of the 2008 virus Mebroot, a trojan that infects the master boot record of computers and, as a result, is exceptionally difficult to remove, and ransomware like GPCode, which holds your computer hostage until you wire money to the virus writers. Stuxnet, though, was an embarrassment for the security industry, Hypponen said.
"All this work did not prepare us for what we found next. It was embarrassing. We missed Stuxnet for a freaking year," he said, shaking his head.
"Today when you get infected by viruses, you will not know," Hypponen said. "It's running silently in the background. It won't slow down your system, and it won't take up too much of your resources."
"It has been a pretty wild ride over the past 25 years, from Brain to Stuxnet. Many things have changed, many things haven't changed. Brain didn't spread on the Internet, it didn't exist," Hypponen said, alluding to the spread by floppy disk. "And Stuxnet spread by USB key."