Across 30 years of computer development, one presence has lingered silently for twenty of them: computer viruses. Humanity has invested significant effort into advancing computer science and equally into eliminating viruses. Like a chronic disease, computer viruses show no signs of abating; they continue to evolve, growing in both scale and harm. What solutions exist for computer viruses? It is a seemingly simple question that still has no satisfactory answer. Let us turn back the timeline, analyze, and reflect to find solutions to this “century-spanning” problem.
Computer Viruses: A Persistent Joke
In fact, computer viruses have existed since the early 1970s. The Creeper (1970), Rabbit (1974), and Animal (1980) viruses are considered the ancestors of computer viruses. However, since they were born on mainframe computers, they only circulated within laboratories, largely unnoticed outside of computer science experts. Computer viruses only began to impact society significantly when they transitioned from mainframe computers to personal computers. Brain was the first computer virus (1986) to accomplish this task. The initial purpose of Brain was to serve as an advertisement for Brain Computer Service in Lahore, Pakistan. When a computer became infected, a screen would unexpectedly appear displaying the name, address, and even contact number of the company! Parasitizing the boot sector of the 360KB floppy disk, the most common data exchange storage medium at that time, the Brain virus spread globally. Although it caused no harm to computers, Brain instilled fear in many users.
Following Brain, other boot-sector viruses (B-viruses) appeared, such as Lehigh, Vienna, Cascade, and Pingpong… Viruses of this period were all “benign,” mostly originating from universities with many talented, energetic, and playful students. However, their harmlessness did not last long. To make a strong impression, hackers deliberately inserted malicious code into B-viruses, making them more aggressive. A representative of this type is the Disk Killer virus. After 30 hours of infection, this virus would encrypt the data that locates disk partitions, crippling the system while destroying all data.
Because they attacked the computer before the operating system booted, B-viruses, though small in size (512-2048 bytes), could easily take control of disk access at the BIOS level, independent of the operating system. The main disadvantage of B-viruses was their low activation rate (since not all computers booted from floppy disks). To combat B-viruses, ROM-BIOS manufacturers took timely action: they provided an option to disable booting from floppy disks. Some chip manufacturers even built routines that recognized B-virus-like behavior into the ROM-BIOS.
In light of this situation, hackers strived to expand the target of infection to COM and EXE executable files of the operating system, giving rise to a new type of virus: file viruses (F-viruses). Although dependent on the operating system, F-viruses addressed the basic shortcomings of B-viruses. Utilizing the operating system’s scripts, F-viruses not only disabled programs that recognized virus-like behavior in ROM but also enhanced their ability to create multiple parasitic copies on other objects within the system. Vietnamese people in the 1990s still remember the impressive attacks of viruses like Friday 13th, Datalock, Little Girl, and White Rose on the MS-DOS operating system, which had a simple structure with numerous serious security vulnerabilities.
However, the worst was just beginning. Along with F-viruses, hybrid viruses (which infect both boot sectors and executable files) such as BFD, Compback, Invader, Junkie, and Natas wreaked havoc on both ROM-BIOS and operating systems. Disk structure viruses like Dir2/FAT and Weichan also joined the fray, complicating the situation further.
Recognizing the weaknesses of 16-bit products, Microsoft decided to cease development of MS-DOS and Windows 3.x. In 1995, the company launched a 32-bit operating system with a graphical interface. The release of Windows 95 marked a significant shift in the global information technology landscape and also shook the world of computer viruses. While MS-DOS applications ran in real mode, one session at a time, Windows 95 applications operated in protected mode under a multitasking model. Windows assigned each process a separate address space, completely isolated from other applications. This model disrupted the design techniques hackers had used for F-viruses. In a single-task environment, an F-virus could freely interfere with the space of other applications from its own resident memory area. In a multitasking environment, the F-virus could only operate within the virtual machine space of the application that contained it. Nevertheless, some F-viruses on Windows (like Spenna Spy, Bodgy, Bolzano, Pate…) attempted to exploit directory search functions to inject code into “dormant” files on the disk system. This approach only temporarily improved the situation, as such viruses were easily detected (continuous hard-disk access, suspicious growth in disk usage, a marked slowdown of the machine…).
Perhaps the creators of computer viruses understand very well the meaning of the proverb “necessity is the mother of invention.” Concept is one such virus. By exploiting the macro code (VB Application) in the Microsoft Office suite, the author of this virus created a new type of virus solely to “prove my point,” demonstrating that viruses could also infect data files! Although it caused no destruction, the worst thing this hacker did was publish the entire code of the virus. This ignited the “post-Concept” phase with the emergence of macro viruses like CAP, Gold Fish, CyberHack, and JohnMMX. Not stopping there, macro viruses also “invaded” Microsoft Excel with lasting “products” like Laroux, HalfCross, and After-5h… Even PowerPoint presentation files were infected by the TriState virus.
Not content with the VBA code, hackers researched and developed other destructive propagation methods. A variety of malware such as worms, trojan horses, and backdoors emerged one after another. Not directly infecting executable files like F-viruses, they existed and operated as standalone applications. Taking advantage of network communication, they self-replicated to addresses collected from intermediate stations along the transmission path. DemiURG, a virus dubbed “7-in-1,” is a prime example. Spreading over the network to the target machine, DemiURG dispersed into 7 infection types: BAT, EXE-DOS, EXE-16, EXE-32, DLL, XLS, and VBS. When one type discovered a “prey,” it summoned its 7 siblings to infect the target. If any type was eliminated, the others would assist the fallen.
In this situation, Microsoft reluctantly added a macro virus warning feature to MsOffice 97. This move reduced the number of macro viruses but also cost the giant dearly in reputation: customers were no longer enthusiastic about the VBA script, which had previously been advertised as a powerful customization tool for advanced users.
Recognizing the growing significance of the Internet, Microsoft introduced Windows 98 in 1998, adding numerous important network services. The Windows 98 and MSOffice 97 products effectively fulfilled their roles in collaborative and shared environments. However, the cloud of viruses did not truly dissipate. Although appearing superior to MS-DOS in terms of security, Windows 9x also had its vulnerabilities. CIH (also known as Chernobyl) is a testament to the looseness of this operating system. CIH was discovered in July 1998 in Southeast Asia. Its creator believed the virus’s destructive potential resembled the disasters of the Chernobyl nuclear reactor leak in Russia on April 26, 1986, which humanity must remain vigilant about. CIH variants infected Windows 9x EXE-32 files. Every time it activated, CIH checked the system’s current date to decide whether to “strike” or merely infect other EXE files. If it was the correct date of April 26 (for variants 1003 and 1049) or the 26th of any month (for variant 1019), CIH would format track 0 of all hard drives on the machine, then write “garbage” into the flash ROM, causing the machine to be completely destroyed. Exploiting the weaknesses of Windows 95, CIH changed users’ subjective perceptions that “computer viruses only destroy logical data; they cannot touch the hardware.” With its nefarious script, CIH damaged millions of “branded” computers worldwide (those using ROM chips soldered onto the motherboard).
While Microsoft had yet to “recover” from the blow of CIH, the pesky macro viruses reemerged. In March 1999, Melissa (a relative of VicodinES) made a spectacular appearance. Using only VBA scripts, Melissa became the first macro virus capable of sending its code to email addresses in the victim’s address book. Thanks to email services, Melissa infected hundreds of thousands of computers within hours, an impressive infection rate hackers longed for. In turn, Melissa set an example for other viruses like Sircam and Nimda to follow. However, these scripts differed from Melissa’s. Once they seized control of the system, they brazenly rummaged through the My Documents folder for users’ private documents and sent them to other machines. This tactic left many “dumbfounded,” especially businesspeople whose company secrets were exposed to the public.
In light of this situation, Microsoft decided to replace Windows 9x with the Windows 2000 operating system utilizing Windows NT technology with NTFS disk formatting, considered superior to FAT32 in terms of organization and security. Following the robust Windows 2000, the stylish Windows XP was promoted by Microsoft with numerous superior features: support for multiple CPUs, strict memory management, improved disk access, protection of ActiveX executable code, strong multimedia support, and remote access control… In 2003, Microsoft officially announced the cessation of technical support for Windows 9x users, meaning that Windows 95, 98, and Me were “retired.”
Despite Microsoft’s efforts to enhance security, hackers continued their destructive activities. In 2001, the Blaster worm and later Sasser exploited the Remote Access Control vulnerability to issue shutdown commands to victims’ computers. This scenario was also executed by Slammer (2003) with even greater danger: crashing SQL Servers by sending messages through ports without writing virus code to the hard drive.
The year 2005 was a turbulent one with two notable events in the security field. The most significant was the counterfeiting and theft of various international credit cards. Security experts believed that this incident undoubtedly involved the assistance of software operating like computer viruses, secretly infiltrating database storage systems and stealing user ID numbers provided to counterfeit card printing facilities. The second event, less notorious but significant in its own right, was the confrontation between hacker organizations Mydoom and Netsky. Launching attacks and eliminating each other, hacker groups from various countries created chaos in the information technology world. To this day, although the conflict has eased, the names of these viruses remain on the “top-hot” list of security firms.
Seeking Solutions Against Viruses
In the battle against computer viruses, antivirus software plays the most active role. Utilizing libraries of known virus samples, antivirus programs quickly detect the presence of viruses in users’ computers. When there are fewer viruses and the frequency of unfamiliar viruses is low, the signature-based detection method proves quite effective. As the number of viruses increases, antivirus software finds itself at a disadvantage: only about 25 major companies confront roughly 150,000 different viruses. In this situation, antivirus software seeks to take proactive measures when outbreaks occur. This plan includes two main areas: increasing update speed and proactively detecting unusual virus samples. The first area involves expanding the team of experts updating new viruses, while the second focuses on researching advanced algorithms for intelligent detection of new viruses, timely preventing them before they spread. Each antivirus company chooses a different research direction: Symantec has Bloodhound, Sophos adopts a genetic approach, McAfee studies hashing, and BitDefender employs heuristics… Due to the inherent error in predictive modeling, customers must accept the risk: occasionally, antivirus programs mistakenly identify viruses in clean data. Although challenging and complex, this strategy is the inevitable trend of antivirus software development.
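To make the trade-off in this paragraph concrete, here is an added example (not code from the article): a toy scanner that contrasts signature-based detection, a library of byte patterns from known samples, with heuristic detection, weighted indicators of virus-like behaviour modelled on the macro tricks described for Melissa above. Every signature, rule, weight and sample below is constructed for the demo; the clean automation document shows the false positive the article warns about.

```python
# Added example, not the article's code: signature matching versus
# heuristic scoring, with a constructed false positive on a clean file.
import re

# Constructed signature library: byte patterns lifted from "known" samples.
SIGNATURES = {
    "Demo.Macro.A": b"Demo.Macro.A marker 1337",
}

# Constructed heuristic rules: (name, weight, regex over the file bytes).
HEURISTICS = [
    ("auto-run macro entry point", 1, rb"(?i)\b(AutoOpen|Document_Open)\b"),
    ("launches an external program", 1, rb"(?i)\bShell\s*\("),
    ("drives the mail client", 2, rb'(?i)CreateObject\(\s*"Outlook\.Application"\)'),
    ("walks the address book", 2, rb"(?i)AddressLists"),
    ("writes to the global template", 1, rb"(?i)NormalTemplate"),
]
HEURISTIC_THRESHOLD = 3  # arbitrary cut-off chosen for the demo

def signature_scan(data: bytes) -> list:
    """Names of every known signature found in data (exact substring match)."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def heuristic_scan(data: bytes) -> tuple:
    """Total weight of the rules that fire, plus the names of those rules."""
    hits = [name for name, _w, rx in HEURISTICS if re.search(rx, data)]
    score = sum(w for name, w, _rx in HEURISTICS if name in hits)
    return score, hits

def scan(data: bytes) -> dict:
    """Combine both methods; 'suspicious' is true if either method fires."""
    sigs = signature_scan(data)
    score, hits = heuristic_scan(data)
    return {"signatures": sigs, "score": score, "hits": hits,
            "suspicious": bool(sigs) or score >= HEURISTIC_THRESHOLD}

# Constructed samples (macro-like text, not real malware).
KNOWN_SAMPLE = b"Sub AutoOpen()\n' Demo.Macro.A marker 1337\nEnd Sub\n"
NOVEL_VARIANT = (b'Sub Document_Open()\nSet o = CreateObject("Outlook.Application")\n'
                 b"For Each a In o.Session.AddressLists\nNext\nEnd Sub\n")
CLEAN_ADMIN_DOC = (b'Sub AutoOpen()\nShell("notepad.exe")\n'
                   b"NormalTemplate.Save\nEnd Sub\n")  # legitimate office automation
PLAIN_DOC = b"Quarterly report: sales rose 4% in Q2.\n"

if __name__ == "__main__":
    for label, d in [("known", KNOWN_SAMPLE), ("novel", NOVEL_VARIANT),
                     ("clean-admin", CLEAN_ADMIN_DOC), ("plain", PLAIN_DOC)]:
        print(label, scan(d))
```

The novel variant carries no known signature and is caught only by the heuristics, while the clean automation document reaches the same threshold and is flagged too: that is the predictive error customers must accept.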
Despite the many efforts of antivirus programs, the landscape of the battle remains unchanged. Over 20 years of existence and development, viruses have not (and do not need to) change their attack scenarios: they exploit vulnerabilities (system security holes, users’ naivety, and curiosity) to execute their malicious intentions. Two noteworthy factors are the system (including the operating system and applications) and the computer user. Reality shows that tightly secured systems are less frequently attacked by viruses. Patchwork operating systems (fixes, patches) always provide fertile ground for computer viruses to flourish. Each time a system is reinforced, some virus types recede, and security conditions temporarily calm down. However, it is not long before outbreaks re-emerge with more insidious new viruses. Hence, network security and protection remain Microsoft’s top priority in the development plan for future 64-bit operating systems.
Users are the critical factor determining the survival of companies operating in the information technology sector. Users choose and spend money on quality IT products, allowing companies to continue to exist and produce better products. However, due to income disparities across countries, differences in consumer psychology, inappropriate pricing policies, and many other reasons, not all users are willing to open their wallets. The prevalence of software piracy in many countries worldwide not only harms manufacturers but also fuels the growth of illegal activities. A glance at the dark web of hacker groups reveals countless tools for software cracking, guides for illegal network infiltration, embedding trojans into websites, and even tutorials on creating viruses with an extensive library of source programs.
Observing the broader picture of 20 years of global viruses, we cannot help but wonder. As society develops and information technology grows stronger, the underground activities of hackers also increase. Today, no one can guarantee absolute safety for any system, even those once deemed “invulnerable.” Otherwise, why would the most advanced networks of technologically developed countries and regions like the US, Europe, and South Korea still be attacked by hackers?
As society evolves, human relationships become increasingly complex. While in the 20th century, world wars aimed to resolve conflicts between two powers, in the 21st century, humanity must endure more catastrophes: ethnic wars, religious conflicts, riots, and terrorism… The opposing forces themselves are deeply divided. In the realm of information technology, today’s security battle is not merely a fight between computer viruses and antivirus programs but also a tense confrontation among hacker groups. The incident in which the US Air Force mistakenly shot at the Chinese embassy in Yugoslavia ignited a fierce battle between hacker groups from various countries on the Internet. Following the events of 9/11, investigations by US security agencies revealed that terrorist groups had communicated with each other using the Internet. There is a hypothesis that they used computer viruses to steal intelligence from various sources to prepare for the attack. Some hackers even named viruses after Bin Laden to send warning messages to the world! Military strategists predict that future wars will be inseparable from attacks on the opponent’s computer networks, crippling communication systems and controlling the enemy’s military equipment. This is not science fiction, as the Internet originated from the military network of the US military, right?
Thus, the answer to the human factor lies in the issue of awareness. If we say this, you may exclaim: “Is the computer virus issue ultimately a social problem?” Indeed, only as humanity rids itself of wicked ambitions will crime decrease and society become more stable and secure. This is also an ideal vision of society that humanity has aspired to build for thousands of years. Each state is based on a certain philosophical doctrine. Each doctrine has a different way of resolving conflicts in human social life. However, all aim to build a stable and sustainably developed society. The remaining issue is just a matter of time.
We can believe in a future devoid of hackers. This belief is entirely grounded, as there have been significant changes within the ranks of Vietnamese hackers in recent years. Instead of writing viruses to annoy others, Vietnamese hackers have joined reputable IT companies or shifted to security research. This is a very positive sign for the Vietnamese Internet in the context of global hackers continuously attacking domestic systems. The participation of Vietnamese hackers in clarifying the iCMS case in 2005 is also a microcosm of a safe information technology world. Through this event, some hackers have left the underground world to step into the light, raising their voices to demand fairness in the game.
Conclusion
Over the past twenty years, humanity has witnessed many significant events, both achievements and losses. The world seems more fragile, with more risks. Computer viruses have also grown fiercer and more malicious. While humanity faces daily threats from terrorism, riots, and natural disasters, computer users must remain vigilant against a myriad of attacks and disturbances from rampant online misconduct and mobile devices. Where is the future of computer viruses headed? Obviously, they will accompany the development of human society. Computer viruses are a product of humanity, embodying human wrongdoing. As long as humanity cleanses itself of its sins, viruses will have no reason to exist.
WHAT’S NEW IN INFORMATION SECURITY 2006?
At the beginning of 2006, the annual international conference on Information Security (IS) organized by IBC, a member of the Information Systems Audit and Control Association, took place in Bangkok, Thailand. Mr. Vu Quoc Thanh, the director of Misoft and the first Vietnamese participant at this conference, stated:
Truong Minh Nhat Quang