Confession: I was a teenage computer virus writer
Did your PC crash a lot in the 90s? Yes, sorry about that
Posted in Security, 14th September 2015 12:26 GMT
Special feature I was 17 years old, I had nothing to do, and I wanted to teach myself programming. So I decided to write a computer virus.
Don't worry. The two viruses that I ended up writing – Leprosy and Leprosy-B – were designed to infect MS-DOS computers. They knew nothing about the internet, because neither did I at the time, and these days they're as dead as smallpox.
My reasons for wanting to write software that trashed other people's PCs were manifold. For starters, as I said, I was 17. Besides computers, one of my other hobbies was blowing up public telephones with fireworks. Maybe sticking to computers was a better idea.
Perhaps the main reason, though, was that I was a bit full of myself and I wanted to do something about the arrogance that I felt existed in the underground computer scene at the time. I just wanted to prove to the scenesters that even an idiot who didn't really know how to program could write a virus.
This was 25 years ago, in 1990, and the underground computer scene lived on bulletin board systems (BBSs). These were social chat servers that you would log in to by dialing a phone number with your modem. Most often they were run out of people's homes. That meant that probably only one person could be on the system at a time; only the posh ones paid for more than one phone line.
The underground at the time was interested in various things. Software piracy was a big one for me. A 17-year-old doesn't have a lot of money to buy software. Then there were the phone phreaks, who liked to find ways to make free long-distance phone calls. Some people just wanted to talk about drugs. And then there were the virus folks.
[Image caption: How hard could it be to write a computer virus? A snippet of the actual Leprosy source code]
A lot of the computing underground bugged me, because they acted like if you were involved with this stuff it made you special. There was this term, "leet," or "1337" – meaning "elite" – that got thrown around a lot. But the virus folks bugged me the most, because they liked to hoard their little tricks and secrets like they'd personally discovered the Rosetta Stone and were planning to charge people just to look at it.
The way I saw it, if you wrote an entire spreadsheet system from scratch, I would be impressed. But all these people had done was write software that did the digital equivalent of throwing rocks through people's windows. Anybody could do that, I thought. I could do that.
And so I did.
Pranking the pranksters
The tipping point for me was when I came across a virus called (crassly enough) AIDS. The way it worked was it would find .COM files (executable programs) on your disk and write itself over them, so the next time you tried to run those programs you would actually run the virus again, and so on. Eventually your whole system would be trashed. And every time it tricked you into running it, the virus would print out a message taunting you about how stupid you were.
That's all it did! None of this stealthy business of hanging around and re-installing itself after you tried to remove it. It just blasted itself around your disk and waited for you to run it by mistake.
To me, it was the software equivalent of a whoopee cushion. The worst part was, it was written in Borland Turbo Pascal, so it was 14KB in size. A lot of the .COM files it was trying to infect weren't 14KB to begin with, which meant they would grow to 14KB when it infected them, making the virus easy to spot.
And whoever wrote it had the nerve to call other people stupid!
So this became my project. I would rewrite AIDS from scratch, only I would do it properly. I would write it in C, and I would keep its size down to 666 bytes – a number chosen in advance, because the teenaged me was clever like that.
I decided to call my virus Leprosy, which I thought was way cooler than calling it something thoughtless like AIDS. And I had an additional goal in mind.
Unlike the virus folks who seemed to want you to envy them for having invented the wheel – when really, to my mind, they'd done nothing special – my virus was going to be public domain software. Anyone could have it, source code and all.
Sorry, Peter Norton
My first problem was how to build the thing. My computer at the time was an IBM PC XT clone with a 10MHz 8088 clone CPU and 640KB of RAM. Not a great machine by any means, but more importantly, I didn't really know how to program it.
I had taught myself C from books and computer magazines, but it was in a generic, high-level way. I didn't really know the PC or MS-DOS very well. Previously I'd been an Apple ][ guy. We didn't have C. We didn't even have interrupts.
I did have a secret weapon, though, and that was a book called The Peter Norton Programmer's Guide to the IBM PC. That's right, the "pink shirt book." It taught me everything I needed to know to write a dumb, annoying virus like AIDS. (Sorry, Peter.)
But I had an additional challenge. I wanted this program to be tiny, just 666 bytes. My C compiler at the time was Borland Turbo C, and while it allowed you to compile programs for various memory models, even the smallest executables had a certain amount of overhead because of the startup code. C programs were expected to parse command line arguments and do some other housekeeping when they started up. For my purpose, I didn't really need any of that.
[Pull quote: Believe it or not, back in those days you could often spot a virus just by searching for the text it printed out. I solved that one.]
The answer to my problem, like so many answers in those days, came in the form of a computer magazine. Specifically, the December 26, 1989 issue of PC Magazine, which printed the assembly language source code to a startup routine that would keep your program size down to the barest possible minimum (page 297). I didn't really understand it, but it solved my issue, so I used it.
I also ended up writing my code using a bunch of inline assembly language, also to make the executable smaller. But it was all very simple stuff – just like I figured it would be. And I made sure to put a comment on nearly every line, so that neophyte programmers could know what I was doing.
Along the way, I added a few features to make Leprosy better than AIDS (boy, that was a strange sentence to write). I used a simple encryption on all the text strings to make them harder to spot with a file editor. Also, instead of taunting you when you ran it, it threw up a legitimate-looking system error message, in hopes of getting you to try running it again. It would infect more than one file at a time. And it knew how to jump directories on your disk, once it ran out of uninfected files.
And if you're wondering how I remember all of this from 25 years ago, honestly I don't. Remember how I mentioned that this was going to be a public domain virus? How I wanted to thumb my nose at the "1337" virus folks and make this software for anybody – any kid like me – to have and learn from? By the time I finished writing my code, I doubled down on that concept.
Confession time: I never actually did anything with Leprosy. The only person I ever infected with it was myself. Because after all, I had to run it to see if it worked, didn't I? So my first thought was, "Yay, it worked!" and my second thought was, "Hold on a minute, I just ran that in the same directory as my compiler and all my tools."
Lessons. Sometimes they come the hard way.
But believe it or not, I never really had any malicious intent when I wrote it. For me it had become your basic programming project. I just wanted to see if I could pull it off. I didn't have any enemies, or people who I wanted to harm with it. I didn't have any reason to inflict it on anybody.
So I gave it to somebody who did.
[Image caption: Too much Iron Maiden: For some reason, it was important to me that my viruses ran in just 666 bytes]
Long story short, I gave it to a guy who was on one of the BBSs that I called, and who didn't share my admittedly lofty opinions of the "1337" community. He thought Leprosy was great, and the fact that nobody else had it made it even better. He thought he had a zero-day virus on his hands, and he thought that meant he had bragging rights. So the first thing he did was upload an infected file to a BBS.
Short term, he got the effect he wanted. The guy whose BBS he uploaded it to freaked out, screamed and shouted, waved all the flags. For a while I couldn't tell who was more excited, the guy who uploaded my virus or the guy whose BBS got infected with a virus that nobody had ever heard of before. Both of them seemed to think they were famous.
Long term, of course, what it meant was that every antivirus vendor in the world had a signature for the Leprosy virus in less than 24 hours' time. Hence, it was useless. It was dead almost upon arrival. The source code and manual were out there for people to read and learn from, but good luck infecting anyone with it.
So I did what any sensible person would do. I wrote another one.
On to Plan B
I had been studying since I wrote the original Leprosy and I had grown a bit more ambitious. So Leprosy Strain B – as I decided to call it – was going to be written not in C but in 100 per cent assembly language. That would both give me more control and make it easier to keep the size of the program down (that 666-byte length was still important to me).
Top of mind was this idea that the original Leprosy was now instantly detectable, because everyone had seen it. What to do about that? After all, I couldn't keep writing these things forever.
What I decided to do is have the virus encrypt itself, albeit in a trivial way. It would generate a random number and use that to XOR its own code – a reversible binary operation that would make it harder to recognize the virus, because each copy would be slightly different.
If I'm honest, probably this achieved absolutely nothing. I imagine that just the part of the code that decrypted the rest of it left a large enough signature that any antivirus software around would be able to detect it with no difficulty. But it was a challenge for me as a budding programmer, and adding this feature certainly made me feel clever.
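The self-encryption described in the two paragraphs above (and the string encryption mentioned for the original Leprosy) is easy to model. The following is an added example, not the author's code and not anything taken from Leprosy or Leprosy-B: the payload bytes, the decryptor "stub" bytes and the scanner signatures are all constructed placeholders. It builds two copies of a sample body with different one-byte XOR keys, then runs three scanners over them to show exactly the point the author makes: the encoded body differs per copy, but the plaintext decryptor is identical in every copy and is itself a signature, and a scanner can simply try all 255 keys.

```python
# Added example: per-copy XOR "mutation" and why it does not hide a virus.
# Everything here is constructed for illustration; nothing is real virus code.
import secrets
from typing import Optional

# Constructed stand-in for the virus body (text here; machine code in reality).
PAYLOAD = b"SAMPLE BODY: in the real thing this would be the 8086 code that infects .COM files"

# Constructed placeholder for the decryptor stub. In a real virus this is a short
# loop (load key, XOR each body byte, jump into the decoded body) that must stay
# in the clear so it can run. These bytes are arbitrary, not real opcodes.
STUB = b"\xbe\x0a\x01\xb9\x40\x00\x30\x24\x46\xe2\xfb"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def mutate(payload: bytes, key: Optional[int] = None) -> bytes:
    """Build one copy: plaintext stub, one-byte key, XOR-encoded body.

    Key 0 is excluded because it would leave the body in the clear.
    """
    if key is None:
        key = secrets.randbelow(255) + 1  # fresh random key per copy
    if not 1 <= key <= 255:
        raise ValueError("key must be in 1..255")
    return STUB + bytes([key]) + xor_bytes(payload, key)


def decode(copy: bytes) -> bytes:
    """What the stub does at run time: read the key, XOR the body back."""
    if not copy.startswith(STUB):
        raise ValueError("not a mutated copy")
    key = copy[len(STUB)]
    return xor_bytes(copy[len(STUB) + 1:], key)


# Three scanners, weakest to strongest. The signature is a constructed substring
# of the plaintext body, standing in for the text strings an AV would look for.
BODY_SIGNATURE = b"SAMPLE BODY"


def scan_plain_signature(data: bytes) -> bool:
    """Match a plaintext body string: the XOR defeats this one."""
    return BODY_SIGNATURE in data


def scan_stub_signature(data: bytes) -> bool:
    """Match the decryptor stub, which is identical in every copy."""
    return STUB in data


def scan_trial_decrypt(data: bytes) -> bool:
    """Try every possible key: the encoded signature must appear under one of them."""
    return any(xor_bytes(BODY_SIGNATURE, k) in data for k in range(1, 256))


def demo() -> dict:
    """Two copies with different keys; report what each scanner sees."""
    a, b = mutate(PAYLOAD, 0x5A), mutate(PAYLOAD, 0xC3)
    return {
        "copies_differ": a != b,
        "both_decode": decode(a) == PAYLOAD and decode(b) == PAYLOAD,
        "plain_sig_hits": [scan_plain_signature(a), scan_plain_signature(b)],
        "stub_sig_hits": [scan_stub_signature(a), scan_stub_signature(b)],
        "trial_decrypt_hits": [scan_trial_decrypt(a), scan_trial_decrypt(b)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The plaintext-string scanner misses both copies, which is all the XOR buys. The stub scanner and the 255-key trial decryption catch both, which is why a constant decryptor loop is enough of a signature on its own; real polymorphic engines later had to vary the decryptor itself, not just the key.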
[Image caption: I needed a hobby, so I taught myself 8086 assembly language. Maybe I needed a better hobby]
I called this feature "Cybernetic Mutation Technology™," mainly to thumb my nose at a company called Omen Technology, which made communications software that was important at the time but which also had the habit of trademarking things. Like I said, I was a bit full of myself in those days.
So I wrote Leprosy-B, I released it ... and here is where the story gets a little hazy, because it was about this time that I lost interest in the whole project. Who knows what distracted my attention away from writing computer viruses. Horror movies? A job? God forbid, girls? It's lost to time, and I really had nothing more to do with it after that.
That is, I never heard anything about it again until a couple of years later, when my friend Thad had gone to university, got onto the internet, and discovered a digital magazine about computer viruses called 40HEX.
This self-described "down and dirty zine" was created expressly for the purpose of distributing the source code to computer viruses so that people could learn from them. In short, it was exactly the sort of thing I would have liked to have seen from the virus community when I first set out to write Leprosy. And wouldn't you know it, the very first issue listed the source code to Leprosy-B. Maybe I inspired them. Who knows?
"While the virus is no great wonder," the editors of 40HEX wrote of Leprosy-B, "the simple encryption method is what is used by almost all viruses."
That line gave me a couple of minutes' pause. Was it actually true? I had no idea what methods other viruses used, because I had never seen the source code to a virus before. With Leprosy-B, I was just trying to dream up a way to make my virus harder to spot, by making it look slightly different each time.
As it turned out, though, that was hardly even necessary. After all, mine was the public domain virus. I had given away the source code. And sure enough, hackers all around the world took it and made dozens if not hundreds of variants, each slightly different.
Some of them actually added new features, sometimes to do even nastier things to PCs than I had dreamed up. Others just changed the text strings so that the virus would give a shout-out to their girlfriends – or, more likely, would-be girlfriends – and while I wasn't impressed with their work ethic, I thought it was sort of sweet.
40HEX called my virus "no great wonder," and it surely wasn't one. It was never really meant to be. There were already viruses at the time that would terminate and stay resident, infect the boot sector of your drive, disguise themselves when you did directory listings, and various other stealthy tricks. I still maintain, though, that none of that was really very impressive compared to the programmers who were writing actual, useful software that helped people do their work, organize their lives, and everything else that personal computers are good for.
At the time I was writing my viruses, in 1990, I had never heard of Richard Stallman, the Free Software Foundation, or the GNU General Public License (GPL). And it took maybe four or five more years for me to leave BBSs behind and get onto the internet full-time.
But a couple of years after I released Leprosy-B, this Finnish guy named Linus Torvalds released the Linux kernel version 0.12 to the internet under the GPL, meaning it was Free Software. The GNU Project already had a slew of free tools to go along with this kernel, making it a complete, Unix-like OS that you could have for free. And the world started changing very rapidly after that.
I missed my opportunity to be part of something good and useful to the world by just a few short years. Instead, I was a cyber-vandal. Ironically, though, when I set out to make Leprosy the public domain virus, where the code would be free and available to anyone who wanted it, I had the right idea all along.
So how does a guy who wasted his teenage years lobbing rocks at other people's computers occupy his time in his adult life? I should think that would be obvious. He writes for The Register. ®