Early Days On The Antivirus Front: A Personal Perspective


True, some viruses did unpleasant things, such as delete executables when run on a certain date, but it was almost cute. Then viruses were discovered that did truly awful things such as erase your hard disk and all the contents thereon. Suddenly, they weren't so cute anymore.

It was the mid-1980s, and the computer revolution hadn't really started yet. A simple MS-DOS computer with monochrome monitor cost upward of $3,000, hard disks were measured in tens of megabytes, and hefty systems sometimes had as much as 256K of memory, which was fine for that new-fangled Lotus 1-2-3 spreadsheet program. The hot operating system was destined to be OS/2, which was authored by IBM and therefore could not fail. The hot chip was the 386. It had something really innovative called Protected Mode.

The time was ripe for something as unique and cool as computer viruses. And they, of course, gave birth to the computer antivirus (AV) industry. I was a member right at the beginning with my Flu_Shot antiviral program.

There were so few viruses then that the antivirus researchers knew them all by name. When I first released Flu_Shot, it protected against all known computer viruses -- 81 in all.


There were many early luminaries in the AV field, including:

Vesselin Bontchev
Klaus Brunnstein
David Chess
Ken Cohen
Jon David
Nick FitzGerald
Richard Ford
Sarah Gordon
Ross M. Greenberg
Dmitry Gryaznov
Mikko Hypponen
Andy Hopkins
Glenn Jordan
Pam Kane
Jeffrey Kephart
Jimmy Kuo
John McAfee
Padgett Peterson
Rob Rosenberger
Fridrik Skulason
Alan Solomon
David Stang
Wolfgang Stiller
Morton Swimmer
Peter Tippett
Ken van Wyck
Joseph Wells
Steve White
Ed Wilding
Righard Zwienenberg

In one form or another we all knew each other -- or knew of each other. Each was a character in his or her own right. For the most part we were competitors, but almost everyone was cooperative. In some cases we even held begrudging respect for each other.

In 1989, the Virus Bulletin was first published. Ed Wilding was an early editor of this monthly newsletter and came up with the concept of "The VB 100." Antivirus programs were run against a sizeable library of "found in the wild" viruses, and were ranked by their percentage of correctly identified viruses. (According to The WildList Organization, "found in the wild" means that antivirus researchers have actually discovered these viruses out in the public arena, actively infecting machines and programs.) A VB 100 rating virtually guaranteed a product's commercial success.

Rob Rosenberger was the editor of the influential tell-all site Vmyths, debunking computer virus myths and stepping on a few AV vendors' toes while he was at it. Rob and I collaborated on some articles during the virus hysteria of 1988 -- the press was going nuts. Rob was an impartial observer who was able to cut through the vendor hype and tell a clear story. (Note: The Vmyths site is currently being revamped and some articles are temporarily unavailable. A July relaunch is planned.)

CARO And Beyond

Most of the early antivirus innovators became involved in a group called the Computer Antivirus Research Organization (CARO). CARO quickly proved its worth in the early '90s with the advent of polymorphic viruses, which mutated from generation to generation.

The virus writers were attempting to avoid definitive virus detection by changing their viruses so that simple signature strings -- portions of a virus, uniquely identifying it -- could not be used. For a short while, the virus writers had a slight edge over the virus busters. This edge lasted for mere weeks as the CARO community got together and rapidly implemented code, developed independently but cooperatively, to fight this new threat -- a wonderful example of competitors working together for the good of all.

Inventing Viruses

A persistent accusation against the antivirus community is that it devises and creates its own viruses to keep itself in business. To the best of my knowledge, no employee of any anti-malware vendor has ever created or deployed malware. With an estimated 300,000 pieces of malware already out there, is there any need to do so?

Many of these vendors did insert signature strings for nonexistent viruses into their signature lists (the collection of viral signature strings used by an AV program). These bogus signature strings uniquely identified a vendor's signature list and provided an easy way to tell if dishonest competitors were helping themselves to its contents.

My own contribution to the bogus string database was for the nonexistent Capon virus. ("Capon" was the name of an acquaintance.) This is the first time this information has ever been admitted publicly. Shhh!
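The signature-list and decoy-string scheme described in the two paragraphs above, as an added example that is not code from this article or from Flu_Shot; the signature list, the byte strings and the "infected" samples are all constructed for illustration:

```python
"""Signature-string scanning with a decoy entry.

Added example, not code from the article or from Flu_Shot. A signature list
maps a virus name to a byte string that identifies it; scanning a file is a
substring search over the file's bytes; a decoy entry for a virus that does
not exist flags a competitor's list that was copied from ours wholesale.
"""
from typing import Dict, List

# Constructed signature list. The "Capon" entry plays the role of the bogus
# string described in the text: no real program will ever contain it.
OUR_SIGNATURES: Dict[str, bytes] = {
    "Demo-A": bytes.fromhex("b8004ccd21"),      # constructed stand-in
    "Demo-B": bytes.fromhex("5e5f56578bd8"),    # constructed stand-in
    "Capon":  b"CAPON-DECOY-7f3a",              # decoy, never present in real code
}
DECOY_NAMES = {"Capon"}


def scan(sample: bytes, signatures: Dict[str, bytes] = OUR_SIGNATURES) -> List[str]:
    """Return the names of every signature string found anywhere in the sample."""
    return sorted(name for name, sig in signatures.items() if sig in sample)


def copied_from_us(their_list: Dict[str, bytes]) -> List[str]:
    """Names of our decoys present in a competitor's list; non-empty means it was lifted."""
    decoy_strings = {OUR_SIGNATURES[n]: n for n in DECOY_NAMES}
    return sorted({decoy_strings[s] for s in their_list.values() if s in decoy_strings})


if __name__ == "__main__":
    # Constructed "infected" file: padding around one known string.
    infected = b"MZ" + b"\x00" * 16 + OUR_SIGNATURES["Demo-A"] + b"\x00" * 16
    clean = b"MZ" + b"\x00" * 40
    print(scan(infected))          # ['Demo-A']
    print(scan(clean))             # []
    # A competitor's list built by copying ours under new names, and an honest one.
    lifted = {"Virus-1": OUR_SIGNATURES["Demo-A"], "Virus-2": OUR_SIGNATURES["Capon"]}
    honest = {"Virus-1": OUR_SIGNATURES["Demo-A"], "Virus-2": bytes.fromhex("cd13")}
    print(copied_from_us(lifted))  # ['Capon']
    print(copied_from_us(honest))  # []
```

The decoy string has to be one that cannot occur in legitimate software, or it would turn into a false positive in the scanner that carries it.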

The antivirus world has changed dramatically since its early days. For one thing, there's a lot more than just viruses and worms to contend with. Today's list of malware includes spyware, rootkits, Trojans, drive-by downloads, phishing attempts, distributed denial of service (DDoS) attacks, and more -- and the bad guys will no doubt come up with more devious schemes.

As for me, I got out of active AV when there were too many viruses for one person to handle. There are now multimillion-dollar companies with massive staffs that protect consumers and businesses from an array of malware threats. Long gone are the days when all the AV players knew each other's names.

I took the money I made from my AV products, moved to a farm in upstate NY, and renamed it Virus Acres. I sometimes miss the excitement of the early days -- but not enough to go back into it!

Ross M. Greenberg is the author of the early antivirus programs Flu_Shot and VirexPC and was an early member of the Computer Antivirus Research Organization (CARO). He now consults and writes mainly on security-related matters.

Back to main story: "20 Years Of PC Viruses"