This is the first instalment of a 3-part series representing my paper for AVAR 2011, investigating malware which have emanated from Asia, charting the likely reasons for these, and attempting to predict future trends.
In a Nutshell
Conventionally, the very first known PC virus, Brain, was created in Asia (Pakistan) in 1986. No doubt this fact would come as a surprise to the vast majority of the general public of computer users worldwide. Asia has a certain history of malware-creation, however, over the years, the profile of malware emanating from Asia has changed considerably in terms of, inter alia, the volume, scope, purpose and geographic hub.
It is now common knowledge that most modern malware in general are written with a financial motive, whilst older malware were written primarily for kudos. The history of Asian malware follows a similar trend. There were a few high-profile global malware epidemics which originated in Asia, and there were several examples of script-kiddy autorun worms from South-East Asia and the Indian sub-continent which contain attention-seeking messages. These have not died away completely, however, nowadays much of the malware is professionally written for revenue generation or increasingly for cyber warfare, and the geographic location has shifted to major nations in East-Asia.
The evolution of malware originating in Asia is worth investigating in order to attempt to predict its future course, whilst perhaps also beginning to find solutions to the issues to stem the flow. Let us explore the history of Asian malware, focussing on the recent past, with a look at the core issues at hand. Note, many of the sentiments expressed in this piece are my own.
The Year was 1986
A fateful year, 1986 was a watershed in the field of computer security, the very concept of which was perhaps merely embryonic at the time. Computers were not globally ubiquitous and interconnected as they are today, and negative thoughts about the ability to compromise systems were unlikely to be at the forefront of people’s minds.
However, the Brain virus, oft-quoted as the earliest PC virus, must perforce have somewhat changed the mindset about computer security. This virus, incidentally of the boot sector variety, was created in Pakistan by brothers Basit and Amjad Farooq Alvi . The creators of the virus asseverate that their intent was to protect their own medical software from piracy rather than to cause any damage. Notwithstanding, the Brain virus did spread to several computers around the world, and reportedly was the cause of more than a little irritation.
There are a couple of salient points which ought to be highlighted explicitly. Firstly, the incipient PC malware trend had its roots in Asia, and second, the misguided raison d’etre for the first known virus was the protection of intellectual property. The vital characteristics of the global malware trend were to change markedly over the next quarter of a century.
From Asia … With (Some) Love
The specifically Asian slice of the malware creation pie over the course of the ‘90s and the early 2000s may not be substantial in terms of raw volumes, however, there have been a few high-profile examples of malware which appear to have originated in Asia which are worthy of note:
The examples of malware in Table 1 were likely to have been written for kudos more than anything else.
The Autorun Worm Factory
Microsoft released the first version of Windows XP in August, 2001, and a couple of years thereafter events conspired to create a scourge of “Autorun worms”. Autorun worms, a modern ersatz avatar of the retro boot sector viruses in terms of basic intent, tend to spread from computer to computer via removable devices such as USB memory sticks. The global spread of Autorun worms has been aided greatly by the following:
- Introduction of the AutoPlay feature in Windows XP
- Windows XP being the most common operating system for PCs between 2005 and 2010
- The ubiquity of removable devices and nonchalant sharing of the same
- Increasing popularity and support for Visual Basic (VB) and Visual Basic Script (VBS)
- A proliferation of Narcissistic Asian script-kiddies seeking attention
Many of the samples of Autorun worms released during the mid-2000s originated in Asia, e.g. Indonesia, Malaysia, Philippines, and the Indian sub-continent. The main motive for writing these worms could only have been kudos since many of them had references to alleged love interests or other juvenile string content, some of it in the vernacular, embedded in the files. One family of Autorun worms from India even had resource strings calling themselves “Khatra” which means “danger” in Hindi.
Examples of Autorun worms still abound, however the origin, scope and intent of these worms are different in the more recent context. Many families of recent malware, including the notorious Conficker (aka Downadup or Kido) and Sality, do use removable device as part of their spreading mechanisms, however, the point of note is that these recent malware are written with a financial motive rather than for kudos. The infamous Stuxnet worm from 2010, which also used the Autorun feature, had a sinister, albeit non-financial, motive. Interestingly, Stuxnet almost certainly originated in Asia.
Images courtesy of:
geography.about.com
horizondatasys.com
180-media.com
all-free-download.com
clker.com
Samir Mody
Senior Manager, K7TCL
If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
https://labs.k7computing.com/feed/