The life and death of the creative computer virus
We look back at the electronic graffiti of the earliest hackers and recreate the payloads of 1991's most wanted viruses.
The early '90s were a renaissance for a certain type of computer virus. Today, we think of a virus as an insidious thing that hides and wreaks various forms of havoc, like destroying a nuclear facility, never poking its head up intentionally. But there was a time when viruses were more playful and made their presence known with creative and occasionally funny graphics or animations via "payloads." We recreated the payloads of old-school viruses featured in the "wanted list" from Central Point's '91 anti-virus ad in high-res glory. "You could get by with an anti-virus program. Then again, so could these," the ad warns. Check 'em out (below) from the safe confines of your browser window, downloadable for your creative remixing needs.
While early computer viruses were certainly capable of destruction and minor havoc, they were often designed simply for the hackers' own amusement and to deliver what's known as a "payload." It might be a message that tells you that cybertron69 has owned you, or it might be an elaborate animation with a political message. Hackers have moved on to using their time in more lucrative ways and just don't get around to putting that cherry on top anymore.
The fact is, what we often consider to be a virus is no such thing. “Viruses of the 80s/90s were called so because they behaved like biological viruses,” Daniel White, an enthusiast who has built a loyal YouTube following by demonstrating old viruses and payloads, tells Hopes&Fears. “They required a host to take hold and self-replicated after an initial infection, they infected files or boot sectors much like biological viruses infect host cells, then use that infection as a way to spread itself further. In modern times, most malware is automated with email spreading routines, web exploits and trojan downloaders.”
Those players in the early days of viruses did their work “as a test of the author's skill, or to harass unsuspecting users, and generally be a big nuisance.” White says, “Some authors chose to destroy a user's files, others went for a more visual or gotcha! approach, and still others wrote viruses that simply spread without popping up any payload at all.”
Playday for the payload
“Usually, payload screens were just the author's way of announcing their virus's presence on the system," White says. "Until they dropped, the user would generally be blissfully unaware that their system is slowly becoming more and more infected as they run files during their day to day routines, and once the payload showed up they instantly knew things were wrong inside of their computer." He explains that the payload would also occasionally include useful info that might help the infected avoid serious damage, "such as Casino informing the user they needed to play a game for their data, or stuff like Nightking telling the user to avoid shutting off their PC to prevent data loss," but even then the hacker was toying with their prey and asserting dominance.
Robert Slade, who wrote a Guide to Computer Viruses, tells Hopes&Fears that hackers' general creativity may have stopped at the lo-fi charm of a payload screen: “Yes, there were a few who came up with new tricks but most simply copied existing viruses. It is the same today.” The majority of virus writers may not have been all that creative, but the evolution of the virus is not entirely different from an artist mucking around for fun before joining the commercial world. In the days of the payload screen, it was all for the lulz. Slade likens it to a “form of electronic graffiti.” Now modern viruses “are built functionally, to provide attacking or fraudulent services,” and animated ambulances crashing into code don’t help when “detection avoidance is a primary concern.”
Old-school virus enthusiast based in Dallas, TX. White runs the YouTube channel danooct1, where he tests out old viruses and uploads the results. His videos have been viewed more than 15 million times. He also enjoys making 8-bit music.
Information security consultant, researcher and instructor from North Vancouver, British Columbia, Canada. He is the author of numerous books including Software Forensics and Dictionary of Information Security.
Discovered in Germany in 1990, the Ambulance Virus was non-destructive. Slade says it was "rare." Its sole purpose was to display an ambulance that drove across the screen and crashed when an infected file was executed. It would often include a siren sound and a message like "BOOM!" Considering that it only existed to deliver its payload, it's fitting that the Ambulance virus is one of the most elaborate of all.
Friday the 13th Virus
Friday the 13th was one of many variants on the Jerusalem/Suriv family, which Slade says was "prevalent and used as a pattern for many other viruses and virus families." The virus would activate on Friday the 13th of any year and begin to delete files. In some variations, a window would pop up that said "Jason Lives." According to Pando Security, it's the most famous virus in history and the Jerusalem namesake is attributed to "a celebration of the 40th anniversary of the creation of the Jewish state." Friday the 13th Part VII was released on the same day that this virus would delete your files. Was this the first example of "viral marketing?" Probably not.
Disk Killer Virus
Disk Killer is believed to have originated in Taiwan in 1989. Slade says that it was very destructive, which in turn meant it was rare: "destructive viruses killed their 'hosts' and [therefore] didn't spread much." According to F-Secure, it would activate after your computer was turned on for 48 hours.
Once your system was infected, a message would appear that read, "Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989 Warning !! Don't turn off the power or remove the diskette while Disk Killer is Processing! PROCESSING." This pretty much meant you were screwed. The virus had begun to encrypt all files on the computer. You could ignore the message and turn off the computer to minimize damage, but in those days, people weren't as used to false instructions. When it was done, a final message read, "Now you can turn off the power I wish you luck!" Luck would not be enough and you could kiss your files goodbye.
420 dude! Weed legalization and hacktivism were in bed together early. The Stoned virus was "very possibly the most widespread virus before the advent of macro viruses in 1994," according to Slade and much like the Jerusalem virus it "was used as the template for a wide variety of virus families."
It is believed that the original Stoned virus was created by a university student from Wellington, New Zealand in 1987. Once a computer was infected, it had a one in eight chance of activating. What horrible consequences awaited the infected? A message that read, "Your PC is now stoned! LEGALIZE MARIJUANA!" This original version was designed to be relatively harmless, but subsequent variations could be quite destructive. It's the "gateway drug" of computer viruses.
Slade says that Datacrime was "somewhat prevalent, but received more attention than it was worth," and indeed there is some speculation that the virus never even infected a single user. Primarily, it's believed that Datacrime created a certain level of panic due to the fact that it was set to go off on Friday, October 13th, 1989, creating a double threat with the Jerusalem/Friday the 13th virus. If a computer was successfully hit by Datacrime, the first nine tracks of the hard disk would be formatted and a message would read, "DATACRIME VIRUS RELEASED: 1 MARCH 1989."
Also known as Italian, Ping-Pong was first discovered on March 1, 1988, at the University of Turin. Slade says it was fairly widespread, though the original version, which was only found on floppy disks, is officially considered extinct.
If a disk access was made exactly on the half hour, a small "Pong"-style ball would bounce around the screen and cause the text to disappear. For the most part, it was harmless and could temporarily be deactivated by rebooting. Until the Stoned virus came along and stole its thunder, Ping-Pong was considered the most widespread virus.
Falling Letters Virus
Believed to have originated in Yugoslavia, Falling Letters was set to go off between Oct. 1 and Dec. 31, 1988. The original version was pretty much harmless. If activated, it would simply cause the letters onscreen to fall and pile up on the bottom. Slade counts this as one of his favorite payloads and says that it's "widely known because of the display, but seldom actually seen." Perhaps its biggest impact was prompting IBM to write its own anti-virus software.
Trading the payload for the payday
White says that modern malware doesn't drop a payload for the most part because there is money to be made and the longer a virus goes unnoticed the better. There are some minor exceptions, when the hacker actually wants to be found, "such as Cryptolocker encrypting all your files and changing your background to a ransom note, or the Ashley Madison hackers playing AC/DC's 'Thunderstruck' on the office computers."
“These days, malware is a big business and is developed and spread in terms of making the most money possible," White says. "Infected computers form botnets to mass-spam email addresses for money, keyloggers steal banking credentials and other sensitive details to provide more money to hackers, and all of these details and more are sold en masse on the black market. Instead of the hobbyist scene of the late 80s and early 90s, it's very much a business nowadays."
Slade tells Hopes&Fears that the virus has morphed over the years from file and boot sector infectors that first traveled on physical disks to the phishing scams that come through random emails. “Around 2003 virus writers found ways of attaching functional blackhat payloads to viruses, forming botnets and spam nets, and found ways to monetize viruses. That completely changed the virus creation dynamic.” The modern virus usually spreads “via spam or drive-by downloads,” and “if people stopped clicking on every file or link they received in email, computer viruses would now go extinct almost overnight.” But just clicking email links isn’t the only problem; it’s indiscriminately clicking links in general. Hackers are now using absurdly cheap banner ads to spread their wares.
While the computer virus has changed in how it’s delivered and where it hides, Slade says that the crucial element has stayed the same: “Social engineering is the way to break security, and always has been.” Whether a hacker is conning a victim into inserting a floppy disk or clicking an ad for boner pills, it’s all just about manipulating people.