Monday 18 January 2016

Memories of the Brain virus

Brain was the first computer virus I saw.

It was 1987, and we were selling a range of utility programs, and had a good business in data recovery. People came to us having lost all their data, and we would get it back for them, with a no-fix, no-fee guarantee, and a 95% success rate. Hard drives were 10 or 20 megabytes, and we also did floppy disks.

So when a lady at the University of Bradford saw that the volume label "(c) Brain" was appearing on several floppy disks for no reason, she phoned us up.

Ladysolly took the call, because in those days, I had a day job. She persuaded the woman to send us the floppy, because she knew I was interested in computer viruses. There was a lot of talk on this topic at the time, but no-one seemed to actually know anything. And there was a major confusion between trojans and viruses.

I'd written a story. It was pure fiction, and I called it "The Doomsday Virus". I wrote for a lot of magazines at the time, and I sent it to PCW. The editor said that he liked the story, but didn't want to publish it in case it gave someone ideas.

So the diskette arrived. And I did nothing for several days. Ladysolly was quite disappointed, and reminded me a few times. But eventually I cleared my workload sufficiently that I could tackle it.

I took it seriously. I used a spare room that we had. I took a computer into that room that had no hard disk, and several floppy disks, and set about trying to see what was going on. Sure enough, I found that if you tried to boot from an infected floppy, even though it wasn't a boot diskette, the next disk you put in the floppy drive would be infected, and get the volume label "(c) Brain". But how was it doing this?

Because I was into data recovery, I knew that on the boot sector of the floppy disk, there's a tiny program that looks for the Dos operating system and loads it. So I looked at the boot sector of an infected floppy disk using one of my data recovery tools - it looked perfectly normal.

So I tried all sorts of other things, and after a while had passed, I'd managed to infect several of the disks in that room (except the write-protected ones, which was a confirmation that you can't override the write protection). Eventually, I used a program that is part of the standard Dos distribution called chkdsk, which looks for FAT chains that don't have a directory pointing to them, and various other inconsistencies, and chkdsk reported 3kb of bad clusters.

That was the clue I needed. On a 360kb floppy disk, if Dos format finds a bad sector, it marks the whole track as bad. So you can have zero bad sectors, or 5kb of bad sectors, but you can't have 3kb of bad sectors. Something fishy must be going on.

So I looked at those bad sectors, which weren't actually unreadable, and one of them I recognised as a standard boot sector. So what's that doing further down the disk? I looked at sector zero again (side zero, track zero, sector one) and that looked exactly the same.

And then the penny dropped. It was fooling me. It had trapped interrupt 13h, and when I tried to look at (0, 0, 1) it was showing me the boot sector that it had parked further down the disk. At the time, we didn't have a word for this trick - later on, we called it "stealth".
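The chkdsk clue above can be turned into a small offline check. The following is an added example, not code from the original post and not Brain's code: it builds a constructed 360kb FAT12 image in memory (three clusters marked bad, a copy of the boot sector parked in the first of them, a root-directory volume label of "(c) Brain"), then parses the BPB, walks the FAT12 table for bad-cluster markers, applies the post's rule of thumb (FORMAT marks whole tracks bad, so a non-zero count smaller than one track's worth of clusters is suspicious), and scans the sectors inside the bad clusters for anything that looks like a boot sector. The layout numbers (9 sectors per track, 2 sectors per cluster, 112 root entries) are the standard 360kb geometry; the OEM name and label bytes are constructed. The heuristic only catches counts below one track, which is exactly the case in the post.

```python
"""FAT12 image inspector: the chkdsk clue from the post, redone offline.

Constructed sample (built below, not Brain's bytes): a 360 KB FAT12 image in
which three clusters are marked bad and a copy of the boot sector is parked
inside them, plus a root-directory volume label of "(c) Brain".
"""
import struct

SECTOR = 512
BAD = 0xFF7                 # FAT12 "bad cluster" marker
BPB_FMT = "<HBHBHHBHHH"     # BPB fields at boot-sector offsets 11..27


def build_boot_sector(total=720, spt=9, heads=2, spc=2, reserved=1, fats=2,
                      root_entries=112, spf=2, media=0xFD):
    """A plausible (non-bootable) DOS boot sector for a 360 KB diskette."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"          # JMP SHORT xx ; NOP, as DOS boot sectors start
    bs[3:11] = b"EXAMPLE "             # OEM name (constructed)
    struct.pack_into(BPB_FMT, bs, 11, SECTOR, spc, reserved, fats,
                     root_entries, total, media, spf, spt, heads)
    bs[510:512] = b"\x55\xAA"          # boot signature
    return bytes(bs)


def geometry(img):
    """Decode the BPB into the numbers needed to walk the FAT and data area."""
    (bps, spc, reserved, fats, root_entries, total,
     _media, spf, spt, heads) = struct.unpack_from(BPB_FMT, img, 11)
    root_sectors = (root_entries * 32 + bps - 1) // bps
    data_start = reserved + fats * spf + root_sectors
    return dict(spc=spc, reserved=reserved, fats=fats, spf=spf, spt=spt,
                root_start=reserved + fats * spf, root_sectors=root_sectors,
                data_start=data_start, clusters=(total - data_start) // spc)


def fat12_get(fat, n):
    off = n * 3 // 2
    word = fat[off] | (fat[off + 1] << 8)
    return (word >> 4) if n & 1 else (word & 0xFFF)


def fat12_set(fat, n, val):
    off = n * 3 // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((val << 4) & 0xF0)
        fat[off + 1] = (val >> 4) & 0xFF
    else:
        fat[off] = val & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((val >> 8) & 0x0F)


def sector(img, n):
    return img[n * SECTOR:(n + 1) * SECTOR]


def cluster_first_sector(geo, n):
    return geo["data_start"] + (n - 2) * geo["spc"]    # data area starts at cluster 2


def bad_clusters(img, geo):
    fat = img[geo["reserved"] * SECTOR:(geo["reserved"] + geo["spf"]) * SECTOR]
    return [n for n in range(2, geo["clusters"] + 2) if fat12_get(fat, n) == BAD]


def bad_count_is_suspicious(geo, n_bad):
    """FORMAT marks whole tracks bad, so the smallest non-zero count it can
    produce is one track's worth of clusters (ceil(9/2) = 5 on a 360 KB disk)."""
    one_track = -(-geo["spt"] // geo["spc"])
    return 0 < n_bad < one_track


def looks_like_boot_sector(sec):
    """JMP at offset 0, 0x55AA signature, and a 512-byte-per-sector BPB."""
    return (sec[0] in (0xEB, 0xE9) and sec[510:512] == b"\x55\xAA"
            and struct.unpack_from("<H", sec, 11)[0] == SECTOR)


def parked_boot_sectors(img, geo, bad):
    """Scan every sector inside the bad clusters for a boot-sector lookalike."""
    hits = []
    for n in bad:
        first = cluster_first_sector(geo, n)
        hits += [s for s in range(first, first + geo["spc"])
                 if looks_like_boot_sector(sector(img, s))]
    return hits


def volume_label(img, geo):
    """Root-directory entry carrying the volume-label attribute (0x08), if any."""
    start = geo["root_start"] * SECTOR
    for off in range(start, start + geo["root_sectors"] * SECTOR, 32):
        entry = img[off:off + 32]
        if entry[0] not in (0x00, 0xE5) and entry[11] & 0x08:
            return entry[:11].decode("ascii", "replace").rstrip()
    return None


def inspect(img):
    geo = geometry(img)
    bad = bad_clusters(img, geo)
    return dict(label=volume_label(img, geo), bad=bad,
                suspicious=bad_count_is_suspicious(geo, len(bad)),
                parked=parked_boot_sectors(img, geo, bad))


def build_sample(infected=True):
    """Constructed 360 KB image. 'infected' only means: three clusters marked
    bad, a boot-sector copy parked in the first, and a "(c) Brain" label."""
    boot = build_boot_sector()
    img = bytearray(720 * SECTOR)
    img[0:SECTOR] = boot
    geo = geometry(img)
    fat = bytearray(geo["spf"] * SECTOR)
    fat12_set(fat, 0, 0xFFD)           # media byte in entry 0
    fat12_set(fat, 1, 0xFFF)
    if infected:
        for n in (2, 3, 4):
            fat12_set(fat, n, BAD)
        s = cluster_first_sector(geo, 2)
        img[s * SECTOR:(s + 1) * SECTOR] = boot
        r = geo["root_start"] * SECTOR
        img[r:r + 32] = b"(c) Brain  " + bytes([0x08]) + bytes(20)
    for i in range(geo["fats"]):       # write both FAT copies
        off = (geo["reserved"] + i * geo["spf"]) * SECTOR
        img[off:off + len(fat)] = fat
    return bytes(img)


if __name__ == "__main__":
    print(inspect(build_sample()))
```

On the constructed image the inspector reports bad clusters 2, 3 and 4 (3kb, flagged as suspicious because one bad track would be 5 clusters), a boot-sector lookalike at logical sector 12 (the first sector of cluster 2) and the "(c) Brain" label; the same image with `infected=False` reports nothing. Reading the image file directly is the software equivalent of booting from a clean disk: nothing sits between the inspector and the bytes, so there is no interrupt 13h handler to lie about what sector one contains.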

So what I had to do was boot from a clean Dos disk before looking at an infected disk. I did that, and saw on the boot sector:


Welcome to the  Dungeon
(c) 1986 Brain & Amjads (pvt) Ltd
VIRUS_SHOE  RECORD   v9.0
Dedicated to the dynamic memories
of millions of virus who are no longer with us
today - Thanks GOODNESS!!
BEWARE OF THE er..VIRUS  : \this program is catching
program follows after these messeges..... $#@%$@!!


This is one of a number of variants - another variant has three Lahore phone numbers.

So I captured the sectors of the virus into a file, and worked on that, disassembling it to see how it worked - you can use debug (part of the Dos distribution) for that.

Then I wrote an article for one of the magazines I wrote for. Then other magazines asked me to write articles, because I had the advantage of being able to write about something I'd actually seen, whereas up till now, everything people had written had been speculation.

In pretty much every computer magazine you read, there was an article by me about viruses in general, and the Brain virus in particular. My recommendation was to be choosy about who you got floppy disks from, and where you got software.

I also got interviewed by various journalists, and there's where the idea came from that the first virus seen in the UK was a university in the Midlands. I wasn't actually trying to mislead, I really am that bad at geography.

As an interesting side effect, I developed a slight skin problem on my hands. Ladysolly said it was because I'd greatly increased the frequency with which I washed them. I switched to a gentler cleanser, and the problem cleared up. But why was I washing my hands more often? I'm not so stupid as to think I could catch anything from a computer! But maybe something deeper inside my head didn't know that.

Brain virus spreads only on 360 kb floppy disks. I heard rumours about a version that also infects hard drives, but if you know anything about how the FAT works, you'd know that this wouldn't be a minor variant, it would need a major reprogram. No such variant was ever seen.

Since I now had an actual virus, I could test what antivirus software there was around. And it turned out to be pretty useless. One program was designed to check programs that you ran (Brain was a boot sector virus), one program checksummed your files looking for changes (Brain isn't a file!) and one program was specific to Brain; it claimed that it would detect it even if you were infected, but when I tried it out, it didn't. I think the reason why all the antivirus software at that time was so awful is that the people who wrote it hadn't actually seen a virus.

Back in 1987, a lot of PCs were twin-floppy, which would be a good environment for Brain. But it would also spread on computers with a hard disk - if you left an infected floppy in drive A when you powered up, the boot would fail, you'd take out the floppy and continue the boot from the hard drive, but the virus had gone memory resident by then, and would infect any write-enabled diskette that you put into drive A.

I think Brain was always very rare. I only encountered a few people who got it. When I say very rare, I mean *very* rare. It wasn't until we saw Stoned (which will infect a hard drive) and the memory-resident file viruses that we began to see them in any number.

Today, viruses are pretty much irrelevant. They can't spread on floppy disks, because when was the last time you even saw a floppy disk? Most computers today don't even have a floppy disk drive. And the other means of spreading, via shared executables, doesn't happen either, because you can't just copy an exe file and expect it to run. It has to go through a whole install procedure. Today, the threat is trojans. I get dozens of these sent to me per week via email, and "antivirus" programs mostly don't flag them. The other means of travel is when you access a web site that has malvertising.

30 years ago, when I saw Brain, I predicted that there would be lots more viruses, and I was right! By six months after I saw Brain, I'd seen six viruses, and I realised that what was needed was some sort of kit of tools for dealing with them. I called mine, "Dr Solomon's Antivirus Toolkit".

And that's how it started.

1 comment:

  1. Acorns and Oak Trees spring to mind. I still think you should write an autobiography. Too many great stories not to share!
    Paul