David Harley

Job title:
CEO, Small Blue-Green World, and independent author

Areas of expertise:
Apple security, malware, anti-malware testing, psychosocial aspects of security, user education, email management, social media, medical informatics

The Apple Security Blog, by David Harley David Harley, CITP, FBCS, CISSP, is an IT security researcher, author and consultant living in the UK. He has worked in IT (largely in medical informatics) since the 1980s, increasingly focused on security and anti-malware research since 1989. Between 2001 and 2006 he managed the UK National Health Service’s Threat Assessment Centre, and since 2006 he has provided authoring and consultancy services to the anti-virus industry. Since 2009 he has been a director of the Anti-Malware Testing Standards Organization (AMTSO). He runs the Mac Virus website and AVIEN (the Anti-Virus Information Exchange Network), and is a Fellow of the British Computer Society (now the BCS Institute). He was principle author and technical editor of “The AVIEN Malware Defense Guide for the Enterprise” and co-authored “Viruses Revealed”, as well as contributing to many other books including “OS X Exploits and Defense”. He has a daunting back-catalog of research papers and articles, and also blogs for Mac Virus, AVIEN, ESET (where he holds the title Senior Research Fellow), (ISC)², and numerous other websites.

Tag Cloud



Send in the Clones


The longer you stay in this game, the more obsolete information you have cluttering up your memory cells. Technology moves quickly, and in the tug o’ war o’ attrition between malware and anti-malware, the effective lifetime of a specific malicious binary is often very short indeed, which is one of the reasons that detection by static signature is ineffective.
(Fortunately, the AV industry realized that long ago, and so makes very little use of them nowadays. We may not be able to protect you from all malicious software, but we’re a bit more proactive than that, and have been using heuristic algorithms and dynamic analysis for decades. But I’m not here to take potshots at the “stop buying AV and buy our product instead” sector of the security industry. Not today, anyway.)
Those of us who’ve had some connection with the AV industry for 20 years or longer do, I guess, sometimes yearn for those simpler times when new viruses appeared sporadically and AV could be updated once a month (or at even longer intervals). Which might explain Mikko Hypponen’s fascination with the authors of the Brain virus. And perhaps my recent attempt to set the record a little straighter on the Michelangelo hypefest, though I didn’t go so far as to fly off anywhere in the hope of tracing its author. The Register’s John Leyden also had an attack of nostalgia recently: at any rate, he went to the trouble of talking to Rich Skrenta, author of the Elk Cloner virus that some consider to be the first in-the-wild virus (though there were actually a couple of Apple II viruses circulating at Texas A&M around that time).
Its operation was very similar to old-school PC boot sector viruses (like Brain), staying resident in RAM and infecting other floppies, and at every 50th bootup it displayed the message: 
Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!
It will stick to you like glue
It will modify RAM too
Send in the Cloner!
I guess it’s as well that Skrenta subsequently went into the IT industry rather than embarking on a career in literature. As verse goes, that’s really shaggy doggerel.
In fact, Elk Cloner only worked ‘reliably’ on disks in AppleDOS 3.3 format. Other disks were likely to be rendered unusable, so users of ProDOS and one or two more esoteric formats might disagree that the ‘prank... caused no real harm’, though I’ve no reason to disbelieve Skrenta’s claim that he didn’t intend any harm.
This kind of payload was very typical of the early Mac and PC viruses that followed (Brain also spread via the boot sector, and bootkits remain a problem today). They were written out of mischief, yearning for peer recognition, and in some cases out of sheer destructive impulse, but hardly ever for profit. And they quite often caused unintentional damage: even then, most malware writers weren’t the super-competent malware developers they wanted us to think they were. In fact, malware authors today are probably more careful with their code: with a few dishonourable exceptions like ransomware – you can’t make a profit out of a system you’ve just trashed.


Posted 17/12/2012 by David Harley

Tagged under: David Harley , John Leyden , Mikko Hypponen , Michelangelo , Elk Cloner , Brain , viruses , malware , Apple II

Comment on this blog

You must be registered and logged in to leave a comment about this blog.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×