Send in the Clones


The longer you stay in this game, the more obsolete information you have cluttering up your memory cells. Technology moves quickly, and in the tug o’ war o’ attrition between malware and anti-malware, the effective lifetime of a specific malicious binary is often very short indeed, which is one of the reasons that detection by static signature is ineffective.
(Fortunately, the AV industry realized that long ago, and so makes very little use of them nowadays. We may not be able to protect you from all malicious software, but we’re a bit more proactive than that, and have been using heuristic algorithms and dynamic analysis for decades. But I’m not here to take potshots at the “stop buying AV and buy our product instead” sector of the security industry. Not today, anyway.)
Those of us who’ve had some connection with the AV industry for 20 years or longer do, I guess, sometimes yearn for those simpler times when new viruses appeared sporadically and AV could be updated once a month (or at even longer intervals). Which might explain Mikko Hypponen’s fascination with the authors of the Brain virus. And perhaps my recent attempt to set the record a little straighter on the Michelangelo hypefest, though I didn’t go so far as to fly off anywhere in the hope of tracing its author. The Register’s John Leyden also had an attack of nostalgia recently: at any rate, he went to the trouble of talking to Rich Skrenta, author of the Elk Cloner virus that some consider to be the first in-the-wild virus (though there were actually a couple of Apple II viruses circulating at Texas A&M around that time).
Elk Cloner’s operation was very similar to that of the old-school PC boot sector viruses that came later (like Brain): it stayed resident in RAM and infected other floppies, and on every 50th bootup from an infected disk it displayed the message:
Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!
It will stick to you like glue
It will modify RAM too
Send in the Cloner!
I guess it’s as well that Skrenta subsequently went into the IT industry rather than embarking on a career in literature. As verse goes, that’s really shaggy doggerel.
In fact, Elk Cloner only worked ‘reliably’ on disks in AppleDOS 3.3 format. Other disks were likely to be rendered unusable, so users of ProDOS and one or two more esoteric formats might disagree that the ‘prank... caused no real harm’, though I’ve no reason to disbelieve Skrenta’s claim that he didn’t intend any harm.
This kind of payload was very typical of the early Mac and PC viruses that followed (Brain also spread via the boot sector, and bootkits remain a problem today). They were written out of mischief, a yearning for peer recognition, and in some cases out of sheer destructive impulse, but hardly ever for profit. And they quite often caused unintentional damage: even then, most malware writers weren’t the super-competent malware developers they wanted us to think they were. In fact, malware authors today are probably more careful with their code, with a few dishonourable exceptions like ransomware: you can’t make a profit out of a system you’ve just trashed.