The Birth of the Antivirus Industry

Monday, July 11, 2011

Kevin McAleavey


Note: This is the second in a multipart series on the history of the antivirus and security industry by a long-time insider (Part One). We will explore how antivirus and antimalware technology works, and why a 1980s solution is no longer applicable to the current threat landscape. The series will conclude with solutions and recommendations on where we might all go next.

The first known virus to appear in the wild was "Elk Cloner" in 1981, written as a joke for the popular Apple II computer of the time. Since there were no "cures" for it, though, removal was difficult. The first widespread infection for the IBM PC was "(c)Brain" in 1986, written by shareware developers in Pakistan and intended as a digital rights management scheme that went horribly wrong: it destroyed many hard drives, required complete reformatting and reinstalls (like "Popureb" just last week) and put the developers out of business.

Soon, computer "hackers" were sharing these "boot sector infectors" and other malcode through shareware uploaded to dialup BBS' like the one I ran at the time. When a victim discovered that a program they had downloaded was in fact a virus, about all we could do for them was remove the offending program from our download section and put out the word on Fidonet, RBBS and other "SYSOP" networks advising other BBS' to remove them as well. The end user was left to pick up the mess by themselves by whatever means they had available which usually required formatting their system and starting all over from scratch, being more careful the next time. There was no other recourse.

Perhaps the most frequently encountered virus of all spread wildly in 1987: the "STONED Virus". Its readily available source code resulted in a literal plague of variants, which varied only in the messages delivered on the victim's screen. STONED and the variants which followed added a layer of sophistication by using what was called a TSR (Terminate and Stay Resident program, or "memory virus") in MS-DOS, which caused it to infect any disk that ever came near the machine even if the original file was deleted.

By 1989, what had heretofore been annoyances were now beginning to multiply and caused significant damage to data and to institutional computers as well as home computers. At the time, I was an IT admin for a state agency and it was just me, responsible for an agency of 70 employees, a Novell LAN and all of the desktops. STONED infections alone accounted for better than 60% of my day and after cleaning up all the machines, a still infected floppy would find its way into the system from somewhere external and begin the process all over again on a daily basis. Something had to be done!

Enter John McAfee. We FidoNet BBS sysops had a private group called "VIRUS-L" and this fellow from Lockheed gave us free copies of his shareware program called "virusscan" back in 1987, and encouraged us to make it available on our BBS' to the public. It WORKED! Two years later in 1989, he quit his day job and started the "McAfee" we know today even though they made him go away shortly thereafter because John wasn't quite the "corporate image." His product however, automated the process of removing viruses and putting things back the way they were without the need for a complete rebuilding of infected systems, or firing up a sector editor and calculating the original entry point. Huzzah!

Back in the beginning, all that was required of an antivirus was to open a file and check that the executable still had a valid "entry point" to the program. If the entry point had been replaced with a "jump instruction" to somewhere near the end of the file, it was infected with something. Better check the signature database!

A signature was made from some text or other part of the virus to name what was detected, along with a size (resulting in a virus name like "stoned.18734"), where the number was simply the number of bytes at the end of the file that contained the virus in question. Restore the entry pointer, chop off that many bytes from the end so we wouldn't detect it again after cleaning, and cleanup of an infected file was completed. Easy, no?
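The two paragraphs above describe the whole of an early file-infector scanner: check the entry point, match a signature in the file's tail, restore the original entry and truncate. The following is an added example written for this page, not code from the article or from any of the products it names. It uses a constructed toy executable format ("TOYX": a 4-byte magic, a 4-byte little-endian entry offset, then the program body), a constructed one-entry signature database in the "name.size" style, and a constructed infected sample whose appended tail stashes the host's original entry offset at a known position; none of this corresponds to a real file format or a real virus. It also shows the check a cautious cleaner wants: refusing to "restore" an entry pointer that does not point back inside the host.

```python
import struct

MAGIC = b"TOYX"      # constructed toy format: magic + 4-byte LE entry offset + body
HEADER_LEN = 8

# Constructed signature database in the "stoned.18734" style described in the
# article: a marker found inside the appended virus body, the number of bytes
# the virus occupies at the end of the file, and the offset inside that tail
# where the original entry point was stashed so it can be restored.
SIGNATURES = [
    {"name": "toyvirus", "marker": b"YOUR PC IS NOW TOY", "size": 64, "saved_entry_off": 20},
]


def parse_entry(image: bytes) -> int:
    """Return the entry offset, rejecting images that are not well-formed TOYX."""
    if len(image) < HEADER_LEN or image[:4] != MAGIC:
        raise ValueError("not a TOYX image")
    entry = struct.unpack_from("<I", image, 4)[0]
    if entry >= len(image):
        raise ValueError("entry point lies outside the file")
    return entry


def is_well_formed(image: bytes) -> bool:
    try:
        parse_entry(image)
        return True
    except ValueError:
        return False


def entry_looks_hijacked(image: bytes) -> bool:
    """The article's heuristic: an entry point redirected to near the end of file."""
    entry = parse_entry(image)
    longest_tail = max(sig["size"] for sig in SIGNATURES)
    return entry >= len(image) - longest_tail


def scan(image: bytes):
    """Return a detection name such as 'toyvirus.64', or None when nothing matches."""
    if not entry_looks_hijacked(image):
        return None
    for sig in SIGNATURES:
        if sig["marker"] in image[-sig["size"]:]:
            return f"{sig['name']}.{sig['size']}"
    return None


def clean(image: bytes) -> bytes:
    """Restore the original entry pointer and chop the virus body off the end."""
    name = scan(image)
    if name is None:
        return image
    sig = next(s for s in SIGNATURES if name.startswith(s["name"] + "."))
    tail = image[-sig["size"]:]
    original_entry = struct.unpack_from("<I", tail, sig["saved_entry_off"])[0]
    body = image[:-sig["size"]]
    # Refuse to write back a pointer that would leave the host pointing nowhere.
    if original_entry >= len(body):
        raise ValueError("saved entry point is not inside the host; refusing to clean")
    return MAGIC + struct.pack("<I", original_entry) + body[HEADER_LEN:]


# Constructed samples: a clean host (entry at body start) and the same host with
# a 64-byte tail appended and the entry redirected to that tail.
CLEAN_IMAGE = MAGIC + struct.pack("<I", HEADER_LEN) + b"\x90" * 120
_tail = b"YOUR PC IS NOW TOY" + b"\x00" * 2 + struct.pack("<I", HEADER_LEN)
_tail += b"\x00" * (64 - len(_tail))
INFECTED_IMAGE = MAGIC + struct.pack("<I", len(CLEAN_IMAGE)) + CLEAN_IMAGE[HEADER_LEN:] + _tail

if __name__ == "__main__":
    print("clean sample:", scan(CLEAN_IMAGE))          # None
    print("infected sample:", scan(INFECTED_IMAGE))    # toyvirus.64
    repaired = clean(INFECTED_IMAGE)
    print("restored host identical:", repaired == CLEAN_IMAGE)
    print("rescan after cleaning:", scan(repaired))    # None
```

The point the scanner makes is the one the article makes: every decision rests on a known signature and a known tail length, so anything not already in the database, or anything that appends itself somewhere other than the end of the file, passes the entry-point check and the tail match untouched.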

By early 1991, U.S. computers were invaded by hundreds of foreign virus strains and corporate PC infection was becoming a serious problem. Symantec's Norton Group launched Norton AntiVirus for a whopping $130.00 a copy. Although it wasn't as good as McAfee, corporate licensees of the "Norton Utilities" paid for it based on Peter Norton's reputation with the innards of Microsoft stuff. Peter was also thrown overboard shortly thereafter.

Dr Solomon's Anti-Virus Toolkit was first created in 1988 and launched commercially in 1991, to rival the market leaders, Symantec's Norton AntiVirus and McAfee VirusScan. "Sollie", as I've known him over the years, is another incredibly remarkable compatriot, and his adeptness at "heuristics" was breathtaking in its ability to handle unknown variants or "zero-days."

McAfee (then Network Associates) agreed to acquire Dr Solomon's Group P.L.C. in 1998, removing yet another innovator from the pack. Another member of the old VIRUS-L group was a Russian fellow whom we knew as "Gene Kaspersky", but he remained on the sidelines for almost ten years before co-founding KasperskyLab with his wife Natalya in 1997, in apparent exasperation over where the industry was going. I should also mention F-PROT from Frisk International, which many of us used on DOS systems once McAfee started going downhill too.

The original players in the old days were eccentric, innovative, and highly dedicated to the mission of eradicating malware and were all great fun to work with. All of us took great ownership in our products and protecting our customers. Sadly, the only player still in the chair is Gene Kaspersky and even he has been marginalized by his own "suits" who have made antivirus/antimalware as effective as it's become today. And yes, when the company I was with was acquired by COMODO, I too was quickly sent packing.

The entire industry (except for Kaspersky for now) has been entirely sublimated by people who have no real idea of what the mission is and only count beans. And it shows in the quality of work performed by the numerous products across the board to the detriment of those paying them for a task that they're no longer up to.

Fortunately for the corporate players, the majority of virus writers that they had to deal with were relatively few in number and not terribly sophisticated. The vast majority of viruses were jokeware, pranks, and programs designed to delete files and otherwise wreak havoc. Sort of like the Lulzers against competent administrators.

Even after performing a lobotomy on its best minds, the industry was only up against pranksters and irritants for many years, and sales came rolling in thanks to marketing and a liberal amount of FUD in press releases over the "infection of the week."

Microsoft's incessant missteps, and the holes it left open for exploitation, also drove the marketing and kept AVs visible for many years to follow, with little need to innovate. The industry and its stockholders were fortunate indeed ...

(To be continued...)

About the author: Kevin McAleavey is the architect of the KNOS secure operating system and has been in antimalware research and security product development since 1996.

cliff sull: Excellent Article Kevin.

Kevin McAleavey: We're going to really get down to the nitty gritty tomorrow with revelations as to how the industry actually works. It's a shocker.

Keith Peer: Some clarifications:

VIRUS-L was a listserv hosted at moderated by Ken van Wyk

"Gene Kaspersky" is Eugene Kaspersky, and originally the software was written by Eugene Kaspersky, Vadim Bogdanov and Alexey De Mont De Rique. The antivirus software was released by KAMI in Russia in 1991.

Fridrik Skulason still runs Frisk Software (F-Prot).

Dr. Peter Lammer and Dr. Jan Hruska are still part of Sophos.

Tjark Auerbach still leads AVIRA (formerly H+BEDV).

G Data is still led by Dirk Hochstrate, who released the first commercially available antivirus in 1987.

Kevin McAleavey: Thanks for that ... once upon a time, I was planning on writing this as a book but found that the publisher had a minimum order of 100 and I didn't think I'd make it. :)

Because there's just too much history, a lot of things out of necessity had to be glossed over. I was a participant of VIRUS-L back in the day through Fidonet, but it had many other distribution paths as well.

Sorry for missing a few there ...