AIDS (Trojan horse)

AIDS Trojan
	Message after activation of AIDS
Common name	PC Cyborg Trojan
Technical name	Aids Info Disk/PC Cyborg Trojan
Aliases	AIDS!Trojan, Aidsinfo. A trojan, Aidsinfo. B trojan, Cyborg, Trj/AidsInfo. A, Trojan. AidsInfo.a, Trj/AidsInfo. B, Trojan. AidsInfo.b, Trojaids!Trojan, Love virus
Family	AIDS Trojan
Classification	Trojan
Type	DOS
Subtype	DOS scrambler
Isolation	1989
Point of isolation	Europe
Point of origin	United States
Author(s)	Dr. Joseph Popp

Last updated April 04, 2023

AIDS, also known as Aids Info Disk or PC Cyborg Trojan, is a DOS Trojan horse whose payload mungs and encrypts the names of all directories on drive C:. It was developed by Dr. Joseph Popp, an evolutionary biologist who graduated from Harvard. The virus was isolated in 1989.

Description

AIDS replaces the AUTOEXEC.BAT file, which would then be used by AIDS to count the number of times the computer has booted. Once this boot count reaches 90, AIDS hides directories and encrypts the names of all files on drive C: (rendering the system unusable), at which time the user is asked to 'renew the license' and contact PC Cyborg Corporation for payment (which would involve sending US$189 to a post office box in Panama). There exists more than one version of AIDS, and at least one version does not wait to mung drive C:, but will hide directories and encrypt file names upon the first boot after AIDS is installed. The AIDS software also presented to the user an end user license agreement, some of which read:

If you install [this] on a microcomputer...

then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing these programs...

In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal action necessary to recover any outstanding debts payable to PC Cyborg Corporation and to use program mechanisms to ensure termination of your use...

These program mechanisms will adversely affect other program applications...

You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life...

and your [PC] will stop functioning normally...

You are strictly prohibited from sharing [this product] with others...

AIDS is considered to be an early example of a class of malware known as "ransomware".

History

AIDS was introduced into systems through a floppy disk called the "AIDS Information Introductory Diskette", which had been mailed to a mailing list. Harvard-taught evolutionary biologist Dr. Joseph Popp was identified as the author of the AIDS trojan horse and was a subscriber to this list.^[1]

Popp was eventually discovered by the British anti-virus industry and named on a New Scotland Yard arrest warrant. He was detained in Brixton Prison. Though charged with eleven counts of blackmail and clearly tied to the AIDS trojan, Popp defended himself by saying money going to the PC Cyborg Corporation was to go to AIDS research.^[2] A Harvard-trained anthropologist, Popp was actually a collaborator of the Flying Doctors, a branch of the African Medical Research Foundation (AMREF), and a consultant for the WHO in Kenya, where he had organized a conference in the new Global AIDS Program that very year. ^[3] Popp had been behaving erratically since the day of his arrest during a routine baggage inspection at Amsterdam Schiphol Airport. He was declared mentally unfit to stand trial and was returned to the United States.^[4]

Jim Bates analyzed the AIDS Trojan in detail and published his findings in the Virus Bulletin.^[5]^[6] He wrote that the AIDS Trojan did not alter the contents of any of the user's files, just their file names. He explained that once the extension and filename encryption tables are known, restoration is possible. AIDSOUT was a reliable removal program for the Trojan and the CLEARAID program recovered encrypted plaintext after the Trojan triggered. CLEARAID automatically reversed the encryption without having to contact the extortionist.

The AIDS Trojan was analyzed even further a few years later. Young and Yung pointed out the fatal weakness in malware such as the AIDS Trojan, namely, the reliance on symmetric cryptography. They showed how to use public key cryptography to implement a secure information extortion attack. They published this discovery (and expanded upon it) in a 1996 IEEE Security and Privacy paper. ^[7] A cryptovirus, cryptotrojan, or cryptoworm hybrid encrypts the victim's files using the public key of the author and the victim must pay (with money, information, etc.) to obtain the needed session key. This is one of many attacks, both overt and covert, in the field known as cryptovirology.^[8]

Related Research Articles

<span class="mw-page-title-main">Malware</span> Malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

In computing terminology, a macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application. Some applications, such as Microsoft Office, Excel, PowerPoint allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in e-mails. Many antivirus programs can detect macro viruses; however, the macro virus' behavior can still be difficult to detect.

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

<span class="mw-page-title-main">Antivirus software</span> Computer software to defend against malicious computer viruses

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

<span class="mw-page-title-main">Internet security</span> Branch of computer security

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

<span class="mw-page-title-main">Ransomware</span> Malicious software used in ransom demands

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid off. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

PGPCoder or GPCode is a trojan that encrypts files on the infected computer and then asks for a ransom in order to release these files, a type of behavior dubbed ransomware or cryptovirology.

Cryptovirology refers to the use of cryptography to devise particularly powerful malware, such as ransomware and asymmetric backdoors. Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. Cryptovirology employs a twist on cryptography, showing that it can also be used offensively. It can be used to mount extortion based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents.

<span class="mw-page-title-main">Stoned (computer virus)</span> Computer virus

Stoned is a boot sector computer virus created in 1987. It is one of the first viruses and is thought to have been written by a student in Wellington, New Zealand. By 1989 it had spread widely in New Zealand and Australia, and variants became very common worldwide in the early 1990s.

Malwarebytes Inc. is an American Internet security company that specializes in protecting home computers, smartphones, and companies from malware and other threats. It has offices in Santa Clara, California; Clearwater, Florida; Tallinn, Estonia; Bastia Umbra, Italy; and Cork, Ireland.

Bleeping Computer is a website covering technology news and offering free computer help via its forums that was created by Lawrence Abrams in 2004. It publishes news focusing heavily on cybersecurity, but also covers other topics including computer software, computer hardware, operating system and general technology.

<span class="mw-page-title-main">Malvertising</span> Use of online advertisement or advertising to spread malware

Malvertising is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'."

Eddy Willems, is a Belgian computer security expert and author of security blogs and books, active in international computer security organizations and as a speaker at information security-related events.

TeslaCrypt was a ransomware trojan. It is now defunct, and its master key was released by the developers.

Rombertik is spyware designed to steal confidential information from targets using Internet Explorer, Firefox, or Chrome running on Windows computers. It was first publicized by researchers at Cisco Talos Security and Intelligence Group.

Linux.Encoder is considered to be the first ransomware Trojan targeting computers running Linux. There are additional variants of this Trojan that target other Unix and Unix-like systems. Discovered on November 5, 2015, by Dr. Web, this malware affected at least tens of Linux users.

<span class="mw-page-title-main">KeRanger</span>

KeRanger is a ransomware trojan horse targeting computers running macOS. Discovered on March 4, 2016, by Palo Alto Networks, it affected more than 7,000 Mac users.

Locky is ransomware malware released in 2016. It is delivered by email with an attached Microsoft Word document that contains malicious macros. When the user opens the document, it appears to be full of gibberish, and includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, they save and run a binary file that downloads the actual encryption Trojan, which will encrypt all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination. Initially, only the .locky file extension was used for these encrypted files. Subsequently, other file extensions have been used, including .zepto, .odin, .aesir, .thor, and .zzzzz. After encryption, a message instructs them to download the Tor browser and visit a specific criminal-operated Web site for further information. The Web site contain instructions that demand a payment of between 0.5 and 1 bitcoin. Since the criminals possess the private key and the remote servers are controlled by them, the victims are motivated to pay to decrypt their files.

Jigsaw is a form of encrypting ransomware malware created in 2016. It was initially titled "BitcoinBlackmailer", but later came to be known as "Jigsaw" due to featuring an image of Billy the Puppet from the Saw film franchise. The malware encrypts computer files and gradually deletes them, demanding payment of a ransom to decrypt the files and halt the deletion.

<span class="mw-page-title-main">Ryuk (ransomware)</span> Type of ransomware

Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian, who target organizations rather than individual consumers.

References

↑ Kelly, Samantha Murphy (May 16, 2021). "The bizarre story of the inventor of ransomware". CNN Business. Warner Bros. Discovery. Archived from the original on May 16, 2021.
↑ "The Computer Virus That Haunted Early AIDS Researchers". The Atlantic . 10 May 2016.
↑ P. Mungo & B. Glough, Approaching Zero: The Extraordinary Underworld of Hackers, Phreakers, Virus Writers, and Keyboard Criminals. New York, NY, Random House, 1992.
↑ P. A. Taylor, Hackers: Crime in the Digital Sublime, London, Routledge, 1999.
↑ J. Bates, "Trojan Horse: AIDS Information Introductory Diskette Version 2.0," In: Wilding E, Skulason F (eds) Virus Bulletin. Virus Bulletin Ltd., Oxon, England, Jan., pages 3–6, 1990
↑ J. Bates, "High Level-Programs & the AIDS Trojan," In: Wilding E, Skulason F (eds) Virus Bulletin. Virus Bulletin Ltd., Oxon, England, Feb., pages 8–10, 1990.
↑ A. Young, M. Yung, "Cryptovirology: Extortion-Based Security Threats and Countermeasures," In: McHugh J, Dinolt G (eds) Symposium on Security & Privacy. IEEE Computer Society Press, Washington DC, pages 129–141, 1996.
↑ "Jahewi's Anti-Malware Information". July 18, 2006. Archived from the original on June 11, 2008.

External links

An early analysis of the trojan
THE COMPUTER INCIDENT ADVISORY CAPABILITY, by CIAC, on AIDS infection and distribution
The Original Anti-Piracy Hack, by George Smith, on the interesting AIDS EULA
Computer Viruses (A), by Probert Encyclopedia
AIDS Information Trojan, by CA
Aids Trojan, by CA

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Kelly, Samantha Murphy (May 16, 2021). "The bizarre story of the inventor of ransomware". CNN Business. Warner Bros. Discovery. Archived from the original on May 16, 2021.

[2] "The Computer Virus That Haunted Early AIDS Researchers". The Atlantic . 10 May 2016.

[3] P. Mungo & B. Glough, Approaching Zero: The Extraordinary Underworld of Hackers, Phreakers, Virus Writers, and Keyboard Criminals. New York, NY, Random House, 1992.

[4] P. A. Taylor, Hackers: Crime in the Digital Sublime, London, Routledge, 1999.

[5] J. Bates, "Trojan Horse: AIDS Information Introductory Diskette Version 2.0," In: Wilding E, Skulason F (eds) Virus Bulletin. Virus Bulletin Ltd., Oxon, England, Jan., pages 3–6, 1990

[6] J. Bates, "High Level-Programs & the AIDS Trojan," In: Wilding E, Skulason F (eds) Virus Bulletin. Virus Bulletin Ltd., Oxon, England, Feb., pages 8–10, 1990.

[7] A. Young, M. Yung, "Cryptovirology: Extortion-Based Security Threats and Countermeasures," In: McHugh J, Dinolt G (eds) Symposium on Security & Privacy. IEEE Computer Society Press, Washington DC, pages 129–141, 1996.

[8] "Jahewi's Anti-Malware Information". July 18, 2006. Archived from the original on June 11, 2008.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]