AF/91 was a virus hoax surrounding a computer virus purportedly created by the United States Intelligence Community as a cyberweapon during the Gulf War. The hoax originated in a 1991 InfoWorld article published as an April Fools' Day joke; in reality, no such virus ever existed, and the U.S. military is not known to have used a strategy similar to this in the Gulf War. Despite its publication date and the article clarifying it was for April Fools' Day, the story drew significant media attention, with several sources erroneously describing AF/91 as real well into the early 2000s.
AF/91 originated in the article "Meta-Virus Set to Unleash Plague on Windows 3.0 Users", written by Tech Street Journal editor John Gantz and published on April 1, 1991 in InfoWorld magazine volume 13, issue 13. [1] Gantz claimed in the article that he had first heard of AF/91 in a conversation he overheard at the 1991 Federal Office Systems Expo (FOSE), a U.S. federal government office supplies convention. Most other details relating to AF/91 came from an unnamed friend whom Gantz said was employed as a U.S. Navy automated data processing specialist. [1]
AF/91 was described as a "meta-virus" designed as a "machine-language palindrome" and used to disable real-time computer systems by "attacking the software in printer and display controllers". AF/91 was claimed to be able to eat windows, apparently literally "gobbling them at the edges", ultimately overloading the peripherals with a broadcast storm and permanently freezing the computer. Intel and Motorola computer chips were noted to be especially vulnerable to the virus, as were computers running Microsoft Windows operating systems, namely the then-new Windows 3.0 (as mentioned in the article's title). AF/91 used a neural network that learned with each machine cycle but required lengthy periods of time to work as intended, even after its activation time was reduced by 75%, reportedly taking several weeks to set up, learn, and activate on systems operating 24 hours every day. [1]
According to the article, the National Security Agency (NSA) developed AF/91 to defeat Iraqi air defense systems during the Gulf War as part of the U.S. military's Suppression of Enemy Air Defenses operations. In the lead-up to Operation Desert Storm, AF/91 was embedded in Trojan-horse printer software and smuggled into Iraq through Jordan by the Central Intelligence Agency. After infecting an Iraqi air defense site, AF/91 remained dormant in Iraqi computer systems until the opening stages of the Gulf War air campaign, which was supposedly delayed just so AF/91 could be smuggled into Iraq and start working, at which point it was activated, disabling Iraqi air defenses and rendering half of their computers and printers unserviceable. [1]
However, AF/91 unintentionally made its way out of Iraq after Iraqi Air Force pilots deserting to Iran brought several infected printers with them; these were then used by the Ministry of Information and Communications Technology of Iran, allowing the virus to spread rapidly. By then, the virus had "mutated" and was capable of permanently embedding itself in a computer's display device and affecting its messaging software. The U.S. military, which had mostly committed to Windows for its computer programs, became increasingly concerned about AF/91 potentially reaching it, which is why it was mentioned at FOSE. Though the NSA was said to have considered any computer with windowing technology to be "doomed", computers infected by AF/91 could last up to four years if used very infrequently, because the virus' neural network required continuous use to learn; this was potentially long enough for the NSA to develop dedicated antivirus software to counter AF/91. [1]
At the end of the article, Gantz revealed the secret of what "AF/91" meant: "91 is the Julian Date for April Fool's Day." [1]
Over time, several apocryphal additions were made to the story of AF/91 that were not present in Gantz's original article, including that:
Though AF/91 was intended as a joke, several news outlets reported AF/91's existence as though it were real, presenting the story as an early example of cyberwarfare. Media outlets said to have reported on AF/91 as fact included the Associated Press, CNN, Nightline, and several American newspapers such as The Commercial Appeal. [2] [6] Others that erroneously presented AF/91 as real included Popular Mechanics in its March 1999 issue, [4] author James Adams in his 1998 book The Next World War, [5] and a Hudson Institute analyst in a paper about Russian cyberwarfare. [2]
In U.S. News & World Report's 1992 book Triumph Without Victory: The Unreported History of the Persian Gulf War, one section described AF/91 as though it were real, although it was not referred to by name. [7] When questioned on the topic, writer Brian Duffy claimed his sources were unnamed "senior level intelligence officers", and stated he had "no doubt" that AF/91 existed. [2] [6]
Technology writer George Smith, remarking on the wide acceptance of AF/91's existence as fact in spite of clear evidence of its fictional nature, wrote in his SecurityFocus column that he believed it resulted from "a creepy enthusiasm" for unusual weapons, the competitiveness of the media in chasing "the hot scoop", and the "uniquely American" belief that technology is the answer to everything. [2]
In 2010, InfoWorld revisited Gantz's story, this time reporting that programs similar to AF/91 had actually been developed. The unnamed real programs, Trojan horses built for penetration testing, were hidden in printers and other office equipment, much as the original article said AF/91 was smuggled into Iraq, and were reportedly effective against both Windows and Linux systems. [8] [9]
A computer worm is a standalone malware program that replicates itself in order to spread to other computers. It typically spreads over a network, relying on a security failure on the target computer to gain access. It then uses that machine as a host from which to scan for and infect further computers; each newly infected host repeats the process, so the infection compounds. Because a worm copies itself without needing a host program, and because every infected host becomes a new source of infection, the number of infected machines can grow exponentially until the pool of reachable vulnerable hosts is exhausted. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
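To make the scan-and-infect growth pattern described above concrete, here is an added simulation of a random-scanning worm over a small address space. It is illustration code written for this page, not code from the original article or from any real worm; the address-space size, the number of vulnerable hosts, the scans per round and the seed are constructed assumptions. Each infected host probes random addresses; a probe succeeds only against a host that is vulnerable and not yet infected (the "security failure" the worm relies on), and every newly infected host begins scanning in the next round.

```python
"""Random-scanning worm propagation model (added illustration, constructed parameters)."""
import random


def simulate_worm(address_space=10_000, vulnerable=500, scans_per_round=20,
                  rounds=40, seed=1):
    """Return the count of infected hosts after each round, starting with patient zero.

    address_space   - number of addresses a scanner can pick from (assumption)
    vulnerable      - how many of those addresses belong to exploitable hosts (assumption)
    scans_per_round - probes each infected host sends per round (assumption)
    The expected new infections per infected host per round is roughly
    scans_per_round * (vulnerable / address_space) while few hosts are infected,
    which is what drives the early exponential phase; growth flattens as the
    remaining vulnerable population shrinks.
    """
    rng = random.Random(seed)
    vulnerable_hosts = set(rng.sample(range(address_space), vulnerable))
    infected = {next(iter(vulnerable_hosts))}  # patient zero
    history = [len(infected)]

    for _ in range(rounds):
        newly_infected = set()
        for _host in infected:  # every infected host scans independently
            for _ in range(scans_per_round):
                target = rng.randrange(address_space)
                # A probe only "exploits" a vulnerable host that is not already infected.
                if target in vulnerable_hosts and target not in infected:
                    newly_infected.add(target)
        infected |= newly_infected
        history.append(len(infected))
        if len(infected) == vulnerable:  # nothing left to infect
            break
    return history


def is_monotone_nondecreasing(history):
    """Infections never 'un-happen' in this model; used as a sanity check."""
    return all(a <= b for a, b in zip(history, history[1:]))


if __name__ == "__main__":
    h = simulate_worm()
    for round_no, count in enumerate(h):
        print(f"round {round_no:2d}: {count:4d} infected")
```

Running the block prints the infected count per round; the curve is the familiar S-shape, a near-doubling early phase followed by saturation as the worm runs out of uninfected vulnerable hosts. Changing `vulnerable` or `address_space` shows why worms that target a widely deployed flaw spread so much faster than those targeting a rare one.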
Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.
Spyware is any malware that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in other malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.
In computing, a Trojan horse is malware that misleads users about its true intent by disguising itself as a normal program. The term is derived from the ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.
This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.
Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.
A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, or embedded device. Backdoors are most often used to secure remote access to a computer or to obtain access to plaintext in cryptosystems. From there they may be used to gain access to privileged information such as passwords, to corrupt or delete data on hard drives, or to exfiltrate information over improvised channels.
Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.
Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.
WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.
The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.
Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.
A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.
Cyberwarfare is the use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes. As a major developed economy, the United States is highly dependent on the Internet and therefore greatly exposed to cyber attacks. At the same time, the United States has substantial capabilities in both defense and offensive power projection thanks to comparatively advanced technology and a large military budget. Cyberwarfare presents a growing threat to physical systems and infrastructures that are linked to the internet. Malicious hacking from domestic or foreign enemies remains a constant threat to the United States. In response to these growing threats, the United States has developed significant cyber capabilities.
Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, multiple independent news organizations recognize Stuxnet to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games. The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama's presidency.
Camfecting, in the field of computer security, is the process of attempting to hack into a person's webcam and activate it without the webcam owner's permission. The remotely activated webcam can be used to watch anything within the webcam's field of vision, sometimes including the webcam owner themselves. Camfecting is most often carried out by infecting the victim's computer with a virus that can provide the hacker access to their webcam. This attack is specifically targeted at the victim's webcam, and hence the name camfecting, a portmanteau of the words camera and infecting.
Shamoon, also known as W32.DistTrack, is a modular computer virus that was discovered in 2012, targeting then-recent 32-bit NT kernel versions of Microsoft Windows. The virus was notable due to the destructive nature of the attack and the cost of recovery. Shamoon can spread from an infected machine to other computers on the network. Once a system is infected, the virus continues to compile a list of files from specific locations on the system, upload them to the attacker, and erase them. Finally the virus overwrites the master boot record of the infected computer, making it unusable.
Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.
Regin is a sophisticated malware and hacking toolkit used by the United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers. The Intercept provided samples of Regin for download, including malware discovered at the Belgian telecommunications provider Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan.
EternalBlue is an exploit developed by the U.S. National Security Agency (NSA). It targets a vulnerability in Microsoft Windows' SMBv1 implementation that allows an unauthenticated attacker to execute code on any reachable unpatched machine, which is what makes it suitable for worm-style propagation across a network. The NSA knew about the vulnerability for several years but did not disclose it to Microsoft, retaining it for its own offensive use. The exploit was stolen by a group known as the Shadow Brokers, who in 2016 tried unsuccessfully to auction the stolen tools. Microsoft, reportedly alerted by the NSA, released the MS17-010 security update in March 2017 patching the vulnerability, and the Shadow Brokers then publicly released EternalBlue on April 14, 2017; the exploit therefore only affects systems that had not yet applied a patch that predated its publication.