AF/91

AF/91 was a virus hoax surrounding a computer virus purportedly created by the United States Intelligence Community as a cyberweapon during the Gulf War. The hoax originated in a 1991 InfoWorld article published as an April Fools' Day joke; in reality, no such virus ever existed, and the U.S. military is not known to have used a strategy similar to this in the Gulf War. Despite its publication date and the article clarifying it was for April Fools' Day, the story drew significant media attention, with several sources erroneously describing AF/91 as real well into the early 2000s.

Description

AF/91 originated from the article "Meta-Virus Set to Unleash Plague on Windows 3.0 Users" written by Tech Street Journal editor John Gantz, published on April 1, 1991 in InfoWorld magazine volume 13, issue 13. [1] Gantz claimed in the article that he had first heard of AF/91 in a conversation he overheard at the 1991 Federal Office Systems Expo (FOSE), a U.S. federal government office supplies convention. Most other details relating to AF/91 came from an unnamed friend, who Gantz claimed was employed as a U.S. Navy automated data processing specialist. [1]

AF/91 was described as a "meta-virus" designed as a "machine-language palindrome" and used to disable real-time computer systems by "attacking the software in printer and display controllers". AF/91 was claimed to be able to eat windows, apparently literally "gobbling them at the edges", ultimately overloading the peripherals with a broadcast storm and permanently freezing the computer. Intel and Motorola computer chips were noted to be especially vulnerable to the virus, as were computers running Microsoft Windows operating systems, namely the then-new Windows 3.0 (as mentioned in the article's title). AF/91 used a neural network that learned with each machine cycle but required lengthy periods of time to work as intended, even after its activation time was reduced by 75%, reportedly taking several weeks to set up, learn, and activate on systems operating 24 hours every day. [1]

According to the article, the National Security Agency (NSA) developed AF/91 to defeat Iraqi air defense systems during the Gulf War as part of the U.S. military's Suppression of Enemy Air Defenses operations. In the lead-up to Operation Desert Storm, AF/91 was installed on Trojan horse software for a printer and smuggled into Iraq through Jordan by the Central Intelligence Agency. After infecting an Iraqi air defense site, AF/91 remained dormant in Iraqi computer systems until the opening stages of the Gulf War air campaign—which was supposedly delayed just so AF/91 could be smuggled into Iraq and start working—at which point it was activated, disabling Iraqi air defenses and rendering half of their computers and printers unserviceable. [1]

However, AF/91 unintentionally made its way out of Iraq after Iraqi Air Force pilots deserting to Iran brought several infected printers with them; these were then used by the Ministry of Information and Communications Technology of Iran, allowing the virus to spread rapidly. By then, the virus had "mutated" and was capable of permanently embedding itself into a computer's display device and affecting its messaging software. The U.S. military, which had mostly committed to using Windows for its computer programs, became increasingly concerned about AF/91 potentially reaching it, which is why it was mentioned at FOSE. Though the NSA was said to have considered any computer with windowing technology to be "doomed", computers infected by AF/91 could last up to four years if used very infrequently, because the virus's neural network required continuous use to learn; this was potentially long enough for the NSA to develop dedicated antivirus software to counter AF/91. [1]

At the end of the article, Gantz revealed the secret of what "AF/91" meant: "91 is the Julian Date for April Fool's Day." [1]

Further additions

Over time, several apocryphal additions were made to the story of AF/91 that were not present in Gantz's original article, including that:

Media misinterpretation

Though AF/91 was intended as a joke, several news outlets reported AF/91's existence as though it was real, with the story presented as an early example of cyberwarfare. Media outlets said to have reported on AF/91 as fact included the Associated Press, CNN, Nightline, and several American newspapers such as The Commercial Appeal. [2] [6] Others that erroneously presented AF/91 as real included Popular Mechanics in their March 1999 issue, [4] author James Adams in his 1998 book The Next World War, [5] and a Hudson Institute analyst in a paper about Russian cyberwarfare. [2]

In U.S. News & World Report's 1992 book Triumph Without Victory: The Unreported History of the Persian Gulf War, one section described AF/91 as though it was real, although it was not referred to by name. [7] When questioned on the topic, writer Brian Duffy claimed his sources were unnamed "senior level intelligence officers", and stated he had "no doubt" that AF/91 existed. [2] [6]

Legacy

Technology writer George Smith, remarking on the wide acceptability of AF/91's existence as fact in spite of clear evidence of its fictional nature, wrote in his SecurityFocus column that he believed it resulted from "a creepy enthusiasm" for unusual weapons, the competitiveness of the media to report "the hot scoop", and the "uniquely American" belief that technology is the answer to everything. [2]

In 2010, InfoWorld revisited Gantz's story, this time reporting that viruses similar to AF/91 had been developed. The real, unnamed viruses, Trojan horses developed for penetration testing, were concealed in printers and other office equipment, much as AF/91 was smuggled into Iraq in the original article, and were often effective against Windows and Linux systems. [8] [9]

References

  1. Gantz, John (April 1, 1991). "Meta-Virus Set to Unleash Plague on Windows 3.0 Users". InfoWorld. Retrieved November 13, 2015.
  2. Smith, George (March 10, 2003). "Iraqi Cyberwar: an Ageless Joke". SecurityFocus. Archived from the original on June 5, 2003. Retrieved November 13, 2015.
  3. "Email". Granite Island Group. February 12, 2003. Retrieved November 13, 2015.
  4. Wilson, Jim (March 1999). "Information Warfare". Popular Mechanics. Hearst Communications. Retrieved February 17, 2023.
  5. Adams, James (1998). The Next World War: Computers Are the Weapons and the Front Line Is Everywhere. New York: Simon & Schuster. ISBN 0-684-83452-9. OCLC 38976269.
  6. Hambling, David (May 2, 2000). "Pentagon's 'Kill Switch': Urban Myth?". Wired. ISSN 1059-1028. Retrieved February 17, 2023.
  7. U.S. News & World Report (February 4, 1992). Triumph Without Victory: The Unreported History of the Persian Gulf War (1st ed.). New York: Times Books. ISBN 0-8129-1948-3. OCLC 24503100.
  8. Lemos, Robert (December 1, 2010). "Attack of the Trojan printers". InfoWorld. Retrieved February 17, 2023.
  9. Moynihan, Michael (May 29, 2013). "You're Being Hacked". Newsweek. Retrieved February 17, 2023.