AIDS (trojan horse)
AIDS, also known as Aids Info Disk or PC Cyborg Trojan, is a trojan horse that replaces the AUTOEXEC.BAT file, which would then be used by AIDS to count the number of times the computer has booted. Once this boot count reaches 90, AIDS hides directories and encrypts the names of all files on drive C: (rendering the system unusable), at which time the user is asked to 'renew the license' and contact PC Cyborg Corporation for payment (which would involve sending US$189 to a post office box in Panama). There exists more than one version of AIDS, and at least one version does not wait to munge drive C:, but will hide directories and encrypt file names upon the first boot after AIDS is installed. The AIDS software also presented to the user an end user license agreement, some of which read:
If you install [this] on a microcomputer...
then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing these programs...
In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal action necessary to recover any outstanding debts payable to PC Cyborg Corporation and to use program mechanisms to ensure termination of your use...
These program mechanisms will adversely affect other program applications...
You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life...
and your [PC] will stop functioning normally...
You are strictly prohibited from sharing [this product] with others...

History

AIDS was introduced into systems through a disk called the "AIDS Information Introductory Diskette", which had been mailed to a mailing list to which the AIDS author, Dr. Joseph Popp, subscribed.

Popp was eventually identified by the British anti-virus industry and named on a New Scotland Yard arrest warrant. He was detained in Brixton Prison. Though charged with eleven counts of blackmail and clearly tied to the AIDS trojan, Popp defended himself by saying money going to the PC Cyborg Corporation was to go to AIDS research. A Harvard-trained anthropologist, Popp was actually a collaborator of the Flying Doctors, a branch of the African Medical Research Foundation (AMREF), and a consultant for the WHO in Kenya, where he had organized a conference in the new Global AIDS Program that very year [MG92]. Popp had been behaving erratically since the day of his arrest during a routine baggage inspection at Amsterdam Schiphol Airport. He was declared mentally unfit to stand trial and was returned to the United States [Ta99].

Jim Bates analyzed the AIDS Trojan in detail and published his findings in the Virus Bulletin [Ba90a,Ba90b]. He wrote that the AIDS Trojan did not alter the contents of any of the user's files, just their file names. He explained that once the extension and filename encryption tables are known, restoration is possible. AIDSOUT was a reliable removal program for the Trojan and the CLEARAID program recovered encrypted plaintext after the Trojan triggered. CLEARAID automatically reversed the encryption without having to contact the extortionist.
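The table-based restoration Bates describes can be sketched as follows. This is an added example, not CLEARAID or code from the trojan; it assumes a per-character substitution table for names and a whole-extension lookup table, and both tables, the known file pair and the directory listing are constructed for illustration.

```python
import string

# Constructed stand-in tables; the trojan's real tables are not reproduced here.
ALPHABET = string.ascii_uppercase + string.digits
NAME_TABLE = {c: ALPHABET[(i + 7) % len(ALPHABET)] for i, c in enumerate(ALPHABET)}
EXT_TABLE = {"COM": "AK", "EXE": "AU", "BAT": "AG", "TXT": "BQ"}

# Constructed samples: one file whose original name is known, and a listing
# as it might look after the names were encrypted.
KNOWN = [("COMMAND.COM", "JVTTHUK.AK")]
LISTING = ["H10VL4LJ.AG", "YLWVY0.BQ", "UV0LZ.ZZ"]


def invert(table):
    """Invert a table; a table that is not one-to-one cannot be undone safely."""
    inverse = {}
    for plain, cipher in table.items():
        if cipher in inverse:
            raise ValueError(f"ambiguous table entry for {cipher!r}")
        inverse[cipher] = plain
    return inverse


def restore(encrypted, name_inv, ext_inv):
    """Return (restored_name, complete); complete is False if a lookup missed."""
    stem, dot, ext = encrypted.partition(".")
    misses = [ch for ch in stem if ch not in name_inv]
    plain_stem = "".join(name_inv.get(ch, ch) for ch in stem)
    if ext and ext not in ext_inv:
        misses.append(ext)  # unknown extension: keep it, flag for manual review
    return plain_stem + dot + ext_inv.get(ext, ext), not misses


def check_tables(known_pairs, name_inv, ext_inv):
    """Confirm the tables reproduce names whose originals are already known."""
    return all(restore(enc, name_inv, ext_inv) == (orig, True)
               for orig, enc in known_pairs)


def restore_listing(listing, known_pairs):
    """Map each encrypted name to (restored_name, complete), or refuse to run."""
    name_inv, ext_inv = invert(NAME_TABLE), invert(EXT_TABLE)
    if not check_tables(known_pairs, name_inv, ext_inv):
        raise ValueError("tables do not match the known files; do not rename")
    return {enc: restore(enc, name_inv, ext_inv) for enc in listing}
```

Checking the tables against a file whose original name is already known before renaming anything guards against applying tables from a different version of the trojan.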

The AIDS Trojan was analyzed even further a few years later. Young and Yung pointed out the fatal weakness in malware such as the AIDS Trojan, namely, the reliance on symmetric cryptography. They showed how to use public key cryptography to implement a secure information extortion attack. They published this discovery (and expanded upon it) in a 1996 IEEE Security and Privacy paper [YY96]. A cryptovirus, cryptotrojan, or cryptoworm hybrid encrypts the victim's files using the public key of the author and the victim must pay (with money, information, etc.) to obtain the needed session key. This is one of many attacks, both overt and covert, in the field known as cryptovirology.

Books

  1. [Ba90a] J. Bates, "Trojan Horse: AIDS Information Introductory Diskette Version 2.0," In: Wilding E, Skulason F (eds) Virus Bulletin. Virus Bulletin Ltd., Oxon, England, Jan., pages 3-6, 1990.
  2. [Ba90b] J. Bates, "High Level-Programs & the AIDS Trojan," In: Wilding E, Skulason F (eds) Virus Bulletin. Virus Bulletin Ltd., Oxon, England, Feb., pages 8-10, 1990.
  3. [MG92] P. Mungo & B. Clough, Approaching Zero: The Extraordinary Underworld of Hackers, Phreakers, Virus Writers, and Keyboard Criminals. New York, NY, Random House, 1992.
  4. [Ta99] P. A. Taylor, Hackers: Crime in the Digital Sublime, London, Routledge, 1999.
  5. [YY96] A. Young, M. Yung, "Cryptovirology: Extortion-Based Security Threats and Countermeasures," In: McHugh J, Dinolt G (eds) Symposium on Security & Privacy. IEEE Computer Society Press, Washington DC, pages 129-141, 1996.

External links

  1. An early analysis of the trojan
  2. THE COMPUTER INCIDENT ADVISORY CAPABILITY, by CIAC, on AIDS infection and distribution
  3. The Original Anti-Piracy Hack, by George Smith, on the interesting AIDS EULA
  4. Computer Viruses (A), by Probert Encyclopedia
  5. AIDS Information Trojan, by CA
  6. Aids Trojan, by CA
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.