mjhjmtu

I'm not sure if this is the correct place to ask this question or Information Security, but here it goes.

Certain storage mediums can also be bootable, for example USB drives or CD/DVDs. These storage mediums can carry and potentially transfer malware and viruses to a target computer to be executed.

As sort of a followup to this question, were bootable discs, for example, bootable games, ever seen as a security risk for computers at that time? Or was the idea of a virus or malware being transferred when using bootable media implausible?

Bootable media were in fact the primary means of spreading certain kinds of viruses, but self-booting games on write-protected media were safe because no software company would distribute games with viruses on them, and if the viruses weren't on the disks when manufactured they were unlikely to get there later unless someone's drive had the write-protect mechanism bypassed.

The normal means via which a virus would get onto a bootable disk would be by piggy-backing onto some other attempt to access the disk from an already-booted (and infested) system (since attempting to access a floppy when there was no reason for such access would have been quite noticeable). Most self-booting disks would be inserted into the system before it was powered on or booted, and removed before booting into anything else, and thus weren't terribly likely to get infected.

That having been said, the real security risk was having systems attempt to boot removable media by default. At best, this needlessly increased startup time by a couple seconds. It also meant that if one started the machine with a non-bootable floppy one would have to eject it before one could boot the hard drive.
Overall, this approach was in pretty much every way inferior to booting from the removable media unless a key was pressed (and would have been even without security issues), but relatively few systems took the latter approach.

Absolutely. Boot sector viruses were very common, like the Michaelangelo virus, which infected both the boot sector on a floppy and the MBR on a hard drive. Fortunately, many install disks and bootable games were write-protected, but that was no guarantee that the disk wasn't infected: it's really easy to make a disk read-write again!

Yes, boot sector viruses were a very real threat. In fact, up until the mid-90s they were probably the most common type of viruses on home computers.

The earliest types only infected floppy disks. When a computer was booted off an infected floppy, the virus would copy itself into RAM and wait for the unsuspecting user to insert another, uninfected disk, at which point (unless the new disk happened to have the write protect tab engaged) it would copy itself onto the new disk, possibly marking it as bootable even if it wasn't already.

This was actually a pretty effective spreading method, at least for its time. Since a single floppy disk didn't really hold that much data, people were swapping floppies all the time to switch between programs or to access files saved on different disks. And since floppies were also quite prone to failure for any number of reasons, from exposure to heat or magnets to just general wear and tear, people quickly learned to always make backup copies of them. Which, of course, provided an excellent opportunity for a virus to infect the copy.

A major factor the contributed to the success of these viruses was, of course, software piracy. At the time, pirating software commonly meant sharing copied floppy disks with your friends, and if one person happened to have an infected computer, they could easily infect their entire school or workplace. And of course, even perfectly legal sharing of public-domain software (which was also common) could spread viruses just as well.

One feature that aided the spread of these viruses was the fact that some popular home computers at the time (including, notably, the Commodore Amiga) provided a mechanism for background code to survive a warm reboot. The feature was presumably meant to allow software patches to the OS kernel (which was stored in ROM, and thus not easy to update directly) to persist over a reboot, and its description was buried rather deep in the official documentation, but it was soon discovered and enthusiastically adopted by virus writers. In fact, the very first Amiga virus used this feature to infect the next disk an infected computer was booted from after a reboot.

Of course, the virus could not survive a cold boot. But even after this infection vector became widely known, few users would bother to always perform a proper cold boot, which involved physically switching the power supply off (and, if you really wanted to be sure, waiting half a minute or so to make sure the RAM really loses its content), when it was so much easier to just press a few keys (Ctrl and both Amiga keys for the Amiga) to trigger a warm boot.

Later on, as hard disks became more popular, many boot sector viruses acquired the ability to also infect them. For the viruses, the introduction of hard disks was both good and bad. On one hand, hard disks saved users from having to switch between floppies so much, reducing the opportunities for transmission, and booting from the hard disk made it harder for viruses to infect a computer in the first place.

On the other hand, many users would still occasionally boot from floppies e.g. to run specific software that required it, or they might simply forget that they had a floppy in the drive while rebooting (BIOSes at the time being commonly set up to boot from a floppy by default, if one was present). And once a virus did manage to infect the hard disk itself, it would then be loaded on almost every reboot, and thus had ample opportunities to infect new floppies (which people did, of course, still use e.g. for sharing files).

That factors that eventually (mostly) killed off boot sector viruses were threefold:

1. The increasing popularity of hard disks during the mid to late 90s meant that fewer and fewer people were using floppy disks for anything except file sharing and installing new software.


2. The introduction of CD-ROMs around the same time made floppies obsolete as install media. As CD-ROMs were (originally) read-only, unlike floppies, they could not be infected even if used on an infected system.


3. Finally, the popularization of home and office Internet access in the late 90s, and of USB flash drives a bit later, made floppies also obsolete as file sharing media. They also opened up a lot of new and more efficient pathways for viruses to spread, so that virus writers increasingly found the relatively slow (and increasingly ineffective, for the reasons mentioned above) boot sector route no longer worth using.

So, basically, boot sector viruses died out together with their main vector, the floppy disk. To some extent they were replaced by USB AutoRun viruses, which spread in similar ways, but even those could not truly compete in transmission efficiency with e-mail viruses, document-infecting macro viruses and their hybrids.

Of course, the old viruses never really disappeared, and I'm sure that plenty of people still have old infected floppies just sitting and gathering dust somewhere. But very few if any new boot sector viruses are being written any more, and modern antivirus software tends to easily detect any remaining "fossil" infections (if they haven't dropped those ancient signatures from their database, that is). Not to mention that, since custom boot sectors aren't commonly used any more, it's pretty easy for anti-virus software to heuristically detect that something funny is going on if they see a boot sector that doesn't match the few usual patterns.

were bootable discs, for example, bootable games, ever seen as a security risk for computers at that time?

Apparently they were in some cases. In fact it might be described as "this is how it all really started."

For example, the Atari ST had many games bootable. And some viruses. Another answer said

but self-booting games on write-protected media were safe because no software company would distribute games with viruses on them

that ignores the proven mal-practice of vendors, for example Sony BMG copy protection rootkit scandal or that sometimes even well meaning manufacturers might slip up.

On the ST things were even scarier. One factor might have been that probably most games played didn't come from a manufacturer, but through shadier channels. But even original disks were seen as a potential risk as evidenced here:

Virus Warning on game disk label
I recently acquired a small lot of ST disks. On the one's for Strider by U.S. Gold/Capcom there is printed "Virus Warning - power off computer before loading this software" I've tried looking up references to this both on here and all over the net but can not find the meaning of this admonition. Can anyone here explain exactly what that means?

Actually the disk, which is the first of two, is an original. The warning is printed on the part of the label that wraps around to the reverse side of the disk. It's only on the number 1 disk. The same space on the 2nd is blank.
[…]

Ah yes back then most virus would save themselves on the bootblock of disks and spread that way, then reload themselves into memory when you loaded the disk later. But some commercial software would have custom bootloaders and if the virus saved itself on it the game would not load. This was the case for Amiga and Atari ST disks.. That is what the warning is about.

Probably the most famous example of an original manufacturer delivering an infected floppy to its customers was the MacMag or Peace virus for Macintoshes from 1988.

If Macmag is run from the original dropper, NEWAPP.STK, or if a clean disk is placed in an infected system, it will drop an INIT resource named DR. If the disk is booted, the virus will become resident in the memory and infect any disks inserted into the system.

The virus replicates until 1988.03.02. If the infected computer is booted on that date, it displays the message: "RICHARD BRANDOW, publisher of MacMag, and its entire staff would like to take this opportunity to convey their UNIVERSAL MESSAGE OF PEACE to all Macintosh users around the world." After that, it deletes itself.

One outbreak of the virus began when the president of MacroMind Inc. (later merged with another company to form Macromedia), Marc Canter, received a copy of the Mr. Potato Head game infected with the virus while visiting Canada. He claimed he used the game disk only once, but still managed to get other disks he used infected. These disks included a training program that was sent to the Aldus corporation.

There, the virus infected disks of the program Aldus Freehand (now Macromedia Freehand) a popular vector graphics program. A large number of these disks were sold, causing a major outbreak of the virus. The disks had to be recalled.

Other clients of Marc Canter included Apple, Lotus, Microsoft and Ashton-Tate. The Apple and Lotus corporations could not be reached for comment at first, but later determined that none of their software was infected. The other company, Ashton-Tate declined to comment.

As these kind of infections are still not over, since is not restricted to only bootable floppies, one more example that seems almost beyond belief:

Stoned variant Angelina:

This virus has caused major embarrassments for several companies on two occasions. In 1995 October, Seagate 5850 (850MB) IDE hard drives which were factory-sealed were found to have the virus. Again in 2007 September, Medion laptops sold by the Aldi retail chain in Germany and Denmark were found to have been infected with the virus, which by then was over 13 years old. In addition to Windows Vista, the laptops came with Bullguard Antivirus preinstalled, which detected, but failed to remove the virus.

One of the biggest virus epidemics involving games was

Virus:​DOS/CIH
The CIH virus was first located in Taiwan in early June 1998. After that, it has been confirmed to be in the wild worldwide. It has been among the ten most common viruses for several months. CIH has been spreading very quickly as it has been distributed through pirated software.

History It seems that at least four underground pirate software groups got infected with the CIH virus during summer 1998. They inadvertently spread the virus globally in new pirated softwares they released through their own channels. These releases include some new games which will spread world-wide very quickly. There's also a persistent rumor about a 'PWA-cracked copy' of Windows 98 which would be infected by the CIH virus but F-Secure has been unable to confirm this.

Later on, CIH was distributed by accident from several commercial sources, such as:

Origin Systems website where a download related to the popular Wing Commander game was infected.

At least three European PC gaming magazines shipped magazines where the cover CD-ROM was infected - one of them even included a note inside advicing users to disinfect their machines after using the CD-ROM.

Yamaha shipped an infected version of a firmware update software for their CD-R400 drives.

A widely spread demo version of the Activision game SiN was infected as well - this infection did not originate from the vendor.

IBM shipped a batch of new Aptiva PCs with the CIH virus pre-installed during March 1999, just a month before the virus activates destructively

Payload
What makes the CIH case really serious is that the virus activates destructively. When it happens the virus overwrites most of the data on the computers hard drive. This can be recovered with recent backups.

However, the virus has another, unique activation routine: It will try to overwrite the Flash BIOS chip of the machine. If this succeeds, the machine will be unable to boot at all unless the chip is reprogammed. The Flash routine will work on many types of Pentium machines - for example, on machines based on the Intel 430TX chipset. On most machines, the Flash BIOS can be protected with a jumper. By default, protection is usually off.

Back to the original question:

Elk Cloner is one of the first known microcomputer viruses that spread "in the wild", i.e., outside the computer system or laboratory in which it was written. It attached itself to the Apple II operating system and spread by floppy disk. It was written around 1982 by programmer and entrepreneur Rich Skrenta as a 15-year-old high school student, originally as a joke, and put onto a game disk.

From which I conclude that sometime after 1982 booting games must have been a security concern for anyone interested. Several outlets reported this widely over the years. In 1988 even the mainstream Time magazine ran a piece about the Brain virus ran a piece about it.

I'm not sure if this is the correct place to ask this question or Information Security, but here it goes.

If I understand your answer correctly, you are asking about the situation in MS-DOS times. You are not asking about the situation today.

And as far as I understand correctly the "Information Security" Stack Exchange site is only intended for questions about the current situation.

The answer however depends on the time you are referring to:

• 
  Today:
  
  Bootable games would be a very high security risk.


• 
  MS-DOS times:
  
  Bootable games maybe even were a lower security risk than other games.

Why?

Running (new) software on a computer always means a security risk: Any kind of software might be infected with viruses or other kind of malware.

So the question is not:

Are bootable discs a security risk?

But the actual question is:

Which is the higher security risk?

• Bootable discs or


• software not coming as bootable disc (e.g. coming as ".EXE" file)?

Modern operating systems (such as Linux or modern Windows versions) have a lot of security mechanisms. By booting software from a floppy disk you bypass these security mechanisms so today running bootable software would be a very high security risk.

The hardware of early PCs however did not even allow writing an OS that has such security mechanisms. Therefore MS-DOS could not have such security mechanisms. This is also true for early versions of MS Windows.

This means that a malware-infected game that you started by double-clicking an ".EXE" file could do the same damage to your computer a malware-infected bootable game could do to your computer. (Including writing a boot sector virus to your hard disk!)

(As far as I know this was still the case under Windows ME in September 2000!)

So booting a bootable game from a floppy disk was not a higher risk than running a game that came as ".EXE" file under MS-DOS.

And you could even represent the position that bootable games were a lower security risk than games coming as ".EXE" files in MS-DOS times:

A bootable game could not access resources that required device drivers to be loaded - such as network drives or special disk drives. A game that came as ".EXE" file could access these drives.