
New Removable Media gives Malware a Boost #1

Date: 11/17/2008
Author: Bogdan Botezatu

Most of the security issues of 1994 were triggered by the growing popularity of removable media, especially the increasingly affordable CD-ROM. Such storage devices acted as infection vectors, as users burnt not only important data but also infected files onto them.

A few CD producers unwittingly distributed already-infected products, and the situation was complicated further by the fact that a read-only disc cannot be disinfected.

A new outbreak of polymorphic viruses occurred in the United Kingdom. SMEG.Pathogen and SMEG.Queeg, two much-publicised viruses, had been uploaded to several BBSs by their creator, Christopher Pile, also known as Black Baron (Scotland Yard arrested him shortly after the incident). Although their malicious potential was limited, media coverage fuelled panic among computer users.

Hoaxes also gained popularity; the best-known example is the GoodTimes hoax, which claimed that a virus spreading over the Internet could infect a computer simply by having an e-mail message received. The hoax was followed by a real DOS virus containing the text "Good Times", which also caused panic but was negligible compared to the threats that followed.

In June, a complex and dangerous polymorphic virus called One-Half caused a new epidemic. The DOS-based virus came with a peculiar payload: it encrypted a growing part of the hard disk, starting from its last cylinders, and while resident it decrypted the affected sectors on the fly whenever the user accessed the files stored there, so nothing looked wrong. If the virus is simply deleted during disinfection, the on-the-fly decryption disappears with it and the encrypted data cannot be recovered unless the disinfector has decrypted it first. Once half of the drive has been encrypted, the virus displays the following text:

Dis is one half.

Press any key to continue ...

The One-Half virus may be more than a decade old, but it is still active and continues to infect unprotected systems around the world.
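The disinfection pitfall described above, as an added example that is not part of the original article: a toy disk whose last cylinders are encrypted two at a time on every boot, with a resident read hook that decrypts them transparently. The cylinder count, cylinder size, pace of encryption and the 16-bit XOR cipher are assumptions chosen for illustration, not the real virus' algorithm; what the model shows is that removing the hook without first decrypting with the key held in the virus body leaves the encrypted cylinders unreadable, while a disinfector that decrypts before removal recovers everything.

```python
"""Toy model of a One-Half-style disk encryptor (added example, not the
article's own code). Cylinder count, cylinder size, the two-cylinders-per-boot
pace and the 16-bit XOR cipher are assumptions chosen for illustration, not
the real virus' algorithm."""

CYLINDERS = 16   # assumed toy disk geometry: 16 cylinders ...
CYL_SIZE = 64    # ... of 64 bytes each
PER_BOOT = 2     # assumed pace: two more cylinders encrypted at every boot


def sample_cylinder(idx):
    """Constructed sample content: cylinder idx is filled with one letter."""
    return bytes([ord("A") + idx]) * CYL_SIZE


def xor_bytes(data, key):
    """Symmetric 16-bit XOR; the same call encrypts and decrypts."""
    k = key.to_bytes(2, "little")
    return bytes(b ^ k[i % 2] for i, b in enumerate(data))


class ToyDisk:
    def __init__(self):
        self.cyl = [sample_cylinder(i) for i in range(CYLINDERS)]


class OneHalfLike:
    """The infection: a key, a count of cylinders encrypted so far (counted
    from the end of the disk) and a resident read hook."""

    def __init__(self, disk, key=0x5A3C):
        self.disk = disk
        self.key = key
        self.encrypted = 0

    def boot(self):
        """Encrypts PER_BOOT further cylinders, walking inwards from the last
        one. Returns the virus message once half of the disk is encrypted."""
        for _ in range(PER_BOOT):
            if self.encrypted >= CYLINDERS // 2:
                return "Dis is one half."
            idx = CYLINDERS - 1 - self.encrypted
            self.disk.cyl[idx] = xor_bytes(self.disk.cyl[idx], self.key)
            self.encrypted += 1
        return None

    def is_encrypted(self, idx):
        return idx >= CYLINDERS - self.encrypted

    def read(self, idx):
        """The resident hook: reads from the encrypted region come back in clear."""
        data = self.disk.cyl[idx]
        return xor_bytes(data, self.key) if self.is_encrypted(idx) else data


def naive_disinfect(virus):
    """Removes the virus (and with it the read hook) but leaves the ciphertext."""
    return virus.disk


def correct_disinfect(virus):
    """Decrypts the affected cylinders with the key recovered from the virus
    body before removing it."""
    for idx in range(CYLINDERS - virus.encrypted, CYLINDERS):
        virus.disk.cyl[idx] = xor_bytes(virus.disk.cyl[idx], virus.key)
    virus.encrypted = 0
    return virus.disk


def readable_cylinders(disk):
    """Number of cylinders whose content still matches the constructed sample."""
    return sum(1 for i, c in enumerate(disk.cyl) if c == sample_cylinder(i))


def boots_until_message():
    """How many boots the toy virus needs before it announces 'one half'."""
    virus = OneHalfLike(ToyDisk())
    for n in range(1, CYLINDERS + 1):
        if virus.boot() is not None:
            return n
    return None


def run_demo(boots=3, naive=True):
    """Infects a fresh disk, boots it `boots` times, checks that every read is
    still in clear while the virus is resident, then disinfects one way or
    the other and reports how many cylinders remain readable."""
    virus = OneHalfLike(ToyDisk())
    for _ in range(boots):
        virus.boot()
    assert all(virus.read(i) == sample_cylinder(i) for i in range(CYLINDERS))
    disk = naive_disinfect(virus) if naive else correct_disinfect(virus)
    return readable_cylinders(disk)


if __name__ == "__main__":
    print("naive disinfection after 3 boots  :", run_demo(3, naive=True), "of", CYLINDERS, "cylinders readable")
    print("correct disinfection after 3 boots:", run_demo(3, naive=False), "of", CYLINDERS, "cylinders readable")
    print("boots until the 'one half' message:", boots_until_message())
```

While the toy virus is resident every read returns the original data, which is exactly why the encryption went unnoticed; the difference only shows once the hook is gone.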

Another significant battle was fought against a Russian virus called Zaraza. Its name is a transliteration of the Russian 3APA3A ("infection"). The virus took the antivirus world by surprise thanks to a new concealment technique: it replaces IO.SYS with its own routine, gaining control early in the boot process and evading detection. Zaraza delivers its payload in August, when it displays the following message:

B BOOT CEKTOPE - 3APA3A

( " There is an infection in the boot sector ")

 

1995 was much calmer than the previous years on the security scene. While MS-DOS viruses kept increasing in both number and infection potential, no major outbreak was reported. A number of complex DOS viruses such as Nightfall, Nostradamus and Nutcracker surfaced on various BBSs, as did the RMNS virus and the Winstart .BAT infector. ByWay and DieHard2, two new types of malware, found their way onto a few systems but failed to cause an epidemic.

Believe it or not, Microsoft managed to succeed where most malware authors had failed. Its new operating system, Windows 95, was shipped to beta-testers worldwide on floppy disks. Probably excited by the new computing environment at their fingertips, the testers ignored the most elementary data-security rules and proceeded with the installation. The floppies Microsoft had shipped turned out to be virus-infected, and testing had to be postponed until the company came up with clean disks.

A couple of months later, the Microsoft Word word processor was hit by a new type of virus, called Concept. The macro virus infected Word documents and spread across the globe in less than a month. WM/Concept was the first virus written specifically for Microsoft Word, and the first such virus discovered in the wild.

As its name suggests, the virus was a proof of concept only and carried no harmful payload; instead, the text embedded in the virus read "That's enough to prove my point". Despite its low security risk, Concept became one of the most common viruses on the planet.

 

One month later, Digital Equipment Corporation (DEC), a top-tier computer manufacturer, accidentally distributed copies of the Concept virus to attendees of a DECUS conference in Dublin. The damage was minimal, as the infection was quickly detected. Macro viruses nevertheless set the antivirus industry on fire, as no existing technology was capable of detecting and disinfecting the new threats.

Another incident was triggered by Computer Life, a Ziff-Davis publication that sent its subscribers diskettes containing a Christmas greeting. All the shipped disks were infected with the Parity Boot virus, and many subscribers were affected. This was not the only incident involving a Ziff-Davis publication: the English edition of PC Magazine also delivered diskettes infected with the Sampo virus. The risk was discovered later, and the company apologised for the inconvenience and, to keep its readers safe, offered a free antivirus utility.

Cyber-criminals continued to receive visits from Scotland Yard. Christopher Pile, author of the SMEG.Pathogen and SMEG.Queeg polymorphic viruses, was arrested for writing and distributing viruses, and later that year he was sentenced to 18 months in prison.

In 1996, Microsoft's new operating system, Windows 95, started to gain significant ground among computer users. As expected, more and more malware writers shifted their focus to the new environment, but the older Windows 3.x systems were not spared.

Two new viruses started to decimate computers worldwide in early 1996. The first to hit was Borza, followed immediately by Zhengxi, a polymorphic virus written by Denis Petrov, a Russian programmer from Saint Petersburg. Borza originated in Australia and was apparently written by Quantum, a member of the VLAD virus-writing group. Each time an infected program started, it searched for up to three executable files not yet infected and appended its code to them. Borza was a low-risk virus: its only payload was a message about its creators, displayed on the 31st of each month.

Early in March, the Win.Tentacle virus hit Windows 3.x systems and caused the first virus epidemic on that operating system. Tentacle infected a hospital computer network as well as other organisations in France, and it was also the first Windows virus detected in the wild.

Another interesting piece of malware was the Esperanto virus, a multi-platform infector able to adjust its code to the operating system it found, infecting both Windows and Macintosh systems. Its creator appears to have been the notorious Spanish 29A virus-writing group, which also produced the WM.CAP macro virus.

As expected, malware authors built on the Word macro virus idea and quickly came up with a piece of malware able to infect Excel files. Called Laroux, it was first spotted in July at two oil-drilling companies, in Alaska and South Africa respectively. Its author took advantage of the Visual Basic for Applications language embedded in Excel. Laroux triggered a new epidemic in Moscow in April 1997.

Summer ended with the advent of two new construction kits for macro viruses targeting the English and German versions of MS Word. Called the Word Macro Virus Construction Kit and the Macro Virus Development Kit respectively, they were attributed to two virus writers known as Nightmare Joker and Wild Worker.

Later in 1996, Microsoft's website was reported to be serving Wazzu-infected Word files containing support instructions for Microsoft products in Switzerland. The same macro virus also infected Microsoft Solution Provider compact discs, as well as other CD-ROM media the company distributed at the Orbit computer technology exhibition in Brazil.

The year ended with a massive outbreak triggered by the world's first memory-resident Windows 95 virus. It loaded into the system as a VxD driver and intercepted file calls in order to infect the files being accessed.

Linux users were still unaffected by malware, although the first Linux virus (Staog) had been developed under laboratory conditions for research purposes only. It never left that environment, and there were never any reports of it in the wild.

The advent of Microsoft's new operating system marked the beginning of a new wave of attacks with both Windows 95/NT viruses and macro viruses. Over the year, malware authors expanded their portfolio with more than a hundred macro viruses and dozens of viruses for Windows 95/NT. Since the main targets were now 32-bit environments, the antivirus industry quickly geared up to deliver appropriate protection (Cheyenne Software developed InocuLAN, an antivirus utility that was eventually bought by Computer Associates).

1997 debuted with the world's first Linux virus spotted in the wild. The Bliss virus affects only Linux-based systems and is the second known virus for the platform. It infects only ELF executables, and although it carries a malicious payload, it is unclear whether that payload is ever executed. It also has some basic worm-like features, looking for new hosts to infect via the /etc/hosts.equiv file.

Bliss also searches for programs the current process has write permission to and overwrites them with its own code, which means the original content of an infected file is destroyed outright.

One month later, the ShareFun macro virus for MS Word 6/7 triggered a new wave of worries among computer users. ShareFun was the first piece of malware to spread via e-mail messages, particularly when the infected computer used MS Mail.

The Homer virus arrived in April 1997 and marked another milestone in the development of malware: it propagated from one system to another over the FTP protocol.

Self-encrypting viruses made a comeback in June, this time designed specifically for Windows 95. The first of them was Win95.Mad, which seems to have originated in Russia; it triggered a major outbreak and was found on almost every BBS.

Malware found a new channel to spread at will with the popularity of mIRC, a Windows client for Internet Relay Chat. The first mIRC worm emerged in December, a fundamentally new type of malware that exploited a weakness in the way the client handled received files: files downloaded through IRC were stored in the same directory that held the script.ini command file, so a malicious script.ini sent to a user silently replaced the user's own script, and the infected script then went on to send itself to other remote users.

The hole was quickly patched, and many of the early IRC worms disappeared from the scene. More advanced worms actively searched for the script.ini file in order to infect it.
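The flaw and the propagation trick described in the two paragraphs above, modelled as an added Python example that is not part of the original article: one function reproduces the 1997 save behaviour (a received file lands in the script directory under the name the sender chose), a hardened counterpart saves into a dedicated directory and refuses to overwrite script.ini, and a small scanner flags lines in a constructed script.ini that DCC-send the script to anyone joining a channel. The directory names and the sample script are assumptions; the scanner relies on mIRC's `on <level>:JOIN:<channel>:<command>` event syntax and its `[script]` / `n0=` file layout.

```python
"""Model of the 1997 mIRC script.ini propagation flaw (added example, not the
article's code). Paths, the download directory name and the sample script are
constructed for illustration; the only real-world assumption is mIRC's
'on <level>:JOIN:<channel>:<command>' event syntax and its '[script]' / 'n0='
file layout."""
import ntpath
import re

SCRIPT_DIR = r"C:\MIRC"                                  # assumed client directory
SCRIPT_FILE = ntpath.join(SCRIPT_DIR, "script.ini")     # the client's command file
DOWNLOAD_DIR = ntpath.join(SCRIPT_DIR, "download")      # assumed dedicated download directory

# constructed sample: a script.ini that sends itself to everyone who joins a
# channel, next to a harmless auto-reply line
SAMPLE_SCRIPT_INI = """[script]
n0=; constructed sample modelled on the 1997 self-sending script
n1=on 1:JOIN:#:{ /dcc send $nick script.ini }
n2=on 1:TEXT:hello*:#:/msg $nick hi there
"""


def save_path_1997(filename):
    """The flawed behaviour: a received file is saved, under the name the
    sender chose, into the directory that also holds script.ini."""
    return ntpath.join(SCRIPT_DIR, filename)


def save_path_hardened(filename, download_dir=DOWNLOAD_DIR):
    """Keep received files out of the script directory, drop any directory
    component the sender supplied, and never clobber the client's script."""
    name = ntpath.basename(filename.replace("/", "\\"))
    if name in ("", ".", ".."):
        raise ValueError("invalid file name from sender: %r" % filename)
    dest = ntpath.join(download_dir, name)
    if ntpath.normcase(dest) == ntpath.normcase(SCRIPT_FILE):
        raise PermissionError("refusing to overwrite the client's script file")
    return dest


def overwrites_script(path):
    """True if saving at `path` would replace the client's script.ini."""
    return ntpath.normcase(path) == ntpath.normcase(SCRIPT_FILE)


# an event handler that reacts to JOIN by DCC-sending script.ini to the joiner
AUTO_SEND = re.compile(
    r"\bon\s+\S*:\s*join\s*:.*\bdcc\s+send\s+\$nick\b.*script\.ini", re.IGNORECASE)


def scan_script_ini(text):
    """Returns the script lines that auto-send script.ini to joining users."""
    hits = []
    for line in text.splitlines():
        body = line.split("=", 1)[1] if re.match(r"^n\d+=", line) else line
        if AUTO_SEND.search(body):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    path = save_path_1997("script.ini")
    print("1997 client saves to", path, "-> overwrites script:", overwrites_script(path))
    print("hardened client saves to", save_path_hardened("..\\script.ini"))
    for hit in scan_script_ini(SAMPLE_SCRIPT_INI):
        print("suspicious:", hit)
```

The hardened path resolution is the structural fix (the download location is simply no longer the script location), while the scanner covers the later worms that wrote into an existing script.ini rather than relying on the directory overlap.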

 
