
New Removable Media gives Malware a Boost #2

Date: 11/17/2008
Author: Bogdan Botezatu

1997 also marked the beginning of a new age for malware writers.

Microsoft managed to implement the Windows Scripting Host technology in order to meet its customers' demand for a more flexible working environment, but at the same time, it opened new opportunities for applications relying on VBScript. Malware was no exception to the rule, and took full advantage of the new environment (This is the case with the LoveLetter internet worm, as we will discuss later).

The malware scene in 1998 evolved at a steady pace. However, the quality of the new types of malware had improved dramatically. The new threats were redesigned to make full use of the spreading capabilities offered by the Internet and IRC channels. The first malware threat to hit in 1998 was a new family of viruses called Win32.HLLP.DeTroi. They would infect Win32 executables, but at the same time they would also send critical information about the infected systems to their author. However, the virus relied on system libraries only available in the French distribution of Windows, which dramatically limited its infection potential on systems with a different localization.

Another macro virus, written for the Excel component of the Microsoft Office package, started infecting users' files in February. Known as Excel4Paix or Formula.Paix, it would install its code into tables by using a less common macro area of formulas. The Excel macro was almost immediately followed by a similar piece of malware that affected Access databases. Access IV was the first virus for Microsoft Access files, but it failed to trigger a security incident. Cross was another macro virus, but this time it was able to infect both Word and Access files. However, the most complete macro virus was to be known as Triplicate or Tristate - a piece of malware that could infect Word, Excel and PowerPoint documents.

May brought another virus, known as Red Team. Although it was clearly a virus, it could spread to other systems by attaching itself to e-mail messages sent using the Eudora mail client. Red Team infected Windows EXE files by remaining resident in memory: other EXE files were infected as they were executed.

The most important security incident of the year was triggered by the appearance of the Win95.CIH virus, also known as Chernobyl (one year later, the Taiwanese authorities identified its author as Chen Ing Hao, a student at the Taiwan Technical Institute. His initials were allegedly used to name the virus, but, because no local company pressed charges, the police could not arrest him). The virus caused a worldwide outbreak with thousands of infected computers in both home and corporate environments.

It is believed that the epidemic originated in Taiwan, where the malware author sent the first copy of the virus to a local electronic mailing list. However, the virus subsequently spread via game servers. The disaster caused by CIH exceeded by far any security threat seen up to that point. The virus could trigger multiple scenarios, depending on the infection date. Users could end up with an erased Flash BIOS chip, and many of them had to replace their motherboards. The antivirus industry was taken by surprise and had to rush the development of detection and disinfection tools in order to avoid a disaster.

Computer users did not even have the time to recover from the previous attack before the next wave of malware kicked in. August 1998 witnessed a controversial security threat known as BackOrifice (or Backdoor.BO). It is alleged that the backdoor was left open on purpose, as a secret utility allowing remote administrators to control miscellaneous machines across networks. Named after a legitimate piece of software produced by Microsoft (BackOffice Server), it was the creation of Sir Dystic, a member of the U.S. hacker organization CULT OF THE DEAD COW. He allegedly claimed that he had written this small and unobtrusive piece of software to demonstrate how insecure Windows 98 really was.

Although the Trojan could be legitimately used for remote administration, it was also used by malicious people with no respect for users' privacy. For instance, a computer infected with BackOrifice could be totally and stealthily controlled by a remote attacker. More than that, the server could be deployed as the payload of a Trojan horse.

The newly introduced Windows Scripting Host system implemented in Windows 98 gave malware authors a new playground for their illicit activities. The first VB script virus, known as VBS.Rabbit, did not cause too much damage, yet it was extremely annoying and offensive to the infected computer's user. Once the virus had successfully infected a computer, it started looking for additional .vbs files and prepended its code to each of them. Although the .vbs files could still be used after they had been infected, each opened file would trigger another infection. The payload kicked in on the second day of each month between nine and ten o'clock, when the virus searched for all files with .txt and .doc extensions and replaced their content with obscene ASCII drawings.

The HTML.Internal-Virus is also based on VBS, but only works when the user accesses infected pages using Internet Explorer. If the user landed on a website infected by the virus, the VBS code would inject text messages into any HTML document stored on the user's machine.

While Win32 and VBS viruses were already a common threat in 1989, the StrangeBrew virus was a different type of malware able to infect Java files. When executed locally, the virus would spread from one Java applet / application to another by searching for existing .class files, and then appending its code to the found files.

Another interesting feature of the StrangeBrew virus is its portability. Java is a cross-platform programming environment, which means that the virus could infect Linux, Windows or even PDA devices with the Java environment installed.

Microsoft's PowerPoint application was about to fall victim once again in December with the advent of a virus of unknown origin, named P97M.Vic.A. The series of threats continued with PP97M.Shaper.A and PP97M.Master.A, two different viruses that probably belong to the same author. P97M.Vic.A only infected the "User Form", which is attached to a command button. Each time the button was pressed, the virus would start infecting all PowerPoint documents saved in C:\My Documents. PowerPoint viruses forced antivirus companies to rethink their strategy: as VBA modules in PPT documents are stored in compressed format, the industry had to find a new algorithm to allow scanners to decompress them prior to searching them for viruses.

1999 brought quite a few new (and extremely dangerous) viruses and worms, built on top of the previous threats. The first security incident of the year was triggered by the Win95.Worm.Happy99.A virus (also known as Ska; the antimalware industry is still arguing whether Happy99 is a virus, a worm or a Trojan horse, because it combines all their features), which can be called the first modern Internet worm. In order to spread from one system to another, it used the MS Outlook mail client.

W97M.Melissa.A took the same approach as its predecessor (Win95.Worm.Happy99.A), but it caused much more panic and damage to users. It had both virus and worm capabilities, as it infected Word documents and then sent itself as an e-mail message to 50 addresses in the Outlook address book. Apart from its high infection rate, the increased e-mail traffic caused a large number of mail servers to crash. The virus spread not only among average computer users, but also affected large corporations, given the fact that Outlook had become the industry standard for sending messages. It appears that the original author of the Melissa virus was David L. Smith, a New Jersey computer programmer. When the police paid him a visit at his residence, he admitted everything (on December 9th, he was found guilty and sentenced to 10 years in prison. He also had to pay a fine of $400,000 - a high price for what was supposed to be an experiment).

Canadian software company Corel faced a new security risk as the CSC.CSV.A virus snuck its way into the corporate network. CSC.CSV.A was written in the Corel SCRIPT language and would infect Corel DRAW, Corel PHOTO-PAINT and Corel VENTURA files.

Backdoor Trojans made a comeback on the market, this time as commercial software. Netbus 2 Pro, a remote access server utility similar to BackOrifice, was released as a fully legitimate piece of software. Its author, Carl-Fredrik Neikter, asked antivirus vendors to prevent their products from reporting it, but they refused the "offer" and included a detection routine to prevent further abuse.

"Blacklisting" Netbus was the right decision, as it caused extensive damage to some users. For instance, in 1999, NetBus was used to plant child pornography on the work computer of Magnus Eriksson, a law professor at Lund University. When the system administrator discovered "his" collection of 3,500 pictures, Eriksson was fired. Moreover, because of the media scandal that discredited his name, he was forced to leave the country and seek professional medical care to cope with the stress. By the time the authorities found out that his computer had been used as a "secret stash" by a third party, the damage was beyond repair (he was acquitted of the criminal charges in late 2004).

In the meantime, the Cult of the Dead Cow updated the BackOrifice code in order to make the software compatible with the NT environment. The team demonstrated the new version at the DefCon conference in Las Vegas.

A new virus outbreak was triggered in summer by the dangerous Internet worm ZippedFiles (ExploreZip). Once installed on a system, the virus would start deleting files associated with popular applications. Although the worm failed to match Melissa in terms of infection rate, it is estimated that it caused seven times more damage, as it completely wiped out users' critical data. The quick response from antivirus vendors did not stop its expansion; ZippedFiles struck again in December and caused further damage to users. The comeback was possible mostly because its author changed the virus body in order to bypass the scanners: he packed the virus with the Neolite compression utility. As a result, antivirus manufacturers included a detection routine for any file packed with that utility.

Mixing virus and worm features in a single deadly cocktail had become the main trend in the malware industry. A new Internet worm, called Toadie (also known as Termite), started infecting both DOS and Win32 executables while sending copies of itself to other systems using the Pegasus e-mail client. Moreover, it also tried to send itself over IRC channels, but this approach did not quite pay off.

In early October, security researchers discovered the first virus affecting Windows NT platforms. Although WinNT.Infis.4608 was the first virus of its kind, it was extremely well coded and managed to integrate itself into the highest privilege level of the Windows NT OS. The virus acted as a Windows driver, which means that NT would automatically load it before the OS performed any security check. The virus carried no destructive payload, so the damage it inflicted was minimal.

Microsoft Project users were hit by another security threat in the form of a multiplatform virus that also infected MS Word documents. Called O97M.Corner.A, the new virus would set the Office 2000 security settings to low (the virus was unable to infect Word 2000 files unless it successfully changed the security level to "low"), disable the "Tools/Macros" menu and turn off the macro virus protection before infecting all the opened files.

A new script virus, called Freelinks, was spotted in the wild in October. At that time, it did not attract much attention, mostly because of its low infection potential, but it was to become notorious in the light of a serious security threat brought by the Win32.Loveletter worm.

Despite the fact that the year was about to end, malware authors still had a surprise up their sleeve. In November, a new generation of computer worm started wreaking havoc among computer users. Whereas Internet worms usually required the user to download and execute a specific attached file in order to infect the host, the new Win32.Vbs.Bubbleboy.A worm could penetrate a computer when an infected message was merely previewed or read. In order to infect the system, the worm relied on an Internet Explorer vulnerability. Microsoft issued a fix to address the issue extremely quickly, yet another such worm, known as Win32.Vbs.Kakworm, continued to exploit the same vulnerability for a few months.

The millennium finally ended with yet another disaster, triggered by the extremely dangerous Babylonia virus. The complex piece of malware originated in Brazil and was the creation of a prolific Trojan writer known as Vecna. Babylonia was the first computer virus able to update itself using a remote server. Basically, the virus would connect from time to time to a server located in Japan and look for a newer version of itself. If it found new modules, it would proceed with the download and update.
