MALWARE HISTORY

New Removable Media gives Malware a Boost #2

1997 also marked the beginning of a new age for malware writers.

Microsoft implemented the Windows Scripting Host technology to meet its customers'
demand for a more flexible working environment, but in doing so it also opened
new opportunities for applications relying on VBScript. Malware was no exception
and took full advantage of the new environment (as the LoveLetter Internet worm,
discussed later in this series, would show).

The malware scene in 1998 evolved at a steady pace, but the quality of the new
malware improved dramatically: the new threats were designed to make full use of
the spreading capabilities offered by the Internet and IRC channels. The first
threat to hit in 1998 was a new family of viruses called Win32.HLLP.DeTroi. They
infected Win32 executables, but also sent critical information about the infected
systems to their author. However, the virus relied on system libraries only present
in the French localization of Windows, which dramatically limited its spread on
systems with a different localization.

Another macro virus, this time for the Excel component of Microsoft Office, started
infecting users' files in February. Known as Excel4Paix or Formula.Paix, it placed
its code in worksheet cells as formula (Excel 4.0) macros, a less common macro
mechanism than VBA modules. The Excel macro virus was almost immediately followed by
a similar piece of malware targeting Access databases: Access IV was the first virus
for Microsoft Access files, but it never caused a notable security incident. Cross
was another macro virus, this time able to infect both Word and Access files. The
most versatile macro virus of the period, however, was Triplicate (also known as
Tristate), which could infect Word, Excel and PowerPoint documents.

May brought another virus, known as Red Team. Although it was a file infector, it
could also spread to other systems by attaching itself to e-mail messages sent with
the Eudora mail client. Red Team stayed resident in Windows memory and infected
Windows EXE files as they were executed.

The most important security incident of the year was triggered by the appearance of
the Win95.CIH virus, also known as Chernobyl. (One year later, the Taiwanese
authorities identified its author as Chen Ing Hao, a student at the Taiwan Technical
Institute. His initials were allegedly used to name the virus, but because no local
company pressed charges, the police could not arrest him.) The virus caused a
worldwide outbreak with thousands of infected computers in both home and corporate
environments.

The epidemic is believed to have originated in Taiwan, where the author sent the
first copy of the virus to a local mailing list; from there it spread further via
game servers. The damage caused by CIH exceeded by far that of any earlier threat.
Its payload depended on the date: on its trigger date it could wipe the Flash BIOS
chip, and many users had to replace their motherboards. The antivirus industry was
taken by surprise and had to rush out detection and disinfection tools to avert a
larger disaster.

Users had barely recovered from CIH when the next wave of malware arrived. August
1998 brought a controversial threat known as BackOrifice (or Backdoor.BO). It was
presented as a remote administration utility that lets an administrator control
machines across a network, but in practice it was a backdoor. Its name parodied a
legitimate Microsoft product (BackOffice Server), and it was the creation of Sir
Dystic, a member of the U.S. hacker group CULT OF THE DEAD COW, who claimed he had
written this small and unobtrusive program to demonstrate how insecure Windows 98
really was.

Although the Trojan could legitimately be used for remote administration, it was
also used by malicious people with no regard for users' privacy: a computer running
the BackOrifice server could be completely and stealthily controlled by a remote
attacker, and the server component could be delivered as the payload of a Trojan
horse.

The newly introduced Windows Scripting Host shipped with Windows 98 gave malware
authors a new playground for their illicit activities. The first VBScript virus,
known as VBS.Rabbit, did not cause much damage, but it was extremely annoying and
offensive to the infected user. Once it had infected a computer, it searched for
other .vbs files and prepended its code to each of them. Infected scripts still
worked, but every time one was run it triggered another round of infection. The
payload kicked in on the second day of each month between nine and ten o'clock,
when the virus searched for files with .txt and .doc extensions and replaced their
contents with obscene ASCII drawings.

HTML.Internal is another VBS-based virus, but it only worked when the user opened
infected pages with Internet Explorer. When the user landed on a website infected by
the virus, its VBS code injected text messages into any HTML document stored on the
user's machine.

While Win32 and VBS viruses were already common threats in 1998, the StrangeBrew
virus was a different type of malware, able to infect Java files. When executed
locally, the virus spread from one Java applet or application to another by
searching for existing .class files and appending its code to them.

Another interesting feature of StrangeBrew was its platform independence: Java is a
cross-platform environment, so the virus could in principle infect Linux, Windows or
even PDA devices with a Java runtime installed.

Microsoft's PowerPoint application fell victim once again in December with the
advent of a virus of unknown origin, named P97M.Vic.A. The series continued with
PP97M.Shaper.A and PP97M.Master.A, two different viruses that probably came from the
same author. P97M.Vic.A only infected the "User Form" attached to a command button;
each time the button was pressed, the virus infected all PowerPoint documents saved
in C:\My Documents. PowerPoint viruses forced antivirus companies to rethink their
strategy: because the VBA modules in PPT documents are stored in compressed form,
scanners had to implement the decompression algorithm in order to unpack the modules
before searching them for viruses.
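The compressed form in question is the "CompressedContainer" that Office 97 uses for every VBA module stream (documented in Microsoft's MS-OVBA specification); PowerPoint additionally wraps the whole VBA storage in a zlib-compressed stream, which is not covered here. The following decompressor is an added example written for this page, not the original article's code nor any antivirus vendor's routine. The byte strings it runs on are constructed by hand for the example: one chunk encoding the text "ABCABCABCABC" as three literal bytes plus one copy token, and one raw (uncompressed) chunk.

```python
# MS-OVBA CompressedContainer decompressor (added example, not the page's code).
# Layout: one signature byte 0x01, then chunks. Each chunk starts with a 2-byte
# little-endian header: bits 0-11 = chunk size minus 3, bits 12-14 = 0b011,
# bit 15 = 1 if the chunk is compressed. A compressed chunk is a sequence of
# token groups: one flag byte followed by up to 8 tokens; flag bit i clear means
# the token is one literal byte, set means a 2-byte copy token (offset, length).

CHUNK_SIGNATURE = 0b011
DECOMPRESSED_CHUNK_SIZE = 4096


def _bit_count(decompressed_in_chunk: int) -> int:
    """Number of offset bits in a copy token: ceil(log2(pos)), never below 4."""
    # (n - 1).bit_length() == ceil(log2(n)) for n >= 1, without floating point
    return max((decompressed_in_chunk - 1).bit_length(), 4)


def decompress_container(data: bytes) -> bytes:
    if not data or data[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != CHUNK_SIGNATURE:
            raise ValueError(f"bad chunk signature at offset {pos}")
        chunk_end = pos + (header & 0x0FFF) + 3      # header + data
        if chunk_end > len(data):
            raise ValueError("chunk runs past the end of the container")
        compressed = bool(header & 0x8000)
        pos += 2
        chunk_start = len(out)
        if not compressed:
            # Raw chunk: the data bytes are copied verbatim (4096 bytes in practice)
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end and len(out) - chunk_start < DECOMPRESSED_CHUNK_SIZE:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])            # literal token
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                history = len(out) - chunk_start     # bytes already produced in this chunk
                if history == 0:
                    raise ValueError("copy token with no history to copy from")
                bits = _bit_count(history)
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                if offset > history:
                    raise ValueError("copy offset reaches before the chunk start")
                src = len(out) - offset
                for i in range(length):               # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


# Constructed sample: header 0xB005 (compressed, size 8-3=5), flag byte 0x08
# (tokens 0-2 literal, token 3 copy), literals "ABC", copy token 0x2006
# (offset 3, length 9 with a 4-bit offset field) -> "ABCABCABCABC".
SAMPLE_CONTAINER = bytes.fromhex("01 05B0 08 41 42 43 06 20")

# Constructed raw chunk: header 0x3FFF (uncompressed, size 4098-3) + 4096 bytes.
SAMPLE_RAW_CONTAINER = b"\x01\xff\x3f" + b"X" * DECOMPRESSED_CHUNK_SIZE


def looks_like_vba_module(decompressed: bytes) -> bool:
    """Module streams written by Office start with 'Attribute VB_' lines."""
    return decompressed.startswith(b"Attribute VB_")


if __name__ == "__main__":
    print(decompress_container(SAMPLE_CONTAINER))          # b'ABCABCABCABC'
    print(len(decompress_container(SAMPLE_RAW_CONTAINER)))  # 4096
```

A scanner applies this to each module stream inside the VBA storage and then runs its signatures over the decompressed text; the copy-token bit width is the part implementers most often get wrong, because it changes as the chunk fills up.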

1999 brought quite a few new (and extremely dangerous) viruses and worms, built on
top of the previous threats. The first security incident of the year was triggered
by Win95.Worm.Happy99.A (also known as Ska; the antimalware industry still argues
whether Happy99 is a virus, a worm or a Trojan horse, because it combines features
of all three), which can be called the first modern Internet worm. To spread from
one system to another, it attached a copy of itself to the user's outgoing e-mail
messages, by patching the Winsock library rather than a particular mail client.

W97M.Melissa.A took the same approach as Happy99 but caused much more panic and
damage. It had both virus and worm capabilities: it infected Word documents, then
sent itself as an e-mail message to the first 50 addresses in the Outlook address
book. Apart from the high infection rate, the resulting e-mail traffic caused a
large number of mail servers to crash. The virus spread not only among home users
but also through large corporations, as Outlook had become the de facto standard
for corporate e-mail. The author of Melissa was David L. Smith, a New Jersey
computer programmer; when the police visited his residence, he admitted everything.
(On December 9th he was found guilty and sentenced to 10 years in prison, and also
had to pay a fine of $400,000, a high price for what was supposed to be an
experiment.)

The Canadian software company Corel faced a new security risk when the CSC.CSV.A
virus appeared. Written in the Corel SCRIPT language, it infected Corel DRAW, Corel
PHOTO-PAINT and Corel VENTURA files.

Backdoor Trojans made a comeback, this time as commercial software. NetBus 2 Pro, a
remote access utility similar to BackOrifice, was released as a fully legitimate
product. Its author, Carl-Fredrik Neikter, asked antivirus vendors to stop flagging
it, but they refused the "offer" and kept detecting it to prevent further abuse.

Blacklisting NetBus was the right decision, as the tool caused extensive damage to
some of its victims. In 1999, for instance, NetBus was used to plant child
pornography on the work computer of Magnus Eriksson, a law professor at Lund
University. When the system administrator discovered "his" collection of 3,500
pictures, Eriksson was fired. The ensuing media scandal discredited his name, forced
him to leave the country and drove him to seek medical care to cope with the
stress. By the time the authorities established that his machine had been used as a
"secret stash" by a third party, the damage was beyond repair. (He was acquitted of
the criminal charges in late 2004.)

In the meantime, the Cult of the Dead Cow updated the BackOrifice code to run on
Windows NT. The group demonstrated the new version, Back Orifice 2000, at the
DefCon conference in Las Vegas.

A new outbreak was triggered in summer by the dangerous Internet worm ZippedFiles
(ExploreZip). Once installed on a system, the worm destroyed data files associated
with popular applications. Although it never matched Melissa in terms of spread, it
is estimated to have caused seven times more damage, because it completely wiped
out users' critical data. The quick response from antivirus vendors did not stop its
expansion: ZippedFiles struck again in December and caused further damage. The
comeback was possible mainly because the author changed the virus body to evade
scanners, packing it with the Neolite compression utility. In response, antivirus
manufacturers added detection for any file packed with that utility.

Mixing virus and worm features in a single deadly cocktail had become the main
trend in the malware industry. A new Internet worm called Toadie (also known as
Termite) infected both DOS and Win32 executables while sending copies of itself to
other systems through the Pegasus e-mail client. It also tried to spread over IRC
channels, but that approach did not pay off.

In early October, security researchers discovered the first virus targeting the
Windows NT kernel. WinNT.Infis.4608 was not only the first of its kind but also
extremely well coded: it installed itself at the highest privilege level of Windows
NT, running as a kernel-mode driver that the system loaded automatically at boot,
before any user-level security checks could apply. The damage it inflicted was
minimal, since its payload was rather harmless.

Microsoft Project users were hit by another threat in the form of a
multi-application virus that also infected MS Word documents. Called O97M.Corner.A,
it set the Office 2000 security level to low (it could not infect Word 2000 files
unless it had first lowered the macro security level), disabled the Tools/Macros
menu and turned off macro virus protection before infecting every opened file.

A new script virus called Freelinks was spotted in the wild in October. At the time
it attracted little attention, mostly because of its low infection potential, but it
later became well known in the light of the serious threat posed by the LoveLetter
worm.

Although the year was drawing to a close, malware authors still had a surprise up
their sleeve. In November, a new generation of computer worm started spreading.
Whereas Internet worms usually required the user to download and execute an attached
file, the new Win32.Vbs.Bubbleboy.A worm could infect a computer as soon as an
infected message was previewed or read. To do so, it relied on a vulnerability in
Internet Explorer. Microsoft issued a fix extremely quickly, yet another worm,
Win32.Vbs.Kakworm, continued to exploit the same vulnerability for months.

The year ended with yet another disaster, triggered by the extremely dangerous
Babylonia virus. This complex piece of malware originated in Brazil and was the
creation of a prolific Trojan writer known as Vecna. Babylonia was the first
computer virus able to update itself from a remote server: from time to time it
connected to a server located in Japan and looked for a newer version of itself; if
it found new modules, it downloaded and installed them.


About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.