MALWARE HISTORY

The Modern Ages: Y2K and the Digital Apocalypse

During the last days of 1999, rumors about a massive worldwide attack from underground malware communities started spreading on miscellaneous BBS systems.

Some “experts” even claimed that the new millennium would bring hundreds of thousands of new viruses to infect all the systems on Earth at once, thus triggering a digital apocalypse. Antivirus manufacturers rushed to assure computer users that there was no reason to fear a massive viral attack.

As the new year arrived, the apocalyptic forecasts proved false: it is true that the new year brought fresh security threats, but malware evolved at a steady pace, just as in any other year. It is alleged that the Y2K virus hysteria started as a misguided description of the Y2K problem itself. It was true that the global IT community was waiting to see how computers would react when the system clock turned to 1/1/00, but announcing devastating viral infections was a long shot.

The much-hyped Y2K viruses even included viruses that had been developed in the mid-90s. Not only were they old, but none of them was Y2K-compliant. Worldwide media outlets embraced the idea of a digital apocalypse, but journalists are not the only ones to blame. For instance, FBI NIPC director Michael Vatis and CIA analyst Terrill Maynard almost triggered an international incident when they claimed that hackers, spies, and the mafia had inserted malicious code into U.S. corporate software while they were supposed to be “fixing” Y2K software glitches. They specifically accused India and Ireland of staging the attack on US-based computers, but they later admitted that they had relied on suppositions rather than on facts.

Microsoft’s new operating system, Windows 2000, had been marketed as one of the most secure and impenetrable environments ever built by the company. While this was true to a certain extent, the underground malware group 29A (the Spanish team that had previously designed the Esperanto virus and the WM.CAP worm) came to prove the contrary with Inta. Although Inta actually appeared long before Microsoft got the chance to introduce the new operating system, it was the first virus spotted in the wild that was able to infect Windows 2000 files packaged with the Windows Installer.

Two new computer viruses, called VBS.Unstable.A and Visio.Radiant.A, followed shortly after Inta. The new pieces of malware targeted users of Visio, an extremely popular and efficient application that allowed users to create eye-candy diagrams and flow-charts for business use. Rumor has it that Microsoft itself was behind the VBS.Unstable.A and Visio.Radiant.A epidemic, as shortly thereafter it purchased Visio Corporation along with all its intellectual assets.

In mid-February, multiple computer networks had to face their worst nightmare: one of the biggest denial-of-service attacks to date. It all started with a Canadian computer user nicknamed MafiaBoy, who launched a distributed denial-of-service (DDoS) attack against a couple of top-tier websites such as Amazon, CNN and Yahoo! (A DDoS attack sends false requests for service from multiple locations so frequently that the attacked websites are overloaded and unable to answer legitimate traffic requests.) As a result, Yahoo was taken offline for about 8 hours and lost several million dollars. In order to carry his plans to completion, the teenager used a network of compromised computers and coordinated a massive Ping-of-Death attack. This type of attack marked the beginning of the DDoS era and took the entire world by surprise; today’s networking technology includes built-in protection against Ping-of-Death threats, so such incidents are no longer possible. MafiaBoy was taken into custody and was sentenced to eight months’ detention by a Canadian judge in Quebec. He also had to pay a fine of only $650.

Another macro virus, called WM97M/Proverb.A, appeared in April. It seems to have originated in Russia, and its first target might have been the office of the British prime minister himself. The WM97M/Proverb.A virus was rather harmless, and was probably designed either as a hoax or for mere entertainment. The virus body contained a piece of code that checked the version number of the Word processor. If the check returned eight, the virus would fire up the Office Assistant and display random messages, including animations and headings. If the returned value was different from eight, it would show a message box containing a Russian proverb.

All hell broke loose on May the 5th. The new Win32.Loveletter (a.k.a. The Love Bug) script virus with worm functionality was about to set a world record in the history of malware. The virus exploited natural human traits such as curiosity and a sense of adventure, and managed to catch users by surprise. More than that, in spite of all the efforts carried out by the antivirus industry to educate users about the malicious potential of VBS and txt files, many of them fell for the trick.

The VBS-based virus distributed itself to every contact in the Outlook address book as well as to users of the popular mIRC service. It came disguised as an anonymous love letter (hence its name) and advised the human operator to run the attached .VBS file for further details about the sender. Once installed on the system, it started replacing files with certain extensions (vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2) with copies of itself. The infection was carried out not only on local hard disks but also on all drives mapped to the compromised computer, such as network drives.
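The overwrite behaviour described above leaves a distinctive trace: many files that still carry their original extensions (.jpg, .mp3, .vbs, .css and so on) but now hold one and the same script body. The script below is an added example written for this page, not code from the article or from Bitdefender; it walks a directory tree, hashes every file whose extension is in the article’s list, and flags content that is shared by several files spanning more than one extension, noting whether that shared content is plain text (a script) rather than binary media. The `build_sample_tree` helper, the file names and the placeholder script body are constructed for the demonstration.

```python
"""
Added example (not from the original article): detect the mass-overwrite
pattern where one script body replaces many files that keep their original
extension. Heuristic: files with different extensions that share identical
content are suspicious, and more so when that content is plain text rather
than binary media. All paths and contents below are constructed.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions the article lists as targets of the overwrite payload.
TARGET_EXTENSIONS = {"vbs", "vbe", "js", "jse", "css", "wsh", "sct", "hta",
                     "jpg", "jpeg", "mp3", "mp2"}


def _sha256(path, chunk=65536):
    """Stream a file through SHA-256 and return its hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def _looks_like_text(path, sample=512):
    """True if the first bytes contain no NUL and no high bytes, which is
    what a script body looks like and what a JPEG or MP3 does not."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    return bool(head) and b"\x00" not in head and all(b < 0x80 for b in head)


def find_mass_overwrites(root, extensions=TARGET_EXTENSIONS, min_files=3):
    """Group in-scope files under `root` by content hash and report every
    group with at least `min_files` members covering two or more extensions.
    Each finding is a dict with keys digest, files, extensions and text."""
    groups = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in extensions:
                full = os.path.join(dirpath, name)
                groups[_sha256(full)].append(full)
    findings = []
    for digest, files in groups.items():
        exts = {f.rsplit(".", 1)[-1].lower() for f in files}
        if len(files) >= min_files and len(exts) >= 2:
            findings.append({"digest": digest, "files": sorted(files),
                             "extensions": sorted(exts),
                             "text": _looks_like_text(files[0])})
    return sorted(findings, key=lambda r: -len(r["files"]))


def build_sample_tree():
    """Constructed sample tree: one placeholder script body has overwritten
    five media and script files (one on a 'mapped share' subfolder), next to
    an untouched image, an unrelated script and an out-of-scope .txt copy."""
    root = tempfile.mkdtemp(prefix="overwrite-demo-")
    script_body = b"' constructed placeholder script body\r\nMsgBox \"hi\"\r\n"
    overwritten = ["photo.jpg", "song.mp3", "logon.vbs", "style.css",
                   os.path.join("share", "clip.mp2")]
    for rel in overwritten:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(script_body)
    with open(os.path.join(root, "holiday.jpeg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + os.urandom(64))   # binary, unique
    with open(os.path.join(root, "util.js"), "wb") as fh:
        fh.write(b"console.log('unrelated');\n")          # text, unique
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(script_body)                            # extension out of scope
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for finding in find_mass_overwrites(demo_root):
        kind = "text/script" if finding["text"] else "binary"
        print(f"{finding['digest'][:12]} shared by {len(finding['files'])} files "
              f"({', '.join(finding['extensions'])}); content is {kind}")
        for path in finding["files"]:
            print("   ", path)
```

Run the file directly and it builds the sample tree in a temporary directory and prints the single group it finds. Pointing `find_mass_overwrites` at a real share is a useful triage step after a suspected mass-mailer incident: identical text content behind a .jpg and an .mp3 cannot be a legitimate coincidence, while the `min_files` threshold keeps ordinary duplicated scripts from producing noise.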

As part of its payload, Win32.Loveletter would attempt to download from the Internet a file called WIN-BUGSFIX.exe, a password-cracking utility that stole passwords from the entire network and then sent the collected data to the author in the Philippines.

The source code was posted on several BBS systems, which facilitated the appearance of new modifications over time. At the moment, there are more than 90 variants in the wild. Win32.Loveletter was also the most damaging virus in history, causing losses of between 5.5 and 10 billion.

June 6th brought the first computer virus able to infect mobile phones. The VBS.Timofonica.B virus would normally spread by e-mail, but it was also capable of sending itself to random mobile numbers belonging to Movistar cellular customers. The so-called virus was merely a hoax, as its payload would only display a message written in Spanish on the mobile phone:

“Information for you: Telefonica
is fooling you”

The virus did not take handheld devices out of service, nor did it have any effect on their performance. However, the international mass media rushed to name VBS.Timofonica.B the first ‘cellular’ virus. (Because of the significant advances in the mobile world, today’s mobile phones can easily be infected and rendered inoperable by miscellaneous security threats. In order to protect you from mobile viruses, Bitdefender has released Mobile Security, an antivirus solution for mobile devices running Symbian™ or Microsoft

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.