The NSA versus Morris: $100 Million in Damage

The most important security incident of the year was triggered by Robert T. Morris, Jr., a graduate student at Cornell University and son of a National Security Agency researcher.

He managed to create a piece of software that would automatically self-replicate on all the systems connected to the government’s ARPAnet. This was the first time when a computer worm triggered a large-scale security incident (Morris’ worm exploited a vulnerability in UNIX operating systems on VAX and Sun Microsystems platforms and would spread without users’ help), and according to the U.S. General Accounting Office, the damage ranged in between $10 million and $100 million, as well as thousands of infected government computers.

Although Morris claimed that he had written the virus with no malicious intention in mind (it was allegedly an experiment that got out of control), he was convicted of violating the 1986 Computer Fraud and Abuse Act and was sentenced to three years’ probation, as well as 400 hours of community service to go along with the $10,050 fine.

The increased number of computer viruses and worms called for the establishment of a new anti-malware organization, called the Computer Emergency Response Team / Coordination Center (The CERT/CC is run by the federally funded Pittsburgh based Software Engineering Institute (SEI) at Carnegie Mellon University).

Founded right after the Morris worm struck, the organization is still active and provides security and privacy advisories).

Ultimately, the security industry considered that it was high time they had taken serious measures to defend users’ computes, and the first antivirus product was launched (Dr. Solomon’s Anti-Virus Toolkit hit the market at a time when popular antivirus professionals were skeptical regarding the future of such software products. For instance, Peter Norton thought that computer viruses
were more of a myth than of a serious threat, just like the crocodiles living in New York’s sewers.). Called Dr. Solomon’s Anti-Virus Toolkit, the new piece of software was created by British programmer Alan Solomon and enjoyed great popularity among computer users.

1989 came with new challenges for the security industry, and the battle against malware moved to the United Kingdom. The Fu Manchu virus, one of the many variants of the Jerusalem, was sent to a British virus researcher. Some other researcher anonymously received the 405 virus (that had been largely documented in Burger’s book). However, other corners of the world also started boiling under the malware pressure, and some of the first countries to have geared up for the battle were Bulgaria and Russia.

March came with a brand-new computer virus, written by a Dutch programmer called Fred Vogel (Fred Vogel is an extremely common name in Holland, and can be regarded as the equivalent of the American John Doe. Therefore, details about the person who created the virus are scarce). He immediately sent an infected file to an UK virus analyst, but did not claim authorship. On the contrary, Vogel said that he had found the virus in all his files on the hard disk. According to him, the virus was called DataCrime.1168.A and would trigger on the 13th of the next month.

The British researcher found upon disassembly that Datacrime’s payload would kick in on any day after October 12th, and would trigger a low level format of cylinder zero of the hard disk. Given the fact that cylinder zero stores the File Allocation Table, this would mean that all the files saved on the respective disk would be completely wiped out. After the low-level format has been successfully performed, the virus would also display its name.

Back in Holland, police authorities had already started looking for the person who wrote the virus, since this was an electronic offense. The police commissioned a programmer to write a detector for the DataCrime.1168.A virus, and then sold it for as much as $1 at every Dutch precinct. The new cleanup piece of software sold really well, but it also triggered a couple of false alarms (The huge number of false-positives actually caused more panic than the virus itself. In fact, there were only a few computers infected with Datacrime, mostly because the virus was non-memory resident, and thus it had limited spreading capabilities), so the detector had to be rewritten.

However, the official involvement of police authorities in the computer world got computer users thinking about how serious the issue was. Small and large companies across Holland
went for advice at IBM, as the company had already been working on a commercially-available antivirus utility. The company had to hurry up and deliver its products until October 12, as many users with valuable information were expected to experience trouble with DataCrime.1168.A (Datacrime is also known as the Columbus Day virus.), Cascade, Jerusalem and the likes.

IBM managed to ship the first version of the IBM scanning software in September 1989, but it was only available for its customers only (The product was called IBM Virscan for MS DOS and could be purchased for only $35). Many large companies around the world had performed their first computer scan ever. Although DataCrime.1168.A proved to be present in fewer computers than initially estimated, the antivirus software managed to detect and neutralize instances of other common viruses.

Three days later after the DataCrime.1168.A outbreak, a new worm started showing up on the the SPAN network. The WANK worm only infected VAX/VMS computers. In order to spread from a system to another, the worm used the DECNet protocol. It also came with a payload that changed system messages to read, ‘WORMS AGAINST NUCLEAR KILLERS’ accompanied by the message, ‘Your System Has Been Officially WANKed.’ More than that, WANK also changed system passwords to random symbols, and then mailed them to a SPAN network user called GEMPAK.

Three new security risks complete the disaster started by DataCrime.1168.A and Jerusalem. However, one of the viruses (called V2Px, 1260, Washburn or Chameleon) has polymorphic abilities (Polymorphic viruses can repeatedly re-encode themselves, in order to get away from simple string antivirus scanners), which made it more difficult to detect using simple string anti-virus scanners.  Scanning for fixed strings was rendered inefficient, as most of the virus’ code suffered important transformations with each successive infection. It seems that the Chameleon virus was built on top of the Vienna virus, as it was detailed in Burger’s book (Entitled Computer Viruses: The Disease of High Technology, the book aimed at drawing users’ attention on computer viruses. Instead, it had quickly become one of the reference books for malware authors).

While the security world was busy with the Chameleon.1446 virus, a young student at the University of Wellington, New Zealand, had developed a new computer virus. Called the Boot.Stoned.Elythnia, the virus would display the message ‘Your PC is now Stoned’ one time in eight boot-ups from an infected floppy disk. In spite of the fact that the virus was only a few hundred bytes long, its memory-replication feature allowed it to spread at will (Some reports claim that Stoned caused a wave of infections that  affected about a quarter of the computers in the world). Although the Boot.Stoned.Elythnia virus was not programmed to inflict any damage to the host system (it was only used as a means to ask for the legalization of Marijuana), there were reports of it having overwrite parts of infected disks that contain directory information or portions of user data files, such as the boot sector of floppy disks along with Head 0, Track 0, Sector 3 on a diskette or the master boot record and Head 0, Track 0, Sector 7 on hard disks.

The Dark Avenger.1800 virus has been written by a Bulgarian programmer living in Sofia. The 1800 variant would infect a program when its file is being read. This means that any program reading .EXE and .COM files could trigger an epidemic. Moreover, when an infected program is run, there is a 1-in-16 chance that the virus would overwrite a random disk sector. Unlike other viruses, Dark Avenger targets backups, not just data: if the user does not notice that data gets corrupted with each overwrite, backups would also get corrupted and useless.

The virus would also intercept any attempt to read infected files, so only the non-infected file will be seen.

Frodo unleashed its payload on September the 22nd, when it attempted to install a Trojan horse on the boot sector. However, the Trojan would only display the message “FRODO LIVES” in large letters on the screen, but some programming errors usually would make the computer hang. The most important security incident of the year is the Trojan.Agent.AIDS, a Trojan delivered by the Panama-registered PC Cyborg Corporation on floppy disks. The disks handled to the participants at an international AIDS conference (Another version of the story claims that 20,000 floppy disks containing this Trojan were mailed to addresses stolen from PC Business World and the World Health Organization.) were supposed to contain important information that had to be installed on hard-disk. However, the End-User License Agreement stated that users who plan to use the data for a long time had to pay a fee of $378.00. Otherwise, the bundled Trojan would encode critical data on the HDD(The encoding routine is triggered when the program us run for the 90th time). The company officials have been sentenced and then committed to a psychiatric institution (The software seems to have been created by an American doctor and AIDS researcher named Joseph Papp, who successfully invoked the insanity defense when he was extradited to the U.K. in 1990).

AIDS is also the first Trojan to spread using mailing lists. Once the system is infected, it then overwrites the beginning of documents and displays the message: “Your computer now has AIDS”. At this point, the infected system usually collapses, and the user has to reboot the computer.

Another type of virus is spotted late in 1989. Called the Vienna.GhostBalls, the new virus is the first multipartite piece of malware. A multipartite virus is able to infect multiple different target platforms, while remaining recursively dangerous in each target. Such examples include viruses comprised  of DOS file and PC BIOS boot sector virus code.

In order to fight back the increasingly active malware creators, McAfee released its own antivirus tool. The utility was able to detect and disinfect 44 viruses, an important improvement over IBM’s virus-search software, that was only able to detect 28.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.