Malware analysis

A History of Malware: Part Three, 1993-1999

Infosec Institute
May 29, 2014 by
Infosec Institute

In my previous article, I explained what happened to the evolution of malware when microcomputers started to become a major presence in small offices and households. That coincided with the exploding popularity of Microsoft's MS-DOS and Windows 3.1. The file systems they were based on, FAT16 and later on, FAT32, totally lacked file and folder level privileges, so it was easy for targeted malware to cause huge problems.

During the period covered in the last article, commerical ISPs made their debut. So people outside of academic settings started using email, USENET, and other Internet services. By 1991, Sir Tim Berners-Lee invented the web.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

In early 1993, I was on the web for the first time, and my very first web browser was the brand new Mosaic. In response to how Mosaic made the web accessable for many people, Netscape entered the scene. I was one of the lucky few to beta test Navigator 1.0 in November 1994. What was really cool was that I could see content and text loading in my webpages before they were completely downloaded. As we had a 16 kbps modem, I really appreciated that.

Netscape, and soon after, Internet Explorer, brought the web into millions of homes for the very first time. That made the Internet a lot more popular. To this very day, I encounter end users who think the Internet and the web are one and the same. Argh!

So, there opened a huge new vector for malware, and the Internet overcame floppy disks as the leading cause of malware distribution.

And now, the history of malware is starting to get very interesting...

Don't Call My Name, Leandro

The Michelangelo virus, as mentioned in my previous article, was the first "time bomb" virus to become notably widespread. It seemed like that from then on, "time bombs" started to become very popular.

The antivirus community initially encountered the Leandro virus in 1993. As it was a "time bomb," it was set to go off on a particular date. In Leandro's case, that date was October 21st of the year of infection. Based on my research, if a PC got infected after October 21st of a calendar year, it likely would go off on that date in the following calendar year.

But like many of the earlier viruses to create a big splash, it was kind enough to print a message for the user. This was Leandro's message:

Leandro and Kelly ! GV-MG-Brazil You have this virus since XX-XX-XXXX

The date of infection, whichever date that was, as it would vary in each incidence, would be in it.

Leandro was often spread via shareware on floppies, but as Internet usage started to grow rapidly, it was found to spread via BBS as well. I remember downloading quite a bit of shareware through BBS, so that was likely a primary vector.

It was especially nasty, because it targetted the MBR of floppy disks and HDDs. So, although it could enter a system via Windows and MS-DOS vulnerabilities, it could then impact completely unrelated operating systems as well, such as the very first GNU/Linux distros.

Leandro kept infecting machines for at least a few more years, into the late 1990s. Few Windows users ran antivirus software those days, or even knew what antivirus software was. So I imagine that after Leandro made an operating system unusable on a particular year's October 21st, an awful lot of HDDs were thrown out. It's difficult to determine how many disks were infected, as most people didn't report their infections to antivirus vendors. Maybe it caused more disks to enter landfills than cartridges of E.T. for Atari, but we'll never know for sure.

Freddy

Around the same time, Freddy was discovered. Like Leandro, it appeared to come from Brazil. Like the other viruses mentioned in this article and the previous one, it targeted Windows.

.COM and .EXE executables were affected, especially COMMAND.COM. Remember how crucial that file was?

Once Freddy infected a Windows machine, every time a user launched an executable, that executable, plus a .COM file in the same directory, would become infected. The size of each infected file would grow even more, as more and more files on the same disk acquired Freddy code. So it had a devastating snowball effect that could soon crash a machine due to memory overload.

In time, an infected PC wouldn't be able to run for more than a few seconds after booting the OS.

The string "Freddy Krg" could be found encrypted in infected files. So we can easily summize what the developer's inspiration was.

A Concept is Enough to Prove My Point

Concept was the first really significant Macro virus, discovered in July 1995. It coincided with Microsoft Word surpassing WordPerfect in word processor market dominance.

MS Word 6.0 and MS Word 95 were affected. Macros made life for frequent Word users, like my late novelist father, a lot easier. But macro creation in those versions of Word wasn't very secure. It's easy to blame Microsoft developers for having a lax attitude toward security. But macros were popular in WordPerfect as well, which Microsoft didn't develop. Even antivirus vendors, at the time, were unprepared for macro viruses. Concept was the first macro virus that made them really take notice, and it revolutionized how they developed malware signatures.

Concept was also notable as the first significant virus to spread via email. As a large percentage of mid-1990s email users were using AOL, the sound of "you've got mail" was often the harbinger of doom!

After opening an infected Word document, Concept would go on to infect the NORMAL.DOT template, and then other templates as well.

The macros that Concept contained were AAAZAO, AAAZFS, AutoOpen, FileSaveAs, and PayLoad.

PayLoad was especially interesting. Its name was a misnomer, because it was no payload at all. It just contained this text:

Sub MAIN

REM That's enough to prove my point

End Sub

Point proven? The best case scenario would be if a user didn't have important documents that used infected templates. Then, they could simply backup those documents, then uninstall and reinstall Word. It was useful that people usually had factory created install floppies and CDs those days.

Concept infected more machines than any other malware into the late 1990s.

Melissa

Concept's destructive success paved the way for the Melissa virus, which was the second malware to spread to a significant extent via email.

Although email was its primary vector, it was initially discovered in the alt.sex USENET group, in the spring of 1999. It was first found in a file that supposedly contained passwords for 80 pornographic websites. But even when it spread through USENET, once it infected a user's machine, it would target email clients, namely Microsoft Outlook 97 and 98.

A user's inbox would quickly flood with infected email, and send infected emails to addresses in a user's address book. Some users were so scared of Melissa that they'd disconnect their PCs from the Internet entirely. It's a shame, because reinstalling Outlook probably would have done the trick, as would running a malware scan once antivirus vendors had a signature for it.

Considering the erotic theme of the virus, it didn't come as much of a surprise that Melissa was named after a stripper.

An investigation led by the FBI found Melissa's creator later that year. It was New Jersey resident David L. Smith.

On December 10th, 1999, he was sentenced to ten years of prison. But Mr. Smith only served twenty months, so he was released just as the 21st century started.

Which segues nicely into my next article. Because although the Y2K bug was what got ordinary people into a panic, what they really should have worried about was ILOVEYOU...

References

Trend Micro Threat Encyclopedia, Leandro

http://about-threats.trendmicro.com/us//archive/malware/LEANDRO

Panda Security, Leandro

http://www.pandasecurity.com/homeusers/security-info/1635/Leandro

ESET Threat Encyclopedia, Leandro

http://www.eset.com/us/threat-center/encyclopedia/threats/leandro/

McAfee, Leandro

http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1443

F-Secure, Freddy

http://www.f-secure.com/v-descs/freddy.shtml

VSUM, Freddy virus

http://wiw.org/~meta/vsum/view.php?vir=529

Concept, The Virus Encyclopedia

http://virus.wikidot.com/concept

Concept virus, Dr. Nikolai Bezroukov

http://www.softpanorama.org/Malware/Malware_defense_history/Ch05_macro_viruses/Zoo/concept.shtml

CERT, Melissa Macro Virus

https://www.cert.org/historical/advisories/CA-1999-04.cfm

March 26th 1999, Melissa Wreaks Havoc on the Net, Wired.com

http://www.wired.com/2010/03/0326melissa-worm-havoc/

10 Worst Computer Viruses of All Time, How Stuff Works

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

http://computer.howstuffworks.com/worst-computer-viruses1.htm

Infosec Institute
Infosec Institute

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training.