In my previous article, I explained what happened to the evolution of malware when microcomputers started to become a major presence in small offices and households. That coincided with the exploding popularity of Microsoft’s MS-DOS and Windows 3.1. The file systems they were based on, FAT16 and, later, FAT32, completely lacked file- and folder-level permissions, so it was easy for targeted malware to cause huge problems.
During the period covered in the last article, commercial ISPs made their debut. So people outside of academic settings started using email, USENET, and other Internet services. By 1991, Sir Tim Berners-Lee invented the web.
In early 1993, I was on the web for the first time, and my very first web browser was the brand new Mosaic. In response to how Mosaic made the web accessible to many people, Netscape entered the scene. I was one of the lucky few to beta test Navigator 1.0 in November 1994. What was really cool was that I could see content and text loading in my webpages before they were completely downloaded. As we had a 16 kbps modem, I really appreciated that.
Netscape, and soon after, Internet Explorer, brought the web into millions of homes for the very first time. That made the Internet a lot more popular. To this very day, I encounter end users who think the Internet and the web are one and the same. Argh!
This opened a huge new vector for malware, and the Internet overtook floppy disks as the leading means of malware distribution.
And now, the history of malware is starting to get very interesting…
Don’t Call My Name, Leandro
The Michelangelo virus, as mentioned in my previous article, was the first “time bomb” virus to become notably widespread. It seemed that from then on, “time bombs” started to become very popular.
The antivirus community initially encountered the Leandro virus in 1993. As it was a “time bomb,” it was set to go off on a particular date. In Leandro’s case, that date was October 21st of the year of infection. Based on my research, if a PC got infected after October 21st of a calendar year, it likely would go off on that date in the following calendar year.
But like many of the earlier viruses to create a big splash, it was kind enough to print a message for the user. This was Leandro’s message:
Leandro and Kelly ! GV-MG-Brazil You have this virus since XX-XX-XXXX
The XX-XX-XXXX placeholder held the actual date of infection, which varied from one incidence to the next.
Leandro was often spread via shareware on floppies, but as Internet usage started to grow rapidly, it was found to spread via BBS as well. I remember downloading quite a bit of shareware through BBS, so that was likely a primary vector.
It was especially nasty, because it targeted the MBR of floppy disks and HDDs. So, although it could enter a system via Windows and MS-DOS vulnerabilities, it could then impact completely unrelated operating systems as well, such as the very first GNU/Linux distros.
Leandro kept infecting machines for at least a few more years, into the late 1990s. Few Windows users ran antivirus software in those days, or even knew what antivirus software was. So I imagine that after Leandro made an operating system unusable on a particular year’s October 21st, an awful lot of HDDs were thrown out. It’s difficult to determine how many disks were infected, as most people didn’t report their infections to antivirus vendors. Maybe it caused more disks to enter landfills than cartridges of E.T. for Atari, but we’ll never know for sure.
Around the same time, Freddy was discovered. Like Leandro, it appeared to come from Brazil. Like the other viruses mentioned in this article and the previous one, it targeted Windows.
.COM and .EXE executables were affected, especially COMMAND.COM. Remember how crucial that file was?
Once Freddy infected a Windows machine, every time a user launched an executable, that executable, plus a .COM file in the same directory, would become infected. The size of each infected file would grow even more, as more and more files on the same disk acquired Freddy code. So it had a devastating snowball effect that could soon crash a machine due to memory overload.
In time, an infected PC wouldn’t be able to run for more than a few seconds after booting the OS.
The string “Freddy Krg” could be found encrypted in infected files. So we can easily surmise what the developer’s inspiration was.
A Concept is Enough to Prove My Point
Concept was the first really significant macro virus, discovered in July 1995. It coincided with Microsoft Word surpassing WordPerfect in word processor market dominance.
MS Word 6.0 and MS Word 95 were affected. Macros made life for frequent Word users, like my late novelist father, a lot easier. But macro creation in those versions of Word wasn’t very secure. It’s easy to blame Microsoft developers for having a lax attitude toward security. But macros were popular in WordPerfect as well, which Microsoft didn’t develop. Even antivirus vendors, at the time, were unprepared for macro viruses. Concept was the first macro virus that made them really take notice, and it revolutionized how they developed malware signatures.
Concept was also notable as the first significant virus to spread via email. As a large percentage of mid-1990s email users were using AOL, the sound of “you’ve got mail” was often the harbinger of doom!
After opening an infected Word document, Concept would go on to infect the NORMAL.DOT template, and then other templates as well.
The macros that Concept contained were AAAZAO, AAAZFS, AutoOpen, FileSaveAs, and PayLoad.
PayLoad was especially interesting. Its name was a misnomer, because it was no payload at all. It just contained this text:
REM That’s enough to prove my point
Point proven? The best case scenario would be if a user didn’t have important documents that used infected templates. Then, they could simply back up those documents, then uninstall and reinstall Word. It was useful that people usually had factory-created install floppies and CDs in those days.
Concept infected more machines than any other malware into the late 1990s.
Concept’s destructive success paved the way for the Melissa virus, which was the second malware to spread to a significant extent via email.
Although email was its primary vector, it was initially discovered in the alt.sex USENET group, in the spring of 1999. It was first found in a file that supposedly contained passwords for 80 pornographic websites. But even when it spread through USENET, once it infected a user’s machine, it would target email clients, namely Microsoft Outlook 97 and 98.
A user’s inbox would quickly flood with infected email, and the virus would send infected emails to the addresses in the user’s address book. Some users were so scared of Melissa that they’d disconnect their PCs from the Internet entirely. It’s a shame, because reinstalling Outlook probably would have done the trick, as would running a malware scan once antivirus vendors had a signature for it.
Considering the erotic theme of the virus, it didn’t come as much of a surprise that Melissa was named after a stripper.
An investigation led by the FBI found Melissa’s creator later that year. It was New Jersey resident David L. Smith.
On December 10th, 1999, he was sentenced to ten years in prison. But Mr. Smith only served twenty months, so he was released just as the 21st century started.
Which segues nicely into my next article. Because although the Y2K bug was what got ordinary people into a panic, what they really should have worried about was ILOVEYOU…
About the Author: Kim Crawley is currently a security author for Infosec Institute. She has worked in tech support and as an IT technician for a variety of smaller businesses. She has learned about vulnerabilities in network protocols, operating systems, applications and hardware and uses that knowledge in her everyday work in IT. Learning how malware is developed.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.