General security

A History of Malware: Part Four, 2000-2005

Infosec Institute
June 4, 2014 by
Infosec Institute

I remember the eager anticipation that led to the turn of century. All throughout 1999, all I ever saw or heard in the media was millenium this, millenium that. Sure, the Gregorian calendar is a completely human invention. But it has a strong social impact on our lives. Many people in Western history never experienced a century turn. Most would never experience a millenium turn, because it only happens once every thousand years. Depending on the era, people rarely lived beyond age 50, 60 or 80.

But as the turn of the millenium was a human invention, it affected other human inventions. By the end of the 20th century, computing had already entered our lives in a wide variety of facets. In fact, we were already dependent on it. (Yes, I know the 21st century started on January 1st, 2001. But the turn of the millenium definitely happened as December 31st, 1999 became January 1st, 2000.)

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

All computers run by clocks. One manages the data bus and the CPU, and the other runs the system time as maintained by firmware. The firmware in most PCs and servers record dates according to the Gregorian calendar. But as basic computing processes can calculate numbers faster than character strings that need to be converted into numbers, the dates in system time are in a numerical format- 12/31/99 or 31/12/99 for example. The standards developed by major OEMs in the 20th century, such as IBM, kept to a nice and balanced two digits, two digits, two digits.

Either the new millenium didn't occur to these technology developers, or they figured their systems would be replaced before the year 2000. Either way, our banking, governmental and institutional computing systems were going to think it was the year 1900 in the year 2000.

The news media worldwide lept at this particular bug report, frequently misunderstanding it. So, ordinary people thought they were going to lose the money in their bank accounts, the electricity would shut down, and all hell would break loose. Some people even stocked up on canned goods and other emergency supplies, awaiting speculated disaster.

Well, throughout 1999, the media buzz likely spurred the tech industry to double their efforts. So much patching and other systematic repairs were done, that as January 1st, 2000 rolled in, few people noticed any problems at all.

What an ordinary person with a home PC or an office job should have actually been worried about was ILOVEYOU.

In this fourth article in my series, malware events greatly multiply in frequency. So in my research, I've had to carefully consider which malware to write about. The ones I've chosen are the ones I've deemed to be the biggest "game changers." The malware that affected the greatest numbers of people, and the malware that set trends in malware development are the few I've selected to cover.

ILOVEYOU

It's human nature to want love, affection, and validation. Most trojan developers understand that need, and often choose to exploit it. For instance, if you don't surf the web with an ad blocker or use a strong spam filter with your email- how many times have you heard that hot Russian women want to meet you right now? I'm a Canadian woman, and they can't even resist me.

Sure, that sort of spam probably targets sexuality, but a need for love is a factor too.

Reomel Lamores of the Phillipines understood that aspect of human nature very well. In May 2000, he was a computer programmer who worked for China Bank.

He liked to play around with Visual Basic. Some people speculate that Lamores wanted to wreak havoc. Lamores himself claims that he was just experimenting with his programming and that he didn't intend for his code to escape. But if he didn't want his code to escape, why did he make a trojan? Trojan malware works by fooling users with social engineering. Unlike malware that aren't trojans, they can't spread without the intervention of end users.

Like many trojans, ILOVEYOU primarily spread via email. The subject headings of the emails contained a string roughly like "ILOVEYOU," hence its name. The body said, "kindly check the attached LOVELETTER coming from me."

So, I suppose the idea was that end users were intended to be fooled into thinking they had some sort of secret admirer. Most end users, particularly back in the year 2000, don't know to be suspicious of attachments with two file extensions, especially if one of the extensions is an executable. Lamores didn't even bother to hide the Visual Basic extension, so the name of the attachment was LOVE-LETTER-FOR-YOU.TXT.vbs

Why would he go to that effort to deceive if he didn't intend for his code to escape? I don't believe the claims he made after he was caught, so he's not as effective of a liar as he thought he was.

As it was a Visual Basic script, it targeted Microsoft Outlook and Windows. Back in 2000, no other operating system platform or email client was anywhere near as prevalent. The script made changes in two of the most crucial registry keys: HKLMSoftwareMicrosoftWindowsCurrentVersionRunMSKernel32 and HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesWin32DLL

ILOVEYOU would then create a malicious Internet Explorer shortcut on the desktop, send a webpage to many other people via IRC, and change a large number of scripting and media files to malicious VBS files that would keep propagating the worm to various email and IRC contacts. And so on, and so forth. The Register estimated that many millions of people worldwide were affected, and possibly hundreds of millions of dollars were lost.

Hopefully, the ILOVEYOU incident was indication to the Phillipines' government that their criminal code needed to be updated for the 21st century, because at the time there was no crime Lamores could be charged with under Filipino law.

Slam Dunk

In July 2002, IT security scientist David Litchfield discovered a vulnerability in Microsoft SQL Server and Microsoft SQL Server Desktop Engine. Considering how Microsoft's IIS webserver dominated the market, especially then, the potential for destruction was immense.

It was a buffer overflow vulnerability. Software developers understand intimately how that sort of memory management problem can cause machines and systems to crash and disable like crazy.

Fortunately, once Microsoft became aware of the bug, they quickly patched it. Unfortunately, it seems that countless institutions and corporations weren't patch managing their IIS servers properly. Oops!

On January 25th, 2003, disaster stuck, and its name was SQL Slammer. The name was based on the programs it targeted, as it wasn't written in SQL.

When servers caught SQL Slammer, no other worm in history, not even ILOVEYOU, ever spread so quickly. Once a Microsoft-based machine caught an infection, 376 bytes would be sent to UDP port 1434. Then, enough packets would be sent to that port to cause a DoS (denial of service) attack, causing the server to crash.

The payload would be sent to other connected webservers, causing huge numbers to crash, all in a matter of a couple of days.

Millions of people found that many of their favorite websites and web services didn't work properly, or would be unavailable altogether.

If anything could be learned from the incident, it's the principle of patching. Patch your servers and clients daily if possible! That sort of measure likely would've prevented SQL Slammer's immense destruction.

"I don't have to worry about viruses, I've got a Mac!"

I still hear this myth from the mouths of end users today, especially Apple fanboys and fangirls. "I don't have to worry about viruses, I've got a Mac!"

Once this series of mine entered the 1990s, Microsoft Windows became well established as the computing platform of choice for the overwhelming majority of end users and businesses worldwide. That market dominance, coupled with no file-level permissions in client Windows until Windows XP's release in 2001, led to an environment where the vast majority of malware targets were Microsoft products. So, it's still popularly believed that malware is a problem exclusive to Windows.

By 2003, Apple's new BSD/Unix-based platform, Mac OS X, was already rather popular with many users, particularly those who work in digital media. Mac OS X is definitely more secure because it's based on that tried and tested Unix code. And in the early 2000s, OS X had less than 5% of microcomputer marketshare. So, an operating system that was more difficult to exploit, coupled with only having a minority install base, made it seem like the platform was invulnerable.

If you're a malware developer, which platform would you target? One based on the inherently less secure MS-DOS and NT kernels, on over 90% of PCs? Or the one based on the considerably more secure BSD/Unix kernel, with a minority of installs? The answer should be obvious.

But my fiance Sean Rooney wanted to prove to doubters that Mac OS X malware was indeed possible, so he created a proof-of-concept back in 2003 that knocked people's socks off.

Surely enough, it wasn't too long after that the probable first Mac OS X malware was found. Its name was Renepo, discovered in 2004.

Unlike the other malware featured in this article, Renepo wasn't designed to spread via the Internet. Instead, it spread via removable media, so it affected fewer machines. So, Renepo should be a reminder to those of us in the IT security community that malware can still spread by infected disks, and can indeed affect Apple products.

Renepo was a shell script that could disable firewalls, crack passwords, and disable updates. It was truly nasty stuff, indeed.

Amphimix

Renepo was a precursor of things soon to come. The next major Mac OS X malware hit the scene mere months afterwards.

By 2004 and 2005, iPod was already a moneymaker for Apple of the likes they never had before. Initially released in 2001, a few years later the music player line was still a must-have toy, and it caused mp3 files to become immesely popular.

Apple's iPod, and iPhones and iPads today require iTunes to be installed on the PCs they're mounted to, in order for Apple's DRM to work properly. (Unless you know how to crack it, of course.) It was a good marketing decision to develop iTunes for Windows, in addition to OS X.

Months after Renepo, Amphimix was discovered. It was a file-binded mp3 that spread via P2P, email, IRC, the web, and FTP. When played in iTunes on either platform, wild laughter could be heard. And if the iTunes install was in OS X, Amphimix could cause major trouble.

Like Renepo, firewalls and AV shields were disabled. Unlike Renepo, the DNS records on infected Macs were altered. When users used DNS to surf the web, they'd be redirected to malicious IP addresses. Amphimix was a major troublemaker for Macs in 2004 and 2005.

The next article in my series is the final one. I'll cover important malware events from 2006, up until present day in 2014.

My teachers in school taught me that in order to prevent problems in the future, we must understand problems from the past. Hence, it's vital to study history!

I look forward to getting you caught up to the history of malware up to now, so we can prevent the serious destruction of computing systems in the future. Malware is a bigger issue than ever, and I figure it'll only get worse as time goes on.

References

No sorry from Love Bug author- The Register

http://theregister.co.uk/2005/05/11/love_bug_author/

The Love Bug: A Retrospect- Rixstep

http://rixstep.com/1/20040504,00.shtml

W32.SQLEXP.Worm- Symantec.com

http://symantec.com/security_response/writeup.jsp?docid=2003-012502-3306-99

Inside the Slammer Worm- IEEE Security and Privacy Magazine

http://cseweb.ucsd.edu/~savage/papers/IEEESP03.pdf

10 years of Mac OS X malware- We Live Security

http://welivesecurity.com/2014/03/21/10-years-of-mac-os-x-malware/

Detailed Analysis/Renepo-A- Sophos

http://sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/SH~Renepo-A/detailed-analysis.asp

Straight facts about Mac Malware- ESET

http://eset.com/int/mac-malware-facts/

Amphimix-A- Panda Security

http://pandasecurity.com/homeusers/security-info/46902/Amphimix.A

Detailed Analysis/Amphimix-A- Sophos

http://sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mac~Amphimix-A/detailed-analysis.aspx

Infosec Institute
Infosec Institute

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training.