In my previous article, I explained what happened to the evolution of malware when microcomputers started to become a major presence in small offices and households. That coincided with the exploding popularity of Microsoft’s MS-DOS and Windows 3.1. The file systems they were based on, FAT16 and later on, FAT32, totally lacked file and folder level privileges, so it was easy for targeted malware to cause huge problems.

During the period covered in the last article, commerical ISPs made their debut. So people outside of academic settings started using email, USENET, and other Internet services. By 1991, Sir Tim Berners-Lee invented the web.

In early 1993, I was on the web for the first time, and my very first web browser was the brand new Mosaic. In response to how Mosaic made the web accessable for many people, Netscape entered the scene. I was one of the lucky few to beta test Navigator 1.0 in November 1994. What was really cool was that I could see content and text loading in my webpages before they were completely downloaded. As we had a 16 kbps modem, I really appreciated that.

Netscape, and soon after, Internet Explorer, brought the web into millions of homes for the very first time. That made the Internet a lot more popular. To this very day, I encounter end users who think the Internet and the web are one and the same. Argh!

So, there opened a huge new vector for malware, and the Internet overcame floppy disks as the leading cause of malware distribution.

And now, the history of malware is starting to get very interesting…

Don’t Call My Name, Leandro

The Michelangelo virus, as mentioned in my previous article, was the first “time bomb” virus to become notably widespread. It seemed like that from then on, “time bombs” started to become very popular.

The antivirus community initially encountered the Leandro virus in 1993. As it was a “time bomb,” it was set to go off on a particular date. In Leandro’s case, that date was October 21st of the year of infection. Based on my research, if a PC got infected after October 21st of a calendar year, it likely would go off on that date in the following calendar year.

But like many of the earlier viruses to create a big splash, it was kind enough to print a message for the user. This was Leandro’s message:

Leandro and Kelly ! GV-MG-Brazil You have this virus since XX-XX-XXXX

The date of infection, whichever date that was, as it would vary in each incidence, would be in it.

Leandro was often spread via shareware on floppies, but as Internet usage started to grow rapidly, it was found to spread via BBS as well. I remember downloading quite a bit of shareware through BBS, so that was likely a primary vector.

It was especially nasty, because it targetted the MBR of floppy disks and HDDs. So, although it could enter a system via Windows and MS-DOS vulnerabilities, it could then impact completely unrelated operating systems as well, such as the very first GNU/Linux distros.

Leandro kept infecting machines for at least a few more years, into the late 1990s. Few Windows users ran antivirus software those days, or even knew what antivirus software was. So I imagine that after Leandro made an operating system unusable on a particular year’s October 21st, an awful lot of HDDs were thrown out. It’s difficult to determine how many disks were infected, as most people didn’t report their infections to antivirus vendors. Maybe it caused more disks to enter landfills than cartridges of E.T. for Atari, but we’ll never know for sure.

Freddy

Around the same time, Freddy was discovered. Like Leandro, it appeared to come from Brazil. Like the other viruses mentioned in this article and the previous one, it targeted Windows.

.COM and .EXE executables were affected, especially COMMAND.COM. Remember how crucial that file was?

Once Freddy infected a Windows machine, every time a user launched an executable, that executable, plus a .COM file in the same directory, would become infected. The size of each infected file would grow even more, as more and more files on the same disk acquired Freddy code. So it had a devastating snowball effect that could soon crash a machine due to memory overload.

In time, an infected PC wouldn’t be able to run for more than a few seconds after booting the OS.

The string “Freddy Krg” could be found encrypted in infected files. So we can easily summize what the developer’s inspiration was.

A Concept is Enough to Prove My Point

Concept was the first really significant Macro virus, discovered in July 1995. It coincided with Microsoft Word surpassing WordPerfect in word processor market dominance.

MS Word 6.0 and MS Word 95 were affected. Macros made life for frequent Word users, like my late novelist father, a lot easier. But macro creation in those versions of Word wasn’t very secure. It’s easy to blame Microsoft developers for having a lax attitude toward security. But macros were popular in WordPerfect as well, which Microsoft didn’t develop. Even antivirus vendors, at the time, were unprepared for macro viruses. Concept was the first macro virus that made them really take notice, and it revolutionized how they developed malware signatures.

Concept was also notable as the first significant virus to spread via email. As a large percentage of mid-1990s email users were using AOL, the sound of “you’ve got mail” was often the harbinger of doom!

After opening an infected Word document, Concept would go on to infect the NORMAL.DOT template, and then other templates as well.

The macros that Concept contained were AAAZAO, AAAZFS, AutoOpen, FileSaveAs, and PayLoad.

PayLoad was especially interesting. Its name was a misnomer, because it was no payload at all. It just contained this text:

Sub MAIN

REM That’s enough to prove my point

End Sub

Point proven? The best case scenario would be if a user didn’t have important documents that used infected templates. Then, they could simply backup those documents, then uninstall and reinstall Word. It was useful that people usually had factory created install floppies and CDs those days.

Concept infected more machines than any other malware into the late 1990s.

Melissa

Concept’s destructive success paved the way for the Melissa virus, which was the second malware to spread to a significant extent via email.

Although email was its primary vector, it was initially discovered in the alt.sex USENET group, in the spring of 1999. It was first found in a file that supposedly contained passwords for 80 pornographic websites. But even when it spread through USENET, once it infected a user’s machine, it would target email clients, namely Microsoft Outlook 97 and 98.

A user’s inbox would quickly flood with infected email, and send infected emails to addresses in a user’s address book. Some users were so scared of Melissa that they’d disconnect their PCs from the Internet entirely. It’s a shame, because reinstalling Outlook probably would have done the trick, as would running a malware scan once antivirus vendors had a signature for it.

Considering the erotic theme of the virus, it didn’t come as much of a surprise that Melissa was named after a stripper.

An investigation led by the FBI found Melissa’s creator later that year. It was New Jersey resident David L. Smith.

On December 10th, 1999, he was sentenced to ten years of prison. But Mr. Smith only served twenty months, so he was released just as the 21st century started.

Which segues nicely into my next article. Because although the Y2K bug was what got ordinary people into a panic, what they really should have worried about was ILOVEYOU…

References

Trend Micro Threat Encyclopedia, Leandro

http://about-threats.trendmicro.com/us//archive/malware/LEANDRO

Panda Security, Leandro

http://www.pandasecurity.com/homeusers/security-info/1635/Leandro

ESET Threat Encyclopedia, Leandro

http://www.eset.com/us/threat-center/encyclopedia/threats/leandro/

McAfee, Leandro

http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1443

F-Secure, Freddy

http://www.f-secure.com/v-descs/freddy.shtml

VSUM, Freddy virus

http://wiw.org/~meta/vsum/view.php?vir=529

Concept, The Virus Encyclopedia

http://virus.wikidot.com/concept

Concept virus, Dr. Nikolai Bezroukov

http://www.softpanorama.org/Malware/Malware_defense_history/Ch05_macro_viruses/Zoo/concept.shtml

CERT, Melissa Macro Virus

https://www.cert.org/historical/advisories/CA-1999-04.cfm

March 26th 1999, Melissa Wreaks Havoc on the Net, Wired.com

http://www.wired.com/2010/03/0326melissa-worm-havoc/

10 Worst Computer Viruses of All Time, How Stuff Works

Want to learn more?? The InfoSec Institute Web Application Penetration Testing Boot Camp focuses on preparing you for the real world of Web App Pen Testing through extensive lab exercises, thought provoking lectures led by an expert instructor. We review of the entire body of knowledge as it pertains to web application pen testing through a high-energy seminar approach.

The Web Application Penetration Testing course from InfoSec Institute is a totally hands-on learning experience. From the first day to the last day, you will learn the ins and outs of Web App Pen Testing by attending thought provoking lectures led by an expert instructor. Every lecture is directly followed up by a comprehensive lab exercise (we also set up and provide lab workstations so you don't waste valuable class time installing tools and apps). Benefits to you are:

  • Get CWAPT Certified
  • Learn the Secrets of Web App Pen Testing in a totally hands-on classroom environment
  • Learn how to exploit and defend real-world web apps: not just silly sample code
  • Complete the 83 Step "Web App Pen Test Methodology", and bring a copy back to work with you
  • Learn how perform OWASP Top 10 Assessments: for PCI DSS compliance

http://computer.howstuffworks.com/worst-computer-viruses1.htm