A History of Malware: Part Three, 1993-1999
In my previous article, I explained what happened to the evolution of malware when microcomputers started to become a major presence in small offices and households. That coincided with the exploding popularity of Microsoft's MS-DOS and Windows 3.1. The file systems they were based on, FAT16 and later on, FAT32, totally lacked file and folder level privileges, so it was easy for targeted malware to cause huge problems.
During the period covered in the last article, commerical ISPs made their debut. So people outside of academic settings started using email, USENET, and other Internet services. By 1991, Sir Tim Berners-Lee invented the web.
Become a certified reverse engineer!
In early 1993, I was on the web for the first time, and my very first web browser was the brand new Mosaic. In response to how Mosaic made the web accessable for many people, Netscape entered the scene. I was one of the lucky few to beta test Navigator 1.0 in November 1994. What was really cool was that I could see content and text loading in my webpages before they were completely downloaded. As we had a 16 kbps modem, I really appreciated that.
Netscape, and soon after, Internet Explorer, brought the web into millions of homes for the very first time. That made the Internet a lot more popular. To this very day, I encounter end users who think the Internet and the web are one and the same. Argh!
So, there opened a huge new vector for malware, and the Internet overcame floppy disks as the leading cause of malware distribution.
And now, the history of malware is starting to get very interesting...
Don't Call My Name, Leandro
The Michelangelo virus, as mentioned in my previous article, was the first "time bomb" virus to become notably widespread. It seemed like that from then on, "time bombs" started to become very popular.
The antivirus community initially encountered the Leandro virus in 1993. As it was a "time bomb," it was set to go off on a particular date. In Leandro's case, that date was October 21st of the year of infection. Based on my research, if a PC got infected after October 21st of a calendar year, it likely would go off on that date in the following calendar year.
But like many of the earlier viruses to create a big splash, it was kind enough to print a message for the user. This was Leandro's message:
Leandro and Kelly ! GV-MG-Brazil You have this virus since XX-XX-XXXX
The date of infection, whichever date that was, as it would vary in each incidence, would be in it.
Leandro was often spread via shareware on floppies, but as Internet usage started to grow rapidly, it was found to spread via BBS as well. I remember downloading quite a bit of shareware through BBS, so that was likely a primary vector.
It was especially nasty, because it targetted the MBR of floppy disks and HDDs. So, although it could enter a system via Windows and MS-DOS vulnerabilities, it could then impact completely unrelated operating systems as well, such as the very first GNU/Linux distros.
Leandro kept infecting machines for at least a few more years, into the late 1990s. Few Windows users ran antivirus software those days, or even knew what antivirus software was. So I imagine that after Leandro made an operating system unusable on a particular year's October 21st, an awful lot of HDDs were thrown out. It's difficult to determine how many disks were infected, as most people didn't report their infections to antivirus vendors. Maybe it caused more disks to enter landfills than cartridges of E.T. for Atari, but we'll never know for sure.
Freddy
Around the same time, Freddy was discovered. Like Leandro, it appeared to come from Brazil. Like the other viruses mentioned in this article and the previous one, it targeted Windows.
.COM and .EXE executables were affected, especially COMMAND.COM. Remember how crucial that file was?
Once Freddy infected a Windows machine, every time a user launched an executable, that executable, plus a .COM file in the same directory, would become infected. The size of each infected file would grow even more, as more and more files on the same disk acquired Freddy code. So it had a devastating snowball effect that could soon crash a machine due to memory overload.
In time, an infected PC wouldn't be able to run for more than a few seconds after booting the OS.
The string "Freddy Krg" could be found encrypted in infected files. So we can easily summize what the developer's inspiration was.
A Concept is Enough to Prove My Point
Concept was the first really significant Macro virus, discovered in July 1995. It coincided with Microsoft Word surpassing WordPerfect in word processor market dominance.
MS Word 6.0 and MS Word 95 were affected. Macros made life for frequent Word users, like my late novelist father, a lot easier. But macro creation in those versions of Word wasn't very secure. It's easy to blame Microsoft developers for having a lax attitude toward security. But macros were popular in WordPerfect as well, which Microsoft didn't develop. Even antivirus vendors, at the time, were unprepared for macro viruses. Concept was the first macro virus that made them really take notice, and it revolutionized how they developed malware signatures.
Concept was also notable as the first significant virus to spread via email. As a large percentage of mid-1990s email users were using AOL, the sound of "you've got mail" was often the harbinger of doom!
After opening an infected Word document, Concept would go on to infect the NORMAL.DOT template, and then other templates as well.
The macros that Concept contained were AAAZAO, AAAZFS, AutoOpen, FileSaveAs, and PayLoad.
PayLoad was especially interesting. Its name was a misnomer, because it was no payload at all. It just contained this text:
Sub MAIN
REM That's enough to prove my point
End Sub
Point proven? The best case scenario would be if a user didn't have important documents that used infected templates. Then, they could simply backup those documents, then uninstall and reinstall Word. It was useful that people usually had factory created install floppies and CDs those days.
Concept infected more machines than any other malware into the late 1990s.
Melissa
Concept's destructive success paved the way for the Melissa virus, which was the second malware to spread to a significant extent via email.
Although email was its primary vector, it was initially discovered in the alt.sex USENET group, in the spring of 1999. It was first found in a file that supposedly contained passwords for 80 pornographic websites. But even when it spread through USENET, once it infected a user's machine, it would target email clients, namely Microsoft Outlook 97 and 98.
A user's inbox would quickly flood with infected email, and send infected emails to addresses in a user's address book. Some users were so scared of Melissa that they'd disconnect their PCs from the Internet entirely. It's a shame, because reinstalling Outlook probably would have done the trick, as would running a malware scan once antivirus vendors had a signature for it.
Considering the erotic theme of the virus, it didn't come as much of a surprise that Melissa was named after a stripper.
An investigation led by the FBI found Melissa's creator later that year. It was New Jersey resident David L. Smith.
On December 10th, 1999, he was sentenced to ten years of prison. But Mr. Smith only served twenty months, so he was released just as the 21st century started.
Which segues nicely into my next article. Because although the Y2K bug was what got ordinary people into a panic, what they really should have worried about was ILOVEYOU...
References
Trend Micro Threat Encyclopedia, Leandro
http://about-threats.trendmicro.com/us//archive/malware/LEANDRO
Panda Security, Leandro
http://www.pandasecurity.com/homeusers/security-info/1635/Leandro
ESET Threat Encyclopedia, Leandro
http://www.eset.com/us/threat-center/encyclopedia/threats/leandro/
McAfee, Leandro
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1443
F-Secure, Freddy
http://www.f-secure.com/v-descs/freddy.shtml
VSUM, Freddy virus
http://wiw.org/~meta/vsum/view.php?vir=529
Concept, The Virus Encyclopedia
http://virus.wikidot.com/concept
Concept virus, Dr. Nikolai Bezroukov
http://www.softpanorama.org/Malware/Malware_defense_history/Ch05_macro_viruses/Zoo/concept.shtml
CERT, Melissa Macro Virus
https://www.cert.org/historical/advisories/CA-1999-04.cfm
March 26th 1999, Melissa Wreaks Havoc on the Net, Wired.com
http://www.wired.com/2010/03/0326melissa-worm-havoc/
10 Worst Computer Viruses of All Time, How Stuff Works
http://computer.howstuffworks.com/worst-computer-viruses1.htm
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- A History of Malware: Part Three, 1993-1999
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis