Malware analysis

A History of Malware: Part Two, 1989-1992

Infosec Institute
May 19, 2014 by
Infosec Institute

In my previous article, I told the story of the very first worms and viruses. Interestingly, a groundbreaking mathemetician, John von Neumann, and a science fiction novelist, John Brunner, conceptualized them before anyone ever coded them.

We often see this sort of thing in the world of science and technology. One of the most frequently cited examples is how Star Trek creator Gene Roddenberry predicted smartphones and tablets, and the Enterprise crews in the original series and The Next Generation used very similiar looking and behaving devices accordingly.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

People in science, technology and academia used computers and the Internet decades before ordinary people. The advent of PCs, Berners-Lee's "World Wide Web," and ARM-based mobile devices, in that order, brought computing and computer networking into everyone's lives.

There are two key differences between the events in my first article, and the events in this one. In the first article, pretty much only people in STEM were using computers, ARPAnet and the Internet. So, the harm done by the very first generation of malware would only affect niche groups of people. The second key difference is that the first generation of malware was all experimental rather than malicious in intent. An understanding of the history of hacker culture will demonstrate that computer programmers and technicians, especially the earliest ones, were powerfully driven by the pursuit of knowledge. I have a strong feeling that some of the strings in the earliest malware, such as "I'm the Creeper, catch me if you can!" and the copyright messages in the Brain series of viruses, were intended to be playful with other people in their field. Insider jokes, if you will.

As the late 1980s led into the 1990s, it became increasingly common to see microcomputers not only in offices, but in households as well. I remember being marveled by all the time I spent playing with Commodore 64s when I was a little girl. They really were a big deal back then. Then in late 1992, my family got a 486 running Windows 3.1, and I was probably the very first kid in school with Internet access at home. Even at that young age, I could see how these technologies would be radically changing people's lives. The "early adopter" status of my childhood household likely played a major role in how I grew up to be an IT security researcher.

So it's worth noting that the second generation of malware, the focus of this article, was probably the first to affect doctor's offices, receptionists, people filing their income taxes from home, and little girls who felt compelled to download Apogee games from a BBS. (Thanks, Dad!)

Look Ma! No Permissions!

Microsoft Windows 3.1 was a major factor in getting personal computers into households and offices in the early 1990s, even though Commodore's Amiga platform dominated Europe.

But until Windows XP was released in 2001, on the client side, Windows was simply a GUI for MS-DOS. That meant that its partition would be formatted with some version of FAT (File Allocation Table) or another. All versions of FAT lack support for multiuser operating systems, and coincidingly lack any sort of file or folder level permissions. Boot up the machine, and you have full access to everything, no passwords or cracking necessary. What's especially concerning is that Windows 3.1, 95 and 98 were the first operating systems millions of people around the world used to access the Internet.

Although malware can easily be transmitted via removable media, such as floppy disks and optical discs, the Internet opened up the largest vector for malware in computing history. ARPAnet started in 1969, and the modern Internet, complete with commercial ISPs, started in the late 1980s.

Well, when most of us were using MS-DOS based Windows operating systems to access the Internet in the late 1980s and the 1990s, we were opening up our PCs to a massive malware source with no user account or file system protections whatsoever. If an executable file, regardless of where it came from, launched on our PCs, it wouldn't even have to struggle in any way to wreak havoc. When there are no permissions, everything is automatically permitted.

By 1989, Windows 2.1 and MS-DOS 4.01 were Microsoft's most current x86 operating systems. OS/2 only ran on PS/2 hardware. Although IBM's PS/2 microcomputers used x86, they never commerically took off like "IBM PC compatible" machines did. Though, we still see a remnant of PS/2 on a lot of our PCs even today, our PS/2 keyboard and mouse ports. Windows 1.x, 2.0, and MS-DOS 3.3 and older versions were still in frequent use. That was the environment we were in in the world of Microsoft computing, when the first malware to have a significant impact on that platform was discovered.

Ghostball

Icelandic computer whiz Friðrik Skúlason discovered the Ghostball virus in October 1989. It evolved from Vienna. The first Vienna virus was discovered in April 1988 by Franz Swoboda, and eventually there were hundreds of variants of it. (Skúlason went on to found antivirus firm F-Prot in 1993.)

Ghostball, like Vienna, was a .COM executable that targetted other .COM executables in MS-DOS based operating systems. So all versions of MS-DOS and client Windows were vulnerable. By changing the time stamp of files to 62 seconds (which would not be converted to 1:02), the whole OS would crash, and a complete disk reformatting and OS reinstallation was usually necessary.

It would most commonly spread via infected floppy disks, but it spread through the Internet as well.

If household Internet use was even at 1997 levels, Ghostball and other Vienna variants could've done a lot more damage than they did. Still, at least hundreds of thousands of Microsoft-based PCs were affected, with many millions of dollars worth of hardware and data lost. Why Microsoft didn't respond by launching a multiuser operating system, like UNIX and other common OSes have been using since at least the 1970s, I really don't know. It was a terrible oversight, to say the least, especially considering Microsoft's grip on OEMs.

Michelangelo

Italian Renaissance artist Michelangelo was born on March 6th, 1475. Back in 1991, the Michelangelo I was famillar with was the orange-masked Ninja Turtle.

In February of that year, the Michelangelo virus was discovered, in either Australia or New Zealand. It was named Michelangelo because it was a boot sector "time bomb" that was coded to launch from its dormant state on his 517th birthday -- March 6th, 1992. It targeted all DOS based operating systems, including all versions of Windows at the time. If a floppy disk or HDD was multiboot with a non-DOS operating system, the non-DOS operating system would still be affected because of the shared MBR.

One would've thought that it being discovered in February 1991 would've given the computing world plenty of time to get rid of it before March 6th, 1992. But alas, by January 1992, it was discovered that many products, including Intel's LANSpool print spooler, were shipped with it. Oops!

Many people in the know, especially in datacenters and institutional settings, were able to rid their machines of it before Michelangelo's 517th birthday. But antivirus programs were unheard of by most people using DOS-based PCs in offices and households. Thankfully, many of them still heard news reports, warning them to either set their BIOS clocks to March 7th, or to leave their PCs turned off on March 6th.

McAfee founder John McAfee claimed millions of PCs were infected. Other reports said only hundreds of PCs were. Especially considering Mr. McAfee's personal problems as of 2014, I don't think we'll ever be certain of the exact number.

The First Spambots

Before Sir Tim Berners-Lee's "World Wide Web" really took off later in the 1990s, many early adopters of Internet use in offices and homes in the late 1980s and early 1990s were using email, BBS, USENET and IRC.

In the early 1990s, my husband Sean Rooney was an IT security expert for the Canadian government. He could imagine spambot rootkits, in various malware varieties, taking off as more and more people started using various services on the Internet. He did, in his words, a "live-fire demonstration" of spambot malware. He tells me no one took him seriously. A few years later, by around 1996, spambot malware was seen "in the wild" for the first time.

In my next article, I'll explain the major malware events in the rest of the 1990s. That's when things started to get really interesting...

References

Ghostballs- The Virus Encyclopedia: http://virus.wikidot.com/ghostballs

Vienna- The Virus Encyclopedia: http://virus.wikidot.com/vienna

Virus.Multi.Ghostball.2351.a- Securelist: http://www.securelist.com/en/descriptions/old18707

Michelangelo Madness: https://web.archive.org/web/20080309235614/http://www.research.ibm.com/antivirus/SciPapers/White/VB95/vb95.distrib-node7.html

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

Michelangelo- f-prot.com: http://www.f-prot.com/virusinfo/descriptions/michhelangelo.html

Infosec Institute
Infosec Institute

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training.