May 11, 2019

A History Of Hacking & Viruses

Ever wondered how a single piece of malicious code evolved into the threats of today? A brief look at how modern hacking came to be, and at the roles the major players in computer security played in that evolution.

Viruses can not only be annoying, but they can cause some serious damage!

A History Of Viruses & Malware

Malicious software is nothing new. But a bit of background on how it came into being and how it evolves helps to show just how big a mistake clicking that link in an email can be!


Viruses have been around for quite a while now, and it would not be wrong to say that their history is almost as old as the first computer. In the first documented incident of what came to be known as a computer “worm”, in 1979, specialists at the Xerox Palo Alto Research Center found a “worm” (Write Once Read Many): a short program that scoured the network for idle processors. That program happens to be the ancestor of the modern-day worm. Further research into the subject reveals the existence of the “414s”, a group of young computer programmers who hacked their way into numerous computer systems, including (as reported by the Detroit Free Press) the Los Alamos National Lab, the Sloan-Kettering Cancer Center and Security Pacific Bank.

One of those young men, 17-year-old Neal Patrick, said that the main reason he did it was the challenge of getting into places he knew he shouldn’t be, and staying there unnoticed for as long as possible.

Sadly for him and his group, they were caught by the FBI in 1983. Although many saw the 414s as harmless, they caused $1,500 worth of damage at Sloan-Kettering by deleting sensitive records, among other malicious activities.

Open Sesame (Khul ja SIM SIM)!

All of this happened before any well-known and widespread infection had taken place. It wasn’t until 1986 that the first large-scale “PC virus” came into being. Developed in Pakistan by a 19-year-old programmer, Basit, and his brother Amjad Farooq Alvi, it came to be known as the “Brain” virus. It infected a large number of IBM PCs (which ran MS-DOS) all over the world. It worked by replacing part of the boot sector of the floppy disk (which was used to boot the computer’s OS at the time) with a copy of itself. While several variations of the virus exist, the original one made the floppy disk slower and turned around 7 KB of the disk’s sectors (a lot of storage at the time) into bad sectors. According to the brothers, in a TIME magazine interview, the sole purpose of the virus was to protect their medical software from piracy and discourage copyright infringement, and its spread was completely unintentional. It spread so far and wide that people in the US were contacting Basit and his brother to disinfect their PCs. This was the first documented incident of a widespread infection anywhere in the world.
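The boot-sector replacement that Brain relied on is exactly the kind of change an integrity check catches. The following Python is an added example, not code from the original article: it constructs a clean 512-byte sector image, records its SHA-256 as a known-good baseline, then compares a second (constructed) sector in which part of the body has been overwritten with marker text. The sector layout, the OEM label TESTOEM and the marker string are assumptions made for the demonstration; only the trailing 0x55AA signature is a real PC boot-sector convention.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a bootable PC sector


def build_sector(label: bytes, body: bytes = b"") -> bytes:
    """Construct a 512-byte sector image for the demonstration:
    a jump stub, an 8-byte OEM label, a NUL, optional body bytes,
    zero padding and the boot signature. Not a real DOS boot sector."""
    head = b"\xeb\x3c\x90" + label.ljust(8, b" ")[:8] + b"\x00"
    payload = (head + body)[: SECTOR_SIZE - 2]
    return payload.ljust(SECTOR_SIZE - 2, b"\x00") + BOOT_SIGNATURE


def sector_hash(sector: bytes) -> str:
    """SHA-256 of the whole sector; record this while the disk is known-good."""
    return hashlib.sha256(sector).hexdigest()


def extract_text(sector: bytes, min_len: int = 6) -> list:
    """Return runs of printable ASCII (strings-style). Readable text like
    this is how the message in Brain's boot sector was spotted."""
    runs, cur = [], bytearray()
    for byte in sector:
        if 32 <= byte < 127:
            cur.append(byte)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def check_boot_sector(sector: bytes, baseline_sha256: str) -> dict:
    """Compare a sector read back from a disk against the recorded baseline.
    A virus that overwrites part of the sector keeps the 0x55AA signature
    (the disk must still boot), so the signature alone proves nothing;
    the hash mismatch is the finding."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return {
        "valid_signature": sector[-2:] == BOOT_SIGNATURE,
        "matches_baseline": sector_hash(sector) == baseline_sha256,
        "printable_text": extract_text(sector),
    }


# Constructed sample data: a clean sector and one with its body overwritten.
CLEAN_SECTOR = build_sector(b"TESTOEM")
BASELINE = sector_hash(CLEAN_SECTOR)
INFECTED_SECTOR = build_sector(b"TESTOEM", b"(constructed) boot-sector virus marker text")

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_SECTOR), ("infected", INFECTED_SECTOR)):
        print(name, check_boot_sector(sector, BASELINE))
```

Note that the overwritten sector still passes the signature check: a boot-sector virus has to leave the disk bootable, so only the comparison against a baseline taken earlier reveals the change.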

Text seen in the infected boot sectors (Courtesy Wikipedia)

Viruses only increased in magnitude and number after this incident. In 1988, a software engineer named Robert Morris wrote a worm that crippled approximately 6,000 computers on the ARPANET (the predecessor of today’s Internet) by flooding their memory.

After admitting to developing the worm, he was charged under the Computer Fraud and Abuse Act and sentenced to 3 years of probation, 400 hours of community service, and a $10,000 fine.

This was just the beginning. Afterwards, all kinds of malicious programs started being filed under the name “virus”, and it became a household term. Although by definition a virus is a piece of malicious code that replicates itself, preferably to other systems, after infecting its host, there were other malicious programs that did not follow this plan of action. It is therefore important to differentiate between the different types of malware. Let’s look at some of the more popular malware of the decade.


I trusted you MELISSA!

The Melissa Virus Email

Looking at PC infections from 1988 to the present, I noticed that the more popular (and widespread) infections did not happen until the late 1990s. In 1999, the Melissa virus outbreak occurred, causing around $80,000 worth of monetary losses. This virus would disable several safeguards in Microsoft Word 97 and 2000, and if the user had Microsoft Outlook installed, it would email itself to the first 50 contacts in the infected system’s email address book. Other known infections include the “I Love You” virus in 2000, the “Anna Kournikova” virus and the “Code Red” worm in 2001, the “Klez” worm in 2002, and the “Prison” worm in 2003.


But I love you dear…

The ILOVEYOU email (Notice how the .vbs extension is hidden?)

The ILOVEYOU virus took what made the Melissa outbreak so powerful and took it to a whole other level. The infected email arrived with an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs, which was actually a Visual Basic Script file containing malicious code. Rather than simply sending a copy of itself to the first 50 email contacts, this virus would first modify the Windows Registry so that it started at every boot, then search out files of various formats, including .js, .jse and .css, replacing them with LOVE-LETTER-FOR-YOU.TXT.vbs, and finally email itself to the WHOLE address book! The weakness that made the infection possible was that Windows, by default, does not show file extensions (it still doesn’t!). Users, taking it for a harmless .txt file, opened the attachment (and thus executed the script) and got “infected”. Within 10 days of the initial outbreak, the virus had infected around 10% of all networked computers in the world, and cost around $15 billion to remove in the US alone. On top of that, due to the destructive nature of the virus, several large organizations faced severe difficulties; some even had to shut down their mail servers and other systems (especially organizations that worked with mixed-media documents), causing significant losses of time, money and in some cases data. McAfee.com reported that 60 to 80 percent of its Fortune 100 customers were infected. The popularity of ILOVEYOU also spawned several variants, each working slightly differently but with the same motive.


No English, but you HACKED!

Page defaced by the Code Red worm

2001 saw the spread of another infection, which affected around 1 million computers worldwide. The Code Red worm was the culprit. Its operation was a bit more sophisticated than that of the previous two viruses, which depended on human fallibility alone. It exploited a critical buffer overflow vulnerability in Microsoft’s Internet Information Server (IIS). It was the first worm of its kind to run entirely in memory.

During execution it created several copies of itself, because of which the infected computers (or rather servers) saw high CPU loads. Each instance checked for a certain file, and in its absence the worm continued executing. It then checked the day of the month. If the date fell between the 20th and the 28th, it would send junk data to (that is, attempt to DoS) the IP address of the White House (which has since been changed). After the 28th it went into an infinite-sleep mode and could not be awakened unless deliberately executed. If the date was before the 20th, 99 out of 100 instances (or “threads”, technically speaking) would fish for more exploitable computers by targeting random IP addresses. Addresses in the 127.x.x.x range were not targeted, to avoid loop-back (as 127.0.0.1 is the localhost address). One of the 100 instances checked the language of the local web page; if it was English, it changed the page to “Welcome to worm.com” and “Hacked By Chinese”, which then showed up for anyone visiting the site instead of the original page. It propagated by connecting to a random host (presumably an IIS server) and, on a successful connection, sending a well-crafted TCP request to exploit the vulnerability and infect the server.

Infection Rate plot for Code Red v2 (Image courtesy CAIDA.org)

It stopped propagating on the 28th of July, 2001 and went into infinite-sleep mode. But over the course of its conquest it resulted in an estimated $2.75 billion in clean-up costs and lost productivity, and was named “the most costly malware of 2001”. Just like the ILOVEYOU virus, it spawned numerous variants, including a more aggressive version, “Code Red v2”, and an anti-worm called “Codegreen” which removed the worm and downloaded the security patches from Microsoft.


Funny that you mentioned that…

A potential Klez-infected email

Talking of sophisticated viruses, one of my favorites is the Klez virus. The reason for my fascination with this piece of software is the ingenuity of its propagation. It spread using the same mechanism as the Melissa or ILOVEYOU viruses, i.e. through email (by this point you must have an idea of how human fallibility renders the best security measures useless), but not without a few malicious modifications. First, it searched the victim’s email address book and used those addresses to “spoof” (fake the sender identity of) the emails it sent to other potential victims, through its own SMTP server (the kind of server used for exchanging email). The email carried an executable which, although not designed to do any significant harm, did cause the virus to propagate further. The subject of the email was chosen pseudo-randomly from a group of 120 possibilities. This made it far more difficult for a non-technical end user to tell an important email from one that contained the virus. Furthermore, it added itself to the Windows registry so as to start at every boot.
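The three email-borne outbreaks above (Melissa’s macro documents, ILOVEYOU’s LOVE-LETTER-FOR-YOU.TXT.vbs double extension, and Klez’s spoofed senders with randomized subjects) share one lesson for a mail gateway: the verdict has to come from the attachment, because the sender and the subject can both be faked. The Python below is an added example, not code from the original article or from any product. It screens constructed sample messages by attachment name and deliberately ignores whether the sender appears in the local address book. The message format (a dict with from, subject and attachments), the extension lists and the sample messages are assumptions for the demonstration.

```python
# Extensions Windows runs as a program or script when the file is opened
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "exe", "scr", "pif", "com", "bat", "cmd"}
# Office formats that could carry auto-running macros in the Word 97/2000 era
MACRO_EXTS = {"doc", "dot", "xls"}
# Extensions a user reads as "just a file" when the real one is hidden after them
BENIGN_LOOKING_EXTS = {"txt", "jpg", "gif", "png", "pdf", "htm", "html"}


def attachment_findings(filename: str) -> list:
    """Describe why an attachment name is risky; an empty list means nothing found."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return []
    exts = parts[1:]
    real_ext = exts[-1]  # the extension Windows acts on, whether or not it is displayed
    findings = []
    if real_ext in SCRIPT_EXTS:
        findings.append(f"executable/script attachment (.{real_ext})")
        if len(exts) >= 2 and exts[-2] in BENIGN_LOOKING_EXTS:
            findings.append(f"double extension hides .{real_ext} behind .{exts[-2]}")
    elif real_ext in MACRO_EXTS:
        findings.append(f"macro-capable document (.{real_ext})")
    return findings


def triage(message: dict, address_book: set) -> dict:
    """Decide what to do with one message. A sender found in the address book
    is noted but never lowers the verdict: Klez sent mail *as* people from the
    victim's address book, so "known sender" is not evidence of safety."""
    findings = []
    for name in message.get("attachments", []):
        findings.extend(f"{name}: {f}" for f in attachment_findings(name))
    if message.get("from", "").lower() in address_book:
        findings.append("sender is in the address book (treated as neutral, can be spoofed)")
    if any("executable/script" in f for f in findings):
        verdict = "quarantine"
    elif any("macro-capable" in f for f in findings):
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages modelled on the three outbreaks described above.
ADDRESS_BOOK = {"friend@example.com", "colleague@example.com"}
SAMPLE_MESSAGES = [
    {"from": "friend@example.com", "subject": "ILOVEYOU",
     "attachments": ["LOVE-LETTER-FOR-YOU.TXT.vbs"]},           # ILOVEYOU-style
    {"from": "colleague@example.com", "subject": "Important Message From colleague",
     "attachments": ["list.doc"]},                              # Melissa-style
    {"from": "colleague@example.com", "subject": "a very funny game",
     "attachments": ["game.exe"]},                              # Klez-style spoofed sender
    {"from": "stranger@example.net", "subject": "minutes",
     "attachments": ["minutes.txt", "photo.jpg"]},             # benign
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", triage(msg, ADDRESS_BOOK))
```

The check keys on the last extension because that is the one Windows executes, regardless of what the user sees; a name-based filter like this is only the first layer, and a real gateway would also inspect the attachment’s content rather than trust its name.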

This virus resulted from the exploitation of a flaw in Microsoft Internet Explorer 5.

Get SLAMMED, m8!

One of the relatively more recent (but still quite early) worms that wreaked havoc is the “Slammer” or “SQL Slammer” worm, which spread in January 2003 and was classed among the fastest-spreading worms of its time.

A fragment of the Slammer worm code (Image Courtesy F-Secure Corp.)

It worked in a relatively simple but effective manner. From an already infected machine (the initiator) it sent a UDP packet, or datagram, to port 1434 of the victim machine. The datagram exploited a buffer overflow vulnerability in the SQL Server monitor running on the target machine, which allowed it to execute malicious code there. Once in the target’s memory, it sent UDP datagrams (whose payload contained the code for the exploit and the worm itself, in a mere 404 bytes) to random IP addresses to infect further machines. Since it mostly attacked across wide area networks, the amount of traffic it generated was large. Because the worm did not infect any files on the host system, getting rid of it required nothing more than rebooting the machine. Microsoft nevertheless provided patches for the vulnerability.
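Both Code Red and Slammer announce themselves on the network in the same way: one source contacting an unusually large number of distinct hosts on a single service port in a short time, with Slammer adding a fixed fingerprint (a UDP datagram to port 1434 carrying 404 bytes, as the article gives it). The Python below is an added example, not code from the original article or from any named tool. It runs a distinct-target count per source over constructed flow records; the record format, the addresses (documentation ranges), the 10-second window and 20-target threshold, and the use of TCP port 80 for the Code Red-style web-server scan are assumptions made for the demonstration.

```python
from collections import defaultdict

SCAN_WINDOW_SECONDS = 10     # tumbling window for the distinct-target count
SCAN_TARGET_THRESHOLD = 20   # distinct destinations per (source, proto, port) that raise an alert
# Slammer fingerprint as described above: a UDP datagram to port 1434 carrying 404 bytes
SLAMMER_FINGERPRINT = ("udp", 1434, 404)


def make_flow_log() -> str:
    """Constructed flow records (not real traffic), one per line:
    <seconds> <src_ip> <dst_ip> <proto> <dst_port> <bytes>"""
    lines = ["# constructed sample flow log"]
    # Slammer-style: 30 distinct hosts hit with 404-byte UDP/1434 datagrams in under 2 s
    for i in range(30):
        lines.append(f"{1 + i * 0.05:.2f} 192.0.2.10 198.51.100.{i + 1} udp 1434 404")
    # Code Red-style: TCP connections to 25 distinct web servers in about 8 s
    for i in range(25):
        lines.append(f"{2 + i * 0.3:.2f} 192.0.2.30 203.0.113.{i + 1} tcp 80 120")
    # Ordinary browsing from a third host: three sites, well under the threshold
    for i, host in enumerate(["203.0.113.50", "203.0.113.51", "203.0.113.52"]):
        lines.append(f"{3 + i:.2f} 192.0.2.20 {host} tcp 80 900")
    return "\n".join(lines)


def parse_flows(text: str) -> list:
    """Parse the whitespace-separated record format into dicts, skipping comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, port, nbytes = line.split()
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "proto": proto.lower(), "port": int(port), "bytes": int(nbytes)})
    return flows


def detect_scanners(text: str, window: int = SCAN_WINDOW_SECONDS,
                    threshold: int = SCAN_TARGET_THRESHOLD) -> list:
    """Alert on sources that touch at least `threshold` distinct hosts on one
    proto/port within a window, and record whether that traffic also matched
    the Slammer fingerprint."""
    targets = defaultdict(set)   # (window index, src, proto, port) -> distinct destinations
    fingerprint_hits = defaultdict(int)
    for f in parse_flows(text):
        key = (int(f["ts"] // window), f["src"], f["proto"], f["port"])
        targets[key].add(f["dst"])
        if (f["proto"], f["port"], f["bytes"]) == SLAMMER_FINGERPRINT:
            fingerprint_hits[key] += 1
    alerts = []
    for key, dsts in sorted(targets.items()):
        if len(dsts) < threshold:
            continue
        win, src, proto, port = key
        alerts.append({"src": src, "proto": proto, "port": port,
                       "window_start": win * window,
                       "distinct_targets": len(dsts),
                       "slammer_fingerprint": fingerprint_hits[key] > 0})
    return alerts


if __name__ == "__main__":
    for alert in detect_scanners(make_flow_log()):
        print(alert)
```

Counting distinct destinations rather than packets is what separates a scanning worm from a busy but legitimate client: the browsing host in the sample sends larger flows but to only three servers and never trips the threshold. In practice the same logic would be fed from router flow exports instead of the constructed log.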

It is I, the great Stuxnet!

Finally, no discussion of viruses and malicious code is complete without mentioning Stuxnet. This was the first demonstration of how computer code can be weaponized against an adversary. It was one of the most sophisticated pieces of software ever written; some even call it “the” most sophisticated piece of software there is! (More on that here). It was reportedly developed by US government engineers in liaison with the Israeli Defence Force with the intention of disrupting the Iranian nuclear program, although firm evidence of this coalition is yet to be found. It targeted Programmable Logic Controllers (PLCs), devices used for automation of industrial machinery.

Courtesy of Hongkiat.com

What made the malware so interesting is its ability to target only the machinery involved in uranium enrichment. Every other system is practically immune to the worm. Achieving this level of specificity through computer code is nothing short of a marvel. It targeted PLCs controlled by Siemens STEP-7 software. Once it detected such a system, it began feeding junk data to the PLC while capturing the data the PLC generated and reporting all-is-fine back to the STEP-7 software. The sophistication also lay in the way Stuxnet used four separate zero-day vulnerabilities to attack and infect systems. The basic outline of the worm’s operation can be boiled down to 3 steps.

  1. The worm itself did the majority of the work
  2. A link file was created that automated the execution of propagated worm copies
  3. A rootkit was executed that removed the traces of the program’s execution

According to some researchers, the worm was first deployed against Iran’s nuclear program as early as 2007, but it remained undiscovered until 2010. Although it only destroyed 1500 centrifuges (equipment used for the enrichment) by making them spin faster than their specified limit, it did materialize the gruesome idea of cyber warfare.

Although the purpose of this article was to shed some light on the most popular and dangerous malware of the last decade, the list is ever-growing. New threats emerge all the time. While only some make a news headline (which is a good thing), a large number of them have the potential to wreak havoc on a massive scale. That so few do is mostly credited to the due diligence of security researchers and analysts around the globe, who inform us of the danger well before it has a chance to propagate, as well as to the quick response of the companies involved, in the form of timely updates and patches for any disclosed vulnerabilities, which is why a large number of threats never get a chance to rear their ugly head. But as we saw above, a single mistake or wrong click, or a lack of diligence, could give way to the next big malware spread at any time. And that thought alone should be enough to send a chill down your spine!

I hope that you enjoyed the article. I would love your feedback. Show some love by leaving some claps or a comment if you think that there is some thing which could be made better. Thanks for reading!
