Malware then and now – a look back on the anniversary of the Melissa Virus
by Steve Ragan - Mar 26 2009, 21:00
It’s hard to believe that today, March 26, 2009, is the tenth anniversary of the Melissa Virus. How time flies. In another famous Malware birthday, The Michelangelo Virus turned 17 earlier this month.
The Tech Herald recently spoke with David Perry, the Global Director of Education for Trend Micro, to learn not just where the security industry is today, but where it came from. What follows is an interesting lesson in the history of Malware.
For the record, David Perry has been in the security industry for over 25 years. He is one of the few who worked in the security industry before the industry, as you know it today, existed. His tale of how the industry grew up is interesting, and should you ever meet him, ask for it, as the whole story is intriguing for those of us who were just kids during this time in history.
March 26, 1999, and David Perry is on vacation with his family. His phone rings and soon he is off to New York to address the media. There is a new virus online -- the name given to it is Melissa.
Melissa was, at that time, the fastest-spreading virus in history; moving so fast because it arrived via e-mail with an attachment. Once the attachment -- a DOC file that was supposed to contain porn-related passwords -- was opened by the recipient, a Macro would trigger causing the DOC to e-mail itself to 50 more people from the victim's address book. The panic that ensued caused Microsoft Corp. to shut down its e-mail servers in an effort to prevent the virus from spreading.
“The virus activates if it is executed when the minutes of the hour match the day of the month; for example, 18:27 on the 27th day of a month. At this time the virus will insert the following phrase into the current open document in Word: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here". This text, as well as the alias name of the author of the virus, "Kwyjibo", are all references to the popular cartoon TV series called "The Simpsons",” an older F-Secure brief reports.
However, the random Simpsons quote was not what made Melissa feared; the fear came from businesses that were worried their e-mail systems would be clogged and choked off. They were right to be worried, because that’s exactly what happened.
In 2002, David L. Smith, the author of Melissa who started it all with a post to alt.sex, was sentenced to 20 months in federal prison. In addition, Smith was ordered to serve three years of supervised release upon completion of his prison sentence and fined $5,000 USD.
As David Perry tells his story about Melissa, he recalls another virus, which is also famous for being discovered in March. Oddly, this virus took on a life of its own and, once the press had sensationalized it, frenzy and fear took hold. Perry is speaking about Michelangelo, and thinking back to that reminds him of earlier days.
What follows is a history of Malware, as told by David Perry during a phone interview with The Tech Herald. If you didn’t live through it, this is an interesting tale and provides unique insight into how far the security world has come.
“The first virus was not on a PC, it was not on an Apple II, not on a Macintosh, or a mini, a mainframe, punch cards, paper tape, hardware or software of any kind,” starts Perry. “The original computer virus was in a work of fiction called Shockwave Rider by John Brunner that was released in 1975.”
Brunner is credited with the creation of the term “Worm” because, in his novel, the main character creates a self-replicating program that will propagate across a network. The character, Nick, calls this program a Worm. The term was later picked up by security researchers. The notion of a Worm, as well as the ideas in the book itself, caused serious misconceptions in the minds of the media and public at large.
“Viruses were [sic] well established in the minds of the public before they were ever exposed to them,” Perry explains.
Pointing out that, in reality, the viruses that exist in the real world and the ones in fiction stories are complete opposites, he goes on to say that: “In fiction viruses are a different sort of thing than they are in reality. In fiction, viruses are dramatic and visual, they have huge consequences, they tip over oil tankers, and they bring alien space crafts down out of the sky.”
The reality of modern viruses is nothing so glamorous. These days, viruses are silent, and, while not holding the power to knock things from the sky, they can cost you money and cripple systems, slowing them to the point that they're nothing more than expensive paperweights.
As Perry explains, the 1980s is when Malware and the security industry took off. The media started paying attention to the Internet as it was at the time, and several people stood out as experts. One such expert, Peter Norton, who is the name behind Norton Utilities and other Symantec products, was the go-to guy for the press when it came to viruses and the sensationalism surrounding them.
In a now legendary quote, Peter Norton told one reporter for Insight Magazine -- when asked about viruses -- that: “We're dealing with an urban myth. It's like the story of alligators in the sewers of New York. Everyone knows about them, but no one's ever seen them. Typically, these stories come up every three to five years.”
Early on in the 1980s, years before Norton gave his quote to the press, a high school student in Dallas, Texas, by the name of Rich Skrenta produced the first publicly known self-replicating computer virus: Elk Cloner.
Elk Cloner wrote a poem onto the screen and it would duplicate to the boot sectors of Apple II discs. Skrenta got into communication with Scientific American and eventually the source code was published. People would type it in themselves, as it was coded in Apple Basic.
“It’s a self-replicating boot sector virus, but people were intentionally infecting themselves so they could see it do its thing because it was like a scientific novelty,” Perry explains.
In 1986, Robert Tappan Morris released what is known as the Morris Worm, which closed down Arpanet -- the entire Internet of the day. This was the first Worm to gain what is considered mainstream media attention, something largely attributed to the fact that Morris was the son of an NSA security expert. The Morris Worm was designed to determine the size of the Internet at the time, but a design flaw unknown to Morris caused the Worm to spread quickly, infecting thousands of computers.
Morris was duly indicted under the Computer Fraud and Abuse Act -- making him the very first person to be indicted under the new law. He was later sentenced to 400 hours of community service and a fine of $10,050 USD. He currently serves as a professor at MIT.
The same year the Morris Worm was counting the size of the Internet, two brothers from Lahore, Pakistan, Basit Farooq Alvi and Amjad Farooq Alvi, released what is known as the Pakistani Brain. It is considered the first IBM PC virus; the brothers were not looking to cause harm, but to gain sales.
As Perry explains: “They wrote [two variants in] the Pakistani Brain A and Brain B. It wasn't Malware yet, but it was a virus, [a] self replicating, self infecting boot sector virus for PCs. [It] would display an ad message for their store, The Brain Computer Store of Lahore, Pakistan. It was supposed to be an [anti-piracy] measure originally.”
It was during this time that John McAfee saw the television stories about the Pakistani Brain virus and realized there was business potential in all of this.
“So he hired on all the people that worked on his bulletin board system including my friend Ari Goretsky, and he hired a guy named Dave Chambers who went out and wrote the first version of McAfee AntiVirus. [McAfee] had a very interesting business model. He would give away the software, and then would only charge if you needed technical support. He made it all the way up to 25 million dollars a year with no salesmen, no boxes, no disc duplication, no copyright attorneys, and no marketing department. Just [sic] giving out software through a whole link of associated bulletin boards and then charging for tech support,” says Perry.
“That was his whole business model, but he was getting lots of media attention for one reason or another. Gordon Eubanks, who had bought the Peter Norton organization, decided that was enough and hired Dave Chambers away from John McAfee and Dave Chambers wrote the first version of Norton AntiVirus or NAV.”
Around the same time, Steve Chang founded his own anti-Virus company, Perry’s employer Trend Micro, and took the company back to Taiwan.
After the Pakistani Brain, the security industry was in full swing and the media was falling all over itself reporting the newest threats and the risks computer viruses posed.
And this is where ego starts to take hold. Virus authors started a small competition of sorts. The goal was to come up with programs that would either cause harm to a system or simply just do something that would gain attention. What they wanted was to earn a mention in the press, gaining instant fame among their peers.
Coming full circle, Perry’s story moves into the 1990s. This is when the world was introduced to Jerusalem B, also known as Friday the 13th. It was given this name because it was designed to trigger on every Friday the 13th.
“...it spawned a whole lot of imitation viruses, it spawned the Saturday the 14th virus, the Thursday the 12th virus, the any Friday not the 13th virus, and my particular favorite was somebody took a copy of Stoned -- a popular virus at the time -- and modified it to trigger one week before the Friday the 13th virus,” Perry recalls.
“The popular thing that people would do for the Friday the 13th virus is they would set their clock forward one day and skip Friday the 13th and then wait two days and then set it back, that kept them from ever triggering on Friday the 13th.”
However, this modification of Stoned took on a life of its own. Unknown at the time, the modification would earn the Stoned variant a new name: Michelangelo.
“...what somebody did was modify Stoned so that it would go off on Friday the 6th of March 1992 and this went into circulation and eventually a reporter found it and discovered that that is coincidentally Michelangelo’s birthday... it was really, to the best of my knowledge, intended as a head fake on Friday the 13th,” he notes.
“What happened was, John McAfee went on television and said, ‘We don't know how many people are infected with this program [Michelangelo], it could be 5,000 it could be 50 million,’ and the media went nuts. By then everyone knew that viruses were going to tip over oil tankers... or at the very least make smoke and fire pour out of the back of your terminal like they did on Voyage to the Bottom of the Sea and Star Trek.”
“The whole world goes nuts, everybody’s calling tech support at Peter Norton [where Perry worked at the time]. Before John McAfee was on TV, we got about 60 phone calls a day for anti-Virus. It was me and another guy... There were only about 10,000 customers. Many people considered viruses to be a dead end as a business at the time. [But, after McAfee makes his statement on TV] we go from 60 calls a day to 7,000 calls a day,” Perry continues.
“In one night the needle pegs, and the whole company has to go to answering Michelangelo questions... So it's all day all night Michelangelo, Michelangelo, Michelangelo. Right up until March the 6th, and on March the 6th -- the trigger date -- it goes dead, absolutely nobody calls on that day.”
Perry explains that the reasoning for the sudden halt in calls is because, “…you either were infected with it and we had already fixed it, you were never infected with it and so [it] didn't concern you, or you were infected with it and it wiped out your system, but [it] didn't jump in your face and go [sic] ‘I'm the Michelangelo Virus’, so you had no way of knowing that it had infected you.”
“I'm sitting there and there’s nothing happening. We've been knocking ourselves out for like two weeks solid. Then it’s March 6th and nothing's happening. The doors open and in walks Cleat Robertson and [other] news reporters... and they say, ‘Who do we talk to?’ and [the staff in the office] reply, ‘Talk to David over there.’ And they come over to me. They say, ‘David, show us a computer that was destroyed by the Michelangelo virus.’ And I say... ‘Well, here let me show you.’ I got out a machine, infected it with the virus and I executed it,” says Perry recalling the events of 1992.
Do you remember when, on a DOS system, you would get a flashing white cursor in the upper left-hand corner of the screen?
“If you had Michelangelo that was all you would ever see,” he adds. “I said, 'There, see, it’s wiped out the system.' They [responded by asking], 'Is that it? No smoke and fire? No melted down computer? You defrauded us!', and stomped all out the door.”
“We had not been following what they were saying, because we were busy answering 7,000 phone calls a day. So we all just kind of blinked at one another and said, 'I don't know. What is he talking about?' Then another reporter came in, same thing, and another reporter, same thing... Then we realized that the public had gotten themselves all whipped up into a frenzy about mythological or, if you prefer, fictional viruses, and that remains a problem with the world of Malware to this day. We aren't just fighting the real viruses we're fighting the fictional viruses.”
Seven years later, as the Melissa Virus was making headlines and Perry was called away to talk to the media, he no doubt recalled much of what he told The Tech Herald during his telephone interview.
If you follow the history of Malware, it's amazing to note just how little things have changed. History is still repeating itself, only now the major difference is the maliciousness of the game. 10 years ago, the Melissa Virus, Love Bug, Sub 7, and even AnnaK were famous self-propagating Worms, all of which used Social Engineering to compromise systems.
If you want to push things, you can look at the Melissa Virus as the grandmother of Conficker. Both spread on their own and, considering the times, both are technologically advanced.
Social Engineering is still used to this day. The only difference 10 years has made is that Malware authors are no longer working for infamy, they are working for profit. Namely, the virus market today isn’t about who has the best skill set, it's about data collection, massive computer infections, and cold hard cash. Get rich or die trying.