Friday the 13th, computer security, evolution and growing up
in the prohibited area - by messzejaro


It is Friday the 13th, and I have a personal story to share. Unlike typical LinkedIn posts, it comes without sales advice or the seeking and sharing of ultimate truth...

Back in the late eighties to early nineties, a computer virus was born in Jerusalem, Israel. Its executable code was less than 2 kilobytes, and it was able to infect .exe and .com files (except for command.com). According to some reports, .sys files were also affected. While these characteristics were common to all computer viruses of those times, the frequency of its impact made this virus special. It only activated itself on Fridays the 13th. It would then delete .exe files.

Thanks to its undercover nature, it spread unnoticed and quite quickly. Besides the super expensive antivirus programs, making all executable files read-only, or simply not switching the computers on on those specific days, were among the effective mitigation options.



I remember switching from Commodore 64 to PC (XT and AT 286) in those times. Leaving the virus-safe world behind, most of the PCs I saw started up with the message "Your PC is now stoned!" on the screen (the sign of a well-known boot sector virus), leaving no doubt that the owner had not been careful enough. In these cases, the best advice was to take a day off and have a nice excursion in the mountains instead of working with the computer on Friday the 13th. Sometimes I've also seen PCs infected by so many viruses that they managed to block each other's activity with the mess around the famous 21h DOS interrupt handler.


Screenshot of my own BBS software, developed in C.


Then, around 1996, I learned how to protect my own PC against such threats. My PC got infected by an unknown virus, developed by a talented but misguided boy of a similar age to me. Fool that I was, I downloaded a useful-looking piece of software from a BBS (Bulletin Board System, according to some the predecessor of the Internet). It had been uploaded by the creator of the virus to be spread in the user community, but the real aim was to damage the reputation of the sysop (and owner) of the BBS.

There was no cure, as the virus was too specific and localised. So I took a specific tool to disassemble and investigate the malware. It's a funny thing, but this software (gametools.exe) was originally designed to freeze memory addresses where games kept the number of lives left, or to find and change the specific (assembly) code responsible for decreasing the player's energy... But it was good enough to reverse engineer the code of the virus, which encoded itself with XOR operations to hide the malicious patterns (like interrupt hooking). Then I was able to write a small program in Turbo Pascal which scanned, cleaned and restored .exe files on a specified drive. The virus was named BH#8, after an ASCII pattern appearing in the non-polymorphic part of its code.
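The two detection ideas in this paragraph, a plain ASCII signature in the non-polymorphic part and a known pattern hidden under XOR encoding, can be shown in a small scanner. The code below is an added example, not the author's Turbo Pascal tool; the sample buffer, the hidden pattern `INT21_HOOK` and the key `0x5A` are all constructed, and only the `BH#8` marker comes from the text. Instead of decoding the whole buffer under all 256 single-byte keys, it encodes the short pattern once per key and searches for that.

```python
"""Signature scanner for a constructed sample: looks for a plain ASCII marker
(the page's "BH#8") and for a known pattern hidden under a single-byte XOR
encoding. All sample data is constructed; no real malware is embedded."""
from __future__ import annotations

# Marker reported on the page for the non-polymorphic part of the virus.
PLAIN_SIGNATURE = b"BH#8"
# Hypothetical pattern we want to find even when it is XOR-encoded (constructed).
HIDDEN_PATTERN = b"INT21_HOOK"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply one single-byte XOR key to every byte; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def find_xor_encoded(data: bytes, pattern: bytes) -> list[tuple[int, int]]:
    """Return (key, offset) pairs for every single-byte key under which
    `pattern` occurs in `data`. Encoding the short pattern per key is far
    cheaper than decoding the whole buffer 256 times."""
    hits: list[tuple[int, int]] = []
    for key in range(256):
        encoded = xor_bytes(pattern, key)
        start = 0
        while (pos := data.find(encoded, start)) != -1:
            hits.append((key, pos))
            start = pos + 1
    return hits


def scan(data: bytes) -> dict:
    """Scan one buffer: offset of the plain signature (-1 if absent) and all
    XOR-hidden occurrences of the known pattern."""
    return {
        "plain_signature_at": data.find(PLAIN_SIGNATURE),
        "xor_hidden": find_xor_encoded(data, HIDDEN_PATTERN),
    }


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed sample: NOP-like filler, the plain marker, more filler,
    then the hidden pattern encoded under `key`, then filler again."""
    filler = b"\x90" * 16
    return filler + PLAIN_SIGNATURE + filler + xor_bytes(HIDDEN_PATTERN, key) + filler


if __name__ == "__main__":
    print(scan(build_sample()))  # plain marker at 16, hidden pattern at 36 under key 0x5A
```

The same search also reports key 0 when the pattern is present unencoded, so one call covers both the plain and the encoded case; a multi-byte or rolling key would need the scanner to work on a disassembled decryption loop instead, which is where the author's gametools.exe session came in.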

Meanwhile, other users of the community also reported the infestation. Their computers became unstable and slower, and in some cases colourful characters started to appear on the text-mode screen (thanks to a bug in the virus code). The sysop removed the infected uploads and sent notifications to all downloaders. When my little antivirus program was ready, he also shared it with the other unfortunate downloaders.

I still have a screenshot with my FIDONET point...

It was easy to track down the little cybercriminal by identifying the landline phone number associated with the call in which the infected files were uploaded. Actually, there was no need for such sophisticated actions, as the guy, monitoring the situation, reached out to me. We had a long chat about the WHAT, ending up in the WHY, which was more of a psychological / sociological experiment than a technical one. In the end, we agreed that he would not threaten the BBS anymore, in return for me convincing the sysop not to file a police report.

Lessons learned: I decided to implement new countermeasures for my computer. I could hardly have afforded to buy an expensive antivirus with my pocket money, so I started inventing and developing little pieces of:

Startup check

- monitor for boot sector changes,
- integrity checks on autoexec.bat, command.com, sys.io and msdos.sys.

Runtime protection

- monitor for code that wants to become memory resident,
- interrupt hook monitoring (especially 21h),
- store and compare local .exe checksums.
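The startup checks and the "store and compare checksums" item above are one technique: take a baseline of the files that matter, keep it somewhere safe, and diff against it later. The code below is an added example in Python rather than the author's Turbo Pascal program, and it makes a few assumptions: SHA-256 instead of a simple checksum, a constructed `boot.img` file standing in for the real boot sector (reading that needs raw device access), and a temporary directory with constructed stand-ins for command.com, autoexec.bat and a game .exe. The TSR and interrupt-hook monitoring items are not covered here.

```python
"""File integrity baseline: hash the watched files under a directory, store
the digests, and later report which files changed, appeared or disappeared.
Added example; file contents are constructed stand-ins, not real DOS files."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Suffixes the checker cares about; .img is the constructed boot-sector image.
WATCHED_SUFFIXES = {".exe", ".com", ".sys", ".bat", ".img"}


def digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large executables do not load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict[str, str]:
    """Map relative path -> digest for every watched file under root."""
    return {
        str(p.relative_to(root)): digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as changed, added or removed relative to the baseline."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_baseline(baseline: dict[str, str], store: Path) -> None:
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> dict[str, str]:
    return json.loads(store.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a directory, then simulate an infection
    (code appended to game.exe, boot image rewritten, a new .com dropped,
    autoexec.bat deleted) and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "command.com").write_bytes(b"MZ constructed command.com")
        (root / "autoexec.bat").write_bytes(b"@echo off\r\n")
        (root / "boot.img").write_bytes(b"\xeb\x3c\x90 constructed boot sector")
        (root / "game.exe").write_bytes(b"MZ constructed game")
        (root / "readme.txt").write_bytes(b"not watched")
        store = root / "baseline.json"  # .json is not a watched suffix
        save_baseline(take_baseline(root), store)

        # Simulated changes after the baseline was taken (constructed).
        with (root / "game.exe").open("ab") as f:
            f.write(b" <appended code>")
        (root / "boot.img").write_bytes(b"\xeb\x3c\x90 different boot sector")
        (root / "dropper.com").write_bytes(b"new file")
        (root / "autoexec.bat").unlink()

        return compare(load_baseline(store), take_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats the checklist implies but does not spell out: the stored baseline has to live where the malware cannot rewrite it (a write-protected floppy in that era, a signed or read-only store today), and the comparison has to run after a clean boot, because a resident stealth virus that has hooked the file-reading interrupt can hand back the original bytes while the file on disk is infected.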

It was a small world, with small-scale operations. And not too much has changed. Things are still the same, just the impacts and operations are at large scale, and there are no local heroes anymore. Everyone is doing their own specialised tasks in security incident management, data protection, business continuity, vulnerability and remediation management, security architecture, network security and whatever else, with little attention to the other supporting processes.

Sometimes I wonder where the little cybercriminal could be now. Still on the wrong track, hacking accounts, spreading malware? Or, having gone ethical, he might be part of a red team... no idea.

More articles by Tamás Varga