The old days of viruses

Blogging pioneer John Dominik, inspired by my Michelangelo memories, wrote about his memories of viruses later in the decade. So now I’ll take inspiration of him and share my memories of some of those viruses. I searched my archives, and at the time it was going on, I didn’t write a lot. I was tired and angry, as you can tell from the terse posts I did write.

In 1997-98, my big worry was macro viruses. Keeping the computer labs at the University of Missouri School of Journalism free of them was part of my job for a couple of years. Delete normal.dot every so often, and you went a long way toward keeping the computers clean. We had a site license for the long-defunct Dr Solomon’s antivirus, which helped, but wasn’t 100% effective. Those viruses transmitted themselves via floppy disks the students brought in–all of these computers had a direct connection to the Internet with no firewall and nothing bad happened because of it, incredibly–and in those innocent days, it wasn’t a lot of work. Had I known then what I know now, keeping those labs clean would have taken minimal effort–just a batch file to refresh normal.dot every so often, and to update the virus definitions. Back then, centralized antivirus management was rare too.

Unlike John, I dodged the Melissa virus. It appeared in March 1999, when I was writing a book, a task that amounted to a second full-time job. I’m sure my then-employer was affected by it, but I’m equally sure it didn’t affect them as badly as the next two in line.

Love Letter appeared 5 May 2000, an example of one of the first successful viruses to spread via e-mail. That morning I deviated from my normal routine and opened my e-mail before my first cup of coffee, and in my groggy state, I opened an e-mail message from the CIO-equivalent. It had a VBS attachment, so I did what any paranoid computer technician would do–I opened the attachment  in Notepad. Even without coffee, and with a very chatty coworker doing his best to engage me in conversation, it took me a matter of minutes, at most, to figure out that it was a virus. And if this person had it, there was no telling how many other people had it.

So I called the smartest guy in the organization to ask him what he would do. He’d already seen it, and he and one staff programmers had figured out everything it does. Armed with their intel, I was able to go upstairs and restore order without interrupting much. Since Plan B was to loudly announce that everyone needed to either shut down their computers immediately or unplug them from the network until I could clean them up, that was good.

Cutting power off to the stack of network hubs wasn’t really an option–at the time I believed I’d get fired if I did something like that–but if I found myself in a similar situation today, I’d probably do that, and then start asking questions. That would have been the fastest way to contain the intrusion, and you can recover from it very quickly too. A CISSP can get away with something like that. But at the time I wasn’t a CISSP, and I was coming off the only negative annual review I’ve ever had in my career, so I wasn’t going to rock the boat.

As I recall, it only took a couple of hours to contain the damage, and a couple of days to clean it all up. Today, it would probably take me less than an hour to write a batch file to clear Love Letter’s registry entries and the files it left behind from every computer on a network, but I’m 12 years deeper into my career now.

I blame Love Letter for something else, too: An increase in spam. I got spam before Love Letter hit, but I got a lot more of it afterward. To this day, I believe that spammers collected e-mail addresses that Love Letter gathered and used them to build mailing lists. Pre-Love Letter, I received one or two spam messages an hour, which was annoying. Post-Love Letter, spam got to be a serious drain on my productivity because I would get several spam messages an hour. When I’d come back from a 3-day weekend, I’d have a couple hundred spam messages to wade through.

At the time this was going on, I believed the majority of viruses were written by thrill-seekers. They’d write a virus, release it, then watch the carnage on CNN. But I think Love Letter and its immediate successors convinced people that viruses and malware could be profitable, and soon after that we started to see a shift from viruses being written by amateurs with very mediocre programming skills to professional malware, written by talented programmers bankrolled by organized crime.

Nimda appeared on 18 September 2001, and it devastated our network. Since Nimda spread itself five different ways, it wasn’t nearly as clear whether you had it. Ultimately, we ended up spending 10 days searching every computer on the network–roughly 1,000 machines–to make sure they didn’t have Nimda. And since we were touching every PC anyway, we did some other work too. We cleaned up anything we found, and we removed any antivirus software that happened to be on the machines and replaced it with a corporate version of Symantec Antivirus, pointing at a management server to get virus updates.

Centralized antivirus management is a necessity today; this was the era that made it become a necessity. Different organizations came to that conclusion at different times, depending on which of the viruses of this era exceeded their pain threshold. For us, it was Nimda. I worked 60-hour weeks for two weeks cleaning it up and that wasn’t enough. I remember developing and writing a procedure for cleaning up machines and training upper managers–people three or more layers of management above me–to walk around from PC to PC, log on, and clean things up.

At the time, it was unclear what might be on the horizon that would be bigger and badder than Nimda, and we got the message that we couldn’t afford to find out. From that time until I left the organization in mid-2005, we had no major virus incidents.

During the late 2000s, I had some virus-related work, but generally it involved scouting out a network to see if it was infected. Someone would decide it would be a good idea to search for, say, Conficker. So I would find some common trace of it, write a batch file to search the entire network for a telltale file or registry key, then report back. And in the case of some viruses, deleting a certain set of files or registry keys would be sufficient to clean it. (Conficker was tougher.) For a while I was really adept at this, but I’m happy to say I rarely, if ever found anything. As isolated as the networks I administered in those days were, I would hope so.

Viruses are far more sophisticated today than they were 12 years ago, but they have to be. Security is far more sophisticated too. The first network I ever administered professionally had essentially no security. No firewall, every machine had its own public IP address, and antivirus was an afterthought. In the two years on my watch, the only bad thing that happened was a rogue administrator running a web server from a forgotten machine. That’s what we call shadow IT today. (He was fired–for something else.) Attempt to run your network on the public Internet today with no firewalls, and you’ll be overrun with malware in a matter of seconds.

It’s amazing how much things have changed in a relatively short time. Fifteen years ago, I worked for a large, famous organization and they didn’t even have a budgetary line item for computer security. Today I have the word “security” in my job title, in one certification, and in another pending certification. Not only does my current employer have a line item for security, it has an office of 10 people–including three CISSPs, a CISM, and five Security+s–who do nothing but security-related work.

2 thoughts on “The old days of viruses

  • March 8, 2012 at 8:36 am
    Permalink

    Pioneer? PIONEER! You started before me, buddy… ;-D

    One point of clarification – we never received a single message with the Melissa virus. I disconnected the server from the internet before we saw any, which prevented the messages from coming in. We used an external provider to handle our re-direction (some messages came to corporate, others were sent off to other addresses), and we worked with that provider to put in place a filter to stop Melissa. Once they had that in place and tested – took about 36 hours – we could plug things back in, and we never did get infected. They removed about a dozen messages from our queue that had the attachment, and from that point on, everyone who used Outlook had a rule I set up for them that automatically filed all messages with attachments into a folder called QUARANTINE, so they had to do a couple of deliberate actions to see the message attachment – insured we had no more “by accident” problems.

    • March 8, 2012 at 9:20 pm
      Permalink

      Now that you mention that solution, it sounds VERY familiar. It could be our mail administrator did something similar.

      As for who started first, that’s tough to remember, except that there were a few small bands of people blogging a decade before blogging became something that everyone tried once.

Comments are closed.

%d bloggers like this:
WordPress Appliance - Powered by TurnKey Linux