The Modern Ages: Y2K and the Digital Apocalypse
Some "experts" even claimed that the new millennium would bring hundreds of thousands of new viruses to infect all the systems on Earth at once, thus triggering a digital apocalypse. Antivirus manufacturers rushed to assure computer users that there was no reason to fear a massive viral attack.
As the new year arrived, the apocalyptic forecasts proved false: it is true that the new year brought fresh security threats, but malware evolved at a steady pace, just like in any other year. It is alleged that the Y2K virus hysteria started as a misguided description of the Y2K problem itself. It was true that the global IT community was waiting to see how computers would react when the system clock turned to 1/1/00, but announcing devastating viral infections was a long shot.
The much-hyped Y2K viruses even included viruses that had been developed in the mid-90s. Not only were they old, but none of them was Y2K-compliant. Worldwide media outlets embraced the idea of a digital apocalypse, but journalists are not the only ones to blame. For instance, FBI NIPC director Michael Vatis and CIA analyst Terrill Maynard almost triggered an international incident when they claimed that hackers, spies, and the mafia had inserted malicious code into U.S. corporate software while they were supposed to be "fixing" Y2K software glitches. They specifically accused India and Ireland of staging the attack on US-based computers, but they later admitted that they had relied on suppositions rather than on facts.
Microsoft's new operating system, Windows 2000, had been marketed as one of the most secure and impenetrable environments ever built by the company. While this was true to a certain extent, the underground malware group 29A (the Spanish team that had previously designed the Esperanto virus and the WM.CAP worm) came to prove the contrary with Inta. Inta, which actually appeared long before Microsoft got the chance to introduce the new operating system, was the first virus spotted in the wild that was able to infect Windows 2000 files packed with the Windows Installer.
Two new computer viruses, called VBS.Unstable.A and Visio.Radiant.A, followed shortly after Inta. The new pieces of malware aimed at users of Visio, an extremely popular and efficient application that allowed users to create eye-candy diagrams and flow-charts for business use. Rumor has it that Microsoft itself was behind the VBS.Unstable.A and Visio.Radiant.A epidemic, as shortly thereafter it purchased Visio Corporation along with all its intellectual assets.
In mid-February, multiple computer networks had to face their worst nightmare: one of the biggest denial-of-service attacks to date. It all started with a Canadian computer user nicknamed MafiaBoy, who launched a distributed denial-of-service attack (DDoS: an attack that sends bogus requests for service from multiple locations so frequently that the targeted websites are overloaded and unable to answer legitimate traffic) against a couple of top-tier websites such as Amazon, CNN and Yahoo! As a result, Yahoo was taken offline for about 8 hours and suffered several million dollars in operational losses. To carry out his plan, the teenager used a network of compromised computers and coordinated a massive Ping-of-Death attack (this type of attack marked the beginning of the DDoS era and took the entire world by surprise; today's networking technology includes built-in protection against Ping-of-Death threats, so such incidents are no longer possible). MafiaBoy was taken into custody and was sentenced to eight months' detention by a Canadian judge in Quebec. He also had to pay a fine of only $650.
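The defining symptom of the flood described above is request volume per source that no legitimate client would produce. The following added example (written for this article, not code from the original page or from Bitdefender) shows the simplest detection a web operator can run over ordinary access logs: a per-source sliding-window counter that flags the first moment an address exceeds a request threshold. The log lines, the addresses (documentation ranges) and the window and threshold values are all constructed for the example; a real deployment would tune them to the site's normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def flag_flooders(lines, window_seconds=10, threshold=30):
    """Sliding-window rate check per source address.

    A source is flagged the first time it has sent `threshold` or more requests
    within any span of `window_seconds`. Returns {ip: time_first_flagged}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than crash the detector
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def build_sample_log():
    """Constructed traffic (not real logs): two ordinary clients plus one flooding source."""
    base = datetime(2000, 2, 7, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for second in range(60):
        ts = (base + timedelta(seconds=second)).strftime(TS_FMT)
        if second % 6 == 0:  # ordinary clients: one request every six seconds
            for ip in ("192.0.2.10", "192.0.2.11"):
                lines.append(f'{ip} - - [{ts}] "GET /index.html HTTP/1.0" 200 2048')
        for _ in range(5):  # flooding source: five requests every second
            lines.append(f'198.51.100.7 - - [{ts}] "GET / HTTP/1.0" 200 512')
    lines.append("this line is deliberately malformed")
    return lines


if __name__ == "__main__":
    for ip, when in flag_flooders(build_sample_log()).items():
        print(f"{ip} exceeded the rate threshold at {when.isoformat()}")
```

The counter is per source address, so a genuinely distributed flood spreads below the threshold across many sources; that is exactly why such attacks are hard to filter at the origin and why upstream rate limiting and traffic scrubbing became standard after this period.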
Another macro virus, called WM97M/Proverb.A, appeared in April. It seems to have originated in Russia, and its first target might have been the office of the British prime minister himself. The WM97M/Proverb.A virus was rather harmless, and was probably designed either as a hoax or for mere entertainment. The virus body contained a piece of code that would check the version number of the Word processor. If that returned eight, the virus would fire up the Office Assistant and display random messages, including animations and headings. If the returned value was different from eight, it would show a message box and a Russian proverb.
All hell broke loose on May the 5th. The new Win32.Loveletter (a.k.a. The Love Bug) script virus with worm functionality was about to set a world record in the history of malware. The virus exploited common and native characteristics of computer users, such as curiosity and a spirit of adventure, and managed to catch them by surprise. More than that, in spite of all the efforts carried out by the antivirus industry to educate users about the malicious potential of VBS and TXT files, many of them fell for the trick.
The VBS-based virus would distribute itself to every contact in the Outlook address book as well as to persons using the popular mIRC service. It came disguised as an anonymous love letter (hence its name) and advised the recipient to run the attached .VBS file for further details about the sender. Once installed onto the system, it started replacing files with certain extensions (vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2) with copies of itself. The infection was carried out not only on local hard disks but also on all drives mapped to the compromised computer, such as network drives.
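The lure worked because the attachment was a script dressed up as a harmless document, and the paragraphs above say the industry's answer was to teach users which extensions are dangerous. The added example below (written for this article, not code from the original page or from Bitdefender) shows the mail-gateway side of that lesson: a name-based triage that blocks script extensions outright and specifically catches the "document.txt.vbs" double-extension pattern, which Windows Explorer displays as "document.txt" when it hides known extensions. The extension lists, the verdict labels and the sample names are assumptions constructed for the example; it also handles the related trick of padding the name with spaces before the real extension, which the text does not mention.

```python
import os

# Assumption for this example: extensions Windows Script Host or the shell runs
# directly when opened; a real policy list would be maintained by the mail team.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf", ".sct", ".hta"}
# Extensions a recipient reads as a harmless document or media file.
BENIGN_LOOKING = {".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".mp3", ".mp2"}


def triage_attachment(filename):
    """Classify an attachment by its name alone; returns (verdict, reason)."""
    name = filename.strip().lower()
    stem, ext = os.path.splitext(name)
    if ext in SCRIPT_EXTENSIONS:
        # Look one level deeper: "file.txt.vbs" is shown as "file.txt" when
        # Explorer hides known extensions, which is what the lure relies on.
        # rstrip() defeats names padded with spaces before the real extension.
        inner_ext = os.path.splitext(stem.rstrip())[1]
        if inner_ext in BENIGN_LOOKING:
            return "block", f"deceptive double extension {inner_ext}{ext}"
        return "block", f"executable script extension {ext}"
    if ext in BENIGN_LOOKING:
        return "allow", f"document/media extension {ext}"
    return "review", f"unlisted extension {ext or '(none)'}"


def triage_batch(filenames):
    """Count verdicts over a list of names, as a gateway report would."""
    counts = {"block": 0, "allow": 0, "review": 0}
    for name in filenames:
        counts[triage_attachment(name)[0]] += 1
    return counts


if __name__ == "__main__":
    # Constructed attachment names for the demonstration, not real samples.
    for name in ("love-letter.txt.vbs", "holiday.jpg", "notes.vbs",
                 "report.txt                    .vbs", "archive.zip"):
        print(f"{name!r:40} -> {triage_attachment(name)}")
```

Name-based triage is only a first filter: a gateway should also check the attachment's actual content type, since the extension says nothing about what the bytes are.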
As part of the payload, Win32.Loveletter would attempt to download a file called WIN-BUGSFIX.exe from the Internet, a password-cracking utility that stole passwords from the entire network and then sent the collected data to the author in the Philippines.
The source code was soon posted on several BBS systems, which facilitated the appearance of new modifications over time. At the moment, there are more than 90 variants in the wild. Win32.Loveletter was also the most damaging virus in history, causing losses of between 5.5 and 10 billion.
June 6th brought the first computer virus able to infect mobile phones. The VBS.Timofonica.B virus would normally spread using e-mail services, but it was also capable of sending itself to random mobile numbers belonging to Movistar cellular customers. The so-called virus was merely a hoax, as its payload would only display a message written in Spanish on the mobile phone:
"Information for you: Telefonica is fooling you"
The virus did not take handheld devices out of service, nor did it have any effect on their performance. However, the international mass media rushed to name VBS.Timofonica.B the first 'cellular' virus (because of the significant advances in the mobile world, today's mobile phones can easily be infected and rendered inoperable by miscellaneous security threats. In order to protect you from mobile viruses, Bitdefender has released Mobile Security, an antivirus solution for mobile devices running Symbian™ or Microsoft® Windows Mobile™. You can read more about the mobile antivirus at http://www.bitdefender.com/PRODUCT-2149-en--BitDefender-Mobile-Security-v2.html ).
The Cult of the Dead Cow showed up with an updated version of their Trojan.BackOrifice software during a DefCon conference. Posing as respectable software developers, the members of the organization claimed that BO2K had been shifted to remote administration purposes only. All the signs point to the fact that The Cult of the Dead Cow planned the same strategy as the NetBus author, namely asking antivirus vendors to remove the scanning routines for it. However, given the fact that it was largely used to inflict damage, antivirus manufacturers labeled it as Backdoor.Trojan and included a disinfection routine.
New malware threats were on the horizon during the summer. In early July, three new viruses emerged; while they were not as dangerous as their predecessors, they contained a couple of programming techniques that had never been seen until then. Star, the first macro virus for AutoCad packages, was extremely small (500 bytes only) and primitive. Star's appearance was closely related to Autodesk having introduced Microsoft's Visual Basic as the macro programming interface. The virus had no malicious payload, which made security experts think that it was a first draft of a more intricate creation. However, the future proved that there was no second shot at infecting AutoCad files.
Win32.Unchained.B was another interesting virus to spice up the summer of 2000. One of its most interesting aspects was the fact that it practically contained a cocktail of code borrowed (or stolen) from its predecessors. Upon disassembly (the operation of taking a program apart piece by piece in order to figure out how it works), antivirus researchers found out that it contained code from five other viruses, including CIH, SK, and Bolzano. Win32.Unchained.B also used to activate processes from other components at specific dates, which earned it the Shuttle Virus moniker.
A clumsy Internet worm called I-Worm.Jer also showed up in June. Its creator uploaded its script to a web page, and the virus would automatically kick off when the page was visited, announcing that a potentially malicious file had been found on the hard drive and asking the user to disinfect it. It relied on the fact that most users would click on the "Yes" option to get rid of the message. I-Worm.Jer did not manage to create an epidemic (only about a thousand users were tricked), but it set a new trend in infecting systems over the Internet.
The Palm.Liberty virus arrived in August and marked a new era in developing malware for PalmOS operating systems. This was the first virus of its kind, and although it could delete files from the affected system, it was not able to replicate and spread itself easily. However, an improved version of it (Palm.Phage) would appear later in September.
Antivirus experts had to face a new challenge with the advent of the Stream virus. This piece of malware was able to manipulate the Alternate Data Streams (ADS) of the NTFS file system, a location that was usually inaccessible to antivirus scanners. Although the new virus was not too much of a security threat, the new viral technique of accessing the ADS called for a complete update of antivirus protection. Even today, scanning the ADS is a painstaking process mastered only by top-tier antivirus manufacturers.
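The reason scanners of the time missed the ADS is that the ordinary file-reading APIs return only the primary (unnamed) data stream; an alternate stream is invisible unless the scanner asks for it by name or enumerates the streams explicitly. The added example below (written for this article, not code from the original page or from Bitdefender) shows that enumeration step with the real Win32 calls `FindFirstStreamW`, `FindNextStreamW` and `FindClose` from kernel32, wrapped with `ctypes`, plus the small parsing that turns the raw `:name:$DATA` stream names into something a scanner can iterate over and feed into its engine. It only works on Windows against an NTFS volume; the helper names, the `MAX_PATH` constant and the stream names used in the `__main__` block are assumptions of the example.

```python
import ctypes
import sys

MAX_PATH = 260
FIND_STREAM_INFO_STANDARD = 0  # FindFirstStreamW InfoLevel that fills WIN32_FIND_STREAM_DATA
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Win32 layout: LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def parse_stream_name(raw):
    """Turn the raw ':name:$DATA' form into just the name; '' is the primary stream."""
    if not raw.startswith(":"):
        return raw
    name, sep, _stream_type = raw[1:].rpartition(":")
    return name if sep else raw[1:]


def alternate_streams(streams):
    """Keep only the alternate (named) streams from a list_streams() result."""
    return [(name, size) for name, size in streams if name != ""]


def list_streams(path):
    """Enumerate every $DATA stream of `path` on NTFS: returns [(name, size_in_bytes), ...]."""
    if sys.platform != "win32":
        raise OSError("alternate data streams are an NTFS feature; run this on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_ulong]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((parse_stream_name(data.cStreamName), data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # FindNextStreamW fails with ERROR_HANDLE_EOF when no streams remain
    finally:
        k32.FindClose(handle)
    return streams


if __name__ == "__main__":
    # Usage: python ads_list.py FILE [FILE ...]  (Windows, NTFS volume)
    for target in sys.argv[1:]:
        for name, size in alternate_streams(list_streams(target)):
            print(f"{target}: alternate stream {name!r} ({size} bytes)")
```

A scanner that only opens `path` reads the primary stream; to inspect an alternate stream it must open `path + ":" + name` explicitly, which is the extra step this enumeration makes possible. Not every named stream is suspicious: `Zone.Identifier`, which browsers attach to downloaded files, is the most common benign one.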
In October, Russian virus writer Z0mbie released a metamorphic piece of malware called Virtool.Mistfall.A (also known as Zombie.Mistfall). This is the first known virus to use code integration techniques, which means that the integrated Mistfall engine was able to decompile PE files and then inject itself into the PE code. It could also perform code moves, regeneration and relocation, but it needed more than 32 MB of RAM in order to rebuild the PE executable.
Two other interesting viruses that appeared in October were the first PIF infector (also known as Win32.Pif.Fable) and the first PHP virus (called Backdoor.Php.Pirus.A). However, they are more of a curiosity than a real threat, as they have never been seen in the wild.
Copyright 2011. Site powered by Bitdefender