One Virus + One Worm = Two Cyber Security Case Histories


Defining and Defending Information Systems Security

A Boon Bane Essay

The ramifications of the CIH virus and the ILOVEYOU worm provided cyber security insights for organizations and individuals the world over. Though outrageous financial losses were incurred, the overall technological win has been increased awareness of software, hardware, and Internet security and of prevention against vulnerabilities and threats. Indeed, CIH exposed virus vulnerability and ILOVEYOU exposed the worm threat in such dramatic fashion that they demanded cyberspace’s attention, commanded active change in the way we define information systems security, and helped us define ways in which we can defend it.


CIH is a 1998 computer virus named after Taiwanese Tatung University student Chen Ing-hau, who authored it to infect system drives and overwrite the Basic Input/Output System (BIOS) in order to demonstrate how contemporary antivirus software failed to detect malware. The virus was also named Chernobyl, because CIH coincidentally debuted on 26 April (the twelfth and thirteenth anniversary dates of a nuclear power plant reactor rupture in the Ukraine), and Spacefiller, because CIH writes its code inside the gap spaces of files.

On 26 April 1998, twenty-four-year-old Chen Ing-hau coded a virus that included a plaintext string incriminating him via his initials, CIH, and his location at Taipei Tatung Institute of Technology, which was renamed Tatung University in 1999:

49 48 20  h @ A @ 2 @ CIH

00 00 00  v1.2 TTIT

The payload was set for one year later, but CIH was discovered in September 1998 when Tatung University peers reported that Chen Ing-hau had forewarned them [3]. Infected CD-ROMs attached to various technology magazine covers helped spread CIH throughout Europe [3]. Meanwhile, much of North America had eight months after the initial CIH victims in Asia to update antivirus software, and many did so because of the Melissa virus just a month prior to 26 April 1999 [1]. CIH infected a quarter of a million Korean computers and several thousand US IBM Aptiva computers [2], eventually impacting approximately 60 million computers worldwide and costing Korea $250 million and the USA at least one billion US dollars in damages.

The host-dependent virus replicates itself through EXE files in Windows 95/98/ME, overwriting BIOS and destroying the motherboard [3]. CIH exploits the gaps between sections of a Portable Executable file: it integrates malicious code segments within these gaps and links them with jumps, so the file size does not change. The virus intercepts and deletes software data, fragments the File Allocation Table (FAT), and overwrites the boot sector, thereby fatally corrupting BIOS. Executable files transferred from one computer to another propagate the infection.
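A defender can measure the inter-section gaps described above directly from the section table. The following is an added example, not part of the original essay or of any tool it mentions: it reports the padding left after each section's used bytes and flags padding that holds data or contains the entry point. The function names and the sample image built by build_sample() are constructed for illustration.

```python
import struct

def section_gaps(pe: bytes):
    """List (name, file_offset, gap_size, nonzero_bytes, entry_in_gap) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)             # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsect,) = struct.unpack_from("<H", pe, nt + 6)        # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, nt + 20)    # SizeOfOptionalHeader
    (entry,) = struct.unpack_from("<I", pe, nt + 40)       # AddressOfEntryPoint (RVA)
    table = nt + 24 + opt_size                             # first section header
    gaps = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        gap = rawsize - vsize          # alignment padding after the used bytes
        if vsize == 0 or gap <= 0:
            continue                   # e.g. uninitialised-data sections
        region = pe[rawptr + vsize:rawptr + rawsize]
        nonzero = len(region) - region.count(0)
        entry_in_gap = vaddr + vsize <= entry < vaddr + rawsize
        gaps.append((name.rstrip(b"\0").decode("ascii", "replace"),
                     rawptr + vsize, gap, nonzero, entry_in_gap))
    return gaps

def suspicious(pe: bytes):
    """Sections whose padding holds data or contains the entry point."""
    return [g for g in section_gaps(pe) if g[3] or g[4]]

def build_sample(gap_bytes: bytes = b"", entry_rva: int = 0x1000) -> bytes:
    """Constructed test image: headers plus one .text section (0x120 used of 0x200)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)           # i386, one section
    struct.pack_into("<H", hdr, 0x40 + 20, 0xE0)
    struct.pack_into("<I", hdr, 0x40 + 40, entry_rva)
    struct.pack_into("<8sIIII", hdr, 0x40 + 24 + 0xE0,
                     b".text", 0x120, 0x1000, 0x200, 0x200)
    body = bytearray(b"\x90" * 0x120 + bytes(0xE0))
    body[0x120:0x120 + len(gap_bytes)] = gap_bytes
    return bytes(hdr + body)

if __name__ == "__main__":
    for image in (build_sample(), build_sample(b"\xCC" * 16, 0x1120)):
        print(section_gaps(image), "->", "FLAG" if suspicious(image) else "clean")
```

Some linkers and packers leave non-zero padding of their own, so a hit is a triage signal for closer inspection rather than a verdict.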

In the end, Chen Ing-hau and Tamkang University student Weng Shi-hao developed and delivered a CIH antivirus for manufacturers and public download. Despite serious damage done in several countries, a lack of charges against Chen Ing-hau left him free until a Taiwanese student filed a complaint in September 2000, when his computer was infected with CIH [3]. Chen Ing-hau was reprimanded and anti-malware legislation was enacted in Taiwan. Today Chen Ing-hau speaks at technology conferences about cyber security, and he was employed for a time at Gigabyte. CIH reappeared in 2001 as a part of the ILOVEYOU malicious code.

Radiating across the Internet in a single day, ILOVEYOU (also Love Letter or Love Bug) was a computer worm disguised as the text file attachment LOVE-LETTER-FOR-YOU.text.vbs and sent by email under the subject “ILOVEYOU”, beginning in Manila, Philippines, on 4 May 2000. It was predominantly created by twenty-three-year-old AMA Computer University student Onel A. de Guzman of Metro Manila’s Quezon City, in cahoots with his sister’s boyfriend [6], China Bank programmer Reonel Ramones, among other indirect accomplices whose original programming is unverifiable. However, Onel de Guzman belonged to GRAMMERSoft, a group that sold thesis projects and that included AMA graduate Michael Buen, whose thesis involved a program that duplicates itself. Similarly, Onel de Guzman wanted to make a point, though unlike Chen Ing-hau’s cause for better antivirus protection, Onel de Guzman invented his malware to provide free Internet by stealing user logins and passwords, while claiming that ILOVEYOU was accidentally unleashed onto the Internet. It was GRAMMERSoft and Onel de Guzman’s code name Spyder, seen in the coding, that gave him away, just as personalized coding had with Chen Ing-hau.

The ILOVEYOU worm was received by around 45 million Internet users as an email message (eventually also attached as a forward in Internet Relay Chat room messages) [5], while ten percent of all computers were attacked because the attachment was opened [4]. Banks, universities, medical institutions, US federal agencies (the Pentagon and CIA were penetrated, with the fortunate exception of classified programs), British Parliament, and many other governments worldwide, as well as corporations across the globe, temporarily disconnected their email systems, since 2.5 million files had been affected in the USA, 223 thousand in Europe, and 117 thousand in Asia within ten hours, and 50 million files in total at the end of ten days. An estimated $5.5 billion was spent simply to find a remedy, recover, and reinforce throughout the world.

The network-propagating worm disguised its hidden executable code as an email attachment with a TXT file extension and subsequently sent itself to all Windows contact addresses through Microsoft Outlook’s Microsoft Visual Basic Scripting (VBS). It replaced extension files and appended VBS, working in conjunction with Onel de Guzman’s student research project trojan, which he designated as Barok, and executing the renamed WIN-BUGSFIX.EXE. Hackers took advantage and designed many variants. In 2001, the VBS was modified yet again for a variation that included the CIH virus.

Actual fixes for ILOVEYOU were soon employed and the worm was conquered, namely thanks to software engineer Narinnat Suksawat of Thailand, writer of a worm removal and system file restoration program entitled Rational Killer that was shared some time after the attacks. As with Chen Ing-hau, charges against Onel de Guzman were dropped and anti-malware legislation was enacted.

The true impact of both CIH and ILOVEYOU, resulting from the undeniable loss of time and money across business and government sectors everywhere, whether Chen Ing-hau and Onel de Guzman’s intentions were accidental or otherwise [8], proved to be the need to redefine information systems security and for everyone to implement stricter cyber security measures, such as encryption, authorized user installation rights, network firewalls, and antivirus software [7], all starting with public and private individuals and ending with public and private legislative protection.



