Friday the Thirteenth - in memory of malware mayhem

Filed Under: Featured, Malware, Vulnerability

It's Friday the Thirteenth, an infamous date in the history of malware.

So here's a satirical trip down memory lane to consider other dies irae in the computer virus calendar:

* Jerusalem virus - deletes files on any Friday the 13th from 1988 onwards.

This virus came out in 1987 but explicitly suppressed its payload that year (when Friday 13ths happened in February, March and November). In those pre-internet malware days, it needed to give itself months to spread before making its bid for infamy.

* Durban virus - zaps your hard disk on any Saturday the 14th.

The Durban virus first appeared in South Africa, following advice to South African public servants to "put their computer clocks forward a day" before going home on Thursday 12th, as a temporary mechanism to minimise the risk of damage from the Jerusalem virus.

* Sunday virus - deletes files every Sunday, and asks you "Today is SunDay! Why do you work so hard?"

Except that it doesn't actually trigger its warhead, due to a bug. You can imagine why the malware author didn't get around to testing that part of the code.

* Honni virus - pops up a picture of Erich Honecker on Saturday 13 August 1994.

That's the 33rd anniversary of the creation of the Berlin Wall. The late and unlamented Honecker, former leader of the DDR, had recently died in exile in Chile.

* Stuxnet virus - mentions Wednesday 09 May 1979 in its code.

The virus commemorates the performance on that day of the Grateful Dead in Binghamton, New York. (You can hear the audience cheer when the lyrics of the song "Truckin'" reach New York in the sound-clip below.)

(23-second extract from Grateful Dead audience recording on 1979-05-09)

Just from these few examples, you can see that there are often interesting payloads buried away inside malware code.

There's nothing wrong with being intrigued by the backstory of a virus.

After all, many people have been seduced into seeing Stuxnet as all about Israel versus Iran, not realising that it is also a celebration of the good old days of bluesy psychedelic rock, and a surreptitious in memoriam of multi-megabyte guitar riffs.

But, whatever you do, don't get sidetracked by dates when it comes to your computer security strategy.

We do, sadly, seem to have a collective tendency to do this.

For example, we wasted billions of dollars fretting over what might happen precisely at the start of 01 Jan 2000, instead of recognising that the Millennium Bug, such as it was, could affect date-related calculations in general, not just at the stroke of midnight.
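To make that point concrete, here is a small added illustration (example code written for this page, not from the original article). It models the classic two-digit-year bug: a legacy routine that assumes every stored year is 19YY miscalculates an interval for a due date in March 2000 on any day you run it, not just at midnight on 1 January 2000. The "pivot window" repair beside it is the usual fix, and its own cut-off year is an assumption chosen for the example.

```python
from datetime import date

def expand_year_legacy(yy: int) -> int:
    """Legacy assumption: every two-digit year means 19YY."""
    return 1900 + yy

def expand_year_pivot(yy: int, pivot: int = 50) -> int:
    """Pivot-window fix (cut-off of 50 is an assumption for this example):
    YY below the pivot is read as 20YY, otherwise as 19YY."""
    return (2000 if yy < pivot else 1900) + yy

def days_overdue(due_yy: int, due_mm: int, due_dd: int,
                 today: date, expand=expand_year_legacy) -> int:
    """Days between a two-digit-year due date and 'today'.
    With the legacy expansion, a due date stored as 00/03/15 is read as
    1900-03-15, so the invoice looks a century overdue throughout 2000."""
    due = date(expand(due_yy), due_mm, due_dd)
    return (today - due).days

def demo() -> dict:
    # Constructed sample: invoice due 15 March 2000, checked on 1 July 2000.
    today = date(2000, 7, 1)
    return {
        "legacy": days_overdue(0, 3, 15, today),                      # 36633 days
        "pivot": days_overdue(0, 3, 15, today, expand_year_pivot),    # 108 days
        # The pivot is itself a date dependency: a '49' and a '50' stored
        # year land a century apart, so the window needs revisiting too.
        "pivot_49": expand_year_pivot(49),                            # 2049
        "pivot_50": expand_year_pivot(50),                            # 1950
    }

if __name__ == "__main__":
    print(demo())
```

The point for a security strategy is the one the article makes: the fault lives in every calculation that touches the stored year, so it surfaces wherever and whenever such a calculation runs, and a fix that merely shifts the cut-off date carries the same kind of deferred failure.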

We speculated wildly that we might experience an IT meltdown on 01 April 2009, when one of the variants of the Conficker virus would start calling home. Somehow it wasn't enough that the virus was already widespread, and continuing to spread and harm networks, largely through poor security practices.

(Lessons to learn about Conficker - still relevant today)

As Chester and I discussed in a Chet Chat podcast, it's all very well to have Cybersecurity Awareness Week (as Australia does each winter), or Cybersecurity Awareness Month (as in the USA). But if that's all we have, we're not doing much better for our collective health than we would by having an annual Stop Smoking Afternoon.

(Listen to Chet and Duck discuss cybersecurity awareness)

"We need to be talking to our friends and family - and colleagues, and our bosses, and the people who work for us - all the time about security, because if we don't, the crooks are going to win... Every little step that each of us takes actually makes things much harder for the cybercrooks."

So if you're going to set goals for your business in the coming year, take Chester's advice: Make IT Security your business!


8 Responses to Friday the Thirteenth - in memory of malware mayhem

  1. M.S. · 963 days ago

    Then there was the Michelangelo virus of 1991, which was designed to modify the boot sector of DOS systems on March 6, Michelangelo's birthday. McAfee told the press that it would be a widespread disaster, but that didn't exactly happen, even in places where people like me weren't up to midnight updating anti-virus signatures.

    The Dead concert on 5/9/79 wasn't in Broome, NY...it was in Binghamton, NY, at Broome County Arena.

    • Paul Ducklin · 963 days ago

      Michelangelo. Happy days. It actually zapped the first couple of megs of the hard disk, not just the boot sector. The damage typically took out both FATs, plus a sizeable portion of your raw data, plus the virus itself. (The most common size of hard disk back then was 20MByte). Ironically, 06 March was the only day Michelangelo was NOT a virus :-)

      And you're perfectly right about my ambiguity in respect of Broome. Seems that writing "Broome, NY" without the word "County" refers to a tiny town in Schoharie County, NY. And, indeed, the Dead didn't play there on 1979-05-09, nor, as far as I can tell, on any other date.

      I have updated the article accordingly.

  2. someone · 963 days ago

    Correction, 2011 was the eighth Cybersecurity Awareness Month. http://www.dhs.gov/files/programs/gc_115861159610...

    • Paul Ducklin · 963 days ago

      Oops. (Shows what a powerful effect the previous Awareness Months had on me :-)

      I have edited to suit.

  3. Bob · 963 days ago

    Why talk about the Dead and show a picture of Hendrix?

    • Paul Ducklin · 963 days ago

      Errrrr, why not? Hendrix could play a bit, from what I've heard.

  4. johnwbaxter · 962 days ago

    We took a couple of RAID chassis out of service shortly before the end of December, 1999. They would have kept running fine after the start of year 2000, but would have failed to boot whenever next rebooted for whatever reason. (Vast 9G drives, too.)

    And my personal script which moved messages out of my mail client into a FileMaker database put January 2000 and part of February 2000 into year 1900 until I caught on and fixed it. Fortunately, it was fairly easy in my case to separate the actual 1900 email from what should have been 2000 and fix only the latter.

    --John

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog