Sophos Cloud Optix
Today is the 25th anniversary of the explosion at the Chernobyl nuclear power plant, which resulted in the world’s worst nuclear accident.
Vigils have been held to commemorate the disaster, where an explosion and fire released a large cloud of radioactive contamination into the air, spreading over much of Western Russia and Europe.
No doubt the anniversary has extra resonance following recent events in Japan, at the Fukushima nuclear plant.
However, the relevance of today’s date for Naked Security is the virus that bear’s Chernobyl’s name.
The CIH virus, also known as Chernobyl, was first discovered in 1998, and quickly became one of the most commonly encountered viruses in the wild.
Although never as widespread as other malware of the time such as the Melissa virus, the CIH virus still appeared high in the malware charts. The fact that a number of magazine cover CDs appeared, with programs infected with CIH, no doubt assisted its wide distribution.
But it was CIH’s payload which created the biggest cause for concern.
CIH was dubbed “Chernobyl” by the media because it was programmed to activate its destructive payload on the anniversary of the Chernobyl reactor meltdown – 26th April – wiping data from victims’ hard drives and overwriting the computer’s BIOS chip, making the computer unusable.
For the first time ever, we had encountered a virus which – if it had activated its payload – required a hardware fix. If you were unlucky enough to have your BIOS chip wiped, the Chernobyl virus had effectively turned your computer into a useless lump of plastic – the only way to get your PC working again was to open it up and replace the chip.
And don’t forget – on some computers, the BIOS chip wasn’t removable, and so it could only be replaced by swapping the entire motherboard.
For such a destructive computer virus to be so prevalent, and with April 26th 1999 approaching, was a real cause for concern. And in Asia it was reported to hit particularly hard.
For instance, South Korean government reports claimed that the Chernobyl virus caused $250 million damage, infecting a quarter of a million computers.
So who wrote the Chernobyl virus, and why?
The first point to bear in mind is that there’s no suggestion that the author of the virus intended it to be called “Chernobyl”. That was a name dreamt up purely because of the coincidence of the virus’s payload activation date, rather like the infamous Michelangelo virus was so named because it happened to be coded to trigger on the anniversary of the artist’s birth.
In fact, many in the anti-virus community chose to call the virus by another name – CIH. This name was chosen from a plaintext string inside the virus’s code:
CIH v1.2 TTIT
The Chernobyl name stuck, of course, and helped to fuel headlines about the virus and its particularly devastating payload. Little did we know that the phrase “CIH v1.2 TTIT” would not only help identify the virus’s author, but also where it had been created.
On April 30, 1999, four days after the virus’s damaging payload disrupted computers around the world, Taiwanese police announced that they were questioning 24-year-old Chen Ing Hau about the virus.
Former classmates at Taipei’s Tatung Institute of Technology said that Chen had boasted of creating the virus, and warned them not to allow their computers to become infected.
I’ll spell it out, in case you haven’t twigged yet:
Chen Ing Hau = CIH
Taipei Tatung Institute of Technology = TTIT
The Taiwanese authorities, it seemed, had got their man and it looked likely that Chen Ing Hau would be punished.
But the story doesn’t end there. Because – astonishingly – although the virus had caused serious levels of damage to computers in many countries no-one appeared to have filed a complaint in Taiwan. And without any local victims coming forward, Chen Ing Hau seemed to have got away with it.
Chen subsequently won a job at a software company on the back of his infamy.
It wasn’t until almost 18 months later, in September 2000, that a Taiwanese student reported his computer had been hit by the virus and Chen Ing Hau was finally detained.
However, as far as I have been able to determine (and I would love to hear if anyone has further information), Chen escaped with a reprimand and was never fined or imprisoned for the CIH virus he created. Possibly the computer crime laws in Taiwan had found to be lacking, and insufficient to form a case against him.
Chen Ing Hau appears to have repented for his past misdemeanours and a quick Google search discovers that he has been giving talks at technology conferences such as FreedomHEC Taipei in 2009.
Here’s a photograph of Chen speaking at that conference, in front of a large screen of code discussing how Linux drivers can be reverse engineered.
I wonder if he still signs his code “CIH”?
Viruses like CIH/Chernobyl were becoming a rarity even in the late 1990s. More and more malware authors were turning their backs on destructive payloads, and implementing sneakier forms of attack instead.
As making money, rather than wanton destruction, became the primary motivation for malware authors so cybercriminals realised that attacks which drew attention to themselves with dramatic payloads would work against their plans of stealing information from compromised PCs.
It has always struck me as slightly absurd at how easy it would be to "brick" a computer, especially now that most manufacturers are now actually using flash utilities that operate from within user space (even under Windows). Rather surprising that more of these hardware focussed blighters haven't appeared.
Ultimately you could target BIOS, Harddrive and Optical Controllers if nothing else. Would certainly cause some problems.
Perhaps this is another bonus of the Giga-byte Dual Bios technology (I'm sure other manufacturers are doing this in their own way, but it’s the first one that springs to mind!).
Funny you should mention Gigabyte.
Guess who Chen Ing Hau works for..
Huh – that figures then eh!
I remember when they launched the Dual Bios – it seemed to be a "perfect" fix for this sort of virus …
Mind you, I think there would be far more damage caused by, say, targeting the hard drive firmware — that would cause massive data loss, very quickly, and what with multi terabyte drives these days …
What has happen with the concept of placing the BIOS on a separate partition on the hard drive? This was a project proposed by Intel and Microsoft sometime ago.
Okay, so I’m fairly sure that the chances of Terry reading this reply are slim to none given how much time has past, but for the sake of anyone reading this, I’m fairly sure he was thinking of UEFI, which places the bootloader on its own partition, not the BIOS.
You still need firmware in flash to boot whateveritis off the hard disk. Having a basic “flash reflasher” in a non-rewritable part of flash (or in true ROM) so you can recover a device even after it seems to be bricked would help…but then the reflasher can’t be updated.