20 years ago today! What we can learn from the CIH virus…

It was 20 years ago today…
…as far as we can tell, anyway, that a Taiwanese university student called Chen Ing Hau set out to create a computer virus that would show the world just how jolly clever he was.
Chen’s virus was dubbed CIH, simply because those three letters were visible inside the programming code of the malware.
In 1998, when we analysed the virus for the first time, we didn’t know what CIH stood for, but it didn’t make a rude word in any language we could think of, so it was as good a moniker as any.
A lot has changed in the cybercrime scene since 1998, and CIH, or W95/CIH-10xx to use the full name that Sophos products use to identify it, is in some ways little more than a museum curiosity now.
It targeted Windows 95, which is extinct in the wild these days, so the CIH code has nowhere in the real world to live in 2018.
But there is still lots worth remembering, and plenty of lessons we can learn (or perhaps re-learn) from how CIH worked.
So CIH is far more than a museum curiosity when it comes to cybersecurity awareness.

These days, most malware takes the form of what’s called a Trojan Horse: a standalone program that looks like any other on the outside, but on the inside is malicious.
CIH, however, is a true computer virus – a piece of parasitic program code that can’t run on its own, but that needs a host file as a carrier.
If you run an infected file by mistake, then the carrier file runs the parasitic CIH code first, after which the virus transfers control back to the original program, which then runs as usual.
That’s an astonishingly effective disguise!

Viruses spread automatically

As well as hiding in files that you expect to be there, viruses spread automatically (it’s the self-spreading that makes them viruses rather than Trojan Horses), and once active, the CIH malware seeks out and infects all the other programs on your computer.
In other words, a computer that was infected by CIH didn’t just have one virus, it typically had tens, or hundreds – or, in the case of a file server, perhaps hundreds of thousands – of independently dangerous copies of the virus on it.
Those infected files didn’t have genuine looking names like 2018-04-26-invoice.PDF, they had genuinely genuine filenames, such as NOTEPAD, CALC, Winword and any other software you might have installed.
Worse still, CIH cleanup wasn’t just a question of sluicing out the infected files, because they were files you needed afterwards, converted back to a safe and uninfectious form.
Disinfection meant that you were metaphorically picking the fly out of the ointment, with an attention to detail sufficient to leave behind ointment that could still be used afterwards.
You also had to identify and disinfect all the infected jars of ointment: if you left just one of them behind, the virus might get reactivated at any time.

What’s worse than ransomware?

CIH was about showing off, not about making money by scamming victims out of paying up to get out of trouble.
Part of the showing off was that on 26 April every year – the anniversary of Chen’s creation – CIH stopped being a virus.
Instead of spreading as widely as it could, on 26 April it went into “warhead mode”, overwriting your computer BIOS with garbage.
That’s right: an unauthorised firmware update that aimed to leave your computer completely unbootable, and in many cases unrepairable, at least by software alone.
The BIOS chip contains the startup code that runs at the very instant the computer is powered up, so garbage in the BIOS means your computer hangs instead of booting.

Intel CPUs fire up with all bits in their CPU registers set to zero except for CS (the code segment register), which gets all its bits set to 1, so that the very first instruction executed comes from the 20-bit memory address FFFF:0000, 16 bytes short of the old-school PC memory limit of 1MB. That address is mapped into the BIOS chip, to ensure that there is something useful there at startup time, and the FFFF:0000 real-mode address usually contains a JMP instruction backwards to the very part of the BIOS chip that CIH overwrites. So, unless you were very lucky indeed, a PC trashed by CIH would hang at the second machine code instruction, a nanosecond or so after every restart.
In those days, there was no cryptographic verification of firmware updates, so anyone could write anything if they knew the trick to enable write access.
Also, write access to the BIOS was managed using “security through obscurity”, with many flash chips automatically activating write access after a special pattern of memory accesses that was unlikely to happen by mistake.
Once you found the chip maker’s documentation that showed the “secret” pattern, you and everyone you felt like telling would know the “secret”, too.
If you’re a network hacker who has ever experimented with port knocking on a network device, this is a similar idea for memory chips, except that you don’t get to choose your knocking sequence – it’s hard-wired into every chip.
In 1998, some motherboards still had BIOS chips plugged into sockets, so a techie user with the right sort of chip reprogrammer could reflash the BIOS externally and revive the computer.
But many motherboards had already adopted the modern, compact technique of soldering the BIOS chip directly to the surface of the board, making it as good as impossible to desolder, reprogram and replace a CIH-trashed chip.
Those victims were stuck with the time and expense of replacing their motherboards, all on account of Chen’s deliberate cybervandalism.

These days, many hackerspaces might be able to help you out, using a fine soldering iron to detach the chip, and a small pizza oven – seriously, search engine it! – to “reflow” the reflashed chip into its rightful place on the board.
As a side-branch to this story, we modified all the vulnerable malware detonation PCs in SophosLabs after we’d figured out this virus.
We carefully disconnected the write enable line on their BIOS chips, wiring it out through a switch on the front panel instead, so we could run malware tests with a hardware write block on the BIOS chip.
This protected the BIOS from modifications that might leave us with permanently broken computers, or, even worse, with research hardware that was subtly but non-obviously compromised, even after a reboot and full disk reimage.
Fortunately, the BIOS-trashing code in CIH never caught on, and apart from a few copycat CIH variants, we never faced an onslaught of computer-nuking malware.

Code caving

The final notable feature of CIH that we’ll look at here, a technique that is very much back in fashion amongst penetration testers and cybercriminals alike, is the trick of adding malicious code to an existing file without changing its size.
Early parasitic viruses were usually prependers or appenders, meaning that they inserted their modifications into the victim file at the very start, or added them at the very end, something that made the malware coding easier but unavoidably increased the size of the file, too.
CIH, in contrast, is a cavity infector, meaning that it finds unused or unimportant parts of the host file and insinuates itself there instead, so that the size of the infected file doesn’t change.
These days, this sort of code caving isn’t usually used for virus spreading, but instead to produce one-off Trojanised versions of well-known utilities that still work as they used to, using the utility as a cover story for some sort of malicious activity.

What happened to Chen?

In April 1999, a year after its creation, the CIH virus was still around, and on 26 April 1999, many motherboards did get zapped by Chen’s anniversary code.
Fortunately, the “secret” write-enable sequence used by Chen didn’t work on all chipsets (we estimated at the time that about 75% of computers in the UK at that time were immune to its BIOS wiping warhead), which reduced its impact, but plenty of users around the world were nevertheless keen to see the malware creator brought to book.
Once Chen Ing Hau was outed as the CIH author, we assumed he would end up in serious trouble, probably facing a prison sentence as well as other criminal sanctions such as a fine or a restitution payment.
As far as we know, however, he was detained and investigated in 2000, but due to the nature of cybersecurity laws in Taiwan at the time, he was never tried for or convicted of any crime.

What to learn?

• Don’t base your malware disaster recovery plans entirely around worms and Trojans. Even fast-spreading malware like 2017’s WannaCry and NotPetya outbreaks weren’t parasitic viruses, so the total number of infected objects across an affected network was much lower that after a true virus attack. Give some thought as to how you would cope with the mass modification caused by an old-school virus outbreak. Cybercrooks still unleash viruses from time to time, so they are still a realistic type of attack.
• Don’t rely on security through obscurity. If you’re an Internet of Things vendor, this warning is for you. Hidden “secrets” such as weak protocols listening on unusual ports, or undocumented, hard-wired passwords, are not only dangerous, they are disrespectful to your customers. As soon as someone knows your “secret”, everyone knows it and anyone can use it. The US Congress is proposing minimum standards for IoT devices that require vendors to publish firmware updates to fix bugs *and* to provide a safe and secure way of delivering them – so get with it now!
• Don’t bank on getting off if you’re caught. We don’t think Chen Ing Hau would be quite so fortunate today. We suspect he’d face a stiff prison sentence, a large fine, a long period of supervised release, and quite possibly a slew of court cases seeking restitution for the damage he caused.

Stay safe out there, learn from the past, and if you can guess what cybersecurity will look like 20 years from now…
…please let us know in the comments!