
SANS ISC: Chernobyl Plus 7 Years - Internet Security | DShield SANS ISC InfoSec Forums


Chernobyl Plus 7 Years
Reader JD mentions that today is the anniversary of Chernobyl... both the Nucular (sic) disaster from 1986 and the flash-garbage-into-your-BIOS virus from 1999.  I guess that's sort of an indication of how geeky you are.  When I saw the news headline mentioning Chernobyl, my first thought was of the virus.  Our condolences to those impacted even to this day by the worst nuclear accident in history.

But, JD (who referred to yours truly as a post-hog ;) mentioned that it was this virus (also known as CIH) that got him involved with malware research in the first place.  Blowing away the BIOS rendered many systems totally unusable in 1999, making for a devastating infection.  It was indeed a watershed event for a lot of us in the handlerati.  JD asks for other readers who were significantly impacted by CIH to share their recollections of that event.  Got any interesting CIH stories that you care to share?

--Ed.
Intelguardians

UPDATE: Reader John Smith recalls wistfully:

"I remember that day, April 26th 1999. It was Monday. Since April 27th is a national holiday here in Slovenia (Day of Uprising against the Occupation), almost everyone took a day off and enjoyed a 4-day weekend. And schools were closed.  A high school classmate, who worked in a bakery, called me sometime around 11h. He had a major problem with computers - one of the accountants came to work to finish some monthly report, and every computer she turned on started to boot Windows, then went crazy. It simply did not start; if turned off and on, it was even worse - Windows did not boot. So she went around the office and started all the other computers. And guess what, all 10 of them failed to work.

By starting the computers, when the first CIH-infected program started, junk data was written to the beginning of the hard drives. Fortunately, the motherboards on those computers were not damaged.  He brought one computer to me and after some DiskEdit exploration, I discovered that FAT2 was intact. So I copied FAT2 to FAT1 and re-calculated the master boot sector. After booting from floppy and disinfecting the files with F-PROT, the computer was operational again. We were lucky and we managed to rescue data from all computers.

BTW, I wonder what CIH author Chen Ing-Hau is doing these days. Is he reading this?"
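The FAT2-over-FAT1 recovery the reader describes is a standard trick: FAT12/16 volumes keep a mirror of the file allocation table right after the first copy, so if junk lands on FAT1 but stops short of FAT2, the chains can be restored by copying the mirror back. The script below is an added illustration and is not from this diary, the reader, or any DiskEdit/F-PROT tooling: it builds a small constructed FAT16 image with one three-cluster file, clobbers FAT1 with sample junk (the boot sector is left intact here, a simplification of the real incident, where the boot sector also had to be rebuilt), locates the FAT copies from the BIOS Parameter Block, picks the copy whose first two entries look sane, and copies it over the damaged one. All geometry values are constructed sample values.

```python
import struct

# Constructed FAT16 geometry (sample values, not from any real disk).
BPS = 512              # bytes per sector
RESERVED = 1           # reserved sectors (the boot sector only)
NUM_FATS = 2           # FAT1 and its mirror FAT2
SECTORS_PER_FAT = 4
ROOT_ENTRIES = 512     # 512 * 32 bytes = 32 sectors of root directory
TOTAL_SECTORS = 64
MEDIA = 0xF8           # media descriptor for a fixed disk
BPB_FMT = "<HBHBHHBH"  # BPB fields starting at byte 11 of the boot sector

def build_boot_sector():
    bs = bytearray(BPS)
    bs[0:3] = b"\xEB\x3C\x90"            # jump instruction
    bs[3:11] = b"MSWIN4.1"               # OEM name
    struct.pack_into(BPB_FMT, bs, 11, BPS, 1, RESERVED, NUM_FATS,
                     ROOT_ENTRIES, TOTAL_SECTORS, MEDIA, SECTORS_PER_FAT)
    bs[510:512] = b"\x55\xAA"            # boot signature
    return bytes(bs)

def parse_bpb(img):
    fields = struct.unpack_from(BPB_FMT, img, 11)
    keys = ("bps", "spc", "reserved", "nfats", "root_entries",
            "total_sectors", "media", "spf")
    return dict(zip(keys, fields))

def fat_regions(bpb):
    """(offset, size) of every FAT copy, derived from the BPB."""
    size = bpb["spf"] * bpb["bps"]
    base = bpb["reserved"] * bpb["bps"]
    return [(base + i * size, size) for i in range(bpb["nfats"])]

def data_cluster_count(bpb):
    root_sectors = (bpb["root_entries"] * 32 + bpb["bps"] - 1) // bpb["bps"]
    data_sectors = (bpb["total_sectors"] - bpb["reserved"]
                    - bpb["nfats"] * bpb["spf"] - root_sectors)
    return data_sectors // bpb["spc"]

def fat_looks_sane(fat, media):
    """FAT16 sanity check: entry 0 is 0xFF00|media, entry 1 is 0xFFFF."""
    e0, e1 = struct.unpack_from("<HH", fat, 0)
    return e0 == (0xFF00 | media) and e1 == 0xFFFF

def build_fat():
    fat = bytearray(SECTORS_PER_FAT * BPS)
    struct.pack_into("<HH", fat, 0, 0xFF00 | MEDIA, 0xFFFF)
    for cluster, nxt in ((2, 3), (3, 4), (4, 0xFFFF)):  # one file: 2 -> 3 -> 4
        struct.pack_into("<H", fat, cluster * 2, nxt)
    return bytes(fat)

def build_image():
    fat = build_fat()
    data_bytes = (TOTAL_SECTORS - RESERVED - NUM_FATS * SECTORS_PER_FAT) * BPS
    return build_boot_sector() + fat * NUM_FATS + bytes(data_bytes)

def clobber_fat1(img, junk=b"\xA5"):
    """Simulate junk written over FAT1 only; boot sector and FAT2 stay intact."""
    off, size = fat_regions(parse_bpb(img))[0]
    out = bytearray(img)
    out[off:off + size] = junk * size
    return bytes(out)

def repair_fat(img):
    """Copy the first sane FAT copy over every FAT slot (the FAT2 -> FAT1 fix)."""
    bpb = parse_bpb(img)
    regions = fat_regions(bpb)
    good = next((img[o:o + s] for o, s in regions
                 if fat_looks_sane(img[o:o + s], bpb["media"])), None)
    if good is None:
        raise ValueError("no intact FAT copy found; mirror recovery impossible")
    out = bytearray(img)
    for o, s in regions:
        out[o:o + s] = good
    return bytes(out)

def follow_chain(img, start):
    """Walk a cluster chain in FAT1; stop on end-of-chain, bad entry or loop."""
    bpb = parse_bpb(img)
    off, _ = fat_regions(bpb)[0]
    last = 1 + data_cluster_count(bpb)   # highest valid cluster number
    chain, c = [], start
    while 2 <= c <= last and c not in chain:
        chain.append(c)
        c = struct.unpack_from("<H", img, off + c * 2)[0]
    return chain

if __name__ == "__main__":
    original = build_image()
    broken = clobber_fat1(original)
    print("chain before repair:", follow_chain(broken, 2))
    fixed = repair_fat(broken)
    print("chain after repair:", follow_chain(fixed, 2),
          "image restored:", fixed == original)
```

The sanity check on entries 0 and 1 is deliberately weak; it catches wholesale junk but not a partially damaged table, which is why the reader compared the copies by hand in DiskEdit before trusting FAT2. On a real volume you would also verify that the chains FAT2 describes agree with the directory entries before writing anything back.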

I wonder too....  By the way, is it just me, or did anyone else notice that if you Base-64 encode "Chen Ing-Hau" and then ROT-14 it, and XOR it with "Intelguardians", it actually spells "Ekim Roop"?  Maybe it's just me. --Ed Skoudis.