16

I've just read this passage in the October 1995 issue of Virus Bulletin:

WinWord.Concept

The WinWord.Concept virus reported in last month’s Virus Bulletin has been found on at least one CD-ROM. Shortly after the journal’s September edition went to print, VB acquired a CD entitled Snap-On Tools for the Windows NT Professional from a UK company called ServerWare. The CD contains documents infected with WinWord.Concept.

It was shipped at the end of September to more than five and a half thousand Windows NT users. The infected documents on the CD-ROM are: custom~1.50\c1prod2.doc, html\netman.doc, intergra\intergra.doc, serverwr\ashwin.doc, serverwr\octopus.doc, serverwr\octposit.doc and serverwr\winport.doc.

Considering all the incentives available to cybercriminals today, I understand people putting some effort into infecting computers. But why would someone send thousands of physical CD-ROMs with a virus back in 1995? Especially a virus which does nothing at all.

This also brings some sub-questions:

  1. Around 1995, was it common for viruses to be spread by shipping CD-ROMs to victims?
  2. Wouldn't it be too expensive? Apart from the cost of the blank CDs and shipping, I guess the recorder would be a very expensive piece of equipment back then.
Alex
sourcream
  • 20
    The creators of the virus didn't deliberately ship it out on CDs. Instead, the creators of the CD included some files that happened to have been infected. As for the motives behind the creation of such things, sometimes they're created for the purpose of testing various vulnerabilities, though safe practices would suggest that such viruses include code that checks for the existence of a certain "okay to infect this machine" indicator that would be artificially created on the machines used for vulnerability testing, but not on the machines of people not involved in such testing. – supercat Mar 18 '22 at 17:06
  • 3
    I agree; this was just a case of the compiler of the CD not 'washing his hands' carefully. @supercat, you should turn this into an answer. – dave Mar 18 '22 at 17:20
  • @supercat now I feel stupid – sourcream Mar 18 '22 at 17:22
  • 7
    @sourcream: Many people who were born in the 21st century have no concept of how things were done in the world of 1980s and 1990s computing. Questions like yours are entirely reasonable from such a perspective. I remember a video of some kids being shown a rotary dial phone, and one of them asked "If you can't send text messages, how do you communicate with people". And then a light bulb switched on in the kid's brain: "Oh, you call them." An idea that may be obvious once one thinks about it, but until then might be a complete mystery. – supercat Mar 18 '22 at 17:35
  • @supercat: I'm sure you tried to cheer me up, but now I feel even more stupid given my actual age! The whole question came from the impression the article gave to me that the virus makers were shipping the CDs. – sourcream Mar 18 '22 at 17:42
  • 1
    @sourcream: Well, I hope you at least got a smile from the "Oh, you call them" line. Besides, even if you were around in the 1980s and 1990s but not using computers then, you'd still have no reason to understand how things were done. – supercat Mar 18 '22 at 17:52
  • At the time antivirus software was not in common use and not an everyday commodity. That didn't come until Microsoft created Defender. – Thorbjørn Ravn Andersen Mar 18 '22 at 20:25
  • 8
    @ThorbjørnRavnAndersen AV software became a commodity at least a decade before Microsoft created Defender. – fraxinus Mar 19 '22 at 08:06
  • 2
    Early versions of Word didn't use VBA - they used something called WordBasic. Good luck to the virus writer if they could get that working consistently and easily without hitting WordBasic error 100. Unlike VBA, WordBasic was quite difficult to use for simple stuff, let alone write a virus. – cup Mar 19 '22 at 08:29
  • @fraxinus A paid commodity. Most people didn't use them. – Thorbjørn Ravn Andersen Mar 19 '22 at 10:36
  • @ThorbjørnRavnAndersen there were free versions of AVG in the mid/late 90s. Microsoft's own products only really did full antivirus from about 2007 - so yes, a decade. But a lot of pre-built PCs came with a copy of Norton AV and sometimes even updates for a year (by post) – Chris H Mar 21 '22 at 08:59

5 Answers

37

I mean no offense to OP, but the question is an anachronism for two reasons that are likely not obvious to typical computer users today:

  1. Prior to ubiquitous wide-area networking of personal computers, removable media was the main way that viruses spread site-to-site. LANs were becoming commonplace in 1995, but most did not stretch beyond the building.
  2. Viruses were mainly spread innocently by users sharing infected files (generally, on removable media) with other trusted individuals, not by malicious actors exploiting a centralized trusted server, like today.

Because this was a common occurrence in 1995, reading that passage at the time would not invoke surprise. You'd simply assume that the CD-ROM publisher was a victim themselves, and unknowingly spread the infected media.

If this virus had been well-known, and easily detected by virus scans at the time, then you could say the CD-ROM publisher did a poor job of vetting their product, perhaps even accuse them of negligence. However, I'd suspect this was not the case. A well-known virus would be quickly detected by some of the users, and the vendor alerted to it, thus minimizing the impact.

Brian H
  • Unfortunately, I'm not so young :) I'm well aware of what it took for viruses to spread in the past. But in this particular case I was under the impression the virus makers were responsible for the shipping of the CD-ROMs. – sourcream Mar 18 '22 at 17:36
  • 4
    @sourcream It's certainly possible that they were "culpable", or "negligent". But also possible the virus was new and evaded their best efforts to vet their media as "virus-free". Viruses infecting documents for popular applications were trending at that time, but still "new" to most users. – Brian H Mar 18 '22 at 17:40
  • 6
    There were a few incidents of major software publishers accidentally shipping viruses on floppies or CDs (either because of their own negligence, or the duplicating company’s), so yes, this wouldn’t have caused much surprise. Magazines with cover disks went to great lengths to include reassurances that their disks were safe... – Stephen Kitt Mar 18 '22 at 20:28
  • On the legal side, to give negligence its technical meaning: in the UK negligence is a tort, requiring (i) duty; (ii) breach; and (iii) damage. If the virus doesn’t cause damage then technically spreading it can’t amount to legal negligence, even if the distributors had a duty to check for viruses but nevertheless couldn’t be bothered. Just as a potentially-interesting digression. – Tommy Mar 18 '22 at 23:06
  • "removable media was the main way that viruses spread site-to-site" 80s-90s I would expect BBSs – Hasse1987 Mar 19 '22 at 07:44
  • Actually, the worst for spreading viruses then was Apple Macintosh. You put in a floppy disk, it got loaded and automatically executed code in the boot sector, and your computer was infected. In order to clean it, you had to make sure to always have an unwritable floppy with you (did computer support from 1990 to 1991). – chthon Mar 19 '22 at 08:02
  • Second worst for spreading viruses locally was of course a LAN. We didn't have many customers with a LAN, but our company LAN was infected. The virus took advantage of the LAN shared drive to spread itself to client computers (under Netware that was. Anyone remember that?) – chthon Mar 19 '22 at 08:04
  • I am not aware of any Macintosh that automatically executed code from the boot sector of floppy disks upon mounting. Perhaps you mean if you power-cycled the machine with a floppy disk inserted (a reboot would have ejected any inserted floppy)? And then, you'd be booted off the floppy, which makes it very unlikely that your computer would be infected. @chthon – Cody Gray - on strike Mar 19 '22 at 10:03
  • @CodyGray: no not power cycling. The original Macs had a mechanism which sensed when a floppy was present, then automatically inserted it and mounted it. There was definitely some code in the boot sector which got executed and could contain a virus. Or code which automatically read the resource forks and propagated this way. But it is more than 30 years ago, so I don't remember any names. – chthon Mar 19 '22 at 11:13
  • @Hasse1987: Maybe, maybe not. Probably it varied depending on time, region and socioeconomic context, but for most of that period modems were slow and kinda rare and phone calls expensive, whereas copying floppies (or cassettes in the 80s, or CD-Rs later in the 90s) from a friend or a coworker was relatively quick and easy and cheap. Sure, some folks would have modems and use them to download software (and maybe viruses along with it). But they'd probably then also share it with their friends, who'd share it with their friends, etc., all done with removable media. – Ilmari Karonen Mar 19 '22 at 11:23
  • … Sure, in the late 90s modems started getting pretty fast, up to 56 kbps near the very end of the decade. But that was also around the time when dial-up consumer Internet (and later ADSL) was introduced, marking the end of the BBS era. – Ilmari Karonen Mar 19 '22 at 11:29
  • Also, this Q&A seems to be mostly talking about workplace infections, with mentions of WinNT Professional and "sites". You wouldn't be dialing up a BBS from a computer at work — but you might well bring in an infected floppy from home to install custom software (even if it was officially forbidden) or to transfer documents so you could work from home. And then of course the virus could spread within the workplace via LAN and shared file servers, but that wouldn't be "site-to-site" spreading. – Ilmari Karonen Mar 19 '22 at 11:39
  • @IlmariKaronen Viruses like Darth Vader would not be traveling across the world in the 80s/90s were transfer limited to removable media. Modem speed is irrelevant I think? People were certainly downloading binaries on <=2400baud. – Hasse1987 Mar 19 '22 at 23:19
17

Adding to the existing answer, I remember reading about the circumstances at the time. No anti-virus software looked for Word macro viruses at that point, and the creators of the CD believed they'd done due diligence before sending it out.

Once macro viruses became known, anti-virus software was rapidly upgraded to cope with them. In late 1995, I helped my manager's manager clean an infection off his machine. Dr Solomon's Anti-Virus was racing through his documents cleaning them up, when he noticed that it was dealing with encrypted documents and claiming to clean them. I raised it with Dr Solomon's support, and got the response:

"That was Word 95? The encryption isn't much good. We just brute-force it, and that doesn't slow things down noticeably."

John Dallman
10

The important part to know about Concept is that it was a self-replicating virus:

When an infected document is opened, Concept [...] copies its macros to the template [NORMAL.DOT]. [...] Once NORMAL.DOT has been infected, any file created using "Save As" will be infected with the virus.

So once a user opens an infected document, any document they create will also contain the virus. Which is why legitimate organizations accidentally send out the virus on CD (as described in Brian's answer).

As for incentives to create the virus: There were no financial or similar incentives. As the name suggests, it's just a proof of concept to show that it can be done.

As the author notes in their payload:

That's enough to prove my point

Though the fact that it was a "noisy" virus (showing an alert box) might suggest that it was created to draw attention to the issue of macro viruses, so that relevant parties can start protecting against actually harmful ones.

tim
  • 4
    My understanding is that amusement rather than financial reward was more common then than it is now as far as motivation. – Acccumulation Mar 21 '22 at 06:14
3

I believe the motive was just to show it could be done. The following is all just by memory from news coverage at the time: There was a text string in the code somewhere saying something like "That should be enough to make the point." It was done by an individual, who did not keep his identity a secret (but I don't recall his name or anything). He just put it on some hard drives and it spread from there, eventually (as others have said) contaminating ServerWare's software.

A good source for this would be the New York Times from that era, but it would require some searching.

Mark Foskey
  • The point being that having macro language code embedded in Word documents made it a huge security risk. Many of us could see how dangerous that was, but not Microsoft. – Bruce Abbott Mar 22 '22 at 22:24
2

Hacking and hackers used to have different definitions. It used to be about breaking technological boundaries, gaining computer science, and doing ever-increasingly impressive feats, sometimes destructive for the sake of being destructive. Hackers in the 1980's and 1990's were generally not interested in credit card numbers or stealing money, but rather clout and "freeing" information ("data theft"). Just check out all the movies from the 90s, like Hackers and Takedown. Remember the stories of phreaking and other "victimless" crimes (corporations were often not considered "victims"). Hacking wasn't usually done for personal financial gain, just clout.

Historically, viruses would infect the boot sectors of floppy drives so they could further infect more systems if the floppy was left in the drive on bootup. They would spread over insecure network protocols to prove that those protocols were insecure. They would use system libraries and installed programs to demonstrate vulnerabilities in Flash, JPEG, or other file formats. The fact that the virus ended up on CDs was probably completely unintentional. Even as late as a few years ago, the Blue Pill hypervisor virus proved it was possible to make a virus that could hide underneath the OS, making it effectively impossible to remove while it was running.

So, to understand why this virus did "nothing," all you have to do is put yourself in the mindset of a 1990's era hacker. You had all this technology in front of you. You had no idea how it worked, but you wanted to know. You'd try all kinds of scientific experiments. Some of those experiments would have unintended side effects. For example, a virus that "accidentally" infected an insecure computer that was responsible for storing the data to be used on a CD. The purpose wasn't harm, or theft, but simply curiosity. This virus did exactly what it set out to do: prove that a system was insecure. That's not "nothing."

Nobody would have sent out CDs that just had a virus on them with nothing else. That wouldn't be how a hacker would operate. They would, however, infect a data server so that a virus could be spread to other systems, just to prove that it could be done. Many such viruses were about demonstrating vulnerabilities, and thanks to those viruses, we have robust antivirus software, many advancements in computer security at the hardware level, even to the point of encrypting an OS in memory so the hypervisor cannot read the memory, and so on. If it were not for these viruses, cybercriminals would have had a much easier time over the past few decades than they have.

phyrfox