21 years ago, April 26: CIH computer virus outbreak

2020/04/30 12:04:04 | technology

21 years ago, April 26: CIH computer virus outbreak - DayDayNews

Image source: @视觉中国 (Visual China)

By 航通社 (Hangtongshe)

Do you remember what day April 26th, just past, was?

It was "World Intellectual Property Day". Tsinghua University celebrated its 109th anniversary. It was also 34 years since the Chernobyl nuclear power plant accident, and a forest fire is now burning near the site, threatening the already fragile radiation containment "sarcophagus".

What more people born in the 1980s may remember, though, is not Chernobyl itself but the "Chernobyl virus".

In Europe, America and Japan the virus got that name because it broke out on the anniversary of the nuclear accident. In China, more people know it by its real name, three English letters: CIH.

CIH's unprecedented destructive power earned it a place in the history of computer viruses. Besides destroying hard disk data, it was the first virus in history capable of causing hardware damage. What follows is the story of this virus.

In 1999, 60 million computers were infected

The domestically developed chat software of the day was called OICQ. It closely resembled the Israeli-developed ICQ, except that it offered many cute cartoon avatars.


Lin Xinglu downloaded the program package, but his anti-virus software immediately found that it was carrying CIH, a computer virus already widespread at the time, and he deleted it without a second thought. That encounter meant he started using QQ almost a year later than his friends.

A little over two months after that Spring Festival, CIH saw its first global outbreak.

CIH stands for the initials, in Wade-Giles romanization, of the virus's author, the young Taiwanese Chen Yinghao. The virus was set to trigger on April 26 not to commemorate the Chernobyl accident, but simply because that was the day version 1.0 was completed: April 26, 1998.

Over the rest of 1998, CIH spread around the world in various unexpected ways.

In September 1998, the driver shipped with Yamaha's CD-R400 CD recorder was found to contain CIH. In October, Activision, which had not yet merged with Blizzard, discovered that an online version of its first-person shooter SiN carried CIH.

In March 1999, IBM's personal computer brand Aptiva announced that thousands of computers sold in the United States had shipped with CIH. That was only a month before the April 26 trigger date. Nobody knows whether the users who bought those machines suffered losses.

These reports foreshadowed that the coming outbreak would be a major disaster.

On April 27, the day after the outbreak, the Ministry of Science, Technology, Information and Communication estimated that 2-3% of the country's 8 million computers, about 240,000 machines, had been infected. Local anti-virus vendors, however, estimated that as many as 600,000 computers had been hit, spread across roughly 1,000 private companies, 200 public institutions and 300 universities.

Xinhua News Agency reported that more than 100,000 computers in mainland China were affected, of which more than 5% were severely damaged. Liu Xu, general manager and chief engineer of Rising, China's largest anti-virus software vendor, said: "Since yesterday, all of our lines have been busy." The report said three variants had been found in China, triggering on April 26, on June 26, and on the 26th of every month respectively.

In addition, preliminary figures from the security company Data Fellows counted 100 infected machines in Hong Kong, 200 in Singapore and 10 "large companies" in India, as well as infected customers in the United Kingdom, Sweden, Japan, Malta, Finland and New Zealand.

Compared with Asia, the damage CIH did in Europe and the United States was generally modest; but don't say that to the students of Boston College, who lost the drafts of their final papers.

Boston College students had apparently ignored a warning issued by the school's IT department a few weeks earlier. The outbreak was bad enough that the school urged students not to turn on their computers before the 27th. An employee of the Boston College computer lab said:

"Just after midnight, people started to call and say, 'My computer no longer knows that it is a computer.' Whoever said it's no big deal, I really hope they come and have a look."

Final statistics put the damage at more than 60 million computers worldwide, including 360,000 in mainland China, with tens of thousands of servers paralyzed. Direct economic losses: 160 million yuan for institutions, over 1 billion yuan for enterprises and 20 million yuan for individuals (in purchasing-power terms, renminbi amounts of that time would be multiplied by 4 to 7 today).

Turkey, Bangladesh, Singapore, Malaysia, Russia and elsewhere also saw many computers damaged. South Korea suffered the worst: 250,000 computers infected, with losses exceeding 250 million US dollars at the time.

To put 60 million worldwide and 360,000 in China in perspective: CNNIC's Internet survey shows that as of July 1999, mainland China had only 1.46 million Internet-connected computers.

How CIH works

The symptom of a CIH payload firing was a sudden crash or a failure to boot, and the cause was more complicated than that of any other computer virus known at the time. Besides hard disk data, its target was also the motherboard's BIOS firmware.

Never mind back then; even now, how a small piece of code can destroy hardware seems almost magical. So the author would like to spend some space explaining how the virus worked, as plainly as possible.

(1) How the damage was done

The BIOS is the program that controls the computer's basic input/output, sitting beneath familiar operating systems such as Windows, and it is stored in a small chip on the motherboard. It runs first at power-on, and only after it has checked that the keyboard, monitor and so on are working normally can the computer be used. In recent years the BIOS has gradually been replaced by the more advanced UEFI, which is why most computers produced recently can only run Windows 10 and cannot be downgraded to Win7 or XP.


In the late 1990s, most computers used Intel "Pentium" processors (CPU) and ran Windows 95/98/ME. On such machines, some motherboard makers allowed the BIOS to be downloaded and rewritten from within Windows, a so-called "firmware upgrade". Firmware upgrades are risky: if one fails or the power is cut midway, the computer will not start.

When CIH's payload fires, it obtains the CPU's highest privilege level and tries to write junk to the hard disk and to the BIOS. A BIOS that has been overwritten this way is equivalent to a "failed firmware upgrade"; usually the only remedy is to replace the BIOS chip or the whole motherboard.

To "commandeer" the CPU this way, the virus must first be "let through" by the operating system. CIH ran unimpeded on Win9X, but Windows NT/2000/XP and later provide a protection mechanism specifically against this, so they were naturally "immune" to CIH.

Today installing WeChat eats up at least 500MB of disk space, but the OICQ program Lin Xinglu downloaded back then was only 200KB. CIH spread by infecting applications ending in .exe, so it was smaller still: only 800-odd bytes.

When infecting a program file it even split its under-1KB code into several pieces and wrote them into the unused gaps of the host program. The infected program therefore showed no visible change in size compared with a clean one, and could only be detected with anti-virus software. This trait earned CIH another nickname: "Spacefiller".
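To make the "Spacefiller" trait concrete, here is an added example (written for this page, not code from the article or from CIH itself) that parses a PE file's section table and reports bytes sitting in each section's on-disk padding, the gap between VirtualSize and SizeOfRawData where such an infector hides without changing the file size. The PE images it inspects are constructed inline with a minimal header layout; the section names, sizes and padding bytes are made up for the demo.

```python
import struct

FILE_ALIGN = 0x200
SEC_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
                          # PointerToRawData, relocs, linenums, nrelocs, nlinenums, Characteristics

def _round_up(n: int) -> int:
    return -(-n // FILE_ALIGN) * FILE_ALIGN

def build_pe(sections) -> bytearray:
    """Constructed minimal PE for the demo: MZ stub, 'PE\\0\\0', a COFF header with no optional
    header, then the section table and file-aligned raw data. sections = [(name, body, pad_byte)];
    pad_byte is what fills the gap between the body and the aligned on-disk size."""
    e_lfanew, nsec = 0x40, len(sections)
    raw_ptr = _round_up(e_lfanew + 24 + 40 * nsec)          # raw data starts after the headers
    pe = bytearray(raw_ptr)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, e_lfanew)              # e_lfanew points at the PE signature
    pe[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine=i386, NumberOfSections, timestamp, symtab, nsyms, SizeOfOptionalHeader=0, Characteristics
    struct.pack_into("<HHIIIHH", pe, e_lfanew + 4, 0x14C, nsec, 0, 0, 0, 0, 0x0102)
    body = bytearray()
    for i, (name, data, pad) in enumerate(sections):
        raw_size = _round_up(len(data))                      # on-disk size is padded to alignment
        hdr = struct.pack(SEC_HDR, name.ljust(8, b"\0"), len(data), 0x1000 * (i + 1),
                          raw_size, raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        pe[e_lfanew + 24 + 40 * i:e_lfanew + 64 + 40 * i] = hdr
        body += data.ljust(raw_size, pad)                    # a linker pads with zeros; that is the slack
    return pe + body

def section_slack_report(pe: bytes) -> list:
    """(name, slack_bytes, nonzero_bytes_in_slack) per section. The slack is the on-disk gap
    between VirtualSize and SizeOfRawData; a space-filling infector hides there without changing
    the file size. Caveat: some linkers pad with 0xCC/0x90, so treat hits as leads, not proof."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[0:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                         # section table follows the optional header
    report = []
    for i in range(nsec):
        name, vsize, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        slack = pe[raw_ptr + vsize:raw_ptr + raw_size] if raw_size > vsize else b""
        report.append((name.rstrip(b"\0").decode(), len(slack), sum(1 for b in slack if b)))
    return report

def suspicious_sections(pe: bytes) -> list:
    """Names of sections whose on-disk padding is not all zeros."""
    return [name for name, _, nonzero in section_slack_report(pe) if nonzero]
```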


Because anti-virus vendors had responded promptly, Lin Xinglu was able to detect and deal with it. But anti-virus software at the time was all paid, and it slowed the system badly while running. Many users found it a nuisance and would not install it, leaving their computers running "naked". On top of that, pirated operating systems and software circulated widely.

Concealment the naked eye could not detect, plus the fact that most users ran Win9X and lacked security awareness, together produced the 1999 outbreak.

(2) How to recover

We now know that the way CIH damaged a computer is not that hard to understand, and with some luck most of the hard disk data could even be recovered. But at the start of the outbreak people did not fully understand it, and many panicked and formatted their hard drives, causing further losses.

CIH writes 1MB of empty data starting from sector 0, the beginning of the hard disk's first partition. That first 1MB contains the partition table (MBR), the boot sector, the file allocation table (FAT) and other structures, which describe how the disk's space is divided and how each file is allocated across it.

If the disk is divided into multiple partitions (C, D, E...), restoring the partition table immediately brings each partition back: although CIH extensively damaged the first partition, the subsequent partitions were completely intact.


Under the newer FAT32 file system, the file system's tables are much larger than under the then-popular FAT16, so a FAT32 disk hit by CIH had some chance of keeping the first partition's data.

Security expert Steve Gibson therefore wrote a completely free hard-disk data recovery tool, and received a flood of thank-you letters online.
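An added illustration of the recovery logic described above (not Gibson's tool or any code from the article): it builds a small disk image with two FAT partitions, zeroes the first 1MB the way the text says CIH did, then rebuilds the partition table from the FAT boot sectors that survive further out on the disk. The partition layout, sizes and BPB values are constructed for the demo.

```python
import struct

SECTOR = 512
WIPED_BYTES = 1024 * 1024   # the article: CIH zeroes the first 1 MB of the disk
MBR_SIG = b"\x55\xAA"

# Constructed two-partition layout (type, start LBA, sector count); not a real disk.
PARTITIONS = [
    (0x06, 63, 4096),    # C: FAT16; its boot sector and FAT lie inside the first 1 MB
    (0x0C, 4160, 2048),  # D: FAT32; starts beyond the wiped region, so it survives
]

def fat_boot_sector(total_sectors: int, fat32: bool) -> bytes:
    """Minimal FAT boot sector with the BPB fields a recovery scanner keys on."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"                           # jump over the BPB, like real boot code
    struct.pack_into("<HBHB", bs, 11, SECTOR, 8, 1, 2)  # bytes/sector, sec/cluster, reserved, FATs
    if fat32:
        struct.pack_into("<I", bs, 32, total_sectors)   # BPB_TotSec32
        bs[82:90] = b"FAT32   "
    else:
        struct.pack_into("<H", bs, 19, total_sectors)   # BPB_TotSec16
        bs[54:62] = b"FAT16   "
    bs[510:512] = MBR_SIG
    return bytes(bs)

def partition_entry(ptype: int, lba: int, sectors: int) -> bytes:
    # status, CHS start (unused), type, CHS end (unused), LBA start, sector count
    return struct.pack("<B3sB3sII", 0x80, b"\0\0\0", ptype, b"\0\0\0", lba, sectors)

def build_disk() -> bytearray:
    """MBR in sector 0 plus one FAT boot sector at the start of each partition."""
    _, last_lba, last_len = PARTITIONS[-1]
    img = bytearray((last_lba + last_len) * SECTOR)
    for i, (ptype, lba, n) in enumerate(PARTITIONS):
        img[446 + 16 * i:462 + 16 * i] = partition_entry(ptype, lba, n)
        img[lba * SECTOR:(lba + 1) * SECTOR] = fat_boot_sector(n, fat32=(ptype == 0x0C))
    img[510:512] = MBR_SIG
    return img

def wipe_first_megabyte(img: bytearray) -> None:
    img[0:WIPED_BYTES] = bytes(WIPED_BYTES)   # the damage pattern the article describes

def read_partition_table(img: bytes) -> list:
    """(type, lba, sectors) for each used MBR entry, or [] once the MBR signature is gone."""
    if img[510:512] != MBR_SIG:
        return []
    rows = [struct.unpack_from("<B3sB3sII", img, 446 + 16 * i) for i in range(4)]
    return [(t, lba, n) for _, _, t, _, lba, n in rows if t]

def scan_for_fat_volumes(img: bytes) -> list:
    """Walk every sector after the MBR for an intact FAT boot sector -> (lba, fs, total_sectors)."""
    found = []
    for lba in range(1, len(img) // SECTOR):
        s = img[lba * SECTOR:(lba + 1) * SECTOR]
        if (s[510:512] != MBR_SIG or s[0] not in (0xEB, 0xE9)      # signature and jump opcode
                or struct.unpack_from("<H", s, 11)[0] != SECTOR):  # plausible bytes-per-sector
            continue
        if s[82:87] == b"FAT32":
            found.append((lba, "FAT32", struct.unpack_from("<I", s, 32)[0]))
        elif s[54:59] in (b"FAT16", b"FAT12"):
            found.append((lba, s[54:59].decode(), struct.unpack_from("<H", s, 19)[0]))
    return found

def rebuild_partition_table(img: bytearray) -> list:
    """Write a fresh MBR from the surviving volumes; return the entries it now holds.
    A volume whose boot sector lay inside the wiped 1 MB (C here) cannot be found this way."""
    entries = [(0x0C if fs == "FAT32" else 0x06, lba, n)
               for lba, fs, n in scan_for_fat_volumes(img)[:4]]
    mbr = bytearray(SECTOR)
    for i, (ptype, lba, n) in enumerate(entries):
        mbr[446 + 16 * i:462 + 16 * i] = partition_entry(ptype, lba, n)
    mbr[510:512] = MBR_SIG
    img[0:SECTOR] = mbr
    return entries
```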

The virus's intrusion into the BIOS chip, however, caused permanent, irreparable damage. Fortunately the BIOS and the data on the hard disk are separate from each other. The BIOS chips "susceptible" to the virus were on motherboards with a specific Intel chipset and had no additional protection against arbitrary "flashing". After the CIH incident, new motherboards generally gained a hardware jumper: the user had to open the case before the BIOS could be rewritten. Gigabyte even introduced a motherboard with two BIOS chips, one purely a spare, which became a distinctive memory of that era.

After 2000, CIH continued to spread with small-scale outbreaks, but overall, as dedicated removal tools, the FAT32 file system and Windows XP became widespread, the virus died out naturally.

In 21 years, the public has not learned much

Had so many users not been running old, pirated systems with no anti-virus software and no security awareness, the tragedy CIH caused in 1999 would have been entirely avoidable.

Public attention to computer security comes in waves, driven more by whatever information people happen to receive.


At the same time the "Y2K" issue was raging, and the media made it sound as if the end of the world were coming, so most computers of the day were checked for the "millennium bug". The irony is that some of them fell, in the "darkness before the dawn", to the far less conspicuous CIH.

Regrettably, more than 20 years on, people have not learned the lesson: the pattern of a vulnerability that has already been patched still claiming victims has repeated itself many times.

In July 2001, the Code Red virus infected nearly 400,000 network servers in less than a week and spread to as many as 1 million ordinary computers. More than a month before the attack, Microsoft had released a patch specifically for the flaw.


The notorious WannaCry ransomware appeared in May 2017 and infected more than 200,000 computers in 150 regions within days; the attackers demanded $300 worth of Bitcoin to unlock the files on a user's computer.

WannaCry exploited the "EternalBlue" vulnerability in Windows XP. By then XP had been out of support for three years, yet most of the infected machines were, for one reason or another, still running it. Microsoft had to break with convention and patch an XP that was already "in its grave".

A US intelligence agency had discovered the vulnerability and, instead of informing the public promptly, built "electronic warfare" weapons on top of it. Unexpectedly, before those were ever used in combat, the same vulnerability was seized by hacker circles in the wild and used first against civilians.

WannaCry's vast number of victims included the NHS, the public hospital system of the United Kingdom, a US ally, which suffered heavy losses. Qdaily ("Curiosity Daily") concluded: "As long as the vulnerability exists, there is danger, no matter whom it was meant for."

From showing off skills to making money: viruses enter a "new era"

Ordinary users' security awareness is as poor as ever, but WannaCry also reflects how vastly modern security threats differ from those of the classical virus era.

2006 marked the 20th anniversary of the first computer virus. In InformationWeek's list of the 10 most destructive viruses in history, CIH ranked among the top. Also on the list were "Love Letter" (I Love You), Code Red, Blaster and Sasser, which shows that worms and macro viruses were the absolute mainstream of computer viruses at the time.

In 2018 the British Daily Telegraph compiled another top-ten virus list. By then, ransomware and cryptomining malware had become the new focus of attention. New-era viruses no longer go in for pure pranks or file destruction; they steal users' private data and account passwords, with making money as the ultimate goal.

The new-era virus has also evolved a more insidious form: infecting the supply chain.

Xcode is the essential tool for developing Apple Mac and iOS software. In September 2015, some developers found that the Xcode they were using carried malicious code. Apps compiled with the contaminated Xcode sent user information back to a specified URL and were exposed to pop-up attacks and remote control.

Xcode could have been downloaded through official channels such as the Mac App Store. But Apple's servers were so slow to reach from mainland China that downloading the 8GB Xcode installer directly was nearly impossible, which gave domestic mirror sites with ulterior motives their opening.

The well-known game development tools Unity 3D and Cocos2d-x were also found to be contaminated through the supply chain. Within a week, 858 versions of 692 mobile apps were found compromised, including WeChat, Didi, NetEase Cloud Music and the Railway 12306 app.


In 2018, a "WeChat Pay" ransomware was first planted in the "Easy Language" programming tool used by a large number of developers, and from there got into the various programs written with it. More than 100,000 end-user computers running those programs were infected. The virus was actively carried by over 50 programs, most of them "gray" tools for "wool-pulling" (exploiting promotional giveaways).

Farewell to the rash hero: there is no such thing as a "well-intentioned" virus author

On April 30, 1998, CIH's author Chen Yinghao was taken in for questioning by the Taipei police. He was 23 and doing his military service. Surrounded by reporters' camera flashes, he nearly collapsed to the ground. News reports at the time said that when investigators switched on a computer in the interrogation room to let him go online, the sight of the computer revived him and he returned to normal, quite unlike a few minutes earlier.

Chen Yinghao later recalled that CIH was an experimental program kept on a machine at school for his personal use, with a "virus" warning attached. He had not meant to cause damage, but without his knowledge a classmate used that computer and carried the virus out. "Otherwise, who would name a virus after himself?"


Computer networks at the turn of the century were a world adults did not understand at all. Society worried that children would sink into the computer world and lose touch with real life. Newspapers ran headlines like "Computer Games: 'Electronic Heroin' Aimed at Children". Children who could go online were told by their parents that there were many bad people on the Internet and to be careful making friends in ICQ chat rooms.

In this climate, the police characterized Chen Yinghao as follows:

"Usually they have very extreme personalities, are not good at interpersonal communication, and are often dissatisfied with the state of society, but once they enter the computer world they react quickly. Chen Yinghao is this kind of computer person, commonly known as 'computer autism'. If such people are not given proper counseling and are used by criminal organizations, they will cause enormous harm to society."

At the end of 2006, another vicious virus that caused large-scale destruction, "Panda Burning Incense", radiated outward with mainland China as its epicenter. Its author, Li Jun, was also a young man, with only a technical secondary school diploma. He once wrote to a pen pal that his greatest regret was "not going to college".

Li Jun went to Beijing and Guangzhou to look for work, but was turned down by many companies, Rising and Kingsoft (Jinshan) among them, because of his qualifications. Li Jun felt attacking other people's computers with viruses was pointless; he just wanted to slap those companies in the face. The original virus was merely a prank and did not destroy data; it turned vicious only through later mutation and spread.

Like Chen Yinghao, Li Jun found a great sense of achievement in the computer world. He had taken part in the domestic hacker group "China Honker Union" (Red Guest Alliance), and during the 2001 Sino-US plane collision incident and the former Japanese Prime Minister's visit to the Yasukuni Shrine he joined other Chinese Internet experts in attacking US and Japanese websites. But in the real world Li Jun was dissatisfied, earning less than 1,000 yuan a month.


Public opinion at the time sympathized with Li Jun over the academic discrimination he faced. "China Youth Daily" commented: "Our society does not lack talents like Li Jun, but we don't want them to be called talents at the cost of bringing harm to society."

Back then, we could believe that Chen Yinghao really was just too immersed in his own little world, that Li Jun really just could not find a job, and, most importantly, that their intentions were not bad.

Time has flown; public security awareness is still a mess, but the public mood has changed beyond recognition. No one is "stupid" enough any more to believe that someone who caused huge losses did so "unintentionally".

Oh, and do you dare to sympathize with criminals? "If you sympathize with the criminal, who sympathizes with the victim?"

Social networks have essentially fulfilled the ambition of connecting everyone, but people's hearts have been worn coarse, losing their feel for subtle emotions and their empathy. On the many matters and many "melons" (scandals) exposed online, we no longer simply discuss the facts; we must take sides and impute motives. Your "butt" (allegiance) must not be pointed the wrong way.

As for anyone involved in a security incident, we now assume from the outset that he has a sponsor, a backer and impure motives. We cannot imagine anyone doing something earth-shaking purely for its own sake, with no thought of money or gain. The author has to admit that this irreversible shift in mentality also owes to several other iron-clad facts that educated those of us who were once naive.

When Chen Yinghao was arrested in 1999, not a single victim in all of Taiwan Province came forward to sue for economic losses, and there was no law covering this new phenomenon, so he was simply released. On June 25, 2003, Taiwan Province enacted provisions on the "crime of obstructing computer use"; the legislative process even took Chen Yinghao's own views into account.

When "Panda Burning Incense" raged in 2007, the situation was different. Partly to show off his skills and partly to trade within the circle, Li Jun put the original virus up for sale online. Buyers bundled it with a Trojan, turning infected computers into "broilers" (zombie machines) that could be controlled at will, from which game accounts, virtual items and currency were stolen and cashed out. Li Jun was sentenced to four years in prison for causing heavy economic losses.

Both Chen Yinghao and Li Jun were invited to join computer security vendors after their incidents, but whereas Chen Yinghao went on to a straight path in life, Li Jun could not resist the temptation of quick money and overnight riches. After his release he took part in developing a fraudulent online gambling game, was imprisoned again in 2013, and disappeared from public view after his release in 2015.

For grassroots security people who find it hard to show their skills through formal channels, the door to being a Liangshan-style outlaw hero who sways society by unofficial means has closed.


In July 2016, WooYun, then China's largest independent vulnerability submission platform, shut down, and founder Fang Xiaodun and "many executives" were reportedly arrested. Earlier, a user had submitted vulnerabilities in the dating site Jiayuan to WooYun; Jiayuan had acknowledged them and thanked the platform, but then unexpectedly turned around and called the police.

Those active on independent platforms like WooYun and Vulbox are called "white hats", as opposed to the "black hats" bent on sabotage. Sometimes white hats chose to disclose a vulnerability first within a small circle of the security community rather than contacting the company right away, which the company would regard as blackmail. And if, while verifying a vulnerability, a white hat strayed over the line, say by entering a database and copying data, the "black or white" of the act became even harder to define.

After some controversy, the industry accepted the reality that there was no room left for independent white hats. Most of the experts who would have been active on WooYun and similar sites were "recruited" by vendors such as 360, Qi An Xin, Tencent and Alibaba. Under the wings of these big companies, their stage was redefined as domestic and international cybersecurity competitions, winning glory for the country.

To close the story, a word about the young man who was a network administrator in Shenzhen in 1999 and ran into CIH.

Lin Xinglu was only 17 when he joined Yinghaiwei. He then moved to Hengji Weiye, of the "pager, mobile phone, business communication, you can't do without any of them" slogan, and later co-founded DoNews with Liu Ren and others. In 2007 his next venture, the 265 web directory site, was sold to Google.

[Titanium Media author's note: an original article first published by Hangtongshe; unauthorized reprinting is prohibited. Search on WeChat: Hangtongshe.]
