Happy Friday 13th!

Friday 13th! If you’re at all superstitious, today is bad news. But for those of us in the antivirus industry, Friday 13th is a special day.

It’s not an officially recognized holiday, and of course we’re not taking the day off: we’re here 24/7/365. But Friday 13th is when we remember when and why the antivirus industry really started…

22 years ago, in October 1987, a new file virus which infected COM and EXE files was identified in Jerusalem. Like similar, earlier programs, it was able to self-replicate, but it also carried an additional, malicious payload which triggered on Friday 13th: on that date, whenever an attempt was made to run a program, the virus deleted the program file and DOS reported that the file couldn't be found. In other words, every program launched through the DOS Exec function (INT 21h, function 4Bh) was lost.

The virus spread widely (even though neither the Internet nor email had really caught on at that stage) on floppy disks that were passed around by hand and via bulletin board systems (BBSs).

Friday 13th May 1988 was D-day: thousands of messages about the virus started pouring in from around the world, and particularly from the US, Europe, and the Middle East. Jerusalem had become one of the first MS-DOS viruses to cause a pandemic.

The virus had managed to spread unnoticed to thousands of computers: antivirus software wasn't commonly used, and lots of people simply didn't believe that computer viruses were real. That same year Peter Norton, a guru of the computing world, said that computer viruses were an urban legend, comparing them to the crocodiles which supposedly live in the sewers of New York. (This bold statement didn't deter Symantec, however, from developing its own antivirus software – Norton Anti-Virus.)

It was a watershed: new companies developing antivirus software started appearing, most of them of the "two men and a dog" variety. The antivirus programs themselves were nothing more than the simplest scanners: they searched each file for a byte string unique to a known virus (a signature) and flagged the file if it was found. "Immunizers" were popular too; these modified clean programs by adding the virus's own infection marker, so that the virus would believe the programs were already infected and skip them rather than "re-infect" them.
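To make the two techniques concrete, here is an added example of a 1988-style string scanner and immunizer. It is not code from the original post or any vendor's product: the signature bytes, the infection marker, the sample program files and the `simulated_infect` model of a virus's infection routine are all constructed placeholders for illustration, not real Jerusalem strings or code.

```python
"""Minimal period-style antivirus scanner and immunizer (added example).

Everything here is constructed for illustration: the signature, the
infection marker and the sample files are hypothetical, not real virus data.
"""
from __future__ import annotations

import os

# Hypothetical signature: the byte string a scanner of the era would look for.
# A real signature would be a sequence unique to the virus body.
SIGNATURES: dict[str, bytes] = {
    "Example.FileVirus": b"\xb8\x13\x0d\xcd\x13\x05\x13",
}

# Hypothetical infection marker: what our model virus appends to a victim so
# that it recognises the file as already infected on the next pass.
INFECTION_MARKER = b"IMMUNE!"


def scan(data: bytes, signatures: dict[str, bytes] = SIGNATURES) -> list[str]:
    """Contextual search: report every known signature found anywhere in the file."""
    return [name for name, sig in signatures.items() if data.find(sig) != -1]


def is_marked(data: bytes, marker: bytes = INFECTION_MARKER) -> bool:
    """True if the file already carries the virus's infection marker."""
    return data.endswith(marker)


def immunize(data: bytes, marker: bytes = INFECTION_MARKER) -> bytes:
    """Append the marker so the virus believes the file is already infected.

    Idempotent: a file that is already marked is returned unchanged.
    """
    return data if is_marked(data, marker) else data + marker


def simulated_infect(data: bytes, body: bytes = SIGNATURES["Example.FileVirus"],
                     marker: bytes = INFECTION_MARKER) -> bytes:
    """Model of the virus's own infection check, used to test the immunizer.

    Like the viruses of the day, it skips files carrying its marker and
    otherwise appends its body (which contains the signature) plus the marker.
    """
    if is_marked(data, marker):
        return data
    return data + body + marker


def scan_directory(path: str) -> dict[str, list[str]]:
    """Scan every *.COM / *.EXE file under path; map filename -> detections."""
    results: dict[str, list[str]] = {}
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.upper().endswith((".COM", ".EXE")):
            with open(entry.path, "rb") as f:
                results[entry.name] = scan(f.read())
    return results


if __name__ == "__main__":
    import tempfile

    # Constructed minimal COM-style stub (MOV AX,4C00h; INT 21h = exit to DOS).
    clean = b"\xb8\x00\x4c\xcd\x21"
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "CLEAN.COM"), "wb") as f:
            f.write(clean)
        with open(os.path.join(tmp, "VICTIM.COM"), "wb") as f:
            f.write(simulated_infect(clean))
        with open(os.path.join(tmp, "SAFE.COM"), "wb") as f:
            f.write(immunize(clean))
        for name, hits in sorted(scan_directory(tmp).items()):
            print(f"{name}: {hits or 'clean'}")
```

Note the trade-off the example exposes: an immunized file is invisible to the model virus and still passes the signature scan, but any detector that keyed on the marker alone would now flag it as infected, and a marker only protects against the one virus whose check it mimics.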

The damage didn't end with Jerusalem's own file-deleting payload: dozens of other viruses appeared which also had payloads designed to trigger on Friday 13th. Not surprisingly, those in the computer world started to associate Friday 13th with viruses; some people thought it was safer not to switch a computer on when the fateful date cycled round, and some altered the date on their machines, to the 12th or the 14th. The virus writers picked up on this and started playing the same game, producing "Thursday 12th" and "Saturday 14th" viruses.

As for us – well, today we want to wish everyone in the antivirus industry a happy Friday 13th! Yes, we have our differences – in ideology, philosophy, opinion and market share. But let’s remember what we have in common, and why we’re in this game in the first place. If we can’t do that – then what are we doing here?

Happy Friday 13th!
