
2001: the Year of the Worm

Date: 12/02/2008
Author: Bogdan Botezatu

Malware development in 2001 was mostly driven by the Internet boom.

Worm and virus authors had previously made serious attempts at infecting computer users via the web (such as the Jer Internet worm), while others had tried to use an Internet connection to update their creations and evade simple string scanners (Babylonia).

Viral attacks carried over the Internet also took off. Whereas malware authors had previously been tricking users into downloading and executing files from obscure websites, the new types of infection relied on the victim merely visiting an infected website, or even a legitimate URL that had previously been compromised. The rise of Internet Explorer was also a notable factor in carrying out successful attacks.

Moreover, the introduction of new technologies, such as the ICQ and MSN instant messaging services or the advent of file-sharing networks, played a key role in distributing malicious applications.

March came with a new multi-OS, metamorphic threat called Smile. Written in assembly language by the virus writer Mental Driller, Smile, like the author's other creations, was extremely difficult to detect and disinfect. Upon its first launch, the virus checks the system date and then lies dormant until the 17th of March, June, September or December, when it displays a random text message.

After the message has been delivered, the virus starts to rebuild itself and triggers a massive infection of the local executable files. However, it cannot infect files located more than three levels deep in the directory structure, or files in folders whose name begins with the letter W.

The Win32.Worm.Sunos.Sadmind.B worm struck both Sun Microsystems machines and Microsoft's Internet Information Services web servers on May 8. The self-propagating worm defaced websites hosted on the compromised machines with offensive messages against the US government and against the anti-Chinese cracking group PoizonBOx. In order to propagate from one infected server to another, the worm exploited a critical system vulnerability. Both Sun and Microsoft have since issued security patches to prevent further attacks.

A few days later, the Win32.Worm.Sircam worm was spotted in the wild. Although its favourite means of propagation was e-mail messages sent from Microsoft Windows systems, it was also able to copy itself to other computers through unprotected network shares. When using e-mail as its main vector, the worm would randomly pick a subject from a built-in list; because of a programming bug, however, it rarely used any subject other than the notorious "I send you this file in order to have your advice". Sircam spread by infecting .doc and .xls files and then sending them as attachments to various e-mail addresses. During the outbreak, several critical files (such as sales reports, password lists and other sensitive information) arrived in the inboxes of unauthorized recipients.

We have previously said that the antivirus industry works at full speed whenever the 13th of a month falls on a Friday. July 13, 2001 was no exception: it was the day the famous Code Red worm hit. The worm attacked computers running Microsoft's IIS web server, an extremely popular choice among Internet web servers, and defaced the websites hosted on compromised machines with the phrase "Hacked by Chinese". The worm was first spotted on July 13, but the infection reached its peak six days later (July 19), when more than 359,000 machines had been reported as compromised. A newer version of the worm, called Code Red II, struck back in August, but it primarily infected Chinese web servers.

On September 18, another worm, Worm.Nimda.A, started to spread by exploiting several vulnerabilities in Microsoft Windows, as well as backdoors left open by its predecessors, Code Red II and the Sadmind worm. (The worm's name spelled backwards is "admin". Because of its release date, the worm was alleged to be the creation of the Al-Qaeda terrorist group, but the supposition has never been verified.) Nimda also came with file-infection capabilities, which dramatically increased its impact on the Internet infrastructure. According to security reports of the time, Nimda became the Internet's most widespread virus/worm within 22 minutes.

Last, but not least, the Klez worm started wreaking havoc on October 26. Klez infected Microsoft Windows systems by exploiting a vulnerability in Internet Explorer's Trident layout engine, which was also used by both the Outlook e-mail client and Outlook Express.

As far as malware activity is concerned, 2002 was a calm year, although virus and worm writers continued to release their creations into the wild. Two new Flash worms appeared in January: LFM and Donut, two proof-of-concept threats able to work in the .NET environment. However, they were never spotted in the wild. Four months later, Spida wrote a new chapter in malware history as the first SQL worm spotted in the wild. It only affected SQL servers running with a blank system administrator password, a fatal configuration error that (believe it or not) was common in those days. Spida's author wrote the worm using JavaScript, batch files and compiled executables. Once it had infected a system, the worm would run a scanner to detect other potential SQL servers to infect.

Although the primary targets for malware authors were Microsoft Windows systems, Linux machines also had a hard time in 2002. Worm.Linux.Slapper.E was one of the first Linux worms to demonstrate that Linux computers were as vulnerable as those running any other operating system, in spite of all the hype about their increased security. Worm.Linux.Slapper.E managed to take thousands of Linux machines out of service within a few days, causing incredible damage to the Internet infrastructure (as most Internet servers were running Linux, plenty of services hosted on compromised machines were inaccessible for a long period of time).

While 2002 was a calm year in which no single piece of malware caused a significant outbreak (although the combined volume of malware did bring significant damage to the industry), 2003 was slightly different. Two massive Internet attacks marked the biggest security disaster in the history of computing.

The first massive outbreak was triggered by the notorious SQL worm Slammer, a piece of malware that exploited an unpatched vulnerability in the MS SQL Server software. The fileless worm started to cause damage on January 25, 2003, when it managed to infect hundreds of thousands of computers worldwide in the span of only a few minutes. The extremely violent increase in network traffic caused some vital parts of the Internet infrastructure to crash completely. The Slammer attack on the Internet was similar to releasing a nuclear bomb in a high-density population area.

The worm penetrated computers through ports 1433 and 1434. Once inside a server, it did not copy itself to disk but remained resident in memory.

Another massive outbreak was triggered by the Win32.Worm.Blaster (also known as LoveSan) worm, which also exploited a Windows vulnerability in order to replicate itself. However, while Slammer used the MS SQL Server vulnerability, Win32.Worm.Blaster took advantage of a loophole in the RPC DCOM service running under Windows 2000 and XP. The vulnerability allowed the worm to attack almost any Internet-connected computer in the world. In order to spread to other systems, the worm used the compromised computer to scan for valid IP addresses. After it had "processed" 20 IP addresses, the worm slept for 1.8 seconds and then resumed scanning. Moreover, the worm carried a payload that performed a SYN flood against port 80 (HTTP) of www.windowsupdate.com, in order to mount a distributed Denial-of-Service (DDoS) attack. The attack failed, as Microsoft used the targeted domain to redirect to the main site (windowsupdate.microsoft.com).
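Both Slammer and Blaster spread by probing large numbers of addresses in quick bursts, which is a pattern a network defender can flag. As an added example (not part of the original article), the following detector runs over constructed flow records; the window and threshold mirror Blaster's 20-address bursts, and the udp/1434 sweep stands in for Slammer's probing. The record format and all addresses are made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Blaster probed 20 addresses, then paused 1.8 s; alert when one source
# reaches >= FANOUT distinct destinations on one port inside WINDOW.
WINDOW = timedelta(seconds=2)
FANOUT = 20

# Constructed flow records ("timestamp src dst proto dport"), not a real
# capture: 10.0.0.5 sweeps 25 hosts on udp/1434 in under a second, while
# 10.0.0.7 makes three ordinary web connections over several minutes.
SAMPLE_FLOWS = [
    f"2003-01-25T05:30:00.{i:03d} 10.0.0.5 10.0.1.{i + 1} udp 1434"
    for i in range(25)
] + [
    "2003-01-25T05:31:00 10.0.0.7 192.0.2.10 tcp 80",
    "2003-01-25T05:33:00 10.0.0.7 192.0.2.11 tcp 80",
    "2003-01-25T05:36:00 10.0.0.7 192.0.2.12 tcp 80",
]

def parse_flow(line):
    """Split one flow record into (timestamp, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport)

def detect_fanout(lines, window=WINDOW, threshold=FANOUT):
    """Return {src: (proto, dport, distinct_dst)} for sources that reached
    at least `threshold` distinct destinations on one port within `window`."""
    events = defaultdict(list)  # (src, proto, dport) -> [(ts, dst), ...]
    for line in lines:
        ts, src, dst, proto, dport = parse_flow(line)
        events[(src, proto, dport)].append((ts, dst))
    alerts = {}
    for (src, proto, dport), ev in events.items():
        ev.sort()
        lo = 0
        for hi in range(len(ev)):          # sliding time window over events
            while ev[hi][0] - ev[lo][0] > window:
                lo += 1
            distinct = {dst for _, dst in ev[lo:hi + 1]}
            if len(distinct) >= threshold:
                alerts[src] = (proto, dport, len(distinct))
                break                      # one alert per scanning source
    return alerts

if __name__ == "__main__":
    for src, (proto, dport, n) in detect_fanout(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct hosts on {proto}/{dport} within {WINDOW}")
```

The benign host never exceeds the threshold, so only the sweeping source is reported; lowering the window or raising the threshold trades sensitivity against false positives on busy servers.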
