2004 – Google Draws the Curtains
Malware authors continued to focus mostly on worms during 2004, just as they had in the previous year. The successful attacks carried out by Slammer, Win32.Sobig and Tantalos were reason enough to keep improving worms rather than viruses.
However, the sharp increase in malware and the utter disaster caused by Slammer called for a solution, and antivirus researchers accelerated their technological development. Other major industry players, such as the popular search engine Google, entered the battle against malware.
In late January, MyDoom set the tone with the first attacks against computers running Microsoft Windows operating systems. It started causing panic on January 26th and quickly became the fastest-spreading e-mail worm ever. Although there are no accurate reports, it is believed that MyDoom beat the previous infection records set by the Sobig worm.
A closer look into MyDoom's body revealed that the mass-mailer had been commissioned by spammers in order to facilitate their work: the worm contains the text message "andy; I'm just doing my job, nothing personal, sorry," which might mean that the author had been paid to program it. Other scenarios claim that the worm was released by a professional underground programmer located in Russia, although authorship cannot be determined for sure.
On March 19, a new worm called Win32.Worm.Witty.A successfully exploited several security holes in security products manufactured by Internet Security Systems (ISS) and started a massive wave of destruction. Witty came with a couple of new programming techniques and innovations which made it rather unique. For instance, it was the first worm to take advantage of vulnerabilities in the very pieces of software designed to enhance network security. Moreover, it came with an extremely malicious payload: once inside the host system, it starts attacking a pseudo-random subset of IP addresses. It repeats the attacks in sets of 20,000, and during each round it also overwrites sections of the computer's hard disk.
The first day of May brought a new security threat in the form of the Win32.Worm.Sasser.DAN worm, a piece of malware exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service). While other viruses and worms catch system administrators and security analysts by surprise, Win32.Worm.Sasser.DAN built its attack on laziness and lack of information. Win32.Worm.Sasser.DAN would only spread on vulnerable systems, yet Microsoft had released a critical patch addressing the LSASS issue 19 days prior to the first attack. Some sources claim that the authors reverse-engineered the patch in order to discover the vulnerability, and then relied on the fact that not all system administrators deploy security patches on time. The worm could also be easily stopped by a properly configured firewall.
The last month of 2004 brought to life the first known "webworm". Also known as "Worm.PhpBB.Santy.A", this new type of malware was written in Perl and relied on a vulnerability in the popular phpBB forum software, using Google search to locate installations to infect across the Internet. The tiny Perl worm managed to take down between 30,000 and 40,000 websites in about 24 hours. Although the worm would only deface websites written in PHP or HTML (it caused writable files on the infected server to display the message "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X"), Google took a stand against the attack and filtered the search query used by the worm, thus putting an end to the outbreak.