MALWARE HISTORY

2001: the Year of the Worm

The malware development in 2001 was mostly driven by the Internet boom.

Worm and virus authors had previously made serious attempts at infecting computer users via the web (such as the Jer Internet worm), while others tried to use an Internet connection to update their creations and evade simple string scanners (Babylonia).

Viral attacks carried over the Internet also took off. Where malware authors had previously tricked users into downloading and executing files from obscure websites, the new types of infection relied only on visiting an infected website, or even a legitimate URL that had been compromised beforehand. The rise of Internet Explorer was also a notable factor in the success of these attacks.

More than that, the introduction of new technologies, such as the ICQ and MSN instant messaging services or the advent of file-sharing networks, played a key role in distributing malicious applications.

March came with a new multi-OS, metamorphic threat called Smile. Written in assembly language by the virus writer Mental Driller, Smile, like the author's other creations, was extremely difficult to detect and disinfect. On its first launch, the virus checks the system date and then lies dormant until the 17th of March, June, September or December, when it displays a random text message.

Once the message has been displayed, the virus rebuilds itself and triggers a massive infection of the local executable files. However, it cannot infect files located more than three levels deep in the directory structure, or files in a folder whose name begins with the letter W.

The Win32.Worm.Sunos.Sadmind.B worm struck both Sun Microsystems machines and Microsoft's Internet Information Services web servers on May 8th. The self-propagating worm defaced websites hosted on the compromised machines with offensive messages aimed at the US government as well as at the anti-Chinese cracking group PoizonBOx. To propagate from one infected server to another, the worm exploited a critical system vulnerability. Both Sun and Microsoft have since issued security patches to prevent further attacks.

A few days later, the Win32.Worm.Sircam worm was spotted in the wild. Although its favorite means of propagation was e-mail messages sent from Microsoft Windows systems, it was also able to copy itself to other computers through unprotected network shares. When using e-mail as its main vector, the worm would randomly pick a subject from a built-in list. However, because of a programming bug, it rarely used any subject other than the notorious "I send you this file in order to have your advice". Sircam spread by infecting .doc and .xls files and then sending them as attachments to various e-mail addresses. During the outbreak, a number of critical files (such as sales reports, password lists and other sensitive information) arrived in the inboxes of unauthorized persons.

We have previously said that the antivirus industry works at full speed whenever the 13th of a month falls on a Friday. July 13, 2001 was no exception: it was the day the famous Code Red worm hit. The worm attacked computers running Microsoft's IIS web server, an extremely popular choice among Internet web servers, and defaced websites hosted on the compromised machines by displaying the phrase "Hacked by Chinese". The worm was initially spotted on July 13th, but the infection reached its peak six days later (July 19th), when more than 359,000 machines were reported as compromised. A newer version of the worm, called Code Red II, struck in August, but it primarily infected Chinese web servers.

On September 18, another worm called Worm.Nimda.A started to spread by exploiting several vulnerabilities in Microsoft Windows, as well as backdoors left open by its predecessors, Code Red II and the Sadmind worm. (The worm's name spelled backwards is "admin". Because of its release date, the worm was alleged to be the creation of the Al-Qaeda terrorist group, but the supposition has not been verified to this day.) Nimda also came with file infection capabilities, which dramatically increased its impact on the Internet infrastructure. According to the security reports of the time, Nimda became the Internet's most widespread virus/worm within 22 minutes.

Last, but not least, the Klez worm started wreaking havoc on October 26. Klez infected Microsoft Windows systems by exploiting a vulnerability in Internet Explorer's Trident layout engine, which was also used by both the Outlook e-mail client and Outlook Express.

As far as malware activity is concerned, 2002 was a calm year, although virus and worm writers continued to release their creations into the wild. Two new Flash worms appeared in January: LFM and Donut were proof-of-concept threats able to work in the .NET environment, but they were never spotted in the wild. Four months later, Spida wrote a new chapter in malware history as the first SQL worm spotted in the wild. It only affected SQL servers running with a blank system administrator password, a fatal configuration error that (believe it or not) was common in those days. Spida's author wrote the worm using JavaScript, batch files and compiled executables. Once it had successfully infected a system, the worm would run a scanner to detect other potential SQL servers to infect.

Although the primary targets for malware authors were Microsoft Windows systems, Linux machines also had a hard time in 2002. Worm.Linux.Slapper.E was one of the first Linux worms to demonstrate that Linux computers were as vulnerable as those running any other operating system, in spite of all the hype about their increased security. Worm.Linux.Slapper.E took thousands of Linux machines out of service within a few days, causing incredible damage to the Internet infrastructure (as most Internet servers were running Linux, plenty of services hosted on compromised machines were inaccessible for a long period of time).

While 2002 was a calm year in which no single piece of malware caused a significant outbreak (although the combined volume of malware did bring significant damage to the industry), 2003 was slightly different. Two massive Internet attacks marked the biggest security disaster in the history of computing.

The first massive outbreak was triggered by the notorious SQL worm Slammer, a piece of malware that exploited an unpatched vulnerability in the MS SQL Server software. The fileless worm started causing damage on January 25th, 2003, when it managed to infect hundreds of thousands of computers worldwide in the span of only a few minutes. The extremely violent increase in network traffic caused some vital parts of the Internet infrastructure to crash completely. The Slammer attack on the Internet was comparable to releasing a nuclear bomb in a densely populated area.

The worm penetrated computers through ports 1433 and 1434. Once inside the server, it did not copy itself to disk but remained resident in the computer's memory.

Another massive outbreak was triggered by the Win32.Worm.Blaster (also known as LoveSan) worm, which likewise exploited a Windows vulnerability in order to replicate itself. However, while Slammer used the MS SQL Server vulnerability, Win32.Worm.Blaster took advantage of a loophole in the RPC DCOM service on Windows 2000 and XP. The vulnerability allowed the worm to attack almost any Internet-connected computer in the world. To spread to other systems, the worm uses the compromised computer to scan for valid IP addresses; after it has "processed" 20 IP addresses, it sleeps for 1.8 seconds and then resumes scanning. More than that, the worm carries a payload that performs a SYN flood against port 80 (HTTP) of www.windowsupdate.com in order to mount a distributed denial-of-service (DDoS) attack. The attack failed, as Microsoft used the targeted domain only to redirect to the main site (windowsupdate.microsoft.com).

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.