MALWARE HISTORY

2004

Malware authors continued to focus mostly on worms during 2004, just as they had the previous year. The successful attacks carried out by Slammer, Win32.Sobig and Tantalos were reason enough to keep improving worms rather than viruses.

However, the sharp increase in malware and the utter disaster caused by Slammer called for a solution, and antivirus researchers accelerated their technological development. Other major industry players, such as the popular search engine Google, entered the battle against malware.

In late January, MyDoom set the tone with the first major attacks of the year against computers running Microsoft Windows operating systems. It started causing panic on January 26th and quickly became the fastest-spreading e-mail worm ever. Although there are no accurate reports, MyDoom is believed to have beaten the previous infection records set by the Sobig worm.

A closer look at MyDoom's body suggested that the mass-mailer had been commissioned by spammers in order to facilitate their work: the worm contains the text "andy; I'm just doing my job, nothing personal, sorry," which might mean that the author had been paid to write it. Other scenarios claim that the worm was released by a professional underground programmer located in Russia, although authorship cannot be determined for sure.

On March 19, a new worm called Win32.Worm.Witty.A successfully exploited a buffer overflow in security products manufactured by Internet Security Systems (ISS) and started a massive wave of destruction. Witty came with a couple of new programming techniques and innovations that made it rather unique. For instance, it was the first worm to take advantage of a vulnerability in the very pieces of software designed to enhance network security; because it targeted an intrusion-detection product, the hosts it hit were precisely the ones that had deployed such protection. More than that, it came with an extremely malicious payload: once inside the host system, it starts attacking a pseudo-random subset of IP addresses. It fires these attacks in sets of 20,000 packets, and after each set it overwrites a randomly chosen section of the computer's hard disk, so an infected machine slowly destroys itself while it keeps spreading.
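A signature check for Witty traffic, written here as an added example and not taken from the page or from any vendor's product. It relies on two well-documented traits of the worm that the text above does not mention: every Witty datagram was sent from UDP source port 4000 (the port the vulnerable ISS parser treated as ICQ) and carried the marker text "(^.^) insert witty message here (^.^)". The packet records are constructed for the example.

```python
"""Witty detection over constructed UDP packet records (added example).

Witty spread in single UDP datagrams sent from source port 4000 and each
datagram carried the marker "(^.^) insert witty message here (^.^)".  Both
traits come from the public analyses of the worm, not from the article; the
packet records below are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass

WITTY_SRC_PORT = 4000
WITTY_MARKER = b"(^.^) insert witty message here (^.^)"


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def is_witty(pkt: UdpPacket) -> bool:
    """Require both traits.  Source port 4000 alone also matches genuine ICQ
    traffic; the marker alone could be padded differently.  Together they
    describe the worm as it actually spread."""
    return pkt.src_port == WITTY_SRC_PORT and WITTY_MARKER in pkt.payload


def witty_sources(packets):
    """Count Witty datagrams per source address.  Because the worm picks its
    targets pseudo-randomly, one infected host shows up as many packets to
    unrelated destinations and ports; that fan-out is the second signal to
    look for once a match fires."""
    return dict(Counter(p.src_ip for p in packets if is_witty(p)))


# Constructed sample traffic: three Witty datagrams from one host fanning out
# to random destinations, one ICQ-looking packet from port 4000 without the
# marker, and one unrelated DNS packet.
SAMPLE_PACKETS = [
    UdpPacket("10.0.0.5", 4000, "198.51.100.7", 1234,
              b"\x90" * 64 + WITTY_MARKER + b"\x00" * 700),
    UdpPacket("10.0.0.5", 4000, "203.0.113.88", 53111,
              b"\x90" * 64 + WITTY_MARKER + b"\x00" * 500),
    UdpPacket("10.0.0.5", 4000, "192.0.2.19", 9,
              b"\x90" * 64 + WITTY_MARKER),
    UdpPacket("10.0.0.9", 4000, "10.0.0.1", 4000, b"\x02\x00\x00ICQ hello"),
    UdpPacket("10.0.0.9", 51000, "10.0.0.1", 53, b"\x12\x34\x01\x00dns"),
]

if __name__ == "__main__":
    for src, n in witty_sources(SAMPLE_PACKETS).items():
        print(f"{src}: {n} Witty datagram(s)")
```

A real deployment would feed captured UDP records into `witty_sources` instead of the constructed list; the point is that a worm riding a single fixed-port datagram with a fixed marker is trivial to fingerprint, which is why the damage it did came from speed and from the disk-wiping payload rather than from stealth.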

The first day of May brought a new security threat in the form of the Win32.Worm.Sasser.DAN worm, a piece of malware exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service). While other viruses and worms catch system administrators and security analysts by surprise, Win32.Worm.Sasser.DAN built its attack on laziness and lack of information. It would only spread to unpatched systems, yet Microsoft had released a critical patch addressing the LSASS issue on April 13, 2004 (bulletin MS04-011), more than two weeks before the first attack. Some sources claim that the authors reverse-engineered the patch to discover the vulnerability and then relied on the fact that not all system administrators deploy security patches on time. The worm could also be stopped by a properly configured firewall: it scanned for TCP port 445 and served its body from an FTP listener on port 5554 opened on each freshly infected host, and neither port needs to be reachable from the Internet.

The last month of 2004 brought to life the first known "webworm". Also known as Worm.PhpBB.Santy.A, this new type of malware was written in Perl and relied on a vulnerability in the popular phpBB forum software in order to spread across the Internet, using Google searches to locate forums to attack. The tiny Perl worm managed to take down between 30,000 and 40,000 websites in about 24 hours. The worm would only deface websites written in PHP or HTML: it caused writable files on the infected server to display the message "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X". Google nevertheless took a stance against the attack and filtered the search query used by the worm, thus putting an end to the outbreak. Two things limited the damage: the worm ran with the web server's privileges and could only overwrite what that account could write, and its target discovery depended on a single third party that was able to cut it off.
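Santy could only deface files the compromised web server process was allowed to write. The audit below, an added example rather than code from the page or from phpBB, walks a document root and reports the PHP and HTML files that a given uid/gid could modify, judged from ownership and the classic mode bits. The web server uid/gid and document root are parameters (the demo picks a uid/gid that differs from the file owner to stand in for the web account); the demo tree and its files are constructed, and the block assumes a POSIX system.

```python
"""Audit of web files the server account could overwrite (added example).

Santy defaced only the files the phpBB process could write.  This walk lists
every .php/.html/.htm file under a document root that an account with the
given uid/gid could modify, from ownership and mode bits alone (POSIX ACLs
are not considered).  The demo builds a throwaway tree of constructed files;
nothing here is from the article or from phpBB.
"""
import os
import stat
import tempfile

WEB_SUFFIXES = (".php", ".html", ".htm")


def writable_by(st: os.stat_result, uid: int, gid: int) -> bool:
    """True if an account with this uid/gid could write the file, using the
    owner/group/other write bits in the order the kernel applies them."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def defaceable_files(docroot: str, uid: int, gid: int):
    """Sorted relative paths of web files under docroot writable by uid/gid."""
    found = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(WEB_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and writable_by(st, uid, gid):
                found.append(os.path.relpath(path, docroot))
    return sorted(found)


def demo():
    """Constructed document root.  The web account is modelled as a uid/gid
    that differs from the file owner (an assumption for the demo), so only
    the two world-writable web files should be reported."""
    web_uid, web_gid = os.getuid() + 1, os.getgid() + 1
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        os.makedirs(os.path.join(root, "includes"))
        files = {
            "index.html": 0o666,           # world-writable: defaceable
            "uploads/notes.html": 0o666,   # world-writable: defaceable
            "includes/config.php": 0o640,  # owner/group only: safe
            "index.php": 0o644,            # read-only for others: safe
            "uploads/avatar.png": 0o666,   # not a web file: not reported
        }
        for rel, mode in files.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("<html>constructed</html>\n")
            os.chmod(path, mode)
        return defaceable_files(root, web_uid, web_gid)


if __name__ == "__main__":
    for rel in demo():
        print("writable by web account:", rel)
```

Run `defaceable_files("/var/www/html", uid, gid)` with the real web server's uid and gid against a live document root; an empty result is the least-privilege state in which a Santy-style defacement has nothing to overwrite, and every path reported is a file that a compromised forum could rewrite.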

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.
