2005
In first place for the top malware ranking is Sdbot.ftp, which has held this ranking for the last six months. This generic detection of the variants of the Sdbot worm, downloaded via FTP, was responsible for 3.7 percent of infections. In second place comes the tenacious veteran Netsky.P. Since this worm first appeared in 2004, it has stubbornly refused to leave the monthly list of most frequently detected viruses. Ironically, this worm exploits a vulnerability in Internet Explorer which was detected and resolved some years ago.
2006
April 07,
Cross-platform Virus Infects Linux And Windows. A security company announced Friday that it had found a cross-over virus that can infect PCs running either the open-source Linux or Microsoft Windows operating systems. Dubbed "Linux.Bi.a" and "Win32.Bi.a," the split-personality malware doesn't do any damage. Instead, it's a proof-of-concept to prove that a cross-platform virus is possible. "However, experience shows that once proof-of-concept code is released, virus writers are usually quick to take the code, and adapt it for their own use." "It is a sign that the cross-platform aspects are becoming important. As the developers of viruses continue to research this, we will see (more) cross-platform malware." Already, malicious Web site creators send exploits to visitors based on what browser and/or platform the surfer is using. The Linux.Bi.a/Win32.Bi.a virus can infect either ELF binaries (Linux) or files with the ".exe" extension (Windows).
July 14,
The Sophos Security Threat Management Report reveals that while there has been a vast drop in the number of new viruses and worms being written, this has been over-compensated by increases in other types of malware, as cyber criminals turn their attention to stealing information and money. Most interestingly, new Trojans now outweigh viruses and worms by 4:1, compared to 2:1 in the first half of 2005. In addition, the continued dominance of Windows-based threats has prompted Sophos to suggest that many home users should consider switching to Apple Macs, to shield themselves from the malware onslaught.
Worms
The first sign of computer worm activity dates back to 1982, when a program
called Elk Cloner squirmed through Apple II systems. The SCA virus and Brain,
written for IBM PC compatibles and Amigas, would pop up in the late 1980s,
followed by the Morris Worm, the first documented "in the wild" proof-of-concept
that infected DEC VAX machines.
Those worms hardly registered on the mainstream media radar but, with the
arrival of Windows 95, all that changed in a hurry. The computer world has never
been the same.
March 1999: Melissa Strikes
Named after a lap dancer in Florida, the Melissa worm is considered the
first destructive mass-mailer targeting Microsoft customers. The worm was
programmed to spread via Microsoft Word- and Outlook-based systems, and the
infection rate was startling.
Melissa, created by a New Jersey hacker
who would go to jail for the attack, was released on a Usenet discussion group
inside a Microsoft Word file. It spread quickly via e-mail, sending anti-virus
vendors scrambling to add detections and prompting immediate warnings from the
CERT Coordination Center.
The Explorer.zip worm appeared in the summer of 1999, following in the
footsteps of Melissa. The worm deleted Word, Excel, and PowerPoint files and
randomly altered other types of files. Like Melissa, Explorer traveled via
e-mails that appeared to be from someone the recipient knew. The message
included a file that, if activated, showed a fake error message to the user.
Unlike Melissa, this virus did not use Outlook to gather e-mail addresses.
Instead, it watched the in-box of the infected computer and then sent automatic
replies to senders, using the same e-mail subject as the original message.
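As an added illustration of the auto-reply propagation pattern just described (example code written for this page, not part of the original article or of any vendor's tooling), the following Python heuristic correlates constructed mail-log lines and flags a mailbox that answers several different senders with their own subject line plus an executable attachment. The log format, field names, addresses and timestamps are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail-log lines (not from any real MTA): time|direction|from|to|subject|attachment
SAMPLE_LOG = """\
2024-03-01T09:00:10|in|alice@example.org|bob@corp.example|Q3 budget|
2024-03-01T09:00:42|out|bob@corp.example|alice@example.org|Q3 budget|zipped_files.exe
2024-03-01T09:01:05|in|carol@example.org|bob@corp.example|lunch?|
2024-03-01T09:01:30|out|bob@corp.example|carol@example.org|lunch?|zipped_files.exe
2024-03-01T10:15:00|in|dave@example.org|bob@corp.example|invoice|
2024-03-01T11:40:00|out|bob@corp.example|dave@example.org|Re: invoice|report.pdf
2024-03-01T12:00:00|out|bob@corp.example|erin@example.org|hello|
"""

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def parse_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, direction, sender, rcpt, subject, attachment = line.split("|")
            records.append({"time": datetime.fromisoformat(ts), "dir": direction,
                            "from": sender, "to": rcpt, "subject": subject,
                            "attachment": attachment})
    return records

def find_autoreply_hits(records, window=timedelta(minutes=10)):
    """(local mailbox, counterpart, subject) for each outbound message that echoes
    an inbound subject verbatim within `window` and carries an executable."""
    inbound = defaultdict(list)  # (local mailbox, remote sender, subject) -> arrival times
    for r in records:
        if r["dir"] == "in":
            inbound[(r["to"], r["from"], r["subject"])].append(r["time"])
    hits = []
    for r in records:
        if r["dir"] != "out" or not r["attachment"].lower().endswith(EXECUTABLE_EXTENSIONS):
            continue
        if any(timedelta(0) <= r["time"] - t <= window
               for t in inbound.get((r["from"], r["to"], r["subject"]), ())):
            hits.append((r["from"], r["to"], r["subject"]))
    return hits

def suspicious_mailboxes(hits, min_counterparts=2):
    """One echo-reply is weak evidence; the worm pattern is one mailbox doing it to several senders."""
    seen = defaultdict(set)
    for mailbox, other, _ in hits:
        seen[mailbox].add(other)
    return sorted(m for m, s in seen.items() if len(s) >= min_counterparts)
```

Running `suspicious_mailboxes(find_autoreply_hits(parse_log(SAMPLE_LOG)))` on the constructed log flags only bob@corp.example; the genuine "Re: invoice" reply with a PDF and the unanswered "hello" message are ignored.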
May 2000: ILOVEYOU
Still widely considered one of the most costly viruses to enterprises, the
ILOVEYOU worm, also known as VBS/Loveletter or Love Bug, used social engineering
and catchy subject lines to trick Windows users into launching the executable.
The worm spread rapidly by sending out copies of itself to all entries in the
Microsoft Outlook address book. Anti-virus researchers also discovered an
additional—and dangerous—component called "WIN-BUGSFIX.EXE" that was a
password-stealing program that e-mailed cached passwords back to the attacker.
The worm also gained the attention of the mainstream press when it launched a
denial-of-service attack against the White House Web site. To this day,
anti-virus vendors report ILOVEYOU sightings in the wild.
2001: A Triple-Barreled Barrage
Worms increase in prevalence with Sircam, CodeRed, and BadTrans creating the most problems.
This was the year that malicious worm activity exploded, with three high-profile
attacks bombarding Windows users. First up was SirCam, malicious code that spread through e-mail and unprotected network shares, mailing personal documents from infected machines out across the Internet. The damage from SirCam was
somewhat limited, but what was to follow would set the tone for a spate of
network worms that caused billions of dollars in business costs.
In July 2001, the appearance of Code Red again set the cat among the pigeons, spreading via a flaw in Microsoft's Internet Information Server (IIS) Web
server. The worm exploited a vulnerability in the indexing software distributed with IIS and caused widespread panic by defacing Web sites with the stock phrase
"Hacked By Chinese!" Code Red attacked vulnerable Web sites and was expected to eventually reroute its attack to the White House homepage. It infected
approximately 359,000 hosts in the first twelve hours. Code Red spread itself by looking for more vulnerable IIS servers on the Internet and, in August, launched a
denial-of-service attack against several U.S. government Web sites, including the White House portal.
Less than a month later, a new mutant identified as Code Red II appeared and wreaked even more havoc.
BadTrans, the third of the year's major worms, was designed to capture passwords and credit card information.
2002
The Klez worm, an example of the increasing trend of worms that spread through email, overwrites files (its payload fills files with zeroes),
creates hidden copies of the originals, and attempts to disable common anti-virus products.
The Bugbear worm also made its first appearance in September 2002. It is a complex worm with many methods of infecting systems.
Benjamin, a new breed of worm, was let loose in May 2002, and it affected users of the popular file-sharing program Kazaa. The crafty worm posed as
popular music and movie files. Kazaa users thought they were downloading a media file to their machines, but they got the imposter instead. It then set
up a Kazaa share folder and stuffed it with copies of itself posing as popular music and movie files, which other Kazaa users would download. It
congested the system's network connection and would ultimately fill up a hard drive.
2003
Slammer, Sobig and Blaster
This year Windows users had to contend with another three-pronged threat—Slammer in January 2003 and the Sobig and Blaster attacks in the summer.
Reminiscent of the Code Red worm, Slammer exploited two buffer overflow vulnerabilities in Microsoft's SQL Server database, causing major congestion of
Internet traffic throughout Asia, Europe and North America.
The worm infected about 75,000 hosts in the first 10 minutes and knocked several ISPs around the world offline for extended periods of time.
As Microsoft struggled to cope with the Slammer fallout, there were two new outbreaks in the summer with Sobig and Blaster squirming through millions of
unpatched Windows machines. The fast-spreading worms crippled network infrastructure globally and the cleanup and recovery were estimated to be tens
of billions of dollars.
Blaster was particularly nasty. The worm spread by exploiting a buffer overflow in the DCOM RPC service on Windows 2000 and Windows XP and also launched a SYN
flood attack against port 80 of Microsoft's windowsupdate.com site that is used to distribute security patches. Microsoft was able to dodge the bullet by
temporarily redirecting the site, but the media latched onto the story and forced the company to make major changes to its patching schedule to help customers cope
with the patch management nightmare.
2004: Sasser Strikes
After Slammer and Blaster, Microsoft customers complained bitterly that the company's unpredictable patching schedule was causing hiccups in the patch deployment process.
In October 2003, chief executive Steve Ballmer announced a plan to release security bulletins on a monthly cycle, except for emergency situations.
The new plan was greeted warmly, but the worm attacks showed no sign of letting up. In January 2004, the MyDoom worm was spotted.
A mass-mailer with a payload targeting the Windows operating system, MyDoom quickly surpassed Sobig as the fastest-spreading e-mail worm ever.
In addition to seeding Windows machines to create botnets, MyDoom was programmed to launch DDoS (distributed denial-of-service) attacks on
Microsoft's Web site.
In early May, Sasser hit. Exploiting a flaw in the LSASS (Local Security Authority Subsystem Service) component, the Sasser worm squirmed through
unpatched Windows 2000 and Windows XP machines. Sasser was particularly dangerous and spread rapidly through vulnerable network ports.
Microsoft is credited with reacting swiftly to contain the Sasser spread but, as the Zotob attacks of August 2005 prove (Zotob is a worm that spreads by exploiting the Microsoft Windows Plug and Play buffer overflow vulnerability described in Microsoft Security Bulletin MS05-039), the time to exploit an unpatched flaw has narrowed significantly since the launch of Windows 95 10 years ago.
It’s being called the worst computer worm of the year — a
fast-spreading Internet threat that looks like an official e-mail
from the CIA or FBI but can leave your computer wide open to intruders.
The bogus e-mail claims the government has discovered you visiting “illegal”
Web sites and asks you to open an attachment to answer some
official questions. If you do, your computer gets infected with malware that can
disable security and firewall programs and blast out similar
e-mails to contacts in your address book. It can also keep you from
getting to computer security Web sites that might help fix the problem, and
it may open your Windows computer to intruders who can steal your personal data.
The worm — named “Sober X” — has spread so far so fast that the CIA and
the FBI put prominent warnings on their Web sites making it clear that they did
not send out the e-mail and urging people to not open the attachment.
July 2006
Sober-Z worm
A Dominant Monopoly
Findings show that the most widespread threat from January to date (14
July 2006) is the Sober-Z worm, which, at its peak, accounted for one in every
thirteen emails. This worm's dominance is evidence of trends of moving
away from email virus attacks, since Sober-Z maintains a monopoly despite having
stopped spreading on 6 January 2006. Further reinforcing this, only one in every
91 of all emails were viral so far this year, compared with one in every 35 for
the same period in 2005. Some of the side effects of Sober-Z are: