In first place for the top malware ranking is Sdbot.ftp, which has held this ranking for the last six months. This generic detection of the variants of the Sdbot worm, downloaded via FTP,
was responsible for 3.7 percent of infections. In second place comes the tenacious veteran Netsky.P. Since this worm first appeared in 2004, it has stubbornly refused to leave the monthly
list of most frequently detected viruses. Ironically, this worm exploits a vulnerability in Internet Explorer which was detected and resolved some years ago.
April 07, Cross-platform Virus Infects Linux And Windows. A security company announced Friday that it had found a cross-over virus that can infect PCs running either the open-source
Linux or Microsoft Windows operating systems. Dubbed "Linux.Bi.a" and "Win32.Bi.a," the split-personality malware doesn't do any damage. Instead, it's a proof-of-concept to prove that a
cross-platform virus is possible. "However, experience shows that once proof-of-concept code is released, virus writers are usually quick to take the code, and adapt it for their own use". "It is
a sign that the cross-platform aspects are becoming important. As the developers of viruses continue to research this, we will see (more) cross-platform malware." Already, malicious Web site
creators send exploits to visitors based on what browser and/or platform the surfer is using. Linux.Bi.a/Win32.Bi.a virus can infect either ELF binaries (Linux) or files with the ".exe" extension
The Sophos Security Threat Management Report reveals that while there has been a
vast drop in the number of new viruses and worms being written, this has been
by increases in other types of malware, as cyber criminals turn their attention to stealing information and money. Most interestingly, new Trojans now outweigh viruses and worms by 4:1, compared
to 2:1 in the first half of 2005. In addition, the continued dominance of Windows-based threats has prompted Sophos to suggest that many home users should consider switching to Apple Macs, to
shield themselves from the malware onslaught.
The first sign of computer worm activity dates back to 1982, when a program called Elk Cloner squirmed through Apple II systems. The SCA virus and Brain, written for IBM PC compatibles and Amigas, would pop up in the late 1980s, followed by the Morris Worm, the first documented "in the wild" proof-of-concept that infected DEC VAX machines.
Those worms hardly registered on the mainstream media radar but, with the arrival of Windows 95, all that changed in a hurry. The computer world has never been the same.
March 1999: Melissa Strikes
Named after a lap dancer in Florida, the Melissa worm is the considered the first destructive mass-mailer targeting Microsoft customers. The worm was programmed to spread via Microsoft Word- and Outlook-based systems, and the infection rate was startling.
Melissa, created by a New Jersey hacker who would go to jail for the attack, was released on a Usenet discussion group inside a Microsoft Word file. It spread quickly via e-mail, sending anti-virus vendors scrambling to add detections and prompting immediate warnings from the CERT Coordination Center.
The Explorer.zip worm appeared in the summer of 1999, following in the
footsteps of Melissa. The worm deleted Word, Excel, and PowerPoint files and
randomly altered other types of files. Like Melissa, Explorer traveled via
e-mails that appeared to be from someone the recipient knew. The message
included a file that, if activated, showed a fake error message to the user.
Unlike Melissa, this virus did not use Outlook to gather e-mail addresses.
Instead, it watched the in-box of the infected computer and then sent automatic
replies to senders, using the same e-mail subject as the original message.
May 2000: ILOVEYOU
Still widely considered one of the most costly viruses to enterprises, the ILOVEYOU worm, also known as VBS/Loveletter or Love Bug, used social engineering and catchy subject lines to trick Windows users into launching the executable.
The worm spread rapidly by sending out copies of itself to all entries in the Microsoft Outlook address book. Anti-virus researchers also discovered an additional—and dangerous—component called "WIN-BUGSFIX.EXE" that was a password-stealing program that e-mailed cached passwords back to the attacker.
The worm also gained the attention of the mainstream press when it launched a denial-of-service attack against the White House Web site. To this day, anti-virus vendors report ILOVEYOU sightings in the wild.
2001: A Triple-Barreled Barrage
Worms increase in prevalence with Sircam, CodeRed, and BadTrans creating the most problems.
This was the year that malicious worm activity exploded, with three high-profile attacks bombarding Windows users. First up was SirCam, malicious code that spread through e-mail and unprotected network shares. Sircam spreads personal documents over the Internet through email. The damage from SirCam was somewhat limited, but what was to follow would set the tone for a spate of network worms that caused billions of dollars in business costs.
In July 2001, the appearance of Code Red again set the cat among the pigeons, spreading via a flaw in Microsoft's Internet Information Server (IIS) Web server. The worm exploited a vulnerability in the indexing software distributed with IIS and caused widespread panic by defacing Web sites with the stock phrase "Hacked By Chinese!" CodeRed attacks vulnerable webpages, and was expected to eventually reroute its attack to the White House homepage. It infected approximately 359,000 hosts in the first twelve hours. Code Red spread itself by looking for more vulnerable IIS servers on the Internet and, in August, launched a denial-of-service attack against several U.S. government Web sites, including the White House portal.
Less than a month later, a new mutant identified as Code Red II appeared and wreaked even more havoc.
BadTrans is designed to capture passwords and credit card information.
The Klez worm, an example of the increasing trend of worms that spread through email, overwrites files (its payload fills files with zeroes), creates hidden copies of the originals, and attempts to disable common anti-virus products.
worm also makes it first appearance in September. It is a complex worm with many methods of infecting systems.
Benjamin--a new breed of worm--was let loose in May 2002, and it affected users of the popular file-sharing program Kazaa. The crafty worm posed as
popular music and movie files. Kazaa users thought they were downloading a media file to their machines, but they got the imposter instead. It then set
up a Kazaa share folder and stuffed it with copies of itself posing as popular music and movie files, which other Kazaa users would download. It
congested the system's network connection and would ultimately fill up a hard drive.
Slammer, Sobig and Blaster
This year Windows users had to contend with another three-pronged threat—Slammer in January 2003 and the Sobig and Blaster attacks in the summer.
Reminiscent of the Code Red worm, Slammer exploited two buffer overflow vulnerabilities in Microsoft's SQL Server database, causing major congestion of Internet traffic throughout Asia, Europe and North America.
The worm infected about 75,000 hosts in the first 10 minutes and knocked several ISPs around the world offline for extended periods of time.
As Microsoft struggled to cope with the Slammer fallout, there were two new outbreaks in the summer with Sobig and Blaster squirming through millions of unpatched Windows machines. The fast-spreading worms crippled network infrastructure globally and the cleanup and recovery were estimated to be tens of billions of dollars.
Blaster was particularly nasty. The worm spread by exploiting a buffer overflow in the DCOM RPC service on Windows 2000 and Windows XP and also launched a SYN flood attack against port 80 of Microsoft's windowsupdate.com site that is used to distribute security patches. Microsoft was able to dodge the bullet by temporarily redirecting the site, but the media latched onto the story and forced the company to make major changes to its patching schedule to help customers cope with the patch management nightmare.
2004: Sasser Strikes
After Slammer and Blaster, Microsoft customers complained bitterly that the company's unpredictable patching schedule was causing hiccups in the patch deployment process. In October 2003, chief executive Steve Ballmer announced a plan to release security bulletins on a monthly cycle, except for emergency situations.
The new plan is greeted warmly, but the worm attacks showed no sign of letting up. In January 2004, the MyDoom worm was spotted. A mass-mailer with a payload targeting the Windows operating system, MyDoom quickly surpassed Sobig as the fastest-spreading e-mail worm ever. In addition to seeding Windows machines to create botnets, MyDoom was programmed to launch DDoS (distributed denial-of-service) attacks on Microsoft's Web site.
In early May, Sasser hit. Exploiting a flaw in the LSASS (Local Security Authority Subsystem Service) component, the Sasser worm squirmed through unpatched Windows 2000 and Windows XP machines. Sasser was particularly dangerous and spread rapidly through vulnerable network ports.
Microsoft is credited with reacting swiftly to contain the Sasser spread but, as the latest Zotob August 2005(Zotob is a worm that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability described in Microsoft Security Bulletin MS05-039) attacks prove, the time to exploit an unpatched flaw has narrowed significantly since the launch of Windows 95 10 years ago.
It’s being called the worst computer worm of the year — a
fast-spreading Internet threat that looks like an official e-mail
from the CIA or FBI but can leave your computer wide open to intruders.
The bogus e-mail claims the government has discovered you visiting “illegal” Web sites and asks you to open an attachment to answer some official questions. If you do, your computer gets infected with malware that can disable security and firewall programs and blast out similar e-mails to contacts in your address book. It can also keep you from getting to computer security Web sites that might help fix the problem, and it may open your Windows computer to intruders who can steal your personal data.
The worm — named “Sober X” — has spread so far so fast that the CIA and the FBI put prominent warnings on their Web sites making it clear that they did not send out the e-mail and urging people to not open the attachment.
A Dominant Monopoly
Findings show that the most widespread threat from January to date (14 July 2006) is the Sober-Z worm, which, at its peak, accounted for one in every thirteen emails. This worm's dominance is evidence of trends of moving away from email virus attacks, since Sober-Z maintains a monopoly despite having stopped spreading on 6 January 2006. Further reinforcing this, only one in every 91 of all emails were viral so far this year, compared with one in every 35 for the same period in 2005. Some of the side effects of Sober-Z are: