A Look Into The Viruses That Caused Havoc In 2003

In a recently published report by managed e-mail security provider Message Labs, we can see a dramatic increase in e-mail-borne viruses: the ratio of virus-infected to clean e-mails rose 84 percent, to 1:33 from 1:212 a year ago.

Viruses and worms received an enormous amount of media coverage this year. The year started with a bang: the Slammer worm exploited a buffer overflow in Microsoft SQL Server 2000 and hit the Internet in one of the biggest attacks to date. In January we saw the first version of the now infamous Sobig worm, which used a built-in SMTP client and local Windows network shares to spread, and which inspired a string of variants that wreaked havoc throughout 2003. February brought us Lovgate, a combination of a worm and a trojan.

The next few months gave us a couple of inventive worms: Ganda used the Iraq war as its social-engineering lure, and Fizzer replicated over e-mail as well as over the KaZaa peer-to-peer network. August was a true demolition derby of a month, featuring all the big ones: Sobig.F, Blaster, Welchia and Mimail all spread rapidly. Since then there has been a large number of copycat worms, most of them using well-known replication methods.

I talked with some of the leading experts from the anti-virus and data security industry; below you can read their views on the most important malware events of 2003, as well as their expectations for the coming year.

The participants, in the order their answers appear below: Graham Cluley (Senior Technology Consultant, Sophos), David Perry (Global Director Of Education, Trend Micro), Fernando de la Cuadra (International Technical Editor, Panda Software), Denis Zenkin (Head of Corporate Communications, Kaspersky Labs), Mikko H. Hypponen (Director of Anti-Virus Research, F-Secure Corporation) and Nick Galea (Managing Director & CEO, GFI Software).

In your opinion, what were the most important moments for the anti-virus industry in 2003? What were the biggest infectors?

Graham Cluley: The biggest viruses were Sobig-F, Blaster and Nachi. Sobig-F showed that viruses could be a spam problem, with the sheer amount of email it generated. Some companies received hundreds of thousands of copies of Sobig-F every day. Blaster and Nachi showed that many computers were not being properly secured against the latest vulnerabilities, and that viruses could spread very fast via a route which was not email. Other worms, such as Mimail, launched internet attacks on anti-spam organizations, showing that spammers and virus writers were working closer together.

David Perry: Clearly, the rise of network viruses, starting with SLAMMER and climaxing with MS-Blast. The Slammer worm was propagated on Super Bowl weekend, which caught many American computer users unawares. It leveraged network protocols to spread from SQL Server to SQL Server. It was, however, limited to only infecting servers of that type. Slammer was so successful that it managed to obscure an entire country (South Korea) from the Internet, an unprecedented event in the history of malicious code. Blaster, on the other hand, infected all copies of Microsoft NT, XP and 2000. This raised the potential victim count from several hundred thousand to hundreds of millions, worldwide. Also known as Nachia, this network virus went through a variety of versions and has had the lasting effect of disabling use of MS-Exchange from most ISPs (Exchange connects from client to server on port 135, which was one of the primary ports used by the worm). I use the terms virus and worm interchangeably because worms are a special subset of viruses, hence all worms are viruses.

All network worms share the ability to infect a machine with no interaction from the user. This makes them both more prolific and more secretive. A user has no visual clue whatsoever that he or she is infected with a network worm. This is the most pernicious of their various traits. On an entirely different front–there has been a great deal of speculation about the connection between spam and viruses. A particular email worm (SOBIG) dropped a component that could conceivably be used by spammers to spread their annoying email messages anonymously.

Fernando de la Cuadra: The year began with SQLSlammer, a really fast infector. It only collapsed MS SQL Server, but the speed with which it infected servers was really incredible. It was a very important milestone for AV manufacturers because most of them could not detect the code with their obsolete technologies. The Blaster virus attacked in August, once again using a system vulnerability and propagating fast. Both viruses are, from my point of view, the biggest infectors that appeared in 2003, but there is also a really important infector in 2003 that appeared a long time ago: the Klez.I virus. Since its discovery, it has always been on the top virus lists.

Denis Zenkin: Undoubtedly the major deplorable surprise on the virus scene this year was the high proliferation of “flash”-type network worms: Slammer and Lovesan. This implies the real start of a new era of malware creation and protection: traditional anti-virus tools are no longer enough to protect a workplace against worms, and they should definitely be strengthened with firewalls to ensure maximum security. Another disturbing trend is of course the situation with security patches. The speed at which they are released and the way they are distributed are not sufficient.

Mikko H. Hypponen: From my perspective, these were the top five issues:

  • Slammer: single largest attack against the internet ever
  • Sobig.F: single largest email worm ever
  • Microsoft buying RAV and entering the AV business
  • New York blackout
  • Spammers starting to use viruses

Nick Galea: E-mail viruses were again at the forefront of IT news this year – particularly with viruses like Mimail and its variants, which attempted to steal confidential information from the compromised computers. Other special occurrences include SoBig and its variants, Bugbear.B, which spoofed the sender email address to make the infected email look legitimate, and the Blaster worm, which exploited a known Windows vulnerability in order to disseminate itself.

Why are there so many infections caused by worms that offer nothing new (the same old propagation tricks, exploiting the same vulnerabilities)?

Graham Cluley: Too many companies are failing to block unwanted executable content at the email gateway. A strict policy filter can weed out dangerous content and prevent new viruses from arriving via email. Furthermore, too many users are falling for the old confidence trick of “here’s a sexy file, why not run it?”

David Perry: Email is the main propagation method for viruses today, and has been since the arrival of Melissa in 1999. E-mail makes a good medium for viruses, being almost universally used by all computer users. Note that the email virus of today is a very different animal from the ones we saw last century. In 1999 and 2000, most email viruses were restricted to only being valid in Microsoft Outlook and Outlook Express, while today’s email worms carry their own SMTP engines and will work in any machine regardless of the email platform used.

There is an important distinction between ZOO viruses and viruses in the wild (ITW). Most of the really high level virus writers are loath to face legal problems, and do not deploy their viruses into the wild. Rather, they will email copies of their viruses directly to virus researchers. The writers who release viruses into the wild, on the other hand, tend to be less experienced programmers, and are frequently characterized as ‘script kiddies’. In general the vast majority of viruses are very derivative of previous viruses, which is both easier for the virus writer, and easier for the antivirus protection effort. We are not looking forward to more innovative viruses, but we spend a lot of time and money getting ready for them.

Fernando de la Cuadra: There is a really important factor that affects all computers. You can upgrade the system, you can install as many security barriers as you can, but the most dangerous element will never be removed – the user’s index finger. It’s the finger that double-clicks on the dangerous elements, clicks on the links, opens the mails… If companies do not train their users, old threats will carry on spreading.

Besides this, there is another important thing – network administrators don’t upgrade their systems on a timely basis. There are lots of causes for this lack of updating, but they should realize that this is a big problem. Web sites such as Help Net Security are doing a big job in this respect. If all administrators took a look just once a week, security would rise.

Denis Zenkin: I agree that during this year we saw several examples of global outbreaks caused by malware using the “good old” tricks of primitive social engineering (Swen, Sobig). It is really hard to say why exactly this happened. However, we believe this is because of the new Internet users, who are more aware of malware sneaking through security breaches than of social engineering.

Mikko H. Hypponen: Because users don’t patch their machines. And they never learn anything, ever.

Nick Galea: Because customers are not deploying technologies that focus on detecting the method used by virus writers. They are using signature-based products that are easy to fool time and time again, using the same tricks.
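As an added example (not code from the article, nor from Sophos, GFI or any other vendor quoted), the following Python script shows the kind of gateway attachment policy filter Graham Cluley describes above, and it also illustrates Nick Galea’s point about detecting the method rather than a signature: it blocks on what an attachment is (an executable extension, a double extension, a PE header hiding behind an image content type, an executable inside a ZIP) rather than on a hash of a known worm. It uses only the standard library; the extension list, the sample message and its addresses are constructed for illustration and are assumptions, not a real capture.

```python
"""Gateway attachment policy filter. Added example, not code from the article.
Flags executable content regardless of how the attachment is labelled."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click. Assumed starting policy, not a
# list taken from the article or any product.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "lnk", "reg", "msi",
}
PE_MAGIC = b"MZ"           # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"  # first local file header of a ZIP archive


def _extensions(filename):
    """All extensions of a name, lower-cased: 'photo.jpg.exe' -> ['jpg', 'exe']."""
    return filename.lower().split(".")[1:]


def classify_attachment(filename, payload, declared_type=""):
    """Return the list of policy violations for one attachment (empty = clean)."""
    reasons = []
    exts = _extensions(filename or "")
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension")
        if len(exts) > 1:  # the classic 'photo.jpg.exe' trick
            reasons.append("double extension")
    if payload.startswith(PE_MAGIC):
        reasons.append("PE header")
        if declared_type and not declared_type.startswith("application/"):
            reasons.append(f"content type lies: {declared_type}")
    if payload.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for name in zf.namelist():
                    nested = _extensions(name)
                    if nested and nested[-1] in EXECUTABLE_EXTENSIONS:
                        reasons.append(f"executable inside archive: {name}")
        except zipfile.BadZipFile:
            reasons.append("unreadable archive")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message and map each attachment name to its violations."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        report[name] = classify_attachment(name, payload, part.get_content_type())
    return report


def blocked_attachments(raw):
    """Names of attachments a strict policy would strip from the message."""
    return sorted(name for name, reasons in scan_message(raw).items() if reasons)


def build_sample_message():
    """Constructed sample message (not a real capture) carrying four attachments."""
    fake_pe = PE_MAGIC + b"\x90\x00" * 30  # stands in for a real executable body
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("movie.avi.exe", fake_pe)
    msg = EmailMessage()
    msg["From"] = "friend@example.com"      # assumed address
    msg["To"] = "victim@example.com"        # assumed address
    msg["Subject"] = "Re: Thank you!"
    msg.set_content("Please see the attached files.")
    # 1. honest .pif: the extension alone is enough to block it
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="details.pif")
    # 2. executable labelled as an image: only the magic bytes give it away
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    # 3. archive hiding a double-extension executable
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="movie.zip")
    # 4. harmless text attachment that must pass
    msg.add_attachment("see attached", subtype="plain", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        verdict = "BLOCK" if reasons else "pass"
        print(f"{name:12} {verdict:5} {', '.join(reasons)}")
```

Run it and three of the four attachments are blocked, each for a different reason, while `readme.txt` passes; a real gateway would strip or quarantine the flagged parts rather than just print. The point of checking the payload bytes as well as the name is that the filter does not care which worm sent the file, only that an executable is arriving by a route where executables have no business.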

When taking a look at malware, what do you expect from the year 2004?

Graham Cluley: We will see more Windows viruses and worms making a big impact. We will see more evidence of virus writers and spammers working in co-operation, and more internet worms. Everyone should ensure all their PCs are properly secured for a high level of protection.

David Perry: I expect more development of the breaking trends in virus code (pun intended), these being hybrid attacks (the so-called ‘blended threat’), network worms (these are particularly pernicious, but much harder to write, so there will be fewer of them, but more to be feared) and advances in chat (IM, IRC) based trojans.

Finally, I always predict that there will be two major surprises in any calendar year. I don’t know what they are, or they would not be surprises–but the history of viruses shows us that there is always something around the next corner.

Fernando de la Cuadra: Personally, I expect a quiet year, but you can bet that somebody will ruin my optimism. There are still a lot of servers without correct updates and with enough security holes to be afraid of. Besides Microsoft, many Linux systems may soon come under attack. With what we learned from SQLSlammer and Klez, there is the possibility of seeing fast infectors with special features such as denial of service, database deletion, theft of information, etc.

Denis Zenkin: We are afraid the year 2003 is the beginning of the flash-worm era and that this trend could continue in the coming years. This could lead to global outbreaks spreading all over the world in minutes and provoking mass Internet disruption.

Mikko H. Hypponen: I expect more Instant Messenger worms, really destructive widespread network worms (FORMAT C:) and directed attacks against critical infrastructure. I’m afraid there will be a lot of work for us in 2004.

Nick Galea: While some virus writers will take the already tried and tested route by releasing new viruses based on the ones that are already in the wild, more sophisticated malware creators will continue seeking new methods to disseminate the viruses they create.

For example, the threat of Trojans, used to obtain confidential information or damage a network, is on the rise. As early as 2001, an eWeek article reported that tens of thousands of machines were infected with Trojans; and in March this year, the ICSA Labs survey reported that Trojans are increasingly in use by malicious attackers. Content security products need to meet this challenge and detect unknown and dangerous executables.