[ISN] From Melissa to Zotob: 10 Years of Windows Worms

InfoSec News isn at c4i.org
Thu Aug 25 06:44:48 EDT 2005


By Ryan Naraine 
August 24, 2005 

The names roll of the tongue like characters in an episode of
"American Gladiators." Klez. Blaster. Slammer. Sasser. Zotob. Computer
viruses and worms, all targeting users of Microsoft Corp.'s Windows
operating system.

The first sign of computer worm activity dates back to 1982, when a
program called Elk Cloner squirmed through Apple II systems. The SCA
virus and Brain, written for IBM PC compatibles and Amigas, would pop
up in the late 1980s, followed by the Morris Worm, the first
documented "in the wild" proof-of-concept that infected DEC VAX

Those worms hardly registered on the mainstream media radar but, with
the arrival of Windows 95, all that changed in a hurry. The computer
world has never been the same.

March 1999: Melissa Strikes

Named after a lap dancer in Florida, the Melissa worm is the
considered the first destructive mass-mailer targeting Microsoft
customers. The worm was programmed to spread via Microsoft Word- and
Outlook-based systems, and the infection rate was startling.

Melissa, created by a New Jersey hacker who would go to jail for the
attack, was released on a Usenet discussion group inside a Microsoft
Word file. It spread quickly via e-mail, sending anti-virus vendors
scrambling to add detections and prompting immediate warnings from the
CERT Coordination Center.

May 2000: ILOVEYOU

Still widely considered one of the most costly viruses to enterprises,
the ILOVEYOU worm, also known as VBS/Loveletter or Love Bug, used
social engineering and catchy subject lines to trick Windows users
into launching the executable.

The worm spread rapidly by sending out copies of itself to all entries
in the Microsoft Outlook address book. Anti-virus researchers also
discovered an additional—and dangerous—component called
"WIN-BUGSFIX.EXE" that was a password-stealing program that e-mailed
cached passwords back to the attacker.

The worm also gained the attention of the mainstream press when it
launched a denial-of-service attack against the White House Web site.  
To this day, anti-virus vendors report ILOVEYOU sightings in the wild.

2001: A Triple-Barreled Barrage

This was the year that malicious worm activity exploded, with three
high-profile attacks bombarding Windows users. First up was SirCam,
malicious code that spread through e-mail and unprotected network
shares. The damage from SirCam was somewhat limited, but what was to
follow would set the tone for a spate of network worms that caused
billions of dollars in business costs.

What will get Windows 95 die-hards to upgrade to Vista? Click here to
read more.

In July 2001, the appearance of Code Red again set the cat among the
pigeons, spreading via a flaw in Microsoft's Internet Information
Server (IIS) Web server. The worm exploited a vulnerability in the
indexing software distributed with IIS and caused widespread panic by
defacing Web sites with the stock phrase "Hacked By Chinese!" Code Red
spread itself by looking for more vulnerable IIS servers on the
Internet and, in August, launched a denial-of-service attack against
several U.S. government Web sites, including the White House portal.

Less than a month later, a new mutant identified as Code Red II
appeared and wreaked even more havoc.

Still reeling from the effects of SirCam and Code Red, Windows users
would soon have to deal with Klez, an e-mail borne virus that
exploited a flaw in Microsoft's Internet Explorer browser and targeted
both Outlook and Outlook Express users.

Because Klez required users to click on an embedded e-mail attachment,
the damage was limited, but when later variants appeared with spoofed
sender addresses, it provided the first sign that virus writers would
change tactics to avoid detection. The spoofing of e-mail addresses
would later become a standard trick to attack non-technical e-mail
(and Windows) users.

Slammer, Sobig and Blaster

After a worm-free 2002, Windows users had to contend with another
three-pronged threat - Slammer in January 2003 and the Sobig and
Blaster attacks in the summer.

Reminiscent of the Code Red worm, Slammer exploited two buffer
overflow vulnerabilities in Microsoft's SQL Server database, causing
major congestion of Internet traffic throughout Asia, Europe and North

The worm infected about 75,000 hosts in the first 10 minutes and
knocked several ISPs around the world offline for extended periods of

As Microsoft struggled to cope with the Slammer fallout, there were
two new outbreaks in the summer with Sobig and Blaster squirming
through millions of unpatched Windows machines. The fast-spreading
worms crippled network infrastructure globally and the cleanup and
recovery were estimated to be tens of billions of dollars.

Blaster was particularly nasty. The worm spread by exploiting a buffer
overflow in the DCOM RPC service on Windows 2000 and Windows XP and
also launched a SYN flood attack against port 80 of Microsoft's
windowsupdate.com site that is used to distribute security patches.  
Microsoft was able to dodge the bullet by temporarily redirecting the
site, but the media latched onto the story and forced the company to
make major changes to its patching schedule to help customers cope
with the patch management nightmare.

2004: Sasser Strikes

After Slammer and Blaster, Microsoft customers complained bitterly
that the company's unpredictable patching schedule was causing hiccups
in the patch deployment process. In October 2003, chief executive
Steve Ballmer announced a plan to release security bulletins on a
monthly cycle, except for emergency situations.

The new plan is greeted warmly, but the worm attacks showed no sign of
letting up. In January 2004, the MyDoom worm was spotted. A
mass-mailer with a payload targeting the Windows operating system,
MyDoom quickly surpassed Sobig as the fastest-spreading e-mail worm
ever. In addition to seeding Windows machines to create botnets,
MyDoom was programmed to launch DDoS (distributed denial-of-service)  
attacks on Microsoft's Web site.

In early May, Sasser hit. Exploiting a flaw in the LSASS (Local
Security Authority Subsystem Service) component, the Sasser worm
squirmed through unpatched Windows 2000 and Windows XP machines.  
Sasser was particularly dangerous and spread rapidly through
vulnerable network ports.

Microsoft is credited with reacting swiftly to contain the Sasser
spread but, as the latest Zotob attacks prove, the time to exploit an
unpatched flaw has narrowed significantly since the launch of Windows
95 10 years ago.

More information about the ISN mailing list