
20 years of innovative Windows malware

Woody Leonhard | Feb. 28, 2011
Windows PCs have been under siege for 20 years. What a difference those two decades make.

The BubbleBoy virus presented the first generally successful drive-by attack. If someone sent you an infected message -- no attached file necessary -- and you opened the message in Outlook or previewed it in Outlook Express, you got zapped. BubbleBoy took advantage of HTML and Outlook's propensity to run embedded Visual Basic scripts without warning.

The root of the problem? In those days, Outlook used Internet Explorer to display HTML-based emails. Even though you never saw IE in action, it was there, lurking in the background, running VBS programs without permission. Years later, the Klez worm used the same approach, but with a different security hole.

On May 4, 2000, the ILOVEYOU worm hit, and PCs would never be the same. A remarkably effective demonstration of the social engineering techniques that still drive malware today, the worm arrived as a file attached to a message. The message's subject was ILOVEYOU, and the attachment was called LOVE-LETTER-FOR-YOU.TXT.vbs. Because Windows hid the .vbs filename extension by default, many people (including, it's rumored, one very senior Microsoft executive) double-clicked what appeared to be a TXT file and shot themselves in the foot -- the same mistake that had caught many by surprise with the Happy99 worm.

ILOVEYOU overwrote many different kinds of files and then rifled through the Outlook address book, sending copies of itself to every address, much like Melissa had. It started spreading on May 4, 2000; by May 13, an estimated 50 million PCs were infected.

Several hugely successful malware attacks followed in ILOVEYOU's technological footsteps. In 2001, the Anna Kournikova worm arrived as an email attachment called AnnaKournikova.jpg.vbs. Sircam grabbed a Word or Excel file from the infected PC and mailed out an infected copy of that file using the same hidden-extension trick, so many confidential documents went out to unexpected recipients. Sircam also spread by copying itself onto network shares.
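The hidden-extension trick behind ILOVEYOU, Anna Kournikova and Sircam is easy to check for at a mail gateway or in a phishing triage script. The Python below is an added example, not code from the original article: it flags attachment names whose real (last) extension is a script or executable while the extension the recipient sees is a benign document type, and reports what the name looked like with Windows' "Hide extensions for known file types" setting on. It also goes one step beyond the article by catching the later variant that pads the name with spaces before the real extension. The extension lists and the sample attachment names are constructed for illustration.

```python
import os

# Extensions that Windows runs (or hands to the Windows Script Host) on double-click.
# Illustrative list, not exhaustive.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk",
}

# Extensions a recipient would expect to be harmless data (illustrative).
BENIGN_EXTS = {
    ".txt", ".jpg", ".jpeg", ".gif", ".doc", ".xls", ".pdf", ".htm", ".html", ".zip",
}

# Constructed sample attachment names: the two from the article, some harmless
# files, and a space-padded variant of the same disguise.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "AnnaKournikova.jpg.vbs",
    "budget.xls",
    "photo.jpg",
    "minutes.doc      .pif",
    "readme.txt",
]


def displayed_name(filename: str) -> str:
    """Name as shown with 'Hide extensions for known file types' enabled:
    the final extension is dropped, so 'x.TXT.vbs' is displayed as 'x.TXT'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename: str) -> dict:
    """Return the real extension, the displayed name and a verdict:
    'ok', 'executable' (runnable but not disguised) or 'disguised-executable'."""
    lower = filename.lower()
    stem, real_ext = os.path.splitext(lower)
    # Strip space padding so 'minutes.doc      .pif' still reveals '.doc' underneath.
    _, shown_ext = os.path.splitext(stem.rstrip())
    verdict = "ok"
    if real_ext in EXECUTABLE_EXTS:
        verdict = "disguised-executable" if shown_ext in BENIGN_EXTS else "executable"
    return {
        "name": filename,
        "shown_as": displayed_name(filename),
        "real_ext": real_ext,
        "verdict": verdict,
    }


def scan_attachments(names) -> list:
    """Return the classification of every attachment that is not plain data."""
    return [c for c in map(classify_attachment, names) if c["verdict"] != "ok"]


if __name__ == "__main__":
    for hit in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{hit['verdict']:22} {hit['name']!r} shown as {hit['shown_as']!r}")
```

The check is deliberately on the name alone; a gateway should still inspect the attachment's content type, since a renamed executable with a single benign extension will pass this test and has to be caught by sniffing the file header instead.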

Beginning of the botnet

Not content merely to distribute malware over the Internet, enterprising programmers started working on ways to control Windows PCs directly over the Internet.

In December 1999, a Brazilian programmer who went by the name Vecna released a new Trojan called Babylonia. Alongside CIH-style interstitial (cavity) infection and Happy99-style Winsock replacement, Babylonia brought an important new capability to the malware gene pool: it phoned home once a minute and updated itself whenever a newer version was available.
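Babylonia's once-a-minute check-in is the behaviour that later command-and-control beaconing inherited, and on the wire it looks like a stream of connections from one host to one destination at a near-constant interval. The Python below is an added example, not code from the original article: it groups constructed log lines (format "epoch_seconds source destination", assumed for this example) by source and destination pair, measures how much the gaps between successive connections vary, and flags pairs whose gaps barely vary at all. The sample lines, the five-connection minimum and the 10% jitter threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one connection per line: "<epoch seconds> <source> <destination>".
# 10.0.0.5 contacts 198.51.100.7 every 60 s give or take a second (the phone-home pattern);
# 10.0.0.8 contacts 203.0.113.9 at irregular, human-paced intervals.
SAMPLE_LOG = """\
1000 10.0.0.5 198.51.100.7
1060 10.0.0.5 198.51.100.7
1121 10.0.0.5 198.51.100.7
1180 10.0.0.5 198.51.100.7
1241 10.0.0.5 198.51.100.7
1300 10.0.0.5 198.51.100.7
1005 10.0.0.8 203.0.113.9
1017 10.0.0.8 203.0.113.9
1090 10.0.0.8 203.0.113.9
1094 10.0.0.8 203.0.113.9
1260 10.0.0.8 203.0.113.9
1275 10.0.0.8 203.0.113.9
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def beacon_score(timestamps, min_samples: int = 5):
    """Return interval statistics for one flow, or None if there are too few samples.
    'jitter' is the coefficient of variation of the gaps: near 0 for a fixed timer,
    well above 1 for traffic driven by a person."""
    ts = sorted(timestamps)
    if len(ts) < min_samples:
        return None
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return {"interval": avg, "jitter": pstdev(gaps) / avg, "count": len(ts)}


def find_beacons(text: str, max_jitter: float = 0.1) -> list:
    """Return (src, dst, mean interval, jitter) for every flow whose gaps vary
    by no more than max_jitter of the mean interval."""
    hits = []
    for (src, dst), ts in parse_log(text).items():
        score = beacon_score(ts)
        if score is not None and score["jitter"] <= max_jitter:
            hits.append((src, dst, round(score["interval"], 1), round(score["jitter"], 3)))
    return hits


if __name__ == "__main__":
    for src, dst, interval, jitter in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every {interval}s, jitter {jitter}")
```

Treat a hit as a triage signal, not a verdict: NTP clients, update checkers and monitoring agents also fire on fixed timers, and later malware deliberately randomises its sleep between check-ins, which pushes the jitter above a tight threshold. In practice you would pair this with destination reputation and with whether the host has any other traffic to that destination at all.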

While its authors claimed Back Orifice wasn't built to subvert systems, it certainly offered that capability on Windows 95 and 98. Much like today's botnet controllers, Back Orifice provided remote control -- the ability to run one PC from another over the Internet. Back Orifice isn't a virus; rather, it's a payload waiting to be deposited by a virus or a Trojan.

