The Sobig worm created the first commercially successful spam-generating botnet, and it did so through infected email attachments. At one point, 1 out of 20 email messages on the Internet contained a Sobig.f infected attachment. Sobig harvested email addresses from files on the infected computer.
Cracking into Windows
By 2001, most malware spread by sending infected files over the Internet or by dropping infected files on network shares. That year, malware writers expanded their horizons by aiming directly for security holes in Windows itself. They also jumped up several levels in sophistication. No longer intent on destroying data or playing pranks, some malware writers turned their considerable talents to making money.
CodeRed infamously infected more than 300,000 Windows Servers, using a buffer overflow to take control of IIS and deface websites on the infected server. CodeRed-infected machines send out buffer overflow packets to random machines on the Internet in a spray attack. Microsoft patched the hole a month before CodeRed appeared, but admins didn't apply the patches quickly enough. A complete rewrite, CodeRed II, not only engaged in spray attacks, it also attacked local machines.
Then Nimda took the cake. It used five different infection vectors: a blended threat of the first degree. Nimda infects with email attachments. It infects unprotected network shares. It tries to take down websites. It goes after servers in CodeRed-style. And it can use backdoors left behind by CodeRed.
SQL Slammer ricocheted across the Internet in 2003, infecting 75,000 machines in its first 10 minutes, knocking out wide swathes of the Internet. The worm exploited a security hole in SQL Server and SQL Desktop Engine, which had been patched six months previously. It doesn't put a copy of itself on a hard drive, preferring to simply stay memory resident: Reboot an infected machine, and it isn't infected any more.
Like SQL Slammer, Blaster (aka Lovsan) zoomed across the Internet at a breakneck pace by scanning machines connected to the Internet and passing itself around. Like Slammer, it used an exploit that had already been patched. Unlike Slammer, Blaster attacked every Windows XP and Windows 2000 computer. The payload tried to take out Microsoft's windowsupdate.com site with a DDoS attack.
Where the money goes today
Botnets formed years ago are still in operation -- a fact that isn't lost on the folks who bankroll the now highly lucrative malware industry.
The professionals behind these programs don't take kindly to competition. Sobig was followed by Mydoom, another email-attachment botnet generator, and a malware war broke out between Mydoom, Netsky, Sasser (which took out thousands of companies), and Bagel, each of which attempted to clobber the other. An 18-year-old computer science student in Germany was convicted for creating Sasser and the Netsky.AC variant.
Sign up for CIO Asia eNewsletters.