2001 was a mixed bag: antivirus vendors took significant strides forward, but the number of virus attacks rose nevertheless. The changeover from classic viruses to worms continued as Internet use exploded. Virus writers demonstrated a definite preference for malicious code that propagated by sending their files across local networks and the Internet.
Malicious programs that exploited vulnerabilities in applications and operating systems caused serious epidemics in 2001: CodeRed, Nimda, Aliz and BadtransII. The large-scale epidemics caused by these worms changed the face of computer security and set trends for malware evolution for several years to come.
Endless variants of LoveLetter (aka ILoveYou), Magistr and SirCam also enlivened the malware landscape, keeping users and antivirus vendors on their toes.
A vulnerability is a hole in a legitimate application or operating system that can be exploited by a virus writer: malicious code penetrates the system via such loopholes.
Viruses and worms that exploit vulnerabilities are particularly dangerous in that they are installed and activated automatically regardless of user action. For instance, Nimda penetrated computers even when the infected email was simply viewed through the preview window in MS Outlook. CodeRed went a step further: it scanned the Internet for vulnerable machines and infected them. According to Kaspersky Virus Lab statistics, malware exploiting vulnerabilities made up almost 55% of all malware detected in 2001.
The interest displayed by virus writers in vulnerabilities was justified. Traditional infection techniques used by classic file viruses, where the user initiated the infection cycle, were no longer as effective as previously. Therefore, virus writers eagerly adopted the new technique.
Email and the Internet – primary sources of new threats
Kaspersky Virus Lab statistics showed that virus attacks via email rose by 5% in 2001 in comparison with 2000 and made up almost 90% of the total number of virus incidents in 2001.
2001 proved to be a watershed in the evolution of virus attacks via the Internet. Previously, most Internet-related infections occurred when users downloaded and executed files from untrustworthy web sites. In 2001 a new infection technique appeared: users no longer needed to download files – a visit to an infected web site was enough. Virus writers substituted infected pages for clean ones. Most users were infected by malware that exploited vulnerabilities in MS IE. In some cases compromised sites offered free programs that turned out to be malicious.
Attacks via non-Internet technologies
2001 was also the year that instant messaging services, such as ICQ and MS Instant Messenger, were first used as channels for spreading malicious code. A spate of worm infections turned these services into further traps for unwary users. The Internet worm Mandragore attacked the Gnutella file-sharing network. And last but not least, 2001 saw a proliferation of worms designed to propagate via IRC channels.
More attacks on Linux
A significant number of malicious programs targeting Linux appeared in 2001. Ramen opened the season on January 19 and penetrated a large number of corporate networks within days. Victims included NASA (USA), A&M University (USA) and hardware vendor Supermicro (Taiwan).
The attacks swelled into an avalanche with Ramen clones and new Linux worms appearing one after another. Most of these malicious programs exploited vulnerabilities in the operating system. The rapid spread of these threats underlined the lack of preparation by Linux developers, who had been sleeping peacefully, sure that Linux was a completely secure environment. Many Linux users hadn’t even bothered to install the patches that were available for some of the exploited vulnerabilities and fell easy prey for these worms.
Fileless worms – a new challenge
So-called fileless worms turned out to be one of the nastiest surprises of 2001. These worms were able to self-replicate and function on infected machines without using files. These worms exist only in RAM and spread as specially configured data packets.
This new technique gave antivirus experts some difficult moments. Traditional antivirus scanners and monitors proved helpless against this new threat, since up to that time antivirus engines had detected malicious programs during file operations. Kaspersky Lab was the first to develop a new antivirus filter that scanned incoming data packets in background mode and deleted fileless worms.
Worms for Windows increase
While classic viruses, (predominantly macro and script viruses) visibly dominated throughout 1999-2000, 2001 was the year of worms for Windows. By the fall, these worms had caused about 90% of all registered virus infections.
The reasons for this trend were two-fold: on the one hand new technologies allowed virus writers to create better worms, and on the other, antivirus vendors had developed effective protection against macro and script viruses.
Virus hoaxes were all the rage in 2001, with 10 new warnings about a dangerous new virus registered by March. And nervous users, frightened by the large-scale outbreaks in 2000 scrambled to forward these warnings to friends and relatives. California IBM and Girl Thing proved especially effective. A letter warning users about a new ILoveYou outbreak scheduled for Valentine’s day was also extremely effective.
Some of these hoaxes were so effective that copies of the messages were still circulating around the Internet several years later.
2001 in review:
- Email and the Internet move to the fore environments for new threats;
- Alternate channels such as ICQ, IRC, MSN Messenger and file-sharing networks also gain prominence;
- Fileless worms appear on the scene;
- Worms for Windows make up the majority of new threats by mid-year, with macro- and script-viruses losing ground significantly.