In 2003 two global Internet attacks took place that could be called the biggest in the history of the Internet. The Internet worm Slammer laid the foundation for the attacks, and used a vulnerability in the MS SQL Server to spread. Slammer was the first classic fileless worm, which fully illustrated the capabilities of a flash-worm – capabilities which had been foreseen several years before.
On January 25th, 2003, within the space of a few minutes, the worm infected hundreds of thousands of computers throughout the world, and increased network traffic to the point where several national segments of the Internet crashed. Experts estimate that traffic increased from 40% – 80% in a variety of networks. The worm attacked computers through ports 1433 and 1434 and on penetrating machines did not copy itself on any disk, but simply remained in computer memory. If we analyse the dynamics of the epidemic, we can assert that the worm originated in the Far East.
The second, more important epidemic was caused by the Lovesan worm, which appeared in August 2003. The worm demonstrated just how vulnerable Windows is. Just as Slammer did, Lovesan exploited a vulnerability in Windows in order to replicate itself. The difference was that Lovesan used a loophole in the RPC DCOM service working under Windows 2000/XP. This led to almost every Internet user being attacked by the worm.
As for viruses penetrating new platforms and applications, the year was surprisingly quiet. The only news was the discovery, in the wild, of MBP.Kynel, by Kaspersky Labs. This virus infects MapInfo documents and is written in MapBasic. The MBP.Kynel virus was undoubtedly written by a Russian.
2003 was the year of ceaseless epidemics caused by email worms. Ganda and Avron were first detected in January. The former was written in Sweden and is still one of the most widespread email worms in Scandinavia despite the fact that the Swedish police arrested the autour of the worm at the end of March.
Avron was the first worm to be created in the former USSR capable of causing a significant worldwide epidemic. The source code for the worm was published on the Internet and this has led to the appearance of a number of less effective versions.
Another important event in 2003 was the appearance of the first Sobig worm in January. Worms from this family all caused significant virus outbreaks but it was version ‘f’ which broke all records, becoming the most widely distributed worm in network traffic in Internet history. At the peak of the epidemic, Sobig.f, which was first detected in August, could be found in every 20th email message. The virus writers who created the Sobig family, were aiming to create a network of infected machines with the aim of conducting DoS attacks on arbitrarily selected sites and also to use the network for spam attacks.
The Tanatos.b email worm was also a notable event in virusology. The first version of Tanatos was written in the middle of 2002, but version ‘b’ appeared only a year later. The worm exploited the well-known IFRAME loophole in MS Outlook to automatically launch itself from infected messages. Tanatos caused one of the most significant email epidemics of 2003, coming second to that caused by Sobig.f, which probably has the record for the most machines infected by an email worm.
Worms from the Lentin family continued to appear. All these worms were written in India by a local hacker group as part of the ‘virtual war’ between Indian and Pakistani hackers. The most widespread versions were ‘m’ and ‘o’, where the virus replicated in the form of a ZIP archive file attached to infected messages.
Russian writers remained active; the second worm from the former USSR, which also caused a global epidemic was Mimail. The worm used the latest vulnerability in Internet Explorer to activate itself. The vulnerability allowed binary code to be extracted from HTML files and executed. This was first used in Russia in May 2003 (Trojan.Win32.StartPage.l) Following this, the vulnerability was used by the Mimail family and several other Trojan programs. The authors of the Mimail worm published the source code on the Internet, which led to the appearance of several new varieties of the worm in November 2003, written by other virus writers.
September was the month of Swen. I-Worm.Swen, masquerading as a patch from Microsoft, managed to infect several hundred thousand computers throughout the world and to date remains one of the most widespread email worms. The author of the virus exploited frightened users who were still nervous after the recent Lovesan and Sobig.f epidemics.
A recent significant epidemic was caused by Sober, a relatively simple mail worm written by a German, it is an imitation of the year’s leader, Sobig.f.
In 2002, the trend was towards an increase in the number of backdoor and spy Trojan programs and this continued in 2003. In this category, Backdoor.Agobot and Afcore were most notable. There are now more than 40 varieties of Agobot in existence, since the author of the original version created a network of websites and IRC channels where anyone who wanted could, for a fee starting from $150, become the owner of an ‘exclusive’ version of Backdoor, which would be created in accordance with the client’s wishes.
Afcore is slightly less widespread. However, in order to mask its presence in the system, it uses an unusual method; it places itself in additional file systems of the NTFS systems, i.e. in the catalogue stream, not the file streams.
A new and potentially dangerous trend was identified at the end of 2003; a new type of Trojan, TrojanProxy. This was the first and clearest sign of virus writers and spammers uniting. Spammers began using machines infected by such Trojan programs for mass spammer attacks. It is also clear that spammers participated in a number of epidemics as malicious programs were spread using spamming technology.
Internet worms constituted the second most active class of viruses in 2003; specifically I-Worms which replicated by seizing passwords to remote network resources. As a rule, such worms are based on IRC clients, and scan the addresses of IRC users. They then attempt to penetrate computers using the NetBIOS protocol and port 445. One of the most notable viruses in this class was the Randon family of Internet worms.
Throughout the year Internet worms remained the dominant type of malicious software.
Viruses, namely macro viruses such as Macro.Word97.Saver came in second. However, Trojan programs overtook viruses in the autumn, and this trend continues through today.