---------- Forwarded message ----------
From: Abhishek Bhuyan <abhishekbhuyan@xxxxxxxxxxx>
Date: Aug 26, 2005 9:32 AM
Subject: [orissa-netsec] Article: From Melissa to Zotob: 10 Years of
Windows Worm
To: orissa-netsec@xxxxxxxxxxxxxxx
http://www.eweek.com/article2/0,1895,1851792,00.asp
By Ryan Naraine
August 24, 2005
The names roll of the tongue like characters in an episode of
"American Gladiators." Klez. Blaster. Slammer. Sasser. Zotob.
Computer
viruses and worms, all targeting users of Microsoft Corp.'s
Windows
operating system.
The first sign of computer worm activity dates back to 1982,
when a
program called Elk Cloner squirmed through Apple II systems. The
SCA
virus and Brain, written for IBM PC compatibles and Amigas,
would pop
up in the late 1980s, followed by the Morris Worm, the first
documented "in the wild" proof-of-concept that infected DEC VAX
machines.
Those worms hardly registered on the mainstream media radar but,
with
the arrival of Windows 95, all that changed in a hurry. The
computer
world has never been the same.
March 1999: Melissa Strikes
Named after a lap dancer in Florida, the Melissa worm is the
considered the first destructive mass-mailer targeting Microsoft
customers. The worm was programmed to spread via Microsoft Word-
and
Outlook-based systems, and the infection rate was startling.
Melissa, created by a New Jersey hacker who would go to jail for
the
attack, was released on a Usenet discussion group inside a
Microsoft
Word file. It spread quickly via e-mail, sending anti-virus
vendors
scrambling to add detections and prompting immediate warnings
from the
CERT Coordination Center.
May 2000: ILOVEYOU
Still widely considered one of the most costly viruses to
enterprises,
the ILOVEYOU worm, also known as VBS/Loveletter or Love Bug,
used
social engineering and catchy subject lines to trick Windows
users
into launching the executable.
The worm spread rapidly by sending out copies of itself to all
entries
in the Microsoft Outlook address book. Anti-virus researchers
also
discovered an additional?and dangerous?component called
"WIN-BUGSFIX.EXE" that was a password-stealing program that
e-mailed
cached passwords back to the attacker.
The worm also gained the attention of the mainstream press when
it
launched a denial-of-service attack against the White House Web
site.
To this day, anti-virus vendors report ILOVEYOU sightings in the
wild.
2001: A Triple-Barreled Barrage
This was the year that malicious worm activity exploded, with
three
high-profile attacks bombarding Windows users. First up was
SirCam,
malicious code that spread through e-mail and unprotected
network
shares. The damage from SirCam was somewhat limited, but what
was to
follow would set the tone for a spate of network worms that
caused
billions of dollars in business costs.
What will get Windows 95 die-hards to upgrade to Vista? Click
here to
read more.
In July 2001, the appearance of Code Red again set the cat among
the
pigeons, spreading via a flaw in Microsoft's Internet
Information
Server (IIS) Web server. The worm exploited a vulnerability in
the
indexing software distributed with IIS and caused widespread
panic by
defacing Web sites with the stock phrase "Hacked By Chinese!"
Code Red
spread itself by looking for more vulnerable IIS servers on the
Internet and, in August, launched a denial-of-service attack
against
several U.S. government Web sites, including the White House
portal.
Less than a month later, a new mutant identified as Code Red II
appeared and wreaked even more havoc.
Still reeling from the effects of SirCam and Code Red, Windows
users
would soon have to deal with Klez, an e-mail borne virus that
exploited a flaw in Microsoft's Internet Explorer browser and
targeted
both Outlook and Outlook Express users.
Because Klez required users to click on an embedded e-mail
attachment,
the damage was limited, but when later variants appeared with
spoofed
sender addresses, it provided the first sign that virus writers
would
change tactics to avoid detection. The spoofing of e-mail
addresses
would later become a standard trick to attack non-technical
e-mail
(and Windows) users.
Slammer, Sobig and Blaster
After a worm-free 2002, Windows users had to contend with
another
three-pronged threat - Slammer in January 2003 and the Sobig and
Blaster attacks in the summer.
Reminiscent of the Code Red worm, Slammer exploited two buffer
overflow vulnerabilities in Microsoft's SQL Server database,
causing
major congestion of Internet traffic throughout Asia, Europe and
North
America.
The worm infected about 75,000 hosts in the first 10 minutes and
knocked several ISPs around the world offline for extended
periods of
time.
As Microsoft struggled to cope with the Slammer fallout, there
were
two new outbreaks in the summer with Sobig and Blaster squirming
through millions of unpatched Windows machines. The
fast-spreading
worms crippled network infrastructure globally and the cleanup
and
recovery were estimated to be tens of billions of dollars.
Blaster was particularly nasty. The worm spread by exploiting a
buffer
overflow in the DCOM RPC service on Windows 2000 and Windows XP
and
also launched a SYN flood attack against port 80 of Microsoft's
windowsupdate.com site that is used to distribute security
patches.
Microsoft was able to dodge the bullet by temporarily
redirecting the
site, but the media latched onto the story and forced the
company to
make major changes to its patching schedule to help customers
cope
with the patch management nightmare.
2004: Sasser Strikes
After Slammer and Blaster, Microsoft customers complained
bitterly
that the company's unpredictable patching schedule was causing
hiccups
in the patch deployment process. In October 2003, chief
executive
Steve Ballmer announced a plan to release security bulletins on
a
monthly cycle, except for emergency situations.
The new plan is greeted warmly, but the worm attacks showed no
sign of
letting up. In January 2004, the MyDoom worm was spotted. A
mass-mailer with a payload targeting the Windows operating
system,
MyDoom quickly surpassed Sobig as the fastest-spreading e-mail
worm
ever. In addition to seeding Windows machines to create botnets,
MyDoom was programmed to launch DDoS (distributed
denial-of-service)
attacks on Microsoft's Web site.
In early May, Sasser hit. Exploiting a flaw in the LSASS (Local
Security Authority Subsystem Service) component, the Sasser worm
squirmed through unpatched Windows 2000 and Windows XP machines.
Sasser was particularly dangerous and spread rapidly through
vulnerable network ports.
Microsoft is credited with reacting swiftly to contain the
Sasser
spread but, as the latest Zotob attacks prove, the time to
exploit an
unpatched flaw has narrowed significantly since the launch of
Windows
95 10 years ago.
--
____________________________________________________
Start your day with Yahoo! - make it your home page
http://www.yahoo.com/r/hs
________________________________
YAHOO! GROUPS LINKS
Visit your group "orissa-netsec" on the web.
To unsubscribe from this group, send an email to:
orissa-netsec-unsubscribe@xxxxxxxxxxxxxxx
Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.
________________________________