Groundbreaking Windows malware sheds light on what's to come
Windows PCs have been under siege for 20 years. There's been a clear succession, with the means, methods, and goals changing definitively over time. As with any technology, innovative thinking points the way forward. Here's a look at how ingenuity to nefarious ends has transformed Windows hacking into a multi-billion-dollar industry, and where the Windows malware trail points to the future.
The next big jump in malware technology arrived as fireworks, emblazoned on a window entitled 'Happy New Year 1999!' Happy99, aka SKA, infects by hijacking a Windows program, taking over the communications program Wsock32.dll. If you send a message from an infected machine, the bogus Wsock32.dll delivers the message, but then shoots out a second, blank message to the same recipient with an attached file, usually called Happy.exe. If the recipient double-clicks on the file, they're greeted with a fireworks display - and a nasty infection.
Prior to Happy99, other malware hooked into Windows using the same sort of technique, but Happy99 had the foresight to take over the communications routine; thus, it spread prolifically. Adding to the potency: Microsoft stopped showing filename extensions starting with Windows 95, so most users receiving the Happy99.exe file only saw the name 'Happy99' - and all too frequently clicked on it.
David L. Smith, of New Jersey, wrote Melissa, a Word macro virus that scans an infected PC's Outlook address book and sends copies of itself to the first 50 entries. It was the first successful incarnation of many Windows spam-generating viruses.
Melissa was so prolific it brought down Exchange Servers all over the world on March 26, 1999. CERT says that one server received 32,000 copies of Melissa in 45 minutes. Mr. Smith served 20 months in a federal prison for his efforts. Several months later, another destructive virus, ExploreZip, also used the Outlook address book to propagate; it had a nasty habit of deleting Office documents by overwriting them.
The end of the 20th century saw malware writers take advantage of Visual Basic Script running the Windows Script Host, a combination that would become wildly successful in ensuing years.
BubbleBoy presented the first generally successful drive-by attack. If someone sent you an infected message - no attached file necessary - and you opened the message in Outlook or previewed it in Outlook Express, you got zapped. BubbleBoy took advantage of HTML and Outlook's propensity to run embedded Visual Basic scripts without warning.
The root of the problem? In those days, Outlook used Internet Explorer to display HTML-based emails. Even though you never saw IE in action, it was there, lurking in the background, running VBS programs without permission. Years later, the Klez worm (http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=99367) used the same approach, but with a different security hole.
On May 5, 2000, the ILOVEYOU worm hit, and PCs would never be the same. A remarkably effective demonstration of the social engineering techniques that still drive malware today, ILOVEYOU arrived as a file attached to a message. The message's subject was ILOVEYOU, and the attachment was called LOVE-LETTER-FOR-YOU.TXT.vbs. Since Windows hid the .vbs filename extension, many people (including, it's rumoured, one very senior Microsoft executive) double-clicked on what appeared to be a TXT file and shot themselves in the foot - the same fatal flaw that took many by surprise with the Happy99 worm.
ILOVEYOU overwrites many different kinds of files and then rifles the Outlook address book, sending copies of itself to every address, much like Melissa. It started spreading on May 4, 2000. By May 13, 50 million PCs were infected.
Several hugely successful malware attacks followed in ILOVEYOU's technological footsteps. In 2001, the Anna Kournikova worm arrived in an email attachment called AnnaKournikova.jpg.vbs. Sircam grabbed a Word or Excel file on the infected PC and sent out infected versions of the file using the same technique. Many confidential files went out to unexpected recipients. Sircam also spread by copying itself onto network shares.
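The hidden-extension trick that carried Happy99, ILOVEYOU and Anna Kournikova is easy to check for at a mail gateway or in an attachment log. The following is an added example, not code from the article or from any of the products it mentions: it models how Explorer's "hide extensions for known file types" setting displays a filename (only the final extension is dropped) and flags attachments whose real extension is a script or executable type hiding behind a document-looking inner extension. The lists of executable and document extensions are assumptions chosen for illustration, and the sample attachment names are constructed from the worms named on the page.

```python
import os

# Assumed list of extensions Windows runs directly on double-click.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
}

# Assumed list of extensions a user reads as harmless data.
DOCUMENT_EXTENSIONS = {
    ".txt", ".jpg", ".jpeg", ".gif", ".png",
    ".doc", ".xls", ".pdf", ".htm", ".html",
}


def displayed_name(filename: str) -> str:
    """Return the name Explorer shows when known extensions are hidden.

    Only the last extension is removed, so 'LOVE-LETTER-FOR-YOU.TXT.vbs'
    is displayed as 'LOVE-LETTER-FOR-YOU.TXT'.
    """
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename: str) -> dict:
    """Classify an attachment name as 'ok', 'executable' or 'double-extension'.

    'double-extension' means an executable/script extension sits behind an
    inner extension users associate with documents or images.
    """
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()

    if ext not in EXECUTABLE_EXTENSIONS:
        verdict = "ok"
    elif inner_ext in DOCUMENT_EXTENSIONS:
        verdict = "double-extension"
    else:
        verdict = "executable"

    return {
        "filename": filename,
        "displayed_as": displayed_name(filename),
        "true_extension": ext,
        "verdict": verdict,
    }


def flag_attachments(filenames) -> list:
    """Return the names that are not plain documents, in input order."""
    return [name for name in filenames
            if classify_attachment(name)["verdict"] != "ok"]


# Constructed sample attachment names, based on the worms the article names
# plus two benign documents for contrast.
SAMPLE_ATTACHMENTS = [
    "Happy99.exe",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "AnnaKournikova.jpg.vbs",
    "minutes.doc",
    "photo.jpg",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        info = classify_attachment(name)
        print(f"{info['filename']:30} shown as {info['displayed_as']:26} "
              f"-> {info['verdict']}")
```

The check is deliberately conservative: a bare `.exe` is reported as `executable` rather than `double-extension`, since the user at least sees no misleading inner extension, while the `.TXT.vbs` and `.jpg.vbs` patterns that fooled so many recipients are singled out. A gateway rule would typically quarantine both classes and let the `ok` class through.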