20 years of innovative Windows malware
- 01 March, 2011 06:25
Windows PCs have been under siege for 20 years. What a difference those two decades make.
Back when Windows was young, viruses scampered from system to system, occasionally deleting files -- which could almost always be retrieved -- and putting up dialog boxes with inscrutable contents, like the numeral 1. Nowadays, Windows malware locks up your data and holds it for ransom. It manipulates your PC into launching attacks, mines files for credit card numbers and passwords, and sets nuclear centrifuges to whirl with wild abandon -- nasty stuff.
[ Windows 7 is making huge inroads into business IT. But with it comes new security threats and security methods. InfoWorld's expert contributors show you how to secure the new OS in the "Windows 7 Security Deep Dive" PDF guide. ]
Along the way, Windows malware has spawned several billion-dollar antivirus companies, inspired enough articles to fill the Library of Alexandria, created jobs for many tens of thousands of security professionals, and caused more than half a billion king-size headaches.
These pesky programs didn't morph from toddler to kickfighter overnight. There's been a clear succession, with the means, methods, and goals changing definitively over time. As with any technology, innovative thinking points the way forward. Here's a look at how ingenuity to nefarious ends has transformed Windows hacking into a multi-billion-dollar industry, and where the Windows mailware trail points to the future.
The early rogue's gallery
Some of the most innovative and (still) pervasive malware techniques arrived at the dawn of Windows, with the years leading up to Windows 3.0 setting a strong foundation for Windows-specific malware to come.
Take, for example, VirDem, the first virus to infect an executable file. Ralf Burger created the virus in Germany in 1986 by sticking a self-replicating program at the front of a COM file and moving the original instructions to the end. This was soon followed by Cascade, which appeared in 1987 as the first virus that used encryption to disguise itself. Unfortunately, the encrypting routine was the same in all infected files, so scanners picked it up easily. #Fail.
GhostBalls (the code states proudly "Product of Iceland / Copyright © 1989") combined two infection techniques, creating the first multipartite or blended threat virus. GhostBalls attaches itself to COM files and spreads by copying itself to other COM files, but it also looks for a diskette in the A: drive and, if found, copies a modified boot sector virus onto the diskette.
Overcoming Cascade's congenital defect, in 1990 Mark Washburn came up with 1260, the first polymorphic virus. Polymorphic viruses change each time they're encrypted -- often altering the encrypting routine itself -- making detection considerably more difficult.
Flying below the radar was the modus operandi of two other viruses launched in 1990, Frodo and Whale, which both became known as stealth viruses because they took great care to hide themselves. Frodo made Windows lie about the size of infected COM files so that they appeared as if they weren't infected. Whale -- at 9KB, the largest virus to date -- used the Frodo technique to hide its size and the 1260 shtick to change itself. Neither program infected much of anything, but both excelled at staying hidden.
Twenty years later, the Windows malware pantheon runs chock-full of infected executables, multipartite, polymorphic, and stealth techniques.
The rise of Microsoft macro viruses
Windows 3.0 hit the ground running on May 22, 1990, and soon the platform would go gangbusters. With the exception of Michelangelo, a garden-variety boot sector virus that took out Windows machines, injected the phrase "computer virus" into almost every language on earth, and helped substantiate the lucrative antivirus industry, virus innovation stagnated. Then in the summer of 1995, an epiphany: Somebody -- we still don't know who -- wrote a very simple macro virus using WordBasic, the macro language behind Microsoft Word.
Documents infected with this virus, when opened using Word 6, add four macros to Word's default template, NORMAL.DOT, which then infects any subsequent Word document you save. The macro has a harmless payload, which displays an odd dialog box with the numeral 1. The macro code contains the text "That's enough to prove my point" -- thus, the name Concept.
The floodgates burst. In late August 1995, several Microsoft employees told me that more than 80 percent of all PCs on Microsoft's Redmond campus were infected by Concept, which spread across the world in a matter of weeks. Antivirus companies scrambled, trying to protect against this completely new attack vector, and virus writers, aided by macro virus construction kits widely distributed in 1996, had a field day. Word took the initial beating, but then Excel spreadsheets came under attack, first with Laroux, then with a deluge of more than 1,000 macro viruses.
Microsoft shored up security in Office 97, but virus writers quickly figured out how to get around the controls, and many old viruses automatically converted over to the new system, using Microsoft's automatic upgrade tools. The tide didn't shift until antivirus vendors started to get the upper hand, primarily by brute force, and Microsoft finally made infection more difficult in Office 2000. Even so, Word and Excel macro attacks remained an omnipresent part of the malware landscape until Microsoft finally changed the default file formats in Office 2007.
The end of the century: Communications attacks
Windows-specific malware entered the big time when a Taiwanese programmer, Chen Ing Hau, created CIH (aka Chernobyl), thereby taking stealth infection to a new height.
Using the vagaries of the Portable Executable file format, CIH tucked itself into the parts of an EXE file between the major sections, infecting files without changing their size. Those unlucky enough to have these interstitial infections on Windows 95, 98, or ME systems woke up on April 26, 1999, with bricked PCs. CIH was a devastating virus, but it didn't spread readily.
Email emerged as a potent delivery mechanism -- a point not missed by miscreants whose Good Times hoax ("if you read a message with the subject 'Good Times' your hard drive will be destroyed") scared millions.
The next big jump in malware technology arrived as fireworks, emblazoned on a window entitled "Happy New Year 1999!" Happy99, aka SKA, infects by hijacking a Windows program, taking over the communications program Wsock32.dll. If you send a message from an infected machine, the bogus Wsock32.dll delivers the message, but then shoots out a second, blank message to the same recipient with an attached file, usually called Happy.exe. If the recipient double-clicks on the file, they're greeted with a fireworks display -- and a nasty infection.
Prior to Happy99, other malware hooked into Windows using the same sort of technique, but Happy99 had the foresight to take over the communications routine; thus, it spread prolifically. Adding to the potency: Microsoft stopped showing filename extensions starting with Windows 95, so most users receiving the Happy99.exe file only saw the name "Happy99" -- and all too frequently clicked on it.
David L. Smith, of New Jersey, wrote Melissa, a Word macro virus that scans an infected PC's Outlook address book and sends copies of itself to the first 50 entries. It was the first successful incarnation of many Windows spam-generating viruses.
Melissa was so prolific it brought down Exchange Servers all over the world on March 26, 1999. CERT says that one server received 32,000 copies of Melissa in 45 minutes. Mr. Smith served 20 months in a federal prison for his efforts. Several months later, another destructive virus, ExploreZip, also used the Outlook address book to propagate; it had a nasty habit of deleting Office documents by overwriting them.
The end of the 20th century saw malware writers take advantage of Visual Basic Script running the Windows Script Host, a combination that would become wildly successful in ensuing years.
The BubbleBoy virus presented the first generally successful drive-by attack. If someone sent you an infected message -- no attached file necessary -- and you opened the message in Outlook or previewed it in Outlook Express, you got zapped. BubbleBoy took advantage of HTML and Outlook's propensity to run embedded Visual Basic scripts without warning.
The root of the problem? In those days, Outlook used Internet Explorer to display HTML-based emails. Even though you never saw IE in action, it was there, lurking in the background, running VBS programs without permission. Years later, the Klez worm used the same approach, but with a different security hole.
On May 5, 2000, the ILOVEYOU worm hit, and PCs will never be the same. A remarkably effective demonstration of social engineering techniques that drive malware today, the infected file arrived attached to a message. The message's subject: ILOVEYOU, and the attachment was called LOVE-LETTER-FOR-YOU.TXT.vbs. Since Windows hid the .vbs filename extension, many people (including, it's rumored, one very senior Microsoft executive) double-clicked on what appeared to be a TXT file and shot themselves in the foot -- the same fatal flaw that took many by surprise with the Happy99 worm.
ILOVEYOU overwrites many different kinds of files and then rifles the Outlook address book, sending copies of itself to every address, much like Melissa. It started spreading on May 4, 2000. By May 13, 50 million PCs were infected.
Several hugely successful malware attacks followed in ILOVEYOU's technological footsteps. In 2001, the Anna Kournikova worm arrived in an email attachment called AnnaKournikova.jpg.vbs. Sircam grabbed a Word or Excel file on the infected PC and sent out infected versions of the file using the same technique. Many confidential files went out to unexpected recipients. Sircam also spread by copying itself onto network shares.
Beginning of the botnet
Not content to merely distribute malware over the Internet, enterprising programmers started working on ways to control Windows PCs directly using the Internet.
In December 1999, a Brazilian programmer who uses the name Vecna unleashed a new Trojan called Babylonia. While incorporating CIH-style interstitial infection and Happy99-style Winsock replacement, Babylonia brought an important new capability to the malware gene pool: It phoned home, once a minute, and updated itself if a newer version is available.
While its authors claim BackOrifice wasn't invented to subvert systems, it certainly offered that capability on Windows 95 and 98 systems. Much like today's botnet controllers, BackOrifice provides remote control -- the ability to run one PC from another, over the Internet. BackOrifice isn't a virus; rather, it's a payload waiting to be deposited by a virus or a Trojan.
The Sobig worm created the first commercially successful spam-generating botnet, and it did so through infected email attachments. At one point, 1 out of 20 email messages on the Internet contained a Sobig.f infected attachment. Sobig harvested email addresses from files on the infected computer.
Cracking into Windows
By 2001, most malware spread by sending infected files over the Internet or by dropping infected files on network shares. That year, malware writers expanded their horizons by aiming directly for security holes in Windows itself. They also jumped up several levels in sophistication. No longer intent on destroying data or playing pranks, some malware writers turned their considerable talents to making money.
CodeRed infamously infected more than 300,000 Windows Servers, using a buffer overflow to take control of IIS and deface websites on the infected server. CodeRed-infected machines send out buffer overflow packets to random machines on the Internet in a spray attack. Microsoft patched the hole a month before CodeRed appeared, but admins didn't apply the patches quickly enough. A complete rewrite, CodeRed II, not only engaged in spray attacks, it also attacked local machines.
Then Nimda took the cake. It used five different infection vectors: a blended threat of the first degree. Nimda infects with email attachments. It infects unprotected network shares. It tries to take down websites. It goes after servers in CodeRed-style. And it can use backdoors left behind by CodeRed.
SQL Slammer ricocheted across the Internet in 2003, infecting 75,000 machines in its first 10 minutes, knocking out wide swathes of the Internet. The worm exploited a security hole in SQL Server and SQL Desktop Engine, which had been patched six months previously. It doesn't put a copy of itself on a hard drive, preferring to simply stay memory resident: Reboot an infected machine, and it isn't infected any more.
Like SQL Slammer, Blaster (aka Lovsan) zoomed across the Internet at a breakneck pace by scanning machines connected to the Internet and passing itself around. Like Slammer, it used an exploit that had already been patched. Unlike Slammer, Blaster attacked every Windows XP and Windows 2000 computer. The payload tried to take out Microsoft's windowsupdate.com site with a DDoS attack.
Where the money goes today
Botnets formed years ago are still in operation -- a fact that isn't lost on the folks who bankroll the now highly lucrative malware industry.
The professionals behind these programs don't take kindly to competition. Sobig was followed by Mydoom, another email-attachment botnet generator, and a malware war broke out between Mydoom, Netsky, Sasser (which took out thousands of companies), and Bagel, each of which attempted to clobber the other. An 18-year-old computer science student in Germany was convicted for creating Sasser and the Netsky.AC variant.
The Zlob Trojan took a new tack by disguising itself as a video codec, deemed necessary to run video files of uncertain pedigree. Zlob has seen dozens of incarnations, most of which are notorious for pimping rogue antimalware, a moneymaking pastime. Zlob has morphed over time and emerged to notoriety five years later as the Alureon rootkit.
In 2007, Storm Worm started as yet another email-attachment botnet generator, but one with a difference: Instead of operating the botnet through a single server, Storm Worm borrowed peer-to-peer technology to disperse control. More than 1 million Windows PCs were infected. The Storm/Waledac botnet was largely broken up in late 2008, but it woke up and started spamming again last month, according to Symantec. Waldec's handlers are gathering steam for a big Round Two.
Many other botnets have come and gone in the past few years, most of them taken down or severely attenuated by breaking lines of communication and blocking compromised servers. A few remain problematic, most notably ZeuS, a do-it-yourself botnet kit designed to pick up passwords, account numbers, and the like on infected machines, then send them to the chosen drop zone, as well as Conficker, a botnet considered dormant but not completely eradicated.
Spam-generating botnets, such as Waledac, are getting hit hard by Microsoft's lawyers. Last October, one of the largest spam botnets, Bredolab, was decimated (although not completely eliminated) by the Dutch National Crime Squad.
Where malware is heading
As Windows XP machines die and get replaced by Windows 7, Windows is getting more difficult to crack by orders of magnitude. Little malware players have been squeezed out of the market, and the big players, looking for new opportunities, are finding few low-hanging fruit.
Still, Windows zero-day vulnerabilities are worth a lot of money, and those who find them these days are much less likely to use them to make funny dialog boxes with the number 1.
Because of this, we can expect Windows malware to continue evolving in innovative ways. One prominent trend is the rise of attacks outside of Microsoft-land. Koobface, for example, runs on Windows, but it's used to harvest information from Facebook and MySpace, convince Facebook users to install rogue antimalware programs, and otherwise turn social networking information into lucre. Nart Villeneuve provides an excellent PDF overview.
Another trend will likely revolve around industrial espionage. Whether or not you believe the Stuxnet worm was designed to break Iranian nuclear enrichment centrifuges, there's no question that a very capable team constructed a breathtaking array of zero-day Windows cracks and Siemens Step 7 code. Expect motivated organizations to blend innovative threats to get what they want.
As for malware construction kits, ZeuS looks to be only the beginning. By democratizing the construction of malware, sufficiently talented kit creators can make a decent living, at much reduced risk. With kits for sale, the creators don't have to worry about disseminating the malware without getting caught, keeping drop sites working, or turning information into money. Recently, Brian Krebs reported that ZeuS and SpyEye have apparently joined forces, and the latest ZeuS source code can be purchased for a paltry $100,000. With source code in hand, you can create and sell your very own customized ZeuS construction kits. Think of it as a malware multilevel marketing scheme.
But the most prolific vector for malware innovation will likely reside in social engineering. After all, while it's getting harder to crack Windows programs, it's as easy as ever to attack the weakest link: the one between users' ears. Look for more cons, more fake "Windows tech support" calls, and more bewildered users who will gladly give out sensitive information to anyone who claims they can help fix things.
Windows malware has changed a lot in the past 20 years. People haven't.
Woody Leonhard writes computer books, primarily about Windows and Office. He's senior editor at Windows Secrets Newsletter and a frequent contributor to InfoWorld's Tech Watch blog. A self-described "Windows victim," Woody specializes in telling the truth about Windows in a way that won't put you to sleep.