2001: Year of the "junkyard" virus

Virtuoso worm writing has gone out of style. If you could use a PC in 2001, it seemed, you could write a worm to cripple corporate e-mail servers. Did you?

5 min read
As antivirus companies look back to log the year's busiest viruses, it seems virtuoso worm writing has gone out of style.

At least five companies recently listed SirCam, which ravaged PCs during the summer, as one of the two most reported viruses of the year.

Central Command placed SirCam atop its "Dirty Dozen for 2001" list of viruses; Sophos, Symantec, Computer Associates and Trend Micro viewed it as number two, behind Nimda, Hybris and Badtrans, respectively.

"It was never a screaming emergency," said David Perry, global director of education for Trend Micro, "but it was always out there...It was the kind of thing that spread slowly over time."

And the fact that SirCam--a relatively unsophisticated program--spread so widely fits the year's pattern. With the possible exception of Nimda, most of 2001's most-reported viruses weren't innovative. They were "junkyard" viruses: bugs cobbled together from many different pieces of software. And according to Perry, 2001 saw an unprecedented number of them.

That's because more malicious code is becoming available through the Internet, making it easier to create new viruses.

"The Internet provides a library of virus code to raid for your viruses," Perry said.

In fact, virus writers in 2001 often took advantage of loopholes discovered and published by the security industry itself, Perry said. "These are not geniuses. They're people exploiting dumb holes."

But they're definitely having an impact. Though the level of havoc wreaked by viruses in 2001 may not have been quite as bad as that seen in prior years--Computer Economics guessed that 2000's LoveLetter cost $960 million to clean up and resulted in $7.7 billion in lost productivity; estimates of those combined costs for SirCam totaled about $1 billion at the end of August--businesses were still smarting.

And Microsoft, which repeatedly saw virus writers exploiting security holes in its products, launched an attack on hackers and security companies for publishing details about such holes online, calling the practice "information anarchy."

The first few days of 2002 have already brought reports of new threats to PC security. A destructive new worm known as Maldal.D, or "ZaCker," is targeting antivirus software on infected computers. AOL on Wednesday warned customers of a potential security hole in its popular AOL Instant Messenger (AIM) program.

Simple, stealthy
SirCam started appearing in the latter half of July as an e-mail attachment. Once activated, the virus sends itself and a randomly chosen document from the host PC to every e-mail address in the host's address book. Sophos and Central Command said SirCam generated more than a fifth of their virus reports in 2001.

Although SirCam received some press, the virus' propagation was actually helped by the fact that it never generated as much attention as more famous viruses such as the LoveLetter worm, Perry believes. Often, everyday computer users and even network administrators only do something about viruses when they read warnings in the mass media, he said.

Showing up nearly as often as SirCam in 2001 were Nimda and Badtrans.

Despite appearing relatively late in the year, Nimda topped at least two lists, those of Sophos and Trend Micro, and proved to be the year's most original bug: While other viruses rely on PCs to spread, Nimda attacks at the server level.

Still, while not a product of the junkyard, Nimda's level of ingenuity left something to be desired. The idea of attacking servers and PCs at the same time is a new one, Perry said, but the actual exploit used by Nimda is an old server hole for which a patch already exists; the virus simply took advantage of unpatched servers.

Badtrans' mission
On its initial appearance, in April, antivirus experts considered the Badtrans worm nothing more than a midlevel threat, but a more dangerous variant appeared in time for the holidays.

Badtrans, which attacks PCs running Microsoft's Outlook e-mail program and unpatched 5.01 and 5.5 versions of the company's Internet Explorer browser, installs a program that records keystrokes on the PC and sends the data to an e-mail address held by the virus' author.

Badtrans replicates by replying to unread messages in an Outlook mailbox and sending itself to e-mail addresses contained in Web pages in the IE browser cache and the Windows folder labeled "My Documents."

Three lists included Badtrans as one of the top three viruses, and the fourth, Sophos, released its list in late November, just as reports of the new Badtrans variant started to appear. Badtrans still made Sophos' top 10.

SirCam and the latest Badtrans appeared in the top three positions most frequently, but some relatively old viruses still managed to crack several top 10 lists. "And in the top 100 you have plenty of viruses that are five or six years old," Perry said.

Hybris, which was in the top six in several lists, first appeared in reports for October 2000. The worm spreads by using addresses in the headers of incoming e-mail messages and produces a slow, steady stream of e-mail, rather than a barrage.

Kakworm made the top 10 for Sophos, Central Command and Symantec. Although Kakworm is older than SirCam and Badtrans--Kakworm reports date back to at least the first half of 2000, if not earlier--the bug represents a newer trend: viruses embedded directly in the text of e-mail messages themselves, rather than in attached files.

Get smart
E-mail attachments continued to be the most popular means of spreading viruses--more than 90 percent of all virus reports came from e-mail, according to CA.

Viruses largely work through what antivirus specialists term "social engineering"--techniques that take advantage of people's social habits and expectations to trick them into opening attachments or visiting harmful Web pages--an e-mail written in a conversational tone is an example.

Unless people increase their caution and change their behavior, e-mail viruses will continue to do damage in 2002 because virus writers are getting better, said Ian Hameroff, director of antivirus solutions for CA. No security technology, Hameroff said, can take the place of common sense moves such as updating antivirus software regularly, patching operating systems and applications, and deleting suspicious attachments without opening them

"You can have a fire extinguisher in your house, but if you walk around setting fires and dropping matches...you're going to get burned," Hameroff said.

The best solution is to stop viruses before they reach users, said Perry, whose employer specializes in "gateway" level antivirus protection. Companies like Trend Micro have long argued that the security benefits of filtering e-mail for viruses outweighs any potential invasion of privacy, especially in a corporate setting. Courts have ruled that companies have the right to search their employees' e-mail.

Luckily, PC users are gradually becoming smarter about e-mail, Perry and Hameroff said.