Twenty glorious years of Windows malware
The evolution of groundbreaking Windows malware sheds light on what's to come
By Woody Leonhard | InfoWorld | Published: 15:40, 01 March 2011
The end of the century: Communications attacks
Windows-specific malware entered the big time when a Taiwanese programmer, Chen Ing Hau, created CIH (aka Chernobyl), thereby taking stealth infection to a new height.
Using the vagaries of the Portable Executable file format, CIH tucked itself into the parts of an EXE file between the major sections, infecting files without changing their size. Those unlucky enough to have these interstitial infections on Windows 95, 98, or ME systems woke up on April 26, 1999, with bricked PCs. CIH was a devastating virus, but it didn't spread readily.
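The interstitial-infection trick described above relies on the padding that file alignment leaves between the raw data of consecutive PE sections. As an added illustration (not code from the article or from any analysed sample), the following Python walks the section table of a PE image and reports any gap between sections that contains non-zero bytes, which is exactly the slack space a file infector of this kind would fill. The build_sample_pe helper constructs a minimal two-section image in memory, with an optional 32-byte block planted in the gap after .text, purely as test data; the header offsets follow the documented PE/COFF layout.

```python
import struct

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER is 40 bytes


def parse_sections(data):
    """Return [(name, PointerToRawData, SizeOfRawData)] from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def find_slack_code(data):
    """Report inter-section gaps holding non-zero bytes as (section, gap_offset, gap_len, nonzero)."""
    secs = sorted((s for s in parse_sections(data) if s[2]), key=lambda s: s[1])
    findings = []
    # Only the space between two sections is checked; data after the last section
    # (the overlay) legitimately holds e.g. Authenticode signatures and is left alone.
    for (name, ptr, size), (_, next_ptr, _) in zip(secs, secs[1:]):
        gap_start, gap_end = ptr + size, next_ptr
        nonzero = sum(1 for b in data[gap_start:gap_end] if b)
        if nonzero:
            findings.append((name, gap_start, gap_end - gap_start, nonzero))
    return findings


def build_sample_pe(infect):
    """Construct a minimal two-section PE image (constructed test data, not a real binary)."""
    hdr = bytearray(0x58 + 2 * SECTION_HEADER_SIZE)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 2)         # Machine=i386, NumberOfSections=2
    struct.pack_into("<H", hdr, 0x44 + 16, 0)            # SizeOfOptionalHeader (omitted here)
    for i, (name, ptr) in enumerate([(b".text", 0x200), (b".data", 0x400)]):
        off = 0x58 + i * SECTION_HEADER_SIZE
        hdr[off:off + len(name)] = name
        struct.pack_into("<II", hdr, off + 16, 0x10, ptr)  # SizeOfRawData, PointerToRawData
    image = bytearray(0x410)
    image[:len(hdr)] = hdr
    image[0x200:0x210] = b"\x90" * 0x10                  # .text content
    image[0x400:0x410] = b"\x41" * 0x10                  # .data content
    if infect:
        image[0x300:0x320] = b"\xCC" * 0x20              # marker bytes planted in the slack after .text
    return bytes(image)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe(False)), ("slack-infected", build_sample_pe(True))):
        print(label, find_slack_code(sample))
```

Because the file size does not change, a size-based integrity check misses this class of infection entirely; comparing a file hash against a known-good value, or scanning alignment padding as above, does catch it. Non-zero padding is a signal rather than proof: some linkers and packers also leave data in those gaps, so a hit warrants a closer look rather than an automatic verdict.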
Email emerged as a potent delivery mechanism, a point not missed by miscreants whose Good Times hoax ("if you read a message with the subject 'Good Times' your hard drive will be destroyed") scared millions.
The next big jump in malware technology arrived as fireworks, emblazoned on a window titled "Happy New Year 1999!" Happy99, aka SKA, infects by hijacking a Windows system library, replacing the communications DLL Wsock32.dll. If you send a message from an infected machine, the bogus Wsock32.dll delivers the message, but then shoots out a second, blank message to the same recipient with an attached file, usually called Happy99.exe. If the recipient double-clicks on the file, they're greeted with a fireworks display and a nasty infection.
Prior to Happy99, other malware hooked into Windows using the same sort of technique, but Happy99 had the foresight to take over the communications routine. Thus, it spread prolifically. Adding to the potency: Microsoft stopped showing filename extensions starting with Windows 95, so most users receiving the Happy99.exe file only saw the name "Happy99" and all too frequently clicked on it.
David L Smith wrote Melissa, a Word macro virus that scans an infected PC's Outlook address book and sends copies of itself to the first 50 entries. It was the first successful incarnation of many Windows spam-generating viruses.
Melissa was so prolific it brought down Exchange Servers all over the world on March 26, 1999. CERT says that one server received 32,000 copies of Melissa in 45 minutes. Mr. Smith served 20 months in a federal prison for his efforts. Several months later, another destructive virus, ExploreZip, also used the Outlook address book to propagate. It had a nasty habit of deleting Office documents by overwriting them.
The end of the 20th century saw malware writers take advantage of Visual Basic Script running the Windows Script Host, a combination that would become wildly successful in ensuing years.
The BubbleBoy virus presented the first generally successful drive-by attack. If someone sent you an infected message, no attached file necessary, and you opened the message in Outlook or previewed it in Outlook Express, you got zapped. BubbleBoy took advantage of HTML and Outlook's propensity to run embedded Visual Basic scripts without warning.
The root of the problem? In those days, Outlook used Internet Explorer to display HTML-based emails. Even though you never saw IE in action, it was there, lurking in the background, running VBS programs without permission. Years later, the Klez worm used the same approach, but with a different security hole.
On May 5, 2000, the ILOVEYOU worm hit, and PCs will never be the same. It was a remarkably effective demonstration of the social engineering techniques that still drive malware today: the infected file arrived attached to a message whose subject was ILOVEYOU, and the attachment was called LOVE-LETTER-FOR-YOU.TXT.vbs. Since Windows hid the .vbs filename extension, many people (including, it's rumoured, one very senior Microsoft executive) double-clicked on what appeared to be a TXT file and shot themselves in the foot, the same fatal flaw that took many by surprise with the Happy99 worm.
ILOVEYOU overwrites many different kinds of files and then rifles the Outlook address book, sending copies of itself to every address, much like Melissa. It started spreading on May 4, 2000. By May 13, 50 million PCs were infected.
Several hugely successful malware attacks followed in ILOVEYOU's technological footsteps. In 2001, the Anna Kournikova worm arrived in an email attachment called AnnaKournikova.jpg.vbs.
Sircam grabbed a Word or Excel file on the infected PC and sent out infected versions of the file using the same technique. Many confidential files went out to unexpected recipients. Sircam also spread by copying itself onto network shares.
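Happy99, ILOVEYOU and Anna Kournikova all exploit the same Explorer behaviour: with "Hide extensions for known file types" on, the final extension is dropped from the displayed name, so LOVE-LETTER-FOR-YOU.TXT.vbs reads as a text file and Happy99.exe reads as a bare "Happy99". The following Python, added here as an illustration rather than taken from the article or any mail product, is a mail-gateway style check that reproduces that display rule and flags attachments whose true extension is executable. The two extension lists are assumptions for the example and are illustrative, not exhaustive; the sample attachment names are the ones the article cites plus one constructed benign name.

```python
import os

# Extensions Windows will execute or interpret as script when double-clicked.
# Assumption: illustrative subset, not a complete list.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                         ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# Extensions a user reads as harmless document or image content.
BENIGN_LOOKING_EXTENSIONS = {".txt", ".doc", ".xls", ".pdf", ".jpg", ".jpeg", ".gif", ".png"}


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' enabled:
    only the final extension is hidden; any earlier dots remain visible."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename):
    """Return (verdict, displayed_name, true_extension).

    verdict is one of:
      'deceptive-double-extension'  executable hiding behind a benign-looking inner extension
      'executable'                  executable whose extension is simply hidden from the user
      'ok'                          nothing executable about the true extension
    """
    _, true_ext = os.path.splitext(filename)
    true_ext = true_ext.lower()
    shown = displayed_name(filename)
    _, apparent_ext = os.path.splitext(shown)
    apparent_ext = apparent_ext.lower()
    if true_ext in EXECUTABLE_EXTENSIONS and apparent_ext in BENIGN_LOOKING_EXTENSIONS:
        return ("deceptive-double-extension", shown, true_ext)
    if true_ext in EXECUTABLE_EXTENSIONS:
        return ("executable", shown, true_ext)
    return ("ok", shown, true_ext)


def flag_attachments(filenames):
    """Return [(filename, verdict, displayed_name)] for every attachment that is not 'ok'."""
    flagged = []
    for name in filenames:
        verdict, shown, _ = classify_attachment(name)
        if verdict != "ok":
            flagged.append((name, verdict, shown))
    return flagged


# Constructed sample: the attachment names the article mentions plus one harmless document.
SAMPLE_ATTACHMENTS = [
    "Happy99.exe",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "AnnaKournikova.jpg.vbs",
    "quarterly-report.doc",
]

if __name__ == "__main__":
    for name, verdict, shown in flag_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name!r:34} shown as {shown!r:28} -> {verdict}")
```

The check keys on the true, final extension because that is what the shell uses to pick the handler; the inner ".TXT" or ".jpg" is pure decoration aimed at the user. Blocking executable attachment types outright at the gateway, and turning extension hiding off on endpoints, removes the trick entirely rather than relying on a list of look-alike extensions.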