Twenty glorious years of Windows malware

The evolution of groundbreaking Windows malware sheds light on what's to come

Where the money goes today

Botnets formed years ago are still in operation, a fact that isn't lost on the folks who bankroll the now highly lucrative malware industry.

The professionals behind these programs don't take kindly to competition. Sobig was followed by Mydoom, another email-attachment botnet generator, and a malware war broke out among Mydoom, Netsky, Sasser (which took out thousands of companies) and Bagle, each of which attempted to clobber the others. An 18-year-old computer science student in Germany was convicted of creating Sasser and the Netsky.AC variant.

The Zlob Trojan took a new tack by disguising itself as a video codec, supposedly needed to play video files of uncertain pedigree. Zlob has seen dozens of incarnations, most of them notorious for pushing rogue anti-malware, a lucrative pastime. Zlob morphed over time and re-emerged to notoriety five years later as the Alureon rootkit.

In 2007, Storm Worm started as yet another email-attachment botnet generator, but with a difference: instead of controlling the botnet through a single server, Storm Worm borrowed peer-to-peer technology to disperse command and control, leaving no single server for defenders to shut down. More than 1 million Windows PCs were infected. The Storm/Waledac botnet was largely broken up in late 2008, but it woke up and started spamming again last month, according to Symantec. Waledac's handlers are gathering steam for a big Round Two.

Many other botnets have come and gone in the past few years, most of them taken down or severely attenuated by breaking lines of communication and blocking compromised servers. A few remain problematic, most notably ZeuS, a do-it-yourself botnet kit designed to pick up passwords, account numbers and the like on infected machines, then send them to the chosen drop zone, as well as Conficker, a botnet considered dormant but not completely eradicated.

Spam-generating botnets, such as Waledac, are getting hit hard by Microsoft's lawyers. Last October, one of the largest spam botnets, Bredolab, was decimated (although not completely eliminated) by the Dutch National Crime Squad.

Where malware is heading

As Windows XP machines die and get replaced by Windows 7, Windows is becoming far more difficult to crack. Little malware players have been squeezed out of the market, and the big players, looking for new opportunities, are finding little low-hanging fruit.

Still, Windows zero-day vulnerabilities are worth a lot of money, and those who find them these days are much less likely to use them to make funny dialog boxes with the number 1.

Because of this, we can expect Windows malware to continue evolving in innovative ways. One prominent trend is the rise of attacks outside of Microsoftland. Koobface, for example, runs on Windows, but it's used to harvest information from Facebook and MySpace, convince Facebook users to install rogue anti-malware programs, and otherwise turn social networking information into lucre. Nart Villeneuve provides an excellent PDF overview.

Another trend will likely revolve around industrial espionage. Whether or not you believe the Stuxnet worm was designed to break Iranian nuclear enrichment centrifuges, there's no question that a very capable team assembled a breathtaking array of Windows zero-day exploits and Siemens Step 7 code. Expect motivated organisations to blend innovative threats to get what they want.

As for malware construction kits, ZeuS looks to be only the beginning. By democratising the construction of malware, sufficiently talented kit creators can make a decent living, at much reduced risk. With kits for sale, the creators don't have to worry about disseminating the malware without getting caught, keeping drop sites working or turning information into money.

Recently, Brian Krebs reported that ZeuS and SpyEye have apparently joined forces, and the latest ZeuS source code can be purchased for a paltry $100,000. With source code in hand, you can create and sell your very own customised ZeuS construction kits. Think of it as a malware multi-level marketing scheme.

But the most prolific vector for malware innovation will likely reside in social engineering. After all, while it's getting harder to crack Windows programs, it's as easy as ever to attack the weakest link: the one between users' ears. Look for more cons, more fake "Windows tech support" calls, and more bewildered users who will gladly give out sensitive information to anyone who claims they can help fix things.

Windows malware has changed a lot in the past 20 years. People haven't.
