An overview of virus activity in 2003.


Kaspersky Labs

Nine major virus outbreaks were registered in 2003, along with 26 less significant ones, mainly of a local nature. This figure is lower than that of 2002, when there were 12 major outbreaks and 34 minor incidents. However, even though the number of outbreaks has decreased, their scale and their impact on the Internet have increased significantly.

Major virus outbreaks

There were two global outbreaks in 2003, which were the biggest in the history of the Internet. It should be noted that these outbreaks were not caused by classic email worms, but by worms adapted to the Internet, which spread as network data packets.

The foundations of the first outbreak were laid on the 25th January by the Internet worm Slammer (Helkern), which used a vulnerability in Microsoft SQL Server in order to replicate. Slammer became the first fileless Internet worm, and it fully demonstrated the capabilities of flash worms, first described in 2001. On 25th January 2003, in a matter of mere minutes, the worm infected millions of computers throughout the world and increased network traffic by between 40% and 80% (estimates vary), causing national backbone servers to crash. The worm attacked through ports 1433 and 1434; on penetration it did not write itself to disk, but simply remained in the memory of the infected machine.
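The behaviour described above, a single host contacting many addresses on one port within seconds, is what a defender can look for at the network perimeter. The following is an added example and not code from the Kaspersky article: a small Python fan-out detector run over constructed firewall log lines in a simplified format of my own. The log layout, the watched ports (1433 and 1434, as named above), the ten-second window and the threshold of five distinct targets are all assumptions, and the same logic applies to any scanning worm, not only Slammer.

```python
"""Fan-out detector for worm-style scanning on the SQL Server ports.

Added example, not code from the Kaspersky article. It reads firewall log
lines in a constructed, simplified format and flags any source that hits
many distinct destinations on a watched port inside a short window. That
pattern (one host, one port, many random targets in seconds) is what a
memory-resident scanning worm looks like from the network perimeter.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real telemetry. 203.0.113.7 sprays UDP/1434 at
# six different addresses within two seconds; 192.0.2.10 is an ordinary
# client talking to a single SQL Server on TCP/1433 and must not alert.
SAMPLE_LOG = """\
2003-01-25T05:30:00 DROP UDP 203.0.113.7:3021 -> 198.51.100.1:1434
2003-01-25T05:30:00 DROP UDP 203.0.113.7:3021 -> 10.44.9.200:1434
2003-01-25T05:30:01 DROP UDP 203.0.113.7:3021 -> 172.16.3.14:1434
2003-01-25T05:30:01 DROP UDP 203.0.113.7:3021 -> 192.168.8.77:1434
2003-01-25T05:30:01 ALLOW UDP 203.0.113.7:3021 -> 198.51.100.33:1434
2003-01-25T05:30:02 DROP UDP 203.0.113.7:3021 -> 203.0.113.250:1434
2003-01-25T05:30:02 ALLOW TCP 192.0.2.10:49222 -> 192.0.2.20:1433
2003-01-25T05:30:05 ALLOW TCP 192.0.2.10:49223 -> 192.0.2.20:1433
2003-01-25T05:30:09 ALLOW TCP 192.0.2.10:49224 -> 192.0.2.20:1433
2003-01-25T05:31:30 DROP UDP 203.0.113.7:3021 -> 198.51.100.1:1434
"""

# Assumed line layout: "<iso-timestamp> <ALLOW|DROP> <TCP|UDP> src:port -> dst:port".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_scan_fanout(lines, watched_ports=(1433, 1434), window_s=10, min_targets=5):
    """Return {(src, proto, dport): peak_distinct_targets} for every source
    that reached at least min_targets distinct hosts on a watched port within
    any window_s-second interval. Both allowed and dropped packets count: a
    blocked scan is still evidence of an infected sender."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in watched_ports:
            continue
        events[(rec["src"], rec["proto"], rec["dport"])].append((rec["ts"], rec["dst"]))

    window = timedelta(seconds=window_s)
    alerts = {}
    for key, evs in events.items():
        evs.sort()                 # chronological order for the sliding window
        in_window = Counter()      # distinct destinations currently inside the window
        left = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Evict events that fell out of the window ending at this event.
            while evs[left][0] < ts - window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (src, proto, dport), fanout in detect_scan_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src} reached {fanout} distinct hosts on {proto}/{dport} within 10s")
```

On the constructed sample the detector reports only 203.0.113.7 on UDP/1434 with a peak of six distinct targets; the legitimate client on TCP/1433 talks to one server and stays below the threshold. In a real deployment the threshold and window need tuning per network, and hosts that legitimately fan out on these ports (monitoring systems, database clusters) belong on an allow list rather than in a lower threshold.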

An analysis of the outbreak shows that the worm probably originated from East Asia. The second outbreak, which was no less damaging than the first, was started on the 12th August by Lovesan (Blaster). Lovesan clearly demonstrated to the entire world just how vulnerable the popular Windows operating system is. Lovesan used a Windows security breach to propagate. However, in contrast to Slammer, Lovesan used a breach in the RPC DCOM service, which is present on every computer running under Windows 2000/XP. This meant that the majority of Internet users that day were exposed to the worm. Only a few days after the worm first appeared, three other versions of Lovesan were detected. Then the Welchia worm, which used the same Windows breach, exploded onto the Internet. However, Welchia differed from the original worm. It deleted copies of Lovesan on infected computers, and attempted to install a patch for the RPC DCOM service.

2003 was the year of ceaseless email worm outbreaks. Ganda and Avron were detected in January. The former was written in Sweden, and is still one of the most widespread email worms in Scandinavia. The author was arrested by the Swedish police at the end of March. Avron was the first worm written in Kazakhstan to cause a global outbreak. The source code of the worm was published on virus web sites, which led to the creation of several less successful versions of the worm. January also saw the appearance of the first worm in the Sobig family, which caused regular outbreaks. Version Sobig.f broke all records, becoming the most widespread email worm in the history of the Internet. At the peak of the outbreak in August, Sobig.f could be found in every 20th email message.

This particular malicious program was especially dangerous: one of the aims of the authors of the Sobig family was to create a network of infected computers in order to carry out distributed DoS attacks on random web sites. The infected network was also intended to act as proxy servers for distributing spam.

The email worm Tanatos.b was another notable malicious program which appeared in 2003. The first version of Tanatos (Bugbear) was written in mid-2002, with the second version appearing nearly a year later. The worm used a long-known breach in the Microsoft Outlook security system (the IFRAME breach) to launch itself automatically from infected messages.


The latest worms in the Lentin (Yaha) family continued to appear. According to current data they were all created in India by one of the local hacker groups in the course of a virtual war being conducted between Indian and Pakistani hackers. The most widespread were versions M and O, where the virus replicated in the form of a ZIP archive attached to infected messages. Virus writers from Eastern Europe were also active in 2003. The second worm from the former USSR to cause a global outbreak was Mimail. The worm used a vulnerability in Internet Explorer to replicate itself, and the vulnerability became known as Mimail-based. The vulnerability allowed the extraction and execution of binary code from an HTML file and was first exploited in Russia in May 2003 by Trojan.Win32.StartPage.L. Following this, the vulnerability was used by the Mimail family of worms and a number of Trojan programs. The author of Mimail published the source code on the Internet, giving rise to several new versions by virus writers from other countries, including the USA and France.

September 2003 was the month of the Internet worm Swen. Swen disguised itself as a Microsoft patch, infected hundreds of thousands of computers throughout the world, and to this day remains one of the most widespread email worms. The virus author successfully exploited the fact that users were already unsettled by the recent Lovesan and Sobig incidents and were therefore likely to install the so-called patch immediately.

There were two other major security events which should be mentioned. The first of these was caused by Sober, a relatively simple email worm written by a German in imitation of the leader of the year, Sobig.f. The second was the backdoor Trojan Afcore: in spite of the fact that it did not spread widely, it deserves a certain amount of attention due to the interesting way it conceals itself in a system, by writing its code to alternate data streams of the NTFS file system. Even more interesting, Afcore does not use the alternate data streams of files but of directories.
COPYRIGHT 2004 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation: Virus Notes
Publication: Software World
Date: Jan 1, 2004
Words: 1023