From Melissa to Zotob: 10 Years of Windows Worms

A look back at some of the biggest security attacks against Microsoft's flagship operating system since the launch of Windows 95 a decade ago.

The names roll of the tongue like characters in an episode of "American Gladiators." Klez. Blaster. Slammer. Sasser. Zotob. Computer viruses and worms, all targeting users of Microsoft Corp.s Windows operating system.

The first sign of computer worm activity dates back to 1982, when a program called Elk Cloner squirmed through Apple II systems. The SCA virus and Brain, written for IBM PC compatibles and Amigas, would pop up in the late 1980s, followed by the Morris Worm, the first documented "in the wild" proof-of-concept that infected DEC VAX machines.

Those worms hardly registered on the mainstream media radar but, with the arrival of Windows 95, all that changed in a hurry. The computer world has never been the same.

March 1999: Melissa Strikes

Named after a lap dancer in Florida, the Melissa worm is the considered the first destructive mass-mailer targeting Microsoft customers. The worm was programmed to spread via Microsoft Word- and Outlook-based systems, and the infection rate was startling.

Melissa, created by a New Jersey hacker who would go to jail for the attack, was released on a Usenet discussion group inside a Microsoft Word file. It spread quickly via e-mail, sending anti-virus vendors scrambling to add detections and prompting immediate warnings from the CERT Coordination Center.

May 2000: ILOVEYOU

Still widely considered one of the most costly viruses to enterprises, the ILOVEYOU worm, also known as VBS/Loveletter or Love Bug, used social engineering and catchy subject lines to trick Windows users into launching the executable.

/zimages/5/28571.gifClick here to read more about the early worms.

The worm spread rapidly by sending out copies of itself to all entries in the Microsoft Outlook address book. Anti-virus researchers also discovered an additional—and dangerous—component called "WIN-BUGSFIX.EXE" that was a password-stealing program that e-mailed cached passwords back to the attacker.

The worm also gained the attention of the mainstream press when it launched a denial-of-service attack against the White House Web site. To this day, anti-virus vendors report ILOVEYOU sightings in the wild.

2001: A Triple-Barreled Barrage

This was the year that malicious worm activity exploded, with three high-profile attacks bombarding Windows users. First up was SirCam, malicious code that spread through e-mail and unprotected network shares. The damage from SirCam was somewhat limited, but what was to follow would set the tone for a spate of network worms that caused billions of dollars in business costs.

/zimages/5/28571.gifWhat will get Windows 95 die-hards to upgrade to Vista? Click here to read more.

In July 2001, the appearance of Code Red again set the cat among the pigeons, spreading via a flaw in Microsofts Internet Information Server (IIS) Web server. The worm exploited a vulnerability in the indexing software distributed with IIS and caused widespread panic by defacing Web sites with the stock phrase "Hacked By Chinese!" Code Red spread itself by looking for more vulnerable IIS servers on the Internet and, in August, launched a denial-of-service attack against several U.S. government Web sites, including the White House portal.

Less than a month later, a new mutant identified as Code Red II appeared and wreaked even more havoc.

Still reeling from the effects of SirCam and Code Red, Windows users would soon have to deal with Klez, an e-mail borne virus that exploited a flaw in Microsofts Internet Explorer browser and targeted both Outlook and Outlook Express users.

Because Klez required users to click on an embedded e-mail attachment, the damage was limited, but when later variants appeared with spoofed sender addresses, it provided the first sign that virus writers would change tactics to avoid detection. The spoofing of e-mail addresses would later become a standard trick to attack non-technical e-mail (and Windows) users.

Slammer, Sobig and Blaster

After a worm-free 2002, Windows users had to contend with another three-pronged threat—Slammer in January 2003 and the Sobig and Blaster attacks in the summer.

Reminiscent of the Code Red worm, Slammer exploited two buffer overflow vulnerabilities in Microsofts SQL Server database, causing major congestion of Internet traffic throughout Asia, Europe and North America.

The worm infected about 75,000 hosts in the first 10 minutes and knocked several ISPs around the world offline for extended periods of time.

As Microsoft struggled to cope with the Slammer fallout, there were two new outbreaks in the summer with Sobig and Blaster squirming through millions of unpatched Windows machines. The fast-spreading worms crippled network infrastructure globally and the cleanup and recovery were estimated to be tens of billions of dollars.

Blaster was particularly nasty. The worm spread by exploiting a buffer overflow in the DCOM RPC service on Windows 2000 and Windows XP and also launched a SYN flood attack against port 80 of Microsofts site that is used to distribute security patches. Microsoft was able to dodge the bullet by temporarily redirecting the site, but the media latched onto the story and forced the company to make major changes to its patching schedule to help customers cope with the patch management nightmare.

2004: Sasser Strikes

After Slammer and Blaster, Microsoft customers complained bitterly that the companys unpredictable patching schedule was causing hiccups in the patch deployment process. In October 2003, chief executive Steve Ballmer announced a plan to release security bulletins on a monthly cycle, except for emergency situations.

The new plan is greeted warmly, but the worm attacks showed no sign of letting up. In January 2004, the MyDoom worm was spotted. A mass-mailer with a payload targeting the Windows operating system, MyDoom quickly surpassed Sobig as the fastest-spreading e-mail worm ever. In addition to seeding Windows machines to create botnets, MyDoom was programmed to launch DDoS (distributed denial-of-service) attacks on Microsofts Web site.

In early May, Sasser hit. Exploiting a flaw in the LSASS (Local Security Authority Subsystem Service) component, the Sasser worm squirmed through unpatched Windows 2000 and Windows XP machines. Sasser was particularly dangerous and spread rapidly through vulnerable network ports.

Microsoft is credited with reacting swiftly to contain the Sasser spread but, as the latest Zotob attacks prove, the time to exploit an unpatched flaw has narrowed significantly since the launch of Windows 95 10 years ago.

/zimages/5/28571.gifCheck out eWEEK.coms for Microsoft and Windows news, views and analysis.