Virus yearbook 2004

Generally speaking, when talking about computer viruses, we tend to talk in terms of the epidemics or the damage they have caused. On this occasion, we will be talking in general terms about the most notable traits of the malicious code that has appeared throughout 2004.

- Strings of virus attacks

The Mydoom.A was at the center of the first viral outbreak of the year. At its peak, it was estimated that one in four emails in circulation carried the virus. Mydoom.A used a simple but effective social engineering technique: it spoofed an undelivered email returned by the server. In the wake of this virus, new attacks emerged from other malicious code like Doomjuice, Deadhat and Mitglieder-, which exploited backdoors created by Mydoom.A. This meant that an infection that started with just one virus led to new attacks from others over several weeks.

- Good guys?

Two variants of the Nachi worm and another called Doomhunter appeared on the scene under the guise of modern-day cyber-Robin Hoods. They arrived, supposedly, to free the unfortunate victims of Mydoom, Doomjuice and Blaster from their suffering. It is true that they did rid infected computers of these malicious codes, but at the same time they also exploited certain system vulnerabilities (presumably with some nefarious aim).

- The birth of viral cyber-wars

There has often been talk of how cyber-wars will shape future international conflicts. Whether this will ever come true is not for us to say, but what we have seen in 2004 is the first cyber-war between virus writers. The result was a stream of variants of Bagle, Netsky and Mydoom each containing offensive messages in their code directed at their rivals. Did anyone win? Who knows. It is safe to say though that the losers were the unfortunate users whose computers were infected.

- LSASS: the big flaw in 2004

LSASS, a vulnerability that affects several versions of Windows operating systems, is no doubt the major security hole in 2004, not least in light of the fact that the Sasser worm exploited it to install itself and continuously restart computers. This was the latest in the list of viruses that exploited specific flaws, such as Klez.I (Iframe vulnerability), and Blaster (RPC DCOM vulnerability). The story doesn't end there though, as other malicious code continued the work of Sasser by exploiting LSASS, such as Korgo, Bobax, Cycle, Kibuv, Plexus...

- Viruses infecting new platforms

Until now, the sorties of virus creators into new platforms had been timid attempts that were merely concept trials. However, in 2004 viruses did appear that really infected 64-bit systems (such as Shruggle.1318) or WinCE (Duts.1520 and Brador.A), and even cell phones running under Symbian, such as Toquimos.A, Skulls.A or the Cabir family of worms.

- New virus formats

On many occasions virus authors have hidden their creations in files purporting to be images, audio files, etc. It was thought to be impossible, say, to construct an image file that could infect computers. Nevertheless, events have shown that this is not the case, thanks to a vulnerability that allows attackers to create genuine JPEG files which when opened will take malicious action. Two malicious code soon appeared to take advantage of this flaw: JPGDownloader and JPGTrojan.

- The smartest ruses

Even though more and more viruses are using software vulnerabilities in order to spread, there are still legions of those that use "social engineering" to infect computer systems. In 2004, some of the most frequently employed ruses were texts feigning to be delivery errors (such as Mydoom.A), or claiming that files had been scanned by an antivirus and were completely safe (such as Netsky.N, Netsky.O or Mywife.A).

- Tactics to prevent detection

In 2004, many email worms have used a new strategy to prevent being rapidly detected by antivirus programs. By ensuring that they don't send themselves to certain email addresses, i.e. those related to certain security or antivirus companies, they try to gain precious time to propagate before the industry can provide users with the corresponding vaccine. On the other hand, there are more and more malicious codes that try to disable to security programs installed on the computer. So they don't only try to avoid being detected, they also aim to leave computers unprotected against future attacks.