January 7, 2004
It seems appropriate that the Chinese dubbed 2003 as the Year of the Black Sheep. Among other things, the sheep is a symbol of untidiness - and from a virus standpoint, the year was indeed a mess.
The first indicators of discord came early with the January discovery of the "Avril, Lirva, or is it Naith?" worm. While antivirus vendors disagreed on the name, the worm busily stole passwords and spread via email, mIRC, ICQ, KaZaA, and open shares on Windows networked drives. Close on its heels, the well-known ExploreZip worm bypassed several antivirus scanners simply by being repackaged with a different form of compression. SoBig.a also made its debut in the same month, though its impact on antivirus protection would not be seen for some months to come. Bringing up the rear in January was the SQL Slammer worm, which needed no file at all: the entire worm fit in a single UDP packet aimed at port 1434, so vulnerable hosts were compromised within minutes of exposure. Thinking it targeted only SQL Server 2000, many end users failed to apply the appropriate patches - only to discover the worm also affected Microsoft Desktop Engine (MSDE) 2000, an add-on found in nearly 200 end user products.
By February, it was increasingly apparent that spyware had become a menace for users. Unwanted installations of the Xupiter toolbar plagued online citizens but were being ignored by antivirus protection. Also in February, the Lovegate worm exploited users by trying easily guessed passwords to gain access to inadequately protected network shares. In March, the Deloder Trojan did the same.
In May, the auto-updating Fizzer worm disabled antivirus and security software found on the system, leaving many users vulnerable to other threats. Another May worm, Palyh, ushered in a recurring theme for the year - masquerading as an email or patch from Microsoft. Adding to the spring excitement, antivirus vendor Trend Micro released an update that inadvertently quarantined all emails containing the much maligned letter 'P' and the University of Calgary announced plans to teach students the black art of virus writing.
June witnessed yet another version of the SoBig worm, and Bugbear.b appeared on the scene, pretending to be email from someone else. Rounding out the June landscape were JS/Fortnight and SoBig.e. JS/Fortnight exploited a three-year-old vulnerability in Microsoft's Virtual Machine, redirecting users to porn sites and dropping unsavory favorites onto their desktops. SoBig.e sent itself as a ZIP attachment, thereby bypassing most popular content filtering and antivirus products that judged an attachment by its extension and ignored anything ending in .ZIP. This ruse was repeated by the Mimail worm in early August, but was quickly overshadowed by the rapid succession of the Blaster, Welchi and SoBig.F worms in the middle of that month. While Blaster and Welchi grabbed headlines and international attention, antivirus products with a penchant for alert messaging helped SoBig.F cripple mail servers: because the worm forged its sender addresses, every "you sent us a virus" notification went to an innocent third party, multiplying the worm's own traffic and overloading users' inboxes. Even after the worm died down, users were confronted with substantial increases in spam - some experiencing thousands of unwanted emails per day.
Rounding out the year, Dumaru and Swen worms carried on the Palyh theme, disguising themselves as patches from Microsoft. Not to be outdone by their viral cohorts, spyware enthusiasts produced browser hijackers throughout, including the infamous Pornbar and QHosts-1 Trojan. Other criminals maintained a steady presence in email, phishing for credit cards and personal banking information by masquerading as email from eBay, PayPal, Citibank, and other reputable entities.
Ghosts of the past
While keeping busy countering new threats, security professionals were also forced to contend with the old. The 2002 Klez.H worm continued to top the virus prevalence charts throughout 2003, and the ancient JDBGMGR.EXE hoax seemed to find no shortage of gullible users willing to keep it alive for yet another year.