BRIEF STORY ON HOW TO FINALLY GET PEOPLE NERVOUS ABOUT THIS WHOLE CYBER SECURITY

It was not until 2003 that the world realized that the consequences of cyber attacks go far beyond virtual inconveniences. Grounded aircraft, useless ATMs, an unavailable 911 emergency network, a shut-down railroad system and worldwide press agencies temporarily locked out. And, eventually, the very first rise of spam botnets in history. This is just a sample of the direct consequences of the 2003 upswing in computer malware.

At the time the real world was preparing itself for the U.S. invasion of Iraq. Martin Scorsese won the Golden Globe for ‘Gangs of New York’ and Kobe Bryant was endlessly sinking three pointers. Meanwhile the cyber world was just about to get acquainted with the Sobig and Slammer worms. Later that year the merry company was broadened by Blaster and Welchia. Then there was the Battle of Worms (see: Battle of Worms in 5 Acts), nailed down by the outburst of Sasser. Havoc.

Cyber security was making headlines. Repeatedly. Finally.

YOU WERE SAYING IT COULD BE FOR REAL, RIGHT?

One of the darkest periods in cyber security history started somewhere around the 9th of January 2003, when an unknown author released the Sobig worm into the wild. Spreading through email and network shares using its own SMTP engine, it was not only spamming itself out ferociously but also downloading the Lala trojan, which turned infected machines into spamming zombies. For the very first time in history, computers were turned into relays that easily. The spam business crossed the Rubicon: it was no longer a manual, hand-made job. It was now all about automation.

Sobig made headlines pretty quickly, especially at the BBC. The worm went after a mailing list for fans of The Archers, the long-running radio drama, just at the time when one Archers character was teaching another how to use email. Perfect timing, right?

The real fun started almost exactly two weeks later. On Saturday, the 25th of January, at 5:30 GMT, something unknown, scary and prolific as hell emerged: the one and only Slammer worm. Slammer needed only 15 minutes to spread worldwide. A simple piece of code, exploiting a vulnerability known for over 6 months (!), infected 90% of all vulnerable hosts within 10 minutes. It took down 5 of the world’s 13 DNS root servers. Another 5 experienced massive packet loss.

Although a patch for the exploited vulnerability was readily available, the consequences were unprecedented. Windows XP activation servers in Redmond were taken offline. Continental Airlines had to cancel and delay a number of flights. Bank of America ATMs refused to dispense cash. In South Korea the entire internet infrastructure was knocked out.

As many as five of the 13 Internet root nameservers have been downed because of the outbreak. Effects were so marked because the worm generates massive amounts of network packets, overloading servers and routers and slowing down network traffic. SQL Slammer’s code instructs the Microsoft SQL Server to go into an endless loop, continually sending out data to other computers, in effect performing a denial-of-service attack.

F-Secure Alert

Internet attack causing a dramatic increase in network traffic worldwide.

Microsoft Statement on Slammer Worm Attack

The Slammer worm targeted a flaw in Microsoft’s SQL Server database. It sent a UDP datagram to port 1434 and exploited a buffer overflow vulnerability in the SQL Server Monitor. Once in memory, it sent datagrams carrying the worm code to random IP addresses, in effect causing a massive Distributed Denial of Service (DDoS) attack.

The New York Times reported that even Microsoft had a number of unpatched machines; its MSN Internet service suffered significant slowdowns caused by Slammer. Any silver lining? Here you go:

Patching was 100% effective in preventing reinfection and so, in its own ironic way, Slammer helped make the Internet that little bit more secure.

David Litchfield – discoverer of the vulnerability

THE MORE THE MERRIER

From January 2003 on, the following months became a baptism of fire for the cyber security community. Not a successful one.

The hammering code of Slammer, along with the incredible ease with which it spread, was in fact the main reason for its twilight. Available bandwidth could no longer support the exponential growth of generated packets. Furthermore, as a memory-resident worm (it never wrote itself to disk, so a reboot removed it), it had no prospects of a long-lasting future.
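As an added illustration (not from the original article), the following Python model reproduces the spread dynamics described above: a random-scanning worm grows exponentially while victims are plentiful, slows as the pool of unpatched hosts runs out, and slows even earlier when the aggregate packet volume exceeds what the network can carry. The parameters used (75,000 vulnerable hosts, 4,000 scans per second per host, a 5e7 packets-per-second aggregate budget) are constructed assumptions for the example, not measurements of Slammer.

```python
"""Logistic model of a random-scanning worm (added illustration; parameters are
constructed for the example, not measurements of any real worm)."""
from dataclasses import dataclass
from typing import List, Optional

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner picks from


@dataclass
class ScanWorm:
    vulnerable_hosts: int                            # hosts running the vulnerable service
    scans_per_second: float                          # probes one infected host can emit per second
    patched_fraction: float = 0.0                    # share of those hosts already patched (immune)
    aggregate_capacity_pps: Optional[float] = None   # Internet-wide packet budget; None = unlimited

    def live_hosts(self) -> float:
        """Hosts that can still be infected."""
        return self.vulnerable_hosts * (1.0 - self.patched_fraction)


def simulate(worm: ScanWorm, seconds: int, initial_infected: int = 1) -> List[float]:
    """Return the infected fraction of the unpatched population for each second.

    Each infected host probes random addresses; a probe finds a fresh victim with
    probability (uninfected live hosts / address space). When an aggregate packet
    budget is set, the per-host scan rate is throttled once the worm's total
    traffic would exceed it, which models the bandwidth exhaustion described above.
    """
    live = worm.live_hosts()
    a = initial_infected / live
    series = [a]
    for _ in range(seconds):
        rate = worm.scans_per_second
        if worm.aggregate_capacity_pps is not None:
            rate = min(rate, worm.aggregate_capacity_pps / (a * live))
        contact = rate * live / ADDRESS_SPACE      # new victims found per infected host per second
        a = min(1.0, a + contact * a * (1.0 - a))  # discrete-time logistic step
        series.append(a)
    return series


def seconds_to_fraction(worm: ScanWorm, target: float, horizon: int = 3600) -> Optional[int]:
    """First second at which the infected fraction reaches `target`, or None within the horizon."""
    for t, a in enumerate(simulate(worm, horizon)):
        if a >= target:
            return t
    return None


if __name__ == "__main__":
    scenarios = [
        ("unpatched", ScanWorm(vulnerable_hosts=75_000, scans_per_second=4_000)),
        ("50% patched", ScanWorm(75_000, 4_000, patched_fraction=0.5)),
        ("bandwidth-capped", ScanWorm(75_000, 4_000, aggregate_capacity_pps=5e7)),
    ]
    for name, w in scenarios:
        print(f"{name:17s} 90% of live hosts infected after {seconds_to_fraction(w, 0.9)} s")
```

Halving the unpatched population roughly doubles the time the worm needs to reach 90% of what is left, which is the quantitative argument behind the automatic-update lesson drawn later in the article; the capped run shows why a worm that saturates links strangles its own growth.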

Nevertheless, Sobig and Slammer were just the vanguard of what was about to hit the world 6 months later, in August 2003.

First came Blaster. The worm, exploiting the DCOM RPC vulnerability, emerged on Monday, the 11th of August. Once the exploit code had been successfully sent to the target, communication was maintained through TCP port 135. A remote command shell listening on TCP port 4444 was then opened. Finally, a Trivial File Transfer Protocol (TFTP) server was set up listening on UDP port 69. This last step delivered the main Blaster payload to the targeted machine; a payload which shared some interesting thoughts with the world:
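As an added example (not code from the original article or from any vendor named in it), the following Python detector, written from the defender’s side, turns the two traffic descriptions above into checks over constructed connection-log lines: a source fanning UDP/1434 datagrams out to many hosts (the Slammer pattern described a few paragraphs up) and a source/destination pair walking through TCP/135, TCP/4444 and then UDP/69 (the Blaster sequence). The log format, the IP addresses, the thresholds and the exact ordering of the Blaster stages are assumptions made for the example.

```python
"""Port-pattern detection for the worm traffic described above, run over
constructed connection-log lines (added example, not from the original article).
Assumed log format: '<ISO timestamp> <proto> <src>:<sport> -> <dst>:<dport>'."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: one host fanning UDP/1434 datagrams out to 12 addresses in
# a few seconds (Slammer-style random scanning), one legitimate single UDP/1434
# lookup, one Blaster-style sequence (TCP/135 exploit, TCP/4444 shell, then the
# victim pulling the payload over TFTP UDP/69 from the attacker), and two
# unrelated single flows that must not trigger anything.
SAMPLE_LOG = [
    f"2003-01-25T05:30:{i:02d}Z udp 192.0.2.10:1434 -> 10.0.{i}.1:1434"
    for i in range(12)
] + [
    "2003-01-25T05:31:00Z udp 192.0.2.20:50101 -> 10.0.99.1:1434",
    "2003-08-11T14:00:00Z tcp 198.51.100.5:3201 -> 203.0.113.9:135",
    "2003-08-11T14:00:01Z tcp 198.51.100.5:3202 -> 203.0.113.9:4444",
    "2003-08-11T14:00:02Z udp 203.0.113.9:1025 -> 198.51.100.5:69",
    "2003-08-11T14:05:00Z tcp 198.51.100.7:3300 -> 203.0.113.12:135",   # RPC alone: benign
    "2003-08-11T14:06:00Z udp 203.0.113.30:1026 -> 198.51.100.40:69",    # TFTP alone: benign
]


def parse_log(lines: List[str]) -> List[dict]:
    """Parse log lines into flow dicts sorted by time; malformed lines are skipped."""
    flows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "proto": m["proto"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
        })
    return sorted(flows, key=lambda f: f["ts"])


def detect_udp_1434_fanout(flows: List[dict], min_targets: int = 10, window_s: int = 60) -> Dict[str, int]:
    """Sources that hit >= min_targets distinct hosts on UDP/1434 within window_s seconds.
    One lookup is ordinary SQL Server discovery; a fan-out to many hosts is the scan pattern."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 1434:
            by_src[f["src"]].append(f)
    hits: Dict[str, int] = {}
    for src, fl in by_src.items():          # fl is already in time order
        start = 0
        for end in range(len(fl)):
            while (fl[end]["ts"] - fl[start]["ts"]).total_seconds() > window_s:
                start += 1                  # slide the window forward
            targets = {f["dst"] for f in fl[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def detect_blaster_sequence(flows: List[dict]) -> List[Tuple[str, str]]:
    """(attacker, victim) pairs that progress through TCP/135 -> TCP/4444 -> UDP/69 in order.
    The stage ordering is an assumption of this example taken from the description above."""
    stage: Dict[Tuple[str, str], int] = {}
    alerts = []
    for f in flows:
        pair = (f["src"], f["dst"])
        if f["proto"] == "tcp" and f["dport"] == 135:
            stage.setdefault(pair, 1)
        elif f["proto"] == "tcp" and f["dport"] == 4444 and stage.get(pair) == 1:
            stage[pair] = 2
        elif f["proto"] == "udp" and f["dport"] == 69:
            attacker_victim = (f["dst"], f["src"])   # the victim fetches from the attacker's TFTP server
            if stage.get(attacker_victim) == 2:
                stage[attacker_victim] = 3
                alerts.append(attacker_victim)
    return alerts


def run(lines: List[str] = SAMPLE_LOG):
    flows = parse_log(lines)
    return detect_udp_1434_fanout(flows), detect_blaster_sequence(flows)


if __name__ == "__main__":
    fanout, sequences = run()
    for src, n in fanout.items():
        print(f"UDP/1434 fan-out from {src}: {n} distinct targets")
    for attacker, victim in sequences:
        print(f"Blaster-style 135/4444/69 sequence: {attacker} -> {victim}")
```

The fan-out check is rate-based rather than port-based on purpose: a single UDP/1434 query is normal, and the same sliding-window logic applies to any random-scanning worm once the port is swapped. The sequence check only fires when all three stages line up between the same two hosts, so lone RPC or TFTP traffic stays quiet.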

I just want to say LOVE YOU SAN
billy gates why do you make it possible?
stop making money and fix your software

Blaster message to the world

Hence, not surprisingly, Blaster went after Microsoft. Although its SYN flood attack was not successful, it spread widely and managed to severely disturb, among others, the CSX railroad system, Air Canada, BMW, the Federal Reserve Bank of Atlanta and the Swedish telco TeliaSonera. Stay tuned though! The fun part had only started.

Exactly one week later, on the 18th of August: another Monday, another surprise. This time a positive one. Who would have thought, right? There it was. The rescuer. A nematode deleting Blaster and patching the missing vulnerabilities, with no intentional harmful effects. The Welchia worm.

Welchia primarily used the very same vulnerability exploit as Blaster. It was, however, supplemented with yet another attack vector: exploiting the WebDAV vulnerability through TCP port 80. Both ways led to a remote shell listening on a random TCP port between 666 and 765. Savvy, and with only the best intentions. The outcome, unfortunately, was not straightforwardly positive.

This worm, even though it pretends to be friendly, is even more problematic because of the propagation technique it uses. And, even if you have patched against the DCOM RPC vulnerability, you are still at risk because it uses another avenue to infect.

In some cases enterprise users have been unable to access critical network resources. This is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm.

Vincent Weafer, Symantec’s Security Response Unit

Welchia was literally causing another Denial of Service (DoS) by swamping network systems with traffic. So much for good intentions (see: SO MUCH FOR GOOD INTENTIONS).

So there it is, August 2003. The world had just regained consciousness after the Slammer bomb. There were a number of Blaster variants flying around the world. Welchia was propagating itself mercilessly. How about making it just a bit spicier?

The 19th of August. Just one day after the Welchia outburst. An old friend was back with new superpowers, propagating itself faster than any other worm of its time. Let’s welcome back Sobig. The ‘.F’ variant.

It was now Blaster, Welchia and Sobig playing around at the very same time.

15 MONTHS WHICH CHANGED THE LANDSCAPE

At the time one could have thought it was just a dangerous thunderstorm. Vivid, ferocious and nasty, but still accidental. Not this time, my friends. Not anymore.

While the cyber security industry was doing its best to fend off two worms and one nematode, the hoodies were silently preparing something special. Again.

2004 was supposed to be pretty pleasant: Euro 2004 in Portugal, the Olympic Games in Athens and the grand premiere of Troy, with Brad Pitt as Achilles. For cyber security geeks it was about to be a whole different experience.

January 2004 opened a new chapter in the cyber world. First came the Mydoom worm, beating every notable spreading record there was.

The worst email worm incident in history.

Mikko Hyppönen, CSO of F-Secure

Then it all got even heavier. The Battle of Worms broke out in full swing in late February (see: Battle of Worms in 5 Acts), with the aforementioned Mydoom joined by NetSky and Bagle. Another unprecedented event with severe consequences across the globe.

The nail in the coffin was yet to emerge: the very last participant of the Battle of Worms and one of the most destructive worms ever, Sasser. This network worm emerged in April 2004 and made use of the LSASS buffer overflow vulnerability. It opened a remote shell on TCP port 9996 and used an FTP server on TCP port 5554 to spread itself. And spread it did, marvelously. Within hours there were millions of infections, causing repeated crashes and reboots of systems. Agence France-Presse (AFP) had all its satellite communication blocked for hours. Delta Air Lines had to cancel several transatlantic flights. The Finnish Sampo Bank came to a complete halt and had to close its 130 offices in Finland. And that is obviously not the entire list.

The crazy ride started in early January 2003 and peaked several times. First, Slammer partially stopped the worldwide internet. Then Blaster heavily disturbed several high-profile industries. Welchia, on the other hand, played around with the Navy Marine Corps, consuming three quarters of its intranet capacity. The Battle of Worms changed the status quo for the whole cyber security industry, staying two steps ahead of everyone the whole time. Then came the Grand Finale in the shape of Sasser, with grounded flights and closed banks. There was no going back.

NEVER ENDING STORY?

This was a harsh clash with cyber reality. Well, actually… a clash with reality. The cyber world was no longer an isolated island with no consequences for the day-to-day existence of people across the globe. Cyber adversaries caused real problems for real people. No one could ignore this fact any longer. From now on, critical infrastructure, essential services and daily activities were the target. In hindsight it is plainly visible that it has never got any better.

16 years later we are much better prepared, obviously. Probably the most tangible outcome of the 2003-2004 cyber havoc was the change in approach towards automatic updates. We came to the brutal realization that critical vulnerability patches had to be applied as quickly as possible. Most of us have learned the lesson.

So did the hackers. A successful infection means a silent infection. You are not supposed to know there is a piece of malicious code nesting in your system. Systems are not to reboot, and machine performance is not to slow down. Ransomware aside, you are to be kept in the dark. For as long as possible.

Blaster remained pretty active for the next several years. Slammer came back in December 2016 and made the top 10 most common threats of the month. Bagle is still up there; we can still see detections of the worm. The same goes for SkyNet. We have not got rid of them. We merely intend to keep the prevailing versions under control. Let’s see for how long.

Maciej Szulejewski

When creating this article, I used threat descriptions from the F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used the Microsoft Statement on the Slammer Worm Attack, The Inside Story of SQL Slammer from threatpost.com, Friendly Welchia Worm Wreaking Havoc from internetnews.com and MyDoom declared worst ever from cnet.com.

BATTLE OF WORMS IN 5 ACTS

PRELUDE: THE WORST EMAIL WORM IN HISTORY

The fastest spreading worm ever emerged from nowhere on Monday, the 26th of January 2004. Shortly after its release into the wild it accounted for around 30% of email traffic worldwide. Correct: almost 30% of all email traffic in the world was caused by this one worm. The hero of the day was later called Mydoom.

Mydoom spread through email and, popular at the time, the Kazaa peer-to-peer network. Most of the email subjects suggested transmission errors, mail delivery failures, tests or server reports. The lure was to open an attachment which, when executed, sent the worm out to the user’s address book and network shares.

Opening the attachment led to two adverse activities. First, every infected machine was used for a DDoS (Distributed Denial of Service) attack on the 1st of February 2004 against the SCO Group, an American software company. Second, a backdoor listening on the first available TCP port between 3127 and 3198 was installed. The latter enabled an adversary to turn an infected machine into a proxy, but also opened the door to executing any additional malicious code.

Soon it was not only about the SCO Group. The second variant went bigger, targeting Microsoft. Both would-be victims offered $250 000 for any information leading to the arrest of the worm’s creator. The FBI got involved and there was a lot of publicity.

Despite the overwhelming sense of urgency on the defense side, Mydoom, using over one million machines, managed to take down the SCO domain. It did not work against Microsoft though; they managed to prepare themselves well enough.

Both variants had their expiration date hardcoded. The first one retired on the 12th of February, the second one on the 1st of March. Was it supposed to be a one-time shot? With a specific purpose, written on demand? There was a clue indicating such a scenario. Take a look:

andy; I’m just doing my job, nothing personal, sorry,

This was the message embedded in the code of the worm. This ‘job’ caused billion-dollar losses around the globe. At the time Mikko Hyppönen described Mydoom as ‘the worst email worm incident in history’. Well… actually the real fun was just about to start.

ACT 1: NETSKY CHASING DOWN MYDOOM

There were just a bit more than two weeks of peaceful spreading for Mydoom. Almost uninterrupted. A full success, leaving thousands of backdoors operating on infected machines. Until Monday, the 16th of February 2004, when the can-you-top-this game started off.

Out of nowhere emerged a 17-year-old German malware enthusiast, Sven Jaschan, and his creation: NetSky. Another network-spreading worm, which managed to distribute itself worldwide with ease. Another one luring its victims through socially engineered emails. With just one difference. NetSky was literally chasing down Mydoom. Its sole purpose was to remove or disable it.

The real playground-style brawl started on Wednesday, the 25th of February. This is what was found inside the code of NetSky.C:

We are the skynet – you can’t hide yourself! – we kill malware writers (they have no chance!) – [LaMeRz–>]MyDoom.F is a thief of our idea! SkyNet AV vs. Malware.

Pretty compelling, right?

ACT 2: BAGLE JOINS THE PARTY – WANNA START A WAR?

The more the merrier. NetSky was actually hunting down not only the famous Mydoom. In fact, there was yet another target: Bagle. One more network-spreading worm with its own SMTP engine, joyfully installing backdoors.

Different variants of Bagle had started popping out as early as mid-February, competing with the self-proclaimed saviour on a daily basis. It was Tuesday, the 2nd of March, when it really started to get juicy. Let’s give the floor to both runaways:

Hey, NetSky, fuck off you bitch, don’t ruine our bussiness, wanna start a war?

Bagle.J

To netsky’s creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your shitty app.

MyDoom.G

No doubt both sides enjoyed it. Wednesday, 3rd of March:

Skynet AntiVirus – Bagle – you are a looser!!!!

NetSky.F

Hey, NetSky, fu** off you bitch!

Bagle.J

And then there was Monday, the 8th of March. Could it be the end? The NetSky author was apparently signing off. The following message was embedded in the .K variant:

We want to destroy malware writers business, including Mydoom and Bagle… This is the last version of our antivirus. The source code is available soon.

At the time, March 2004, the situation was pretty obvious. A scattering of malware writers was disturbing the whole internet. Unpunished. Playing a cat-and-mouse game with the entire antivirus world.

ACT 3: NEVER SEEN ANYTHING LIKE THAT BEFORE

Different variants of all three worms were popping out like crazy. More and more machines were getting infected every day. Instant reactions to any move made by the greats of the antivirus world. This is how Mikko Hyppönen, Chief Research Officer at F-Secure, described it:

Whoever is behind it is sitting around waiting for us to respond. If the target is to exhaust the antivirus people, he’s succeeding at it. My team is really tired. We are working through the night and the weekends.

Mydoom developed into at least 10 different variants. NetSky entertained itself with 31 incarnations. Bagle beat them all: its variants went through the alphabet several times.

Is there anything that could possibly go worse? Well… Sven Jaschan, the author of NetSky, decided to enter the battlefield once again. No doubt he made a pretty impressive entrance. First observed on the 30th of April, the Sasser worm was immensely successful in terms of its distribution. Using the LSASS buffer overflow vulnerability, Sasser managed to infect millions of machines. The .E variant was the first one to directly attack and annihilate Mydoom and Bagle.

The Worm War started to fade out though. Neither NetSky nor Sasser managed to significantly disturb the proliferation of Mydoom and Bagle. In fact, Sasser caused so much damage around the world, including grounding airlines and temporarily shutting down Sampo Bank’s offices, that its author was tracked down and brought to court.

Obviously, all the characters of this story outgrew their initial intentions. In fact, 15 years later they still have a pretty decent record of persistence.

CLOSING: THEY’RE STILL OUT THERE

Mydoom took down the Google site on the 26th of July 2004. For most of the day the site was inaccessible. The code was reused in July 2009 for cyberattacks on South Korea and the United States. As reported by Palo Alto Networks, one percent of all malware-carrying emails sent during 2019 were Mydoom emails.

The Bagle worm evolved into the Bagle botnet, mostly involved in proxy-to-relay email spam. As reported by SC Magazine UK, the botnet was responsible for about 10.39% of the worldwide spam volume on December 29, 2009, with a surge up to 14% on New Year’s Day.

Something more up to date? In December 2018, the Comodo Group indicated that the very first two variants of the worm, Bagle.A and Bagle.B, still arrive in people’s inboxes.

Mydoom is still considered the worst email worm incident in history. The Worm War fuelled the evolution of Bagle so heavily that it’s difficult to count its variants anymore. The War itself became the very first immensely impactful playground, at the expense of millions of unaware internet users across the world. The dust has settled. The worms, however, remain restless.

Maciej Szulejewski

When creating this article, I used threat descriptions from the F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used NetSky author signs off, War of the worms turns into war of words and German police arrest Sasser worm suspect from theregister.com, Virus writers trade insults as e-mail users suffer from nbcnews.com, The Stealthy War Between Virus Creators from abcnews.go.com and Virus writers exchange coded insults from zdnet.com.