Ten years of Windows malware and Microsoft's security response

Summary: They don't make malware like they used to. Literally. Back in 2002, Microsoft and its customers were forced to deal with an unprecedented outbreak of attacks on Windows that threatened the company's survival. In this gallery, I show how malware authors and Microsoft's security response have evolved over the past decade.

Image 12 of 17

  • In January 2007, a deadly storm hit Europe. Malware authors used the news as an opportunity to practice social engineering. The malicious payload was delivered with subject lines such as "230 dead as storm batters Europe." A thorough writeup by Trend Micro suggests just how effective it was:

    The spam attack started just as the storm in Europe was at its strongest on January 18. Over the next few hours and into the next day, as hundreds of thousands of recipients, interested in information about the storm, opened their inboxes, the global computing community found itself in the face of a huge threat attack.

    Writeups from Wikipedia, IBM, McAfee, Microsoft, and F-Secure contain additional details and also suggest how different naming conventions can frustrate security researchers.

    Besides effective social engineering, the Storm worm was among the first widely successful malware examples to use polymorphic techniques, capable of changing its packing code every 10 minutes to frustrate antivirus signatures. It also employed a peer-to-peer network that could rapidly change the IP addresses of its command-and-control servers.

    Various members of the Nuwar family continued to deliver malicious payloads throughout 2007. Microsoft added it to the Malicious Software Removal Tool in September 2007, and it immediately saw a precipitous decline. It was still active, but at a greatly reduced level, in mid-2008 and had begun using RSA encryption to hide its workings from security researchers.

  • A decade ago, social media didn’t exist. By 2008, Facebook had become popular enough to attract the attention of malware authors. One of them created an annoying cross-platform worm that targeted Windows, Mac OS X, and even Linux. The worm gathered login details, built a botnet, and made money by installing additional malware. It also used a common social engineering trick, trying to convince potential victims that they needed to install a Flash Player update that was actually the malicious payload.

    Facebook took down the network by decapitating its control servers in early 2011.

    All pretty routine stuff, by modern standards, but the twist is that this gang was unmasked after several years of making Facebook users’ lives miserable. ZDNet blogger Dancho Danchev published his own takedown of the botnet master on January 9, 2012, complete with embarrassing personal photos. Facebook publicly revealed the identities of the entire gang the following week.

    (The image above was captured by an amateur researcher.)

  • Conficker is the poster child for modern malware.

    Its original incarnation in late 2008 exploited a vulnerability that had been patched a month earlier, but because many Windows users are slow to apply patches, it was extremely effective.

    But its particular genius was the way it used a Windows feature called AutoRun, along with social engineering, to spread like wildfire. As the dialog box above shows, Conficker spread by infecting ubiquitous USB flash drives (another technology that didn’t exist at the beginning of the decade). It convinced unwary users to click an innocent-looking option in the AutoRun dialog box that appeared when a USB drive was inserted into a PC.

    To add insult to injury, it then used a simple dictionary attack to find administrator accounts on the network that used pathetically weak passwords like letmein and 123456 and asdfgh and Admin. Turns out there’s a lot of lazy admins out there.

    Microsoft’s response in February 2009 included a $250,000 bounty for identifying the Conficker authors. It closed the USB Autorun hole in the initial release of Windows 7 but didn’t deliver the equivalent patch as a Critical update for Windows XP and Vista until early 2011.

    Microsoft and a loose amalgamation of security professionals called the Conficker Working Group shut down the Conficker botnet by taking over its command-and-control servers through legal processes. Today, there are still several million Conficker-infected PCs, but their ability to be controlled by evil forces is long gone.
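The AutoRun prompt Conficker abused is governed by the NoDriveTypeAutoRun policy value. The script below is an added example (not from this article) that audits that policy on the machine-wide and per-user paths and, with -Enforce, sets it so AutoRun is disabled for every drive type, including the removable drives Conficker spread on; it assumes it is run from an elevated PowerShell session.

```powershell
# Added example, not from the article: audit the NoDriveTypeAutoRun policy and
# optionally enforce 0xFF (all bits set) so no drive type ever gets AutoRun.
# Bit 0x04 covers removable drives (USB flash), bit 0x20 covers CD/DVD drives;
# 0xFF covers every drive type at once. Supports -WhatIf via ShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enforce   # without this switch the script only reports
)

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',   # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'    # current user
)
$desired = 0xFF

foreach ($path in $policyPaths) {
    $current = $null
    if (Test-Path $path) {
        $current = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    }

    if ($null -eq $current) {
        Write-Output "$path : NoDriveTypeAutoRun not set (Windows default applies)"
    } elseif (($current -band $desired) -eq $desired) {
        Write-Output ("$path : AutoRun disabled for all drive types (0x{0:X2})" -f $current)
        continue   # already hardened, nothing to enforce here
    } else {
        Write-Output ("$path : AutoRun still allowed for some drive types (0x{0:X2})" -f $current)
    }

    if ($Enforce -and $PSCmdlet.ShouldProcess($path, 'Set NoDriveTypeAutoRun=0xFF')) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value $desired -Type DWord
        Write-Output "$path : NoDriveTypeAutoRun set to 0xFF"
    }
}
```

Run it without switches to see the current state, then with `-Enforce -WhatIf` to preview the registry writes before applying them.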


Topics: Windows, Malware, Microsoft, Security

Talkback

20 comments
  • phishing in Mozilla Thunderbird

    I use Mozilla Thunderbird on a Windows 7, 64-bit computer. When I open an e-mail that has a link and run my cursor over that link, Thunderbird no longer presents the livelink encoded beneath what appears in the e-mail. Previously, another respondent stated that his phishing display worked in Mozilla Thunderbird and suggested that I need to tweak a setting. Needless to say, I can't find that setting, and I have looked thoroughly.
    aspergerian
    • Turn on the status bar...

      @binstock: All you have to do is turn on the status bar. If your main menu (File, Edit, View, ...) is not displayed then tap the ALT key to display it, then select "View > Toolbars > Status Bar" to restore it.
      shadowjk
      • success in Mozilla Thunderbird anti-phishing

        shadowjk,

        Thank you! I will feel much safer as I've read life's overabundance of e-mails.
        aspergerian
  • Very interesting

    I found this interesting. Luckily I haven't been a victim of any of these. :)
    DreyerSmit
    • Neither Have I

      So by the logic of some of our Apple trolls, none of these pieces of malware was ever a genuine problem and that they are all exaggeration and FUD.....:-)
      Doctor Demento
  • Remembering Blaster

    I was interning at an aluminium plant when it broke out in summer '03. I remember the MIS Manager rushing out of his office alerting everybody we have a problem. The update of systems seemed primitive back then, since a fellow intern and I had to burn CDs and go out into the plant and update systems in some obscure locations to prevent Blaster. We had a Windows Server 2003 test box set up in the office and it was the first to get hit with the RPC error. Good times, but lots of annoyances as well. The interesting thing is, if your system was up to date, you weren't affected. I believe the weekend before it had been let loose Microsoft had released a patch, because I remember informing a friend from high school about it.
    adacosta38
  • Breakdown of viruses and malware for each Windows version

    I would like to see a breakdown of viruses and malware for each Windows version, not patches, but Windows 95, 98, ME, 2000, XP, XP SP2, Vista, and Win7.

    On other posts I keep hearing how Windows has thousands upon thousands of malware and viruses, but how many for each version? To me a malware/virus for Win95 most likely would not affect Windows 7, and vice versa.
    Broggy69
  • Windows Defender Doesn't Defend

    It is the only product I have ever used in 23+ years in IT that has allowed multiple desktop infections in a three month period. This was on my own Windows 7 machine -- I've been in IT for 23+ years and learned long ago to be very cautious. In one case, it claimed to detect an attempted infection and clean it, while in fact the infection continued in the background and I had to smash it manually in Safe Mode. AVG Free and Malware Bytes (both also free) combined do a better job for routine home use malware protection.

    I'm a big Microsoft fan, but they are still newbies compared to others when it comes to malware protection (although they have become extremely good at patching their code). Like many of their products, Microsoft bought Forefront, they did not create it. I haven't used Forefront, but they still have a ways to go before they are up to par with Windows Defender (which uses the same engine as Forefront).
    moebiusloop
    • Windows Defender? You should've installed Windows Security Essentials

      As far as I know Microsoft Forefront is a full Microsoft product. If you're so sure that they bought it, please tell me which company they bought it from and what was the previous name of the product? Thanks. I would really like to know. I did a simple Bing/Google search and found nothing of the sort. So I think a little help would be fine. Thanks.
      blazing_smiley_face
      • Defender info

        @blazing_smiley_face,

        No, incorrect, I should not have installed Windows Security Essentials, mainly because it was not available to the public at the time, lol. I was referring to the standalone Windows Defender product prior to Security Essentials that was supposed to protect against spyware. In my case, it failed.

        On a related note, I also use Security Essentials on Win7 Pro, and it has also allowed multiple infections (this calendar year) that I had to clean manually.

        As for Forefront, you are incorrect again. It used to be called Antigen, from a company called Sybari that Microsoft bought in June, 2005.

        A little more effort on your part would also be fine. :-) Thanks.
        moebiusloop
  • The big change in WinXP sp2 was that there were breaking changes

    Windows XP sp2 was the first time that MSFT released a service pack that included multiple, major breaking changes. Software that had worked on previous versions of Windows could break once XPsp2 was installed. Before the Trustworthy Computing Initiative, the idea of breaking compatibility like that in a release (let alone a service pack) was anathema in Redmond.
    Flydog57
    • NX memory pages

      The first real game changer in Windows security architecture.
      Lester Young
  • You forgot something - the Sony `rootkit` fiasco

    For those not [u]lucky enough[/u] to have been afflicted with it, all you had to do was to play an audio CD from one of Sony's labels on your PC. (For your reading pleasure: http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal )

    Now you know why I scraped Windows off my system, and now use Linux!
    fatman65536
    • Oh, come on, that's not Windows' fault

      It wasn't your fault either. You loaded a CD from a trusted source (Sony). Windows installed the driver from the CD (I think it was signed by Sony), and the $%&@#s installed a root-kit on your box. My guess is that if a trusted source (like say, Sony (before this fiasco)) put driver code up in Linux repositories, it would be trusted and installed on Linux boxes.

      That Sony is still a "trusted" name in consumer electronics is a bit of a surprise. Then again, the Wall Street bond rating agencies are still around too.
      Flydog57
      • RE: that's not Windows fault

        Some comments:

        First, in a way, it was, no thanks to [i]Autoplay[/i]. An audio CD [b]should NOT[/b] have been allowed to install software!!!! How long did it take Microsoft to disable this?

        Second, the complicity by AV companies, and to an extent, Microsoft, in dealing with it.

        Third: [i]That Sony is still a "trusted" name in consumer electronics[/i]; which is why, I have no sympathy for them WRT being hacked. [b]That[/b] (hacking) does not extend to distribution of potentially identifiable information. Teaching Sony, and its brazen executives a lesson, is one thing; passing out credit card numbers, etc, is another.

        Fourth: [i]Wall Street bond rating agencies are still around too[/i], simple, just remember the `golden rule`: [b]He who has the GOLD, rules[/b] (aka `Money Talks, Bulls--- Walks`)

        Fifth: [i]...a trusted source (like say, Sony (before this fiasco)) put driver code up in Linux repositories, it would be trusted and installed on Linux boxes.[/i] You are probably right, however, once the s--- hit the fan, the bad code would have been pulled, and workarounds would have appeared. FOSS supporters have always had a good reason [b]NOT[/b] to trust any DRM scheme.
        fatman65536
  • He mentioned TDL4!

    He mentioned TDL4! Now what is that anti-Microsoft person going to do?

    Forget his name, but he accuses ZDNet of never mentioning that one [i]all of the time.[/i] To the point where it's rather annoying.

    I'm gonna link to this article now whenever he shows up and accuses ZDNet of a coverup . . .
    CobraA1
    • Glad you noticed

      I'm sure he'll have some other bugaboo that will be up next that I have ignored. ;)
      Ed Bott
  • Windows Security

    I have to commend Microsoft for stepping up and admitting they had a problem and fixing it. I think their software is very secure and I will continue using it.
    Rdewey
  • Windows XP Firewalls

    The initial release of Windows XP included a horribly ineffective firewall which was not enabled by default.

    Windows XP Service Pack 2 included a totally different and effective firewall which, however, also was not enabled by default.
    Ocie3
    • WinXP firewall

      At the time Microsoft basically were just coming off the hot presses of being accused and branded a monopoly; it was in their best interest to not enable said firewall by default, plus they had to make it less effective than those on the market. The regulations placed on them burnt many consumers.
      blazing_smiley_face