Ten years of Windows malware and Microsoft's security response

They don't make malware like they used to. Literally.Back in 2002, Microsoft and its customers were forced to deal with an unprecedented outbreak of attacks on Windows that threatened the company's survival. In this gallery, I show how malware authors and Microsoft's security response have evolved over the past decade.
1 of 17 Ed Bott/ZDNet

Malware is short for malicious software, and it’s been a nagging problem on Windows since at least the mid-1990s.

In January 2002, after a series of high-profile and highly embarrassing attacks that affected Windows customers and Microsoft itself, Bill Gates wrote his now famous “Trustworthy Computing” memo. Although it was viewed with some skepticism at the time, it really did represent a turning point for Microsoft.

Until that point, security was literally an afterthought. As a result of the Trustworthy Computing initiative, Microsoft introduced a massive change in the way it develops software. The Security Development Lifecycle has paid off hugely over the last 10 years and has been widely praised and copied.

Today, as this chart shows, most malware is installed via social engineering or by using exploits that target vulnerabilities that have already been patched.

2 of 17 Ed Bott/ZDNet

In summer 2003, if you were a PC support specialist, the dialog box above meant that your life was hell. The malicious software attack called MSBlast/32 (aka Blaster) spread over networks using the RPC protocol and caused affected computers to go into a spontaneous reboot loop. This contemporaneous SANS writeup notes that this worm had the potential to be more than annoying: It could have allowed an attacker to run code with Local System privileges on the compromised system. Fortunately, whoever wrote Blaster was apparently more interested in creating havoc.

Blaster’s incredible effectiveness was directly attributable to a terrible decision Microsoft made with Windows XP, which included an effective firewall that was turned off by default.

3 of 17 Ed Bott/ZDNet

Windows has included an update utility since Windows 95, and Automatic Updates were introduced with Windows Me in 2000.

It wasn’t until 2003, however, that Microsoft systematized its process for issuing security updates. Security updates are provided on the second Tuesday of each month—Patch Tuesday. Non-security updates are provided on the fourth Tuesday of each month. Microsoft began this program so that corporate customers could plan for testing and installation of security updates. Although it was a controversial decision, today it’s generally regarded as effective.

On rare occasions—once a year or so—Microsoft releases an “out of band” update to address an issue that can’t wait till the next month’s Patch Tuesday.

4 of 17 Ed Bott/ZDNet

This was one of the first truly creative mass-mailing worms, using an extensive menu of options to fool recipients into clicking the malicious payload. It mixed and matched subjects, message bodies, attachment names, and fake assurances that the file had been scanned by a reputable antivirus program and declared clean. The author was an 18-year-old German, who had also written the infamous Sasser worm.

Netsky was annoying (one variant caused infected PCs to beep in the wee hours of the night) but not destructive. (This CA writeup has more details.)

The source code contained numerous insults aimed at other virus writers.

5 of 17 Ed Bott/ZDNet

Up until this worm appeared, most malware was the work of vandals. Mydoom was, according to Microsoft’s security analysts, “one of the earliest examples of a botnet and for-profit malware.” You can read technical details in these writeups from Avira and SecureList.

Upon execution, the malware opened a message window in Notepad, displaying nonsense text. In the background, it installed its payload, which then proceeded to send out email messages using its own SMTP engine and the victim’s address book. If the recipient clicked the attachment, they became part of the botnet and began spreading it to their friends as well.

The worm also used file-sharing programs like Kazaa to spread its payload.

The authors of Mydoom included several taunting references to Netsky in their code.

6 of 17 Ed Bott/ZDNet

The work that eventually became XP SP2 was originally supposed to be a new version of Windows. But the multiple security threats that had hammered Microsoft over the previous several years caused Microsoft to concentrate all work on security and de-emphasize changes in the user interface.

As Windows boss Jim Allchin later told Mary Jo Foley, the decision to make this a free service pack and not a paid upgrade was a deliberate attempt to maximize its adoption. Microsoft had seriously underestimated the security challenges that it would confront with Windows XP, and the improvements in SP2 really did make a difference.

For businesses, it offered much better administrative tools and deployment options than Windows 2000. For consumers, it included the Security Center shown here, which has continued to evolve to this day.

And it turned on the Windows Firewall by default, fixing the mistake that had been so helpful to earlier network-based worms.

7 of 17 Ed Bott/ZDNet

In January 2005, Microsoft released the first version of the Malicious Software Removal Tool. It has updated this tool and delivered it as part of the Patch Tuesday update delivery every month since then. The goal of the MSRT is to remove “specific, prevalent malicious software families” from supported Windows versions.

It’s been extremely effective at its primary job, cleaning up millions of PCs in the past seven years. An unanticipated benefit of releasing the monthly tool is that it provides Microsoft with copious amounts of data about the prevalence of malware “in the wild.”

Full details about the MSRT, including a list of which families of malware were included in each monthly update, is available in a lengthy and well-maintained Knowledge Base article.

8 of 17 Ed Bott/ZDNet

The Win32/Zlob family launched in 2005, and three years later it was the undisputed king of malware. Among infected computers that Microsoft counted in 2008, there was a one-in-four chance that Zlob was to blame.

What made Zlob so effective was was this crude but effective social engineering. The intended victim clicked a link to play a media file, and a dialog box like the one shown here popped up. Users who had been conditioned to install media codecs for various sites found this a perfectly reasonable request.

The primary purpose of Zlob initially was to frighten the victim by displaying persistent pop-up ads for rogue security software. By 2008, it had become a vehicle for delivering DNS changers and early versions of rootkits, as this Trend Micro analysis makes clear. It was also one of the first attempts at cross-platform malware, with a Mac version discovered in 2007.

Today, Zlob is mostly a bad memory and is no longer widely found in the wild. But its descendants are still going strong.

9 of 17 Ed Bott/ZDNet

No one has ever identified the first person to think of distributing malware that disguised itself as legitimate security software. It was a stroke of evil genius, and it spawned an underground industry that is still going strong today.

This is an early example of fake antivirus software. Other products that appeared in the wake of XP Service Pack 2 mimicked the look and feel of the new Security Center.

In recent years, rogue security software has targeted the Chrome browser, Mac OS X, and legitimate security products using similar names. Despite occasional well-publicized prosecutions, there’s no sign that this category will die any time soon.

10 of 17 Ed Bott/ZDNet

For a security researcher, the mere mention of the word rootkit can create a sickening feeling in the pit of the stomach. Bagle was one of the first examples to spread widely. It was also surprisingly sophisticated, as the above graphic (included with a contemporaneous F-Secure writeup) makes clear.

As the authors of the report note, the financial success of botnets had inspired malware authors to step up their game: “Two years ago Bagle was a simple virus. One EXE file, emailing itself around. It's not like that anymore. The malware suite has been built over time. Now the latest development is that one of the new Bagle variants integrates rootkit functionality.”

As trends go, it was anything but welcome.

11 of 17 Ed Bott/ZDNet

In January 2007, a deadly storm hit Europe. Malware authors used the news as an opportunity to practice social engineering. The malicious payload was delivered with subject lines such as "230 dead as storm batters Europe." A thorough writeup by Trend Micro suggests just how effective it was:

The spam attack started just as the storm in Europe was at its strongest on January 18. Over the next few hours and into the next day, as hundreds of thousands of recipients, interested in information about the storm, opened their inboxes, the global computing community found itself in the face of a huge threat attack.

Writeups from Wikipedia, IBM, McAfee, Microsoft, and F-Secure contain additional details and also suggest how different naming conventions can frustrate security researchers.

Besides effective social engineering, the Storm worm was among the first widely successful malware examples to use polymorphic techniques, capable of changing its packing code every 10 minutes to frustrate antivirus signatures. It also employed a peer-to-peer network that could rapidly change the IP addresses of its command-and-control servers.

Various members of the Nuwar family continued to deliver malicious payloads throughout 2007. Microsoft added it to the Malicious Software Removal tool in September 2007, and it immediately saw a precipitous decline. It was still active, but at a greatly reduced level, in mid-2008 and had begun using RSA encryption to hide its workings from security researchers.

12 of 17 Ed Bott/ZDNet

A decade ago, social media didn’t exist. By 2008, Facebook had become popular enough to attract the attention of malware authors. One of them created an annoying cross-platform worm that targets Windows, Mac OS X, and even Linux. The worm gathered login details, built a botnet, and made money by installing additional malware. It also used a common social engineering trick, trying to convince potential victims that they needed to install a Flash Player update that was actually the malicious payload.

Facebook took down the network by decapitating its control servers in early 2011.

All pretty routine stuff, by modern standards, but the twist is that this gang was unmasked after several years of making Facebook users’ lives miserable. ZDNet blogger Dancho Danchev published his own takedown of the botnet master on January 9, 2012, complete with embarrassing personal photos. Facebook publicly revealed the identities of the entire gang the following week.

(The image above was captured by an amateur researcher.)

13 of 17 Ed Bott/ZDNet

Conficker is the poster child for modern malware.

Its original incarnation in late 2008 exploited a vulnerability that had been patched a month earlier, but because many Windows users are slow to apply patches, it was extremely effective.

But its particular genius was the way it used a Windows feature called AutoRun, along with social engineering, to spread like wildfire. As the dialog box above shows, Conficker spread by infecting ubiquitous USB flash drives (another technology that didn’t exist at the beginning of the decade). It convinced unwary users to click an innocent-looking option in the AutoRun dialog box that appeared when a USB drive was inserted into a PC.

To add insult to injury, it then used a simple dictionary attack to find administrator accounts on the network that used pathetically weak passwords like letmein and 123456 and asdfgh and Admin. Turns out there’s a lot of lazy admins out there.

Microsoft’s response in February 2009 included a $250,000 bounty for identifying the Conficker authors. It closed the USB Autorun hole in the initial release of Windows 7 but didn’t deliver the equivalent patch as a Critical update for Windows XP and Vista until early 2011.

Microsoft and a loose amalgamation of security professionals called the Conficker Working Group shut down the Conficker botnet by taking over its command-and-control servers through legal processes. Today, there are still several million Conficker-infected PCs, but their ability to be controlled by evil forces is long gone.

14 of 17 Ed Bott/ZDNet

Why did it take so long for Microsoft to include effective, free antivirus software as part of Windows? Blame the 2001 United States versus Microsoft antitrust settlement, which severely restricted the company's ability to bundle software with Windows if that software would compete with third-party products.

Through the decade, Microsoft slowly introduced various antimalware solutions. Windows Live OneCare was a paid product, and Windows Defender (included free with Windows Vista) blocked only adware and spyware.

Microsoft Security Essentials was the first free full-strength security product from Microsoft, based on the same engine as the enterprise-grade Forefront product. Its successor will be included by default in all editions of Windows 8, using the well-established Windows Defender brand name.

15 of 17 Ed Bott/ZDNet

These closely related malware families represent a disturbing trend. Yes, there are competent programmers behind these Trojans, which specialize in stealing information about online banking accounts. (Brian Krebs has done an exceptional job of documenting the workings of these bad actors.)

But what’s new and different is that the malware authors have essentially franchised their work, selling the results as crimeware kits that even a non-programmer can use. Some experts estimate that the Zeus/SpyEye botnets have lifted more than $100 million from innocent victims.

Fortunately, a very aggressive worldwide legal effort led by Microsoft has taken out the most aggressive of these botnets, and the survivors have to be feeling a little nervous. Legal proceedings have become an increasingly effective part of Microsoft’s response to malware, especially in persistent cases like this.

16 of 17 Ed Bott/ZDNet

Malware authors relentlessly attacked Internet Explorer in the early 2000s, and they had no trouble finding holes to exploit. As a consequence, cautious web surfers switched to other browsers that promised to be safer. First it was Firefox, then it was Google Chrome.

But malware authors are like cockroaches. They adapt to changing conditions. As a result, one group (possibly the same one that targeted Mac users with Mac Defender) took dead aim at Chrome users with a targeted attack like the one shown here.

17 of 17 Ed Bott/ZDNet

At the beginning of the 21st Century, malware authors were mostly in it for the attention, and their wares tended to produce occasionally spectacular, widespread outbreaks.

Today, malware authors are motivated mostly by money, and their primary goal is to remain undetected for as long as possible.

That motivation results in sophisticated infections like the ever-evolving Alureon rootkit, also known as TDL4 or TDSS. Early versions of this particular bit of nastiness infected the Master Boot Record, making them hard to detect. Newer versions are actually capable of creating their own infected hard disk partitions. That leads to situations like the one described in this support post at the Windows 7 IT Pro forums.

And that’s the face of the next generation of online threats—determined, adaptable, and highly motivated.

Related Galleries

Hyundai Ioniq 5 and Kia EV6: Electric vehicle extravaganza

Related Galleries

Hyundai Ioniq 5 and Kia EV6: Electric vehicle extravaganza

26 Photos
A weekend with Google's Chrome OS Flex

Related Galleries

A weekend with Google's Chrome OS Flex

22 Photos
Cybersecurity flaws, customer experiences, smartphone losses, and more: ZDNet's research roundup

Related Galleries

Cybersecurity flaws, customer experiences, smartphone losses, and more: ZDNet's research roundup

8 Photos
Inside a fake $20 '16TB external M.2 SSD'
Full of promises!

Related Galleries

Inside a fake $20 '16TB external M.2 SSD'

8 Photos
Hybrid working, touchscreen MacBook hopes, cybersecurity concerns, and more: ZDNet's tech research roundup
Asian woman working at a desk in front of a computer and calculator

Related Galleries

Hybrid working, touchscreen MacBook hopes, cybersecurity concerns, and more: ZDNet's tech research roundup

8 Photos
Developer trends, zero-day risks, 5G speeds, and more: Tech research roundup
Person seated at a booth in a cafe looks at their phone and laptop.

Related Galleries

Developer trends, zero-day risks, 5G speeds, and more: Tech research roundup

10 Photos
Drive Electric Day: A dizzying array of EVs in sunny Florida

Related Galleries

Drive Electric Day: A dizzying array of EVs in sunny Florida

16 Photos