The History and the Evolution of Computer Viruses: 2001-2004

What were the main cyber challenges in 2001-2004? These and some other issues are thoroughly addressed in part 4 of Mikko Hypponen’s Defcon 19 speech called “The History and the Evolution of Computer Viruses”.

2001 – 2004

Worldwide replication of 'Code Red' worm

Worldwide replication of 'Code Red' worm - the first 24 hours after launch

…But then things started changing. We entered the years of Internet worms, or web worms, like ‘Code Red’. ‘Code Red’ did not infect Windows workstations. ‘Code Red’ infected Windows servers. It specifically infected Windows web servers, running IIS1. Using a remote exploit, it would infect those servers and immediately continue replicating from that infected server. It would just scan IP ranges trying to find more servers and then, using the remote exploit, infect them. On this image, you can actually see the replication patterns and scope of ‘Code Red’ within the first 24 hours of its existence.

And it started getting copycats of various kinds including: ‘Slapper’, ‘Slammer’, ‘Blaster’ and ‘Sasser’, most of these targeting Windows workstations using remote exploits in LSASS2 or in RPC3 or some other network visible resources of Windows.

2002 – Slapper

2003 – Slammer

2003 – Blaster

2004 – Sasser

And we have to remember 2004, most Windows users were not running a firewall, I mean, if they were online, even if they were inside a company, most likely they had open ports all the way to the Internet, which now feels pretty weird, but that’s the situation at that time. So you had TCP port 139 or port 445 opened, and anybody could connect to it from anywhere in the world. And if there were remote exploits, they could exploit them. And they did. And that’s how for example ‘Sasser’ spread.

So, if you think about that, you got one infected PC, and it starts scanning either random IP addresses or just one by one, like try to go through all IPv4 addresses. We have 4.3 billion IP addresses, which are perfectly scannable, you can scan them all. Most of these worms scanned every single IP address in the world. And of course they’ll find empty addresses, addresses which route nowhere, so there is nothing to infect. Or they find an address which has a computer but it’s a wrong kind of computer, like it’s a Mac, and Windows worm wouldn’t be able to infect it. Or it finds a right kind of computer, like, you know, a Windows computer but it’s blocked, I mean it’s behind a firewall or some sort of routing protection, so you can’t connect, or it’s already patched, so the vulnerability has already been closed by the user.

Principle of IP scanning implemented by worms

Principle of IP scanning implemented by worms

But as you can guess, if it just keeps on scanning and keeps on scanning, eventually, it will find a computer which is the right kind of a computer, which is not behind a firewall, which has not yet been patched, and in that case of course, it will infect that computer and it will immediately start replicating further from that computer. In fact, they are now both scanning the whole public IP ranges, and it gets faster and faster. And this explains why we got these massive spreading speeds, including ‘Slammer’ – it was later proven that it scanned the whole IPv4 address range in less than 20 minutes from the moment when it was started.

And that’s pretty remarkable: in 20 minutes, all of us who were online in 2003 – it scanned our computers, it scanned our mobile phones if we had mobile phones with the Internet connectivity at that time.

System shutdown alert caused by worms

System shutdown alert caused by worms

And as the end user, you would typically know that something like this was happening, because you got some sort of a crash on your system. ‘Slammer’, ‘Blaster’ and ’Sasser’ for example would cause a system shutdown because they would remotely crash RPC or LSASS in Windows at that time (see error message screenshot). So, the end user would see that there’s a problem. His PC would shut down. He would have 60 seconds of time to save his data and then it would shut down. He would reboot and he would most likely see it again, in a minute or two, or maybe ten minutes, maybe half an hour, depends on when the next time someone else is scanning his IP address.

So, let’s think about this. You are an end user, you start seeing this regularly on your PC, you can’t work because you PC keeps rebooting. What are you gonna do? Well, you ask around, like – what should I do, my PC reboots? Somebody will know, that, yeah, it’s a virus, all right, what should I do? Well, you should patch the hole, patch the RPC vulnerability or the LSASS vulnerability. Alright, how do I patch it? Well, you go to www.microsoft.com and you find the patch, you download and run it. Okay, let’s do it then. You visit Microsoft download pages and find the actual patch for the RPC vulnerability MS03-039, click ‘Download’ – excellent, you get an executable file. Here we go, and now you are downloading it. And of course this takes a while, which means it’s more than likely that while you are downloading it you actually get the same error message. And now you have two counters on your screen at the same time: you have to count down from 60 seconds to 0 of reboot, and you have the download counter, like how many percentages of the actual patch you’ve downloaded.

So you’re basically running a game or race, like who’s gonna be first. And this game was being run on thousands and thousands of computers around the world. And of course most of the users lost the game, they didn’t get the patch before it rebooted again. Very, very frustrating.

Most of the worms at that time scanned every single IP address in the world.

And these are the kinds of problems that led Microsoft to change the way they are looking to security. In 2003, they did the big overhaul code review of Windows base code and started taking security seriously. This resulted first in Service Pack 2 for Windows XP; later into what we have today, in for example 64-bit Windows 7 which actually has a decent security model. So, this was the basic reason why security in Windows world, regarding troubles like these, was finally taken serious.

'Packet Loss' chart during the first hours of 'Slammer' propagationAnd the problems we saw at the time were serious. The image shows the ‘Packet Loss’ chart of the whole Internet during the hours when the ‘Slammer’ worm started spreading: typical packet loss globally 1% to 2%. Then suddenly jumps to 20%, 30% – massive problem. So, we started getting denial-of-service problems on systems which weren’t infected themselves, but they were in the same networks with infected systems, and the packet generation that they saw was so massive that we started seeing problems with critical infrastructure.

So, in 2003 I wrote down some of the things we saw, ‘thanks’ to ‘Slammer’, and ‘Blaster’, and ‘Sasser’. We had air traffic control problems, we had ATM networks down, we had 911 services down, we had infected nuclear plants in USA in 2003 because of ‘Sasser’ (see particular instances below). We had flight problems, government systems infected, ‘Heathrow’ airport check-in systems infected. ‘Air Canada’ couldn’t operate because they were infected by ‘Sasser’, I believe, and there were Windows blue screens at their check-ins.

Instances of critical infrastructure problems caused by 'Slammer', 'Blaster' and 'Sasser'

And it wasn’t just computers, I mean normal computers at that time. For example the automation gear started getting affected. In August 2003, ‘CSX’ – those of you who don’t know, ‘CSX’ is one of the largest railroad operators here in USA – announced on their website that they had an in-house infection, which resulted in a slowdown of major applications, including dispatching and signal systems. As a result, passenger and freight train traffic was halted immediately, including the morning commuter train service in the metropolitan Washington D.C. area.

In August 2003, trains around Washington D.C. stopped because of a computer virus.

So, trains around the capital of the United States of America stopped in the middle of the day, in the middle of their tracks, because of a computer virus. This actually happened in 2003. And things like these were the wakeup call.

And then of course, we had infections even in things like forest tractors – there was a large case of infected forest tractors, because they run Windows and they got infected because they had GPRS connections. They couldn’t operate these ones as they got infected. And they were, like, typically far away in forests and you had to somehow rescue them from there.

Newspaper report about an in-house infection at a Swedish hospital And then we had cases like these: this is a screenshot from a Swedish ‘Aftonbladet’ magazine explaining that the hospital in Vastra Gotaland had in-house infection, with 5000 computers infected, which is bad. But what’s even worse is that also their X-Ray systems which were running Windows were infected. And they actually had patients put into ambulance cars and driven to other hospitals to be taken care of, because they had infections in their hospital systems at that time.

Read previous: The History and the Evolution of Computer Viruses: 1996-2001
Read next: The History and the Evolution of Computer Viruses: 2003-2008


1IIS (Internet Information Services) is a web server application and a set of feature extension modules created by Microsoft for use with Microsoft Windows.

2LSASS (Local Security Authority Subsystem Service) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.

3RPC (remote procedure call) is an inter-process communication that allows a computer program to cause a subroutine or procedure to execute in another address space (commonly on another computer on a shared network) without the programmer explicitly coding the details for this remote interaction.

Like This Article? Let Others Know!
Related Articles:

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: