On 18 January, an email worm called Bagle was first detected. It gave rise to a whole new family of computer worms explicitly created for nefarious purposes. Bagle was designed to install Trojan proxy servers onto the machines of its victims, which were then used to mass-mail spam.

On the night of 26-27 January [CET], a malware epidemic broke out. It was caused by the first version of the email worm Mydoom. The epidemic instantly peaked, suggesting that its propagation was effected by the mass-mailing of infected messages via zombie networks. The number of automatically generated emails was so vast that many corporate mail servers failed, or dramatically reduced their throughput, unable to handle the overwhelming traffic flow. Mydoom was also of a clearly criminal nature. It installed Trojan proxy servers onto the machines of victims in order to mass-mail spam, just like Bagle. At the same time, a backdoor Trojan was installed, giving the malicious user(s) full remote-access over the victim computers. The epidemic came to its climax on 01 February, when the worm started a DDoS attack on the website of SCO (www.sco.com), a manufacturer of UNIX systems. As a consequence, the site was ‘taken down’, and the company had to use an alternative site (www.thescogroup.com) for some time.

On 9 February, an epidemic of Doomjuice, a network worm, broke out. This worm propagated to the computers infected with Mydoom, penetrating via a network port opened by its predecessor that allowed the sending of remote commands to the victim machines. If an infected computer responded to the worms’ request, Doomjuice established a connection to it and copied itself to the responding PC. The Trojan previously installed by Mydoom received this file and launched it for execution. Thus, Doomjuice preyed on any computers previously infected by Mydoom.

15 February 2003 saw the start of the first epidemic caused by the NetSky-class worm. This worm deleted known versions of Mydoom from the victims’ computers. NetSky then went on to acquire the functionality of deleting Bagle from infected machines. In March 2003 an all-out war started between the two groups of malware writers, with NetSky supporters on the one side and Mydoom and Bagle supporters on the other. On 03 March 2004, five new variants of these worms appeared within the space of 3 hours. During March and April 2004, the most prolific versions of these worms generated 80-90% of the entire malicious web-traffic. The later versions of the worms saw the rival groups targeting and destroying each others malicious codes, whilst including derogatory messages for their opponents:

NetSky.c:

we are the skynet – you can’t hide yourself! – we kill malware writers (they have no chance!) – [LaMeRz->]MyDoom.F is a thief of our idea! – -< SkyNet AV vs. Malware >- ->->

NetSky.f:

Skynet AntiVirus – Bagle – you are a looser!!!!

Both sides were as vociferous as each other…

Mydoom.f:

to netsky’s creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your shi**y app.

Bagle.i:

Hey, NetSky, f**k off you b**ch, don’t ruine our bussiness, wanna start a war ?

On 30 April 2004, a major epidemic of the Sasser a network worm occurred. The worm penetrated computers through a loophole in the LSASS service in Microsoft Windows, occasionally causing the infected computers to reboot. Sasser spread rapidly, bringing millions of computers all across the globe to a standstill. Thousands of businesses, universities and government agencies had their operations paralyzed. Some air companies (British Airways, Delta Airlines) had to postpone or cancel their flights, several banks (Goldman Sachs & Westpac Bank) closed, and Samp, a bank in Finland, shut down all of their 130 local offices as a preventative measure. In Taiwan, the epidemic disrupted the Computex technical exhibition and stopped one third of all mail offices from operating. In Hong Kong, the worm left state hospitals without computer support and in Australia it brought Austrailian Railways to an untimely halt.

The Microsoft Corporation announced a $250,000 reward for any information that would lead to the arrest of the malware writers behind Mydoom and Sasser. Eventually, in May 2004, Sven Jaschan, an 18-year-old student from Germany was arrested and charged with creating and propagating Netsky and Sasser. It remains unknown who masterminded Mydoom.

Additionally, during 2004, several concept viruses emerged one after the other. Concept viruses do not carry a malicious payload or generate profit for their creators. They are designed purely to demonstrate new malware propagation techniques. Virtually all of these concept viruses were written by members of 29A, a malware writing group, and sent directly to several antivirus companies.

On 27 May, Rugrat appeared. This was the first virus to infect 64-bit Windows executable files.

14 June saw the emergence of Cabir, the first worm for smartphones running under Symbian. Cabir propagated using Bluetooth: it scanned for smartphones with open Bluetooth connections and sent code to them. After some time, infection reports started arriving from different countries around the world. It’s by means such as this that viruses disseminate so widely and so quickly.

On 17 July, Duts, the first virus for Windows Mobile, appeared. Windows Mobile is one of the most popular platforms for mobile devices, such as PDAs and smartphones.

Then on 05 August Brador surfaced. This was the first Trojan backdoor for pocket PCs running under Windows CE or newer versions of Windows Mobile. Brador was also the first malicious program for mobile devices purpose-designed to generate illegal profit.

In late 2004, a version of Gpcode emerged. That particular Trojan encrypted a user’s data and subsequently tried to extort money from the unfortunate user for its decryption.

From 2004 onwards the bulk of worms and Trojans were created with illicit profits in mind. The amount of ‘nuisance’ malware paled into insignificance when compared to the amount of crimeware designed to steal digital identities and confidential data, carry out DDoS attacks and send spam. So-called banking attacks have proliferated, caused by Trojans stealing access codes to bank accounts. The number of phishing attacks has also risen rapidly, carried out with the same aim of gaining access to personal bank accounts.

2004 also saw an increase in the number of police investigations, often leading to arrests. All in all, about a hundred people were arrested in different countries for various types of e-crime, as reported in open information sources.

Looking at the malware epidemic situation in 2004, it can be broken into two distinct periods. During the first half of the year there were numerous epidemics of email worms. The turning point occurred in the summer, bringing a dramatic reduction in their number and range. The reasons behind such a dramatic downturn can only be guessed at. We would suggest that several factors were involved:

  • Antivirus vendors learned to respond promptly to malware outbreaks and release security updates, whereas Internet providers learned to ensure that security software was installed at all times, and that antivirus programs needed supplementing with dedicated filters. These efforts contained the development of email worm epidemics and considerably reduced their scope;
  • News of the arrest of several malware writers received widespread coverage in the mass media and substantial rewards were offered for information leading to the conviction of the most high-profile cybercriminals. All of this actively discouraged underground programmers from creating highly contagious malware;
  • In terms of serving the interests of the cybercriminals, major epidemics involving millions of infected computers are far less efficient than slowly-disseminating, controllable, smaller-scale infections involving up to tens of thousands of computers, but with a large number of different Trojans.