
2000 and on - A Security Odyssey

Created: 17 Aug 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:47:00 GMT
By Peter Ferrie

After the success of the W97.Melissa virus in 1999, mass-mailing became the next big thing in viruses. This trend continues even today. Different methods have been tried over the time, but they fall mainly into two categories: exploits and social engineering.

Perhaps the most successful example of social engineering came on May 4, 2000, when VBS.LoveLetter called inboxes everywhere just to say "ILOVEYOU". At that time, curiosity easily outweighed security, especially with such a provocative subject line. Many people opened the email and then clicked on the attachment named "LOVE-LETTER-FOR-YOU.TXT[.vbs]" (the .vbs part being hidden by default on many systems). The resulting mess spread across the world during that same day, and new variants started appearing day after day.

The next remarkable instance was on July 13, 2001, the day that CodeRed made its appearance, thanks to eEye's full and very detailed disclosure of the bug. CodeRed was the first memory-only attack that the AV industry had seen, and the scramble to respond to it was uncomfortable. Was it something for IDS alone? Desktop AV? There is no file, what will we scan? How do we detect it? How do we remove it? Memory scanning was still on the wish list for most companies.

The next date worth noting is October 21, 2002, which turned out to be a slow day at work for many people. It was slow because the stability of the Internet was being unexpectedly tested. A denial of service attack, lasting for over an hour, hit all thirteen of the DNS root name servers simultaneously. According to reports, nine of the thirteen servers were unresponsive as a result of the traffic, but the remaining four were continuously reachable for the entire duration of the attack. Fortunately, the world didn't end.

Next was January 25, 2003, a day that will be remembered for a long time as a sampling of what a flash worm looked like. In the space of something less than an hour (more precise measurements vary markedly), the Slammer worm reached out and hit nearly everyone that it could. For about three hours, the Internet slowed once again, due to the immense amount of traffic that the worm generated while searching for vulnerable machines.

On March 18, 2004, eEye once again posted full details of a vulnerability in a third-party application. However, this was no ordinary application - it was a firewall, the last kind of application (right after anti-virus software) in which you'd want to see a how-to-exploit post. One day later, the Witty worm hit the streets at full speed. Not only that, but it was destructive, too, overwriting portions of the hard drives on the systems it compromised.

Along with Witty, there were the worm wars between Beagle and Netsky. Then we had Welchia removing Blaster, while attempting to patch the hole that allowed them both to compromise the machine in the first place.

Then on February 6, 2007 came the second most significant denial of service attack against the Internet DNS root servers, although within five hours the attack had been largely contained. This second attack itself was on a very small scale compared to October 2002, and ultimately only two servers "suffered" particularly. It is also an indication of the improvements made to the infrastructure in the intervening years.

In between, we've had attacks on the browser, attacks on Microsoft Office, and a myriad other malicious attempts besides. And, while techniques such as "fuzzing" are now a well-understood method for finding potential attack vectors, attackers are still out there and, despite it all, there remain people who just don't know to patch their machines.

At the end of the day, so many things are different but not much has changed.