20 Years of Innovative Windows Malware
snydeq writes "InfoWorld's Woody Leonhard takes a look at the past 20 years of innovative Windows malware — an evolution that provides insights into the kinds of attacks to come. From macro viruses, to interstitial infections, to spray attacks, to industrial espionage, 'there's been a clear succession, with the means, methods, and goals changing definitively over time,' Leonhard writes, outlining the rise of Windows malware as a succession of ingenious breakthroughs to nefarious ends."
Good ole' days... (Score:2)
Re: (Score:1)
I remember the good old days when viruses spread by hand.
Re: (Score:2)
That's "cooties", not "viruses".
On the other hand, Windows users always have cooties.
Re: (Score:2)
I remember getting by Stealth virus in college. We had to use McAfee VirusScan to clean up our 3.5" floppy disks. Ugh.
Re: (Score:2)
Back in the Win 3.x days my boss brought 99% of infections to the company because he had to stick his floppy into every slot he could find...
Re: (Score:1, Insightful)
You know what else are huge targets, and far more valuable than windoze boxes? LAMP servers.
You're a moron.
Re: (Score:1)
What is really telling is that there are now social engineering attacks to get access to people's Windows machines. People actually cold call saying how they are from "Microsoft Tech Support" and try to get you to (a) pay for 'warranty' and (b) give them access to your machine using logmein123.com. I've actually had to fix a system because the person just did what he was told to do. Unbelievable. You can't secure a system from its own administrator, so if the administrator is an idiot, his box is as good a
Re:Let the windows hate begin (Score:4, Insightful)
Re: (Score:1)
And maybe even a few arguing an overall moribund history of patching known holes.
Re: (Score:1)
Why not blame the OS and the CPU architecture underneath?
System security shouldn't be something users should ever have to worry about. While it's true making a perfect lock is impossible, Windows security until 7 has basically been a giant sign that says, "Please don't own this box."
x86 CPUs kind of suck for security. Windows as an OS really sucks for security.
Re: (Score:3)
What ? That's like saying steering isn't something car drivers should ever have to worry about.
The end user is the single biggest security risk in any remotely modern system.
What security features were missing until Windows 7 ?
Re: (Score:1)
>What ? That's like saying steering isn't something car drivers should ever have to worry about.
>The end user is the single biggest security risk in any remotely modern system.
70% of malware results of drive-by infection. [cyveillanceblog.com]
This is more akin to the idea that I shouldn't worry about hitting the gas or brake pedal in fear of blowing the engine.
>What security features were missing until Windows 7 ?
A real UAE implementation, NX, ASLR, etc? Windows Vista had some of these features but they sucked, and Windows 7 still sucks by a large margin, Windows 7 just sucks a whole lot less.
Re: (Score:3)
So, an application problem, then ?
I assume you mean UAC. Windows NT has had this since day one, Vista and 7 just made it more automatic.
So did other OSes until about the same time. Are you asserting their security, also, was "a giant sign that says, "Please don't own this box."" ?
Comment removed (Score:5, Insightful)
Re: (Score:2)
Please elaborate on how Outlook and IE "hook deeply into the core system".
Re: (Score:2)
How did you come to "understand" this patently false proposition ?
Re: (Score:2)
Look, it's a pretty simple question. You are asserting that certain Windows applications have "deep hooks" into the OS. WHY do you believe this to be true ? What evidence is there that it is true ?
I can tell you right now that your belief is false. I am curious as to how you reached it, however.
Re: (Score:2)
The assertion is that IE has "deep hooks into the OS" that enable "higher privileges", not that it is one of the included components of a default Windows install.
Re: (Score:2)
>But even up to and including XP, if it's patched up to the latest Service Pack and patch version, has a firewall activated, a virus checker and sits behind a NAT router on the Internet, then that system is going to be pretty safe just sitting there.
This is what I'm talking about. Users are users, they're not a thing for OS vendors to abuse. They live lives outside of the realm of computing too.
>But it's got its bad security reputation because Microsoft made some poor marketing decisions and aimed it at people who believe they don't need any sysadmin skills to maintain it, and your comments don't honestly do any justice to the number of really good Windows sysadmins who make a pretty good job of keeping it secure, in my experience.
I'm speaking purely in the user space sense. Users shouldn't have sysadmin skills.
Sysadmins on the other hand, are paid to support and keep systems running. Non-sysadmins typically are already working one maybe two jobs, why are we advocating that they also do technical support for free?
Re: (Score:2)
>But it's got its bad security reputation because Microsoft made some poor marketing decisions and aimed it at people who believe they don't need any sysadmin skills to maintain it,
While I agree that this is part of the problem, the idea does not take into account the serious system security flaws that failed to even involve the user, skilled or otherwise.
From the article:
>The root of the problem? In those days, Outlook used Internet Explorer to display HTML-based emails. Even though you never saw IE in action, it was there, lurking in the background, running VBS programs without permission. Years later, the Klez worm used the same approach, but with a different security hole.
Re: (Score:3)
Don't bother. It's practically an article of faith around here that Windows is badly-made, that Microsoft is a malicious, profiteering drag on innovation, and that Windows OS security is responsible for the spread of malware. This view might have been partially accurate 15 years ago, but in 2011, the worm has turned. Companies are made up of people, and people change and mature. Microsoft is trying to be a good corporate citizen these days, and frankly, I'd be far more worried about Apple, both from a t
Re: (Score:3)
If by "article of faith" you mean "consistent with the long history of this corporation, its products, and its business practices" then I agree. The tone with which you make that statement reminds me of a saying: I'm sorry if the correct way of doing things offends you.
The only thing
Re: (Score:2)
Can you highlight the aspects of Apple's marketing where they "unambiguously state that their products may endanger the user if the user does not learn about and follow good security practices" ?
Re: (Score:2)
>Can you highlight the aspects of Apple's marketing where they "unambiguously state that their products may endanger the user if the user does not learn about and follow good security practices" ?
Oh I get it. This is more "us and them" fanboyism. It's like when I say that something Obama does is bad for the country, somebody who likes the Democrats has to chime in and say "oh yeah well Bush did this and that and it was bad too!" as though that makes it okay. Like it's a big imaginary zero-sum balance sheet, so if I criticize "one side" I must also be supporting "the other side". You're either with us or against us, right? It's a rejection of objectivity and I refuse to validate it.
Why would you
Re: (Score:2)
No. I'm merely wo
Re: (Score:1)
>Apple made a wise move by basing OSX on BSD Unix. They won't end up reinventing Unix that way and they are starting with a mature codebase that has already experienced a great number of security attacks. Of course that isn't and won't be perfect, but it would be worse still if they started from scratch.
But the world is evolving. Even Windows now has a mature code-base that was NT (which further contains significant bits of OS/2). The problems encountered and solved 10 years ago don't apply today. Tech
As a Windows Admin (Score:2)
I'd have to say Windows 7 is not too difficult too bad these days.
The biggest problem I have always had with Windows though is the way it manages applications. There are far too many install vectors, from a single binary to various packaged installers.
Microsoft should have secured this better and reduced the options to developers for installing applications. All it does is confuse the user, and make it more difficult for heuristic scanning to determine what is legitimate or not, plus it allows developers to
Re: (Score:2)
What ? I can get applications onto a Linux or OS X system via a binary in a zipfile/tarball, via a package manager like Fink/apt/RPM, via a packaged installer, by a simple drag & drop from a disk image, by compiling from source, from a shell archive, and probably others I haven't thought of.
Your argument is ridiculous on its face. There are *more* "install vectors" on Linux and OS X than there are on Windows.
Re: (Score:1)
I disagree. They are the same, which is too many.
Odd... I just watched a similar article... (Score:1)
Dumb security (Score:2)
The losing strategy of trying to enumerate all the bad software [ranum.com] in existence is so stupid because bad software outnumbers good software, so why can't we enumerate all the good software - all versions?
In theory you can never be sure that you've removed malware. A compromised computer is compromised forevermore.
I honestly think with enough smart people, the right technology and software you can make malicious software less of a problem. Here's an example:
rather than installing the antivirus on your PC, you ta
Better Link (Score:5, Informative)
I wish they'd link to the print page: http://infoworld.com/print/151021 [infoworld.com]
At least this way you avoid the obnoxious SIX pages layout for what could fit in a single page easily. I know, I know... The submitter is always an InfoWorld employee and /. editors don't know the meaning of the word "edit", but hey, I can still ask? Beg, maybe?
Re:Better Link (Score:4, Informative)
Re: (Score:2, Funny)
Don't take this the wrong way, but does it kill you to hit the print button yourself? I mean, sheesh. I know, I know... you're being tracked as you move your mouse to the button, etc.
'Software improves over 20 years' (Score:2)
20 Years of malware (Score:1)
Let's see...There was DOS then Windows 3.x, Windows 95, Windows NT, Windows 98, BOB, Windows ME, Windows 2000, Windows XP, Vista, and Windows 7. I think that's a little more than 20 years actually.
Moore's Law of Malware (Score:1)
Someone smarter than I am may have an (informed) opinion about whether malware and other types of attacks will have a Moore's Law-like life cycle. Are the bad guys winning? I'd say that they're winning if they will predictably make use of publicly networked computers in business or at home more trouble than it's worth. Adding to the bad guys' risks are the good guys who are dancing with the devil with their untapped treasure trove of personal information.
20 years! (Score:5, Insightful)
Why have we put up with 20 years of Windows virus's for so long?
TWENTY YEARS!
What a complete waste of time. And my time is worth much more that the paltry licence fees I have shelled out over the years!!!
Is there any way to say that this is not an epic fail for the Win16/32 platform? On other platforms (Mac, Linux, other Unix's) the total amount of malware is hardly about 100 items in that time... Even if it is around 1000 (I really don't know) it is insignificant in comparison.
I have had not one malware issue in ten years of hosting Linux servers and five years as a Desktop OS on multiple PC's. My last Windows issue was a false positive: AVG thinking it had found a torjan in hal.dll and "healing" it. Thanks AVG. Several hours of work to restore that machine... (the re-imaging broke).
No Windows on every one of my desktops thanks!
Re: (Score:1)
You will be Really Impressed with my use of Capitals then! And my confusion with ei and ie! Just wait till you see me write in French!!!
Actually, I was trying to figure out the plural of Unix - is it Unixes or Unices. I figured Unixs would be wring but I guess Unixes is more proper.
Cheers, ;)
Well... (Score:2, Funny)
...at least something about Windows is innovative.
20 years ago ? (Score:2)
So before 1991 malware wasn't innovative?
(I don't really know, I wasn't dealing with "windows" back then, but I was dealing with viruses. I thought the disk-validator type virus was particularly nasty. Workbench 2 fixed that backdoor, but there were a lot of people running WB1.3 Amigas.)