Several hugely successful malware attacks followed in ILOVEYOU's technological footsteps. In 2001, the Anna Kournikova worm arrived in an email attachment called AnnaKournikova.jpg.vbs. Sircam grabbed a Word or Excel file on the infected PC and sent out infected versions of the file using the same technique. Many confidential files went out to unexpected recipients. Sircam also spread by copying itself onto network shares.
Beginning of the botnet
Not content to merely distribute malware over the Internet, enterprising programmers started working on ways to control Windows PCs directly using the Internet.
In December 1999, a Brazilian programmer who uses the name Vecna unleashed a new Trojan called Babylonia. While incorporating CIH-style interstitial infection and Happy99-style Winsock replacement, Babylonia brought an important new capability to the malware gene pool: It phoned home, once a minute, and updated itself if a newer version is available.
While its authors claim BackOrifice wasn't invented to subvert systems, it certainly offered that capability on Windows 95 and 98 systems. Much like today's botnet controllers, BackOrifice provides remote control -- the ability to run one PC from another, over the Internet. BackOrifice isn't a virus; rather, it's a payload waiting to be deposited by a virus or a Trojan.
The Sobig worm created the first commercially successful spam-generating botnet, and it did so through infected email attachments. At one point, 1 out of 20 email messages on the Internet contained a Sobig.f infected attachment. Sobig harvested email addresses from files on the infected computer.
Cracking into Windows
By 2001, most malware spread by sending infected files over the Internet or by dropping infected files on network shares. That year, malware writers expanded their horizons by aiming directly for security holes in Windows itself. They also jumped up several levels in sophistication. No longer intent on destroying data or playing pranks, some malware writers turned their considerable talents to making money.
CodeRed infamously infected more than 300,000 Windows Servers, using a buffer overflow to take control of IIS and deface websites on the infected server. CodeRed-infected machines send out buffer overflow packets to random machines on the Internet in a spray attack. Microsoft patched the hole a month before CodeRed appeared, but admins didn't apply the patches quickly enough. A complete rewrite, CodeRed II, not only engaged in spray attacks, it also attacked local machines.
Then Nimda took the cake. It used five different infection vectors: a blended threat of the first degree. Nimda infects with email attachments. It infects unprotected network shares. It tries to take down websites. It goes after servers in CodeRed-style. And it can use backdoors left behind by CodeRed.
SQL Slammer ricocheted across the Internet in 2003, infecting 75,000 machines in its first 10 minutes, knocking out wide swathes of the Internet. The worm exploited a security hole in SQL Server and SQL Desktop Engine, which had been patched six months previously. It doesn't put a copy of itself on a hard drive, preferring to simply stay memory resident: Reboot an infected machine, and it isn't infected any more.
Like SQL Slammer, Blaster (aka Lovsan) zoomed across the Internet at a breakneck pace by scanning machines connected to the Internet and passing itself around. Like Slammer, it used an exploit that had already been patched. Unlike Slammer, Blaster attacked every Windows XP and Windows 2000 computer. The payload tried to take out Microsoft's windowsupdate.com site with a DDoS attack.