
2001: Year of the Virus

New techniques, social engineering make year the worst ever

December 24, 2001

While the Chinese may have dubbed 2001 the "Year of the Snake", to those in the computer security industry it is better known as the "Year of the Virus". With virus writers using increasingly clever social engineering techniques and exploiting a number of security vulnerabilities, there was no shortage of new viruses in 2001. Many of these caused mass infection, while others achieved notoriety simply because of the techniques used.


When the AnnaKournikova virus was discovered in February 2001, infection rates quickly soared as users opened it in anticipation of viewing pictures of the famous tennis star. However, the virus was short-lived, presumably due to the enormous media coverage. The Magistr virus, which followed a short month later, garnered little publicity but achieved infection rates placing it in the top five category for the year. Magistr also carries a delayed but extremely damaging payload, thus winning the award for the most dastardly virus of the year.

Some worms demonstrate users' willingness to open any attachment received in email. The Goner worm used a friendly, familiar tone in its email message to entice users into opening the attached .scr file. The tactic was highly successful, as Goner achieved a top five rating despite its late appearance in December 2001. Other top viruses in 2001 include:

CodeRed: Most Hyped
Code Red was a shoo-in for the "most hyped virus" award, garnering predictions of an "Internet Armageddon" when first discovered.

In fact, CodeRed became the little virus that didn't. Conversely, the Nimda worm caused serious disruptions in Internet service but was overshadowed by the events of September 11th and received relatively little press as a result.

Nimda: Most Overlooked
Not only the most prevalent virus of the year, Nimda also used the most advanced mechanism for spread by employing several vectors of infection. Nimda exploited security vulnerabilities to spread via the Internet, email, and networks, and during its reign it was harder to answer the question "who became infected" than "who did not". "Nimda's anonymous author only unleashed his creation in September, yet it still represented more than a quarter of all reports to the Sophos helpdesk," said Graham Cluley, senior technology consultant at Sophos Anti-Virus. "Nimda was effective because it could infect computers using a variety of techniques. It is likely that we will see more multiple pronged attacks in the future."

Sircam: Most Disclosing
Discovered spreading in email in July 2001, Sircam lifted legitimate documents from the system, wrapped them with its infection and mass-mailed them to others. As a result, tens of thousands found their personal and often confidential information blatantly displayed to anyone whose email address resided on their system.

BadTrans.b: Most Controversial
Like the Goner worm, BadTrans.b was a late arrival, first making its rounds in November 2001. However, it quickly gained a spot in the top five list by using compelling attachment names such as "Sorry_about_yesterday" and "YOU_ARE_FAT!". Behind the scenes, BadTrans.b dropped a Trojan that logged every keystroke to a server hosted by Monkeybrains.net. The owner of the ISP hosting the server refused to turn over the database to the FBI for investigation, but felt free to share it with a reporter from a San Francisco newspaper.

Sulfnbk.exe: Most Damaging Hoax
While the intentions of the creator of the Sulfnbk hoax may never be clear, the end effect was thousands of users deleting a legitimate system file from their computer. Fortunately, the file isn't critical to the operation of the computer, but the ensuing queries to help desks impacted service for several days in mid-May 2001. Indeed, it would be fair to describe the Sulfnbk hoax as the first manually-driven virus.

Kak and Hybris: Most Persistent
The Hybris virus, better known as "Snow White and the Seven Dwarfs", and the Kak worm are both carry-overs from the year 2000. In fact, Kak topped the virus charts in 2000 and maintained a weaker but still steady presence throughout 2001. Both viruses continue to plague users, though fortunately on an ever-declining scale.

MessageLabs, a leading Managed Services Provider (MSP) specializing in email security, reports that in scans of over 3 million emails per day, they intercepted 3.3 email viruses a minute, or one every 18 seconds, in 2001. This compares with one every three minutes in 2000 and one every hour in 1999. Mark Sunner, MessageLabs Chief Technical Officer, said: "There is no doubt that 2001 is the year of the virus. A massive increase in numbers is one thing, but of more concern is the business impact that they are having. As virus writers get more sophisticated the trouble they are able to cause is much greater. If we thought the scale of LoveBug was bad last year, then 2001 was characterised more by the sheer range and ingenuity of viruses."
