Ned Lindberg, doesn't hesitate when asked which malcode made his job toughest. "I do believe Sasser is the one," the network engineer for Dallas, Wis.-based Chibardun Telephone Cooperative said. "I can data mine and find Sasser-related activity fairly easily. It's still huge."
Sasser began its attack April 30. But months after it faded from the headlines, Lindberg continues to do battle with the worm. "I think one of the biggest problems with Sasser is how many doors it opens into a machine for other infections," he said. Recalling one experience with the worm two months ago, he said he brought up a Windows 2000 virtual machine on a server on his test network. "The Win2k machine was almost up to date on patches, and I figured I'd finish up when I got it online. I couldn't. On a T3, I couldn't get it patched fast enough to keep from getting infected with Sasser."
Using Ethereal to sniff packets, he checked and found that he'd get hit about three times a minute at that point. He said recent sniffs indicate it really hasn't changed much. "I really can't imagine someone taking home a new computer from the discount store and getting online without being patched first," Lindberg said. "I'll bet Christmas gave us a few hundred thousand more Sasser machines."
With a horror story like that, one might expect Sasser to top any security firm's list of baddies for the past year. But it doesn't.
Sure, it's on the top 10 lists of a couple antivirus firms. But a look at other end-of-year lists shows Netsky sitting menacingly atop the heap, or Bagle, or other malicious code that barely made headlines because the malware spread slowly and silently while the others burst onto the scene with fury.
In general, security experts seem to agree Sasser, Netsky and Bagle were major menaces this past year; that security holes in Windows and other programs made their spread fairly easy and that attacks have become increasingly motivated by financial gain.
Expect it to get worse in 2005, they said.
"There was a point where the Internet was a place where you exchanged information," said Alex Tosheff, chief technology officer for Newport Beach, Calif.-based security firm PivX Solutions. "Now it's being used to do financial damage against companies. Exploits will grow more numerous and sophisticated. There are still a lot of vulnerabilities to be found -- deep and shallow vulnerabilities."
He said the Windows LoadImage vulnerability disclosed over Christmas is an example of "plain old poor programming" ripe for exploiting. "You put an extremely large value in the size field of the image header and a simple arithmetic error causes the program to crash and give control to an attacker," Tosheff said.
Here's a look at how some security vendors rated the worst malicious code of the year:
Sasser a major player, but not tops
Most firms agree with Lindberg that Sasser was a major menace, ranking it in the top 10. Sasser ranked third on the list of Lynnfield, Mass.-based antivirus firm Sophos, accounting for 14.2% of all reported malicious activity. Boca Raton, Fla.-based security firm Prevx Inc. ranked Sasser sixth on its list, estimating it caused $979 million in damage. But Netsky is the worm that seems to have topped the most lists.
Sophos researchers had identified 10,724 new viruses by early December, a 51.8% increase in the number of new viruses, bringing the total viruses in existence to 97,535. "Of these," the firm said, "Netsky variants accounted for 41.6% of all viruses reported to the firm, capturing an unprecedented five of the top 10 slots on this year's Top Ten round-up." Netsky-P topped the overall list, accounting for 22.6% of all reported activity.
Netsky-P also topped the list of Tokyo-based Trend Micro, with 2,505,087 sightings between December 2003 and November 2004.
"Netsky-P was discovered in March 2004, and after only being in the wild for 11 days, secured the fourth spot of March's most prevalent malware," Trend Micro said in its report. "It easily secured the top spot the succeeding month, and has not gone down beyond the third spot ever since. In October, it reclaimed the top spot, continuing its reign up until November. To date, it has infected at least 2 million computers worldwide."
Netsky was also a prominent player on the top 10 lists of such other firms as Santa Clara, Calif.-based McAfee and Panda Software of Glendale, Calif.
Other worms and viruses that made for a hairy 2004 were multiple variants of Mydoom and Bagle, both of which made the top 10 lists of several security firms.
Obscure viruses make the lists
According to its 2004 records, McAfee AVERT assessed 46 threats as a medium risk or higher in 2004, compared to 2003's total of 20 threats reaching that level. Most of this was due to the Netsky-Bagle war that consumed the first quarter. Within the first half of 2004, 50 new viruses were discovered daily. By the end of 2004, detection for 17,000 new malware threats were added to AVERT's growing database of threats, the company said.
Some of the names on McAfee's list were not headline grabbers and included notorious spyware: Adware-180, Adware-Gator; Exploit-ByteVerify; Exploit-MhtRedir; and JS/Noclose.
"In 2004, the rise in viruses, worms, phishing, adware and vulnerability exploitation has surpassed what was noted in 2003," Vincent Gulotto, vice president of McAfee AVERT, said in a statement. "Although we saw a steady 5% (year over year) decrease in the rate of virus production from 2000 to 2003, we have seen an increase in 2004 which can be partly attributed to Bagle and Netsky authors feuding, as well as a general lack of awareness in regards to adware and other such programs."
Outlook for 2005
McAfee anticipates adware and unwanted content transmitted by e-mail and the Web will continue to increase in 2005, with programs becoming increasingly complex. "Threats will be combined with content such as spam and phishing as the year progresses," the company said in its report. "It is anticipated that successful phishing schemes will continue to increase throughout 2005 due to a general lack of consumer awareness. Additionally, the number of exploits that attack discovered vulnerabilities will increase as more vulnerabilities are discovered and disclosed."
Nick Ray, chief executive officer of Prevx, agreed. "Cybercrime is booming and the huge costs show just how seriously the threat should be taken," he said in a statement. "These threats, combined with other malicious attempts to exploit our society's reliance on computers, are perpetuated by a vicious minority of people and yet affect millions of innocent victims across the world."