2011 marks the 40th anniversary of the computer virus. Help Net Security notes that over the last four decades, malware instances have grown from 1,300 in 1990, to 50,000 in 2000, to over 200 million in 2010. Fortinet (FTNT) marks this dubious milestone with an article that counts down some of the malware evolution low-lights.
The Sunnyvale, CA network security firm says that viruses evolved from academic proof of concepts to geek pranks which have evolved into cybercriminal tools. By 2005, the virus scene had been monetized, and almost all viruses developed for the sole purpose of making money via more or less complex business models. According to FortiGuard Labs, the most significant computer viruses over the last 40 years are:
– See Part 1 Here – See Part 2 Here – See Part 3 Here – See Part 4 Here
2001 – E-mail and the Internet become primary transmission vectors for malware by 2001 as scripts automatically load viruses from infected Websites. The Code Red worm targeted Web servers and not users. By exploiting a vulnerability in Microsoft IIS servers Code Red automatically spread to nearly 400,000 servers in less than one week. The Code red worm replaced the homepage of the compromised websites with a “Hacked By Chinese!” page. Code Red had a distinguishing feature designed to flood the White House Website with traffic (from the infected servers), probably making it the first case of documented ‘hacktivism’ on a large scale.
Shortly after the September 11 attacks, the Nimda worm (admin spelled backward) infected hundreds of thousands of computers worldwide. Nimda is one of the most complicated viruses, having many different methods of infecting computers systems and duplicating itself.
2003 – Widespread Internet attacks emerge as SQL Slammer (or Sapphire) infects the memory in servers worldwide, clogging networks and causing shutdowns. on January 25, 2003, Slammer first appeared as a single-packet, 376-byte worm that generated random IP addresses and sent itself to those IP addresses. If the IP address was a computer running an unpatched copy of Microsoft’s (MSFT) SQL Server Desktop Engine, that computer would immediately begin firing the virus off to random IP addresses. Slammer was remarkably effective at spreading, it infected 75,000 computers in 10 minutes. The explosion of traffic overloaded routers across the globe, which created higher demands on other routers, which shut them down, and so on.
The summer of 2003 saw the release of both the Blaster and Sobig worms. Blaster (aka Lovsan or MSBlast) was the first to hit. The worm was detected on August 11 and spread rapidly, peaking in just two days. Transmitted via network and Internet traffic, this worm exploited a vulnerability in Windows 2000 and Windows XP, and when activated, presented the PC user with a menacing dialog box indicating that a system shutdown was imminent.
The Sobig worm hit right on the heels of Blaster. The most destructive variant was Sobig.F, which generated over 1 million copies of itself in its first 24 hours. The worm infected host computers via e-mail attachments such as application.pif and thank_you.pif. When activated, the worm transmitted itself to e-mail addresses discovered on a host of local file types. The result was massive amounts of Internet traffic. Microsoft has announced a $250,000 bounty for anyone who identifies Sobig.F’s author, but to date, the perpetrator has not been caught.
2004 – The Sasser worm built on the autonomous nature of Code Red. It spread without anyone’s help by exploiting a vulnerability in Microsoft Windows XP and Windows 2000 operating systems called the Local Security Authority Subsystem Service or LSASS. Microsoft Security Bulletin MS04-011 here. This is the first widespread Windows malware, made even more annoying by a bug in the worm’s code, that turned infected systems off every couple of minutes.
This is the first time that systems whose function isn’t normally related to the Internet (and that mostly existed before the Internet) were severely affected. Sasser infected more than one million systems. The damage amount is thought to be more than $18 billion.
Bagle was first detected in 2004, it infected users through an email attachment, and used email to spread itself. Unlike earlier mass-mailing viruses, Bagle did not rely on the MS Outlook contact list rather it harvested email addresses from various document files stored in the infected computer to attack. Bagle opened a backdoor where a hacker could gain access and control of the infected computer. Through the backdoor, the attacker could download more components to either spy and steal information from the user or launch DDoS attacks.
MyDoom is another mass-mailing worm discovered in 2004. It spread primarily through email but it also attacked computers by infecting programs stored in the shared folder of the Peer-to-Peer software KaZaA. MyDoom slowed down global Internet access by ten percent and caused some website access to be reduced by 50 percent. It is estimated that during the first few days, one out of ten email messages sent contained the virus.
2005 – In 2005 Sony BMG introduced secret DRM software to report music copying; Other rootkits appear, providing hidden access to systems.
MyTob appeared in 2005 and was one of the first worms to combine a botnet and a mass-mailer. MyTob marks the emergence of cybercrime. The cybercriminals developed business models to “monetize” botnets that installed spyware, sent spam, hosted illegal content, and intercepted banking credentials, etc. The revenue generated from these new botnets quickly reached billions of dollars per year today.
rb-
By 2005 cybercriminals are starting to put all the parts together, Slammer proves that Microsoft systems can be used to spread attacks, Blaster and SoBig improved the infection rate, Bagel began to mine the targets for data and install backdoors so the attackers could continue to re-use the victims’ systems. MyDoom stated to use the first social network, the P2P networks for attacks. Sony proved that rootkits could be widely distributed and MyTob was the first of the modern botnet, leading the world into today’s monetized cybercrime age, described in part 4.
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
On his excellent VoIP/UC Security Blog, Mark Collier points to some interesting work on Interactive Voice Response (IVR) security threats by Rahul Sasi. IVR systems are used in phone banking, call centers, hospitals, and corporations mainly for information retrieval and account management via phone lines. As a security researcher for iSIGHT Partners, Sasi is doing research on a variety of security vulnerabilities that may be present in IVRs.
Information harvesting – for account numbers and PINs, guessing a static 4-digit PIN for a range of account numbers. The odds of a hit are pretty good. Some IVRs lock the account but reset at midnight.
Who remembers blue boxes or the most famous phone phreak John “Captain Crunch” Draper.
