2011 marks the 40th anniversary of the computer virus. Help Net Security notes that over the last four decades, malware instances have grown from 1,300 in 1990, to 50,000 in 2000, to over 200 million in 2010. Fortinet (FTNT) marks this dubious milestone with an article that counts down some of the malware evolution low-lights.
The Sunnyvale, CA network security firm says that viruses evolved from academic proof of concepts to geek pranks which have evolved into cybercriminal tools. By 2005, the virus scene had been monetized, and almost all viruses developed for the sole purpose of making money via more or less complex business models. According to FortiGuard Labs, the most significant computer viruses over the last 40 years are:
See Part 1 Here – See Part 2 Here – See Part 3 Here – See Part 4 Here
2007 – By 2007, Botnets have infected millions worldwide using Zombie systems to send spam to generate Denial of Service (DoS) attacks, compromised passwords, and data. By 2007 cybercriminals had developed a lucrative business model they were protecting. The attackers became more concerned about protecting their zombie computers. Until 2007, botnets lacked robustness, by neutralizing its unique Control Center (PDF), a botnet could be taken down because Zombies didn’t have anyone to report to (and take commands from) anymore. The Storm botnet was the first to feature a peer-to-peer architecture (PDF) to decentralize its command and control functions. At the peak of the outbreak, the Storm Botnet was more powerful than many supercomputers and accounted for 8% of all malware running in the world according to FortiGuard.
2008 – Koobface (an anagram for Facebook) spreads by pretending to be the infected user on social networks, prompting friends to download an update to their Flash player to view a video. The update is a copy of the virus. Once infected, users would serve as both vectors of infection for other social network contacts and as human robots to solve CAPTCHA challenges for cyber-criminals, among other things. Koobface is also the first botnet to recruit its Zombie computers across multiple social networks (Facebook, MySpace, hi5, Bebo, Friendster, etc). FortiGuard estimates that over 500,000 Koobface zombies are online at the same time.
2009 – Conficker (aka Downadup) is a particularly sophisticated and long-lived virus, as it’s both a worm, much like Sasser, and an ultra-resilient botnet, which downloads destructive code from a random Internet server. (We still see it pop-up from time to time at work). Conficker targeted the Microsoft Windows OS and used Windows flaws and Dictionary attacks on admin passwords to crack machines and link them to a computer under the control of the attacker. Conficker’s weakness is its propagation algorithm is poorly calibrated, causing it to be discovered more often according to Fortinet. In 2009 some networks were so saturated by Conficker, that it caused planes to be grounded, hospitals and military bases were impacted. Conficker infected bout 7 million systems worldwide.
Advanced Persistent Threat (aka APT, Operation Aurora) was a cyber attack that began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google (GOOG) on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China and was both sophisticated and well resourced and consistent with an advanced persistent threat attack. According to Wikipedia the attack also included Adobe (ADBE), Dow Chemical (DOW), Juniper Networks (JNPR), Morgan Stanley (MS), Northrop Grumman,(NOC), Rackspace (RAX), Symantec (SYMC), and Yahoo (YHOO). There is speculation that the primary goal of the attack was to gain access to and potentially change source code repositories at these high-tech, security, and defense contractor companies.
The definition of an Advanced Persistent Threat depends on who you ask, Greg Hoglund, CEO at HBGary told Network World an Advanced Persistent Threat is a nice way for the Air Force and DoD to not have to keep saying “Chinese state-sponsored threat.” He says,” APT is “the Chinese government’s state-sponsored espionage that’s been going on for 20 years,” Mr. Hoglund told Network World.
2010 – Stuxnet‘s discovery in September 2010 ushered in the era of cyberwar. According to most threat researchers today, only governments have the necessary resources to design and implement a virus of such complexity. Stuxnet is the first piece of malware specifically designed to sabotage nuclear power plants. It can be regarded as the first advanced tool of cyber-warfare. Stuxnet was almost certainly a joint U.S. / Israeli creation for damaging the Iranian nuclear weapons program, which it did, by destroying a thousand centrifuges used for uranium enrichment.
To spread, Stuxnet exploited several critical vulnerabilities in Microsoft (MSFT) Windows, which, until then, were unknown, including one guaranteeing its execution when inserting an infected USB key into the target system, even if a systems autorun capabilities were disabled. From the infected system, Stuxnet was then able to spread into an internal network, until it reached its target: a Siemens industrial software system that run Iran’s Bushehr nuclear reactor and most likely intended to destroy or neutralize the industrial system.
2011 – Duqu is the current star in the world of malware but, as history shows, that fame will be short-lived. Just like fashion models, modern malware has a lifespan in the media eye of a couple of weeks to a couple of months, tops. They then fade into the shadow of more dangerous and advanced tools, according to Help Net Security.
Gary Warner, director of Research in Computer Forensics in the UAB College of Arts and Sciences blogged that Duqu is a data-stealing program that shares several blocks of code with Stuxnet. In fact, one of the two pieces of malware we’ve seen that is described as being Duqu is also detected as Stuxnet by some AV vendors.
Symantec disclosed in their report that one of the infections they were analyzing was infected via a Word Document that exploited the system using a previously unknown 0-day attack.
On November 3, 2011, Microsoft released a Microsoft Security Advisory (2639658) Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege. The advisory starts with an executive summary which says, in part:
Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware.
rb-
Every couple of years a new malware is crowned the most innovative or dangerous cyber threat in the wild. The anti-malware industry is built on a game of chicken between malware creators and anti-malware creators, with end users stuck squarely in the middle. As this series of articles has shown this game has gone on for 40 years since computers were bigger than many houses and were as user-friendly as the DMV.
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
On his excellent VoIP/UC Security Blog, Mark Collier points to some interesting work on Interactive Voice Response (IVR) security threats by Rahul Sasi. IVR systems are used in phone banking, call centers, hospitals, and corporations mainly for information retrieval and account management via phone lines. As a security researcher for iSIGHT Partners, Sasi is doing research on a variety of security vulnerabilities that may be present in IVRs.
Information harvesting – for account numbers and PINs, guessing a static 4-digit PIN for a range of account numbers. The odds of a hit are pretty good. Some IVRs lock the account but reset at midnight.
Who remembers blue boxes or the most famous phone phreak John “Captain Crunch” Draper.
Once upon a time, back in 2005, there was a time when “using the Internet” always meant using a computer. Today getting on the Intertubes is an expected feature for many devices. The next digital frontier is the physical world, where the “Internet of Things.” The Internet of Things will bring an online ability to objects.
There are reports of two recent cyber attacks on 
