A responsive site for everything to do with computing and computer science
What is a virus?
- Viruses have been the bane of IT and companies since networks were introduced into companies for business transactions. Remember that all computer viruses have been created by someone for a purpose, whether it is to annoy, destroy, deliberately bring down a company or website. A
computer virus is a computer program that is designed to replicate itself by copying itself into the other programs stored in a computer. It may be benign or have a negative effect, such as causing a program to operate incorrectly or corrupting a computer's memory.
All viruses are different so they all act in a different way and have a different purpose. On Symantec the threats are defined daily according to the possibility of risk and the exploit a virus takes advantage on in its attack as detailed in the "Threat Exporer". (Note that this is updated daily.)
- Kaspersky has a useful and suitably brief history of viruses which should prove useful.
- Here is a splendid areticle about the origin of the term "virus" for a self-replicating computer programme and a clear description of a "worm". However, there is some dispute (given here) as to the exact origin of the term.
- The infographic shows the developmental path of 25 of the most famous viruses known in 2011 (which is a long time ago in virus terms. Click on it to see it im more detail.
- The Daily Telegrah has a different slant on the history of cybersecurity in relation to visues here.
- Alternatively the Make Use Of site has an intersting page on "A History Of Computer Viruses & The Worst Ones of Today" albeit from 2010 which is a little out of date (possibly but it does give the early history!)
- A history of viruses in six parts is available from Antivirusworld.
- If you are looking for a timeline of various visues than actually Wikipedia is pretty good.
- Comodo (another anti-virus vendor) has its own potted history here.
- This is a more up-to-date list of viruses looking at the issue from a business perspective.
- A useful article in that it shows how the response changed to the globalisation of the hacking fraternity is provided by CatchUpdates.
A computer virus, much like a flu virus, is designed to spread from host to host and has the ability to replicate itself. Similarly, in the same way that viruses cannot reproduce without a host cell, computer viruses cannot reproduce and spread without programming such as a file or document.
In more technical terms, a computer virus is a type of malicious code or program written to alter the way a computer operates and that is designed to spread from one computer to another. A virus operates by inserting or attaching itself to a legitimate program or document that supports macros in order to execute its code. In the process a virus has the potential to cause unexpected or damaging effects, such as harming the system software by corrupting or destroying data.
A computer virus is a malicious program that self-replicates by copying itself to another program. In other words, the computer virus spreads by itself into other executable code or documents. The purpose of creating a computer virus is to infect vulnerable systems, gain admin control and steal user sensitive data. Hackers design computer viruses with malicious intent and prey on online users by tricking them.
A computer virus is a program or piece of code designed to damage your computer by corrupting system files, wasting resources, destroying data or otherwise being a nuisance. Viruses are unique from other forms of malware in that they are self-replicating — capable of copying themselves across files or other computers without a user's consent.
A brief history of viruses.
Timeline of Computer Viruses
Computers and computer users are under assault by hackers like never before, but computer viruses are almost as old as electronic computers themselves. Most people use the term “computer virus” to refer to all malicious software, which we call malware. Computer Viruses are actually just one type of malware, a self-replicating programs designed to spread itself from computer to computer. A virus is, in fact, the earliest known malware invented.
On November 10, 1983, a handful of seminar attendees at Lehigh University, Pennsylvania, USA, heard for the first time the term “virus” applied to computing. The use of the word was strange. The virus that was then on everyone’s mind was the one isolated a few months earlier at the Pasteur Institute in Paris that could be the cause of a new disease called AIDS. In the digital world, talking about viruses was almost nonsense. The first PC had been launched on the market just two years earlier and only the most technologically informed were running an Apple II computer or one of its early competitors.
However, when on that day the graduate student from the University of Southern California Fred Cohen inserted a diskette into a VAX11/750 mainframe computer, the attendees noted how code hidden in a Unix program installed itself and took control in a few minutes, replicating and spreading to other connected machines, similar to a biological virus.
Cohen tells OpenMind that it was on November 3 when a conversation with his supervisor, Leonard Adleman (one of the three creators of RSA encryption which is the cornerstone of e-commerce), led to the idea of giving the name of virus to that code capable of infecting a network of connected computers. The Cohen virus was simple: “The code for reproduction was perhaps a few lines and took a few minutes to write,” says the author. “The instrumentation and controls took almost a day.”
Cohen published his creation in 1984, in an article that began: “This paper defines a major computer security problem called a virus.” But though the extensive research of Cohen and Adleman in the specialized literature would draw attention to their existence, the truth is that before that first virus defined as such appeared, there had already been earlier cases.
The following is a history of some of the most famous viruses and malware ever:
Although no viruses or worms were developed, theories of self-replicating programs that spawn viruses or worms are developed.
|1959||Core Wars: A computer game was programmed in Bell Laboratory by Victor Vysottsky, H. Douglas McIlroy and Robert P Morris. They named it Core Wars. In this game, infectious programs named organisms competed with the processing time of PC.|
John von Neumann known to be the “Father of Cybernetics”, wrote an article called the "Theory of Self-Reproducing Automata" that was published. This was based his lectures he had held 18 years earlier on this theory.
Did John von Neumann open "Pandora's Box" or would someone else have opened it later anyway?
The Creeper Worm, by Bob Thomas, was an experimental program that was self-replicating. It infected DEC PDP-10 Computers that ran the TENEX Operating System. The Reaper was later developed to delete this virus.
Bob Thomas developed an experimental self-replicating program. It accessed through ARPANET (The Advanced Research Projects Agency Network) and copied to a remote host systems with TENEX operating system. A message displayed that “I’m the creeper, catch me if you can!”. Another program named Reaper was created to delete the existing harmful program the Creaper.
|1974||A virus called the Wabbit made continual copies of itself at such high speeds that it would clog the system. The computer system would eventually crash.|
John Walker wrote the ANIMAL for the UNIVAC 1108. This became known as one of the first non-malicious Trojans. It spread to other UNIVACs when computer users discovered the game due to overlapping permissions. It was also spread by sharing tapes.
A novel by John Brunner called the "Shockwave Rider" coined the term "worm" by using it to describe a particular program that circulates itself through a computer network.
The "Elk Cloner" for the Apple II Systems was created by Richard Skrenta. It infected the Apple DOS 3.3 and spread to other computers by floppy disk transfer. The "Elk Virus" was responsible for being the first computer virus to cause a massive outbreak ever in history.
It is interesting to note that the first virus written for a PC was written for an Apple computer despite the fact that "Everyone says that Apple computer do not have viruses." Apple Viruses 1, 2, and 3 are some of the first viruses "in the wild," or public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.
|1983||While completing his dissertation Frederick Cohen first used the term virus in order to explain when a particular computer program is able to infect additional computer programs because it was capable of replicating itself. He formally defines a computer virus as "a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself."|
|1986||Two programmers from Pakistan named Basit and Amjad, found a way to replace the executable code found in the boot sector of a floppy disk. It became known as the "Brain" "Brain boot sector" and even the Pakistani flu as well as being the first IBM PC virus, 5 years after the first Apple virus. The virus was built to respond to illegal copying of their software - cardiac monitoring software.|
A virus called "Lehigh" came from Yale University and it infected command.com files. It was immediately stopped.
"Cascade" was the first self-encrypting file virus that resulted in IBM developing an antivirus product.
A virus first found in the city of Jerusalem called the Jerusalem Virus infected and destroyed all executable files on computers after being activated only on every Friday the 13th. This caused a world wide epidemic a year later.
A boot sector virus for specifically for the Amiga called the "SCA virus" quickly caused a virus-writer clash. The SCA virus released a more destructive and malicious virus that became known as "Byte Bandit".
Another virus that was developed in December of 1987 called the "Christmas Tree EXEC". It was the first replicating program that that was able to infect quite a few computer networks internationally.
In early spring, the "Ping-Pong virus" was discovered at the University of Turin in Italy. It was a type of boot sector virus.
The ARPANET worm was written and it disabled over 6,000 computers.
A virus called the "Festering Hate Apple ProDOS" spread through underground systems (BBS) and begins to infect mainstream networks.
Robert Tappan Morris develops the Morris Worm that infects DEC VAX and SUN machines that were running on the BSD UNIX. This system was also connected to the internet which made it the first worm to spread into the "wild." Up until this point, viruses were shared through exchaning data using disks and bulletin boards (BBS).
|1989||A trojan called AIDS appears. It requested immediate payment in order for it to be removed.|
Some of the first antivirus software from Symantec called Norton AntiVirus began to appear.
The first polymorphic virus called the Chameleon was developed by Ralf Burger.
|1991||The Chameleon virus is released and also becomes known as Tequila. With its every changing appearance, it became wide spread and difficult to detect as polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.|
There are over 1300 viruses in existence.
DAME or the Dark Avenger Mutation Engine was created and made to turn regular viruses into chameleon like polymorphic viruses.
This toolkit was one of many that were available from the Virus Creation Laboratory.
The Michelangelo was blown out of proportion by the media as predictions anticipatethat the virus will have caused a digital apocalypse, when in actuality it caused little damage; 5 million infections were predicted and 5,000 to 10,000 actually took place.
|1993||Popularity with shareware caused "Leandro and Kelly" and "Freddy Krueger" viruses to spread a very quick rate.|
|1994||The first major computer virus hoax called Good Times spreads. It is said that any email with the subject of Good Times is in fact a malicious virus capable of erasing the whole hard drive. Although this hoax was later disproved it will still reappear from time to time.|
|1995||A virus called "Concept" is developed. It spreads through and attacks Microsoft Word documents.|
|1996||A macro virus known as Laroux was developed to infect Microsoft Excel Documents, A virus named Baza was developed to infect Windows 95 and Virus named Staog was created to infect Linux.|
CIH virus"s first version begins to appear, developed by Chen Ing Hau from Taiwan.
StrangeBrew infects Java files. Currently harmless and yet to be found in the wild, StrangeBrew is the first virus to infect Java files. The virus modifies CLASS files to contain a copy of itself within the middle of the file's code and to begin execution from the virus section.
A virus called the Chernobyl spreads drastically through executive files. It affected files and certain chips in computers.
Two teens from California were able to infiltrate and control over 500 computer systems from the military, private sectors, and the government.
A worm called the Happy99 appears and attaches itself to emails, hides changes being made and also wishes the computer user a happy New Year. It affected Outlook Express and Internet Explorer on Windows 95 and 98.
Another worm that attacked in a similar way as the Happy99 called the Melissa worm (W97M.Melissa) targeted systems based with Microsoft Word and Outlook Express. It infected nearly one million PCs.
Bubble Boy was another worm that worked similarly to Melissa and Happy99 except that it was able to function without the user opening an email.
The first macro virus capable of infecting multiple programs was known as the Tristate. It infected files from Excel, PowerPoint, and Microsoft Word.
The "I love you" virus, also known as the "Love Bug" infects more than a million PCs. It works similar to that of the Melissa or Bubble Boy virus in the way that it is spread. It sends user names and passwords back to the person responsible for spreading the virus. It is also capable of deleting files such as JPEGs, MP2, or MP3.
The Pikachu virus is the first of its kind to target children.
A virus, known as the "Anna Kournikova", hits email servers extremely hard by sending emails to all the contacts in a given Microsoft Outlook address book. Although it was not a malicious virus it did cause it gave analysts a reason to believe it was written using a tool kit, which could be used by the most inexperienced programmer. The emails purported to contain pictures of the very attractive female tennis player, but in fact hid a malicious virus.
More worms such as CodeRed, Sircam, and BadTrans are causing more problems and becoming more prevalent. CodeRed caused the most damage by infecting nearly 400,000 hosts of web pages in least than 24 hours. BadTrans was designed for stealing credit card information along with passwords.
The Code Red II comes out in China and is even more aggressive than its original.
Shortly after 9/11 a worm called the Nimda, spreads in many different ways including through Microsoft Outlook and through backdoors from previous worms.
The Kiez worm is discovered to find vulnerable holes through Microsoft Internet Explorer, Outlook Express and Microsoft Outlook.
A virus called the LFM-926 infects Shockware Flash files.
Increasing amounts of viruses emerge with celebrity names.
Beast or RAT is capable of infecting nearly all types of of Windows OS. It is a backdoor Trojan horse.
A computer worm called Mylife spread by sending malicious emails to all of the email addresses in Microsoft Outlook.
The fastest spread worm to date called the "Slammer" infects over 75,000 PCs in just 10 minutes. It was also capable of doubling its numbers every 8.5 seconds during the first initial minute of infection.
A worm called the Welchia or Nachi tried to remove such other worms as Blaster and attempt to repair windows.
The first worm to be considered spam was called Sobig. It spread quickly through network shares and email of Microsoft systems.
In the fall of 2003 a computer worm, called the Swen, was written using C++.
Vulnerabilities in Microsoft caused computer worms like Agobot and Bolgimo to spread easily.
The fastest email and file sharing computer worm called MyDoom (also called Novang) that allows hackers to access the infected computers hard drive. It holds the record for the quickest spreading mass mailer worm.
The Netsky worm spreads through emails by replicating itself to folders found on the local hard drive.
The Whitty worm found holes in many Internet Security Systems related products. The Whitty worm was the first of its kind to spread rapidly through the internet.
The Sasser worm finds holes and soft spots in LSASS, which causes major network problems and interrupts business. An estimated one million computers running Windows are affected by the fast-spreading Sasser computer worm in May. Victims include businesses, such as British Airways, banks, and government offices, including Britain's Coast Guard. The worm does not cause irreparable harm to computers or data, but it does slow computers and cause some to quit or reboot without explanation. The Sasser worm is different than other viruses in that users do not have to open a file attachment to be affected by it. Instead, the worm seeks out computers with a security flaw and then sabotages them. An 18-year-old German high school student confessed to creating the worm. He's suspected of releasing another version of the virus.
The Caribe was the first computer worm designed to infect mobile phones that had Symbian OS. It spread itself through Bluetooth.
Vundo is a Trojan horse that causes popups and advertising in some antispyware programs. It is also known for denying service with certain websites like Google.
The first webworm called Santy used Google to find targets. It infected nearly 40,000 websites before Google was able to filter the search query that the worm used in order to prevent it from spreading.
A cell phone virus called Commwarrior-A spread from cell phone to cell phone via text message.
Samy XXA becomes one of the fastest spreading viruses to date; it was developed to spread quickly and infects all of the Windows family.
A backdoor trojan horse called the Bandook or Bandook RAT infects the Windows family by taking over the computer. It uses a hijacking method to get by firewalls and access the internet.
Another mass-mailing worm called the Nyxem, is activated on the 3rd of every month. It tries to disable all security and file sharing related software in order to destroy files like Microsoft Office; again a mass mailer virus.
A fast spreading email spam threatening Microsoft systems called the Storm worm was discovered. In nearly 6 months it had infected close to 1.7 million computers. By September the numbers had reached millions.
A trojan horse called Zeus steals banking information through a method called keystroke logging.
First serious computer virus called the Mocmex found. It was a trojan that was traced to a digital photo frame.
A trojan horse known as the Torpig affects Windows by shutting down any antivrus applications. This allows others to access the computer and change or steal any confidential information. It also installs more malware onto the infected computer.
A worm called the Koobface targets people who use MySpace and Facebook.
The Conflicker computer worm infects 9 to 15 million servers systems (Microsoft) that were running on a variety of Windows, from Windows 2000 to Windows 7 Beta. Servers from large government organizations like the French Navy and the UK Ministry of Defense were affected. Authorities think that the authors of Conficker may be releasing these variants to keep up with efforts to kill the virus.
W32.Dozer follows a series of cyber attacks in the United States and South Korea.
The Daprosy Worm steals passwords for online games. It would steal from internet cafes and intercept on all keystrokes. It is a very dangerous worm since it was affecting business-to-business systems.
A Windows trojan called the Stuxnet was the first worm to hit the SCADA (Supervisory Control And Data Acquisition) systems. Discovered in June, Stuxnet is a computer worm targeting Siemens industrial software through Microsoft Windows. It is the first worm that corrupts industrial equipment. Stuxnet is also the first worm to include a PCL (programmable logic controller), software designed to hide its existence and progress. In August, security software company Symantec states that 60% of the computers infected with Stuxnet are in Iran. In November, Siemens announces that the worm has not caused any damage to customers. However, the Iran nuclear program is damaged by Stuxnet. Iran uses embargoed Siemens equipment for its nuclear program. A Russian computer company, Kaspersky Lab concludes that Stuxnet is the kind of sophisticated attack that could only be conducted with the full support of a nation.
The website infecting Kenzero virus spreads online stealing browser history from peer to peer sites.
SpyEye and ZeuS have merged to form a new way to attack mobile phones to gain banking information.
Anti-Spyware 2011 is a trojan horse that poses as an anti-spyware program. It attacks newer Windows versions like Vista and XP. It blocks access to the internet for virus updates and completely disables security for antivirus programs.
Cryptolocker: This is a trojan horse that encrypts the files of an infected machine and demands a ransom to unlock the files.
In August two security firms, Fox-IT and FireEye, made public an online portal called Decrypt Cryptolocker to provide the half million victims an opportunity to "access free keys designed to unlock systems infected by CryptoLocker."
The BASHLITE malware is leaked leading to a massive spike in DDoS attacks.
Linux.Wifatch is revealed to the general public. It is found to attempt to secure devices from other more malicious malware.
A trojan named "MEMZ" is created. The creator, Leurak, explained that the trojan was intended merely as a joke. The trojan alerts the user to the fact that it is a trojan and warns them that if they proceed, the computer may no longer be usable. It contains complex payloads that corrupt the system, displaying artifacts on the screen as it runs. Once run, the application cannot be closed without causing further damage to the computer, which will stop functioning properly regardless. When the computer is restarted, in place of the bootsplash is a message that reads "Your computer has been trashed by the MEMZ Trojan. Now enjoy the Nyan cat…", which follows with an animation of the Nyan Cat.
Ransomware Locky with its over 60 derivatives spread throughout Europe and infected several million computers. At the height of the spread over five thousand computers per hour were infected in Germany alone. Although ransomware was not a new thing at the time, insufficient cyber security as well as a lack of standards in IT was responsible for the high number of infections. Unfortunately even up to date antivirus and internet security software was unable to protect systems from early versions of Locky.
Tiny Banker Trojan (Tinba) makes headlines. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC and Bank of America. Tiny Banker Trojan uses HTTP injection to force the user's computer to believe that it is on the bank's website. This spoof page will look and function just as the real one. The user then enters their information to log on, at which point Tinba can launch the bank webpage's "incorrect login information" return, and redirect the user to the real website. This is to trick the user into thinking they had entered the wrong information and proceed as normal, although now Tinba has captured the credentials and sent them to its host.
Mirai creates headlines by launching some of the most powerful and disruptive DDoS attacks seen to date by infecting the Internet of Things. Mirai ends up being used in the DDoS attack on 20 September 2016 on the Krebs on Security site which reached 620 Gbit/s. Ars Technica also reported a 1 Tbit/s attack on French web host OVH. On 21 October 2016 multiple major DDoS attacks in DNS services of DNS service provider Dyn occurred using Mirai malware installed on a large number of IoT devices, resulting in the inaccessibility of several high-profile websites such as GitHub, Twitter, Reddit, Netflix, Airbnb and many others. The attribution of the attack to the Mirai botnet was originally reported by BackConnect Inc., a security firm.
On 12th May, the WannaCry ransomeware virus infects more than 200,000 computers in over 150 countries in a single day, including large companies and public services such as the UK health system that was neither patched nor protected; these were legacy devices where new softwqare was not available to run important but older hardware. Exploits revealed in the NSA hacking toolkit leak of late 2016 were used to enable the propagation of the malware. Shortly after the news of the infections broke online, a UK cybersecurity researcher in collaboration with others found and activated a "kill switch" hidden within the ransomware, effectively halting the initial wave of its global propagation. The next day, researchers announced that they had found new variants of the malware without the kill switch.
The Petya (malware) attack spreads globally affecting Windows systems. Researchers at Symantec reveal that this ransomware uses the EternalBlue exploit, similar to the one used in the WannaCry ransomware attack.
The Xafecopy Trojan attacks 47 countries, affecting only Android operating systems. Kaspersky Lab identified it as a malware from the Ubsod family, stealing money through click based WAP billing systems.
A new variety of Remote Access Trojan (RAT), Kedi RAT is distributed in a Spear Phishing Campaign. The attack targeted Citrix users. The Trojan was able to evade usual system scanners. Kedi Trojan has all characteristics of a common Remote Access Trojan and it could communicate to its Command and Control center via Gmail using common HTML, HTTP protocols.
The Gandcrab Ransomware virus is one of the most famous computer viruses. Gandcrab is a ransomware spread through malvertisements, explicit websites, or spam emails, which leads the user to Rig Exploit Kit Page or GrandSoft EK page. Through these pages, Gandcrab makes an entry into users’ systems and devices. Once ransomware is active on the system, it starts to gather user’s personal information such as username, keyboard type, presence of antivirus, IP, OS version, current Windows version etc. Dangerous computer virus Gandcrab makes its next move on the basis of information collected. After which it kills all tasks & processes running on system so that it can start encrypting the data and files present in system. It then generates public and private keys on user’s system, which are then forwarded to C2 server hosted on .bit domain. As soon as the key is delivered it starts its process of encryption by using public key generated and adds ‘.GDCB’ extension to all encrypted files. After this, it sends a file containing ransom message on the user’s system in return for decryption of their data. The name of the file with ransom message is ‘GDCB-DECRYPT.txt’.
The Trojan Glupteba virus that has several variants with different functionalities. This trojan reaches the system through a file dropped by other malware or by exploit kits. It activates as a service and enables processes on the system pretending to be a legit or authentic software. Glupteba directly communicates to IP addresses and ports to collect user’s information. It diverts the traffic and users towards various unknown domains such as ostdownload.xyz, travelsreview.wo, rldbigdesign.website, sportpics.xyzkinosport.top.
Kuik Adware is one of the top computer virus in the form of a malware & adware dubbed as ‘Kuik’. It is a,los a Trojan as it acts as legitimate Adobe Flash Player update by masking itself. This dangerous computer virus comes with three modules that are legitimate flash player, certificate and .exe file named ‘upp.exe’.Once the virus enters in system, it communicates with all established network interface and adds the DNS 188.8.131.52. After this, it starts collecting personal information and data from the user’s system and forwards it to the hosting domain ‘kuikdelivery.com’. As soon as the information reaches domain server, it activates various other malicious tasks on system that also includes chrome extension from unknown sources, coin miners, etc.
The Magniber Ransomware virus is mostly active in Asian countries. Magniber is spread through malvertisements, infected websites that redirects user to Magnitude exploit kit page. It is the oldest serving malicious browser toolkit that is still in use to distribute the ransomware. As soon as Magniber enters into the system, it starts encrypting the data and files with the use of a unique key. Once encrypted, it adds the .dyaaghemy extension to all the files encrypted.
A new computer virus named ‘Thanatos’, which is distributed through malvertisements, spam emails with malicious attachments and file types, etc. This is very similar to most famous computer virus that is ILOVEYOU computer virus. The most complicated part is to decrypt the data been encrypted by this ransomware. This is because, it generates different keys every time for encryption and does not save these keys anywhere making it difficult to recover. After this, it drops payload in user’s system in form of .exe file or .txt file, which is set for auto run and opens every time the system is restarted. This payload starts encrypting files and add ‘.thanatos’ extension to encrypted files. Soon, user receives a ransom pay message on its system.
Trojan Panda Banker / Zeus Panda. This computer virus is very much identical to top computer virus Zeus banking trojan malware. It’s a malware that uses web to inject malware and to steal users banking information and credentials. It basically is distributed through exploit kits, such as Ngler exploit kit, Nuclear exploit kit, and Neutrino exploit kit. Not only from exploit kits, this is spread through social networking sites, spam emails, and adult sites as well. After getting installed on system, it starts searching for the information such as antivirus, spyware, username, password, etc. This information is passed on to C2 server. And, once this is done, it starts to steal banking credentials, transaction information and other info as well.
Perhaps this section might be called "Famous Viruses" but as they are gennerally destructive (pranks at worst) they deserve the term "IMFAMOUS". In no particular order...
Whenever a PC or mobile vulnerability is revealed, there’s naturally panic about its effects. But why? If you’ve never suffered anything catastrophic in the wake of a virus, it’s easy to downplay how big an impact one can have.
But it’s important that we always learn from the past. These famous PC viruses ably demonstrate that anyone and everyone can fall victim to devastating data loss.
1. The Morris Worm
Let’s start with one of the most important examples of malware. The Morris Worm was the first malicious program covered by mainstream media due to its mass repercussions.
On November 2, 1988, the worm was released and within 24 hours, an estimated 10 percent of computers connected to the internet were affected. The malware slowed down thousands of systems by creating files in temporary folders in an effort to replicate itself.
These PCs were rendered useless (within 90 minutes of infection) until the software was removed. This took around two days to do. It naturally took even longer to expunge it from an entire network. The University of California, Berkeley, for instance, estimated that it took 20 working days to completely get rid of the worm from its computers.
However, it wasn’t meant to be malicious. Robert Tappan Morris had created the program as a way of testing the size of the internet. It was a coding error that was estimated to have cost up to $53,000 per institution—at least according to the judge in the case against Morris. One estimate places the total cost of the worm at between $250,000 and $96 million.
Morris, now one of the world’s most famous hackers, was the first to be found guilty under the 1986 Computer Fraud and Abuse Act ( American Act). He was fined $10,050, and further sentenced to three years on probation, plus 400 hours of community service. Despite the damage this worm caused, it’s generally considered a harsh sentence considering it was a simple mistake. He now works for the Massachusetts Institute of Technology (MIT).
2. Melissa Virus
From the prophetic Curious George and the Ebola Virus to our adoption of the term “frogurt”, The Simpsons has influenced a great deal of society. Perhaps the most surprising is the Melissa virus, inspired by a 1990 episode of the show… and a stripper working in Miami.
Let’s rewind. Infected Word documents were nothing new.
Although rumor had it that the first “wild” macro virus to affect Word could be contracted via email, this wasn’t true. The Concept virus was instead spread, accidentally, by professional firms. Microsoft itself was partly responsible when it shipped Windows 95 Software Compatability Test CD-ROMs containing the virus.
But Concept acted as a forerunner to the Melissa virus. A Word file was uploaded to the Usenet discussion group, alt.sex in March 1999. This contained a list of passwords for 80 porn websites, so you can imagine how many downloaded it. Once they did so, it automatically forwarded onto the first 50 contacts in the Microsoft Outlook address book.
It then sent on other Word files, meaning personal details could’ve been sent to family, friends, and colleagues. This cost an estimated $80 million in damages to private, and corporate networks.
One quirk was in corrupting files with the phrase, “22, plus triple-word-score, plus 50 points for using all my letters. Game’s over. I’m outta here.” This comes from Bart the Genius, in which Bart cheats at Scrabble with Kwyjibo, meaning “a big, dumb, balding North American ape, with no chin and a short temper”.
The Melissa virus was named after a stripper its creator, David L Smith had met in Florida. Smith, who served 20 months of his 10-year sentence, didn’t do it for any financial gain. Still, he subsequently aided the FBI in catching hackers, for which his rent, insurance, and utilities were paid for…
Three words everyone wants to hear—but not in this form.
This took a similar approach to the Melissa virus, yet was far more devastating. It was a worm spread via an email with the subject line “ILOVEYOU”. It came with the attachment, “LOVE-LETTER-FOR-YOU.txt.vbs”. Once opened, it would send itself to everyone in the Outlook address book, making this one of the fastest-spreading viruses at the time.
It was said to have reached over 50 million users within 10 days.
Far more troubling was its capacity to overwrite files. If you didn’t have back-ups (and comparatively few personal networks did), you would have to kiss goodbye to your JPEGs and audio files. Further file types that were overwritten include CSS, HTA, and JSE.
What’s more, it vacuumed up private information, notably passwords, from the internet.
After some companies became wise to this subject line, hackers introduced variants reading “Mother’s Day Order Confirmation”, “Joke”, and “VIRUS ALERT!!!”, the latter supposedly from Symantec.
In May 2000, just a few hours after it originated in the Philippines, a number of places were forced offline to protect themselves from further damage. These included the Pentagon, and the Ford Motor Company.
It’s estimated to have cost $15 billion for firms across America to expunge the worm.
Here it is: the fastest-spreading email worm ever.
This exceeded the impact of ILOVEYOU and has yet to be surpassed. Fingers crossed it never will be. Because MyDoom and variations of it have caused an estimated $38.5 billion in damages worldwide.
The worm acts on a similar principle as ILOVEYOU: an email—with misleading subjects like “Mail Delivery System”—includes an attachment which, once opened, sends itself to addresses found in local files. Whereas previous worms targeted a limited number of contacts, MyDoom wasn’t picky.
It attempted to go under the radar by not targeting addresses of governmental agencies and security firms. MyDoom could further stop a device from running updates to security software!
The most concerning part of the virus was its ability to open a back-door vulnerability in systems for hackers to exploit. Some of these back-doors remain open.
It caused chaos online: the initial strain began distributed denial of service (DDoS) attacks on mainstream sites, like the SCO Group and Microsoft. Subsequent iterations affected Google and other search engines when an influx of requests from corrupted PCs attempted to crash servers.
Part of its impact stems from its longevity. MyDoom was first spotted in January 2004, but deviations have resurfaced across many years since. This included the July 2009 cyberattacks which hit infrastructure in America and South Korea.
Its creators have never been found, which seems strange considering its prolificacy. MyDoom’s point of origin was Russia. A clue might come from the message within the worm: “andy; I’m just doing my job, nothing personal, sorry”.
Cast your minds back to May 2017 and you’ll recall a lot of panic about WannaCry. There was fair reason for it. Despite only lasting a few days, the ransomware spread across between 200,000 and 300,000 computers worldwide.
It was particularly cruel: using a back-door exploitation in Microsoft Windows, it would encrypt all data on the device and hold your files to ransom. It would apparently cost up to $600 (using Bitcoin) to decrypt the information, although even paying the fee wouldn’t save your PC in reality. Nonetheless, some users paid, however futile the effort. Cybercriminals received payments of over $130,600.
Once infected, a computer’s screen locks, showing a red warning and two countdowns, one until the ransom demand would rise and the other until files would be permanently deleted.
Fortunately, Microsoft acted quickly by issuing updates to combat the threat.
One of the biggest victims was the National Health Service (NHS) in the UK. Many medical institutions run older operating systems, (OS) including Windows XP.
When it comes to malware, ransomware is the new kid on the block. While most people can rattle off names like ‘Trojan’, ‘viruses’, and ‘spyware’, they’re often not too familiar with ransomware.
Ransomware is a kind of malware that takes your files hostage. You know in heist movies when the bad guy grabs someone and threatens them in return for money? Ransomware works much like that, except your computer is taken hostage by a faceless bad guy.
Released in September 2013, CryptoLocker spread through email attachments and encrypted the user’s files so that they couldn’t access them.
The hackers then sent a decryption key in return for a sum of money, usually somewhere from a few hundred pounds up to a couple of grand.
With some of the hacking attempts, System Restore or recovery software worked. Although with many of the infected computers, if the victims didn’t pay up they’d lose all their files. Now is a good time to remind you to always back your files up!
In June 2014, Operation Tovar took down Evgeniy Bogachev, the leader of the gang of hackers behind CryptoLocker. In February, the FBI offered a cool $3 million reward for Bogachev.
Cost of the malware: With 500,000 victims, CryptoLocker made upwards of $30 million in 100 days.
7. Sasser & Netsky
17-year-old Sven Jaschan created Sasser & Netsky, two worms, in the early noughties. Sasser & Netsky are actually two separate worms, but they’re often grouped together because the similarities in the code led experts to believe they were created by the same person.
Sasser spread through infected computers by scanning random IP addresses and instructing them to download the virus. Netsky was the more familiar email-based worm. Netsky was actually the more viral virus, and caused a huge amount of problems in 2004.
A German student, Jaschan was arrested when multiple tip-offs were reported to the police. Speculation suggested Jaschan had actually written the viruses to create business for his mother and stepfather’s PC business. Because he was under 18 when he wrote the virus, Jaschan spent his prison sentence on probation.
Even more interesting is Jaschan’s motivation. MyDoom was spreading rapidly at the time and Jaschan, a newbie coder, wanted to see what would happen if his bug could spread faster than MyDoom. Things quickly escalated from there.
Cost of malware: Around $31 billion.
8. Anna Kournikova
What’s a tennis player got to do with a list of interesting viruses? Quite a lot, as it so happens.
We’re going to get this out of the way first: the Anna Kournikova virus is pretty tame compared to many on the list.
So in the early to mid-noughties, Anna Kournikova was one of the most searched terms on the internet. People were just very into tennis.
Jan De Wit, a 20-year-old Dutch man, wrote the virus as ‘a joke’. The subject was “Here you have, ;0)” with an attached file called AnnaKournikova.jpg.vbs. Anna was pretty harmless and didn’t do much actual damage, though De Wit turned himself into police anyway.
The mayor of the town came forward and said the city should be proud to have produced such a talented young man and offered him a job as a techie once he was finished his education.
Cost of the malware: $166,000.
While most of the malware on this list strictly hit computers, Slammer was created with broader ambitions. Slammer is the kind of virus that makes it into films, as only a few minutes after infecting its first victim, it was doubling itself every few seconds. 15 minutes in and Slammer had infected half of the servers that essentially ran the internet.
The Bank of America’s ATM service crashed, 911 services went down, and flights had to be cancelled because of online errors. Slammer, quite aptly, caused a huge panic as it had effectively managed to crash the internet in 15 quick minutes.
Cost of the malware: Around $1 billion.
Stuxnet is easily the scariest virus on the list as it was built by government engineers in the US with the intention of obstructing nukes from being built in Iran.
Yes, you read that right. Who needs to target email when they can gun for nukes?
Stuxnet spread by a USB thumb drive and targeted software controlling a facility in Iran that held uranium. The virus was so effective it caused their centrifuges to self-destruct, setting Iran’s nuclear development back and costing a lot of money.
Stuxnet is the first real venture into cyberwar and it definitely asks the question as to what will come next. The idea of digital weaponry is pretty scary, isn’t it?
Cost of the malware: Unknown.
11. Code Red
Code Red first surfaced on 2001 and was discovered by two eEye Digital Security employees. It was named Code Red because the the pair were drinking Code Red Mountain Dew at the time of discovery. The worm targeted computers with Microsoft IIS web server installed, exploiting a buffer overflow problem in the system. It leaves very little trace on the hard disk as it is able to run entirely on memory, with a size of 3,569 bytes. Once infected, it will proceed to make a hundred copies of itself but due to a bug in the programming, it will duplicate even more and ends up eating a lot of the systems resources.
It will then launch a denial of service attack on several IP address, famous among them the website of the White House. It also allows backdoor access to the server, allowing for remote access to the machine. The most memorable symptom is the message it leaves behind on affected web pages, "Hacked By Chinese!", which has become a meme itself. A patch was later released and it was estimate that it caused $2 billion in lost productivity. A total of 1-2 million servers were affected, which is amazing when you consider there were 6 million IIS servers at the time.
Also known as Downup or Downadup, Conficker is a worm of unknown authorship for Windows that made its first appearance in 2008. The name comes form the English word, configure and a German pejorative.It infects computers using flaws in the OS to create a botnet. The malware was able to infect more than 9 millions computers all around the world, affecting governments, businesses and individuals. It was one of the largest known worm infections to ever surface causing an estimate damage of $9 billion.
The worm works by exploiting a network service vulnerability that was present and unpatched in Windows. Once infected, the worm will then reset account lockout policies, block access to Windows update and antivirus sites, turn off certain services and lock out user accounts among many. Then, it proceeds to install software that will turn the computer into a botnet slaveand scareware to scam money off the user. Microsoft later provided a fix and patch with many antivirus vendors providing updates to their definitions.
The good news is that if it is infected, it is simply localized to that specific user’s account. The bad news is that more than 600,000 Macs were infected, including 274 Macs in the Cupertino area, the headquarters of Apple. Oracle published a fix for the exploit with Apple releasing an update to remove Flashback from people’s Mac. It is still out in the wild, with an estimate of 22,000 Macs still infected as of 2014.
So there you have it: while viruses and malware might seem like a myth drummed up by tech companies, they are a very real threat that have caused billions in damage.
Cyber Attack Maps
A number of antivirus organitions provide "real time" "attack maps" that are rarely real time but do show (sort of) the frequency and sourcfe of many of the attacks currently being undertaken.
Cyber attack maps can be fun to look at, but are they useful? As usual, when it comes to security context is key, so CSO looked at eight of the web's most popular cyber-attack maps. While the maps themselves are mostly eye candy with limited context, there are some creative ways they can be used.
Entrenched security professionals view cyber-attack maps with a somewhat jaded eye. They call them "pew pew" maps, mimicking a child-like sound to represent gunfire when playing with toys. In fact, one map actually uses these sounds to an amusing effect.
Some of the professionals CSO spoke with said they'll pop one of the maps up on a screen in the SOC (Security Operations Center) if they know a client is coming in, but only because of the eye candy factor. In fact, most of the professionals said they've used them, but other than "performance art," there isn't any real value in them.
The common misconception with cyber attack maps is that the data is live, or real-time. It isn't. Most are just a subset of recorded attacks or a playback of sanitized packet captures.
But don't discount how useful the eye candy factor can be: one security professional said he uses them to get high schoolers interested in the security industry. The concept is smart, as the visuals and datatypes on display can create discussion points on attack types, methods and threat actors.
Some SOC operators do the same thing for clients, using the maps to visualize attack types and try to answer customer questions. Again, the value of these cyber attack maps isn't the data they're showing, it's how they can be used as a conversation starter. This is something the vendors that produce the maps know well, as the maps themselves are sales tools.
Probably the most well-known cyber attack map is the one produced by Norse, a security firm that's had its share of problems over the last few years. Discussing the data shown on their map, Norse says the attacks are "based on a small subset of live flows against the Norse honeypot infrastructure…" Interestingly enough, organizations can add their logo to the map when it is displayed at the office.
Taking first prize for visuals and interactive displays is the Kaspersky "Cyberthreat Real-Time Map" – complete with global rotation and zoom. The attacks shown on the Kaspersky map are taken from on-demand and on-access scans, as well as web and email detections. But it isn't clear just how real-time, the real-time presentation is.
Fortinet's cyber attack map looks similar to the one from Norse and appears to show a playback of recorded events. As the attacks are displayed, a rotating breakdown of various stats appears in the lower left part of the screen. Fortinet customers have the ability to have a map of their own, according to documentation.
Check Point Software
The ThreatCloud cyber attack map from Checkpoint Software shows historical data that is reset each day at 12:00 a.m. PST. The map is more visual than the one from Norse, but still has the same basic construct. In addition to watching the playback, the top attackers and targets can be viewed historically, with monthly and weekly stats.
The FireEye cyber attack map lacks the detail presented by the others, and keeps things simple. It tracks historical data and splits it into industry segments and top country of origin for attackers. The data displayed is "based on a subset of real attack data, which is optimized for better visual presentation."
The cyber attack map from Arbor Networks is a hybrid map that was created in part with Google Ideas. The Digital Attack Map tracks DDoS attacks with data from Arbor's ATLAS threat intelligence system. The raw data is sourced from more than 300 ISP customers, and 130Tbps of global traffic. The map will visualize DDoS attacks and allow filtering by size and type.
Trend Micro's Botnet Connection Dashboard is a smaller, stripped down cyber attack map that tracks C&C (Command and Control) servers used by botnets (and their targets) across the globe. The age of the data shown isn't clear, but the historical data tracks back 14 days.
The Akamai real-time monitor isn't a typical cyber-attack map, but we've included it here because it does track attacks in addition to traffic on the internet. Once loaded, it's possible to see what regions in the world have the most traffic volume; in another tab, you can see what regions are experiencing the most attacks. Akamai says the data is presented in real-time.
Protection against viruses