20 notorious worms, viruses and botnets

The earliest worms and viruses were created for geeky fun and did little harm - oh, how times have changed. Here are 20 worms, viruses and botnets that show the evolution of malware, from Creeper to Flame.


Creeper

The first real computer virus, Creeper was released "in lab" in 1971 by an employee of a company working on building ARPANET, the Internet’s ancestor, according to Guillaume Lovet, Senior Director, FortiGuard Labs.

The Creeper looked for a machine on the network, transferred to it, displayed the message “I’m the creeper, catch me if you can!” and started over, thereby hopping from system to system.


Elk Cloner

Written in 1982 "by a 15-year-old as a way to booby trap his friends' Apple II computer systems without physical access to them, Elk Cloner spread via floppy disks," according to FortiGuard Labs' Lovet. "Infected machines displayed a harmless poem, dedicated to the virus' glory."


Morris worm

Chris Larsen, Malware Lab Architect for Blue Coat Systems, points to the Morris worm, created in 1988 by Cornell University student Robert Tappan Morris, as the first internet worm.

"It's the one that got everyone's attention and demonstrated the possibility of computer malware for causing chaos," adds Kevin Haley, Director, Symantec Security Response.

(Morris also made our Rogues Gallery list of 10 infamous hacks and hackers.)

Michelangelo

The dormant Michelangelo virus was designed to awaken in 1991 on March 6th, the birthday of Renaissance artist Michelangelo, and erase critical parts of infected computers’ hard drives, says Lovet.

"The promises of destruction it carried spawned a media frenzy. In the weeks preceding March 6th, media relayed, and some may say amplified, experts’ predictions forecasting 5 million computers going definitively down. Yet, on March 6th, only a few thousand data losses were reported – and public trust in AV companies’ ethics was tainted for a while."

Melissa

The Melissa virus, found in 1999, propagated via infected Microsoft Word documents and mailed itself to Outlook contacts of the contaminated user, explains Lovet. It was virulent enough to paralyze some important mailing systems on the Internet.

Its author created the bug to honor Melissa, a stripper he’d met in Florida.

"Whether he conquered her heart this way is somewhat unlikely, but one thing is sure: the malicious code earned him 20 months in jail and a $5,000 fine," says Lovet.

I Love You

Discovered in 2000, the "I Love You" or "Love Letter" malware "was not the first example of using social engineering to infect computers, but it was the first massively successful one," says Haley.

Subsequently, it provided a foundation for cyber social engineering that still works today: everyone wants to know that someone loves them. On the flip side, it also taught computer users that they can't trust everything they see online or receive in their inbox. (Though that lesson clearly hasn't settled in fully.)

Anna Kournikova virus

In 2001, the Anna Kournikova virus spread like wildfire via emails promising a picture of the tennis star.

This proved that just like in advertising, when it comes to social engineering, sex sells, says Haley.

Code Red

In 2001, Code Red infected Web servers, spreading automatically by exploiting a vulnerability in Microsoft IIS, says Lovet.

"In less than one week, nearly 400,000 servers were infected, and the homepage of their hosted Websites was replaced with 'Hacked By Chinese!'"

Lovet also notes Code Red had a distinguishing feature designed to flood the White House Website with traffic from the infected servers, probably making it the first case of documented hacktivism on a large scale.

SQLslammer

SQL Slammer made the rounds in 2003. The worm reportedly infected every system vulnerable to the attack within a mere 15 minutes, according to Symantec's Haley. It caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, spreading rapidly and infecting most of its 75,000 victims within ten minutes.

"No one had ever seen malware spread at those speeds before," says Haley.

The worm was based on proof-of-concept code demonstrated at the Black Hat Briefings by David Litchfield.

Sasser

In 2004, Sasser malware exploited a vulnerability in Microsoft Windows to propagate, which made it particularly virulent. What’s more, due to a bug in the worm’s code, infected systems turned off every couple of minutes, says Lovet.

More than one million systems were infected, AFP's communications satellites were interrupted for hours, Delta Airlines was forced to cancel flights, the British coast guard had to go back to printed maps, and a hospital had to redirect its emergency room because its radiology department was completely paralyzed by the virus. The damage was estimated at more than $18 billion.

Microsoft placed a $250,000 bounty on the author, who turned out to be an 18-year-old German student.

Mytob

One of the first pieces of malware to combine the features of a bot and a mass-mailer, 2005's MyTob marked the beginning of the era of botnets and of cybercrime, says Lovet.

Business models designed to monetize the many botnets began to appear: installation of spyware, dispersal of spam, illegal content hosting, interception of banking credentials, blackmail, etc.

Today the revenue generated from botnets (some of which may number 20 million machines) is by some estimates several billion dollars per year. (Read The botnet hunters on CSOonline.)

Storm botnet

By 2007, Lovet notes, cybercriminals already had lucrative business models in place. Before then, however, botnets were fairly fragile: taking down a botnet's single control center neutralized the whole botnet, because the bots no longer had anyone to report to or take commands from.

By implementing a peer-to-peer architecture, Storm became the first botnet with decentralized command.

At the peak of the epidemic, Storm had infected between 1 and 50 million systems and accounted for 8 percent of all malware running in the world.

Koobface

Koobface (an anagram of Facebook) made headlines in 2008.

"It spread by pretending to be the infected user on social networks, prompting friends to download an update to their Flash player in order to view a video. The update is a copy of the virus," explains Lovet.

Zeus botnet

Blue Coat's Larsen points to Zeus, first discovered in 2007, as the "king of the botnet kits."

Zeus is a malware platform unto itself: it can be used to build a Trojan horse that steals banking information through man-in-the-browser keystroke logging and form grabbing. It spreads mainly through drive-by downloads and phishing schemes.

Ikee

"Many people hadn't even heard of 'jailbreaking' a mobile device until the Ikee threat showed up (in 2009)," says Symantec's Haley.

Affecting Apple's iPhone, the threat was rather harmless in payload, but it caught people's attention and demonstrated a couple of important facts: mobile devices are simply computers and must be protected from cyber threats just like any other computer, and, like flies to honey, wherever there is a popular operating system, malware is sure to follow.

Conficker

The massive number of machines infected by Conficker got everyone's attention, says Haley. The really interesting thing about it, though, and what caused even more fear, was the great unknown: what would happen when the resulting botnet woke up on a date specified in the threat's code?

Fortunately, it did not live up to people's worst expectations.

Operation Aurora

Operation Aurora, a cyber attack which began in mid-2009 and continued through December 2009, put the concept of advanced persistent threats on the map, according to researchers at Kaspersky Lab.

The attack, first publicly disclosed by Google in a January 12, 2010 blog post, originated in China. The attacks, which hit more than 30 organizations in the U.S., were the first public confirmation that dedicated hackers had infiltrated major organizations and were using advanced techniques to stay undetected for long periods while stealing valuable information, including source code and intellectual property.

Flashback

The Flashback Trojan, discovered in 2011, affects computers running Mac OS X and exploits a security flaw in Java to install itself on Macs.

Blue Coat's Larsen notes Flashback is a "wake-up call for Mac users; no one should be feeling smug and safe these days."

Stuxnet

Discovered in 2010, Stuxnet exploited several critical, until then unknown vulnerabilities in Windows, including one that guaranteed its execution when an infected USB key was inserted into the target system, even if the system's autorun capabilities were disabled, says FortiGuard Labs' Lovet.

From the infected system, Stuxnet was then able to spread through an internal network until it reached its target: an industrial control system manufactured by Siemens. In this particular instance, Stuxnet knew the weak point of a specific controller, and most likely intended to destroy or neutralize the industrial system.

Flame malware

"According to most threat researchers today, only governments have the necessary resources to design and implement a virus of such complexity," says Lovet of Flame and similar types of cyberespionage attacks.

Flame mostly targeted computers in the Middle East. Analysis conducted in 2012 of servers used to control the Flame malware found that several other related types of malware existed, including one with a direct connection to Stuxnet.

Researchers with Kaspersky Lab, Symantec and others have found Flame is linked to a highly sophisticated operation in which a variety of defensive mechanisms were used to cover the attackers' tracks.