Timeline: A Decade of Malware
ScanSafe security researcher Mary Landesman looks back at some of the notorious malware that has shaped the attack landscape we now face online
By Mary Landesman, Senior Security Researcher, ScanSafe
February 02, 2010 — CSO —
With first decade of the millennium coming to a close this year, it seems a good time to take a look back at some of the malware that has helped shape the current-day attacks on the Web. Modern malware is commercially motivated. Instead of writing malware for ego gratification, today's attackers are using malware to make money. Looking back at the most notable malware of the last ten years, we begin to see how the industry has taken shape. From pesky spam pranks to a multi-million dollar 'black hat' industry, malware continues to evolve at a rapid pace, with no signs of slowing.
1. 2001: Loveletter steals free Internet access
Modern malware is commercially motivated. Instead of writing malware for ego gratification, today's attackers are using malware to make money. In hindsight, the May 2000 Loveletter worm was a harbinger of things to come. The Loveletter worm combined social engineering (love letter for you) with a password-stealing trojan designed to harvest ISP usernames and passwords. The intent: to provide free Internet access to the worm's author (Read about current social engineering tactics in CSO's social engineering guide).
2. 2002: JS/Exception bombs usher in malicious marketing
In mid-September 2001, the Nimda worm began its rapid spread around the globe, facilitated by multiple means of propagation. One of the methods included modifying any .htm, .html, or .asp pages found on infected systems. The worm also spread by exploiting several vulnerabilities in Microsoft IIS, furthering the worm's ability to infect Web pages. As such, Nimda can be viewed as a pioneer in malware's eventual move to the Web.
3. 2003: Sobig worm popularizes spam proxy trojans
January 2003 ushered in the Sobig worm, a significant threat not fully appreciated until Sobig.E and Sobig.F appeared in the summer of that same year. Sobig-infected computers were outfitted with a spam proxy, enabling mass-mailers to send large volumes of unwanted email via victim computers; even harvesting the victims own email contacts to add to the spammers' mailing lists.
4. 2004: Bagle worm vies for dominance to harvest addresses and account information
The monetary gains to be had from harvesting email addresses became even more apparent during the subsequent email worm wars in early 2004. Beginning with MyDoom and the Bagle worm, an interloper (Netsky) quickly jumped into the fray. The authors of Bagle then began coding variants of their worm that, in addition to dropping their own malware, would also remove Netsky. In turn, the Netsky author began neutering the MyDoom/Bagle infections while adding his own malicious code to the system. This prompted a response from the Bagle authors; hidden in Bagle.K's code was the message, "Hey Netsky, f*ck off you b*tch, don't ruine our business, wanna start a war?"