One of the few benefits of being old is that even if your memory is starting to fade, you can still remember more history than the youngster next to you. That's why I'm always sent the latest malware reports by friends, coworkers, customers, and other reporters, then asked to gauge the seriousness of the latest supposed superthreat.
For example, a friend recently brought my attention to a detailed rundown on the ZeroAccess/Sirefer malware program. It's a doozy -- besides being a rootkit botnet program, it creates its own hidden partition on the hard drive and uses hidden alternative data streams to hide and thrive. I'm impressed ... sort of.
Longtime antimalware experts are rarely bowled over by new malware. Most of the threats are retreads of programs we've seen dozens of times since the 1990s. Malware that hides from prying eyes and antimalware software? Hiding techniques were in the very first IBM PC computer virus, Pakistani Brain, from 1986. Malware that encrypts data and asks for a ransom to provide the decryption key? That started with the AIDS Trojan in 1989. Polymorphic, ever-changing, hard-to-detect malware? Try Dark Avenger's Mutation Engine from March 1992. He confounded the world's best antivirus expects, including John McAfee, for most of the next few years.
It really takes something new to impress us. It happens occasionally, most notably with Stuxnet and Flame. But even those programs failed to shake up most malware experts because they're cyber warfare bugs that required teams of people with a state-sponsored objective in mind. The scariest parts of those two programs don't appear in traditional malware.
My doomsday malware
No, it's superbugs with more general targets that scare malware fighters. Although most antimalware experts won't readily admit to it, especially to the press, each has an idea of the most dreaded supermalware program they'd hate to see unleashed on the general public. Here's mine.
The most important attribute is that it would not require end-user intervention to spread. Think SQL Slammer or Blaster. Truly remote buffer overflow worms are pretty rare, but when they kick off, they can inflict a lot of damage. Slammer holds the fastest record, infecting nearly every possible unpatched SQL server connected to the Internet in about 10 minutes. By the time most of had woke up to reports of Slammer (it was released in the early morning hours on a Sunday), it had been in charge of the victims' servers for almost an entire business day.
Slammer had a few other interesting traits; for one, it didn't contain any payload. It just took over its victim and aggressively looked for more targets to exploit. In fact, its aggressiveness gave it away. Because Slammer tried to use so many network connections, an admin could quickly realize Slammer's presence on their network due to an utter shutdown from all the malicious traffic.
Low-profile mayhem
A more dreaded worm would be one that infected low and slow. The slowness isn't that important, but the low attribute implies that the beast can infect as many victims as possible without incurring immediate responses from admins. The perfect malware program would go about doing its dirty work, hitting more hosts, possibly getting backed up along with normal data so that even all the saved backups were compromised.