• United States



by Mary Landesman, Senior Security Researcher, ScanSafe

Timeline: A Decade of Malware

Feb 02, 20105 mins
Application SecurityBotnetsCybercrime

ScanSafe security researcher Mary Landesman looks back at some of the notorious malware that has shaped the attack landscape we now face online

With first decade of the millennium coming to a close this year, it seems a good time to take a look back at some of the malware that has helped shape the current-day attacks on the Web. Modern malware is commercially motivated. Instead of writing malware for ego gratification, today’s attackers are using malware to make money. Looking back at the most notable malware of the last ten years, we begin to see how the industry has taken shape. From pesky spam pranks to a multi-million dollar ‘black hat’ industry, malware continues to evolve at a rapid pace, with no signs of slowing.

1. 2001: Loveletter steals free Internet accesssocial engineering guide).

Modern malware is commercially motivated. Instead of writing malware for ego gratification, today’s attackers are using malware to make money. In hindsight, the May 2000 Loveletter worm was a harbinger of things to come. The Loveletter worm combined social engineering (love letter for you) with a password-stealing trojan designed to harvest ISP usernames and passwords. The intent: to provide free Internet access to the worm’s author (Read about current social engineering tactics in CSO’s

2. 2002: JS/Exception bombs usher in malicious marketing

In mid-September 2001, the Nimda worm began its rapid spread around the globe, facilitated by multiple means of propagation. One of the methods included modifying any .htm, .html, or .asp pages found on infected systems. The worm also spread by exploiting several vulnerabilities in Microsoft IIS, furthering the worm’s ability to infect Web pages. As such, Nimda can be viewed as a pioneer in malware’s eventual move to the Web.

3. 2003: Sobig worm popularizes spam proxy trojans

January 2003 ushered in the Sobig worm, a significant threat not fully appreciated until Sobig.E and Sobig.F appeared in the summer of that same year. Sobig-infected computers were outfitted with a spam proxy, enabling mass-mailers to send large volumes of unwanted email via victim computers; even harvesting the victims own email contacts to add to the spammers’ mailing lists.

4. 2004: Bagle worm vies for dominance to harvest addresses and account information

The monetary gains to be had from harvesting email addresses became even more apparent during the subsequent email worm wars in early 2004. Beginning with MyDoom and the Bagle worm, an interloper (Netsky) quickly jumped into the fray. The authors of Bagle then began coding variants of their worm that, in addition to dropping their own malware, would also remove Netsky. In turn, the Netsky author began neutering the MyDoom/Bagle infections while adding his own malicious code to the system. This prompted a response from the Bagle authors; hidden in Bagle.K’s code was the message, “Hey Netsky, f*ck off you b*tch, don’t ruine our business, wanna start a war?”

5. 2005: Bot-delivering breaking news alertsThe Botnet Hunters).

Following the worm wars, named threats became fewer as attacks became more overtly criminal and profit motivated. To bypass technology, clever attackers began incorporating a much higher degree of social engineering in their attacks. In January 2005, following the previous month’s tsunami in the Indian ocean, scammers began targeting people’s fear and curiosity through breaking news alerts. Links in the email that claimed to point to headline news actually pointed to malicious malware that turned victim computers into bots (Read about how botnets are hunted and destroyed in

6. 2006: The as-yet-unnamed Storm worm emergesHow a Botnet Gets its Name).

By 2006, the Storm botnet was formally underway, though not named as such until January 2007, after a bogus breaking news alert claimed “230 dead as storm batters Europe.” Coincidental to the alert, a very real storm in Europe did cause loss of life, thus earning the trojan family (and its associated botnet) its new name, Storm (Also see:

7. 2007: MPack publicity popularizes exploit frameworks

In 2007, publicity around MPack led to heightened adoption of exploit frameworks in general, laying the groundwork for managed Web attacks. The release of free or low cost SQL injection tools in the Fall of 2007.

8. 2008: Goolag and automated injection attacks complete cloud-based malware-as-a-service

In 2008, remote discovery tools such as Goolag further cemented cloud-based malware delivery via the Web. These attacks quickly proved profitable and shifted the value proposition from spam and malicious marketing to stolen FTP credentials and intellectual/financial property theft. Cloud-based distribution of malware also increased the sophistication of malware creation kits, thus doubling the volume of malware with exponential year-over-year increases

9. 2009: Gumblar incorporates and expands a decade’s evolution of malware

The 2009 Gumblar attacks can be viewed as the culmination of a decade’s evolution of criminal/profit-motivated malware. Gumblar creates two sets of botnets: client-side traditional backdoors and a second, never before seen botnet compromised of thousands of backdoored websites. Gumblar includes a forced redirect revenue stream for the Gumblar creators thus providing instant monetization, as well as long term potential profits via its ability to intercept, tamper with and steal Internet and network communications. Gumblar also includes the ultimate in social engineering; turning perfectly good, reputable websites against their visitors.

10. 2010: ?10 IT Security Predictions for 2010).

If the poorly coded and fairly innocuous Loveletter ushered in the beginning of the decade, and the highly sophisticated, multi-pronged Gumblar is ending the decade, one can only wonder, and worry, at what the next ten years may bring (Also see:

Mary Landesman is a senior security researcher with ScanSafe, a provider of SaaS Web security products.