What to expect when you’re… surfing
No one is safe on the Internet. This is a common expression, which not by accident happens to be true.
Have you ever been a victim of a hacker attack? If not, you’re one of the very few internet users who avoided any kind of cyber crime.
This article is the first of two and contains the top 13 (coincidence? I don’t think so…) of the most dangerous computer viruses of all time. The second article will include counter-measures to a cyber attack.
Getting a computer virus has happened to many users in some fashion or another. To most, it is simply a mild inconvenience, requiring a cleanup and then installing that antivirus program that you’ve been meaning to install but never got around to. But in other cases, it can be a complete disaster, with your computer turning into a very expensive brick which which no amount of antivirus can protect.
Since people usually equate general malware like worms and trojan horses as viruses, we’re including them as well. These malware have caused tremendous harm, amounting to billions of dollars and disrupting critical real life infrastructure.
The ILOVEYOU virus is considered one of the most virulent computer virus ever created and it’s not hard to see why. The virus managed to wreck havoc on computer systems all over the world, causing damages totaling in at an estimate of $10 billion. 10% of the world’s Internet-connected computers were believed to have been infected. It was so bad that governments and large corporations took their mailing system offline to prevent infection.
The virus was created by two Filipino programers, Reonel Ramones and Onel de Guzman. What it did was use social engineering to get people to click on the attachment; in this case, a love confession. The attachment was actually a script that poses as a TXT file, due to Windows at the time hiding the actual extension of the file. Once clicked, it will send itself to everyone in the user’s mailing list and proceed to overwrite files with itself, making the computer unbootable. The two programers were never charged, because there were no laws about malware. This led to the enactment of the E-Commerce Law to address the problem.
- Code Red
Code Red first surfaced on 2001 and was discovered by two eEye Digital Security employees. It was named Code Red because the the pair were drinking Code Red Mountain Dew at the time of discovery. The worm targeted computers with Microsoft IIS web server installed, exploiting a buffer overflow problem in the system. It leaves very little trace on the hard disk as it is able to run entirely on memory, with a size of 3,569 bytes. Once infected, it will proceed to make a hundred copies of itself but due to a bug in the programming, it will duplicate even more and ends up eating a lot of the systems resources.
It will then launch a denial of service attack on several IP address, famous among them the website of the White House. It also allows backdoor access to the server, allowing for remote access to the machine. The most memorable symptom is the message it leaves behind on affected web pages, “Hacked By Chinese!”, which has become a meme itself. A patch was later released and it was estimate that it caused $2 billion in lost productivity. A total of 1-2 million servers were affected, which is amazing when you consider there were 6 million IIS servers at the time.
Named after an exotic dancer from Florida, it was created by David L. Smith in 1999. It started as an infected Word document that was posted up on the alt.sex usenet group, claiming to be a list of passwords for pornographic sites. This got people curious and when it was downloaded and opened, it would trigger the macro inside and unleash its payload. The virus will mail itself to the top 50 people in the user’s email address book and this caused an increase of email traffic, disrupting the email services of governments and corporations. It also sometimes corrupted documents by inserting a Simpsons reference into them.
Smith was eventually caught when they traced the Word document to him. The file was uploaded using a stolen AOL account and with their help, law enforcement was able to arrest him less than a week since the outbreak began. He cooperated with the FBI in capturing other virus creators, famous among them the creator of the Anna Kournikova virus. For his cooperation, he served only 20 months and paid a fine of $5000 of his 10 year sentence. The virus reportedly caused $80 million in damages.
A Windows worm first discovered in 2004, it was created by computer science student Sven Jaschan, who also created the Netsky worm. While the payload itself may be seen as simply annoying (it slows down and crashes the computer, while making it hard to reset without cutting the power), the effects were incredibly disruptive, with millions of computers being infected, and important, critical infrastructure affected. The worm took advantage of a buffer overflow vulnerability in Local Security Authority Subsystem Service (LSASS), which controls the security policy of local accounts causing crashes to the computer. It will also use the system resources to propagate itself to other machines through the Internet and infect others automatically.
The effects of the virus were widespread as while the exploit was already patched, many computers haven’t updated. This led to more than a million infections, taking out critical infrastructures, such as airlines, news agencies, public transportation, hospitals, public transport, etc. Overall, the damage was estimated to have cost $18 billion. Jaschen was tried as a minor and received a 21 month suspended sentence.
Zeus is a Trojan horse made to infect Windows computers so that it will perform various criminal tasks. The most common of these tasks are usually man-in-the-browser keylogging and form grabbing. The majority of computers were infected either through drive-by downloads or phishing scams. First identified in 2009, it managed to compromise thousands of FTP accounts and computers from large multinational corporations and banks such as Amazon, Oracle, Bank of America, Cisco, etc. Controllers of the Zeus botnet used it to steal the login credentials of social network, email and banking accounts.
In the US alone, it was estimated that more than 1 million computers were infected, with 25% in the US. The entire operation was sophisticated, involving people from around the world to act as money mules to smuggle and transfer cash to the ringleaders in Eastern Europe. About $70 million were stolen and in possession of the ring. 100 people were arrested in connection of the operation. In late 2010, the creator of Zeus announced his retirement but many experts believe this to be false.
Believed to have been created by the Israeli Defence Force together with the American Government, Stuxnet is an example of a virus created for the purpose of cyberwarfare, as it was intended to disrupt the nuclear efforts of the Iranians. It was estimated that Stuxnet has managed to ruin one fifth of Iran’s nuclear centrifuges and that nearly 60% of infections were concentrated in Iran.
The computer worm was designed to attack industrial Programmable Logic Controllers (PLC), which allows for automation of processes in machinery. It specifically aimed at those created by Siemens and was spread through infected USB drives. If the infected computer didn’t contain Siemens software, it would lay dormant and infect others in a limited fashion as to not give itself away. If the software is there, it will then proceed to alter the speed of the machinery, causing it to tear apart. Siemens eventually found a way to remove the malware from their software.
Surfacing in 2004, Mydoom was a worm for Windows that became one of the fastest spreading email worm since ILOVEYOU. The author is unknown and it is believed that the creator was paid to create it since it contains the text message, “andy; I’m just doing my job, nothing personal, sorry,”. It was named by McAfee employee Craig Schmugar, one of the people who had originally discovered it. ‘mydom’ was a line of text in the program’s code (my domain) and sensing this was going to be big, added ‘doom’ into it.
The worm spreads itself by appearing as an email transmission error and contains an attachment of itself. Once executed, it will send itself to email addresses that are in a user’s address book and copies itself to any P2P program’s folder to propagate itself through that network. The payload itself is twofold: first it opens up a backdoor to allow remote access and second it launches a denial of service attack on the controversial SCO Group. It was believed that the worm was created to disrupt SCO due to conflict over ownership of some Linux code. It caused an estimate of $38.5 billion in damages and the worm is still active in some form today.
CryptoLocker is a form of Trojan horse ransomware targeted at computers running Windows. It uses several methods to spread itself, such as email, and once a computer is infected, it will proceed to encrypt certain files on the hard drive and any mounted storage connected to it with RSA public key cryptography. While it is easy enough to remove the malware from the computer, the files will still remain encrypted. The only way to unlock the files is to pay a ransom by a deadline. If the deadline is not met, the ransom will increase significantly or the decryption keys deleted. The ransom usually amount to $400 in prepaid cash or bitcoin.
The ransom operation was eventually stopped when law enforcement agencies and security companies managed to take control part of the botnet operating CryptoLocker and Zeus. Evgeniy Bogachev, the ring leader, was charged and the encryption keys were released to the affected computers. From data collected from the raid, the number of infections is estimated to be 500,000, with the number of those who paid the ransom to be at 1.3%, amounting to $3 million.
The good news is that if it is infected, it is simply localized to that specific user’s account. The bad news is that more than 600,000 Macs were infected, including 274 Macs in the Cupertino area, the headquarters of Apple. Oracle published a fix for the exploit with Apple releasing an update to remove Flashback from people’s Mac. It is still out in the wild, with an estimate of 22,000 Macs still infected as of 2014.
- TINY BANKER TROJAN
Specifically designed to steal banking information, Tiny Banker Trojan is a better and smaller form of Banker Trojan which was seen in the past.
This virus uses packet sniffing to detect if a user is entering login details to operate a bank account. When it does happen, the virus uses bank details like its bank website domain, logo, and title to identify the bank and save its details. After the user has logged in with the correct details, the virus creates a fake pop up with all the bank details to make the page seem real and asks the user for the details again.
- STORM WORM
Found in January 2007, Storm Worm is one of the most harmful viruses ever discovered. It started from Russia, and it is the fastest spreading email virus which has ever attacked Windows systems.
Like other viruses which are spread through email, Storm Worm too uses a deceiving headline to make users download email attachments. Usually, the subject made the email look like it was a news piece and the attachment was a video connected to that news.
By June 2007, the Storm Worm had infected over 1.7 million computers, and by September, the number had reached 10 million.
Discovered in November 2014, the Regin virus was so efficient in attacking Windows computers, that most of the security and antivirus software were not able to detect this virus until the very end of 2015.
It is essentially a Trojan horse which gets downloaded to the system when a user visits a spoofed web page. Once downloaded, the virus then downloads more extensions which makes it difficult to be detected by any antivirus.
It has been speculated that this virus was created by the United Kingdom and United States as a way of mass surveillance. But of course, nothing has been proven yet.
The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system and using EternalBlue by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
The attack began on Friday, 12 May 2017, and within a day was reported to have infected more than 230,000 computers in over 150 countries. Some of the infected were parts of the United Kingdom’s National Health Service (NHS) were infected, Spain’s Telefónica, FedEx and Deutsche Bahn, along with many other countries and companies worldwide.
Shortly after the attack began, a 22-year-old web security researcher from North Devon in England known as MalwareTech discovered an effective kill switch by registering a domain name he found in the code of the ransomware. This greatly slowed the spread of the infection, effectively halting the initial outbreak on Monday, 15 May 2017, but new versions have since been detected that lack the kill switch. Researchers have also found ways to recover data from infected machines under some circumstances.