"I think everybody's got a malicious side." ~Jonathan Rhys Meyers
ILU <3
On May 5th, 2000, overflowing with love (but too late for Valentine's Day), 24-year-old Onel de Guzman shared his "Love Letter" worm (ILOVEYOU) with the world, infecting over 10 million systems. The worm spread by email, containing a malicious .vbs
attachment which trashes the user's drives before forwarding itself to all the people in their address book. Considering data loss and the cost of remediation, the worm caused an estimated US$15-24 billion in damages.
For some reason, the world wasn't thrilled with Onel's exhuberant expression of adoration. Still, he never served time; the Philippines had no laws against writing malware at the time, so all charges were dropped. (They passed laws after-the-fact, but couldn't charge him for crimes committed prior.)
Onel set the bar high, but malware authors love a challenge.
Tennis Star Goes Viral
At the peak of her sports career, tennis star Anna Kournikova achieved super-stardom. Mixed drinks and poker hands were named after her. She had a licensed PlayStation game, released in Japan and Europe. She was so famous that between 2001 and 2003, her name was among the top most-searched terms on Google.
Looking to cash in on that fame, 20-year-old Jan de Wit released the Vbs.OnTheFly worm—known more widely as the "Anna Kournikova virus"—in February of 2001. Like the ILOVEYOU worm, the virus used a .vbs
email attachment—masquerading as a risque photo of the namesake tennis star—to infect the system. Like its predecessor, the worm would send itself to everyone in the user's Outlook address book. Unlike its predecessor, the worm did not cause any damage to systems it infected.
The worm infected millions of systems and caused problems in email servers worldwide. But here's the kicker... de Wit didn't hand-craft OnTheFly. He used a simple online VBS Worm Generator tool, originally created by an Argentinian hacker called [K]Alamar. He created the worm to see whether security had improved in the year following the ILOVEYOU worm. (Clearly it hadn't.) He attributed the worm's success to the world's unhealthy obsession with Kournikova.
Jan served 150 hours of community service.
Worms of Mass Destruction
2001 saw a flood of additional worms:
- Magistr, a sophisticated email worm targeting people in the legal profession.
- Sadmind, which spread by exploiting Sun Solaris and Microsoft IIS.
- Sircam, which spread through Microsoft systems via email and unprotected network shares.
- Code Red, which spread via Microsoft IIS exploits.
- Code Red II, because everybody loves a good sequel.
- Nimda, which spread not only via Windows exploits, but via existing Code Red II and Sadmind infections.
- Klez, which exploited Microsoft Internet Explorer, Outlook, and Outlook Express.
2002 had a nice change of pace, starting with the Simile virus, written in Assembly by "Mental Driller." The virus would lay dormant, activate on a semi-random date, show a "Free Palestine" message, then completely rebuild itself, shuffling around its code prior to infecting random files on the system. This resulted in a constantly-changing viral fingerprint, which made the malware remarkably resilient and difficult to detect.
Following Simile, 2002 brought Beast (yet another RAT), then skipped right back to worms with Mylife, which spread via... can you guess? That's right! A .vbs
email attachment that forwards itself to everyone in the user's Outlook address book.
Nobody said malware authors had to be original.
Worms Without Borders
In 2003, aside from a couple RATs, it was worms all the way down:
- SQL Slammer, spreading via Microsoft SQL Server.
- Blaster, exploiting Windows system services.
- Welchia, which attempts to remove Blaster and patch Windows. (Sounds familiar...)
- Sobig, which spread across Windows systems via email and network shares.
- Swen, daring to think different. (This one is written in C++!)
- Sober, yet another
.vbs
worm. - Agobot, which exploited Windows vulnerabilities.
- Bolgimo, which exploited Windows vulnerabilities.
2004 continued the trend:
- Bagle, MyDoom, Netsky, and Witty all followed closely in their predecessors' footsteps.
- Sasser exploited Windows LSASS (but removed MyDoom and Bagle).
- Caribe broke from the pack, becoming the first worm to infect mobile phones, spreading via Bluetooth.
- Santy became the first-known "webworm," exploiting online forums running phpBB. It used Google to find new targets, and infected around 40,000 sites before Google filtered the malicious search query.
The worms did not stop. Legends say they're still spreading to this very day... (Like RATs, I'll only cover notable worms from here on.)
Corporate Rootkits? In My Home PC?
It's more likely than you'd think! While the swarm of worms continued in 2005, Sony BMG (a now-defunct music-and-entertainment venture) stole the headlines when researchers discovered two subversive rootkits designed to impede digital piracy. The rootkits hid from the system, preventing users from copying CDs, and "phoning home" to report on users' activity. They violated copyrights, installed without user consent, and created vulnerabilities which were exploited by unrelated malware.
To quell the public outrage, Sony BMG released an uninstaller for one of the rootkits—though the uninstaller failed to uninstall the rootkit, and actually introduced more malware and vulnerabilities onto affected systems.
Hoping to smooth things over, Sony BMG paid out a few settlements, recalled 10% of the infected CDs, and pinky-promised they'd never do it again.
How the Mighty Have Fallen
In February of 2006, Mac OS X fans—who, like their Linux counterparts, had long boasted immunity to malware—were dismayed by the news of a trojan (known as OSX/Leap-A
or OSX/Oompa-A
) designed to infect Mac systems. Fortunately, the trojan didn't pose much threat, so they—like their Linux counterparts—continued to boast immunity, despite evidence to the contrary.
Following on its heels, the Stardust Macro Virus (a.k.a. "Starbucks") was the first macro virus for StarOffice and OpenOffice. Proponents of these office suites oft claimed that they were more secure than Microsoft Office, as they didn't employ Microsoft's VBS macro language. The Stardust virus shattered their dreams, proving that nothing is sacred, and no one is safe. (OpenOffice and LibreOffice are still excellent alternatives for those looking to kick their Microsoft habit.)
From Olympus With Love
In 2007, the Zeus banking trojan was unleashed on Windows systems. The malware stole banking information via keystroke logging, and spread to about 3.6 million systems in the U.S. alone. When the malware ring was busted, over 100 people were charged with conspiracy to commit bank fraud and launder money, having stolen approximately US$70 million.
The original author was never caught, and is believed to have retired in 2010.
Infect Your Treasured Memories Today
In 2008, the Mocmex trojan spread via digital photo frames, infecting computers to which the frames were attached. The malware employed complex anti-detection mechanisms and disabled system protections, all so it could steal passwords for online game accounts.
Industry experts called it the "nuclear bomb of malware," proving once again that industry experts have a flair for the dramatic.
Malware for Everyone!
2008 also saw the Bohmini.A RAT, which exploited Adobe Flash—a notoriously-insecure software that just refused to die until Adobe finally killed it in 2021.
In July, the Koobface worm spread across users of Facebook and Myspace, as well as other social networks, infecting Windows, Mac OS X and Linux indiscriminately. Much to the chagrin of its designers, Koobface's notoriety was soon overshadowed by that of Conficker, a worm that infected up to 15 million systems, including numerous government, military, police and hospital networks. Four of Conficker's creators were arrested, but only one served time, spending four years in prison.
Tracking Trends
Malware, as with everything, is subject to trends. For each new strain that breaks the mold, a dozen copy-cats will spring up in its wake. Malware authors are pragmatic. "If it ain't broke, don't fix it." An entire decade of email worms propagated via .vbs
email attachments, preying on gullible users. Microsoft failed to prevent these attacks, so they just kept coming. There may have been a few creative malware authors out there, but the vast majority just copied each other's work, making only minor tweaks to existing code.
The same is true today. The "malware du jour" may have shifted from RATs to worms to ransomware, but everyone's still playing "follow the leader," parroting popular paradigms in malware design. Every time a new 0-day drops, malware authors race to exploit it for as long as possible, while software developers struggle to patch their software. Once the bug is patched, malware authors bide their time awaiting the next big 0-day, when they can do it all again. In fact, so many attackers employ similar tactics that in 2013, MITRE created the ATT&CK framework to document them all.
Naturally, the ATT&CK framework is an excellent resource for aspiring pentesters and malware authors/analysts, providing excellent documentation of common Tactics, Techniques and Procedures (TTPs). If you haven't yet, you should check it out. It's not as deep a rabbit-hole as TVTropes, the "all-devouring pop-culture wiki," but you could still get lost for hours, exploring all the data on MITRE's site.
(No, I'm not sponsored by MITRE. Though I wouldn't turn down their money... 👀)