The most recent cyberattacks were laid against the Canadian government by Chinese hackers, who penetrated the computer systems of two key agencies, the Finance Department and the Treasury Board, forcing them offline. With advances in network collaboration tools, from email to SharePoint 2010, there is incredible potential for sharing and collaborating on ideas and information. Unfortunately, malware can spread just as easily.
As computers have evolved, so have the attacks against them. Before the Internet became so widely accessible, viruses spread mainly through floppy disks and other removable media. The following article explores some of the most notorious email hacks and viruses from the past to the present.
Name: Creeper
Users affected: DEC PDP-10 computers running the TENEX operating system.
Infection and spread: Using the TENEX operating system and ARPANET, a self-replicating program spread between DEC PDP-10 systems, displaying the message “I’M THE CREEPER CATCH ME IF YOU CAN”.
Hacker Motivation: (Experiment) Not intended to be malicious, the program was designed by BBN Technologies engineer Bob Thomas to demonstrate how a program could infiltrate, and be replicated throughout, a localized computer network.
Damage caused: (Minor) Some sources claim the Creeper replicated so many times, that it crowded out other programs, but the extent of the damage is unspecified.
Aftermath: The “Reaper” was created to fight the Creeper. It was the first piece of anti-virus software, also a self-replicating program that spread through the system, removing the offending virus from infected computers.
Name: Elk Cloner
Type: Boot sector
Users affected: Apple DOS 3.3 computers
Infection and spread: Spread “in the wild” via floppy disk. Once an infected disk was booted, the virus loaded into the memory and infected the boot sector. Elk Cloner would be copied to the disk, allowing it to spread from disk to disk.
Hacker Motivation: (Practical joke) Authored by Rich Skrenta, a ninth-grade student who wanted to play a joke on his schoolmates. An infected computer would display a short poem on every 50th boot.
Damage caused: (Minor) Infected all the computers used by Skrenta and his friends, even some used by the staff at his school.
Aftermath: Skrenta wrote countless other computer programs and also started the online news business Topix. But, he is still remembered most for unleashing the “Elk Cloner” virus on the world.
Name: Brain
Type: Boot sector
Users affected: Computers running Microsoft Corp.’s operating system (it only infected 360 KB floppy disks)
Infection and spread: The boot sector virus filled unused space on the floppy disk so that the space could not be used.
Hacker Motivation: (Publicity) Two young programmers from Pakistan wrote the boot sector program, targeting people who spread pirated software. A form of advertising for the company, it displayed the phone number of the brothers’ computer shop for repairs.
Damage caused: (Minor) Brain was fairly benign and, because it was largely non-destructive, went undetected for a long time. Most users at the time paid little attention to the slow speed of floppy disk access.
Aftermath: Other viruses soon followed Brain. Among them were Alameda, Cascade, Jerusalem, and Lehigh. These viruses were able to infect .COM and .EXE files.
Name: Morris worm
Users affected: Infected an estimated 6,000 university and military computers connected over the Internet. Became one of the first worms to spread extensively “in the wild”, and one of the first well-known programs exploiting buffer overrun vulnerabilities.
Infection and spread: Exploited known vulnerabilities in Unix sendmail, finger, rsh/rexec, and weak passwords. An unintended consequence of the code was that a computer could be infected multiple times, and each additional process would slow the machine, eventually making it unusable.
Hacker Motivation: (Experiment) The Morris worm was written by Cornell University graduate student Robert Tappan Morris. He claims it was not written to cause damage but to gauge the size of the Internet.
Damage caused: (Medium-Major) The U.S. Court of Appeals estimated the cost of removing the worm from each installation was in the range of $200 to $53,000. The U.S. General Accounting Office estimated that damages may have cost as much as $10 million. Harvard spokesman Clifford Stoll estimated the total economic impact was between $100,000 and $10,000,000. There were an estimated 60,000 computers attached to the Internet at the time, and the worm might have infected about 10 percent of them.
Aftermath: Robert Morris was tried and convicted of violating the 1986 Computer Fraud and Abuse Act. After appeals he was sentenced to three years probation, 400 hours of community service, and a fine of $10,000.
Name: Michelangelo
Type: Boot sector
Users affected: PCs running MS-DOS versions 2.xx and higher.
Infection and spread: Michelangelo was a variant of the already endemic Stoned virus. It remains dormant until a system is booted on March 6 of any year, (the birthday of Renaissance artist Michelangelo). The virus overwrites parts of the hard disk with random data. This renders the hard disk of the system, and all of its information, inaccessible.
Hacker motivation: (Unspecified) Michelangelo was first recognized by the media when Leading Edge shipped 500 PCs infected with the virus in January 1992.
Damage caused: (Medium-Major) Millions of dollars were spent by companies, institutions, and government agencies to prepare for the digital apocalypse expected from the Michelangelo virus. The virus affected 20,000 systems, though media estimates claimed as many as 5 million computers could be hit.
Aftermath: People bought and installed anti-virus software in droves. Critics pointed out that the people making the huge claims stood to profit, because they were also selling anti-virus programs.
Name: Concept
Users affected: Microsoft Word systems
Infection and spread: Infected document files. The macro in an infected document copied the virus to the master template on the system, and from then on every Microsoft Word document passing through the word processor carried along an infected template. Concept’s payload displayed the virus author’s message: “That’s enough to prove my point”.
Hacker Motivation: (Proving a point) Concept was the first macro virus reported in the wild, documented by AV researcher Sarah Gordon.
Aftermath: Macro viruses became the dominant type of virus.
Name: Melissa
Type: Mass-mailing macro virus
Users affected: Microsoft Word 97 and Word 2000, Microsoft Excel 97, 2000 and 2003. Can mass-mail itself from the e-mail clients Microsoft Outlook 97 or Outlook 98.
Infection and spread: When a Word document containing the virus was downloaded and opened, the macro in the document ran and attempted to mass-mail itself to the first 50 entries in the user’s address book. Appearing as an important message from a colleague or friend, it read: “Here is that document you asked for … don’t show anyone else;-).”
Hacker Motivation: (Love) David Smith, 34, developed the Melissa virus and named it after a Florida stripper he knew.
Damage Caused: (Major) Caused more than $80 million in damage, infected more than 1 million personal computers in North America and flooded corporate networks with e-mail messages, forcing some companies, including Intel Corp. and Microsoft Corp., to shut down their e-mail systems.
Aftermath: Network Associates and other anti-virus and computer security companies issued warnings and supplied fixes to counteract Melissa. Smith was sentenced to 20 months in prison and ordered to pay $5,000 in fines. Prosecutors suggested a lesser term because he had assisted the authorities in thwarting other viruses.
Name: ILOVEYOU, a.k.a. the Love Bug
Users affected: Computers running the Microsoft Windows operating system
Infection and spread: The worm appeared in email inboxes, posing as a contact, with the message “ILOVEYOU” in the subject line. Once the attachment was opened, the worm sent a copy of itself to everyone in the person’s Windows Address Book. It also made a number of malicious changes to the user’s system.
Hacker Motivation: (Revenge) Two young Filipino computer programming students, Reomel Ramones and Onel de Guzman, created the virus. De Guzman was already familiar with computer viruses. He had proposed to create one for his undergraduate thesis, which was not accepted, forcing him to drop out.
Damage Caused: (Major) Infected over 50 million computers in 9 days. It caused the CIA, Pentagon and British Parliament to shut down their systems.
Aftermath: Caused upwards of $5.5 billion to $10 billion in damage. Since there were no laws in the Philippines against writing malware at the time, both Ramones and de Guzman were released, with all charges dropped by state prosecutors. The Philippine Congress enacted Republic Act No. 8792, otherwise known as the E-Commerce Law, in response to this event.
Name: Code Red
Type: Server Jamming Worm
Users affected: computers running Microsoft’s IIS web server
Infection and spread: The worm exploited a vulnerability in the indexing software distributed with IIS and spread itself using a buffer overflow: a request carrying a long string of the repeated character ‘N’ gave the server more data than its buffer could hold, so the excess overwrote adjacent memory. It defaced web sites with the text, “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!”
Hacker Motivation: (Unspecified) eEye believed that the worm originated in Makati City, Philippines (the same origin as the ILOVEYOU worm).
Damage Caused: (Major) Released on July 13, 2001; by July 19, the number of infected hosts had reached 359,000. Launched DoS attacks on several fixed IP addresses, including the White House web server. Total damage was estimated at $2.6 billion.
Aftermath: Code Red II was released two weeks after Code Red.
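The overflow described above leaves a very visible trace in the web server's own logs: a request to the indexing extension whose query string is an unusually long run of a single character. The following is an added example, not code from the original article or from any vendor, of a log scanner that flags such requests. It generalizes from the article's 'N' padding to a long run of any one character (Code Red II used a different padding character), and the log line format, the `.ida`/`.idq` stem check, the 100-byte run threshold and the sample log lines are all this example's own assumptions and constructed data.

```python
import re
from itertools import groupby

# Constructed IIS-style log lines (W3C fields: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status). Sample data only, not real traffic.
SAMPLE_LOG = "\n".join([
    "2001-07-19 10:00:01 192.0.2.10 GET /index.html - 200",
    "2001-07-19 10:00:02 192.0.2.11 GET /default.ida " + "N" * 224 + "=X 200",
    "2001-07-19 10:00:03 192.0.2.12 GET /search.asp q=hello+world 200",
    "2001-07-19 10:00:04 192.0.2.13 GET /default.ida " + "X" * 224 + "=N 200",
    "2001-07-19 10:00:05 192.0.2.14 GET /default.ida - 404",
])

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)$"
)

# Assumption: no legitimate query string on this server repeats one
# character this many times in a row.
MAX_RUN = 100


def longest_run(s):
    """Return (character, length) of the longest run of one character in s."""
    best = ("", 0)
    for ch, grp in groupby(s):
        n = sum(1 for _ in grp)
        if n > best[1]:
            best = (ch, n)
    return best


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_request(rec):
    """Return the list of reasons a parsed request looks like overflow padding."""
    reasons = []
    ch, n = longest_run(rec["query"])
    if n >= MAX_RUN:
        reasons.append(f"{n}-byte run of '{ch}' in query string")
    # The Index Server ISAPI extension is the component the article names;
    # any request that hands it a query string deserves a look.
    if rec["stem"].lower().endswith((".ida", ".idq")) and rec["query"] != "-":
        reasons.append("query string sent to the indexing extension")
    return reasons


def scan_log(text):
    """Return [(client ip, stem, reasons)] for every suspicious request."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = flag_request(rec)
        if reasons:
            hits.append((rec["ip"], rec["stem"], reasons))
    return hits


if __name__ == "__main__":
    for ip, stem, reasons in scan_log(SAMPLE_LOG):
        print(ip, stem, "; ".join(reasons))
```

Run against the constructed log, the two padded requests are reported and the ordinary `index.html`, `search.asp` and query-less `default.ida` lines are not. The single-character-run check is deliberately independent of which character is used, so the same rule covers both the original worm and the variant.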
And when I think of you Nimda, I hope you f-ing choke!
Name: Nimda
Type: Multiple (worm/file infector)
Users affected: Windows 95-XP
Infection and spread: Used five different infection vectors to spread: via email, open network shares, browsing compromised websites, exploiting various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities, and back doors left behind by the “Code Red II” and “sadmind/IIS” worms.
Hacker Motivation: (Malicious) BKIS, a Vietnamese security firm, said the Nimda virus contained text indicating that it may have originated from China.
Damage Caused: (Major) Became the Internet’s most widespread virus/worm within 22 minutes. Nimda cost an estimated $635 million in damage.
Aftermath: Microsoft put up a $250,000 reward for any information leading to an arrest related to the case. Authorities never identified who was responsible for creating the virus.
Name: SQL Slammer
Users affected: Microsoft SQL Server Desktop Engine (MSDE)
Infection and spread: Exploited a buffer overflow bug in Microsoft’s flagship SQL Server and Desktop Engine database products.
Hacker motivation: (Malicious) Slammer was first brought to the attention of the public by Michael Bacarella, who posted a message to the Bugtraq security mailing list entitled “MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!”
Damage Caused: (Major) An estimated 150,000 to 200,000 systems were affected. Caused major denials of service and slowed down the entire Internet. Three hundred thousand cable modems in Portugal went dark, no cell phone or Internet service for 27 million people in South Korea. Continental Airlines was unable to process tickets, canceled flights. Large financial institutions’ ATMs were unavailable. Estimates of cost ranged between $750 million and $1.2 billion.
Aftermath: Slammer exposed previously unknown interdependencies between the Internet and systems that were thought to be separate from it. It brought sweeping changes to improve the security of Microsoft products.
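The “block port 1434” advice in the Bugtraq post above is the perimeter half of the response; the other half is noticing an infected host inside the network, which betrays itself by contacting a large number of distinct addresses on that port in a short time. The following is an added example, not code from the article or any product, of a fan-out detector over flow records. It relies on the fact that Slammer's traffic was UDP to port 1434; the flow record layout, the 20-destination threshold, the 60-second window and the sample flows are this example's own assumptions and constructed data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed layout; real exporters differ)."""
    ts: float      # seconds since epoch
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int
    nbytes: int


# Constructed sample: 10.0.0.5 sends one small UDP/1434 datagram to each of
# 40 different hosts within half a second; two other hosts behave normally.
SAMPLE_FLOWS = [
    Flow(1000.0 + i * 0.01, "10.0.0.5", f"198.51.100.{i}", "udp", 1434, 404)
    for i in range(1, 41)
] + [
    Flow(1000.5, "10.0.0.7", "10.0.0.2", "tcp", 1433, 5120),   # ordinary SQL client
    Flow(1000.6, "10.0.0.8", "192.0.2.53", "udp", 53, 80),      # DNS lookup
    Flow(1000.7, "10.0.0.9", "10.0.0.2", "udp", 1434, 404),     # one legitimate probe
]

# Assumptions: a real client asks one or two servers on this port, never
# dozens, and a minute is long enough to catch a scanning host.
FANOUT_THRESHOLD = 20
WINDOW_SECONDS = 60.0


def fanout_alerts(flows, proto="udp", dport=1434,
                  threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: peak number of distinct dst within any window} for
    sources whose fan-out on proto/dport reaches the threshold."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == proto and f.dport == dport:
            by_src[f.src].append(f)

    alerts = {}
    for src, fl in by_src.items():
        start = 0
        for end in range(len(fl)):
            # Slide the window start forward until it covers at most `window` seconds.
            while fl[end].ts - fl[start].ts > window:
                start += 1
            distinct = {x.dst for x in fl[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def perimeter_verdict(flow, internal_prefix="10.", proto="udp", dport=1434):
    """Drop proto/dport traffic crossing the network boundary; allow the rest.
    The internal prefix is a constructed placeholder for a site's own ranges."""
    crosses = flow.src.startswith(internal_prefix) != flow.dst.startswith(internal_prefix)
    if crosses and flow.proto == proto and flow.dport == dport:
        return "drop"
    return "allow"


if __name__ == "__main__":
    print("fan-out alerts:", fanout_alerts(SAMPLE_FLOWS))
    for f in SAMPLE_FLOWS[:1] + SAMPLE_FLOWS[-3:]:
        print(f.src, "->", f.dst, f.proto, f.dport, perimeter_verdict(f))
```

On the constructed data only 10.0.0.5 is reported, with a peak fan-out of 40; the single internal probe from 10.0.0.9 stays under the threshold, and the perimeter rule drops the scanning host's outbound datagrams while leaving the internal SQL traffic alone.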
Name: MS Blaster
Users affected: Various Windows operating systems
Infection and spread: Targeted Microsoft’s windowsupdate.com site with DoS attacks. Infected vulnerable Windows PCs, causing them to repeatedly crash as soon as they connected to a network. The worm attempted to download malicious code and run it, but had no mass-mailing functionality.
Hacker motivation: (Attack against Microsoft) The original Blaster was created after a Chinese hacking collective called Xfocus reverse engineered the Microsoft patch for the flaw, which revealed how the attack could be carried out. One of the messages left behind by the worm was directed at Bill Gates, telling him to stop profiting from his flawed software.
Damage caused: (Major) Cost an estimated $320 million in damage. Victims included the Federal Reserve Bank of Atlanta, BMW AG, Philadelphia’s City Hall, and thousands of home and corporate users.
Aftermath: Despite cleanup efforts, and an anti-worm aimed at patching systems, the worm remained very much alive. Jeffrey Lee Parson, an 18-year-old from Hopkins, Minnesota created a B variant of the Blaster worm. He was arrested and sentenced to an 18-month prison term in January 2005.
Name: MyDoom
Users affected: Microsoft Windows
Infection and spread: Transmitted mainly via e-mail, it appeared as a transmission error, with subject lines including “Error”, “Mail Delivery System”, “Test” or “Mail Transaction Failed”. If the attachment was opened, it would resend the worm to e-mail addresses found in local files, such as a user’s address book. It could also copy itself to the “shared folder” of peer-to-peer file-sharing application like KaZaA. It became the fastest-spreading e-mail worm ever.
Hacker motivation: (Organized crime) Law enforcement agents investigating the virus attributed the virus to organized online crime gangs.
Damage caused: (Major) CNN estimated that, due to loss of productivity and costs of tech support, the damage was $250 million, though the mi2g consultancy firm estimated losses caused by the virus at $38.5 billion. At one point, 25 percent of emails in circulation had been infected by MyDoom.
Aftermath: Mydoom resurfaces in the July 2009 cyber attacks affecting South Korea and the United States.
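Melissa, ILOVEYOU and MyDoom all rely on the same two ingredients: a lure in the subject or body that the article quotes, and an attachment that runs code when opened. The following is an added example, not code from the article or from any mail product, of a gateway-style scorer that combines those two signals over a handful of constructed messages. The lure strings come from the article's own descriptions of the three worms; the list of risky attachment types, the scoring weights, the double-extension check and every sample message (including the attachment names) are this example's own assumptions and constructed data.

```python
import os
from dataclasses import dataclass, field

# Subject and body lures quoted in the article, mapped to the worm family.
SUBJECT_LURES = {
    "iloveyou": "ILOVEYOU",
    "error": "MyDoom",
    "mail delivery system": "MyDoom",
    "test": "MyDoom",
    "mail transaction failed": "MyDoom",
}
BODY_LURES = {
    "here is that document you asked for": "Melissa",
}
# Attachment types that run code (or macros) when opened. Treating them as
# risky is this example's assumption about gateway policy.
RISKY_EXT = {".doc", ".xls", ".vbs", ".exe", ".scr", ".pif", ".bat", ".com"}


@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def attachment_findings(names):
    """Return a reason per risky attachment, plus one more for a disguised
    double extension such as 'letter.txt.vbs'."""
    findings = []
    for name in names:
        root, ext = os.path.splitext(name.lower())
        if ext in RISKY_EXT:
            findings.append(f"executable-type attachment {name}")
            if os.path.splitext(root)[1]:
                findings.append(f"double extension on {name}")
    return findings


def score_message(msg):
    """Return (score, reasons). Each lure and each attachment finding adds 2."""
    score, reasons = 0, []
    family = SUBJECT_LURES.get(msg.subject.strip().lower())
    if family:
        score += 2
        reasons.append(f"subject matches {family} lure")
    body = msg.body.lower()
    for phrase, family in BODY_LURES.items():
        if phrase in body:
            score += 2
            reasons.append(f"body matches {family} lure")
    findings = attachment_findings(msg.attachments)
    score += 2 * len(findings)
    reasons.extend(findings)
    return score, reasons


def verdict(msg, quarantine_at=4):
    """A lure on its own or a risky attachment on its own is only flagged;
    the two together (the mass-mailer pattern) is quarantined."""
    score, _ = score_message(msg)
    if score >= quarantine_at:
        return "quarantine"
    return "flag" if score > 0 else "deliver"


# Constructed sample messages; attachment names are invented for the example.
MELISSA = Message("Important message",
                  "Here is that document you asked for ... don't show anyone else ;-)",
                  ["list.doc"])
LOVEBUG = Message("ILOVEYOU", "kindly check the attached letter.", ["letter.txt.vbs"])
MYDOOM = Message("Mail Transaction Failed",
                 "The message could not be delivered; see the attached report.",
                 ["report.scr"])
BUDGET = Message("Q3 budget", "Draft attached, comments welcome.", ["budget.doc"])
LUNCH = Message("Lunch?", "Noon at the usual place?")
BOUNCE = Message("Test", "Checking that mail works after the migration.")

if __name__ == "__main__":
    for m in (MELISSA, LOVEBUG, MYDOOM, BUDGET, LUNCH, BOUNCE):
        score, reasons = score_message(m)
        print(f"{verdict(m):10} {score} {m.subject!r}: {'; '.join(reasons) or '-'}")
```

A real gateway would of course add sender reputation, attachment content inspection and rate limits on outbound mail (the address-book fan-out is the other half of every worm here), but the point of the example is the combination: a lone word-processor attachment or a lone “Test” subject is ordinary mail, and it is the lure plus the executable attachment that marks the mass-mailer.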
Name: Sasser
Users affected: Microsoft operating systems Windows XP and Windows 2000.
Infection and spread: Exploited a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service).
Hacker Motivation: (Fame) Authored by 18-year-old German computer science student Sven Jaschan. He said he really wanted to develop an antidote to the virus and didn’t mean to cause any damage.
Damage caused: (Major) An estimated $500 million worth of damage was caused by the virus. It attacked tens of millions of PCs across the world. The virus caused the satellite communications of the news agency Agence France-Presse to cease and disabled the computer systems of the U.S. airline Delta Air Lines (which then had to cancel a number of trans-Atlantic flights). The British coastguard and a Finnish bank were among other big organisations affected.
Aftermath: Jaschan was found guilty of computer sabotage and illegally altering data. On Friday, 8 July 2005, he received a 21 month suspended sentence.
Name: Storm Botnet Worm
Type: Trojan horse
Users affected: Microsoft Windows computers
Infection and spread: A Trojan horse spread through e-mail spam. It gathered infected computers into the Storm botnet, a remotely controlled network of hijacked computers. As of 2007, the botnet was considered powerful enough to force entire countries off the Internet, and was believed to be capable of executing more instructions per second than some of the world’s top supercomputers.
Hacker Motivation: (Organized crime) Thought to have originated in Russia, the Storm botnet has been used in a variety of criminal activities.
Damage caused: (Major) The Storm worm accounted for 8 percent of all malware on Microsoft Windows computers as of 2007. It had infected between 1 and 10 million computers between June and September.
Aftermath: The Storm Worm is constantly being updated by its authors to evade antivirus detection.
Name: July 2009 cyber attacks
Infection and spread: Malicious code tries to locate files with any of more than 30 different extensions, such as .doc, .pdf, and .xls, copies the data to an encrypted file that’s inaccessible to the user, and then overwrites the data in the original files.
Hacker Motivation: (Malicious) South Korea’s spy agency, the National Intelligence Service, stated the origin of the attacks were from North Korea’s telecommunications ministry.
Damage caused: (Major) Three waves of attacks were made; targeted websites included the White House and the Pentagon, South Korea’s presidential Blue House, the Ministry of Defense, the Ministry of Public Administration and Security, the National Intelligence Service and the National Assembly, as well as one of the country’s largest banks and a major news agency.
Aftermath: Security experts said that the attack re-used code from the Mydoom worm. The virus had minor technological effects, but major implications for long-term foreign policy and economics.
In early 2010, Microsoft announced that there was a Blue Screen of Death (BSoD) problem on some computers with a Windows based OS. Also, in January 2010, Google fell victim to attacks by China-based cyber spies who hacked into the Gmail accounts of Chinese human rights activists in China as well as the US and Europe. Google supposed the computers became infected when users clicked on links in their emails or malicious documents attached to them.
By the end of 1990, about 200 viruses had been identified. Today, that number has jumped to well over 70,000 with more to come… (Insert bad guy laugh.)