As security firm Fortinet celebrates 10 years in business, Fortiguard Labs took a look at the 10 most intriguing threats during the past decade and showed how their feature sets have evolved, Darwin-like, over time.
2000: I LOVE YOU worm
This was an effective mass-mailing worm that attacked tens of millions of Windows computers. The email arrived with “I Love You” in the subject line and contained the malicious attachment “Love-Letter-For You.txt.vbs.”
The visual basic script (.vbs) was a hidden extension by default, so users wouldn’t necessarily know they were executing a script (they would just see a text file attachment) – and that’s what was used to spread itself.
When a user opened the attachment, the worm quickly sent copies of itself (using the sender’s email address) to everyone found in the Windows Address Book and also damaged the user’s system. Today, thanks to application awareness, users receive an on-screen warning when such scripts are executed, making Visual Basic worms like these difficult to spread.
Evolution: Netsky burst onto scene in 2004. Like the I LOVE YOU worm, Netsky spread when users clicked on an infected email attachment. The worm then made its way to an individual’s address book and proceeded to send itself out to all addresses it found.
Today, the Pushdo/Cutwail spam botnet (circa 2007) defines what modern mass-mailing worms are all about. These botnets are template-based and do not contain hardcoded emailing routines. Template-based botnets receive new templates with variables to change up email content, rather than having the same email format/campaign that is hardcoded within them sent out.
2001: Code Red worm
The Code Red worm hit web servers by propagating through Windows IIS servers, thanks to a buffer overflow vulnerability.
From there, the malicious code would deface that website in question and scan for more systems to exploit.
Evolution: SQL Slammer hit servers in 2003, slowing the internet down globally and causing denial-of-service (DoS) disruptions.
In South Korea, the worm caused internet services to shut down for a number of hours. Like the Code Red worm, Slammer exploited a weakness in Microsoft’s SQL Server’s buffer overflow. Slammer, tiny in size, could fit in a single UDP packet, which increased its effectiveness and firing rate.
2002: Beast trojan/remote administration tool (RAT)
Beast was originally built to be a remote administration tool (RAT).
While this type of tool is in wide use today for technical support situations, hackers used the code to simply take over and have complete control over a user’s computer. Beast was one of the first pieces of malware to incorporate features found in modern-day trojans, such as code injection, reverse connections, fake error messages and offline key loggers.
There are many RATS still in existence today.
Evolution: In 2008, Gh0st RAT surfaced as a cyberspying computer program and primarily targeted government entities. Like Beast, Gh0st was a RAT that gave hackers complete, real-time control over a user’s system. If an infected computer had a video camera and/or microphone attached to it, Gh0st could turn those peripherals on remotely and then surreptitiously record (and transmit back to base) everything that was going on in the room.
2003: Blaster worm
The Blaster worm was created by Xfocus, a Chinese collective who reverse engineered a Microsoft patch intended to thwart such attacks.
Like the Code Red and SQL Slammer worms, Blaster spread through a buffer overflow vulnerability found in the Microsoft remote procedure call (RPC) distributed component object model (DCOM) service.
Unlike those earlier worms, Blaster was engineered to spread without a user having to open an infected email attachment. It simply attacked large numbers of random IP addresses.
Evolution: In 2008/2009, the Conficker worm, like Blaster, wreaked havoc by using a similar vulnerability found in the Microsoft RPC DCOM service.
But, unlike Blaster, Conficker was more evolved. It was a full-fledged botnet that could communicate through a domain generation algorithm and encrypted peer-to-peer traffic. Even more nefarious, it is believed the malware’s creator(s) are actually tracking ongoing anti-malware efforts and releasing new patches to close the worm’s own vulnerabilities.
2004: Vundo trojan
Vundo was a pesky Windows pop-up-generating trojan that filled a user’s screen with unwanted advertisements and filled its creator’s pockets with cash.
In addition, Vundo could adversely affect a PC’s performance and could be used to send out DoS attacks to Google and Facebook.
Adware and fake anti-virus are probably the most prevalent software installed today by trojans like Vundo, due to the high profit opportunities from affiliate programs.
Evolution: Bredolab (circa 2009), much like Vundo, was a malware loader that focused on loading modern, fake anti-virus software, but it was also used to download keyloggers, adware and other malware.
By 2010, Bredolab evolved to incorporate ransomware variants, which were capable of holding a user’s system and their data/applications hostage.
Oftentimes, the “ransom” would come in the form of a software download to “fix” the corrupted files. Unfortunately, more times than not, the download never fixed the problem and the user would be out the cash.
2005: Samy XSS Worm
The Samy worm targeted MySpace users and successfully infected more than one million people in 20 hours through a cross-site scripting (XSS) hole that existed in the site before MySpace disabled the worm.
Evolution: Throughout 2009 and 2010, multiple XSS worms have hit Twitter and other social networking sites, such as Orkut, through similar XSS holes. These holes exist because of programming errors.
And as long as programming errors occur, so will attacks on those on those sites. XSS vulnerabilities are nothing new, yet continue to remain one of the most prevalent web threats to date. The Open Web Application Security Project (OWASP) lists XSS attacks as the second highest application security risk in 2010.
At its peak, new Stration variants were being produced every 30 minutes. By the end of 2006, Stration accounted for one-third of all malware infections.
This variant technique has since been widely adopted by modern malware creators and is the main reason we see so much volume today compared to the beginning of the decade.
Evolution: Most ransomware and fake anti-virus software produced today now use server-side polymorphism to evade detection. These programs are specifically designed to scam users and create revenue.
At its peak, the Storm botnet was reportedly running on one-million-plus computers and accounted for eight percent of all malware running on Windows systems.
What makes this malware intriguing is that no one seems to know who created it. What’s more, this particular botnet displays defensive behaviors, meaning its creators built in code to thwart ways to track and disable it.
Storm was also one of first botnets to operate on fast-flux hosting, which is the process of hosting servers that are constantly changing their domain name system (DNS) addresses, thus making them incredibly difficult to track.
Evolution: Waledac (circa 2009) was comparable to Storm, considering the fact that it used peer-to-peer and fast-flux hosting.
Waledac, which at its peak was capable of sending more than 1.5 billion spam emails a day through 70,000+-infected computers, built on Storm’s model by adding layered encryption and advanced packers. For example, Waledac will BZIP compress, AES encrypt, and Base64 encode XML content that is sent to command-and-control over its peer-to-peer network.
Koobface (an anagram for Facebook) was the first prevalent virus that targeted and spread through social networking accounts including Facebook, MySpace, hi5, Bebo and Friendster.
It achieved this by sending a link to all of a user’s “friends,” directing them to download an update to their Adobe Flash player. Once a user did that, Koobface could commandeer the user’s computer and direct it to additional contaminated websites.
What’s worse, Koobface also contained a DNS filter program, which blocked access to security websites, and a proxy tool, which allowed an attacker to further damage a user’s computer.
Evolution: Webwail is an engine that was discovered by FortiGuard Labs in 2009.
Like Koobface, it uses websites to spread, primarily through webmail such as Gmail and Hotmail.
Koobface needed to crack CAPTCHAs, which are lightweight interactive applications used in computing to ensure that a response is not generated by a computer, and did so by sending a pop-up box to the infected user where he or she would need to enter the code.
By doing so, Koobface was able to solve the CAPTCHA that a social network would request, and proceed with spamming.
Webwail upped the ante here by using CAPTCHA breaking services – using a network of data-entering humans to do the dirty work. By doing so, Webwail could crack CAPTCHAs in less than 30 seconds and send spam through both automatically created and compromised webmail accounts.
Dozor was a distributed denial-of-service (DDoS) botnet that was spread through the Pushdo botnet.
Its payload primarily targeted public-sector services and was thought to be intended for cyberwarfare. Though there had been cases of such cyberwarfare attacks in the past, by using a high-powered botnet like Pushdo, Dozor was able to spread very quickly in high volume, making its DDoS engine all the more powerful.
Evolution: Dozor employed a DDoS attack strategy, taking down public service websites, such as financial institutions.
While this indeed has damaging effects, Stuxnet kicked this up a notch by targeting industrial control systems. Think of it this way: What would have more impact?
A) A malfunctioning nuclear power plant
B) A bank site taken offline for a day
Stuxnet is quite a devious framework, as it presents a certain level of multiplicity.
More specifically, it consists of an “exploit” part, a “rootkit” part, involves specific infection vectors, targets a specific class of victims and has unusual characteristics (such as software certificates that seem to have been stolen from a well-known hardware producer).
In addition, it was the first worm observed to contain a PLC programmable logic control) rootkit and was specifically designed to spy on and reprogram industrial systems responsible for critical industrial infrastructure.
Foreshadowing the next decade: Since 2009, we have seen more threats arising that target different platforms, such as SymbianOS, Blackberry, Android and Simatic WinCC/STEP 7.
Early in the decade, threat developers were focused on creating frameworks and malware that we see in today’s modern botnets that primarily operate on Microsoft Windows systems. While some developers will continue to stay on the Windows platform over the next few years, expect to see a growing demand for malicious code on emerging platforms, such as those used by smartphone manufacturers and cloud computing providers.