Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Timeline: A Decade of Malware

An evolution from script kiddies to syndicates

With first decade of the millennium coming to a close this year, it seems a good time to take a look back at some of the malware that has helped shape the current-day attacks on the Web. Modern malware is commercially motivated. Instead of writing malware for ego gratification, today's attackers are using malware to make money.

Looking back at the most notable malware of the last ten years, we begin to see how the industry has taken shape. From pesky spam pranks to a multi-million dollar 'black hat' industry, malware continues to evolve at a rapid pace, with no signs of slowing.

1. 2001: Loveletter steals free Internet access Modern malware is commercially motivated. Instead of writing malware for ego gratification, today's attackers are using malware to make money. In hindsight, the May 2000 Loveletter worm was a harbinger of things to come. The Loveletter worm combined social engineering (love letter for you) with a password-stealing trojan designed to harvest ISP usernames and passwords. The intent: to provide free Internet access to the worm's author (Read about current social engineering tactics in CSO's social engineering guide).

2. 2002: JS/Exception bombs usher in malicious marketing In mid-September 2001, the Nimda worm began its rapid spread around the globe, facilitated by multiple means of propagation. One of the methods included modifying any .htm, .html, or .asp pages found on infected systems. The worm also spread by exploiting several vulnerabilities in Microsoft IIS, furthering the worm's ability to infect Web pages. As such, Nimda can be viewed as a pioneer in malware's eventual move to the Web.

3. 2003: Sobig worm popularizes spam proxy trojans January 2003 ushered in the Sobig worm, a significant threat not fully appreciated until Sobig.E and Sobig.F appeared in the summer of that same year. Sobig-infected computers were outfitted with a spam proxy, enabling mass-mailers to send large volumes of unwanted email via victim computers; even harvesting the victims own email contacts to add to the spammers' mailing lists.

4. 2004: Bagle worm vies for dominance to harvest addresses and account information The monetary gains to be had from harvesting email addresses became even more apparent during the subsequent email worm wars in early 2004. Beginning with MyDoom and the Bagle worm, an interloper (Netsky) quickly jumped into the fray. The authors of Bagle then began coding variants of their worm that, in addition to dropping their own malware, would also remove Netsky. In turn, the Netsky author began neutering the MyDoom/Bagle infections while adding his own malicious code to the system. This prompted a response from the Bagle authors; hidden in Bagle.K's code was the message, "Hey Netsky, f*ck off you b*tch, don't ruine our business, wanna start a war?"

5. 2005: Bot-delivering breaking news alerts Following the worm wars, named threats became fewer as attacks became more overtly criminal and profit motivated. To bypass technology, clever attackers began incorporating a much higher degree of social engineering in their attacks. In January 2005, following the previous month's tsunami in the Indian ocean, scammers began targeting people's fear and curiosity through breaking news alerts. Links in the email that claimed to point to headline news actually pointed to malicious malware that turned victim computers into bots (Read about how botnets are hunted and destroyed in The Botnet Hunters).

6. 2006: The as-yet-unnamed Storm worm emerges By 2006, the Storm botnet was formally underway, though not named as such until January 2007, after a bogus breaking news alert claimed "230 dead as storm batters Europe." Coincidental to the alert, a very real storm in Europe did cause loss of life, thus earning the trojan family (and its associated botnet) its new name, Storm (Also see: How a Botnet Gets its Name).

7. 2007: MPack publicity popularizes exploit frameworks In 2007, publicity around MPack led to heightened adoption of exploit frameworks in general, laying the groundwork for managed Web attacks. The release of free or low cost SQL injection tools in the Fall of 2007.

8. 2008: Goolag and automated injection attacks complete cloud-based malware-as-a-service In 2008, remote discovery tools such as Goolag further cemented cloud-based malware delivery via the Web. These attacks quickly proved profitable and shifted the value proposition from spam and malicious marketing to stolen FTP credentials and intellectual/financial property theft. Cloud-based distribution of malware also increased the sophistication of malware creation kits, thus doubling the volume of malware with exponential year-over-year increases

9. 2009: Gumblar incorporates and expands a decade's evolution of malware The 2009 Gumblar attacks can be viewed as the culmination of a decade's evolution of criminal/profit-motivated malware. Gumblar creates two sets of botnets: client-side traditional backdoors and a second, never before seen botnet compromised of thousands of backdoored websites. Gumblar includes a forced redirect revenue stream for the Gumblar creators thus providing instant monetization, as well as long term potential profits via its ability to intercept, tamper with and steal Internet and network communications. Gumblar also includes the ultimate in social engineering; turning perfectly good, reputable websites against their visitors.

10. 2010: ? If the poorly coded and fairly innocuous Loveletter ushered in the beginning of the decade, and the highly sophisticated, multi-pronged Gumblar is ending the decade, one can only wonder, and worry, at what the next ten years may bring (Also see: 10 IT Security Predictions for 2010).

Mary Landesman is a senior security researcher with ScanSafe, a provider of SaaS Web security products.

Read more about data protection in CSOonline's Data Protection section.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: etwork, IT Security, Microsoft
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: malware, security
Latest Blog Posts
Whitepapers
  • Investment Protection and Elasticity for your Network
    Enterprise IT teams are being challenged to increase overall IT flexibility and business agility by incorporating emerging cloud technologies into their next generation datacentre architectures. Top of mind is how to embed a high degree of elasticity to properly handle increasingly unpredictable application traffic loads, while still meeting strict performance service level agreements (SLAs). Satisfying these often opposing goals requires that individual elements within the larger datacentre infrastructure provide a native capability to increase capacity and performance as conditions dictate. Read on.
    Learn more »
  • Learning To Compete: IT’s Next Transformation
    CIOs must become competitive players in managing relationships between IT and the business. Megatrends like virtualization, consumerisation, cloud computing, and mobility are forcing a new model for operating IT. This interactive white paper from CIO Magazine and EMC explores this transformation as a leadership opportunity, as an opportunity to create new models for IT, and as a catalyst to fundamentally change the dynamic between IT and the business. Embedded videos feature CIOs from T-Mobile USA and Wharton School of Business and a quick survey provides benchmarking between CIO peers.
    Learn more »
  • So Long, Silos: Why Multi-Domain MDM Is Better For Your Business
    Say “so long” to silos. This white paper explains why a multi-domain MDM solution is far better than single-domain, single-focused point solutions. You’ll learn what to look for in a multi-domain solution so you don’t outgrow it or are forced to purchase multiple products down the road. You’ll also get tips on how to select a multi-domain solution that can lead to multiple benefits over many years. The age of multi-domain MDM is here. See why you should say “hello” to it!
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments