The Anna Kournikova worm
Anna Kournikova (its author’s own name for it was “Vbs.OnTheFly Created By OnTheFly”) was a computer worm released on February 11, 2001 by Jan de Wit, a 20-year-old Dutch student who called himself ‘OnTheFly’. It was designed to trick e-mail users into opening a message that purported to contain a picture of the tennis player Anna Kournikova but actually carried a malicious program. The worm arrives in an e-mail with the subject line “Here you have, ;0)” and an attached file called AnnaKournikova.jpg.vbs. The “.jpg” in the name is a decoy: the final extension, “.vbs”, is the one Windows acts on, and with the default “hide extensions for known file types” setting it is not even shown to the user. Launched under Microsoft Windows, the file displays no picture; it runs a Visual Basic Script (VBScript) worm that mails itself to every entry in the victim’s Microsoft Outlook address book.
The ILOVEYOU worm
ILOVEYOU, sometimes referred to as Love Bug or Love Letter, was a computer worm that attacked tens of millions of Windows personal computers on and after 5 May 2000, starting in the Philippines, where it began spreading as an e-mail message with the subject line “ILOVEYOU” and the attachment “LOVE-LETTER-FOR-YOU.txt.vbs”. The trailing extension, “.vbs” (a script file interpreted by Windows Script Host), was hidden by default on Windows computers of the time, because Windows hides the extensions of registered file types, so unwitting users took the attachment for an ordinary text file. Opening the attachment ran the Visual Basic Script. On the local machine the worm overwrote files of many types (including Office documents, image files and audio files) with copies of itself; MP3 and MP2 files it did not overwrite but instead left in place with the hidden attribute set, dropping a copy of itself beside each one with “.vbs” appended to the name. It then sent a copy of itself to every address in the Windows Address Book used by Microsoft Outlook.
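Both Anna Kournikova and ILOVEYOU relied on the same trick: a harmless-looking extension in front of the real, executable one, with Windows hiding the latter. The following is an added example written for this page, not code from either worm or from any mail-gateway product. It parses constructed e-mail messages with Python’s standard `email` module, flags attachments whose real extension is executable while the name in front of it ends in a decoy extension, and reports what the victim would have seen on screen. The extension lists are assumptions for illustration, not an exhaustive policy.

```python
"""Flag e-mail attachments that use the double-extension lure seen in
Anna Kournikova (AnnaKournikova.jpg.vbs) and ILOVEYOU
(LOVE-LETTER-FOR-YOU.txt.vbs), and show what Windows would have displayed.

Added example for this page; it is not code from either worm or from any
mail gateway product. The messages scanned below are constructed."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the Windows shell or Windows Script Host executes directly.
# Assumption: a representative list, not an exhaustive one.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                   ".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Harmless-looking extensions an attacker places in front of the real one.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3"}


def displayed_name(filename):
    """Name as Explorer shows it with 'Hide extensions for known file types'
    on: the registered final extension is dropped, leaving only the decoy."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS else filename


def is_double_extension_lure(filename):
    """True when the real (last) extension is executable and the part in
    front of it ends in an extension meant to look like a document/picture."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    return os.path.splitext(stem)[1].lower() in DECOY_EXTS


def scan_message(raw):
    """Parse one RFC 822 message and return (subject, real filename,
    name the victim would have seen) for every lure attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_double_extension_lure(name):
            hits.append((str(msg["Subject"]), name, displayed_name(name)))
    return hits


def build_sample(subject, body, filename, maintype, subtype):
    """Constructed test message; the attachment body is placeholder bytes."""
    m = EmailMessage()
    m["From"] = "victim@example.com"
    m["To"] = "friend@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"' placeholder bytes, not a real script\n",
                     maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed samples mirroring the two lures described on the page.
SAMPLE_ANNA = build_sample("Here you have, ;0)", "Hi: Check This!",
                           "AnnaKournikova.jpg.vbs", "application", "octet-stream")
SAMPLE_LOVE = build_sample("ILOVEYOU", "kindly check the attached LOVELETTER",
                           "LOVE-LETTER-FOR-YOU.txt.vbs", "application", "octet-stream")
SAMPLE_BENIGN = build_sample("holiday photo", "see attached",
                             "beach.jpg", "image", "jpeg")

if __name__ == "__main__":
    for raw in (SAMPLE_ANNA, SAMPLE_LOVE, SAMPLE_BENIGN):
        for subject, real, shown in scan_message(raw):
            print(f"{subject!r}: attachment {real} would be displayed as {shown}")
```

A gateway rule of this shape catches the lure by name alone; a single-extension `.vbs` attachment is just as dangerous and would be handled by a separate rule that blocks executable attachment types outright, which is what most mail systems did in the years after these two worms.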
The Melissa virus
Around March 26, 1999, Melissa was put in the wild by David L. Smith of Aberdeen Township, New Jersey. Melissa was a Microsoft Word macro virus: opening an infected document ran its macro, which e-mailed the document to the first 50 entries in the victim’s Outlook address book, which is how it overwhelmed corporate mail servers within hours. (The virus itself was credited to “Kwyjibo”, who was shown to be the macro virus writers VicodinES and ALT-F11 by comparing MS Word documents that carried the same globally unique identifier; the same method was also used to trace the virus back to Smith.) On December 10, 1999, Smith pleaded guilty to releasing the virus and was sentenced to 10 years in prison, of which he served 20 months. He was also fined US $5,000. The arrest was the result of a collaborative effort involving, amongst others, the FBI, the New Jersey State Police, Monmouth Internet and a Swedish computer scientist. Smith was accused of causing $80 million worth of damage by disrupting personal computers and computer networks in business and government.
The Netsky worm family
Netsky is a prolific family of computer worms affecting Microsoft Windows. The first variant appeared on Monday, February 16, 2004. The “B” variant was the first family member to reach mass distribution; it appeared on Wednesday, February 18, 2004. Sven Jaschan, an 18-year-old from Germany, confessed to having written these and other worms, including Sasser. Although the individual functions vary widely from variant to variant, the Netsky family is perhaps best known for the comments in its code insulting the authors of the Bagle and Mydoom worm families and, in some variants, for routines that removed those worms from infected machines. This “war”, as the media called it, drove a steady increase in the number of variants produced in all three families.
As of June 2004, Bagle had approximately 28 variants, Netsky approximately 29 and Mydoom approximately 10. Other symptoms of Netsky included beeping sounds on specified dates, usually in the morning hours. The worm was sent out as an e-mail that enticed recipients to open an attachment. Once opened, the attached program scanned the computer for e-mail addresses and mailed itself to every address found. Until October 2006 the P variant remained the most prevalent virus sent by e-mail worldwide, despite being over two and a half years old; it was surpassed by a variant of the Stration malware family in November 2006.
The Storm Worm
Storm Worm (so dubbed by the Finnish company F-Secure) is a backdoor Trojan horse affecting computers running Microsoft Windows, discovered on January 17, 2007. Despite the name it does not propagate on its own: it relied on recipients opening an e-mail attachment. It began attacking thousands of (mostly private) computers in Europe and the United States on Friday, January 19, 2007, using an e-mail message with a subject line about a recent weather disaster, “230 dead as storm batters Europe”. Over the weekend there were six further waves of the attack. By January 22, 2007, Storm Worm accounted for 8% of all malware infections globally. Infected machines joined the Storm botnet, which was coordinated over a peer-to-peer protocol rather than through a single command-and-control server, making it hard to take down. There is evidence, according to PCWorld, that Storm Worm was of Russian origin, possibly traceable to the Russian Business Network.
The CIH (Chernobyl) virus
CIH, also known as Chernobyl or Space filler, is a Microsoft Windows 9x virus that first emerged in 1998. Its payload is highly destructive on vulnerable systems: it overwrites the first megabyte of the boot drive, destroying the partition table, and on some motherboards it overwrites the flash BIOS, leaving the machine unable to boot. The virus was created by Chen Ing-hau (pinyin: Chén Yíngháo), then a student at Tatung University in Taiwan; he is now the founder and chief executive officer of 8tory. An estimated 60 million computers were infected internationally, with commercial damage put at about US $1 billion. Chen claimed to have written the virus as a challenge to bold claims of effectiveness made by antivirus software vendors. He stated that after classmates spread the virus across Tatung University he apologized to the school and made an antivirus program available for public download; it was co-authored with Weng Shi-hao, a student at Tamkang University. Prosecutors in Taiwan could not charge Chen at the time because no victim came forward with a complaint.
These events led to new computer crime legislation in Taiwan. The name “Chernobyl Virus” was coined some time after the virus was already well known as CIH, and refers to the pure coincidence that the payload trigger date of some variants, April 26 (the date Chen finished the virus in 1998, set to fire exactly one year later), is the anniversary of the Chernobyl disaster of April 26, 1986 in the Soviet Union. The name “Space filler” refers to its infection method: most file viruses append their code to the end of the host file, which grows it by a detectable amount, whereas CIH splits itself into fragments and writes them into the unused padding that the linker leaves inside the sections of a Windows PE executable. The infected file therefore does not change size, which helped the virus evade detection.
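CIH’s “space filler” trick depends on the padding a linker leaves between a section’s real content (VirtualSize) and its file-aligned on-disk size (SizeOfRawData). The following is an added example written for this page, not CIH’s code or any antivirus vendor’s: it parses a PE section table, reports the slack in each section, and flags padding that is no longer all zero, which is what an analyst looks for when a file’s size has not changed but its hash has. The PE image it inspects is constructed by `build_sample_pe`, and `plant_in_slack` only simulates the effect on the padding so that the check has something to find; neither reproduces the virus.

```python
"""Measure the 'space filler' gaps that CIH used: the padding between a PE
section's real content (VirtualSize) and its file-aligned on-disk size
(SizeOfRawData), and check whether that padding is still untouched.

Added example for this page; it is not CIH code or any antivirus product's
code. The PE image analysed below is constructed (valid headers plus
zero-padded sections), not a real executable."""
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
FILE_ALIGNMENT = 0x200          # raw sections are padded to this boundary
SECTION_ALIGNMENT = 0x1000      # in-memory alignment of section addresses


def align(n, a=FILE_ALIGNMENT):
    return -(-n // a) * a


def build_sample_pe(sections):
    """Constructed minimal PE32 image from (name, virtual_size) pairs. Raw
    sizes are rounded up to FILE_ALIGNMENT as a linker would; content bytes
    are 0xCC and the padding is zero, which is the slack CIH wrote into."""
    opt_size = 0xE0
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr, va = align(headers_len), SECTION_ALIGNMENT
    sec_headers, blobs = b"", []
    for name, vsize in sections:
        raw_size = align(vsize)
        sec_headers += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va,
                                   raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs.append(b"\xCC" * vsize + b"\0" * (raw_size - vsize))
        raw_ptr += raw_size
        va += align(vsize, SECTION_ALIGNMENT)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)      # PE32 magic
    image = dos + b"PE\0\0" + coff + opt + sec_headers
    image += b"\0" * (align(len(image)) - len(image))
    return image + b"".join(blobs)


def parse_sections(image):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    table = pe + 4 + 20 + opt_size
    out = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, image, table + 40 * i)
        out.append({"name": f[0].rstrip(b"\0").decode(), "virtual_size": f[1],
                    "raw_size": f[3], "raw_ptr": f[4]})
    return out


def section_slack(image):
    """Per section: (name, slack bytes, padding still all zero?). Non-zero
    bytes in the slack mean something was written there after linking."""
    report = []
    for s in parse_sections(image):
        slack = max(s["raw_size"] - s["virtual_size"], 0)
        start = s["raw_ptr"] + s["virtual_size"]
        pad = image[start:start + slack]
        report.append((s["name"], slack, pad == b"\0" * len(pad)))
    return report


def total_slack(image):
    """Bytes a space-filling infector could use without growing the file."""
    return sum(slack for _, slack, _ in section_slack(image))


def plant_in_slack(image, index, blob):
    """Simulation only: write `blob` into one section's padding so the check
    above has something to find. No header field and no file size changes."""
    s = parse_sections(image)[index]
    if len(blob) > s["raw_size"] - s["virtual_size"]:
        raise ValueError("blob does not fit in the section padding")
    start = s["raw_ptr"] + s["virtual_size"]
    return image[:start] + blob + image[start + len(blob):]


SAMPLE_PE = build_sample_pe([(b".text", 0x1234), (b".data", 0x200), (b".rsrc", 0x10)])
TAINTED_PE = plant_in_slack(SAMPLE_PE, 0, b"\xE8" * 100)   # constructed marker

if __name__ == "__main__":
    for name, slack, clean in section_slack(TAINTED_PE):
        print(f"{name:8} slack={slack:4d} bytes  padding untouched={clean}")
    print("total slack:", total_slack(SAMPLE_PE), "bytes; size unchanged:",
          len(TAINTED_PE) == len(SAMPLE_PE))
```

Two caveats for real files: compilers sometimes leave non-zero padding (alignment bytes such as 0xCC or 0x90) in executable sections, so a non-zero slack is a lead rather than proof, and a well-formed PE must still be sanity-checked against its file length before the offsets are trusted.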
The Zeus Trojan
Zeus is a Trojan horse made to infect Windows computers so that they can be used for various criminal tasks, most commonly man-in-the-browser keylogging and form grabbing, in which the malware hooks the browser and captures credentials and form fields before they are encrypted for transmission. Most computers were infected either through drive-by downloads or phishing. First identified in 2007 and widespread by 2009, it was found that year to have compromised tens of thousands of FTP accounts on the web sites of large companies and banks, among them Amazon, Oracle, Bank of America and Cisco. The operators of the Zeus botnet used it to steal the login credentials of social network, e-mail and banking accounts.
It was estimated that more than 1 million computers were infected worldwide, about a quarter of them in the United States. The operation was sophisticated and international, using money mules around the world to move cash to the ringleaders in Eastern Europe. About $70 million had been stolen and was in the ring’s possession when, in 2010, some 100 people were arrested in connection with the operation. In late 2010 the author of Zeus announced his retirement, but many experts believe this to be false.
The Mydoom worm
Surfacing in January 2004, Mydoom was a Windows worm that became the fastest-spreading e-mail worm since ILOVEYOU. Its author is unknown; it is believed the creator was paid to write it, since the code contains the text “Andy; I’m just doing my job, nothing personal, sorry”. It was named by Craig Schmugar, a McAfee employee and one of the people who originally discovered it: ‘mydom’ (short for ‘my domain’) was a line of text in the program’s code and, sensing this was going to be big, he added ‘doom’ to it.
The worm spreads by e-mail, masquerading as a delivery-failure notice with a copy of the worm attached. Once executed, it mails itself to addresses harvested from the user’s address book and copies itself into the shared folder of any peer-to-peer file-sharing program it finds, so that it also propagates over that network. The payload is twofold: it opens a backdoor that allows remote access to the machine, and it launches a denial-of-service attack against the controversial SCO Group. The worm was believed to have been created to disrupt SCO because of its dispute over ownership of some Linux code. It caused an estimated $38.5 billion in damage, and it is still active in some form today.
The Code Red worm
Code Red first surfaced in July 2001 and was discovered by two eEye Digital Security employees, who named it after the Code Red Mountain Dew they were drinking at the time. The worm targeted computers running Microsoft’s IIS web server, exploiting a buffer overflow in the indexing service ISAPI extension (idq.dll). It leaves very little trace on disk, since it runs entirely in memory, and is only 3,569 bytes long. Once a server is infected, the worm spawns about a hundred threads that scan random IP addresses for further IIS servers to infect; due to a bug in its code it creates more than intended and consumes a large share of the system’s resources.
Between the 20th and 27th day of the month it launches a denial-of-service attack against several fixed IP addresses, the most famous being that of the White House web server. Its most memorable symptom is the defacement it leaves on affected web pages, “Hacked By Chinese!”, which became a meme in its own right. The later Code Red II variant, which exploited the same vulnerability, also installed a backdoor allowing remote access to the server. Microsoft had published a patch for the vulnerability (MS01-033) a month before the worm appeared, but most servers had not applied it; the estimated cost was $2 billion in lost productivity. A total of 1 to 2 million servers were reported affected, which is striking given that there were only about 6 million IIS servers at the time.
CryptoLocker
CryptoLocker is a Trojan horse ransomware that targets computers running Windows. It spreads by several methods, including e-mail attachments, and once a computer is infected it encrypts files of selected types on the hard drive and on any mounted storage attached to it. It uses public key cryptography: a 2048-bit RSA key pair is generated for each victim on the attackers’ server and only the public key is sent to the infected machine; files are encrypted with per-file symmetric keys that are then wrapped with that public key, so the private key needed for decryption never exists on the victim’s computer. That is why removing the malware, which is easy enough, leaves the files encrypted. The only way to unlock the files is to pay a ransom by a deadline; if the deadline is missed, the ransom increases significantly or the attackers claim the decryption key will be deleted. The ransom usually amounted to about $400, payable in prepaid cash vouchers or bitcoin.
The operation was eventually stopped in mid-2014, when law enforcement agencies and security companies took control of part of the Gameover ZeuS botnet that distributed CryptoLocker. Evgeniy Bogachev, the ringleader, was charged, and the private keys recovered in the takedown were used to offer victims free decryption of their files. From data gathered in the takedown, the number of infections was estimated at 500,000, with about 1.3% of victims having paid the ransom, amounting to about $3 million.