Ten Years of Evolving Threats
As Fortinet celebrates 10 years of innovation and leadership in security, Fortiguard Labs took a look at the 10 most intriguing threats over the last 10 years and explains how their feature sets have evolved Darwin-like over time.
2000: I LOVE YOU worm
This was an effective mass-mailing worm that attacked tens of millions of Windows computers. The email arrived with "I Love You" in the subject line and contained the malicious attachment "Love-Letter-For You.txt.vbs." The Visual Basic Script (.vbs) extension was hidden by default, so users wouldn't necessarily know they were executing a script (they would just see a text file attachment), and that is how the worm spread itself. When a user opened the attachment, the worm quickly sent copies of itself (using the sender's email address) to everyone found in the Windows Address Book and also damaged the user's system. Today, thanks to application awareness, users receive an on-screen warning when such scripts are executed, making Visual Basic worms like this one difficult to spread.
2001: Code Red Worm
The Code Red Worm hit Web servers by propagating through Windows IIS servers through a buffer overflow vulnerability. From there, the malicious code would deface that Website in question and scan for more systems to exploit.
Evolution: SQL Slammer hit servers in 2003, slowing the Internet down globally and causing denial of service (DoS) disruptions. In South Korea, the worm caused Internet services to shut down for a number of hours. Like the Code Red worm, Slammer exploited a buffer overflow, in this case in Microsoft's SQL Server. Slammer was tiny in size and fit in a single UDP packet, which increased its effectiveness and firing rate.
2002: Beast Trojan/Remote Administration Tool (RAT)
Beast was originally built to be a remote administration tool (RAT). While this type of tool is in wide use today for technical support situations, hackers used the code to simply take over and have complete control of a user's computer. Beast was one of the first pieces of malware to incorporate features found in modern-day Trojans, such as code injection, reverse connections, fake error messages and offline key loggers. Many RATs are still in existence today.
Evolution: In 2008, Gh0st RAT surfaced as a cyber spying computer program and primarily targeted government entities. Like Beast, Gh0st was a RAT that gave hackers complete, real-time control over a user's system. If an infected computer had a video camera and/or microphone attached to it, Gh0st could turn those peripherals on remotely and then surreptitiously record (and transmit back to base) everything that was going on in the room.
2003: Blaster Worm
The Blaster Worm was created by Xfocus, a Chinese collective who reverse engineered a Microsoft patch intended to thwart such attacks. Like the Code Red and SQL Slammer worms, Blaster spread through a buffer overflow vulnerability found in the Microsoft remote procedure call (RPC) distributed component object model (DCOM) service. Unlike those earlier worms, Blaster was engineered to spread without a user having to open an infected email attachment. It simply attacked large numbers of random IP addresses.
Evolution: In 2008/2009, the Conficker Worm, like Blaster, wreaked havoc by using a similar vulnerability found in the Microsoft RPC DCOM service. But, unlike Blaster, Conficker was more evolved. It was a full-fledged botnet that could communicate through a domain generation algorithm and encrypted peer-to-peer traffic. Even more nefarious, it is believed the malware's creator(s) are actually tracking ongoing anti-malware efforts and releasing new patches to close the worm's own vulnerabilities.
2004: Vundo Trojan
Vundo was a pesky Windows popup-generating Trojan that filled a user's screen with unwanted advertisements and filled its creator's pockets with cash. In addition, Vundo could adversely affect a PC's performance, and it could be used to launch DoS attacks against Google and Facebook. Adware and fake antivirus are probably the most prevalent software installed today by Trojans like Vundo, due to the high profit opportunities from affiliate programs.
Evolution: Bredolab (circa 2009), much like Vundo, was a malware loader that focused on loading modern fake anti-virus software, but it was also used to download keyloggers, adware and other malware. By 2010, Bredolab evolved to incorporate ransomware variants, which were capable of holding a user's system and their data/applications hostage. Oftentimes, the "ransom" would come in the form of a software download to "fix" the corrupted files. Unfortunately, more times than not, the download never fixed the problem and the user would be out the cash.
2005: Samy XSS Worm
The Samy worm targeted MySpace users and successfully infected over 1 million people in 20 hours through a cross-site scripting (XSS) hole that existed in the site before MySpace disabled the worm. It remains one of the fastest-spreading viruses of its time. The Samy infection foreshadowed what was to come for other popular social networking sites.
Evolution: Throughout 2009 and 2010, multiple XSS worms have hit Twitter and other social networking sites such as Orkut through similar XSS holes. These holes exist because of programming errors, and as long as programming errors occur, so will attacks on those sites. XSS vulnerabilities are nothing new, yet they remain one of the most prevalent Web threats to date. The Open Web Application Security Project (OWASP) lists XSS attacks as the 2nd highest application security risk in 2010.
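The "programming error" behind Samy-style worms is user-supplied profile text being pasted straight into a page as markup. The following is an added example (not code from the article or from MySpace) showing that vulnerable rendering beside the output encoding that closes the hole; the profile field, function names and sample text are this example's own constructions.

```javascript
// Escape the five characters that let user text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: whatever a user saved in their "about me" field becomes markup
// for every visitor who views the profile, so a script tag runs in the visitor's
// session. This is the shape of the hole a self-propagating XSS worm needs.
function renderProfileVulnerable(profile) {
  return `<div class="about">${profile.aboutMe}</div>`;
}

// Hardened: the same field is encoded on output, so it can only display as text.
function renderProfileSafe(profile) {
  return `<div class="about">${escapeHtml(profile.aboutMe)}</div>`;
}

// Rough check a reviewer can run over rendered output: did any user-controlled
// value survive as a script element or an inline event-handler attribute?
function containsActiveContent(html) {
  return /<\s*script\b|\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample "about me" text (hypothetical, not a real worm body).
const constructedProfile = {
  aboutMe: 'hello <script>/* worm body would go here */</script>',
};

console.log(renderProfileVulnerable(constructedProfile)); // script tag survives
console.log(renderProfileSafe(constructedProfile));       // &lt;script&gt;... as text
```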
2006: Stration
Stration was one of the first heavy instances of server-side polymorphism, meaning many variants of the same core code were being blasted out through email. At its peak, new Stration variants were being produced every 30 minutes. By the end of 2006, Stration accounted for one third of all malware infections. This variant technique has since been widely adopted by modern malware creators and is the main reason we see so much volume today compared to the beginning of the decade.
2007: Storm Botnet
At its peak, the Storm botnet was reportedly running on 1 million+ computers and accounted for 8% of all malware running on Windows systems. What makes this malware intriguing is that no one seems to know who created it. What's more, this particular botnet displays defensive behaviors, meaning its creators built in code to thwart ways to track and disable it. Storm was also one of the first botnets to operate on fast flux hosting, which is the process of hosting servers that are constantly changing their domain name system (DNS) addresses, thus making them incredibly difficult to track.
Evolution: Waledac (circa 2009) was comparable to Storm, considering the fact that it used peer-to-peer and fast flux hosting. Waledac, which at its peak was capable of sending more than 1.5 billion spam emails a day through 70,000+ infected computers, built on Storm's model by adding layered encryption and advanced packers. For example, Waledac BZIP-compresses, AES-encrypts and Base64-encodes the XML content it sends to command and control over its peer-to-peer network.
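Storm and Waledac both relied on fast flux hosting, which leaves a signature in resolver logs: a domain that keeps answering with a large, churning set of addresses at very short TTLs. The following is an added example (not code from the article or from FortiGuard) of a simple fast-flux heuristic run over constructed log lines; the log format, field names, domains, addresses and thresholds are all this example's own assumptions.

```javascript
// One A-record answer per line: "<timestamp> <domain> A <ipv4> ttl=<seconds>".
const LINE = /^(\S+) (\S+) A (\d+\.\d+\.\d+\.\d+) ttl=(\d+)$/;

function parseLine(line) {
  const m = LINE.exec(line.trim());
  if (!m) return null;                       // skip lines that are not A answers
  return { ts: m[1], domain: m[2].toLowerCase(), ip: m[3], ttl: Number(m[4]) };
}

// Collapse each domain's answers into the features the heuristic scores.
function summarize(lines) {
  const byDomain = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const s = byDomain.get(r.domain) ||
      { ips: new Set(), nets: new Set(), minTtl: Infinity, answers: 0 };
    s.ips.add(r.ip);
    s.nets.add(r.ip.split('.').slice(0, 2).join('.'));   // /16 as a crude network proxy
    s.minTtl = Math.min(s.minTtl, r.ttl);
    s.answers += 1;
    byDomain.set(r.domain, s);
  }
  return byDomain;
}

// Flag domains whose answers churn across many addresses in many networks with
// short TTLs. Thresholds are illustrative; tune them against your own resolver data.
function fastFluxCandidates(lines, { minIps = 5, minNets = 3, maxTtl = 300 } = {}) {
  const out = [];
  for (const [domain, s] of summarize(lines)) {
    if (s.ips.size >= minIps && s.nets.size >= minNets && s.minTtl <= maxTtl) {
      out.push({ domain, distinctIps: s.ips.size, distinctNets: s.nets.size, minTtl: s.minTtl });
    }
  }
  return out.sort((a, b) => b.distinctIps - a.distinctIps);
}

// Constructed sample log: one churning domain and one ordinary, stable site.
const SAMPLE_LOG = [
  '2010-05-01T12:00:00Z update-flux.test A 203.0.113.7 ttl=120',
  '2010-05-01T12:02:00Z update-flux.test A 198.51.100.23 ttl=90',
  '2010-05-01T12:04:00Z update-flux.test A 192.0.2.41 ttl=150',
  '2010-05-01T12:06:00Z update-flux.test A 203.0.113.88 ttl=60',
  '2010-05-01T12:08:00Z update-flux.test A 198.51.100.200 ttl=120',
  '2010-05-01T12:00:00Z www.static-site.test A 192.0.2.10 ttl=3600',
  '2010-05-01T12:30:00Z www.static-site.test A 192.0.2.10 ttl=3600',
];

console.log(fastFluxCandidates(SAMPLE_LOG)); // only update-flux.test is flagged
```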
Koobface (an anagram of Facebook) was the first prevalent virus that targeted and spread through social networking accounts, including Facebook, MySpace, hi5, Bebo and Friendster. It achieved this by sending a link to all of a user's "friends" that directed them to download an update to their Adobe Flash player. Once a user did that, Koobface could commandeer the user's computer and direct it to additional contaminated Websites. What's worse, Koobface also contained a DNS filter program that blocked access to security Websites and a proxy tool, which allowed an attacker to further damage a user's computer.
Evolution: Webwail is an engine that was discovered by FortiGuard Labs in 2009. Like Koobface, it uses Websites to spread, primarily through webmail such as Gmail and Hotmail. Koobface needed to crack CAPTCHAs, which are lightweight interactive challenges used in computing to ensure that a response is not generated by a computer, and did so by sending a popup box to the infected user, who would need to enter the code. By doing so, Koobface was able to solve the CAPTCHA a social network would request and proceed with spamming. Webwail upped the ante here by using CAPTCHA-breaking services, which use a network of data-entering humans to do the dirty work. By doing so, Webwail could crack CAPTCHAs in less than 30 seconds and send spam through both automatically created and compromised webmail accounts.
Dozor was a distributed denial-of-service (DDoS) botnet that was spread through the Pushdo botnet. Its payload primarily targeted public-sector services and was thought to be intended for cyber warfare. Though there had been cases of such cyber warfare attacks in the past, by using a high-powered botnet like Pushdo, Dozor was able to spread very quickly and in high volume, making its DDoS engine all the more powerful.
Evolution: Dozor employed a DDoS attack strategy, taking down public services Websites such as financial institutions. While this indeed has damaging effects, Stuxnet kicked this up a notch by targeting industrial control systems. Think of it this way: What would have more impact?
A) A malfunctioning nuclear power plant
B) A bank site taken offline for a day
Stuxnet is quite a devious framework, as it presents a certain level of multiplicity. More specifically, it consists of an "exploit" part and a "rootkit" part, involves specific infection vectors, targets a specific class of victims and has unusual characteristics (such as software certificates that seem to have been stolen from a well known hardware producer). In addition, it was the first worm observed to contain a PLC (Programmable Logic Controller) rootkit, and was specifically designed to spy on and reprogram industrial systems responsible for critical industrial infrastructure.
Foreshadowing the Next Decade: Since 2009, we have seen more threats arising that target different platforms, such as SymbianOS, Blackberry, Android and Simatic WinCC/STEP 7. Early in the decade, threat developers were focused on creating frameworks and malware that we see in today's modern botnets that primarily operate on Microsoft Windows systems. While some developers will continue to stay on the Windows platform over the next few years, expect to see a growing demand for malicious code on growing platforms, such as those used by smart phone manufacturers and cloud computing providers.
Article by Derek Manky, project manager, cyber security & threat research at Fortinet's Fortiguard Labs and author of Fortinet's monthly Threat Landscape Report.