Home Guru The evolution of malware

The evolution of malware

Mikko Hypponen, F-Secure, Raj Samani, McAfee

We got together two of the industry’s great minds to talk about the major milestones of malware development. Over to Raj Samani from McAfee and Mikko Hypponen from F-Secure.



Mikko: It’s been 25 years since the Morris worm. While Morris wasn’t the first virus, it was the first internet worm in history. In fact, it’s one the most important early viruses, together with Elk Cloner for Apple II, BHP for Commodore 64 and Brain.A for PCs. Since the Morris worm started the age of online outbreaks, maybe it’s one of the most important viruses ever? What do you think, Raj?


Raj: It’s hard to disagree with you (though I try to at every opportunity!). The next major milestone in my mind is the Anna Kournikova virus. Here you have one of the early and most successful attempts at leveraging social engineering techniques to coerce the victim into opening an attachment, in this case a picture of a tennis star voted the sexiest tennis star of all time. If we consider many of the most successful spear phishing/malware campaigns today, their roots can originate from 2001 and Jan de Wit knowing what it takes to get someone to open a malware infected file.


Do you agree? And if so what would you say is the next major milestone?


Mikko: Anna Kournikova would have never even made the news without the (arguably excellent) bait it used. I even remember one customer calling me about it and explaining that he knew it was a virus and it was successfully blocked, but he’d still like to see what the attachment looked like! But we really shouldn’t forget all the other major viruses between Morris and Anna Kournikova, such as Stoned, Michelangelo, Concept, Melissa and Loveletter. In fact, the Loveletter outbreak is still today probably one of the largest outbreaks of all time.


Raj: Let me guess – the customer was a single man? Yes, they were absolutely major viruses, and I suppose you could say that Kournikova taught people about the use of an enticing message to influence unsafe behaviour. Indeed, if we include the fact that emails appeared to come from people they already knew, then there is no surprise that email became (and probably still is) one of the most successful malware delivery mechanisms. However, if I had to pick one as a major milestone, I would still go with Kournikova. It was excellent bait, it came from someone you trusted and it really put malware into the general public spotlight with an appearance on the TV show Friends.


Mikko: Ok, fine. But after the era of email worms, we saw something that could spread much, much faster: internet worms. During the following years, we would see plenty of examples of that including Code Red, Slapper, Slammer, Blaster and Sasser. Slammer is the fastest computer worm in history. As it spread throughout the internet in January 2003, it doubled in size every 8.5 seconds.


It infected more than 90 per cent of vulnerable hosts within ten minutes. If your computer was online in 2003 and had a publicly accessible IP address, it was scanned by Slammer – multiple times, in fact. These massive Windows worms caused Microsoft to turn around and start its Trustworthy Computing Initiative. I believe that initiative has increased Windows security tremendously. Do you agree?


Raj: Wow that takes me back! Yes for sure. But seeing as you pushed me on defining the milestone for email worms then I will turn this around and ask you which one? Which internet worm would you say is the milestone malware? You mentioned Slammer, but what about Nimda?


Mikko: Nimda was important, for sure. But if I have to name one milestone worm; that would indeed be Slammer. Slammer wins because of its sheer efficiency: the whole worm fits in one 376-byte UDP packet! But internet worms died out eventually, as firewalls became the norm on every computer. Then we entered the world of drive-by-downloaders, which would infect Windows PCs just by visiting a website.


So, what’s your favourite exploit kit?


Raj: Actually before I answer that question, I wanted to throw another milestone, and I can sense a raised eyebrow or two, but let me put forward Zotob. Now, I know technically it’s perhaps not a significant milestone, but here you had malware that was developed only days after the release of the patch (MS05-039) which is far cry from earlier examples (in particular Nimda).


More significant was the organisational structure behind it, where you had the financier who, in turn, outsourced the writing of the malware. It’s a good example of cybercrime-as-a-service and really announces to criminals that there may be gold here. Do you think this is significant enough to be in our Hall of Fame?


Mikko: Yes, I suppose we need to include Zotob too. Indeed, it was an early example of cybercrime as-a-service, which then really became the norm. And that is the mechanism that fuels exploit kits even today. So, your favourite kit, Raj?


Raj: Probably BlackHole, and largely building on from the points raised in Zotob. A professionally managed, maintained and hugely successful exploit kit with a ‘commercial’ pricing model. It’s as far removed from the academic experiment that got out of hand that started our discussion. What do you think? And what would you suggest we have missed in our list of milestones?


Mikko: I think we have a pretty good run down of PC malware evolution right here. Sure, we missed so many cases – like the Sony Rootkit and Conficker, Stuxnet, ZeroAccess and Cryptolocker. But I guess we can’t fit them all here. Thanks Raj!


Raj: No problem Mikko!



Raj Samani is chief technology officer of McAfee, Mikko Hypponen is chief research officer of F-Secure


Google defends decision not to patch the Jelly Bean WebView vulnerability

According to Google’s head of Android security, Adrian Ludwig, support for the WebView extension used in Android versions 4.3 Jelly Bean is too time consuming and costly. Ludwig explained in a Google+ blog post that “WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every (…read more)

January 26, 2015

Lizard Squad hijacks Malaysia Airline DNS

Hackers purporting to be from the “Lizard Squad – Official Cyber Caliphate” group have attacked the official website of Malaysia Airlines, leaving visitors to see a message that read: “ISIS WILL PREVAIL”. The airline’s ticket-booking and other services were also unavailable. Instead, a large picture of a Malaysia Airlines A380 plane and the words “404-Plane (…read more)

January 26, 2015

ICO says Scouts investigation is unlikely

The Information Commissioner’s Office has said that it has no plans to investigate the issue regarding a reportedly unsecure database of personal details of members of the Scouts.   According to The Register, the Scout Association’s database holds the contact details of 450,000 young people and volunteer adults, and a Scout leader contacted The Register to (…read more)

January 23, 2015