Home Guru The evolution of malware

The evolution of malware

Mikko Hypponen, F-Secure, Raj Samani, McAfee

We got together two of the industry’s great minds to talk about the major milestones of malware development. Over to Raj Samani from McAfee and Mikko Hypponen from F-Secure.



Mikko: It’s been 25 years since the Morris worm. While Morris wasn’t the first virus, it was the first internet worm in history. In fact, it’s one the most important early viruses, together with Elk Cloner for Apple II, BHP for Commodore 64 and Brain.A for PCs. Since the Morris worm started the age of online outbreaks, maybe it’s one of the most important viruses ever? What do you think, Raj?


Raj: It’s hard to disagree with you (though I try to at every opportunity!). The next major milestone in my mind is the Anna Kournikova virus. Here you have one of the early and most successful attempts at leveraging social engineering techniques to coerce the victim into opening an attachment, in this case a picture of a tennis star voted the sexiest tennis star of all time. If we consider many of the most successful spear phishing/malware campaigns today, their roots can originate from 2001 and Jan de Wit knowing what it takes to get someone to open a malware infected file.


Do you agree? And if so what would you say is the next major milestone?


Mikko: Anna Kournikova would have never even made the news without the (arguably excellent) bait it used. I even remember one customer calling me about it and explaining that he knew it was a virus and it was successfully blocked, but he’d still like to see what the attachment looked like! But we really shouldn’t forget all the other major viruses between Morris and Anna Kournikova, such as Stoned, Michelangelo, Concept, Melissa and Loveletter. In fact, the Loveletter outbreak is still today probably one of the largest outbreaks of all time.


Raj: Let me guess – the customer was a single man? Yes, they were absolutely major viruses, and I suppose you could say that Kournikova taught people about the use of an enticing message to influence unsafe behaviour. Indeed, if we include the fact that emails appeared to come from people they already knew, then there is no surprise that email became (and probably still is) one of the most successful malware delivery mechanisms. However, if I had to pick one as a major milestone, I would still go with Kournikova. It was excellent bait, it came from someone you trusted and it really put malware into the general public spotlight with an appearance on the TV show Friends.


Mikko: Ok, fine. But after the era of email worms, we saw something that could spread much, much faster: internet worms. During the following years, we would see plenty of examples of that including Code Red, Slapper, Slammer, Blaster and Sasser. Slammer is the fastest computer worm in history. As it spread throughout the internet in January 2003, it doubled in size every 8.5 seconds.


It infected more than 90 per cent of vulnerable hosts within ten minutes. If your computer was online in 2003 and had a publicly accessible IP address, it was scanned by Slammer – multiple times, in fact. These massive Windows worms caused Microsoft to turn around and start its Trustworthy Computing Initiative. I believe that initiative has increased Windows security tremendously. Do you agree?


Raj: Wow that takes me back! Yes for sure. But seeing as you pushed me on defining the milestone for email worms then I will turn this around and ask you which one? Which internet worm would you say is the milestone malware? You mentioned Slammer, but what about Nimda?


Mikko: Nimda was important, for sure. But if I have to name one milestone worm; that would indeed be Slammer. Slammer wins because of its sheer efficiency: the whole worm fits in one 376-byte UDP packet! But internet worms died out eventually, as firewalls became the norm on every computer. Then we entered the world of drive-by-downloaders, which would infect Windows PCs just by visiting a website.


So, what’s your favourite exploit kit?


Raj: Actually before I answer that question, I wanted to throw another milestone, and I can sense a raised eyebrow or two, but let me put forward Zotob. Now, I know technically it’s perhaps not a significant milestone, but here you had malware that was developed only days after the release of the patch (MS05-039) which is far cry from earlier examples (in particular Nimda).


More significant was the organisational structure behind it, where you had the financier who, in turn, outsourced the writing of the malware. It’s a good example of cybercrime-as-a-service and really announces to criminals that there may be gold here. Do you think this is significant enough to be in our Hall of Fame?


Mikko: Yes, I suppose we need to include Zotob too. Indeed, it was an early example of cybercrime as-a-service, which then really became the norm. And that is the mechanism that fuels exploit kits even today. So, your favourite kit, Raj?


Raj: Probably BlackHole, and largely building on from the points raised in Zotob. A professionally managed, maintained and hugely successful exploit kit with a ‘commercial’ pricing model. It’s as far removed from the academic experiment that got out of hand that started our discussion. What do you think? And what would you suggest we have missed in our list of milestones?


Mikko: I think we have a pretty good run down of PC malware evolution right here. Sure, we missed so many cases – like the Sony Rootkit and Conficker, Stuxnet, ZeroAccess and Cryptolocker. But I guess we can’t fit them all here. Thanks Raj!


Raj: No problem Mikko!



Raj Samani is chief technology officer of McAfee, Mikko Hypponen is chief research officer of F-Secure


UK civilians and military personnel learn to defend against online attacks at cyber training camp

The Cyber Security Challenge UK’s new cyber security bootcamp, held at the Defence Academy in Shrivenham, is being delivered by a number of the UK’s most prestigious cyber defence companies including PWC, GCHQ and the National Crime Agency, to help attendees gain foundation skills and confidence to take their first steps into the cyber security profession. Today’s assessment, devised by cyber security operatives from GCHQ, will see candidates take on (…read more)

August 29, 2014

Microsoft cleans up Windows App store, removing 1500 apps

Sparked by complaints that Microsoft’s online stores were full of fraudulent apps, Microsoft has removed 1,500 fake, fraudulent and misleading apps from its Windows and Windows Phone store. Todd Brix, Windows Store general manager said in a blog post “Earlier this year we heard loud and clear that people were finding it more difficult to find (…read more)

August 29, 2014

Child Sexual Abuse content downloaded on a fifth of corporate networks

In a recent survey of IT experts, a fifth of those surveyed revealed that someone had downloaded Child Sexual Abuse (CSA) material at work. Of those, just 3.5% lead to criminal investigations and in the vast majority of cases (69%) nothing happened. According to NetClean, one in every 1,000 employees will look at CSA content (…read more)

August 28, 2014