
The evolution of malware

Mikko Hypponen, F-Secure, Raj Samani, McAfee

We got together two of the industry’s great minds to talk about the major milestones of malware development. Over to Raj Samani from McAfee and Mikko Hypponen from F-Secure.



Mikko: It’s been 25 years since the Morris worm. While Morris wasn’t the first virus, it was the first internet worm in history. In fact, it’s one of the most important early viruses, together with Elk Cloner for Apple II, BHP for Commodore 64 and Brain.A for PCs. Since the Morris worm started the age of online outbreaks, maybe it’s one of the most important viruses ever? What do you think, Raj?


Raj: It’s hard to disagree with you (though I try to at every opportunity!). The next major milestone in my mind is the Anna Kournikova virus. Here you have one of the early and most successful attempts at leveraging social engineering techniques to coerce the victim into opening an attachment, in this case a picture of a tennis star voted the sexiest tennis star of all time. If we consider many of the most successful spear phishing/malware campaigns today, their roots can be traced back to 2001 and Jan de Wit knowing what it takes to get someone to open a malware-infected file.


Do you agree? And if so what would you say is the next major milestone?


Mikko: Anna Kournikova would have never even made the news without the (arguably excellent) bait it used. I even remember one customer calling me about it and explaining that he knew it was a virus and it was successfully blocked, but he’d still like to see what the attachment looked like! But we really shouldn’t forget all the other major viruses between Morris and Anna Kournikova, such as Stoned, Michelangelo, Concept, Melissa and Loveletter. In fact, the Loveletter outbreak is still today probably one of the largest outbreaks of all time.


Raj: Let me guess – the customer was a single man? Yes, they were absolutely major viruses, and I suppose you could say that Kournikova taught people about the use of an enticing message to influence unsafe behaviour. Indeed, if we include the fact that emails appeared to come from people they already knew, then there is no surprise that email became (and probably still is) one of the most successful malware delivery mechanisms. However, if I had to pick one as a major milestone, I would still go with Kournikova. It was excellent bait, it came from someone you trusted and it really put malware into the general public spotlight with an appearance on the TV show Friends.


Mikko: OK, fine. But after the era of email worms, we saw something that could spread much, much faster: internet worms. During the following years, we would see plenty of examples of that, including Code Red, Slapper, Slammer, Blaster and Sasser. Slammer is the fastest computer worm in history. As it spread throughout the internet in January 2003, it doubled in size every 8.5 seconds.


It infected more than 90 per cent of vulnerable hosts within ten minutes. If your computer was online in 2003 and had a publicly accessible IP address, it was scanned by Slammer – multiple times, in fact. These massive Windows worms caused Microsoft to turn around and start its Trustworthy Computing Initiative. I believe that initiative has increased Windows security tremendously. Do you agree?


Raj: Wow, that takes me back! Yes, for sure. But seeing as you pushed me on defining the milestone for email worms, I will turn this around and ask you which one? Which internet worm would you say is the milestone malware? You mentioned Slammer, but what about Nimda?


Mikko: Nimda was important, for sure. But if I have to name one milestone worm, that would indeed be Slammer. Slammer wins because of its sheer efficiency: the whole worm fits in one 376-byte UDP packet! But internet worms died out eventually, as firewalls became the norm on every computer. Then we entered the world of drive-by downloaders, which would infect Windows PCs just by visiting a website.


So, what’s your favourite exploit kit?


Raj: Actually, before I answer that question, I wanted to throw in another milestone, and I can sense a raised eyebrow or two, but let me put forward Zotob. Now, I know technically it’s perhaps not a significant milestone, but here you had malware that was developed only days after the release of the patch (MS05-039), which is a far cry from earlier examples (in particular Nimda).


More significant was the organisational structure behind it, where you had the financier who, in turn, outsourced the writing of the malware. It’s a good example of cybercrime-as-a-service and really announces to criminals that there may be gold here. Do you think this is significant enough to be in our Hall of Fame?


Mikko: Yes, I suppose we need to include Zotob too. Indeed, it was an early example of cybercrime-as-a-service, which then really became the norm. And that is the mechanism that fuels exploit kits even today. So, your favourite kit, Raj?


Raj: Probably BlackHole, and largely building on the points raised about Zotob. A professionally managed, maintained and hugely successful exploit kit with a ‘commercial’ pricing model. It’s far removed from the academic experiment that got out of hand, which started our discussion. What do you think? And what would you suggest we have missed in our list of milestones?


Mikko: I think we have a pretty good rundown of PC malware evolution right here. Sure, we missed so many cases, like the Sony Rootkit and Conficker, Stuxnet, ZeroAccess and Cryptolocker. But I guess we can’t fit them all here. Thanks, Raj!


Raj: No problem Mikko!



Raj Samani is chief technology officer of McAfee; Mikko Hypponen is chief research officer of F-Secure.

