
Top 5 Smartest Malware Programs

November 23, 2017 by Daniel Dimov

1. Introduction

The growing threat of malware is one of the biggest cybersecurity threats of today. Malware is a term that encompasses a plethora of covert, intrusive software, including viruses, worms, Trojan horses, and ransomware. The impact of these rapidly spreading malicious programs ranges from everyday annoyances (e.g., pop-up advertising) to theft of sensitive data and disruption of industrial activities.

The features that distinguish smart malware from regular malignant code are:

  1. It is difficult to detect;
  2. It uses sophisticated propagation tactics;
  3. Its design bypasses antivirus programs;
  4. It has a mechanism for infecting a vast number of computers.

In this article, we provide an overview of five of the most well-known smart malware programs to have appeared in recent years.

2. MyDoom

MyDoom is a computer worm which appeared for the first time in 2004 and has had several active versions since then. It affects computers running the Microsoft Windows operating system by exploiting a backdoor. It is estimated that at least 1 out of 12 e-mail messages on the Internet carried this malicious software. MyDoom broke previous world records for infecting computer systems, including the records established by the infamous malware programs ILOVEYOU and Sobig.

MyDoom is usually transmitted via e-mails containing malicious attachments and subject lines such as "Mail Transaction Failed," "Error," or "Mail Delivery System," as well as through peer-to-peer file-sharing networks. If an attachment is executed, MyDoom sends a copy of itself to the addresses found in the infected user's email address book, and from there it spreads further along the network. It is important to note that the worm is smart enough to avoid specific email addresses, such as those of universities and high-tech businesses.

The worm was initially designed to perpetrate a Distributed Denial of Service (DDoS) attack against the American software company SCO Group. Later, MyDoom was used in a series of coordinated cyberattacks (the so-called "July 2009 Cyberattacks") against major institutions in South Korea and the United States.

3. Code Red Worm

Code Red Worm, also known as the I-Worm, was launched in 2001 and has had several upgrades since then, known as Code Red II and Code Red III. It has been estimated that Code Red infected more than 359,000 computers. This malware program is self-replicating malicious code which specifically targeted the Windows 2000 and Windows NT operating systems.

The worm exploits a buffer overflow vulnerability: a flaw in which a program writes past the boundaries of a buffer and thereby overwrites adjacent memory locations. Websites infected by Code Red display the greeting: "HELLO! Welcome to http://www.worm.com! Hacked by Chinese!"

Code Red uses the Random Constant-Spread (RCS) model. This model is identical to the simplest biological epidemic model, which consists of a number of hosts, each of which can be in only one of two states: susceptible or infected. Malware programs using the RCS model propagate by sending infected payloads to randomly selected IP addresses. As a result, the number of infected hosts grows exponentially at first and then levels off, until all susceptible hosts are infected.
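As an added illustration, not from the original article, the RCS model written out: the logistic curve that solves the RCS differential equation, plus a small discrete simulation of random address scanning over a constructed toy address space (host count, address space size, scan rate and seed are constructed parameters) so the slow-start, explosive-middle, saturation shape described above can be seen in numbers.

```python
import math
import random


def rcs_infected_fraction(t, k, t0):
    """Closed-form solution of the RCS model da/dt = k * a * (1 - a), where a is
    the fraction of vulnerable hosts already infected and k is the contact rate
    (scans per unit time times the chance that a random address is vulnerable).
    a(t) = e^{k(t-t0)} / (1 + e^{k(t-t0)}), so a(t0) = 0.5 (the mid-point)."""
    return 1.0 / (1.0 + math.exp(-k * (t - t0)))


def time_to_fraction(frac, k, t0):
    """Inverse of rcs_infected_fraction: the time at which a(t) reaches frac."""
    return t0 + math.log(frac / (1.0 - frac)) / k


def contact_rate(num_vulnerable, address_space, scans_per_step):
    """k for the toy simulation: scans per step times the hit probability."""
    return scans_per_step * num_vulnerable / address_space


def simulate_random_scanning(num_vulnerable, address_space, scans_per_step,
                             steps, seed=0):
    """Discrete toy simulation (constructed parameters): every infected host
    picks scans_per_step random addresses per step; a hit on a vulnerable
    address infects it. Returns the infected count after each step."""
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(address_space), num_vulnerable))
    infected = {min(vulnerable)}  # patient zero
    history = [len(infected)]
    for _ in range(steps):
        newly_hit = set()
        for _ in range(len(infected) * scans_per_step):
            target = rng.randrange(address_space)
            if target in vulnerable:
                newly_hit.add(target)
        infected |= newly_hit
        history.append(len(infected))
    return history


if __name__ == "__main__":
    n, space, scans, steps = 1000, 10_000, 2, 200  # constructed toy numbers
    k = contact_rate(n, space, scans)
    hist = simulate_random_scanning(n, space, scans, steps, seed=1)
    # Align the analytic curve on the step where the simulation crossed 50%.
    t0 = next(i for i, c in enumerate(hist) if c >= n / 2)
    print(f"k = {k:.2f}; doubling time early on ~ {math.log(2) / k:.1f} steps")
    for t in range(0, steps + 1, 20):
        print(f"step {t:3d}: simulated {hist[t]:4d}  "
              f"model {n * rcs_infected_fraction(t, k, t0):7.1f}")
```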

The White House was affected by Code Red through a Distributed Denial of Service attack. The White House responded to the attack by changing the IP addresses of its websites.

4. ILOVEYOU

The ILOVEYOU virus infected businesses and individual users in 2000. The critical aspect of this virus was not its technical complexity but its exploitation of a psychological phenomenon: a person's need to be loved and appreciated.

The emails through which the virus spread had a subject line containing the words "I love you," appeared to come from a known sender, and invited the recipient to read the attached love letter, in .txt format. The trick was immensely successful. It is estimated that, in two days, the ILOVEYOU virus infected about 45 million Windows computers and caused billions of dollars in damages.

Another factor in the success of the ILOVEYOU virus was the way it spread itself. Immediately after reaching a targeted computer, it replaced media files with copies of the virus. Next, it sent itself to the email addresses contained in the victim's address book.

The virus was the most widespread malware encountered by Internet users at that time and was called "the first successful use of social engineering." Because of its destructive outcome, it received extensive media attention.

5. CryptoLocker

CryptoLocker is ransomware which affected more than 1 million computers and extracted about USD 30 million from its victims. CryptoLocker demonstrated that ransomware can be a very profitable "business." It encrypts victims' files using strong, third-party certified cryptography.

The effects of CryptoLocker have also shown a pressing need for regulating Bitcoin, the cryptocurrency used by most ransomware creators. If Bitcoin is not regulated, it will continue to serve as the engine of the Dark Web.

Of course, the success of CryptoLocker was driven not only by its use of Bitcoin but also by its sophisticated method of propagation. CryptoLocker spreads itself as an attachment to email messages.

The attachment is a ZIP file containing an executable disguised as a PDF file. Once opened, the executable encrypts files stored on the hard drive of the victim's computer. The user then sees a pop-up message stating that their files have been encrypted and that a ransom must be paid to unlock them.

CryptoLocker has demonstrated that encryption-based malware can have devastating consequences for a large number of computers. Cybersecurity experts are therefore concerned that such malware could be used for much larger-scale cyberwarfare purposes.

6. Stuxnet

Stuxnet, a joint U.S.-Israel cyber weapon, was used in a series of cyber-attacks organized under the code name "Olympic Games." Stuxnet was the first virus to affect software controlling industrial systems at a uranium enrichment facility.

The creators of Stuxnet not only succeeded in gaining access to crucial industrial information but were also able to operate industrial machines remotely. The Stuxnet attack became the second largest incident of cyber warfare targeting physical infrastructure.

Since Stuxnet was a well-funded project launched at the government level, the malware used complex code. In his book Technology Security and National Power: Winners and Losers (2017), security expert Stephen Bryen classified it as "one of the most complex and sophisticated attacks ever launched against an industrial control system."

The primary purpose of the virus was to affect Iran's nuclear control systems, thus reducing the lifetime of nuclear centrifuges. According to Eugene Kaspersky, an IT security expert, Stuxnet also infected a Russian nuclear plant and other nuclear facilities outside of Iran.

It is important to note that Stuxnet does not harm all types of IT infrastructure. It is designed in such a way that it carefully selects its targets.

7. Conclusions

In this article, we examined the five smartest malware programs. Our analysis indicates that each of them has its own features and malicious behavior. Although most of these programs are now removed by contemporary antivirus software, they still provide hackers with a plethora of ideas on how to create even more harmful malware.

It should be pointed out that the most covert forms of malware may still be undiscovered by the information security community. For example, the malware "ProjectSauron" operated undetected for five years. This malware targeted networks in Sweden, Russia, China, and other countries.

The security firms Kaspersky Lab and Symantec detected the malware in an embassy in Belgium and an airline based in China. According to researchers from Symantec, ProjectSauron has a number of "stealth features."


Co-Author

Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master's degree in IP & ICT Law.

Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.