A Brief History of Malware: Part Five (2006–2014)

Kim Crawley
9 min read · Mar 4, 2016


Image courtesy of Kaspersky Lab and Ars Technica

In this series, I’ve explained much of the history of malware. It always helps to learn history, because learning about problems in the past can prevent problems in the future. The story of malware went from a theory of one of history’s brightest minds, John von Neumann, to innocent experiments of programmers in the 1970s. Then, as our institutional and commercial systems became computerized, and microcomputers started entering small offices and the homes of ordinary people, the earliest blackhats took full advantage. True malware, software and code with malicious intent, became an everyday matter for everyday people in their everyday lives.

As people started using the Internet at home in significant numbers by the 1990s, a whole new vector for malware transmission emerged. When Sir Tim Berners-Lee’s “World Wide Web” launched, Internet use grew in popularity like never before, often a catalyst for email, IRC, and FTP as well.

As the number of people using the Internet grew exponentially, so did the number of blackhats and malware developers. As that phenomenon started to take hold, Microsoft Windows was by far the most popular client OS. One major problem with client Windows, up until the release of Windows XP in 2001, was that it was based on MS-DOS. As MS-DOS uses the FAT16 and FAT32 file systems, all those many millions of PCs had no file-level permissions. OS partitions with no file-level permissions, coupled with the explosion of Internet usage, resulted in malware disasters for millions of people.

As the 20th century came to a close and the 21st century began, it soon became apparent that Windows certainly is not the only platform vulnerable to malware. In fact, any computer with any software and any means of external data (mainly removable media and networking) can be subject to malware. The growing popularity of the BSD/Unix-based Mac OS X, GNU/Linux distros, and the NT kernel’s client OS debut in Windows XP kept malware developers on their toes, because file-level permissions and associated user accounts are features of all of those platforms.

But file-level permissions only make malware more difficult to develop, certainly not impossible. As I conclude this series and finish in 2014, malware has become more destructive than ever. At the very least, as of the current year, many thousands of malicious programs are developed and released every day. And now that most people in the developed world (and many in the developing world) own mobile devices, a whole new target for malware now exists.

Even though malware has been discovered that targets the platforms that run on smartphones and tablets, the rest of the malware covered in this series targets conventional PCs, servers, and industrial PLC systems.

Blackworm

Blackworm was discovered on January 20th, 2006. It affected machines running Windows NT, 95, 98, ME, 2000, XP, and Server 2003.

Image courtesy of techtwisted.com

Infected email attachments and network shares were the primary means of transmission. Blackworm was yet another “time bomb,” deleting local files starting on February 3rd, and then the 3rd of each month following.

File formats targeted for deletion included ZIP, RAR, DOC, XLS, PPT, PPS, and PSD.

Fortunately, the signature development process for many antivirus vendors had matured by then, and by 2006, a large percentage of Windows users were aware of the importance of running an antivirus shield. That helped to mitigate the damage that Blackworm did, but still, many Windows users worldwide were harmed.

The Almighty ZeuS

ZeuS, discovered in July 2007, went by many names. Those names include Zbot, Gorhax, PRG, Wsnpoem, and Kneber.

What’s notable and scary about ZeuS is that it’s the first major malware to steal banking information, hence giving blackhats access to people’s money. It can be created with a kit that’s sold in underground markets, and variants of ZeuS continue to cause trouble to this very day.

The ZeuS versions discovered in 2007 and 2008 focused on Windows. But I fully expect variants of ZeuS to target Mac OS X, GNU/Linux distros, and now that millions of people do their banking on smartphones and tablets, iOS, Android and BlackBerry OS as well.

ZeuS’ initial means of transmission were phishing websites, hence it was a trojan at the very beginning.

Malware in the ZeuS family not only grabs banking credentials, but credentials for social networking sites and email as well.

By October 2010, the FBI reported that blackhats from Eastern Europe were using variants of ZeuS to develop botnets that have stolen huge amounts of money from people’s bank accounts. Multiple unauthorized transactions of thousands of dollars at a time are often transferred to accounts belonging to “money mules,” participants of organized crime networks who are paid a commission.

As of this writing in 2014, antivirus vendors still develop signatures for new variants of ZeuS as the crimekits and source code continue to evolve.

Conficker

The Conficker worm was first discovered in November 2008. Like ZeuS, Conficker continues to evolve and attack machines to this very day.

The earliest variants of Conficker have exploited Windows vulnerabilities, starting by dictionary attacking administrator passwords.

The destructive potential of worms and viruses in the Conficker family is how they disable firewalls and antivirus shields. I figure that some blackhats use Conficker malware to weaken specific targets for further attacks, and other blackhats use Conficker malware just to vandalize.

Courtesy of wonderwave.net

I’m a hacker in the whitehat, Steven Levy sense. I can understand wanting to innocently play around with technology and explore what is possible, because it’s something I frequently do and it’s how I became a computing professional. I can also understand blackhats who have specific targets, because sadly, vengeance is a part of human nature, and I’d be lying if I denied that I’ve ever been tempted to seek revenge upon someone who’s hurt me.

I just can’t possibly get into the headspace of a blackhat who seeks destruction for destruction’s sake. I think this goes back to when I was fourteen and I loved playing SimCity 2000. I put a lot of effort into designing cities that operated well; I loved creating. But when one of my similar-age cousins would build a little bit in the game, only to then run all of the disasters to destroy the city he built, I was completely and utterly perplexed.

Anyway, I think that blackhat mentality of just wanting to destroy stuff is a major factor in Conficker’s development and growth.

Fortunately, the antivirus community has merged efforts in keeping up with Conficker and preventing its variants from damaging systems. Major software and antivirus vendors have formed the Conficker Working Group. Notable members include Microsoft, Cisco, Facebook, Kaspersky, OpenDNS, Juniper and VeriSign. The Conficker Working Group formed on February 12th, 2009. On their website, I’ve found records of their activity up until 2012. I couldn’t find confirmation of any work beyond 2012. As variants of Conficker continue to be used, developed, and sold in underground markets, I hope they didn’t stop.

The Conficker family of malware has used all of the major vectors for transmission: websites, FTP, P2P, email, and removable media, among others.

Stuxnet

Most of the malware I’ve covered so far in this series affects the sort of computers that are in homes, offices, and typical datacenters and server rooms. Stuxnet is a bit different: it affects the computers that most people, including most IT people, seldom ever see.

Stuxnet was discovered in June 2010, but it’s suspected that it was the cause of an attack on a nuclear program in Natanz, Iran in 2009. Variants of the initially discovered Stuxnet continue to wreak havoc.

Stuxnet is generally platform independent, and it attacks programmable logic controllers. PLCs operate the computing systems we all depend on in some way, albeit indirectly. They’re computers that operate everything from factory assembly lines, to water and sewer systems, to our electrical grid, to nuclear power plants and technologies used by militaries around the world. Yep, it’s serious stuff indeed.

Courtesy of ExtremeTech.com

Some Iranian officials suspected that the American government was behind the Stuxnet driven attack on Iran’s Natanz facility in 2009. As far as I can tell, that’s pure speculation. Some Americans in the military and intelligence communities suspect that Iran struck back with Stuxnet to attack American banking systems. That’s also pure speculation, but their suspicion has certainly hurt American-Iranian relations.

Industrial and military computing experts suspect that the development of Stuxnet could have only been possible with “the resources of a nation state.” So it’s most probable that some military, somewhere in the world, was the party that initially developed it.

The initial emergence of Stuxnet conducted five attacks, including four zero-day attacks on Windows vulnerabilities. Yes, a lot of these SCADAs and PLC systems run niche versions of Windows. Stuxnet is also known to exploit vulnerabilities in Siemens’ WinCC/Step 7 software.

The Stuxnet family of malware started to infect PLC systems in Iran, Indonesia, and India, but now it has been found to attack systems in the United States and Europe, as well.

Each instance of Stuxnet is programmed to attack vulnerabilities in the specific target PLCs. So, SCADAs and other PLC systems can be attacked even if they don’t run Windows or Siemens software.

With the arrival of Stuxnet, malware has become a matter of international cyber warfare.

CryptoLocker

CryptoLocker is the most recent major malware scare. It was discovered in September 2013. Its means of transmission include email attachments, P2P, and trojan websites.

CryptoLocker is both “ransomware” and a rogue AV. A rogue AV is malware that pretends to be legitimate antivirus software. I started rescuing offices and end users from rogue AVs for Windows in 2006. As of this writing in 2014, rogue AVs have also been found for Mac OS X and Android. They can be really scary for end users who have no background in IT or computer science, because they’ll tell the user that their computer is infested with thousands of viruses, when really it’s the rogue AV that’s the malware in the first place.

Most rogue AVs, including CryptoLocker, will demand that the user spend money in order for their computer to be usable again. That’s what “ransomware” means.

CryptoLocker is still out there “in the wild.” It has even evolved into variants such as Cryptowall, Cryptobit, and Cryptodefense. CryptoLocker is fundamentally different from the rogue AVs I started to find in 2006. Earlier rogue AVs disable vital operating system services, processes and daemons. But nothing would be permanently altered, so once I removed a rogue AV infection for a client, everything would be back to normal.

CryptoLocker is much nastier. It encrypts files and folders, one by one, under a very strong key, one that is difficult to crack. I’ve removed CryptoLocker for many people. If their important files are properly backed up, it’s pretty easy for me to restore everything back to normal. I insist on never paying the ransom. One reason is that you can’t trust the blackhat to be honest about the payment fixing the problem. The other is that I don’t want to encourage them by helping them make money.

Computers infected with CryptoLocker can be completely cured if users make regular backups. If they don’t, they’ll possibly lose important data for good. Always remember to back up your files and programs to external disks, even if you don’t use Windows! I even back up my Android smartphone on a regular basis. My smartphone is a computer that can be affected by malware and other technical mishaps, just like any other computer. I wish more end users understood that.
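A backup only “cures” a CryptoLocker infection if it was taken before the encryption happened and actually restores intact, so it is worth checking both. The script below is an added example, not code from this article or from any real backup product: it records a SHA-256 manifest of a directory tree, verifies a backup copy against that manifest (reporting missing and changed files), and flags files whose byte entropy is close to 8 bits per byte, which is what ciphertext looks like and what plain documents do not. The helper names (`manifest_for`, `verify_backup`, `looks_encrypted`, `demo`) and the sample “report.doc” contents are this example’s own constructions; `demo()` builds a live tree and a good backup in a temporary directory, then overwrites the live file with random bytes as a stand-in for an encrypted file.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Added example. The function names and the sample files below are constructed
# for illustration; they are not CryptoLocker's code or any real backup tool's API.


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte of the sample: ~8.0 for ciphertext or compressed data,
    usually well under 5 for plain text and office documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def manifest_for(root):
    """Map POSIX-style relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest, backup_root):
    """Compare a manifest taken from the live tree against a backup copy."""
    result = {"ok": [], "missing": [], "changed": []}
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of(p) != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def looks_encrypted(path, threshold=7.5):
    """Heuristic: a file whose first 64 KiB is near-uniform random is probably ciphertext."""
    with path.open("rb") as f:
        return shannon_entropy(f.read(65536)) >= threshold


def demo():
    """Constructed scenario: live files, a good backup, then a ransomware-style rewrite."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        for d in (live / "docs", backup / "docs"):
            d.mkdir(parents=True)
        # Constructed sample document; the backup holds an identical copy.
        text = b"Quarterly report: revenue up 3%, costs flat.\n" * 50
        (live / "docs" / "report.doc").write_bytes(text)
        (backup / "docs" / "report.doc").write_bytes(text)

        manifest = manifest_for(live)
        before = verify_backup(manifest, backup)

        # Simulate the infection: the live file is replaced by random bytes,
        # which has the same statistical profile as a strongly encrypted file.
        (live / "docs" / "report.doc").write_bytes(os.urandom(len(text)))

        return {
            "backup_verified": not before["missing"] and not before["changed"],
            "live_changed_after_attack": verify_backup(manifest, live)["changed"],
            "encrypted_flagged": looks_encrypted(live / "docs" / "report.doc"),
            "backup_flagged": looks_encrypted(backup / "docs" / "report.doc"),
        }


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the design. The manifest must be stored somewhere the infected machine cannot rewrite (with the external disk, not on the live volume), or an attacker that encrypts the data can encrypt the manifest too. And the entropy flag is a heuristic for triage, not proof: legitimately compressed files such as ZIPs and JPEGs will also score near 8, so it is most useful when a file that used to be low-entropy (a DOC or XLS) suddenly is not.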

So, there you go. Malware started as a theory of a brilliant scientific mind that started computing with ENIAC in the 1940s. By the 1970s, computer programmers conducted innocent experiments to see what their programs could do. As microcomputers and Internet use caught on with ordinary people in the 80s and 90s, a whole new world opened for blackhats and malware to develop and grow. And now in the 21st century, computing is in various facets in everyone’s lives. Even people who don’t use computers can be affected by malware, now that it has been known to attack banking, industrial and military systems.

Those of us who work in IT and computer science must study the history of malware, so we can prevent future problems, ones that range from minor inconveniences, to malware that’s used in cyber warfare.


Kim Crawley

I research and write about cybersecurity topics — offensive, defensive, hacker culture, cyber threats, you-name-it. Also pandemic stuff.