On Sunday Microsoft reported that “…some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft.”
This is due to the presence of an older cryptographic algorithm in Windows Server which may be exploited to make code appear to be signed by Microsoft.
The algorithm was employed by the Terminal Server Licensing Service, which allows for remote desktop access. Microsoft has released an advisory and an update to close the security hole that allowed such certificates to be issued.
Flame is clearly the next evolution in computer viruses, and it got me thinking about all of the viruses, worms, trojans, and malware that I have had to battle over the past few years.
Disclaimer: I was not around for Elk Cloner or Brain, and though I thought the Angry Samoan virus (named after the famed wrestlers) was cleverly named, it did not impact me significantly, so none of them made my list.
Here are my top 5 Worms, Trojans, or Viruses.
A macro virus named after a Miami stripper was so effective in 1999 that the tidal wave of email traffic it generated caused the likes of Intel and Microsoft to shut down their email servers. The virus arrived as a Word document labeled List.DOC, attached to an email that promised access to porn sites.
The email was first distributed to a Usenet group but quickly got out of hand. When a user opened the attached document, the infected Word file was sent to the first 50 names in the user's address book. The scheme was particularly successful because the email bore the name of someone the recipient knew and referenced a document they had allegedly requested. I recall spending long hours cleaning up after this one.
2. The Anna Kournikova Virus
This computer virus, attributed to Dutch programmer Jan de Wit, appeared on February 11, 2001. The virus was designed to trick a recipient into opening a message by suggesting that it contained a picture of the lovely Anna Kournikova; instead, the recipient triggered a malicious program.
This was another virus that exploited a user’s Microsoft Outlook mail contacts. The email subject read: “Hi: Check This!”, with what appeared to be a picture file labeled “AnnaKournikova.jpg.vbs”. Clearly, the attachment was not a JPG, but it was a good bit of social engineering and was an effective transmission mechanism.
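The "AnnaKournikova.jpg.vbs" trick above, a script hidden behind an image-like name, is still one of the first things a mail gateway should look for in an attachment name. The following is an added example, not code from the original post, showing how a defender can triage attachment names: it flags executable and script extensions, catches double-extension masquerades (including names padded with spaces to push the real extension out of view), and marks macro-capable Office formats for content scanning, since a name like List.DOC cannot tell you whether a macro is inside. The extension lists and sample filenames are my own constructed assumptions, not taken from any product.

```python
"""Attachment-name triage: flags executable, double-extension and macro-capable attachments."""

# Extensions Windows will run as code, or that are script hosts (illustrative, not exhaustive).
EXECUTABLE_EXTS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "ps1", "msi", "lnk", "reg",
}
# Office formats that are explicitly macro-enabled.
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}
# Legacy binary Office formats: they may carry VBA macros, but the name alone cannot tell.
LEGACY_OFFICE_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "pot"}
# Extensions a recipient reads as passive content; used to spot masquerading.
BENIGN_LOOKING_EXTS = {
    "jpg", "jpeg", "png", "gif", "bmp", "pdf", "txt", "mp3", "avi", "mpg",
} | LEGACY_OFFICE_EXTS


def _extension_parts(filename):
    # Lower-case, split on dots, and strip whitespace around each part so that
    # padding such as "photo.jpg          .vbs" does not hide the real extension.
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    return [p for p in parts if p]


def classify_attachment(filename):
    """Return (verdict, reason); verdict is 'block', 'quarantine', 'review' or 'allow'."""
    parts = _extension_parts(filename)
    if len(parts) < 2:
        return "review", "no file extension"
    final = parts[-1]
    earlier = parts[:-1]
    if final in EXECUTABLE_EXTS:
        masked = [e for e in earlier if e in BENIGN_LOOKING_EXTS]
        if masked:
            return "block", "double-extension masquerade: looks like .%s but runs as .%s" % (masked[-1], final)
        return "block", "executable attachment (.%s)" % final
    if final in MACRO_EXTS:
        return "quarantine", "macro-enabled Office document (.%s)" % final
    if final in LEGACY_OFFICE_EXTS:
        return "review", "legacy Office format (.%s) may contain macros; scan content" % final
    return "allow", "no name-based indicator"


def triage(filenames):
    """Classify a batch of names and return {verdict: [filename, ...]}."""
    result = {"block": [], "quarantine": [], "review": [], "allow": []}
    for name in filenames:
        verdict, _ = classify_attachment(name)
        result[verdict].append(name)
    return result


# Constructed sample names (not real captures) that mirror the lures described in the post.
SAMPLE_ATTACHMENTS = [
    "AnnaKournikova.jpg.vbs",
    "List.DOC",
    "invoice.pdf                          .exe",
    "holiday.jpg",
    "report.docm",
    "README",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict, reason = classify_attachment(name)
        print("%-45r -> %s: %s" % (name, verdict, reason))
```

Name-based checks are only a first filter: a .doc that passes as "review" still needs its content inspected for macros, and an archive can wrap any of the above, so this belongs in front of, not instead of, content scanning.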
3. MyDoom
MyDoom began appearing in inboxes in 2004 and soon became the fastest-spreading worm ever to hit the web, exceeding previous records set by the Sobig worm and ILOVEYOU. As a side note: though I knew people affected by Sobig and ILOVEYOU, I did not see either of these in the wild.
The reason that MyDoom was effective was that the recipient would receive an email warning of a delivery failure – a message we have all seen at one time or another. The message prompted the recipient to investigate, thus triggering the worm.
Once the attached file was executed, the worm would send itself to email addresses found in the local address book and also place a copy in the KaZaA shared folder. Like Klez, MyDoom could spoof email addresses, but it also had the ability to generate traffic through web searches, which placed a significant load on search engines like Yahoo and Google.
MyDoom was also significant for the second payload that it carried, a DDoS attack on the SCO Group, albeit not the coordinated sort of attack we would now expect to see from modern bot-nets. The virus has been attributed to someone in Russia, but this was never confirmed.
Lastly, MyDoom contained the text “andy; I’m just doing my job, nothing personal, sorry,” which led many to believe that the virus was constructed for a fee for a spammer, though this also was not confirmed. Shot in the dark: if you are the Andy referenced in MyDoom and are reading this, please comment!
4. Sasser & Netsky
Easily among the most famous and prolific families of computer worms, known both for their effectiveness and for the fact that they were authored by an 18-year-old German, Sven Jaschan, who confessed to having written these and other worms.
Netsky sticks in my mind because it was the first time that a virus insulted other virus authors. Here the authors of both the Bagle and MyDoom worm families were dissed and, in some cases, Netsky included code that removed versions of the competing viruses.
The other reason this one sticks with me is that the author was turned in to the authorities by a friend who wanted to collect the $250,000 bounty that Microsoft had put up for information about the outbreak. Obviously not a very good friend!
5. 2007 Storm Worm
Though I did consider the 1988 Morris worm, regarded as the first worm, I had to go with the 2007 Storm Worm as the 5th to include. Known by many names, the Storm Worm is a backdoor Trojan that affects Microsoft-based computers.
Here, again, we see distribution of the payload through email, with the subject reading “230 dead as storm batters Europe”. The Storm Worm was a Trojan horse that would join the infected computer to a bot-net – a network of remotely-controllable computers. Though it was thought to be a bot-net of millions of computers, the exact numbers were never known.