Did you know that numerous cyber attacks in the past have caused millions of dollars in damage? Here, we have put together a list of the most dreadful malware attacks in the history of cyber crime that will definitely intrigue you!
WannaCry Ransomware - 2017
The WannaCry ransomware attack was one of the most recent and most dangerous cyber attacks in the history of cyber crime. It was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which mainly targeted machines running the Microsoft Windows operating system, encrypting data and demanding ransom payments in Bitcoin. It propagated through EternalBlue, an exploit developed by the United States National Security Agency (NSA) for older Windows systems. EternalBlue had been stolen and leaked by a group called The Shadow Brokers a few months prior to the attack. Although Microsoft had released patches to fix these vulnerabilities, many computers had still not been updated and hence fell victim to the attack.
The attack was halted within a few days of its discovery due to emergency patches released by Microsoft and the discovery of a kill switch that prevented infected computers from spreading WannaCry further. The attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. Security experts believed from preliminary evaluation of the worm that the attack originated from North Korea or agencies working for the country.
It was in December 2017 that the United States, United Kingdom and Australia formally asserted that North Korea was behind the attack.
Cryptolocker
The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running Microsoft Windows, and was believed to have first been posted to the Internet on 5 September 2013. It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment (through either bitcoin or a pre-paid cash voucher) was made by a stated deadline, and it threatened to delete the private key if the deadline passed. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.
Although CryptoLocker itself was easily removed, the affected files still remained encrypted in a way which researchers considered unfeasible to break. Many said that the ransom should not be paid, but did not offer any way to recover files; others said that paying the ransom was the only way to recover files that had not been backed up. Some victims also claimed that paying the ransom did not always lead to the files being decrypted.
CryptoLocker was isolated in late May 2014 via Operation Tovar, which took down the Gameover ZeuS botnet that had been used to distribute the malware. During the operation, a security firm involved in the process obtained the database of private keys used by CryptoLocker, which was in turn used to build an online tool for recovering the keys and files without paying the ransom. It is believed that the operators of CryptoLocker successfully extorted a total of around $3 million from victims of the trojan. Other instances of encryption-based ransomware that have followed have used the "CryptoLocker" name (or variations), but are otherwise unrelated.
GameOverZeus
GameOverZeus is a peer-to-peer botnet based on components from the earlier ZeuS trojan. The malware was created by Evgeniy Mikhailovich Bogachev of Russia. It is believed to have been spread through use of the Cutwail botnet.
Unlike its predecessor the ZeuS trojan, Gameover ZeuS uses an encrypted peer-to-peer communication system to communicate between its nodes and its command and control servers, greatly reducing its vulnerability to law enforcement operations. The algorithm used appears to be modeled on the Kademlia P2P protocol.
Scammers control and monitor Gameover ZeuS via a Command and Control (C&C) server. The virus establishes a connection to the server as soon as its malicious executable is installed on the computer, at which point it can disable certain system processes, download and launch executables, or even delete essential system files, easily bricking the device.
According to a report by Symantec, Gameover ZeuS has largely been used for banking fraud and distribution of the CryptoLocker ransomware.
Stuxnet
Stuxnet is a malicious computer worm, first uncovered in 2010, thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. The worm is widely understood to be a cyberweapon built jointly by the United States and Israel, although neither country has openly admitted responsibility.
Stuxnet specifically targets programmable logic controllers (PLCs), which allow the automation of electromechanical processes such as those used to control machinery and industrial processes including gas centrifuges for separating nuclear material. Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart. Stuxnet's design and architecture are not domain-specific and it could be tailored as a platform for attacking modern supervisory control and data acquisition (SCADA) and PLC systems (e.g., in factory assembly lines or power plants), most of which are in Europe, Japan, and the US. Stuxnet reportedly ruined almost one-fifth of Iran's nuclear centrifuges. Targeting industrial control systems, the worm infected over 200,000 computers and caused 1,000 machines to physically degrade.
Stuxnet has three modules: a worm that executes all routines related to the main payload of the attack; a link file that automatically executes the propagated copies of the worm; and a rootkit component responsible for hiding all malicious files and processes, to prevent detection of Stuxnet. It is typically introduced to the target environment via an infected USB flash drive, thus crossing any air gap. The worm then propagates across the network, scanning for Siemens Step7 software on computers controlling a PLC. In the absence of either criterion, Stuxnet becomes dormant inside the computer. If both the conditions are fulfilled, Stuxnet introduces the infected rootkit onto the PLC and Step7 software, modifying the code and giving unexpected commands to the PLC while returning a loop of normal operation system values back to the users.
In 2015, Kaspersky Lab noted that the Equation Group had used two of the same zero-day attacks prior to their use in Stuxnet and commented that "the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the Equation Group and the Stuxnet developers are either the same or working closely together".
Mydoom Virus
Mydoom, also known as W32.MyDoom@mm, Novarg, Mimail.R and Shimgapi, is a computer worm affecting Microsoft Windows. It was first sighted on January 26, 2004. It became the fastest-spreading e-mail worm ever (as of January 2004), exceeding previous records set by the Sobig worm and ILOVEYOU, a record which as of 2019 has yet to be surpassed.
Mydoom appears to have been commissioned by e-mail spammers so as to send junk e-mail through infected computers.[2] The worm contains the text message "andy; I'm just doing my job, nothing personal, sorry," leading many to believe that the worm's creator was paid. Early on, several security firms expressed their belief that the worm originated from a programmer in Russia. The actual author of the worm is unknown.
Speculative early coverage held that the sole purpose of the worm was to perpetrate a distributed denial-of-service attack against SCO Group. 25 percent of Mydoom.A-infected hosts targeted www.sco.com with a flood of traffic. Trade press conjecture, spurred on by SCO Group's own claims, held that this meant the worm was created by a Linux or open source supporter in retaliation for SCO Group's controversial legal actions and public statements against Linux. This theory was rejected immediately by security researchers. Since then, it has been likewise rejected by law enforcement agents investigating the virus, who attribute it to organized online crime gangs.
Initial analysis of Mydoom suggested that it was a variant of the Mimail worm—hence the alternate name Mimail.R—prompting speculation that the same people were responsible for both worms. Later analyses were less conclusive as to the link between the two worms.
Mydoom was named by Craig Schmugar, an employee of computer security firm McAfee and one of the earliest discoverers of the worm. Schmugar chose the name after noticing the text "mydom" within a line of the program's code. He noted: "It was evident early on that this would be very big. I thought having 'doom' in the name would be appropriate."
MyDoom is the most devastating computer virus to date, which caused more than $38 billion in damage.
Sasser and Netsky
Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable port. Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier.
Netsky is a prolific family of computer worms which affect Microsoft Windows operating systems. The first variant appeared on Monday, February 16, 2004. The "B" variant was the first family member to find its way into mass distribution. It appeared on Wednesday, February 18, 2004. 18-year-old Sven Jaschan of Germany confessed to having written these, and other worms, such as Sasser.
Although individual functions vary widely from virus to virus, the Netsky family perhaps is most famous for comments contained within the code of its variants insulting the authors of the Bagle and Mydoom worm families and, in some cases, routines that removed versions of these viruses. The "war" as it was referred to in the media caused a steady increase in the number of variant viruses produced in these families. As of June 2004, Bagle had approximately 28, Netsky approximately 29, and MyDoom approximately 10.
Other symptoms of Netsky included beeping sounds on specified dates, usually in the morning hours.
The worm was sent out as an e-mail, enticing recipients to open an attachment. Once opened, the attached program would scan the computer for e-mail addresses and e-mail itself to all addresses found.
Until October 2006, the P variant of this virus remained the most prevalent virus being sent in e-mail throughout the world, despite being over two and a half years old.[2] It was surpassed by a variant from the Stration malware family in November 2006.
CodeRed
Code Red was a computer worm observed on the Internet on July 15, 2001. It attacked computers running Microsoft's IIS web server. It was the first large-scale, mixed-threat attack to successfully target enterprise networks.
The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh when it exploited a vulnerability discovered by Riley Hassell. They named it "Code Red" because Code Red Mountain Dew was what they were drinking at the time.
Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the number of infected hosts reached 359,000.
On July 19, the Code Red worm infected more than 250,000 computer systems in just nine hours, and it was estimated to have caused $2 billion in lost productivity. The Pentagon took hundreds of Defense Department Web pages offline in order to install protection against "Code Red."
In order to protect your computer, Microsoft has made available a "patch" that is intended to protect computers against "Code Red." It can be downloaded from the home page of the Microsoft Web site (www.microsoft.com).
Plug X
The Plug X malware, also known as "Korplug", is a Remote Access Trojan (RAT) first discovered in 2012. It primarily targeted government agencies and specific businesses and organizations, and it spread via phishing emails, spam campaigns, and spear-phishing campaigns.
The attack started with a phishing email containing a malicious attachment, usually a specially crafted document that exploits a vulnerability in either Adobe Acrobat Reader or Microsoft Word.
In July 2016, a Japanese travel agency, JTB Corp, suffered a data breach compromising almost 7.93 million user records. The data breach was the result of an employee opening a malicious document which he received via a phishing email. The malicious document included the PlugX RAT, which installed the Elirks backdoor trojan, designed to steal user information.
PlugX contains backdoor modules to perform the following tasks:
XPlugDisk – It is used to copy, move, rename, execute and delete files.
XPlugProcess – It is used to enumerate processes, get process information, and terminate processes.
XPlugKeyLogger – It is used to log keystrokes.
XPlugNethood – It is used to enumerate network resources and set TCP connections.
XPlugService – It is used to delete, enumerate, modify, and start services.
XPlugShell – It is used to open a remote shell on the affected system.
Nimda
Nimda is a computer virus that caused traffic slowdowns as it rippled across the Internet, spreading through four different methods, infecting computers containing Microsoft's Web server, Internet Information Server (IIS), and computer users who opened an e-mail attachment. It first appeared on September 18, 2001.
Like a number of predecessor viruses, Nimda's payload appears to be the traffic slowdown itself - that is, it does not appear to destroy files or cause harm other than the considerable time that may be lost to the slowing or loss of traffic known as denial-of-service and the restoring of infected systems. With its multi-pronged attack, Nimda appears to be the most troublesome virus of its type that has yet appeared. Its name (backwards for "admin") apparently refers to an "admin.dll" file that, when run, continues to propagate the virus.
It probes each IP address within a randomly-selected range of IP addresses, attempting to exploit weaknesses that, unless already patched, are known to exist in computers with Microsoft's Internet Information Server. A system with an exposed IIS Web server will read a Web page containing an embedded JavaScript that automatically executes, causing the same JavaScript code to propagate to all Web pages on that server.
As people (those with Microsoft Internet Explorer browsers at the 5.01 or earlier level) visit sites at the infected Web server, they unwittingly download pages with the JavaScript that automatically executes, causing the virus to be sent to other computers on the Internet in a somewhat random fashion.
Nimda also can infect users within the Web server's own internal network that have been given a network share (a portion of file space).
Finally, one of the things that Nimda has an infected system do is to send an e-mail with a "readme.exe" attachment to the addresses in the local Windows address book. A user who opens or previews this attachment (which is a Web page with the JavaScript) propagates the virus further.
ZeroAccess botnet
ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.
The ZeroAccess botnet was discovered at least around May 2011. The ZeroAccess rootkit responsible for the botnet's spread is estimated to have been present on at least 9 million systems. Estimates of the size of the botnet vary across sources; antivirus vendor Sophos estimated the botnet size at around 1 million active and infected machines in the third quarter of 2012, and security firm Kindsight estimated 2.2 million infected and active systems.
The bot itself is spread through the ZeroAccess rootkit through a variety of attack vectors. One attack vector is a form of social engineering, where a user is persuaded to execute malicious code either by disguising it as a legitimate file, or including it hidden as an additional payload in an executable which announces itself as, for example, bypassing copyright protection (a keygen). A second attack vector utilizes an advertising network in order to have the user click on an advertisement that redirects them to a site hosting the malicious software itself. A third infection vector used is an affiliate scheme where third party persons are paid for installing the rootkit on a system.
In December 2013 a coalition led by Microsoft moved to destroy the command and control network for the botnet. The takedown was ineffective, though, because not all C&C servers were seized, and the botnet's peer-to-peer command and control component was unaffected, meaning the botnet could still be updated at will.
ILOVEYOU
According to Wikipedia, ILOVEYOU, sometimes also referred to as Love Bug or Love Letter for you, is a computer worm that infected over ten million Windows personal computers on and after 4 May 2000 when it started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.txt.vbs". The latter file extension ('vbs', a type of interpreted file) was most often hidden by default on Windows computers of the time (as it is an extension for a file type that is known by Windows), leading unwitting users to think it was a normal text file. Opening the attachment activates the Visual Basic script. The worm inflicts damage on the local machine, overwriting random types of files (including Office files, image files, and audio files; however after overwriting MP3 files the virus hides the file), and sends a copy of itself to all addresses in the Windows Address Book used by Microsoft Outlook. This made it spread much faster than any other previous email worm.
On the machine system level, ILOVEYOU relied on the scripting engine system setting (which runs scripting language files such as .vbs files) being enabled, and took advantage of a feature in Windows that hid file extensions by default, which malware authors would use as an exploit. Windows would parse file names from right to left, stopping at the first period character, showing only those elements to the left of this. The attachment, which had two periods, could thus display the inner fake "txt" file extension. True text files are considered to be innocuous as they are incapable of running executable code. The worm used social engineering to entice users to open the attachment (out of actual desire to connect or simple curiosity) to ensure continued propagation. Systemic weaknesses in the design of Microsoft Outlook and Microsoft Windows were exploited that allowed malicious code capable of complete access to the operating system, secondary storage, and system and user data simply by unwitting users clicking on an icon.
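The double-extension trick described above is easy to check for on the mail gateway. The following is an added example, not code from the original article: it approximates how a Windows client of that era displayed an attachment name with known extensions hidden, compares that with the extension Windows would actually run, and flags attachments such as the quoted "LOVE-LETTER-FOR-YOU.txt.vbs". The extension lists and sample attachment names are constructed for the example and are not exhaustive.

```python
"""Flag e-mail attachment names that abuse Windows' hidden-extension display.

Added example (not from the original article). The extension sets below are
constructed for illustration and are not exhaustive.
"""

# File types Windows runs or hands to a script host when double-clicked.
SCRIPT_OR_EXECUTABLE = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
                        "exe", "com", "scr", "pif", "bat", "cmd"}

# Types users tend to read as harmless documents or media.
LOOKS_HARMLESS = {"txt", "doc", "docx", "rtf", "pdf", "jpg", "jpeg", "png",
                  "gif", "mp3", "xls", "xlsx"}


def split_extension(filename):
    """Return (stem, final extension in lower case); extension is '' if none."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return filename, ""
    # Trailing spaces are stripped so 'photo.jpg   .exe' still resolves to 'jpg'.
    return stem, ext.strip().lower()


def displayed_name(filename):
    """Approximate the Explorer/Outlook rendering with 'Hide extensions for
    known file types' on: the final known extension is dropped, so
    'LOVE-LETTER-FOR-YOU.txt.vbs' is shown as 'LOVE-LETTER-FOR-YOU.txt'."""
    stem, ext = split_extension(filename)
    if ext in SCRIPT_OR_EXECUTABLE | LOOKS_HARMLESS:
        return stem
    return filename


def classify_attachment(filename):
    """Compare what the user sees with what Windows would actually run."""
    _, real_ext = split_extension(filename)
    shown = displayed_name(filename)
    _, shown_ext = split_extension(shown)
    return {
        "name": filename,
        "displayed": shown,
        "real_ext": real_ext,
        "executable": real_ext in SCRIPT_OR_EXECUTABLE,
        # The ILOVEYOU pattern: a runnable file dressed up as a document.
        "deceptive": real_ext in SCRIPT_OR_EXECUTABLE and shown_ext in LOOKS_HARMLESS,
    }


def suspicious_attachments(filenames):
    """Return the classifications a gateway would block or quarantine."""
    return [c for c in map(classify_attachment, filenames) if c["executable"]]


# Constructed sample attachment names; the first is the one the article quotes.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.txt.vbs",
    "quarterly-report.pdf",
    "holiday-photo.jpg   .exe",
    "setup.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for c in suspicious_attachments(SAMPLE_ATTACHMENTS):
        print(f"{c['name']!r} is shown as {c['displayed']!r} but runs as "
              f".{c['real_ext']} (deceptive={c['deceptive']})")
```

A plain executable such as "setup.exe" is reported as executable but not deceptive, since nothing about its displayed name pretends to be a document.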
Messages generated in the Philippines began to spread westwards through corporate email systems. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and were therefore often regarded as "safe" by their victims, providing further incentive to open them. Only a few users at each site had to access the attachment to generate millions more messages that crippled mail systems and overwrote millions of files on computers in each successive network.
Melissa
The Melissa virus was a mass-mailing macro virus released on or around March 26, 1999. As it was not a standalone program, it was not classified as a worm. It targeted Microsoft Word and Outlook-based systems, and created considerable network traffic. The virus would infect computers via email, the email being titled "Important Message From", followed by the current username. Upon clicking the message, the body would read: "Here's that document you asked for. Don't show anyone else ;)." Below this was a document titled list.doc. When the user clicked it, many pornographic sites would open. It would then mass-mail itself to the first 50 people in the user's contact list and then disable multiple safeguard features in Microsoft Word and Microsoft Outlook.
The virus was released on March 26, 1999, by David L. Smith. The virus itself was credited to Kwyjibo, who was shown to be the macrovirus writers VicodinES and ALT-F11 by comparing Microsoft Word documents with the same globally unique identifier — this method was also used to trace the virus back to Smith.
On April 1, 1999, Smith was arrested in New Jersey as a result of a collaborative effort involving the FBI, the New Jersey State Police, Monmouth Internet, a Swedish computer scientist, and others. David L. Smith was accused of causing $80 million worth of damages by disrupting personal computers and computer networks in business and government.
On December 10, 1999, Smith pleaded guilty to releasing the virus.
On May 1, 2002 he was sentenced to 20 months in federal prison and fined $5,000 USD.
SQL Slammer
SQL Slammer is a 2003 computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. It spread rapidly, infecting most of its 75,000 victims within ten minutes.
The program exploited a buffer overflow bug in Microsoft's SQL Server and Desktop Engine database products. Although the MS02-039 patch had been released six months earlier, many organizations had not yet applied it.