Before I show you my list of the top 4 worst computer viruses of all time, I need to make a distinction between Viruses, Worms and Trojan Horses.
When most people think of malicious software (malware) they think of viruses, but not all malware is technically a virus.
Viruses, Worms and Trojans – oh my!
We all know what a human virus is.
A biological virus is just a tiny infectious agent that duplicates itself inside the cells of living organisms.
Similarly, computer viruses are self-replicating programs that debilitate your PC either by replacing innocent files with copies of themselves or by augmenting existing files and corrupting them. The act of successfully cloning a copy of the virus to another part of your computer is known as an infection.
That being said, some computer viruses are less pernicious than others.
For example a few viruses simply waste disk space or slow your computer by consuming an inordinate amount of system resources. Yes, these actions will still importune you but they are certainly less offensive than some of the uglier viruses out there that totally trash your files.
Worms are more autonomous than viruses. Like viruses, worms replicate but unlike viruses they leverage the network to proliferate themselves to other computers.
Many people erroneously refer to worms as viruses because worms usually inflict greater damage and therefore receive greater press; however, worms and viruses are two distinct things. Worms stand alone and don’t need to attach themselves to existing programs like viruses. Also, where viruses usually corrupt files, worms corrupt entire networks by consuming prodigious amounts of bandwidth.
Finally we arrive at Trojans. The etymology of the term “trojan” goes all the way back to Greek mythology, specifically the Aeneid of Virgil.
The Greeks allegedly crafted an enormous wooden horse and furtively placed a few armed soldiers inside. Later that evening, the Greeks feigned defeat and sailed away into the night but left the horse behind.
The people of Troy emerged from their homes and saw the horse as a symbol of victory, so they pulled it in through the city gates.
Well, as the story goes, later that night the Greek soldiers hiding inside the horse surreptitiously climbed out and opened the gates of Troy so the entire Greek army could return and annihilate the city.
Talk about guile.
But that’s where we get the term and that’s exactly what a Trojan horse does to your computer.
A Trojan isn’t a virus or a worm because it doesn’t replicate itself on the local system or across a network; instead it gives an intruder privileged access to your system while masquerading as legitimate software.
Trojans are infamous for slipping what’s known as a “backdoor” onto the victim’s computer, which basically turns the computer into a playground for hackers who lust for unauthorized access to your machine. This type of malware is a big deal because the backdoor can divulge sensitive information to intruders such as passwords, stored credit card information and other personally identifiable data. All your keystrokes are logged, and all your actions are monitored and saved so the hacker can play them back.
Hackers can also use backdoor programs to do things to your computer that might make you think it’s possessed by demons.
For example, if you see your CD-ROM randomly opening, windows closing themselves or your mouse cursor moving without you actually moving the mouse or track pad, then you may have someone connecting to your computer via a backdoor.
Fortunately most of the top antivirus programs out there can deal with these threats.
The hit list
Technically the title of this post is a misnomer because I’m going to list the 4 worst malware incidents of all time. But now that you know how to distinguish viruses from worms and worms from trojans, I’m going to enumerate the most egregious offenders of all time.
4. Melissa Virus
The Melissa Virus is a macro-instruction (Macro) virus created by David Smith which infected Windows 98 computers.
Smith named it after a Miami stripper and disseminated it to the Usenet group called alt.sex. The virus itself lived inside a file called list.doc which had passwords to a bunch of pornographic sites. As soon as the victim attempted to open list.doc in Microsoft Word 97 or 2000, the macro initiated and attempted to mass mail itself to the first 50 entries it could grab from the local address book.
The virus actually caused software giants such as Microsoft to temporarily shut down their email servers because Microsoft was unwittingly abetting the propagation of the virus. One of the cardinal reasons why Smith’s virus was so successful was that the sender’s name was usually someone the victim knew, so when the victim saw the list.doc attachment hanging out in their inbox, there was a greater chance he or she would open it.
Incidentally, Smith was indicted and received a 20 month jail sentence. He was also fined $5,000 and proscribed from using a computer without court consent.
3. MyDoom Worm
The name of this virulent worm is apt given the doom it brought its hapless victims.
February of 2004 was a month of doom for many people. In fact, according to British security firm MessageLabs, 1 in 12 emails handled by the security firm was infected with the MyDoom worm. That equates to over 100,000 instances of the worm being intercepted every hour!
It was actually the fastest spreading worm of all time and was so ubiquitous that the SCO Group was offering a quarter million dollar reward for “information leading to the arrest and conviction of those responsible for the crime”. Part of the impetus behind the bounty is that MyDoom kicked the SCO site offline for several days. Hundreds of thousands of computers were being harnessed to overwhelm sco.com until the webserver could no longer respond to HTTP requests. This is a classic example of a distributed denial of service attack because there were machines all over the world acting in unison to attack a single resource.
MyDoom was effective for three reasons:
First, it proliferated through the internet by using both email and peer-to-peer file sharing networks such as KaZaA. This one-two punch helped the worm get a fast start across the web.
Second, it manifested itself as an email attachment with a benign subject that said either “Mail Delivery System” or “Mail Transaction Failed”. The subject seemed harmless and this often pricked the curiosity of the recipient, which ineluctably led to the opening of the attachment. This naturally exacerbated the problem because it helped the worm propagate across the internet, using the victim’s address book for fodder.
Third, the worm carried a payload with instructions to assail Google, AltaVista and Lycos with a massive amount of search requests. In fact, on July 26th of 2004 it got so bad that MyDoom managed to completely lock up Google for a major portion of the workday.
MyDoom was eventually contained by major antivirus vendors; however, the aftermath of the damage was still felt years later. For example, a year later, in February of 2005, a new variant of the worm was discovered in the wild. Then, four years later in 2009, it resurfaced as a coordinated series of cyber attacks against South Korea and the United States.
The author of MyDoom was never ascertained; however, several security firms believe it originated from a programmer based in Russia.
2. Sasser Worm
In the Spring of 2004 a noxious worm began to besiege Windows XP and Windows 2000 machines. Called Sasser because it exploited a vulnerability in the Local Security Authority Subsystem Service (LSASS), the worm fomented lots of damage on the internet.
LSASS’s primary function in life is to deal with all the security stuff on a Windows system.
For example, the LSASS process manages password changes and verifies users as they log in to their computers. I find it ironic that a component designed to secure the system had, ipso facto, vulnerabilities itself. Sasser author Sven Jaschan was able to use a weakness in LSASS to spawn his attacks.
The Sasser worm started its day by scanning IP ranges on TCP port 445 looking for vulnerable Windows hosts. Once infected, the worm made it difficult to shut down the PC without physically pulling the plug. It also chronically crashed LSASS.exe and severely disrupted usability.
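The port 445 sweep described above is the kind of traffic pattern a defender can pick out of firewall logs. The following is an added example, not code from the original post: it flags any source that contacts many distinct hosts on TCP 445 within a short window. The log format, the sample lines and the thresholds are all assumptions made for the example.

```python
# Added example (not from the original post): flag hosts that sweep TCP port 445
# across many distinct destinations in a short window. Log format and
# thresholds are assumptions chosen for the example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp src dst dport" format.
# 10.0.0.7 touches six different hosts on 445 in three seconds (a sweep);
# 10.0.0.9 talks to a single host twice (normal file-sharing traffic).
SAMPLE_LOG = """\
2004-05-01T10:00:00 10.0.0.7 10.0.1.1 445
2004-05-01T10:00:01 10.0.0.7 10.0.1.2 445
2004-05-01T10:00:01 10.0.0.7 10.0.1.3 445
2004-05-01T10:00:02 10.0.0.7 10.0.1.4 445
2004-05-01T10:00:02 10.0.0.7 10.0.1.5 445
2004-05-01T10:00:03 10.0.0.7 10.0.1.6 445
2004-05-01T10:00:10 10.0.0.9 10.0.1.20 445
2004-05-01T10:00:11 10.0.0.9 10.0.1.20 445
2004-05-01T10:05:00 10.0.0.7 10.0.1.7 445
"""

def parse_line(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_scanners(log_text, port=445, window=timedelta(seconds=30), min_targets=5):
    """Return {src: distinct_target_count} for sources that contacted at least
    `min_targets` distinct hosts on `port` within any span of length `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == port:
            events[src].append((ts, dst))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide `start` forward so hits[start..end] all fall inside `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"possible port-445 sweep from {src}: {n} distinct targets in 30s")
```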
Microsoft actually patched the problem a few days before the worm went wild; however, I guess the patch wasn’t adequate because it didn’t avert the issue.
The ramifications of the worm were fairly widespread. For example, the University of Missouri had to unplug their computers from the internet to mitigate the effects of the worm. In addition, large investment banks such as Goldman Sachs wasted lots of hours wrestling with the worm.
Jaschan was eventually caught and found guilty. Given that the worm was released on his 18th birthday, it didn’t take law enforcement too long to connect the dots.
1. Storm Trojan
The Storm trojan was a cataclysmic event that some people will never forget.
In the beginning of 2007, the digital storm inundated thousands of computers. Unsuspecting users would open emails with innocuous subjects such as:
230 dead as storm batters Europe
FBI vs Facebook
After opening the attachment, the trojan began the dirty work of implanting a service called wincom32 and passing data to other infected hosts. All the infected hosts became zombies or bots that participated in a huge peer-to-peer network of slave machines. Each machine coalesced into a monster web of computers that were all working in concert to infect the world.
This is known as a bot network, or botnet for short.
Most botnets have a central computer that sends command and control instructions to the compromised systems; however, the Storm trojan was different in that it was completely decentralized, somewhat like BitTorrent. This made it extremely difficult to kill the cause of the problem.
In September 2007, the botnet grew to millions of computers. Peter Gutmann estimated somewhere between 1 and 10 million CPUs were under the rule of the massive storm trojan.
Fortunately almost all the antivirus vendors picked up on the surge and updated their detection signatures; however, the Storm trojan creators incessantly altered the trojan’s code to evade detection.
The storm threat was eventually contained but that’s after thousands of machines were owned and millions of hours were wasted dealing with the pandemic.
The Bottom Line
The bottom line is you should always be wary of opening email attachments, especially those that end in .exe.
Even if you trust the sender you shouldn’t be so quick to open an attachment. As we’ve seen above, many forms of malware can spoof the sender address from a valid contact in your address book so a valid sender address isn’t an adequate criterion for determining if a file is safe.
Keeping your antivirus software updated, scheduling regular scans and downloading attachments with a scrupulous, critical eye will keep most malware threats at bay.
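The advice above comes down to two cues: a lure subject line and an attachment that is really a program. The following added example (not code from the original post) triages a message on both counts, checking the attachment's content for the "MZ" header that every Windows executable starts with, so a renamed .exe is still caught. The lure subjects are the ones quoted in this post; the message itself is constructed for the example.

```python
# Added example (not part of the original post): flag an e-mail by the two cues
# the post describes: a lure subject line and an attachment whose bytes are a
# Windows executable, whatever its file name says. The message is constructed.
import email
from email import policy
from email.message import EmailMessage

# Subjects quoted in the post (MyDoom and Storm lures), compared case-insensitively.
LURE_SUBJECTS = {"mail delivery system", "mail transaction failed",
                 "230 dead as storm batters europe", "fbi vs facebook"}
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def build_sample_message():
    """Constructed test message: lure subject plus a PE file disguised as .txt."""
    msg = EmailMessage()
    msg["From"] = "Known Contact <contact@example.com>"  # looks like a contact
    msg["To"] = "you@example.com"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("The original message was included as an attachment.")
    # A real PE file begins with the DOS header "MZ"; the rest is padding here.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="message.txt")
    return msg.as_bytes()

def attachment_findings(raw_bytes):
    """Return a list of (filename, reason) for attachments that should be blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXTENSIONS):
            findings.append((name, "executable extension"))
        # content check: catches executables renamed to .txt, .doc, etc.
        if payload[:2] == b"MZ":
            findings.append((name, "MZ header: Windows executable content"))
    return findings

def is_lure_subject(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return (msg["Subject"] or "").strip().lower() in LURE_SUBJECTS

if __name__ == "__main__":
    raw = build_sample_message()
    print("lure subject:", is_lure_subject(raw))
    for name, reason in attachment_findings(raw):
        print(f"block {name}: {reason}")
```

Note that the sender line passes every check here, which is the post's point: a familiar From address is not evidence the attachment is safe.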
Do you remember being infected by any of the malware I mentioned? Did you know any friends or co-workers who were infected? How did you handle that? Let me know in the comments!