Cybercrime is constantly evolving. Cybercriminals are always searching for new ways to compromise our IT security and cause problems for users and organizations all over the world. But with such a vertiginous rate of adaptation, both for malware and for new cyberattack techniques, and with so much effort going into stopping new cyberthreats, it can be easy to forget the threats that wreaked so much havoc in the past.
However, an artist called Guo O Dong has created a work of art that can serve as a reminder of some of cybercrime’s past successes. On May 29, his artwork, The Persistence of Chaos, was sold for over a million dollars. The work is a laptop that contains six of the most dangerous pieces of malware in history. With the help of a cybersecurity company, Guo O Dong filled the laptop with dangerous code. To ensure that the work isn’t used to carry out any malicious activities, it has been air gapped, a security measure to stop it from being able to connect to any networks.
The six pieces of malware on this laptop are among the most destructive in the recent history of IT security. They are: ILOVEYOU from 2000; Sobig from 2003; Mydoom from 2004; BlackEnergy from 2007; DarkTequila from 2013; and WannaCry from 2017.
Below, we take an in-depth look at some of these pieces of malware, the devastating effects that they had at the time, and the techniques that they used.
Computer worms
ILOVEYOU. In May 2000, tens of millions of computers around the world received an email with the subject “ILOVEYOU” and an attachment called “LOVE-LETTER-FOR-YOU.TXT.vbs”. Windows hid the .vbs extension by default, so the file appeared to be a plain text file.
However, opening the file activated a VBScript that overwrote files on the victim’s computer. It then forwarded itself to all the addresses in the Windows Address Book. The fact that it seemed to have been sent by a known contact encouraged many people to open it, assuming that it was safe.
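The double-extension trick described above is easy to check for at a mail gateway. The following is an added example, not code from the original article: it simulates Windows' "hide extensions for known file types" behaviour to work out what the user would see, and flags names whose real extension is executable while the visible one looks harmless. The extension sets are assumed sample lists, and the whitespace-padding check goes slightly beyond the ILOVEYOU case.

```python
"""Flag attachment names that use the ILOVEYOU double-extension trick.

Added example, not code from the original article. The extension sets
below are assumed sample lists for illustration, not a complete policy.
"""
from dataclasses import dataclass, field
import os

# Extensions Windows Explorer hides by default (assumed sample list).
HIDDEN_BY_DEFAULT = {".vbs", ".vbe", ".js", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# Extensions that execute when double-clicked (assumed sample list).
EXECUTABLE = HIDDEN_BY_DEFAULT | {".wsf", ".com", ".hta"}
# Extensions a user reads as harmless data (assumed sample list).
BENIGN_LOOKING = {".txt", ".doc", ".pdf", ".jpg", ".png", ".xls"}


@dataclass
class Verdict:
    filename: str
    displayed_as: str  # what the user sees with "hide extensions" on
    real_ext: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def displayed_name(filename: str) -> str:
    """Simulate Explorer's 'hide extensions for known file types'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in HIDDEN_BY_DEFAULT else filename


def inspect_attachment(filename: str) -> Verdict:
    """Return a Verdict listing why the name is deceptive, if it is."""
    stem, real_ext = os.path.splitext(filename)
    real_ext = real_ext.lower()
    shown = displayed_name(filename)
    apparent_ext = os.path.splitext(shown)[1].lower().strip()
    v = Verdict(filename, shown, real_ext)
    if real_ext in EXECUTABLE:
        v.reasons.append(f"runs as {real_ext}")
        if apparent_ext in BENIGN_LOOKING:
            v.reasons.append(f"shown as {apparent_ext} when extensions are hidden")
        if stem != stem.rstrip():  # "photo.jpg   .scr" padding trick
            v.reasons.append("whitespace padding pushes the real extension out of view")
    return v


if __name__ == "__main__":
    for name in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "invoice.pdf", "photo.jpg   .scr"):
        v = inspect_attachment(name)
        print(f"{name!r}: shown as {v.displayed_as!r} -> {v.reasons or 'ok'}")
```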
It is estimated that it caused between 5.5 and 8.7 billion dollars’ worth of damage around the world, and after 10 days it had reached some 50 million computers – 10% of all computers with an Internet connection at the time.
Sobig. This worm arrived on Windows computers in 2003 and is the second fastest-spreading computer worm in history. It holds the record for the volume of emails sent. It was sent out with subjects such as “Re: Movies”, “Re: Sample”, and “Re: Document”, and caused damages of around 37 billion dollars. At its height, two of every three spam emails were sent by the Sobig botnet.
Mydoom. This worm appeared in 2004 and holds the record for the fastest-spreading worm in history. With subjects such as “Error” and “Mail Delivery System”, the email contained an attachment that, if opened, forwarded the email to all the email addresses found in local files. Its payloads included opening a backdoor that allowed the computer to be controlled remotely, and a DoS attack.
Attacks on states
BlackEnergy was first discovered in 2007. It is an HTTP-based toolkit that can be used to carry out DDoS attacks, as well as to build botnets for spam campaigns that deliver other kinds of malware. Unlike the worms seen above, this malware didn’t rely on indiscriminate spam campaigns to reach its targets; to gain access to specific organizations, it used spear phishing.
Its most notorious use was in 2015 when it was employed in the cyberattacks on critical infrastructure in Ukraine, causing blackouts all over the country. Before that, in 2014, it managed to infiltrate infrastructure in the United States.
What can we learn from these historic cyberattacks?
Some of these pieces of malware – ILOVEYOU, Sobig, Mydoom – are no longer causing problems for the IT security community. Others are still notorious worldwide: BlackEnergy and WannaCry continue to pose a threat to this day. Nevertheless, the techniques used in these attacks can teach us some vital cybersecurity lessons that are still applicable today.
The cyberattacks we’ve seen here have one thing in common: social engineering. All of the emails used in these campaigns relied on believable subjects, email addresses of known contacts (or at least similar-looking addresses), and attachments to infect as many computers as possible. BlackEnergy, with its spear phishing techniques, used all of the above, but with a higher degree of personalization in order to reach the directors of important companies and organizations.
All these techniques are still hugely popular among cybercriminals, so it’s vital to know how to stop them from causing problems in your company. The first step is awareness: employees need to know how to identify fake emails and what to do if they receive one. Another important step is to reiterate that attachments from unknown senders should never be opened.
Cybercrime has changed a lot over the last few years, and is not going to stop advancing, improving its methods, and incorporating new tactics to sneak onto our corporate networks. You can follow all the advances and get to know the latest trends here.