11 real and famous cases of malware attacks

  • Updated on June 4, 2021
  • Blog, Threat Research

Famous cases of malware attacks victims

Many famous hacker attacks use malware at some point. For example, the cybercriminal may first send you a phishing email: no attachment, no links, text only. Once he has gained your trust, he sends you a malicious attachment, that is, malware disguised as a legitimate file.

Malware is malicious software designed to infect computers and other devices. The intent behind the infection varies, because the cybercriminal can use malware to make money, to steal secret information that gives a strategic advantage, to stop a business from operating, or simply for fun.

Yes, there are hackers who act for pleasure.

In fact, malware is a broad term, a category. Within this category are different types of threats, such as viruses, worms, trojans, and ransomware.

To fight malware delivered via email, here at Gatefy we offer a secure email gateway solution and an anti-fraud solution based on DMARC. You can request a demo or more information.

To get an idea of the scale, according to the FBI, damages caused by ransomware amounted to more than USD 29.1 million in 2020 alone. And one of the most widely used forms of malware distribution continues to be email. As a Verizon report confirmed: 30% of the malware was directly installed by the actor, 23% was sent there by email and 20% was dropped from a web application.

The cases listed below show how malware attacks can work and give you a glimpse of the harm they cause to businesses and individuals.

In this post, we’ll cover the following malware cases:


Check out 11 real cases of malware attacks

1. CovidLock, ransomware, 2020

Fear of the Coronavirus (COVID-19) has been widely exploited by cybercriminals, and CovidLock ransomware is one example. It infects victims via malicious files that promise more information about the disease.

The problem is that, once installed, CovidLock encrypts the data on Android devices and denies victims access to it. To regain access, you must pay a ransom of USD 100 per device.

2. LockerGoga, ransomware, 2019

LockerGoga is a ransomware that hit the news in 2019 for infecting large corporations around the world, such as Altran Technologies and Hydro. It’s estimated to have caused millions of dollars in damage in advanced, targeted attacks.

LockerGoga infections involve malicious emails, phishing scams and also credential theft. LockerGoga is considered a very dangerous threat because it completely blocks victims’ access to the system.

3. Emotet, trojan, 2018

Emotet is a trojan that became famous in 2018 after the U.S. Department of Homeland Security described it as one of the most dangerous and destructive pieces of malware. The reason for so much attention is that Emotet is widely used to steal financial information, such as bank logins and cryptocurrency.

The main vectors for Emotet’s spread are malicious emails in the form of spam and phishing campaigns. Two striking examples are the case of the Chilean bank Consorcio, with damages of USD 2 million, and the case of the city of Allentown, Pennsylvania, with losses of USD 1 million.

4. WannaCry, ransomware, 2017

One of the worst ransomware attacks in history goes by the name of WannaCry, introduced via phishing emails in 2017. The threat exploits a vulnerability in Windows.

It’s estimated that WannaCry reached more than 200,000 victims worldwide, including hospitals, universities and large companies such as FedEx, Telefonica, Nissan and Renault. The losses caused by WannaCry exceed USD 4 billion.

By the way, have you seen our article about the 7 real and famous cases of ransomware attacks?

5. Petya, ransomware, 2016

Unlike most ransomware, Petya acts by locking the machine’s entire operating system, that is, the Windows system. To release it, the victim has to pay a ransom.

It’s estimated that the losses involving Petya and its newer, more destructive variants amount to USD 10 billion since it was released in 2016. Among the victims are banks, airports, and oil and shipping companies from different parts of the world.

6. CryptoLocker, ransomware, 2013

CryptoLocker is one of the most famous ransomware families in history because, when it was released in 2013, it used a very large encryption key, which made the experts’ work difficult. It’s believed to have caused more than USD 3 million in damage, infecting more than 200,000 Windows systems.

This ransomware was mainly distributed via email, through malicious files that looked like PDF files but, obviously, weren’t.

7. Stuxnet, worm, 2010

Stuxnet deserves special mention on this list for being used in a political attack, in 2010, on Iran’s nuclear program and for exploiting numerous Windows zero-day vulnerabilities. This super-sophisticated worm can infect devices via USB drives, so it needs no internet connection.

Once installed, the malware takes control of the system. It’s believed to have been developed at the behest of some government. Read: the USA and Israel.

8. Zeus, trojan, 2007

Zeus is a trojan distributed through malicious files hidden in emails and on fake websites, in cases involving phishing. It’s well known for propagating quickly and for logging keystrokes, which led it to be widely used for credential and password theft, such as email accounts and bank accounts.

The Zeus attacks hit major companies such as Amazon, Bank of America and Cisco. The damage caused by Zeus and its variants is estimated at more than USD 100 million since it was created in 2007.

9. MyDoom, worm, 2004

In 2004, the MyDoom worm became famous for trying to hit major technology companies, such as Google and Microsoft. It spread by email using attention-grabbing subjects, such as “Error”, “Test” and “Mail Delivery System”.

MyDoom was used for DDoS attacks and as a backdoor to allow remote control. According to reports, the losses are estimated at millions of dollars.

10. ILOVEYOU, worm, 2000

The ILOVEYOU worm disguised itself as a love letter received via email. Reports say that it infected more than 45 million people in the 2000s, causing more than USD 15 billion in damages.

ILOVEYOU is also considered one of the first cases of social engineering used in malware attacks. Once executed, it could self-replicate using the victim’s email.

Also see 10 real and famous cases of social engineering.

11. Melissa, virus, 1999

The Melissa virus infected thousands of computers worldwide by the end of 1999. The threat was spread by email, using a malicious Word attachment and a catchy subject: “Important Message from (someone’s name)”.

Melissa is considered one of the earliest cases of social engineering in history. The virus could spread automatically via email. Reports from that time say that it infected many companies and individuals, causing losses estimated at USD 80 million.

How to fight malware attacks

There are two important fronts in fighting and preventing malware infections.

1. Cybersecurity awareness

The first point is cybersecurity awareness. You need to stay alert on the internet. That means watching out for suspicious websites and emails. And the old tip still holds: if you’re not sure what you’re doing, don’t click on links and don’t open attachments.

2. Technology to fight malware

The second point involves the use of technology. It’s important to have an anti-malware solution on your computer or device. For end users, there are several good free options on the market.

For companies, in addition to this type of solution, we always recommend strengthening the protection of your email. As already explained, email is the main malware vector, so an email security solution can spare your business major headaches.

Here at Gatefy we offer an email gateway solution and a DMARC solution. By the way, you can request a demo by clicking here or ask for more information. Our team of cybersecurity experts will contact you shortly to help.

Josh Fruhlinger

11 infamous malware attacks: The first and the worst

Whether by dumb luck or ruthless skill, these malware attacks left their mark on the internet.

Viruses and other malware spreading for sinister or baffling reasons have been a staple of cyberpunk novels and real-life news stories alike for decades. And in truth, there have been computer viruses on the internet since before it was the internet. This article will take a look at some of the most important milestones in the evolution of malware: These entries each represent a novel idea, a lucky break that revealed a gaping security hole, or an attack that turned out to be particularly damaging—and sometimes all three.

  • Creeper virus (1971)
  • Brain virus (1986)
  • Morris worm (1988)
  • ILOVEYOU worm (2000)
  • Mydoom worm (2004)
  • Zeus trojan (2007)
  • CryptoLocker ransomware (2013)
  • Emotet trojan (2014)
  • Mirai botnet (2016)
  • Petya ransomware/NotPetya wiper (2016/7)
  • Clop ransomware (2019-Present)

1. Creeper virus (1971)

Computer pioneer John von Neumann’s posthumous work Theory of Self-Reproducing Automata, which posited the idea of computer code that could reproduce and spread itself, was published in 1966. Five years later, the first known computer virus, called Creeper, was written by Bob Thomas. Written in PDP-10 assembly language, Creeper could reproduce itself and move from computer to computer across the nascent ARPANET.

Creeper did no harm to the systems it infected—Thomas developed it as a proof of concept, and its only effect was that it caused connected teletype machines to print a message that said “I’M THE CREEPER: CATCH ME IF YOU CAN.” We’re mentioning it here despite its benign nature because it was the first, and set the template for everything that followed. Shortly after Creeper’s release, Ray Tomlinson, best known for implementing the first email program, wrote a rival program called Reaper that spread from computer to computer eliminating Creeper’s code.

2. Brain virus (1986)

Creeper was designed to leap across computer networks, but for most of the 1970s and ’80s that infection vector was limited simply because most computers operated in isolation. What malware did spread from computer to computer did so via floppy disks. The earliest example is Elk Cloner, which was created by a 15-year-old as a prank and infected Apple II computers. But probably the most important of this generation of viruses was one that came to be known as Brain, which started spreading worldwide in 1986.

Brain was developed by computer programmers (and brothers) Amjad and Basit Farooq Alvi, who lived in Pakistan and had a business selling medical software. Because their programs were often pirated, they created a virus that could infect the boot sector of pirated disks. It was mostly harmless but included contact information for them and an offer to “disinfect” the software.

Whether they could actually “fix” the problem isn’t clear, but as they explained 25 years later, they soon started receiving phone calls from all over the world, and were shocked by how quickly and how far Brain had spread (and how mad the people who had illegally copied their software were at them, for some reason). Today Brain is widely regarded as the first IBM PC virus, so we’re including it on our list despite its benign nature, and the brothers still have the same address and phone number that they sent out 25 years ago.

3. Morris worm (1988)

1988 saw the advent of a piece of malware called Morris, which could claim a number of firsts. It was the first widespread computer worm, which meant it could reproduce itself without needing another program to piggyback on. It targeted multiple vulnerabilities to help it spread faster and further. While not designed to do harm, it was probably the first malware to do real, substantive financial damage, more than earning its place on this list. It spread incredibly swiftly—within 24 hours of its release, it had infected 10 percent of all internet-connected computers—and created multiple copies of itself on each machine, causing many of them to grind to a halt. Estimates of the costs of the attack ranged into the millions.

The worm is named after its creator Robert Morris, who was a Cornell grad student at the time and meant it as a proof of concept and a demonstration of widespread security flaws. Morris didn’t anticipate that it would spread so quickly or that its ability to infect individual computers multiple times would cause so much trouble, and he tried to help undo the damage, but it was too late. He ended up the unfortunate subject of another first: the first person convicted under the 1986 Computer Fraud and Abuse Act.

4. ILOVEYOU worm (2000)

Unlike the previous malware creators on this list, Onel de Guzman, who was 24 in 2000 and living in the Philippines, crafted his creation with straightforward criminal intent: he couldn’t afford dialup service, so he built a worm that would steal other people’s passwords so he could piggyback off of their accounts. But the malware so cleverly took advantage of a number of flaws in Windows 95—especially the fact that Windows automatically hid the file extensions of email attachments, so people didn’t realize they were launching executable files—that it spread like wildfire, and soon millions of infected computers were sending out copies of the worm and beaming passwords back to a Filipino email address. It also erased numerous files on target computers, causing millions of dollars in damage and briefly shutting down the U.K. Parliament’s computer system.

de Guzman was never charged with a crime, because nothing he did was illegal in the Philippines at the time, but he expressed regret in an interview 20 years later, saying he never intended the malware to spread as far as it did. He also ended up being something of a pioneer in social engineering: the worm got its name because it spread with emails with “ILOVEYOU” in the subject line. “I figured out that many people want a boyfriend, they want each other, they want love, so I called it that,” de Guzman said.

5. Mydoom worm (2004)

Mydoom may be almost 20 years old as of this writing, but it still holds a number of records. The Mydoom worm infected computers via email, then took control of the victim computer to email out more copies of itself, and did it so efficiently that at its height it accounted for a quarter of all emails sent worldwide, a feat that’s never been surpassed. The infection ended up doing more than $35 billion in damages, which, adjusted for inflation, has also never been topped.

The creator and ultimate purpose of Mydoom remain mysteries today. In addition to mailing out copies of the worm, infected computers were also used as a botnet to launch DDoS attacks on the SCO Group (a company that aggressively tried to claim intellectual property rights over Linux) and Microsoft, which led many to suspect some rogue member of the open source community. But nothing specific has ever been proven.

6. Zeus trojan (2007)

Zeus was first spotted in 2007, at the tail end of the Web 1.0 era, but it showed the way for the future of what malware could be. A Trojan that infects via phishing and drive-by downloads from infected websites, Zeus isn’t just one kind of attack; instead, it acts as a vehicle for all sorts of malicious payloads. Its source code and operating manual leaked in 2011, which helped both security researchers and criminals who wanted to exploit its capabilities.

You’ll usually hear Zeus referred to as a “banking Trojan,” since that’s where its variants focus much of their energy. A 2014 variant, for instance, manages to interpose itself between a user and their banking website, intercepting passwords, keystrokes, and more. But Zeus goes beyond banks, with another variant slurping up Salesforce.com data.

7. CryptoLocker ransomware (2013)

Zeus could also be used to create botnets of controlled computers held in reserve for some later sinister purpose. The controllers of one such botnet, called Gameover Zeus, infected their bots with CryptoLocker, one of the earliest prominent versions of what became known as ransomware. Ransomware encrypts many of the files on the victim’s machine and demands a payment in cryptocurrency in order to restore access.

CryptoLocker became famous for its rapid spread and its powerful asymmetric encryption, which was (at the time) uniquely difficult to break. It also became famous due to something unusual in the malware world: a happy ending. In 2014, the U.S. DoJ and peer agencies overseas managed to take control of the Gameover Zeus botnet and restore the files of CryptoLocker victims free of charge. Unfortunately, CryptoLocker spread via good old-fashioned phishing as well, and variants are still around.

8. Emotet trojan (2014)

Emotet is another piece of malware whose functionality has shifted and changed over the years that it has remained active. In fact, Emotet is a prime example of what’s known as polymorphic malware, with its code changing slightly every time it’s accessed, the better to avoid recognition by endpoint security programs. Emotet is a Trojan that, like others on this list, primarily spreads via phishing (repeat after us: do not open unknown email attachments).

Emotet first appeared in 2014, but like Zeus, is now a modular program most often used to deliver other forms of malware, with Trickster and Ryuk being two prominent examples. Emotet is so good at what it does that Arne Schoenbohm, head of the German Federal Office for Information Security, calls it the “king of malware.”

9. Mirai botnet (2016)

All the viruses and other malware we’ve been discussing so far have afflicted what we think of as “computers”—the PCs and laptops that we use for work and play. But in the 21st century, there are millions of devices with more computing power than anything that Creeper could have infected. These internet of things (IoT) devices are omnipresent, ignored, and often go unpatched for years.

The Mirai botnet was actually similar to some of the early malware we discussed because it exploited a previously unknown vulnerability and wreaked far more havoc than its creator intended. In this case, the malware found and took over IoT gadgets (mostly CCTV cameras) whose default passwords had never been changed. Paras Jha, the college student who created the Mirai malware, intended to use the botnets he created for DoS attacks that would help settle scores in the obscure world of Minecraft server hosting, but instead he unleashed an attack that focused on a major DNS provider and cut off much of the U.S. east coast from the internet for the better part of a day.

10. Petya ransomware/NotPetya wiper (2016/7)

The ransomware Trojan dubbed Petya started afflicting computers in 2016. Though it had a clever mechanism for locking down its victims’ data—it encrypts the master file table, which the OS uses to find files—it spread via conventional phishing scams and wasn’t considered particularly virulent.

It would probably be forgotten today if not for what happened the following year. A new self-reproducing worm variant emerged that used the NSA’s leaked EternalBlue and EternalRomance exploits to spread from computer to computer. Originally distributed via a backdoor in a popular Ukrainian accounting software package, the new version—dubbed NotPetya—quickly wreaked havoc across Europe. The worst part? Though NotPetya still looked like ransomware, it was a wiper designed wholly to ruin computers: the address displayed where users could send their ransom was randomly generated and paying did no good. Researchers believe that Russian intelligence repurposed the more ordinary Petya malware as a cyberweapon against Ukraine—and so, in addition to the massive damage it caused, NotPetya earns its place on this list by illustrating the symbiotic relationship between state-sponsored and criminal hackers.

11. Clop ransomware (2019-Present)

Clop (sometimes written Cl0p) is another ransomware variant that emerged on the scene in 2019 and has grown increasingly prevalent since, to the extent that it was dubbed one of the top malware threats of 2022. In addition to preventing victims from accessing their data, Clop allows the attacker to exfiltrate that data as well. McAfee has a breakdown of the technical details, including a review of ways it can bypass security software.

What makes Clop so interesting and dangerous, however, is not how it’s deployed, but by whom. It’s at the forefront of a trend called Ransomware-as-a-Service, in which a professionalized group of hackers does all the work for whoever will pay them enough (or shares in a percentage of the ransomware riches they extract from victims). The earlier entries in this list are from a day when the internet was for hobbyists and lone wolves; today, it seems even cybercrime is largely the province of governments and professionals.

Josh Fruhlinger is a writer and editor who lives in Los Angeles.


MyDoom: The 15-year-old malware that's still being used in phishing attacks in 2019

Danny Palmer

A destructive form of malware is still actively being distributed, 15 years after it was unleashed, causing over $38bn worth of damage.


MyDoom first emerged in 2004 and is still regarded as one of the fastest spreading and most destructive computer viruses of all time – at one point, the worm generated up to a quarter of all emails being sent worldwide.

It spread by scraping email addresses from infected Windows computers and sending a new copy of itself to the victim’s contacts as a malicious attachment. If the attachment was opened, the process repeated and MyDoom spread to more victims, roping them into a botnet that could perform Distributed Denial of Service (DDoS) attacks.


Such was the impact of MyDoom that on 26 July 2004, it took down Google, preventing users from conducting web searches for most of the day. Other popular search engines of the time, including Yahoo, Lycos and Alta Vista, also experienced slow performance as a result of the attack.

Exactly a decade and a half on from that day, MyDoom is still active in the wild, and according to analysis by Unit 42 – the research division of cybersecurity company Palo Alto Networks – one percent of all emails containing malware sent during 2019 have been MyDoom emails.

It might not sound like much, but it's a large figure considering the sheer number of malicious phishing emails distributed around the globe – and it's a testament to the staying power and self-sufficiency of MyDoom that it remains active to this day.

"The main reason for the high and consistent volume of MyDoom malware is that once infected, MyDoom will work aggressively to find other email addresses on the victim's system to send itself on to," Alex Hinchliffe, threat intelligence analyst at Unit 42 told ZDNet.

"MyDoom will work aggressively to find other email addresses on the victim's system to send itself on to. This worm behaviour means, for the most part, the malware is self-sufficient and could continue to do this forever, so long as people open the email attachments".

The vast majority of IP addresses distributing MyDoom in 2019 are in China, with the United States and Great Britain following in second and third place, but together still only accounting for less than 10% of spam emails sent by infected Chinese systems. Those targeted vary, with Palo Alto Networks spotting MyDoom spam being sent across the globe.

MyDoom distribution remains similar to the way it has always worked, with email subject lines designed to dupe the user into opening an attachment sent from a spoofed email address. In many cases, these are based around failed delivery notifications that suggest the user needs to open the malicious document to find out why.

Other subject lines include random strings of characters, 'hello', 'hi' and 'Click me baby, one more time'. The lures sound basic, but they still prove sufficient to remain effective. However, with education, this could be countered.

"We should be learning about basic levels of cyber hygiene that may prevent such emails from being successful. Things like spotting suspicious file types and being vigilant to odd-looking email sender addresses," said Hinchliffe.
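The two lure mechanics described above, the hidden double extension that let ILOVEYOU's .vbs attachment pass as a text file, and MyDoom's stock subject lines and spoofed sender addresses, can be checked mechanically at an email gateway. The following is an added example written for this page, not code from any of the articles quoted; the `Message` class, the sample messages and the domains are constructed, and the DMARC check is a simplified exact-domain comparison.

```python
"""Screen email metadata for the ILOVEYOU/MyDoom lure patterns discussed above.

Added example, not code from any quoted article. Samples and domains are constructed.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import List

# Attachment types Windows runs as programs. ILOVEYOU relied on Explorer hiding the
# final ".vbs" so "LOVE-LETTER-FOR-YOU.TXT.vbs" looked like a text file.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse"}
# Harmless-looking extensions used as the visible "decoy" in a double extension.
DECOY_EXTS = {"txt", "pdf", "doc", "docx", "xls", "jpg", "png", "htm", "html"}
# Subject lures quoted in the MyDoom coverage above, plus the ILOVEYOU subject.
LURE_SUBJECTS = {"error", "test", "mail delivery system", "hello", "hi",
                 "click me baby, one more time", "iloveyou"}


@dataclass
class Message:          # constructed, minimal stand-in for a parsed message
    header_from: str    # From: header as the user sees it
    envelope_from: str  # Return-Path / SMTP MAIL FROM
    subject: str
    attachments: List[str]


def displayed_name(filename: str) -> str:
    """Name Explorer shows when 'hide extensions for known file types' is on."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def attachment_findings(filename: str) -> List[str]:
    parts = filename.lower().split(".")
    findings: List[str] = []
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        findings.append(f"{filename}: executable attachment type .{ext}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            findings.append(f"{filename}: double extension, shown as "
                            f"'{displayed_name(filename)}' when extensions are hidden")
    return findings


def _looks_random(token: str) -> bool:
    # MyDoom also used subjects that were just random strings: one token, no
    # vowels, or a letter/digit jumble (heuristic; real filters use more signals).
    if " " in token or len(token) < 8 or not token.isalnum():
        return False
    no_vowels = not any(c in "aeiou" for c in token)
    flips = sum(1 for a, b in zip(token, token[1:]) if a.isdigit() != b.isdigit())
    return no_vowels or flips >= 4


def subject_findings(subject: str) -> List[str]:
    s = subject.strip().lower()
    if s in LURE_SUBJECTS:
        return [f"subject {subject!r} matches a known worm lure"]
    if _looks_random(s):
        return [f"subject {subject!r} looks like a random string"]
    return []


def _domain(addr: str) -> str:
    _name, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def sender_findings(header_from: str, envelope_from: str) -> List[str]:
    """Flag a visible From: domain that differs from the envelope sender domain.

    Simplified: real DMARC alignment also accepts organisational-domain matches
    and a DKIM signature whose d= matches the From domain."""
    shown, envelope = _domain(header_from), _domain(envelope_from)
    if not shown or not envelope:
        return ["sender address could not be parsed"]
    if shown != envelope:
        return [f"From domain {shown} does not match envelope sender domain "
                f"{envelope} (spoofing indicator; SPF alignment for DMARC fails)"]
    return []


def screen_message(msg: Message) -> List[str]:
    findings = sender_findings(msg.header_from, msg.envelope_from)
    findings += subject_findings(msg.subject)
    for name in msg.attachments:
        findings += attachment_findings(name)
    return findings


# Constructed samples: an ILOVEYOU-style note sent from a genuinely infected
# account (sender checks pass, the attachment does not), a MyDoom-style fake
# bounce from a spoofed address, and a benign message.
SAMPLE_MESSAGES = [
    Message("friend@example.org", "friend@example.org", "ILOVEYOU",
            ["LOVE-LETTER-FOR-YOU.TXT.vbs"]),
    Message("Mail Delivery System <postmaster@example.com>", "k2q7x@botnet.invalid",
            "Mail Delivery System", ["readme.txt.pif"]),
    Message("alice@example.com", "alice@example.com", "Q3 budget review",
            ["report.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(f"{m.subject!r}: {len(screen_message(m))} finding(s)")
        for f in screen_message(m):
            print("  -", f)
```

The first sample is the instructive one: because the worm mailed itself from the victim's own account, the sender checks pass and only the attachment rules catch it.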

While relatively simple attacks, worms are still a danger to internet users. Both WannaCry and NotPetya – two of the most destructive cyber attacks in recent years – were powered by worm-like capabilities. NotPetya in particular caused vast amounts of financial damage, costing some of its victims hundreds of millions of dollars.


Trojan Horse Examples (2024): The 6 Worst Attacks Ever

By Tibor Moes / Updated: June 2024


In the ever-evolving landscape of cybersecurity, Trojan horse attacks represent a significant and persistent threat to individuals and organizations alike.

This article delves into the history of six of the most devastating Trojan horse attacks, offering insights into their mechanisms, impacts, and the lessons learned from these cyber incursions.

  • ILOVEYOU (2000): This worm masqueraded as a love letter, rapidly infecting millions of computers worldwide. It infected over ten million Windows PCs starting from May 5, 2000.
  • Zeus (2009): A powerful Trojan that targeted financial information, Zeus compromised thousands of FTP accounts including those of major companies. Over 74,000 FTP accounts on high-profile sites were compromised by June 2009.
  • CryptoLocker (2013): This ransomware encrypted users’ files and demanded payment for their release. Between 200,000 to 250,000 computers were infected, with operators extorting around $3 million.
  • Emotet (2014): Initially a banking Trojan, Emotet evolved to deliver other malware and caused significant financial damage. It has cost governments up to $1 million per incident to remediate.
  • Dyre (2014): Dyre targeted banking credentials, showing a marked increase in infection rates and financial theft. Infections rose from 500 to nearly 3,500 instances, with over $1 million stolen from enterprises.
  • BlackEnergy (2015): Initially a simple Trojan, BlackEnergy evolved to disrupt critical infrastructure, notably in Ukraine. It left about 1.4 million people without electricity for several hours in Ukraine.

Don’t become a victim of a trojan horse. Protect your devices with the best antivirus software and your privacy with the best VPN service.

Trojan Horse Examples

1. ILOVEYOU (2000)

In the early days of May 2000, a seemingly harmless email began circulating with the subject line “I LOVE YOU.” What appeared to be a digital note of affection was, in fact, one of the most virulent computer worms of its time. According to Wired.com, the ILOVEYOU worm rapidly infected over ten million Windows personal computers globally, beginning its spread on May 5, 2000.

The worm exploited human curiosity and trust, using a simple email attachment to infiltrate and replicate across networks. Its reach was not only vast but also alarmingly swift, showcasing the vulnerabilities in personal and corporate cybersecurity practices at the dawn of the 21st century.

The ILOVEYOU incident serves as a stark reminder of how digital trust can be exploited and the profound impact of cyber threats on a global scale.

2. Zeus (2009)

Fast forward to 2009, and the cybersecurity world witnessed the emergence of Zeus – a Trojan horse that epitomized the growing sophistication of cybercriminal tactics.

As reported by TheTechHerald.com, in June 2009 it was discovered that Zeus had compromised over 74,000 FTP accounts, infiltrating the online defenses of high-profile companies such as Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.

This malware was not just a tool for data theft; it was a full-fledged operation that targeted the very foundation of corporate and financial security. The Zeus Trojan showcased the escalating arms race in cybersecurity, where the stakes were not just personal information but also the integrity of critical corporate and governmental infrastructures.

3. CryptoLocker (2013)

In 2013, the digital world was introduced to a new form of cyber terror: ransomware. CryptoLocker, a formidable player in this domain, emerged as a ransomware Trojan that held personal files hostage for a ransom.

According to BBC.com, by mid-December of that year, between 200,000 to 250,000 computers were infected by CryptoLocker. The Trojan demanded payment in Bitcoin, exploiting the anonymity of digital currency to carry out its extortion. The operators behind CryptoLocker demonstrated a chilling efficiency, managing to extort an estimated total of around $3 million from victims.

This attack not only highlighted the vulnerability of personal data but also underscored the growing threat of ransomware in the digital age, where data encryption could be weaponized for financial gain.

4. Emotet (2014)

The following year, in 2014, the cybersecurity landscape faced another formidable challenge with the advent of Emotet. Initially a banking Trojan, Emotet evolved into a sophisticated malware delivery service.

Heimdalsecurity.com reported that Emotet infections have cost state, local, tribal, and territorial (SLTT) governments up to $1 million per incident to remediate.

This malware was particularly notorious for its ability to evade standard antivirus detection, making it a persistent threat. Emotet’s impact extended beyond financial losses; it compromised the security of government systems, posing a threat to public sector operations.

The case of Emotet is a stark reminder of the continuous evolution of cyber threats and the escalating costs associated with combating these sophisticated attacks.

5. Dyre (2014)

In the latter part of 2014, the cybersecurity community faced a significant surge in the activity of Dyre, a notorious banking Trojan.

SecurityIntelligence.com reported that in October 2014, the IBM Trusteer team observed a dramatic spike in Dyre infections, escalating from 500 instances to nearly 3,500.

This malware specialized in stealing banking credentials, and IBM Security uncovered an active campaign using a variant of Dyre malware that successfully siphoned more than $1 million from targeted enterprise organizations.

Dyre’s rapid proliferation and financial impact underlined the escalating threat posed by banking Trojans. They no longer just targeted individual consumers; they had evolved to launch sophisticated attacks against large organizations, posing a serious threat to corporate financial security.

6. BlackEnergy (2015)

The year 2015 marked a pivotal moment in cyber warfare with the BlackEnergy attack. According to WeLiveSecurity.com, a significant incident occurred in Ukraine, where approximately 1.4 million people were plunged into darkness for several hours due to a cyberattack.

BlackEnergy, originally designed as a relatively simple Trojan, had evolved into a sophisticated tool capable of carrying out large-scale infrastructure attacks. This incident in Ukraine was particularly alarming as it demonstrated the potential of cyberattacks to cross over from the digital realm into causing real-world, physical disruptions.

The BlackEnergy attack not only disrupted daily life for millions but also signified a new era in cyber threats, where critical infrastructure became a prime target.

As we have seen through these examples, Trojan horse attacks pose a significant and evolving threat in the digital landscape. From the widespread infection caused by ILOVEYOU to the sophisticated financial and infrastructural disruptions by Zeus, CryptoLocker, Emotet, Dyre, and BlackEnergy, the impact of these attacks is both far-reaching and deeply concerning. These incidents underscore the importance of vigilance and proactive measures in cybersecurity.

In light of these threats, the importance of robust antivirus solutions, especially for Windows 11 users, cannot be overstated. Brands like Norton, Avast, TotalAV, Bitdefender, McAfee, Panda, and Avira offer comprehensive protection against such malware.

Investing in these antivirus programs provides not just real-time protection against known threats, but also employs advanced technologies to detect and neutralize emerging threats. With cybercriminals constantly evolving their tactics, having a reliable antivirus is an essential line of defense for safeguarding personal and organizational data.

  • Web.archive.org
  • Thetechherald.com
  • Heimdalsecurity.com
  • Securityintelligence.com
  • Welivesecurity.com

Author: Tibor Moes


Founder & Chief Editor at SoftwareLab

Tibor has tested 39 antivirus programs and 30 VPN services, and holds a Cybersecurity Graduate Certificate from Stanford University.

He uses Norton to protect his devices, CyberGhost for his privacy, and Dashlane for his passwords.

You can find him on LinkedIn or contact him here.


Malwarebrains

Case Studies: How Top Companies Tackled Malware Threats

by Natasha Dixon | Jul 2, 2023 | Malware Defense Tactics


Malware case studies are crucial in understanding how top companies combat the ever-growing menace of malware threats. In today’s digital landscape, the consequences of a malware attack can be devastating, ranging from financial loss to compromising sensitive information. By analyzing real-life scenarios where leading organizations successfully dealt with malware, we can glean valuable insights into effective cybersecurity strategies.

Throughout this article, we will delve into several notable case studies involving top companies and their proactive approach to combating malware. By studying their experiences, we can gain invaluable knowledge on how to strengthen our defenses against these malicious software infections.

Stay tuned as we explore compelling stories of resilience, innovation, and strategic decision-making that have helped these companies navigate the complex world of cybersecurity. Together, let’s uncover the secrets behind their success in mitigating malware threats and learn practical tips that can safeguard our digital environments.

CovidLock Ransomware: Exploiting Fear in the Face of COVID-19

CovidLock ransomware emerged during the height of the COVID-19 pandemic, capitalizing on the widespread fear and uncertainty surrounding the virus. This malware specifically targeted Android devices, infecting them through malicious files disguised as sources of vital information about the disease. Once installed, CovidLock encrypted the victims’ data, locking them out of their devices until a ransom of $100 per device was paid.

The case of CovidLock ransomware serves as a stark reminder of the importance of exercising caution when downloading files related to current events, especially during times of heightened anxiety. Cybercriminals often exploit these situations to trick unsuspecting users into installing malicious software. It also highlights the critical need for robust cybersecurity measures to prevent and respond to such attacks effectively.

To safeguard against malware attacks like CovidLock, it is essential to maintain up-to-date antivirus software, regularly back up data in secure locations, and exercise due diligence when downloading files from the internet. Additionally, organizations should prioritize employee education and awareness programs to ensure that individuals are equipped with the knowledge and skills to recognize and mitigate potential cybersecurity threats.

Protecting Against CovidLock Ransomware

  • Exercise caution when downloading files related to current events, particularly during times of heightened anxiety.
  • Keep antivirus software up-to-date to detect and prevent malware infections.
  • Regularly back up data in secure locations to mitigate the impact of a potential ransomware attack.
  • Train employees on cybersecurity best practices and raise awareness about the risks of downloading unverified files.
CovidLock ransomware at a glance:

  • CovidLock ransomware: Infects Android devices through malicious files disguised as COVID-19 information sources.
  • Impact: Encrypts victims’ data, denying access until a ransom is paid.
  • Prevention: Exercise caution when downloading files, keep antivirus software updated, regularly back up data, and provide cybersecurity awareness training.

By staying vigilant and implementing comprehensive cybersecurity measures, individuals and organizations can protect themselves from the damaging effects of malware attacks like CovidLock ransomware. By understanding the tactics employed by cybercriminals and taking proactive steps to prevent and respond to such threats, we can create a safer digital environment for all.

LockerGoga: Targeted Attacks on Corporate Giants

LockerGoga ransomware has become synonymous with sophisticated and targeted attacks on major corporations worldwide. Notable victims of this malicious software include Altran Technologies and Hydro, both of which suffered millions of dollars in damages.

Unlike many other ransomware strains that rely on widespread distribution, LockerGoga takes a more strategic approach. It infiltrates corporate networks through various means, including malicious emails, phishing scams, and credential theft. Once inside, it launches devastating attacks that disrupt business operations and hold valuable data hostage until a ransom is paid.

The Impact of LockerGoga

The impact of LockerGoga attacks on corporate giants goes beyond financial losses. It highlights the critical need for organizations to have robust cybersecurity defenses in place. By targeting high-profile companies, LockerGoga demonstrates the potential for significant reputational damage and loss of customer trust.

Furthermore, the success of LockerGoga attacks showcases the importance of employee education and awareness. Phishing scams and credential theft often serve as entry points for this ransomware. Therefore, organizations must invest in comprehensive training programs to empower their workforce in recognizing and combating these threats.

LockerGoga ransomware: targeted attacks on corporate giants

  • Notable victims: Altran Technologies, Hydro, and others
  • Method of infiltration: Malicious emails, phishing scams, credential theft
  • Impact: Financial losses, reputational damage, loss of customer trust
  • Importance of cybersecurity defenses: Robust defenses necessary to prevent and mitigate attacks
  • Employee education and awareness: Training programs to recognize and combat phishing and credential theft

Emotet: Stealing Financial Information through Email

Emotet is a highly dangerous trojan that poses a significant threat to individuals and organizations alike. It is designed to steal financial information, including bank logins and cryptocurrencies, through malicious emails. This trojan has been labeled one of the most destructive malware by the U.S. Department of Homeland Security, and its impact has been felt globally.

Emotet spreads through various means, including spam, phishing campaigns, and malicious email attachments. Once a user unknowingly opens an infected email attachment, Emotet gains access to the victim’s system and starts its insidious operations. It can then steal sensitive financial data, compromising the victim’s financial security.

To protect against Emotet and similar threats, organizations and individuals must prioritize email security. Implementing robust email filtering and authentication mechanisms can help prevent malicious emails from reaching inboxes. Regular security awareness training is also crucial to educate users about the risks of opening suspicious attachments or clicking on malicious links.

By strengthening email security defenses and promoting cybersecurity awareness, individuals and businesses can minimize the risk of falling victim to Emotet and safeguard their financial information.

WannaCry: A Global Ransomware Epidemic

The WannaCry ransomware attack sent shockwaves through the cybersecurity community when it struck in May 2017. This global epidemic exploited a vulnerability in Windows operating systems, impacting over 200,000 individuals and organizations worldwide. Hospitals, universities, and major companies like FedEx and Telefonica were among the victims. The financial losses incurred by this cyber assault exceeded a staggering $4 billion, highlighting the urgent need for robust cyber defenses.

The WannaCry attack was a wake-up call for businesses and individuals alike, underscoring the critical importance of timely patching and vulnerability management. Organizations that had not installed the necessary security updates fell prey to the ransomware, which encrypted their critical data and demanded a ransom in Bitcoin for its release. The malware spread rapidly through networks, exploiting vulnerabilities and causing widespread disruption.

To prevent similar global ransomware epidemics in the future, individuals and organizations must remain vigilant and proactive. Regularly updating and patching operating systems, implementing robust cybersecurity measures, and promoting cybersecurity awareness among employees are essential steps to protect against cyber threats like WannaCry. Additionally, organizations should invest in advanced threat detection and response capabilities to swiftly identify and mitigate potential attacks. By prioritizing these measures, businesses can reduce their vulnerability to ransomware attacks and safeguard their valuable data and systems from the devastating impacts of cybercrime.

Petya: Blocking Operating Systems for Ransom

The Petya ransomware is notorious for its ability to completely block the victim’s operating system, particularly in Windows. Once infected, victims are required to pay a ransom in order to regain access to their systems. This type of attack has caused significant damage, impacting banks, airports, and oil and shipping companies worldwide. The financial losses attributed to Petya and its variants have exceeded $10 billion, emphasizing the severe consequences of ransomware attacks on organizations.

Petya is typically distributed through various means, including malicious emails, phishing campaigns, and compromised software updates. Once it infiltrates a system, Petya encrypts the victim’s files and displays a ransom message demanding payment in exchange for the decryption key. The ransomware not only targets individual users but also aims at larger organizations, taking advantage of their reliance on critical systems to disrupt operations and maximize the likelihood of payment.

To protect against Petya and similar ransomware attacks, organizations should implement robust cybersecurity measures. This includes regularly updating software and operating systems to patch any vulnerabilities that could be exploited. Additionally, strong email security protocols and employee training on identifying and avoiding phishing attempts are crucial. Having a comprehensive backup and recovery strategy in place is also essential to mitigate the impact of a ransomware attack and quickly restore affected systems.

ILOVEYOU: Blending Social Engineering and Malware

The ILOVEYOU worm holds a significant place in the history of malware attacks, as it combined social engineering techniques with malicious software. This notorious worm infected millions of people worldwide and caused a staggering $15 billion in damages. It spread through email, disguising itself as an innocent love letter, capturing the curiosity and trust of unsuspecting victims.

This case emphasizes the importance of cybersecurity awareness among individuals. It serves as a reminder to exercise caution when opening email attachments or clicking on suspicious links. By blending social engineering tactics with malware, cybercriminals exploit human emotions and curiosity, making it crucial for users to remain vigilant and adopt robust email security measures.

The ILOVEYOU worm showcases the need for a multi-layered approach to cybersecurity. Implementing advanced email filtering and antivirus software can help detect and block malicious attachments or URLs. Additionally, educating users about common social engineering tactics and the potential risks associated with opening unsolicited emails can significantly reduce the chances of falling victim to such attacks.


Christian Scott is the founder and operator of Malware Brains, a comprehensive cybersecurity website dedicated to educating individuals and businesses about malware and its impacts on society. With over 25 years of collective industry experience, Christian and his team of experts provide unbiased, factual information to help users understand and mitigate the risks associated with malicious software.


Case studies – malware attacks

As our lives increasingly move online, cybersecurity is an important consideration for all businesses, including financial advice businesses. For many financial advisers understanding how to protect sensitive client information from cyber attacks is becoming an important part of sound practice management.

A cyber attack is essentially an attempt by hackers to damage or destroy a computer network or system. One of the ways they can do this is by installing malware (also known as malicious software) on your computer, which allows unauthorised access to your files and can allow your activity to be watched without your knowing. Cyber criminals can then steal personal information and login details for secure websites to commit fraudulent activities.

In this article we discuss steps financial advisers can take to protect themselves from cyber attacks and explore different scenarios that demonstrate what a cyber attack can look like and how it can be prevented.

How can financial advisers improve their cyber security?

  • Turn on auto-updates for your business operating system – such as Windows or Apple’s iOS – and be sure to keep computer security up to date with anti-virus and anti-spyware, as well as a good firewall.
  • Back up important data – to an external hard drive, a USB drive or the cloud – to protect your business from lost data.
  • Enable multi-factor authentication – start using two or more proofs of identity, such as a PIN, passphrase, card or token, or fingerprint, before access is enabled.
  • Implement permissions on a ‘need to know’ basis – your employees don’t need to access everything. Be selective about which permissions are granted to which staff.
  • Conduct regular employee cyber training. Show staff how to ‘recognise, avoid, report, remove and recover’. Your employees can be your defence against cyber crime. Reward staff for their efforts.
  • Always be cautious of the following when receiving emails:
    - requests for money, especially urgent or overdue
    - bank account changes
    - attachments, especially from unknown or suspicious email addresses
    - requests to check or confirm login details
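The email checklist above can be turned into a first-pass triage filter. The following is an added example written for this page, not BT's or any vendor's code: it parses a raw message, flags the four checklist items (money requests, bank account changes, attachments from senders outside a trusted list, requests to confirm login details) and risky attachment types, and returns the hits. The trusted domains, the phrase patterns and the two sample messages are all constructed for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sender domains this (hypothetical) practice treats as known; any other
# sender counts as "unknown or suspicious" in the sense of the checklist.
TRUSTED_DOMAINS = {"example-practice.com.au", "platform.example"}

# Attachment types that commonly carry worms or droppers (constructed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".zip", ".docm", ".xlsm")

# One pattern per checklist item. These are deliberately simple heuristics.
PATTERNS = {
    "money_request": re.compile(r"\b(urgent|overdue|wire|transfer|payment)\b", re.I),
    "bank_change": re.compile(
        r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|bsb)\b", re.I | re.S),
    "credential_confirm": re.compile(
        r"\b(confirm|verify|check)\b.{0,40}\b(login|password|credentials)\b", re.I | re.S),
}

# Constructed sample messages (not real mail).
SUSPICIOUS = """From: "Accounts" <accounts@supplier-invoices.example.net>
To: adviser@example-practice.com.au
Subject: URGENT: overdue invoice - updated bank details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please transfer the overdue payment today. Note our new bank account details attached.
Also confirm your login details on the portal.
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

BENIGN = """From: Platform Support <support@platform.example>
To: adviser@example-practice.com.au
Subject: Daily transaction summary
Content-Type: text/plain

Your daily transaction summary is available in the portal.
"""


def triage(raw_message: str) -> dict:
    """Return the checklist items a raw RFC 822 message triggers."""
    msg = message_from_string(raw_message)
    flags, attachments = [], []
    text = msg.get("Subject", "") + "\n"

    # Checklist: attachments or requests from unknown or suspicious senders.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain not in TRUSTED_DOMAINS:
        flags.append("sender_not_trusted")

    # Collect attachment names and the readable body text.
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
            continue
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode("utf-8", errors="replace")

    # Checklist: money requests, bank account changes, login confirmation requests.
    for name, pattern in PATTERNS.items():
        if pattern.search(text):
            flags.append(name)

    if any(name.lower().endswith(RISKY_EXTENSIONS) for name in attachments):
        flags.append("risky_attachment")

    return {"flags": flags, "attachments": attachments, "score": len(flags)}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(raw))
```

The score is only a prompt for a human to pause before acting on the message; a filter like this belongs in front of the person, not in place of the call-back to the sender that the checklist implies.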

Case studies - malware attacks

Protect yourself and your business

Cyber security assessment tool

The Department of Industry, Science, Energy and Resources has developed a tool to help you identify your business' cyber security strengths and areas where your business can improve. This tool will ask you a series of questions about how you manage your cyber security risks and based on your answers, you will receive a list of recommendations to action. You can download the recommendations as a PDF and access the tool here.

  • Scenario 1 – Advisory practices attacked by a trojan virus
  • Scenario 2 – Adviser subject to a malware attack causing account lock
  • Scenario 3 – Opening email attachment causes all PCs in the office to shut down

Scenario 1 – Advisory practices attacked by a trojan virus

In this scenario, a number of advisory practices were subject to a targeted malware attack via a Trojan virus. This virus helped the cyber criminals access several advisers’ PCs and obtain the login details for systems that had been used.

This attempted fraud took place while the practice was closed over the Christmas holidays.

"We locked up the office that afternoon just before Christmas and went home. We were all looking forward to a nice long break, it’d been a busy year. We wouldn’t be back in the office until the New Year."

Transactions were submitted to the platform over the Christmas period using several advisers’ user IDs.

Direct credit (EFT) bank account details were edited to credit the cyber criminals' ‘mule’ Australian bank account. From this account the cyber criminals would be free to transfer the funds overseas.

Luckily for the practice, the fraud was uncovered before any funds were paid out.

"Even though we were on holiday, we all continued to check our transaction updates via the platform each day. We called the platform right away and they were able to stop the fraudulent payments in time."

Preventing this type of fraud

  • Be diligent about checking platform transaction updates sent by email or displayed online. Specifically look out for withdrawal requests, new accounts opened, asset sell downs and changes to contact details.
  • When taking annual leave, nominate a colleague to check platform transaction updates on your behalf in your absence.
  • Call us immediately if you suspect fraud or malware on your system. We’ll suspend your login ID to attempt to prevent further fraudulent transactions.
  • Bring in a tech specialist immediately to run and update security software and restore your systems back to normal.   
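The checks recommended above (watch transaction updates for withdrawals, new accounts, sell-downs and detail changes, especially while the office is closed) can be automated against the platform's transaction feed. This is an added example written for this page, not BT's or the platform's own code. It assumes a feed of transaction events with a timestamp, the submitting adviser ID, the client account and a type, and it encodes three patterns from the scenario: activity during a declared office closure, a withdrawal shortly after the payee bank details were edited, and several clients' EFT details being redirected to the same destination account. The closure window and the events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime          # when the platform recorded the transaction
    adviser_id: str       # adviser user ID that submitted it
    client_acct: str      # client account it was submitted against
    kind: str             # withdrawal, bank_details_change, contact_change, new_account, sell_down, buy
    detail: str = ""      # e.g. destination BSB/account for a bank_details_change


# Hypothetical closure window declared before the holiday (constructed).
OFFICE_CLOSED = (datetime(2023, 12, 22, 17, 0), datetime(2024, 1, 8, 9, 0))

# Constructed transaction updates modelled on the scenario: two adviser IDs
# redirect two clients' EFT details to the same account, then withdraw.
SAMPLE_EVENTS = [
    Event(datetime(2023, 12, 20, 10, 0), "adv-01", "C-100", "buy"),
    Event(datetime(2023, 12, 27, 2, 13), "adv-01", "C-100", "bank_details_change", "062-000 11112222"),
    Event(datetime(2023, 12, 27, 2, 20), "adv-02", "C-200", "bank_details_change", "062-000 11112222"),
    Event(datetime(2023, 12, 28, 3, 5), "adv-01", "C-100", "withdrawal", "25000.00"),
    Event(datetime(2023, 12, 28, 3, 10), "adv-02", "C-200", "withdrawal", "18000.00"),
    Event(datetime(2024, 1, 9, 10, 0), "adv-03", "C-300", "contact_change", "new mobile"),
]


def review_transactions(events, closure=OFFICE_CLOSED, window=timedelta(days=7)):
    """Return (rule, description) alerts for the suspicious patterns in the scenario."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)

    # Rule 1: anything submitted while the office was declared closed.
    for e in events:
        if closure[0] <= e.ts <= closure[1]:
            alerts.append(("closure_activity",
                           f"{e.kind} on {e.client_acct} by {e.adviser_id} at {e.ts:%Y-%m-%d %H:%M}"))

    # Rule 2: a withdrawal within `window` of the payee bank details being edited.
    last_change = {}
    for e in events:
        if e.kind == "bank_details_change":
            last_change[e.client_acct] = e.ts
        elif e.kind == "withdrawal":
            changed = last_change.get(e.client_acct)
            if changed is not None and e.ts - changed <= window:
                alerts.append(("withdrawal_after_bank_change",
                               f"{e.client_acct}: withdrawal {e.detail} {e.ts - changed} after bank details edit"))

    # Rule 3: several clients redirected to one destination account (a mule account).
    destinations = defaultdict(set)
    for e in events:
        if e.kind == "bank_details_change":
            destinations[e.detail].add(e.client_acct)
    for dest, accts in destinations.items():
        if len(accts) > 1:
            alerts.append(("shared_destination", f"{dest} set on {sorted(accts)}"))

    return alerts


def alert_counts(events):
    """Number of alerts per rule, handy for a daily summary email."""
    counts = defaultdict(int)
    for rule, _ in review_transactions(events):
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, description in review_transactions(SAMPLE_EVENTS):
        print(f"[{rule}] {description}")
    print(alert_counts(SAMPLE_EVENTS))
```

Rule 3 is the one a single adviser checking only their own updates would miss, which is the argument for running the review across the whole practice's feed rather than per login.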

Scenario 2 – Adviser subject to a malware attack causing account lock

A Melbourne advisory practice was the target of a malware attack, having found malware on their system which locked their access to the platform. The malware allowed the cyber criminal to gain access to an adviser’s login details for all systems he had used recently.

The cyber criminals now had access to every website or account that required a login. This included personal banking, platform desktop software, Xplan software and Facebook.

The next time the adviser tried to log in to his platform desktop software, he was locked out.

He rang our account executive team to report that his access was locked. He couldn’t log in, even though he was using his correct user name and password.

The platform reset his password. The next day, when the adviser tried again to log in, he was locked out of the system again.

It became obvious that the adviser’s user ID had been compromised. At this point, the user ID was deleted.

Where you have had your platform access locked, or you suspect fraud or malware on your system, call us immediately as part of your reporting response so we can suspend your login ID to attempt to prevent further fraudulent transactions. Bring in a tech specialist immediately to run and update security software and restore your systems back to normal.

  • Be on the lookout for requests to check and confirm login details.
  • Increase the strength of your identifiers and ensure two or more proofs of identity are required before access to company systems is enabled.
  • Use virus protection software to prevent hackers from accessing your information and to help protect you if you click on a suspicious link or visit a fake website.
  • Schedule regular training for employees so that they can better detect malicious links or avoid downloading content from untrustworthy sources.  

Scenario 3 – Opening email attachment causes all PCs in the office to shut down

A staff member in an advisory practice opened a file attached to an email received one morning.

It turned out the attachment contained a ‘worm’ that infected not only the staff member’s PC, it also spread to all other PCs in the practice network.

This malware caused all PCs in the office to shut down.

The adviser needed to use the platform software that day to ensure his clients participated in a Corporate Action that was closing the following day.

With help from their Business Development Manager, the office worked through the issue so they were able to log into the platform software to complete this critical work from a home laptop that hadn’t been infected with the virus.

  • Never open attachments in emails if you don’t know or trust the source.
  • Ensure your office network is protected with up-to-date anti-virus software.
  • Call us immediately if you suspect fraud or malware on your system. We’ll suspend your login ID to attempt to prevent any further criminal activity.
  • Bring in a tech specialist immediately to run and update security software and restore your systems back to normal.

Ransomware is malware that locks and encrypts a victim's data, files, devices or systems, rendering them inaccessible and unusable until the attacker receives a ransom payment. A ransomware attack can shut down a business for days, even weeks and -- even when the company pays the ransom -- there's no guarantee it will ever get its assets back, or that it won't be attacked again. This guide covers the history and basics of ransomware, identifies the most common targets and offers expert instructions on how to prevent an attack. Or, if the worst happens, how to recognize an attack's taken place and remove the ransomware as swiftly as possible.

Ransomware case study: Recovery can be painful

In ransomware attacks, backups can save the day and the data. Even so, recovery can still be expensive and painful, depending on the approach. Learn more in this case study.

By Alissa Irei, Senior Site Editor

Seasoned IT consultant David Macias will never forget the day he visited a new client's website and watched in horror as it started automatically downloading ransomware before his eyes. He quickly disconnected his computer from the rest of the network, but not before the malware had encrypted 3 TB of data in a matter of seconds.

"I just couldn't believe it," said Macias, president and owner of ITRMS, a managed service provider in Riverside, Calif. "I'm an IT person, and I am [incredibly careful] about my security. I thought, 'How can this be happening to me?' I wasn't online gambling or shopping or going to any of the places you typically find this kind of stuff. I was just going to a website to help out a client, and bingo -- I got hit."

Macias received a message from the hackers demanding $800 in exchange for his data. "I told them they could go fly a kite," he said. He wiped his hard drive, performed a clean install and restored everything from backup. "I didn't lose anything other than about five days of work."

Ransomware case study: Attack #2

A few years later, another of Macias' clients -- the owner of a direct-mail printing service -- called to report he couldn't access his server. Macias logged into the network through a remote desktop and saw someone had broken through the firewall. "I told the client, 'Run as fast as you can and unplug all the computers in the network,'" he said. This short-circuited the attack, but the attacker still managed to encrypt the server, five out of 15 workstations and the local backup.


"What made this ransomware attack so bad was that it attacked the private partition that lets you restore the operating system," Macias added. Although the ransom demanded was again only $800, he advised against paying, since attackers often leave backdoors in a network and can return to steal data or demand more money.


Fortunately, Macias had a full image-based backup of the client's network saved to a cloud service. Even so, recovery was expensive, tedious and time-consuming. He had to reformat the hard drive manually, rebuild the server from scratch and reinstall every single network device. The process took about a week and a half and cost $15,000. "The client was just incredibly grateful that all their data was intact," Macias said.

Although pleased the client's data loss was negligible, Macias wanted to find a more efficient, less painful disaster recovery strategy. Shortly after the second ransomware incident, he learned about a company called NeuShield that promised one-click backup restoration. He bought the technology for his own network and also sold it to the client that had been attacked. According to NeuShield, its Data Sentinel technology works by showing an attacker a mirror image of a computer's data, thus protecting the original files and maintaining access to them, even if encryption takes place.

Ransomware case study: Attack #3

The printing services company experienced another ransomware incident a couple of years later, when its owner was working from home and using a remote desktop without a VPN. A malicious hacker gained entry through TCP port 3389 and deployed ransomware, encrypting critical data.

In this instance, however, Macias said NeuShield enabled him to restore the system with a simple click and reboot. "When they got hit the first time, it took forever to restore. The second time, they were back up and running in a manner of minutes," he said.

While he praised NeuShield's technology, Macias noted it doesn't negate the need for antivirus protection to guard against common malware threats or for cloud backup in case of fires, earthquakes or other disasters. "Unfortunately, there's no one-stop solution," he said. "I wish there was one product that included everything, but there isn't."

Macias said he knows from personal experience, however, that investing upfront can prevent massive losses down the road. "I've had clients tell me, 'I'll worry about it when it happens.' But that's like driving without insurance. Once you get into an accident, it's too late."




Open Access

Peer-reviewed

Research Article

Hybrid Epidemics—A Case Study on Computer Worm Conficker

* E-mail: [email protected] (CZ); [email protected] (SZ)

Affiliations Department of Computer Science, University College London, London, United Kingdom, Security Science Doctoral Research Training Centre, University College London, London, United Kingdom

Affiliation Department of Computer Science, University College London, London, United Kingdom

Affiliation Division of Infection and Immunity, University College London, London, United Kingdom

  • Changwang Zhang, 
  • Shi Zhou, 
  • Benjamin M. Chain

PLOS

  • Published: May 15, 2015
  • https://doi.org/10.1371/journal.pone.0127478

Conficker is a computer worm that erupted on the Internet in 2008. It is unique in combining three different spreading strategies: local probing, neighbourhood probing, and global probing. We propose a mathematical model that combines three modes of spreading: local, neighbourhood, and global, to capture the worm’s spreading behaviour. The parameters of the model are inferred directly from network data obtained during the first day of the Conficker epidemic. The model is then used to explore the tradeoff between spreading modes in determining the worm’s effectiveness. Our results show that the Conficker epidemic is an example of a critically hybrid epidemic, in which the different modes of spreading in isolation do not lead to successful epidemics. Such hybrid spreading strategies may be used beneficially to provide the most effective strategies for promulgating information across a large population. When used maliciously, however, they can present a dangerous challenge to current internet security protocols.

Citation: Zhang C, Zhou S, Chain BM (2015) Hybrid Epidemics—A Case Study on Computer Worm Conficker. PLoS ONE 10(5): e0127478. https://doi.org/10.1371/journal.pone.0127478

Academic Editor: Gui-Quan Sun, Shanxi University, CHINA

Received: December 12, 2014; Accepted: April 14, 2015; Published: May 15, 2015

Copyright: © 2015 Zhang et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper.

Funding: This work was supported in part by the Engineering and Physical Sciences Research Council of UK (no. EP/G037264/1), the China Scholarship Council (file no. 2010611089), and the National Natural Science Foundation of China (project no. 60970034, 61170287, 61232016). The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Competing interests: The authors have declared that no competing interests exist.

Introduction

Epidemic spreading phenomena exist in a wide range of domains [ 1 , 2 ]. Well-known examples include disease spreading [ 3 – 5 ], computer worm proliferation [ 6 – 8 ], and information propagation [ 9 – 11 ]. Modelling and understanding of such phenomena can have important practical values to predict and control real world epidemics [ 3 – 5 , 12 – 15 ].

Some typical spreading mechanisms have been extensively studied, such as the fully-mixed spreading model and the network spreading model. Many epidemics are hybrid as they spread via two or more different mechanisms simultaneously. Previous work on hybrid epidemics has focused on what we call the non-critically hybrid epidemic, where at least one of the spreading mechanisms alone is able to cause an epidemic outbreak, and a mixture of mechanisms brings no advantage.

We are interested in the critically hybrid epidemic, where each spreading mechanism alone is unable to cause any significant spreading whereas the mixture of such mechanisms leads to a huge epidemic outbreak. Recently we proposed a model that explains the behaviour of critically hybrid epidemics, which incorporates two spreading mechanisms in the setting of a metapopulation [ 16 ]. We demonstrated that it is indeed possible to have a highly contagious epidemic by mixing simple, ineffective spreading mechanisms. The properties of such epidemics are critically determined by the ratio at which the different spreading mechanisms are mixed, and usually there is an optimal ratio that leads to a maximal outbreak size.

In this paper we present a detailed analysis of a real hybrid epidemic—the Internet worm Conficker, which erupted on the Internet in 2008 and infected millions of computers. The worm is a hybrid epidemic as the code analysis [ 17 ] has revealed the worm applied three distinct spreading mechanisms: (1) global random spreading, (2) local network spreading, and (3) neighbourhood spreading. It is a critically hybrid epidemic because the first and second spreading mechanisms are highly ineffective if used alone, and the third mechanism, as we will show later, is most effective when mixed with the other two.

We introduce a mathematical model to describe the spreading behaviour of Conficker. Our study was based on measurement data provided by Center for Applied Internet Data Analysis (CAIDA)’s Network Telescope project [ 18 , 19 ], which monitors Internet traffic anomalies. We proposed algorithms to extract Conficker–related features from the CAIDA data. Then we infer the values of our model’s parameters that characterise the worm.

We evaluated our inference results by comparing theoretical predictions with the actual measurement results. Our predictions closely reproduced the outbreak process of Conficker. We then explored possible spreading scenarios based on simulations using different values of the parameters. One of the interesting results was that the worm could spread faster, reach a larger outbreak size or survive for a longer time simply by revising the ratios at which it allocated its time to each of the spreading mechanisms (while keeping everything else the same), which could be achieved by changing a few lines of its code.

This paper’s contributions are twofold. Firstly, we present the first study on a real-life critically hybrid epidemic, where the epidemic’s parameter values are inferred from measurement data. Secondly, we analyse the complex interactions among Conficker’s three spreading mechanisms, and show that the worm can be more contagious if it mixes its three spreading mechanisms in an optimal way.

Epidemic spreading mechanisms

A number of epidemic spreading mechanisms have been extensively studied [ 20 , 21 ]. For example, in the fully-mixed spreading models [ 20 , 22 ], a node is connected to all other nodes in a population, thus an epidemic can potentially spread between any two nodes according to a probability. Whereas in the network spreading models [ 1 , 2 , 20 , 23 ], nodes are connected to their neighbours via a network structure, therefore an epidemic can only spread along the connections among nodes. Recent network-based models considered additional physical properties such as location-specific contact patterns [ 24 , 25 ], human mobility patterns [ 26 – 29 ] and spatial effects [ 30 – 33 ].

Hybrid epidemics

Many epidemics are hybrid in the sense that they spread via two or more spreading mechanisms simultaneously. A hybrid epidemic can use fully-mixed spreading and network spreading, or use fully-mixed spreading but at two or more different levels, e.g. at the global level covering the whole population or at the local level consisting of only a part of the population.

There are many real examples. Mobile phone viruses can spread via Bluetooth communication with any nearby devices (local, fully-mixed spreading) and via the Multimedia Messaging Service with remote contacts (global, network spreading) [ 27 ]. A computer that is infected by the worm Code Red II spends 1/8 of its time probing any computers on the Internet at random (global, fully-mixed spreading) and the rest of the time probing computers located in local area networks (local, fully-mixed spreading) [ 34 ]. Today information is propagated in society via mass media (TV, newspapers, posters) as well as online social media (Facebook, Twitter and email). Mass media (global, fully-mixed spreading) can potentially deliver the information to a big audience, but the effectiveness of information transmission at an individual level may be small (for example, its ability to alter the target individual’s behaviour). In contrast, social media (local, network spreading) may have little or no access to the majority of people who are not connected to the local group, but they provide rapid penetration of a selected target group with higher effectiveness.

It is clear that hybrid epidemics are much more complex than simple epidemics. Their behaviour is affected not only by multiple spreading mechanisms that they use, but also by the population’s overlaid structure on which they spread. Studying hybrid epidemics may provide crucial clues for better understanding of many real epidemics.

Previous works on hybrid epidemics

Hybrid epidemics were initially studied as two levels of mixing in a population where nodes are mixed at both local and global levels [ 35 ]. Recently hybrid epidemics were studied as two levels of mixing in a network [ 36 – 38 ], in structured populations [ 39 ], in structured households [ 40 – 42 ], and in a meta-population which consists of a number of weakly connected sub-populations[ 43 – 48 ]. Studies of epidemics in clustered networks [ 49 – 51 ] are also relevant to the hybrid epidemics.

These previous works focused on analysing how a network’s structure affects hybrid spreading. Most of them studied non-critically hybrid epidemics, where at least one of the two spreading mechanisms alone can cause an infection outbreak and therefore the mix of two mechanisms is not a necessary condition for an epidemic outbreak. In this case, a hybrid epidemic using two spreading mechanisms is often less contagious than an epidemic using only one of the mechanisms [ 36 , 52 ].

Our recent study on critically hybrid epidemics

We are interested in critically hybrid epidemics, where each of the spreading mechanisms alone is not able to cause any significant infection whereas a combination of the mechanisms can cause an epidemic outbreak. In this case, the mix of different spreading mechanisms is a critical condition for an outbreak (see Fig 1 ).

Fig 1. (a) Non-critically hybrid epidemic, where at least one of the two mechanisms can cause an outbreak on its own (i.e. when α = 1 or α = 0). (b) Critically hybrid epidemic, where each mechanism alone cannot cause any significant infection whereas a mix of them produces an epidemic outbreak. There exists an optimal α that produces the maximum outbreak.

https://doi.org/10.1371/journal.pone.0127478.g001

Recently we proposed a generic model to study the critically hybrid epidemics [ 16 ]. We considered an epidemic which spreads in a meta-population (consisting of many weakly connected sub-populations) using a mix of the following two typical spreading mechanisms. (1) Fully-mixed spreading on the global level, i.e. infection between any two nodes in the meta-population. (2) Network (or fully-mixed) spreading on the local level, i.e. infection between nodes within a sub-population where the internal topology of a sub-population is a network (or a fully-connected mesh). Each spreading mechanism has its own infection rate and an infected node recovers at a recovery rate. We define a parameter called the hybrid trade-off, α, as the proportion of time that the epidemic devotes to the first spreading mechanism (or the probability of using the first spreading mechanism in a time unit). Thus the proportion of time spent on the second mechanism is (1 − α).

Our mathematical analysis and numerical simulations based on the model highlight the following two results. Firstly, it is possible to mix two ineffective spreading mechanisms to produce a highly contagious epidemic, because the mix of the mechanisms can help to overcome the weakness of each mechanism. Secondly, the threshold and the size of the outbreak are critically determined by the hybrid trade-off α. We also provided an analytical prediction of the optimal trade-off for the maximum outbreak size.

Computer Worm Conficker

In this paper we will analyse a critically hybrid epidemic, the computer worm Conficker, based on real measurement data. It is one of the most contagious computer worms on record. It erupted on the Internet on 21 November 2008 and infected millions of computers in just a few days [ 7 ]. The worm’s ability to spread to such a large number of computers in so short a time and the fact [ 53 ] that it is still active on the Internet has caused serious concern.

  • Global spreading, where the worm probes computers with random IP addresses on the Internet;
  • Local spreading, where the worm on an infected computer probes computers in the same Local Area Network (LAN) with the same IP address prefix;
  • Neighbourhood spreading, where it probes computers in ten neighbouring LANs (with smaller consecutive IP address prefixes).

Fig 2. (1) Global spreading, where it probes any computer on the Internet at random; (2) local spreading, where it probes computers in the same local network; (3) neighbourhood spreading, where it probes computers in ten neighbouring local networks.

https://doi.org/10.1371/journal.pone.0127478.g002

Previous research on Conficker has studied the geographical distribution of infected IP addresses, the distribution of probing packet size [ 7 , 54 , 55 ], and properties of the worm’s global probing [ 56 , 57 ]. The parameters of Conficker’s hybrid spreading and how they affect the epidemic dynamics of the worm can help explain why the worm is so contagious. But they have been hitherto little studied.

Our Model of Conficker

  • Global spreading with probability α_g, where the worm probes nodes on the Internet at random with the global infection rate β_g ∈ [0, 1];
  • Local spreading with probability α_l, where it probes nodes in the local subnet with the local infection rate β_l ∈ [0, 1];
  • Neighbourhood spreading with probability α_n, where it probes nodes in ten neighbouring subnets with the neighbourhood infection rate β_n ∈ [0, 1].

An infected node is recovered with recovery rate γ ∈ [0, 1]. A recovered node remains recovered and cannot be infected again. Note that for mathematical analysis, the mixing probabilities could be incorporated into the infection rates. But we have treated them as separate parameters, considering that an infection rate reflects inherent properties of a computer worm in the context of a specific target population, whereas mixing probabilities are settings that can be easily modified in the worm’s code. This is also the reason we use the mixing probabilities as controlling parameters in our study below and keep other parameters the same.

Only nodes that can potentially be infected by Conficker are relevant to our study. We call them the relevant nodes. A subnet is relevant if it contains at least one relevant node. Irrelevant nodes include unused IP addresses and those computers that do not have the vulnerabilities that the worm can exploit. Note that although the irrelevant nodes and subnets do not participate in the spreading of Conficker, they will still be probed by the worm, as the worm has no a priori knowledge of which nodes are vulnerable.

Let n represent the total number of relevant nodes and N the number of relevant subnets. The average number of relevant nodes in a subnet is n_N = n/N. Let N_+ represent the average number of relevant subnets among ten neighbouring subnets.

At time t, the total numbers of susceptible, infected, and recovered nodes are S(t), I(t), and R(t), respectively. Then the average number of infected nodes in a subnet is I_N(t) = I(t)/N, and the average number of infected nodes in ten neighbouring subnets is I_+(t) = I_N(t) · N_+. Hence on average a susceptible node can be infected via (1) global probing by I(t) infected nodes in the Internet; (2) local probing by I_N(t) infected nodes in the local subnet; (3) neighbourhood probing by I_+(t) infected nodes in the neighbouring subnets.


Inferring Conficker Parameters From Data

We infer the parameter values of our Conficker model from the Internet measurement data [ 18 , 19 ] collected by the Center for Applied Internet Data Analysis (CAIDA) in 2008. This is the only publicly available dataset that has captured the initial outbreak process of the worm. The CAIDA Network Telescope project [ 18 , 19 ] monitors Internet traffic sent to a large set of unusable IP addresses, which account for around 1/256 of all addresses. No legitimate traffic should be sent to these monitored addresses because they are not allocated for normal usage [ 58 ]. Thus the traffic data captured by this project provides a good view on various abnormal behaviours on the Internet.

When Conficker spreads on the Internet, its global spreading mechanism sends out probing packets to randomly generated IP addresses, some of which are unused IP addresses and therefore are monitored by the Network Telescope project. Conficker’s probing packets are characterised by the Transmission Control Protocol (TCP) with destination port number 445. This feature can be used to distinguish Conficker packets from other packets in the Network Telescope data.

For each record of Conficker’s probing packet, we are interested in two things: (1) the time when the packet is monitored by the Network Telescope project, and (2) the packet’s source IP address, which gives the location of a Conficker-infected node. We ignore the destination address, as it is a randomly-generated, unused IP address.

We study the Network Telescope project’s daily dataset collected on November 21, 2008, the day when Conficker broke out on the Internet. We use two earlier datasets collected on November 12 and 19, 2008 to filter out background ‘noise’ that was already present before the outbreak. That is, in the outbreak dataset, we discard packets that were sent from any source address that had already sent packets to any of the unusable addresses in the two earlier datasets. We use the prefix of /24 (i.e. IP address mask of 255.255.255.0) to distinguish different subnets [ 7 ]. Our analysis uses a 10-minute window.

Step One: Inferring node status at a given time

We first infer the status of each node at time t from the CAIDA data. On the day of the Conficker outbreak, all relevant nodes were initially susceptible. In the analysis, we assume a node has just been infected by the worm when we observe the first Conficker probing packet coming from it, and that the node has recovered when we observe its last probing packet before the end of the day. Fig 3 shows the number of susceptible, infected and recovered nodes as observed in 10-minute windows.

Fig 3. Numbers of susceptible nodes S(t), infected nodes I(t) and recovered nodes R(t) as a function of time t, as inferred from CAIDA’s dataset on 21/Nov/2008, the day of Conficker’s outbreak.

https://doi.org/10.1371/journal.pone.0127478.g003

Step Two: Inferring new infections caused by each spreading mechanism

Let dI_l(t), dI_n(t) and dI_g(t) represent the numbers of nodes that are newly infected through local, neighbourhood and global spreading, respectively, at time step t. Our analysis of the data shows that 84% of new infections occurred within already infected subnets or their neighbourhood subnets, i.e. only 16% of new infections appeared outside the reach of local and neighbourhood probing. This agrees with our understanding that local and neighbourhood probing are significantly more effective than global probing [ 7 ]. And 73% of those new infections within the reach of local and neighbourhood probing (i.e. 73% × 84% of all new infections) occurred in already infected subnets. This indicates that local probing is more effective than neighbourhood probing. Based on the above analysis we can then approximately identify the probing mechanism responsible for a newly infected node by analysing the states of the other relevant nodes at the time when the new infection happens.

  • IF there is an infected node already in the same subnet, the new infection is caused by that infected node via local spreading.
  • ELSE IF there is an infected node in the ten neighbouring subnets, then the new infection is via neighbourhood spreading.
  • OTHERWISE, the newly infected node is infected via global spreading.

Fig 4 shows the inferred results, plotting the number of new infections caused by each spreading mechanism as a function of time.
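As an added, runnable illustration of Steps One and Two (this is not code from the paper), the following Python reconstructs per-window S/I/R counts from telescope-style records and applies the IF / ELSE IF / OTHERWISE rule above to each new infection. It also applies the baseline-noise filter described in the data section. The records, the baseline source list and the private 10.x.x.x addresses are all constructed for the example; the /24 prefix, the 10-minute window and the ten-subnet neighbourhood follow the text. One detail the rule leaves implicit is direction: because an infected host probes the ten prefixes below its own, the neighbourhood test for a newly infected subnet looks for infected hosts in the ten prefixes above it.

```python
"""Infer node status and spreading mechanism from telescope records,
following Steps One and Two of the paper (added example, constructed data)."""
import ipaddress

WINDOW_MINUTES = 10        # the paper's analysis window
NEIGHBOURHOOD = 10         # the worm probes the ten /24 prefixes just below its own

# Constructed records: (minutes since midnight on the outbreak day, source IP of a
# TCP/445 probe that reached a monitored, unused address). Private 10.x addresses
# are stand-ins; nothing here is real telescope data.
OUTBREAK_DAY = [
    (5, "10.20.5.10"), (8, "10.20.5.77"), (12, "10.20.5.10"), (14, "10.20.5.11"),
    (22, "10.20.4.20"), (25, "10.20.5.10"), (30, "10.20.5.11"), (31, "10.30.1.5"),
    (40, "10.20.6.3"), (45, "10.30.1.5"),
]
# Sources that already probed the telescope on the earlier baseline days (constructed);
# the paper discards these as pre-existing background noise.
BASELINE_SOURCES = {"10.20.5.77"}


def slash24(ip):
    """Index of the /24 prefix containing ip (consecutive prefixes get consecutive indices)."""
    return int(ipaddress.IPv4Address(ip)) >> 8


def infection_intervals(records, baseline):
    """Step One: a node is infected from the window of its first probe to the window of its last."""
    first, last = {}, {}
    for minutes, ip in records:
        if ip in baseline:
            continue
        w = minutes // WINDOW_MINUTES
        first[ip] = min(first.get(ip, w), w)
        last[ip] = max(last.get(ip, w), w)
    return {ip: (first[ip], last[ip]) for ip in first}


def sir_counts(intervals):
    """(S, I, R) per window; the relevant population is every node observed during the day."""
    horizon = max(last for _, last in intervals.values())
    counts = []
    for w in range(horizon + 1):
        infected = sum(1 for f, l in intervals.values() if f <= w <= l)
        recovered = sum(1 for _, l in intervals.values() if l < w)
        counts.append((len(intervals) - infected - recovered, infected, recovered))
    return counts


def attribute_infections(intervals):
    """Step Two: IF an infected node exists in the same /24 -> local;
    ELSE IF one exists in the ten prefixes above (which probe downward) -> neighbourhood;
    OTHERWISE -> global. Only nodes infected in an earlier window and still infected count."""
    result = {}
    for ip, (f, _) in sorted(intervals.items(), key=lambda kv: kv[1][0]):
        subnet = slash24(ip)
        active = [slash24(o) for o, (of, ol) in intervals.items() if o != ip and of < f <= ol]
        if subnet in active:
            result[ip] = "local"
        elif any(subnet < t <= subnet + NEIGHBOURHOOD for t in active):
            result[ip] = "neighbourhood"
        else:
            result[ip] = "global"
    return result


def mechanism_counts(attribution):
    """Number of new infections attributed to each mechanism (cf. the paper's 16% / 84% split)."""
    counts = {"global": 0, "local": 0, "neighbourhood": 0}
    for mechanism in attribution.values():
        counts[mechanism] += 1
    return counts


if __name__ == "__main__":
    intervals = infection_intervals(OUTBREAK_DAY, BASELINE_SOURCES)
    for w, (s, i, r) in enumerate(sir_counts(intervals)):
        print(f"window {w}: S={s} I={i} R={r}")
    attribution = attribute_infections(intervals)
    for ip, mech in attribution.items():
        print(f"{ip:12s} infected via {mech}")
    print(mechanism_counts(attribution))
```

On the constructed records, 10.20.5.11 is attributed to local spreading (10.20.5.10 is already infected in the same /24), 10.20.4.20 to neighbourhood spreading (10.20.5.0/24 is one prefix above it), and 10.20.6.3 to global spreading even though 10.20.5.0/24 is adjacent, because that prefix lies below it and is outside the worm's downward probing range.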

Fig 4. Numbers of nodes newly infected by Conficker via each of the three spreading mechanisms in 10-minute windows on the day of Conficker’s outbreak, as inferred from CAIDA’s dataset on 21/Nov/2008.

https://doi.org/10.1371/journal.pone.0127478.g004

Step Three: Inferring parameters of the Conficker model


Inference results and evaluation

The inferred values of the Conficker model parameters are shown in Table 1 , including the mixing probability α and the infection rate β for the three spreading mechanisms, the recovery rate γ, the recovery time τ = 1/γ, which is the average time it takes for an infected node to recover, and the probing frequency λ. The parameter values are averaged over time windows between 4:00 and 16:00, when the spreading behaviour was stable. Computers go online and offline on a daily basis following a diurnal pattern [ 59 ]. We find that this factor has only a marginal impact on our results.

Table 1.

https://doi.org/10.1371/journal.pone.0127478.t001

We observe in the data that the worm infected in total n = 430,135 nodes, located in N = 92,267 subnets. On average, each subnet has n_N = 4.7 relevant nodes, and N_+ = 4.3 of ten neighbouring subnets are relevant.

With these parameter values, we can use our Conficker model (see Eq 2 ) to theoretically predict the worm’s outbreak process. As measured from the data, the numbers of nodes in the three statuses were S = 423,899, I = 3,945, and R = 2,291 at 4:00am. Our prediction starts from 4:00am and uses these numbers as the initial condition. As shown in Fig 5 , our model’s predictions closely match the measurement data.

Fig 5. Points are measured from the Network Telescope’s dataset collected on the outbreak day. The curve is the theoretical prediction from our Conficker model using the inferred parameters.

https://doi.org/10.1371/journal.pone.0127478.g005

The inferred parameters are in agreement with our expectations. For example the local spreading has a high infection rate because if a computer is already infected, then other computers in the same subnet are likely to have a similar computer system and thus are also likely to be vulnerable to the worm. By comparison, global spreading has an extremely low infection rate. On average, more than 10 million global probings will produce only a single new infection. On average an infected node retains its status for 2.5 hours (156 mins) before it recovers (e.g. switched off or updated with new anti-virus database). The worm only sends out 8 probing packets per minute. Such a deliberately low probing rate helps the worm to evade a computer’s or network’s security systems.

Analysis on Conficker’s Hybrid Spreading

Mix of two spreading mechanisms

We run simulations using our Conficker model with the parameter values inferred above. The simulation network has 100k subnets. Each subnet contains 5 relevant nodes and has 4 relevant adjacent subnets. This topology setting resembles Conficker’s spreading network observed in the data. Initially two random nodes are infected. The only controlling parameters are the mixing probabilities of the spreading mechanisms. Simulation results on mixes of two spreading mechanisms are shown in Fig 6 .

Fig 6. (a) Mix of global (α_g) and local (1 − α_g) mechanisms; (b) mix of global (α_g) and neighbourhood (1 − α_g) mechanisms; (c) mix of local (α_l) and neighbourhood (1 − α_l) mechanisms. In each case we measure the outbreak size, the total duration of the spreading, and the speed of spreading. The outbreak results include both the final outbreak size (square) and the outbreak size at time step 100 (filled circle). Each data point is averaged over 100 runs of a simulation. Note the y axes are all logarithmic.

https://doi.org/10.1371/journal.pone.0127478.g006

Fig 6a shows that as explained above, global spreading or local spreading alone cannot cause an outbreak, whereas a mixture at a ratio of 0.8 to 0.2 produces a large and rapid outbreak. Fig 6b shows that the neighbourhood spreading alone ( α g = 0) can cause a large, but very slow outbreak, whereas the mix of neighbourhood spreading with just a small amount of global spreading can dramatically accelerate the spreading process. Fig 6c shows that adding local spreading to neighbourhood spreading slows down the spreading process considerably. When they are mixed at the ratio of 0.8 to 0.2, the spreading reaches the same final outbreak size but the whole process lasts for the longest time.

Mix of THREE spreading mechanisms

Simulation results on mixing three spreading mechanisms are shown in Fig 7 . Fig 7a shows it is not difficult to achieve a large final outbreak size when the three mechanisms are all present and neither local spreading nor global spreading is dominant. Fig 7b shows spreading will last for a longer time if there is less global probing. Fig 7c shows that the most contagious variation of the worm is a mix of global, local and neighbourhood spreading at the probabilities of 0.4, 0.2 and 0.4 (see circle on the plot), which causes the largest final outbreak with the highest spreading speed.

Fig 7. Spreading properties shown include the final outbreak size, the survival time and the spreading speed (see colour maps) as functions of the mixing probabilities of global spreading α_g (x axis) and local spreading α_l (y axis), where the mixing probability of neighbourhood spreading is α_n = 1 − α_g − α_l.

https://doi.org/10.1371/journal.pone.0127478.g007

In this study, we infer the epidemic spreading parameters of the Conficker worm from observed data collected during the first few hours of the epidemic. Simulations of worm spreading, based on these parameters, allow us to reach some important conclusions about the worm’s use of hybrid spreading mechanisms.

Advantage of mixing hybrid spreading mechanisms

Conficker’s global probing is extremely ineffective. The infection rate of global probing is many orders of magnitude smaller than the recovery rate. This means, if Conficker used only the global probing, it would not have caused any significant infection on the Internet at all.

Local probing has a remarkably high infection rate, β_l = 0.32, which means that when an infected node conducts only local spreading, a susceptible node in the same subnet has a 1/3 chance of being infected in a single step (10 minutes). However, local probing is confined within a subnet. If the worm used only local probing, it would not have infected any subnet apart from those initially containing infected nodes.

Neighbourhood probing is constrained to a neighbourhood of ten subnets. It has a high infection rate because computers in adjacent IP address blocks often belong to the same organisation and use similar computer systems, and therefore have similar vulnerabilities that can be exploited by the worm. Since different nodes’ neighbourhoods can partially overlap with each other, it is in theory possible for the worm to reach any node in the whole meta-population by using only neighbourhood probing. Such a process, however, would be extraordinarily slow, as we have shown in Fig 6b .

In summary, if Conficker used only a single spreading mechanism, it would have vanished on the Internet without causing any significant impact.

Thus the worm’s enormous outbreak stems from its ability to do two things. Firstly, it needs to devote great effort to exploring every corner of the Internet to find a new vulnerable computer. Every new victim opens a new colony full of similarly vulnerable computers. Secondly, it needs to make the most of each new colony.

This is exactly what Conficker does. It allocates most of its time to global probing, with a mixing probability of α_g = 89%. This partly compensates for the ineffectiveness of global probing. Although the worm allocates only small amounts of time to local and neighbourhood probing, their high infection rates allow them to exploit all possible victims in the subnets efficiently. And all newly infected nodes join the collective effort to flood the Internet with more global random probes.

In short, the Conficker worm is an example of a critically hybrid epidemic. It can cause an enormous outbreak not because it has an advanced ability to exploit weaknesses of a computer, but because it has remarkable capability to discover all potentially vulnerable computers in the Internet, i.e. it is not the infectivity, but the hybrid spreading that makes Conficker one of the most infectious worms on record.

Implication of critically hybrid epidemics

The analysis of critically hybrid epidemics such as Conficker has important general implications. Firstly, it demonstrates that it is possible to design a high impact epidemic based on mechanisms each of which has relatively low efficiency. Indeed our result in Fig 7 suggests that Conficker could have had a larger outbreak with higher speed if it had used a different set of mixing probabilities, which would require changing only a few lines of Conficker’s program code. Hybrid mechanisms may therefore be ideal for rapid efficient penetration of a network, for example in the context of an advertising campaign or in order to promulgate important public health or security information. An interesting example might be the use of media campaigns (global spreading) where the reader or viewer is specifically requested to pass on a message via Twitter or Facebook to their “local” group contacts.

Conversely, malicious hybrid epidemics can be extremely difficult to defend against, and many existing defence strategies may not be effective. For example immunising a selected portion of a local population in order to isolate and hence protect the vulnerable nodes will not be effective, because the vulnerable nodes can still be found by the worm through random global spreading.

Another possible measure is to reduce the average time it takes for an infected node to recover, for example by speeding up the release of anti-virus software updates or increasing the frequency of security scanning on computers. Our theoretical predictions (using Eq 2) in Fig 8 show that the final outbreak size (measured as the total number of recovered nodes) does not change significantly when the recovery time is reduced from 156 minutes to 140 or 120 minutes. In practice, even achieving such reductions is a remarkable technical challenge. It is clear from the discussion above that epidemics can spread with extremely low global infection rates (far below individual recovery rates), provided there is efficient local infection. The extremely efficient spreading achieved once a given subnet, or set of subnets, has been penetrated is therefore a key determinant of the worm’s outbreak [ 7 ]. Thus, defence strategies that focus on security co-operation between nodes within a local network neighbourhood (a “neighbourhood watch” strategy [ 7 ]) may be the key to preventing similar outbreaks in future.

Fig 8 (figure not reproduced). Conficker’s recovery time is 156 minutes.

https://doi.org/10.1371/journal.pone.0127478.g008

Our Conficker model

The Conficker worm can be described with either a discrete model or a continuous model, and the two modelling approaches should give the same predictions of the worm’s spreading dynamics. In this work we used a discrete approach to model the Conficker worm for three reasons. Firstly, the model’s parameters can be defined with clear physical meanings. Secondly, we can calculate the parameters’ values directly from the CAIDA measurement data. Lastly, it is more convenient to run simulations with a discrete model. If a continuous model were used, the model parameters would be defined differently, with less clear physical meanings, and their values would have to be obtained through iterative data fitting.

In our Conficker model, we set the local and global population as fully mixed, because this is how the Conficker worm perceives the structure of the Internet. We considered more complex network structures in a separate work [ 16 ] where we studied hybrid epidemics in general.

Our study uses data collected during the first day of the Conficker epidemic to parametrise a hybrid model to capture the worm’s spreading behaviour. The study highlights the importance of mixing different modes of spreading in order to achieve large, rapid and sustained epidemics, and suggests that the trade-off between the different modes of spreading will be critical in determining the epidemic outcome.
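The following discrete-time simulation is an added illustration of the hybrid-spreading idea described in the sections above (the mixing probabilities of the three probing modes, the effect of a shorter recovery time, and the “neighbourhood watch” defence). It is not the paper’s model (Eq 2) or the authors’ code: it is a deliberately simplified metapopulation model in which hosts live in equal-sized subnets, each infected host sends a fixed number of probes per step, and each probe targets its own subnet, an adjacent subnet, or a uniformly random host according to the mixing probabilities. Only the global mixing probability α = 0.89 and the 156-minute recovery time are taken from the text; the number of subnets, hosts per subnet, probe rate, vulnerable fraction, the split of the remaining 11% between local and neighbourhood probing, and the way “neighbourhood watch” is modelled (a recovering host causes a fraction of the vulnerable, still-uninfected hosts in its subnet to be patched) are all constructed assumptions.

```python
"""Discrete-time simulation of hybrid (local / neighbourhood / global) worm
spreading over a set of subnets.

Added illustration for this page; NOT the paper's model (Eq 2) or code.
Only alpha = 0.89 (global probing) and the 156-step recovery time come from
the text. Everything else below is a constructed assumption:
  * hosts live in equal-sized subnets; only a fraction are vulnerable;
  * each infected host sends `probes_per_step` probes per step; each probe
    picks a mode with probability (p_local, p_neigh, p_global): a random
    host in its own subnet, in an adjacent subnet, or anywhere;
  * a probe infects a vulnerable, still-susceptible target with infect_prob;
  * an infected host is patched (recovers) recovery_time steps after it
    was infected;
  * "neighbourhood watch": when a host recovers, each vulnerable and
    still-susceptible host in the same subnet is patched with probability
    watch_fraction (a stand-in for local security co-operation).
"""
import random
from dataclasses import dataclass

S, I, R = 0, 1, 2  # susceptible, infected, recovered / patched


@dataclass
class Result:
    n_hosts: int
    ever_infected: int     # hosts infected at some point (outbreak size)
    patched_by_watch: int  # vulnerable hosts patched before being infected
    final_s: int
    final_i: int
    final_r: int
    steps: int


def simulate(n_subnets=20, hosts_per_subnet=128, vulnerable_fraction=0.5,
             mixing=(0.05, 0.06, 0.89), infect_prob=1.0, probes_per_step=2,
             recovery_time=156, watch_fraction=0.0, max_steps=400, seed=1):
    """Run one epidemic from a single seed host and return a Result."""
    p_local, p_neigh, p_global = mixing
    assert abs(p_local + p_neigh + p_global - 1.0) < 1e-9
    rng = random.Random(seed)
    n = n_subnets * hosts_per_subnet
    vulnerable = [rng.random() < vulnerable_fraction for _ in range(n)]
    state = [S] * n
    infected_at = [0] * n

    seed_host = rng.randrange(n)
    vulnerable[seed_host] = True   # patient zero must be vulnerable
    state[seed_host] = I
    infected = {seed_host}
    ever_infected, patched_by_watch, step = 1, 0, 0

    def subnet_of(h):
        return h // hosts_per_subnet

    def random_host_in(subnet):
        return subnet * hosts_per_subnet + rng.randrange(hosts_per_subnet)

    while infected and step < max_steps:
        step += 1
        newly = []
        # 1. every infected host probes according to the mixing probabilities
        for h in infected:
            for _ in range(probes_per_step):
                u = rng.random()
                if u < p_local:
                    target = random_host_in(subnet_of(h))
                elif u < p_local + p_neigh:
                    target = random_host_in((subnet_of(h) + rng.choice((-1, 1))) % n_subnets)
                else:
                    target = rng.randrange(n)
                if state[target] == S and vulnerable[target] and rng.random() < infect_prob:
                    state[target] = I          # mark now so it is not counted twice this step
                    infected_at[target] = step
                    newly.append(target)
        # 2. hosts infected long enough ago recover; optional neighbourhood watch
        for h in [h for h in infected if step - infected_at[h] >= recovery_time]:
            state[h] = R
            infected.discard(h)
            if watch_fraction > 0.0:
                base = subnet_of(h) * hosts_per_subnet
                for t in range(base, base + hosts_per_subnet):
                    if state[t] == S and vulnerable[t] and rng.random() < watch_fraction:
                        state[t] = R
                        patched_by_watch += 1
        infected.update(newly)
        ever_infected += len(newly)

    return Result(n, ever_infected, patched_by_watch,
                  state.count(S), state.count(I), state.count(R), step)


def compare_defences(**kw):
    """Outbreak size under the three settings discussed in the text: the
    baseline, a shorter recovery time, and local co-operation."""
    return {
        "baseline": simulate(**kw).ever_infected,
        "recovery_120min": simulate(recovery_time=120, **kw).ever_infected,
        "neighbourhood_watch": simulate(watch_fraction=0.5, **kw).ever_infected,
    }


if __name__ == "__main__":
    for name, size in compare_defences().items():
        print(f"{name:20s} outbreak size = {size}")
```

Running the module compares the outbreak size of the baseline worm against a shorter recovery time and against a local co-operation defence; because the outcome depends on the constructed parameters and on the random seed, the numbers it prints illustrate the mechanism rather than reproduce the paper’s Fig 8. Setting `mixing=(1.0, 0.0, 0.0)` shows the other half of the argument: without any global probing the worm can never leave the subnet it started in.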

Author Contributions

Conceived and designed the experiments: CZ SZ BMC. Performed the experiments: CZ. Analyzed the data: CZ SZ BMC. Wrote the paper: SZ BMC CZ.

  • 16. Zhang C, Zhou S, Cox IJ, Chain BM. Optimizing Hybrid Spreading in Metapopulations; 2014. Preprint. Available: arXiv:1409.7291. Accessed 10 Feb 2015.
  • 17. Chien E. Downadup: Attempts at Smart Network Scanning; 2010. Available: http://www.symantec.com/connect/blogs/downadup-attempts-smart-network-scanning . Accessed Dec 2014.
  • 18. Center for Applied Internet Data Analysis. The CAIDA UCSD Network Telescope “Three Days Of Conficker”; 2008. Available: http://www.caida.org/data/passive/telescope-3days-conficker_dataset.xml . Accessed Dec 2014.
  • 19. Center for Applied Internet Data Analysis. The CAIDA UCSD Network Telescope “Two Days in November 2008” Dataset; 2008. Available: http://www.caida.org/data/passive/telescope-2days-2008_dataset.xml . Accessed Dec 2014.
  • 20. Newman M. Networks: An Introduction. Oxford University Press, USA; 2010.
  • 34. Moore D, Shannon C, Claffy KC. Code-Red: a case study on the spread and victims of an internet worm. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment. IMW. ACM; 2002. pp. 273–284.
  • 53. ESET Virusradar. Win32/Conficker Charts; 2014. Available: http://www.virusradar.com/en/Win32_Conficker/chart/week . Accessed Dec 2014.
  • 54. Irwin B. A network telescope perspective of the Conficker outbreak. In: Information Security for South Africa; 2012. pp. 1–8.
  • 56. Li R, Gan L, Jia Y. Propagation Model for Botnet Based on Conficker Monitoring. In: International Symposium on Information Science and Engineering; 2009. pp. 185–190.
  • 57. Yao Y, Xiang Wl, Guo H, Yu G, Gao FX. Diurnal Forced Models for Worm Propagation Based on Conficker Dataset. In: International Conference on Multimedia Information Networking and Security; 2011. pp. 431–435.
  • 58. Aben E. Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope; 2009. Available: http://www.caida.org/research/security/ms08-067/conficker.xml . Accessed Dec 2014.
  • 59. Dagon D, Zou C, Lee W. Modeling botnet propagation using time zones. In: Annual Network & Distributed System Security Symposium; 2006.

Customer Case Study Video


“Among the solutions put in competition, Walden chose ThreatDown for a few reasons. First of all, the solution convinced us from a technical point of view. The implementation went very well as the solution integrated fully and easily with existing security tools. We were also very impressed with the number of attacks stopped, the reduction in false positives, and the responsiveness of the technical team.” – Harold Potier, Chief Information Security Officer (CISO)

Network Computer Systems


“We often tell potential clients, ‘We’ve successfully transitioned numerous customers to this product with remarkable benefits’… That’s our pitch. With Malwarebytes, we can assure customers they won’t become the next headline about systems hijacked or businesses paralyzed by ransomware.” — Brad Harley, CEO of Network Computer Systems

Triotech Amusement


“With ThreatDown, powered by Malwarebytes, we don’t just get a full-featured EDR product with great price value, we’re getting the whole experience that comes with it — a strong vendor relationship and expert security support.” — Francois Riopel, IT Manager, Triotech Amusement

Drummond

“Cyber threats are 24/7, and my team needs to sleep. The MDR team watching our network around-the-clock gives us a chance to sleep without worry. With ThreatDown MDR backing us up, I also finally got to step away and take a two-week vacation. I’m just glad to know that we have a security team watching over our shoulder and making sure it’s all clear.” — Dennis Davis, IT Systems Manager, Drummond

Protecting Sunnyside SD Student and Staff Mac Machines, Wherever They Go


Sunnyside school district.

“Anything our IT team can do remotely makes us more efficient. With Malwarebytes’ cloud console, we can remotely manage endpoint protection and see the state of all the machines in a single view, whether the user’s machine is on or off campus.” — David Peterson, IT Coordinator, Sunnyside School District

Hooton Tech


“I’ve long led my MSP business from the approach that I only sell technology that I believe in and use myself. For endpoint protection, that’s Malwarebytes. Malwarebytes leads the market with its lightweight footprint, ease of use, and steadfast reliability in stopping threats.” — Shane Hooton, Owner, Hooton Tech

Articles on computer virus

Displaying all articles.


Cybersecurity: high costs for companies

Hervé Debar , Télécom SudParis – Institut Mines-Télécom


DNA has gone digital – what could possibly go wrong?

Jenna E. Gallegos , Colorado State University and Jean Peccoud , Colorado State University


An ethical hacker can help you beat a malicious one

Georg Thomas , Charles Sturt University


Explained: why a reboot is the go-to computer fix

Rob Miles , University of Hull


Computer viruses deserve a museum: they’re an art form of their own

Jussi Parikka , University of Southampton


Hack attack on a hospital IT system highlights the risk of still running Windows XP

Robert Merkel , Monash University


Seven easy steps to keep viruses from your devices

Mary Adedayo , University of Pretoria


Human and technical ingenuity will be required to defeat shape-shifting malware

John Walker , Nottingham Trent University


Would you compromise your computer for one cent an hour? This study says you might

Andrew Smith , The Open University


Media shock stories about GameOver Zeus are not helpful

Bill Buchanan , Edinburgh Napier University

Related Topics

  • Computer hacking
  • Cybersecurity
  • Internet security

Top contributors


Lecturer, Department of Computer Science, University of Pretoria


Associate professor, Charles Sturt University


Head, The Cyber Academy, Edinburgh Napier University


Postdoctoral Researcher in Chemical and Biological Engineering, Colorado State University


Lecturer in Software Engineering, Monash University


Adjunct Lecturer, Charles Sturt University


Visiting Professor, Nottingham Trent University


Professor, Abell Chair in Synthetic Biology, Colorado State University


Senior Lecturer in Networking, The Open University


Lecturer in Computer Science, University of Hull


Professor in Technological Culture & Aesthetics, University of Southampton


Directeur de la Recherche et des Formations Doctorales, Directeur adjoint, Télécom SudParis – Institut Mines-Télécom

  • Computer Science and Engineering
  • Computer Security and Reliability
  • Computer Virus

Computer Virus: Their Problems & Major attacks in Real Life

  • August 2012
  • Journal of Advanced Computer Science & Technology 1(4)

Milind Joshi at Shivaji University, Kolhapur

  • Shivaji University, Kolhapur

Dr. Bhaskar Vijayrao Patil at B.V. D. U. Yashwantro Mohite Institute of Management, Karad

  • B.V. D. U. Yashwantro Mohite Institute of Management, Karad

  • James Ajor Ogar

Okpa John

  • Thelma Aya Abang

Yvonne M. Baptiste

  • Abdullah Abdulhai Alshaher
  • Mubarak Mohammad Alkharang

Kenneth Okereafor

  • Priyanka Ahlawat

Ankit kumar Jain

  • صلاح الدين محمد توفيق
  • شيــرين عيــــد مرســــي
  • Vaishnavi Bhagwat Savant
  • Rupali D. Kasar

Mawar Safei

  • Heru Winarno

Fatah Yasin

  • Benny Ranti
  • Mitch Halpin
  • David Dagon

Wenke Lee

  • Rainer Link
  • Hannelore Prof
  • Felix Uribe
  • Gaurav Sharma

IMAGES

  1. Cause and effects of computer virus


  2. Ransomware Viruses


  3. (PDF) The Impact of Computer Virus


  4. SOLUTION: Computer viruses introduction examples brief discussion


  5. (PDF) Computer Virus Attacks


  6. Timeline OF Computer Viruses


VIDEO

  1. COMPUTER VIRUS AND ANTIVIRUS JKSSB SUPERVISOR

  2. The First Computer Virus❗️Which Antivirus Do You use❓ #cybersecurity #technologynews #hacker #vpn

  3. Stuxnet Worm (a State-Sponsored Malware)

  4. Case study on surface area and volume

  5. CORONA VIRUS CASE STUDY

  6. Ad Council

COMMENTS

  1. 11 real and famous cases of malware attacks

    Learn how malware such as ransomware, trojan and worm can infect computers and cause damage to businesses and individuals. See examples of malware attacks, such as CovidLock, LockerGoga, Emotet, WannaCry and Stuxnet.

  2. 11 infamous malware attacks: The first and the worst

    Learn about the history and impact of some of the most notorious computer viruses and worms, from Creeper to Clop. This article covers the milestones in the evolution of malware, from proof of concepts to cybercrime.

  3. Famous computer viruses: A look at cyberthreats

    Jaschan's motivations behind these viruses remain unclear but may have been driven by a desire to outpace even the notorious MyDoom virus. 6. Anna Kournikova virus. The Anna Kournikova virus, named after the famous tennis player, exploited her popularity to trick unwitting users.

  4. 'I love you': How a badly-coded computer virus caused ...

    Computer chaos From Hong Kong, where the virus crippled the communications and ravaged file systems of investment banks, public relations firms and the Dow Jones newswire, the love bug spread ...

  5. Computer Virus Examples (2024): The 9 Worst Attacks Ever

    Computer Virus Examples. 1. Morris Worm (1988) In the late 1980s, the digital world witnessed one of its first major security crises with the emergence of the Morris Worm. This incident, a landmark in the history of cyber threats, unfolded rapidly and with startling impact.

  6. MyDoom: The 15-year-old malware that's still being used in ...

    A decade-and-a-half from when it emerged and held the title of the most destructive computer virus of all time, MyDoom still persists. Written by Danny Palmer, Senior Writer July 26, 2019, 6:00 a ...

  7. Trojan Horse Examples (2024): The 6 Worst Attacks Ever

    Trojan Horse Examples. 1. ILOVEYOU (2000) In the early days of May 2000, a seemingly harmless email began circulating with the subject line "I LOVE YOU.". What appeared as a digital note of affection was, in fact, one of the most virulent computer worms of its time. According to Wired.com, the ILOVEYOU worm rapidly infected over ten million ...

  8. 16 Ransomware Examples From Recent Attacks

    If the ransom payment is made, ransomware victims receive a decryption key. If the payment is not made, the malicious actor publishes the data on the dark web or blocks access to the encrypted file in perpetuity. Below we explore 16 recent ransomware examples and outline how the attacks work. BitPaymer. Cryptolocker. DarkSide. Darma. DoppelPaymer.

  9. (PDF) Trojan Horse Malware

    Trojan Horse Malware Case Study actions, accessing the applications and software they use, taking screenshots, and tracking login data of the victim are the applications of this trojan malware [1].

  10. Case Studies: How Top Companies Tackled Malware Threats

    This global epidemic exploited a vulnerability in Windows operating systems, impacting over 200,000 individuals and organizations worldwide. Hospitals, universities, and major companies like FedEx and Telefonica were among the victims. The financial losses incurred by this cyber assault exceeded a staggering $4 billion, highlighting the urgent ...

  11. What Does Malware Look Like? Check Out These Real-World Examples

    The Horror of Ransomware. If a ransomware attack targets your computer, you won't know until it's too late. The ransomware stays out of sight, quietly encrypting your important files. (Credit ...

  12. Case studies

    Learn how cyber criminals can use malware to access your computer network or system and steal your data. Read three scenarios of malware attacks on financial advisers and how to prevent them.

  13. Case Study: AIDS Trojan Ransomware

    The Trojan AIDS/PC Cyborg virus was the first known ransomware attack. It gained access to users' computers through a mailed floppy disc disguised as a survey program. The malware encrypted C ...

  14. PDF Case Study a The School Hacker

    CASE STUDY E MARCUS HUTCHINS This is the case of Marcus Hutchins, a 25-year-old British man from the South-West of England. He was working as a Cyber Security malicious software (malware) investigator when in 2017 a computer virus called Wannacry struck the world. This virus was

  15. Computer viruses: How they spread and tips to avoid them

    A virus infects a file or system. Computer viruses attach themselves to a piece of software, an online program, a file, or a piece of code. They can spread through email and text message attachments, files you download online, or scam links sent on social media. 2. An unsuspecting user executes the virus's code.

  16. The Top 10 Worst Computer Viruses in History

    Mydoom - $38 billion. The worst computer virus outbreak in history, Mydoom caused estimated damage of $38 billion in 2004, but its inflation-adjusted cost is actually $52.2 billion. Also known as Novarg, this malware is technically a "worm," spread by mass emailing. At one point, the Mydoom virus was responsible for 25% of all emails sent.

  17. Ransomware case study: Recovery can be painful

    Ransomware case study: Attack #2. A few years later, another of Macias' clients -- the owner of a direct-mail printing service -- called to report he couldn't access his server. Macias logged into the network through a remote desktop and saw someone had broken through the firewall.

  18. Hybrid Epidemics—A Case Study on Computer Worm Conficker

    Conficker is a computer worm that erupted on the Internet in 2008. It is unique in combining three different spreading strategies: local probing, neighbourhood probing, and global probing. We propose a mathematical model that combines three modes of spreading: local, neighbourhood, and global, to capture the worm's spreading behaviour. The parameters of the model are inferred directly from ...

  19. Cyber Security Case Studies

    Malwarebytes leads the market with its lightweight footprint, ease of use, and steadfast reliability in stopping threats.". — Shane Hooton, Owner, Hooton Tech. KEEP READING. Cyberprotection for every one. Learn how Malwarebytes secures businesses worldwide in these cyber security case studies focusing on organizations from all industries.

  20. computer virus News, Research and Analysis

    Jenna E. Gallegos, Colorado State University and Jean Peccoud, Colorado State University. Biologists' growing reliance on computers advances the field - but comes with new risks. The first ...

  21. Computer Virus: Their Problems & Major attacks in Real Life

    The rapid development of technology, and its usage, in our everyday lives caused us to depend on many of the aspects it offers. The evolution of the Internet in recent decades has changed human ...