Sunday, September 18, 2011

The 10 Worst Computer Viruses in History

  • INTRO

The worst computer virus is the one that happens to infect your own personal computer. Unfortunately, millions of us have had this misfortune, and then spent hours — sometimes days — cleaning, restoring and recovering from a computer virus.
Today, many pieces of malware are designed to attack specific targets, such as the Stuxnet worm (designed to knock out Iran's nuclear centrifuges) or the Zeus and SpyEye Trojans (designed to steal from victims' bank accounts).
But back in the day — say, before 2005 — viruses were all about how much damage could be done by trashing hard drives, corrupting files, bringing corporations to their knees and slowing down the Internet itself.
It was an atmosphere that turned computer security into a big business and created some of the most notorious viruses of all time.
Here are the dirtiest of the bunch, our terrible 10 worst viruses in history.


  • 10
Stoned

Before there was the World Wide Web, the first computer viruses spread via floppy disks. One of the earliest was the 1987 boot-sector virus Stoned, which infected the boot sector of floppies and the master boot record of hard disks and taunted infected users with the on-screen message, "Your PC is now Stoned!"
Several variants of the virus were written by copycats, ushering in the practice of hackers updating existing virus code to create more infections.


  • 9

Jerusalem
Toward the end of 1987, the Jerusalem virus began spreading. The virus was much more destructive than Stoned: it stayed resident in memory and infected both .exe and .com files (two kinds of DOS executables) whenever they were run.
Its destructive payload, however, fired only on a Friday the 13th, when it deleted every program executed that day. That made the damage less visible between trigger dates, but Jerusalem destroyed tens of thousands of users' programs along the way.


  • 8

The Morris Worm
[Photo: The source code for the Morris worm at the Boston Museum of Science. Credit: Shannon Bullard, GoBostonCard.com]
November 1988 saw what is widely regarded as the first worm — a self-contained program that spreads without human intervention — to infect public networks. It spread by exploiting a buffer overflow in the fingerd daemon, the DEBUG command in sendmail, and trust relationships and weak passwords reachable via rsh and rexec. At the time, it was estimated to have infected about 10 percent of all computers connected to the nascent Internet.
Its creator, Cornell University graduate student Robert Tappan Morris, whose father was a famous computer scientist, became the first person convicted under the Computer Fraud and Abuse Act.


  • 7

The Concept Virus
The '90s saw the development of a raft of new bugs, including so-called polymorphic viruses that could change their appearance with each new infection, making it difficult for anti-virus software to detect their presence.
In 1995, the Concept virus broke new ground by being the first to infect Microsoft Word documents. Unaware users sharing documents via email helped make it one of the fastest spreading viruses of its time.


  • 6
Melissa
Before the decade was out, one of the worst viruses of all time appeared. Reputed to be named for a Florida stripper, Melissa showed up in March 1999 as a Word document, and it was one of the first viruses to spread from computer to computer without any further action on the user's part once the document had been opened.
For every PC it infected, the macro mailed the document to the first 50 entries in the victim's Microsoft Outlook address book. The resulting volume of Internet traffic forced companies such as Intel and Microsoft to temporarily shut down their own mail servers.

  • 5

The Love Bug
Social engineering — tricking a person into opening a file or revealing information — came into its own in May 2000 with the ILOVEYOU virus.
Like Melissa, it also used email and appeared to come from someone known to the recipient. But the attachment was a Visual Basic script (its .vbs extension hidden by default on Windows), which overwrote image and script files with copies of itself, hid the victim's MP3 files, changed the Internet Explorer start page to fetch a password-stealing Trojan, and mailed itself to every address in the victim's Outlook address book.
The Love Bug is still considered to be one of the most destructive viruses ever. It infected more than 50 million computers in just nine days, and caused several military sites to shut down their networks until the virus could be purged.


  • 4
The Anna Kournikova Virus
[Photo: Anna Kournikova at Bagram Air Force Base in Afghanistan in Dec. 2009. Credit: Senior Airman Felicia Juenke, U.S. Air Force]
You didn't have to be a tennis fan in February 2001 to fall victim to this virus. Using what has since become a commonplace tactic, the Kournikova virus enticed email recipients to open an attached picture of the statuesque tennis star.
There was in fact no image behind the message — just a Visual Basic script, assembled with a point-and-click worm-generator kit by a young programmer from the Netherlands, who quickly turned himself in to authorities.


  • 3
Code Red
[Photo: Mountain Dew Code Red. Credit: Like the Grand Canyon/Wikipedia]
In July 2001, researchers at the security firm eEye Digital Security named a new worm Code Red, after the hyper-caffeinated flavor of Mountain Dew soda they were drinking when they analysed it.
Code Red exploited a buffer overflow in the Index Server ISAPI extension of Microsoft's IIS web server (a flaw Microsoft had patched a month earlier in bulletin MS01-033) and in a single 14-hour stretch on July 19, 2001 infected more than 350,000 hosts. It proved tricky to eradicate because it lived only in memory: a reboot removed it, but any server that had not been patched was promptly reinfected by its neighbours. Its scanning traffic, plus a built-in denial-of-service attack on the White House website, caused overload and denial-of-service problems for sites around the world.



  • 2

Nimda
Nimda ("admin" spelled backwards) combined all three classic categories of malware: it was a virus (code that attaches itself to an otherwise benign program or file), a worm (a standalone program that spreads over the network by itself) and a Trojan horse (a standalone program that pretends to be benign). It spread by email, through open Windows network shares, by planting itself on pages served from compromised web servers so that visiting browsers picked it up, by exploiting directory-traversal flaws in unpatched IIS servers, and through the backdoors that Code Red II had left behind.
Nimda's variety of attack methods enabled it to spread faster than any previous malware, spanning the globe in less than an hour. (It appeared on Sept. 18, 2001, one week after the attacks on New York and Washington, leading to media speculation of an Al Qaeda connection.) Although estimates vary, it is reported to have caused billions of dollars' worth of damage.


  • 1
Netsky and Sasser
By 2004, virus writers were borrowing and building on each other's code so rapidly that their creations were beginning to interfere with one another. Netsky took the extraordinary step of removing rival worms such as Mydoom and Bagle from a victim's PC before installing itself. Sasser, from the same author, needed neither email nor any action by the user: it spread by exploiting a buffer overflow in the Windows LSASS service (patched in bulletin MS04-011) on unpatched Windows XP and 2000 machines.
Sasser drew attention because it knocked out the satellite communications system for the French news agency Agence France-Presse and caused problems with Delta Air Lines systems, leading to some flight cancellations. Eventually, both worms were traced to Sven Jaschan, a teenage computer science student in Germany.





The worst DDoS attacks: coming soon...

QR code security risks in the car park



QR codes are a highly convenient way to link a physical object to a URL. Point your phone's camera at the 2D barcode and you're instantly taken to a website.
That's something which can have security consequences, as mobile guru Terence Eden explains.
Islington Council in London has recently partnered with Verrus to bring mobile phone payments to car parking.
It's a really simple way to improve paying for parking - but it does leave open some fairly serious security risks.

Initial impressions

The QR codes being used by Islington Council are fairly clearly displayed on the side of the parking meters - but there is no printed call to action.
Which raises the question - what does scanning the code do?
From a practical point of view, would anyone scanning the code know that it allowed them to pay with their phone?
From a security point of view, does the QR code belong to the parking company? Could someone malicious have stuck this code onto the machine?
Unfortunately, there is a problem with the QR code that rang instant alarm bells in my mind.
I spotted instantly that it isn't using an HTTPS URL:
http://m.paybyphone.co.uk/?
utm_source=islington&
utm_medium=qrcode&
utm_campaign=mweb
For a site which asks for a password - and later for credit card details - that seems like a worrying oversight, and isn't going to instill confidence.
In fairness, the site does automatically redirect to the SSL version - but why leave that out of the QR code? An unencrypted first request also gives anyone on the same network the chance to intercept it and serve their own page before the redirect ever happens.
After scanning the code with their mobile phone, this is what the first time user sees:
[Screenshot: parking mobile website visited via QR code]
One thing to note is that most mobile phones won't display the full URL, unless they are in landscape mode.
The URL on display could easily be:
https://m.paybyphone.evilsite.xxx/

Registering

If you've never used the system before, you need to register on this screen:
[Screenshot: "Enter your credit card details"]
It is, in my opinion, a very poor idea to require someone to type their credit card number into a phone.
  • What if there's a gang of vicious hoodies waiting to snatch credit cards from unsuspecting users as they get them out on the street?
  • Is this really a legitimate site? There is no way of knowing, and the switch in branding between "paybyphone" and "PayByPhone" just makes things more confusing and suspicious.

Attack Vectors

The main way of attacking a QR code is to change it. In this case, all it would take would be a large sticker placed on the car parking notice to successfully redirect the user.
In the most mundane case, an attacker could ask the user to visit a malicious website which collects their login details - or worse, their credit card number.
However, a QR code can also be used to point to a premium rate phone number or premium rate SMS. Both could look "legitimate" when placed near a parking meter. A simple and effective way to deprive a victim of their money.

Solutions

QR code hijacking is very rare - but here are a few practical tips for securing a QR code payment service.
  1. Include signage telling the user what the code does. Otherwise the user has no way of knowing if the code should point to a URL, phone number, or SMS.
  2. Print the URL near to the code. This way if the code is hijacked and pointed to http://evilsite.xxx/ the user can see they're not visiting the correct site.
  3. Include https in the URL. Get users used to checking for https before they interact with you.
  4. If possible, use a short domain. Not only will it reduce the size of the QR code, it will give your users confidence if they can see the full domain in their phone's URL bar.
  5. Don't ask a user to get their credit card out on a busy street. Use a mobile payment solution which charges to the user's phone bill or deducts it from their credit.
QR codes provide a brand new way for people to interact with your service. Make sure that what you offer them is simple, satisfying, and secure.
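To make the attack vectors and points 2 to 4 above concrete, here is a small added example (not part of the original post, and not code from PayByPhone, Verrus or Islington Council) that classifies a decoded QR payload the way a cautious reader app or an audit script might. It accepts only an https URL whose host exactly matches an expected domain, and rejects plain http URLs, look-alike hosts such as m.paybyphone.evilsite.xxx, the user@host trick, and tel:/SMS payloads that could point at a premium-rate number. The expected host list and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts the parking service is assumed to use for this example; an assumption
# for illustration, not anything the operator publishes.
EXPECTED_HOSTS = {"m.paybyphone.co.uk", "paybyphone.co.uk"}

# Payload prefixes a reader app may act on directly (dial, send SMS/MMS).
ACTION_PREFIXES = ("tel:", "sms:", "smsto:", "mms:", "mmsto:")


def classify_qr_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Classify one decoded QR payload.

    Returns (verdict, reason) where verdict is "ok" or "reject".  Only an
    https URL whose host is exactly in expected_hosts is accepted, which
    covers the sticker-swap, look-alike domain and premium-rate cases above.
    """
    text = payload.strip()
    lowered = text.lower()

    # Phone or message payloads: a premium-rate number looks no different to
    # the user than a legitimate one, so never act on them from a parking sign.
    if lowered.startswith(ACTION_PREFIXES):
        return "reject", "phone/SMS payload, possibly premium rate"

    try:
        parts = urlsplit(text)
    except ValueError:
        return "reject", "payload does not parse as a URL"

    # Point 3: insist on https in the code itself, not on a later redirect.
    if parts.scheme.lower() != "https":
        return "reject", "scheme %r is not https" % (parts.scheme or "")

    # Points 2 and 4: the host must match exactly.  A suffix or substring
    # check would accept m.paybyphone.evilsite.xxx; .hostname also drops any
    # user@ part, so https://m.paybyphone.co.uk@evilsite.xxx/ yields
    # evilsite.xxx here and is rejected.
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in expected_hosts:
        return "reject", "host %r is not an expected host" % host

    return "ok", "https URL on %s" % host


# Constructed sample payloads: the real code from the post, plus the kinds of
# substitute an attacker's sticker might carry.
SAMPLES = [
    "http://m.paybyphone.co.uk/?utm_source=islington&utm_medium=qrcode&utm_campaign=mweb",
    "https://m.paybyphone.co.uk/?utm_source=islington&utm_medium=qrcode&utm_campaign=mweb",
    "https://m.paybyphone.evilsite.xxx/",
    "https://m.paybyphone.co.uk@evilsite.xxx/",
    "SMSTO:89123:PARK",
    "tel:+448719999999",
]


def audit(samples=SAMPLES):
    """Return {payload: verdict} for a batch of decoded payloads."""
    return {s: classify_qr_payload(s)[0] for s in samples}


if __name__ == "__main__":
    for payload, verdict in audit().items():
        print(verdict.ljust(7), classify_qr_payload(payload)[1], "<-", payload)
```

Note that the genuine Islington code, as printed, fails the check because it is http rather than https: that is the point of tip 3. An exact-host comparison is deliberate; matching on "contains paybyphone" is exactly what a look-alike domain is designed to defeat.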

Disclaimer: The author currently works for InMobi, who have a mobile payments product called SmartPay. There are several other cross-network payment solutions, including Boku and Google Checkout.

BitTorrent serves malware directly from website - no need for P2P!



Back in 2001, when BitTorrent was first announced, it seemed inevitable - and, at the same time, implausible - that a commercial company based around its social approach to file sharing would emerge and succeed, despite its novelty.
Inevitable, because the sheer popularity of peer-to-peer file sharing means that the potential return for any company successfully commercialising a popular P2P client is enormous.
Implausible, because the indelible association between P2P and piracy means that potential risk of burning out in lawsuits from copyright holders is vast.
But the creator of BitTorrent, Bram Cohen, did create a company out of his codebase, and BitTorrent, Inc. is effectively today's Torrent mothership.
The company is also the custodian of two popular Torrent clients: the so-called Mainline version, and its extremely popular compact cousin, uTorrent.
(The character u is commonly, if confusingly, used in Latin alphabets to represent the Greek letter μ. Short for micro, it's pronounced in English as mew, as in cat. So much for internationalisation.)
In its ten-year history, BitTorrent - the protocol, not the company - has become well known for facilitating the unregulated sharing of arbitrary material. Indeed, it's become quite the way to find all the ripped-off software, films, TV shows and porn you might need. Unsurprisingly, the cybercrooks love that sort of neo-anarchic mix, because it makes it easy for them to expose you to your fair share of malware.
Unfortunately, however, even if you are one of the many entirely law-abiding users of BitTorrent, the folks at BitTorrent, Inc. may recently have put you in harm's way.
According to a really-ought-to-be-more-visible warning on the download pages of www.bittorrent.com and www.utorrent.com, a breach of the two servers resulted in a two-hour window in which downloading BitTorrent's software would have given you a fake anti-virus program instead.
This morning [13 Sep 2011 on the US West Coast] at approximately 4:20 a.m. PT, the uTorrent.com and BitTorrent.com Web servers were compromised. Our standard software download was replaced with a type of fake antivirus "scareware" program.
Just after 6:00 a.m. PT, we took the affected servers offline to neutralize the threat. Our servers are now back online and functioning normally.
BitTorrent, Inc. identifies the malware as belonging to the Security Shield scareware family. Program files under this "brand" of fake anti-virus should be mopped up by Sophos Anti-Virus as CXmal/FakeAV-A.
Confusingly, the BitTorrent blog has recently been updated to claim that the software available from the www.bittorrent.com URI was not affected, implying that only those who downloaded utorrent during the infection window would be at risk.
Since the two sites share the same network infrastructure - both resolve to the same IP number in Limelight Networks' cloud - you might want to ignore that blog update and assume that any recent downloads from Bittorrent, Inc. were dodgy and give yourself a thorough anti-malware checkover.
I'd also ignore the time window, since BitTorrent used the annoyingly ambiguous abbreviation "PT" to denote the timezone. I'm guessing they meant to say UTC-7, but they didn't.
Update. Allison at BitTorrent got in touch to say she's updated the official report to make it clear: Pacific Daylight Time, UTC-7. Thanks for listening, Allison!

Hackers steal credit card details at Wisconsin and Tennessee Wilderness resorts



Bad news if you have been on vacation at one of the Wilderness resorts in Tennessee and Wisconsin in the last couple of years - hackers may now have your credit card details.
VacationLand Vendors Inc, a firm which provides arcade and vending machines to businesses, has revealed that a hacker broke into its credit card processing systems and stole up to 40,000 credit card details.
The credit cards were used in arcades at the Wilderness Hotel & Golf Resort in Wisconsin, and the Wilderness at the Smokies Waterpark Resort in Tennessee.
Precise details of how the data breach occurred have not been made public, but the company has published a warning on its website, and advised customers to keep their eyes peeled for unusual transactions on their credit cards.
[Image: statement from VacationLand Vendors]
Vacationland Vendors says that it "deeply regrets" the security breach and shut down its systems at the affected arcades as soon as it discovered the problem on March 25, 2011 - but that patrons may be impacted as far back as December 12, 2008.
The FTC has produced a website all about how consumers can protect themselves against identity theft.

SSCC 72 - DigiNotar, DNS hijacking and Firesheep v2



This week my guest for the podcast was Mike Wood, a Senior Threat Researcher at SophosLabs in Vancouver, Canada.
Mike is our expert on digital certificates and how malware authors try to use and abuse digital certificates for their own purposes.
I talked briefly about this month's Patch Tuesday, which fortunately is a small one compared to others this year.
I also briefly mentioned the compromise at DNS registrar NetNames. The attacker pointed the DNS for The Register, UPS and others to a Turkish hacker web site.
We discussed the latest version of Firesheep and how it is now able to steal your Google search history due to a flaw in how some Google sites handle cookies.
The meat of this Chet Chat was spent discussing the recent breach and impact of the hacker(s) who compromised certificate authority DigiNotar.
Mike went into some detail of how certificates have been abused and what these attackers might accomplish if they were to use bogus certificates they purloined from DigiNotar.

(8 September 2011, duration 27:22 minutes, size 12.5 MBytes)
You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 72 or subscribe to our RSS.