The most dangerous viruses in the entire history of computers

The term “computer virus” arose in the early 80s. It was first used by the American scientist Fred Cohen in his dissertation work on self-replicating computer programs. Since then, time and human ingenuity have produced a huge amount of malware, leaving a mark on the history of computer software that consists of vast quantities of erased information and broken operating systems.

In this article we will look at the TOP 10 most dangerous computer viruses in PC history.

Brain

The Brain virus was created in 1986 by two programmer brothers from Pakistan, Amjad and Basit Alvi. It was originally intended as a weapon against local pirates who were copying software the brothers had written. Instead, however, the program spread and infected tens of thousands of computers around the world. Brain wrote itself to the boot sectors of floppy disks, and when the computer read the infected sector, the virus substituted a specially prepared clean copy in its place.

Such programs that try to hide their presence in the operating system are called “stealth viruses”, and at the moment they are the most dangerous enemies of any PC.

Jerusalem

The Jerusalem virus was created in 1988 in Israel, and caused a lot of noise among users from the Middle East, as well as from Europe and the USA. In those days, no one knew how to deal with virus software, and antiviruses were a curiosity and not very popular.

This virus caused a lot of harm: it infected files created or opened during the day, and when launched, it simply deleted them. The entire process was accompanied by the slow deletion of all data stored on the hard drive.

The author of the virus and his motives remain unknown. However, the virus itself became one of the most dangerous on the planet, and marked the beginning of the Suriv family of resident viruses.

Conficker

In three months, this malware, which began its activity in 2008, infected more than 12 million computers running Microsoft's Windows operating system.

Using operating system vulnerabilities, this worm downloaded itself from the Internet, bypassed antivirus protection and blocked access to updates of antivirus databases. Next, updates for components of the operating system itself were disabled, and the names of services were changed. The worm penetrated into the farthest corners of the operating system, so it was almost impossible to find and remove all of its fragments.

What damage does a computer virus cause?

Viruses can cause a wide variety of harm. In most cases, they delete files or permanently damage them. If this happens to an important system file, you will not be able to start the operating system after infection.

Damage to physical equipment is also possible, but quite rare. For example, a virus can overclock a video card, causing it to overheat and fail.

Simply destroying files brings criminals no financial benefit, so such viruses have become uninteresting to them. Moreover, today there is much more profitable malware, such as ransomware or advertising software, so-called “adware”.

Storm Worm

The Storm Worm virus, like Conficker, infected the operating system via the Internet. Emails with catchy subject lines designed to attract attention were sent to owners of email accounts, with an infected file attached. Once opened on the user's computer, the file created a security hole in the system, collected data and sent spam.

The Storm Worm virus became active in 2007, and, according to experts, during its entire existence, about 10 million computers were infected.

CIH


The CIH virus was developed in June 1998 by Taiwanese student Chen Ing-hau to demonstrate the vulnerability of Tatung University's security system. However, the program he created, later nicknamed “Chernobyl”, quickly spread across the network and infected several million PCs. After CIH overwrote the BIOS flash chip, the computers simply did not turn on, and all data on the hard drives was erased without the possibility of recovery.

The damage caused by this virus is estimated at $1 billion. However, the author of the virus, which infected about 500,000 computers around the world, managed to escape punishment. Now the young man works at Gigabyte.

Melissa

In the late 90s, the first email macro virus, Melissa, spread across the network, infecting computers and independently sending spam, causing system overload. As a result, the operating system simply failed.

The speed of spread and scale of infection by this virus were so colossal that the FBI joined in the search for its author. The creator of the virus turned out to be a man named David Smith. For his brainchild, which caused damage of $80 million, David was sentenced to 20 months in prison and paid a huge fine.

SQL Slammer


SQL Slammer, a dangerous computer worm that appeared in January 2003, generated random IP addresses and sent itself to those addresses. Due to its small size, the virus quickly spread across the network, causing the Microsoft server and another 500,000 servers around the world to crash, and it completely disconnected South Korea from the Internet for 12 hours.

In 10 minutes, SQL Slammer infected about 75,000 computers.

The ten most destructive viruses in history

TechWeb has published a list of the ten most destructive computer viruses in history, in chronological order.

CIH (1998)

Estimated damage: $20-80 million, not including massive amounts of data destroyed.

This virus came from Taiwan in June 1998 and became one of the most dangerous and destructive viruses in human history. Known in Russia as “Chikh” (“sneeze”), it infected executable files and multiplied through the computer’s RAM. It was especially dangerous because it could overwrite data in the boot sector of the hard drive, causing the drive to fail.

Melissa (1999)

Estimated damage: $300-600 million.

On Friday, March 26, 1999, the W97M/Melissa macro virus hit the front pages of newspapers in various countries. It turned out that in a very short time the virus affected from 15 to 20% of business computers in the world. The malware spread through email so quickly that many large corporations, including Intel and Microsoft, were forced to block email traffic on their internal networks.

ILOVEYOU (2000)

Estimated damage: $10-15 billion.

Also known as Loveletter and The Love Bug, this Visual Basic script exploited one of the basic human weaknesses: the desire to be loved. On May 3, 2000, the virus was first detected in Hong Kong. The program was distributed by email with the subject line “I love you” and an attachment in the form of a file with a “double” extension .txt.vbs. The virus replicated in the same way as Melissa: it sent copies of itself to addresses from the Microsoft Outlook address book. It also searched the infected computer for logins and passwords, which it sent to its author. Incidentally, the author was found: he turned out to be a citizen of the Philippines. He suffered no punishment because the Philippines had no laws against this type of crime.

Code Red (2001)

Estimated damage: $2.6 billion.

The Code Red network worm began spreading rapidly on the Internet on July 13, 2001, exploiting a hole in the Microsoft IIS web server. Tellingly, Microsoft had released a patch closing this hole in mid-June, but this could not prevent the epidemic. The worm, created in China, was programmed to cause maximum damage: it actively searched for other vulnerable systems in order to infect the maximum number of servers. On a set date, a distributed DoS attack was to begin against a list of IP addresses, including US government servers. In less than a week, the virus infected almost 400 thousand servers.

SQL Slammer (2003)

Estimated damage: since the virus began spreading on a Saturday, the cost of lost working time was minimal. However, the worm infected half a million servers around the world and cut off South Korea from the Internet for 12 hours.

The virus began spreading on January 25, 2003, which immediately had a negative impact on global Internet traffic. Its targets were servers. The virus was a 376-bit data packet that generated a random IP address and sent itself there. If there was a server at that address with an unpatched version of the Microsoft SQL Server Desktop Engine, that computer also immediately began to demonstrate the same behavior: mass mailing to random addresses. The worm infected the first 75,000 computers in just 10 minutes, and huge amounts of junk traffic quickly overloaded communication channels around the world.

Blaster (2003)

Estimated damage: $2-10 billion.

The summer of 2003 was very favorable for the spread of various viruses. Several epidemics were registered at once. Almost simultaneously, the Blaster and Sobig viruses began to spread. The first of them, also known as Lovsan and MSBlast, was discovered on August 11, and in just two days the epidemic reached its peak. The virus affected personal computers running Windows 2000 and Windows XP, causing users to see a “system” message on the screen telling them to reboot.

Sobig.F (2003)

Estimated damage: $5-10 billion, more than 1 million infected PCs.

The Sobig outbreak began immediately after the Blaster outbreak, making August 2003 the worst month for antivirus firms and users around the world. The Sobig.F modification was the most destructive. It appeared on the Internet on August 19 and set a new world record (soon broken by MyDoom) by infecting more than 1 million computers in 24 hours. The virus propagated in the traditional way, via email file attachments. This time they had a .pif extension. Interestingly, on September 10, 2003, the virus deactivated itself and no longer posed a threat. Despite this, Microsoft announced a $250 thousand reward for information leading to the author, but he has not yet been found.

Bagle (2004)

Estimated damage: tens of millions of dollars, and more every day.

The classic Bagle worm (Beagle) appeared on the Internet on January 18, 2004. It infected computers through a previously well-tested mechanism: file attachments via email. After infection, the virus opened a backdoor into the system, so that the attacker gained full access to it. To date, between 60 and 100 modifications of Bagle are known, some of which are still active.

MyDoom (2004)

Estimated damage: at the peak of the epidemic, the average response time on the Internet increased by 10%, and website loading speeds slowed down by 50%.

In just a few hours on January 26, 2004, the MyDoom (Novarg) epidemic spread throughout the Internet. No virus had ever demonstrated such a rate of spread before. The worm spread via email attachments with the subject line “Mail Transaction Failed.” It also tried to reproduce through the Kazaa peer-to-peer network. According to experts, at some point every tenth email message in the world's mail traffic was infected. The virus, created as an experiment, ceased activity on its own on February 12, 2004.

Sasser (2004)

Estimated damage: tens of millions of dollars.

Sasser began spreading on April 30, 2004, and to date remains the last of the viruses that have caused significant damage to humanity. Since then, the situation has remained stable for more than two years. In April 2004, however, Sasser led to the blocking of satellite communications of some French news outlets, the cancellation of several Delta flights, and the blocking of many computer systems around the world. Unlike previous viruses, Sasser was not distributed by email, but exploited a security hole in Windows 2000 and Windows XP systems. Once it infected a computer, it scanned ports in search of new victims. The virus was written by a 17-year-old German schoolboy. He released his creation on his birthday, when he turned eighteen.

Code Red

Code Red is a worm that appeared two years before SQL Slammer. The virus attacked computers through a running Microsoft IIS web server.

The Code Red virus managed to infect about 400 thousand servers, including the White House server. This worm replaced infected files and displayed the message “HELLO! Welcome to https://www.worm.com! Hacked By Chinese!”

The total damage caused by this virus is approximately $2.6 billion. It was not possible to find the creators of this malicious program; only their approximate location was revealed - the Philippines.

Types of computer viruses and their characteristics

Good afternoon! Each of us has heard the phrase “computer virus”. Some people know quite a lot about this concept, but for most readers the phrase remains mysterious, incomprehensible and somehow distant.

What is a computer virus? Let's first define an ordinary virus. A virus is a kind of crystal that has its own DNA, cytoplasm and other elements. But the virus does not have its own nucleus, is not an independent organism and cannot exist outside a living being, be it a cell or a multicellular organism.

Viruses can be dormant, incubating, or active. All this applies to computer viruses as well. Their essence is really similar. They also integrate into another host, such as a program, change its code, actively reproduce, and sometimes even damage the PC hardware. Just like ordinary viruses, computer viruses come in quite diverse types.

We can say that a computer virus is a program that is capable of creating multiple duplicates of itself, embedding itself in the code of other software, in the system memory, its startup, and introducing its numerous duplicates in various ways.

The purpose of computer viruses is to disrupt the operation of various software systems, delete many files, disrupt the structure of information, and block the operation of various PC components in order to impede their performance.

And this is true: just three days ago my nephew came to see me, and I downloaded games for him via torrent. During the download, shortcuts for various programs that I didn’t need began to appear on the monitor screen.

I then had to remove this software, but that is nothing; the main thing is that a virus had been introduced into it, which I removed. I did that in “Safe Mode” (in this mode only some of the drivers and other programs are loaded, the most necessary ones, which makes it possible to search for a virus without the antivirus being interrupted).

I advise you to use it, because many viruses first try to disable the antivirus, which is what happened on my computer. It is quite easy to turn on: press the hard reset button (next to the “Start” button), and during the boot process you will be offered three startup options, among which are “Normal Mode” and “Safe Mode”.

I also want to give you some advice: when you download via torrent, always watch what you download and how many files there are. Usually there should be one file if it is one program, not several. If there are several of them, that is already suspicious!

Also, watch out for files called “Silent installation” among the downloaded applications. If you see a file like this, uncheck it immediately. Otherwise, it is not clear what you will install!

And one more piece of advice: if you use Kaspersky, it’s better to choose KIS, because it blocks such silent installation files! In general, you shouldn’t skimp on a good antivirus! But let's return to the types of viruses.

Sobig F


In August 2003, the Sobig F virus began to spread by email. Opening a file attached to an email was accompanied by rapid distribution of its copies over the network. To date, this is the fastest spreading virus in the history of computer technology - in 24 hours, about a million computers running the Microsoft Windows operating system were affected by this malicious program.

It is noteworthy that the Sobig F virus was deactivated a month after its appearance. Microsoft promised $250,000 for information about the creator of the virus, but the culprit was never found. The damage caused by the malware he created amounts to 5–10 billion dollars.

The most dangerous viruses in the entire history of computers

The history of computer viruses begins in 1983, when the American scientist Fred Cohen, in his dissertation work devoted to the study of self-replicating computer programs, first coined the term “computer virus.” The exact date is even known - November 3, 1983, when at a weekly computer security seminar at the University of Southern California (USA) a project was proposed to create a self-propagating program, which was immediately dubbed a “virus”. Debugging it required 8 hours of computer time on a VAX 11/750 machine running the Unix operating system, and exactly a week later, on November 10, the first demonstration took place. Based on the results of these studies, Fred Cohen published the work Computer Viruses: theory and experiments with a detailed description of the problem.

The foundations of the theory of self-propagating programs were laid back in the 40s of the twentieth century in the works of the American scientist John von Neumann, who is also known as the author of the basic principles of operation of a modern computer. These works described the theoretical foundations of self-reproducing mathematical automata.

Here we will talk about the most dangerous samples of malware in our long history.

Before discussing them, let's define what is meant by “the most dangerous”.

From the user's point of view, it is the virus that caused him the most damage. From an information security officer's point of view, it is the virus you have not yet managed to detect.

We will be guided by this criterion in the future.

In my opinion, the most dangerous malware is the one that opens up new possibilities for infection.

Creeper

The first network virus, Creeper, appeared in the early 70s on the military computer network Arpanet, the prototype of the Internet. The program was able to independently access the network via a modem and save a copy of itself on a remote machine. On infected systems, the virus revealed itself with the message: I'M THE CREEPER: CATCH ME IF YOU CAN. Overall, the virus was harmless, but it irritated the staff.

To remove an annoying, but generally harmless virus, an unknown person created the Reaper program. In fact, it was also a virus that performed some functions typical of an antivirus: it spread across a computer network and, if the body of the Creeper virus was detected, it destroyed it.

The appearance of Creeper not only marked the beginning of modern malware, but also gave rise to a stage in the development of viruses, during which virus writing was the lot of a few talented programmers who did not pursue any material goals.

Brain

Brain (1986) was the first virus for IBM-compatible computers to cause a global epidemic. It was written by two programmer brothers from Pakistan, Basit Farooq Alvi and Amjad Alvi. Its distinctive feature was that it replaced the infected sector with the uninfected original at the moment the sector was accessed. This gives us the right to call Brain the first known stealth virus.

Within a few months, the program expanded beyond Pakistan, and by the summer of 1987 the epidemic had reached global proportions. In fact, this was the first and, alas, far from the last virus epidemic for the IBM PC. In this case, the scale of the epidemic was certainly not comparable to current infections, but the Internet era was still ahead.

Virdem

In 1986, German programmer Ralf Burger discovered that a program could create copies of itself by appending its code to executable DOS files in COM format. A prototype of the program, called Virdem, was demonstrated at the computer underground forum of the Chaos Computer Club (December 1986, Hamburg, Germany). This was the impetus for the writing of hundreds of thousands of computer viruses that partially or fully used the ideas described by the author. In fact, this virus marked the beginning of mass infections.

Jerusalem

Jerusalem, the most famous modification of the Suriv (1987) family of resident file viruses and the creation of an unknown programmer from Israel, became the cause of a global epidemic, the first real pandemic caused by an MS-DOS virus. Thus, it was with this virus that computer pandemics began (from the Greek pandemía, “all the people”): epidemics characterized by spreading across many countries of the world.

It is thanks to this virus that the phrase “Friday the 13th” still makes the hearts of system administrators beat faster. It was on Friday, May 13, 1987, that this virus began to destroy infected files when users tried to run them. It made its presence felt in Europe, the USA and the Middle East. This virus was also known as Jerusalem, “Friday the 13th 1813”, Hebrew University, Israeli and Suriv 3.

Jerusalem had several malicious features. The most famous was the one that removes from the computer all programs launched on Friday the 13th. Since the coincidence of Friday with the 13th of the month does not happen very often, most of the time Jerusalem spread unnoticed, without any interference in the actions of users. However, 30 minutes after loading into memory, the virus slowed down the speed of XT computers by 5 times and displayed a small black rectangle in the text mode of the screen.

Morris worm


The Morris Worm (November 1988) was the first network worm to cause an epidemic. It was written by 23-year-old Cornell University (USA) student Robert Morris, who exploited security flaws in the Unix operating system for the VAX and Sun Microsystems platforms. In order to surreptitiously penetrate computer systems connected to the Arpanet network, it guessed passwords from a built-in list of 481 candidates. The total cost of damage is estimated at $96 million. The damage would have been much greater if the worm had originally been created for destructive purposes.

This malware showed that the Unix OS is as vulnerable to password guessing as other operating systems.

Chameleon

Chameleon (early 1990) was the first polymorphic virus. Its author, Mark Washburn, took the description of the Vienna virus from Ralf Burger's book Computer Viruses: The Disease of High Technologies as a basis for writing the program, and added to it the improved self-encryption principles of the Cascade virus: the property of changing the appearance of both the virus body and the decryptor itself.

This technology was quickly adopted and, in combination with Stealth and Armored technologies, allowed new viruses to successfully resist existing antivirus packages.

With the advent of this technology, fighting viruses has become much more difficult.

Concept

Concept (August, 1995) - the first macro virus to infect Microsoft Word documents. It was in 1995 that it became clear that not only executable files, but also document files could become infected.

This specimen was not particularly malicious, its epidemic was very sluggish (lasting several years), and it did not affect very many computers (Kaspersky Lab registered only 800 complaints from clients about this virus). Compared to today, the scale of Concept looks very modest. But for 1995-1997 the result was very impressive. Like a small stream that feeds a stormy river, macro viruses predetermined the rapid emergence of viruses on the world stage.

There is an opinion among users that a macrovirus is just a harmless subroutine, capable only of minor dirty tricks such as replacing letters and punctuation marks. In fact, a macro virus can do a lot: formatting a hard drive or stealing something valuable is not a problem for it.

Win95.CIH

In June 1998, a virus of Taiwanese origin, Win95.CIH, was discovered, containing a logic bomb to destroy all information on hard drives and damage the contents of the BIOS on some motherboards. The trigger date of the program (April 26) coincided with the date of the accident at the Chernobyl nuclear power plant, as a result of which the virus received a second name, “Chernobyl”. It was this virus that showed the vulnerability of rewritable (flash) BIOS. Thus, it suddenly turned out that malicious software can destroy not only information, but also computer hardware.

The Win95.CIH virus was unique for its time, and not only because it became the first virus that really damages hardware. It does not change SYSTEM.INI and does not write .VXD files to the Windows System directory; it only infects PE files... and (sometimes) erases the flash BIOS and hard drives... This is the first “truly resident” Win95/98 virus.

It is activated on April 26 (the date of the disaster at the Chernobyl nuclear power plant and the date of birth of the author of the virus).

LoveLetter

LoveLetter is a script virus that, on May 5, 2000, broke the record of the Melissa virus for the speed of spread. In just a few hours, millions of computers were affected - LoveLetter was included in the Guinness Book of Records.

The situation developed rapidly. The number of requests (and the number of victims) grew exponentially.

This virus spread through email messages and IRC channels. An email carrying the virus is easy to spot: the subject is ILOVEYOU, which immediately catches the eye. The body contains the text “kindly check the attached LOVELETTER coming from me” and an attached file named LOVE-LETTER-FOR-YOU.TXT.vbs. The virus only triggered when the user opened the attachment.

The virus sent itself to all addresses that it found in the address book of the MS Outlook email program of the infected computer, and also wrote copies of itself to files on the hard drive (thereby irreversibly overwriting their original content). The victims of the virus were, in particular, pictures in JPEG format, Java Script and Visual Basic Script programs, as well as a number of other files. And the virus also hid video and music files in MP2 and MP3 formats.

In addition, the virus performed several actions to install itself into the system and to install individual additional virus modules, which it downloaded from the Internet.

All this indicates that the VBS.LoveLetter virus is very dangerous! Along with direct data corruption and violation of the integrity of the operating system’s protection, it sent out a large number of messages: copies of itself. In some cases, the virus paralyzed the work of entire offices.
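The attachment tricks described for LoveLetter above (the “double” extension LOVE-LETTER-FOR-YOU.TXT.vbs) and earlier for Sobig.F (.pif files) and Bagle are exactly what a mail-gateway attachment filter checks for. The following Python check is an added example, not code from this article or from any of the products it mentions; the attachment names are constructed samples and the extension lists are this example's own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Extensions that Windows of the period would execute on double-click.
# The worms above arrived as .vbs (LoveLetter), .pif (Sobig.F) and similar.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "pif", "scr",
                   "exe", "com", "bat", "cmd", "lnk", "hta", "reg"}

# Extensions a recipient reads as harmless; used as bait in front of the
# real extension (LOVE-LETTER-FOR-YOU.TXT.vbs).
BAIT_EXTS = {"txt", "jpg", "jpeg", "gif", "doc", "pdf", "mp3", "zip", "htm", "html"}

# Constructed sample attachment names (not taken from real mail).
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",             # LoveLetter-style double extension
    "your_details.pif",                        # Sobig.F-style .pif attachment
    "quarterly_report.doc",                    # ordinary document
    "holiday.jpg                        .scr",  # padding pushes .scr out of view
    "README",                                  # no extension at all
]


@dataclass(frozen=True)
class Verdict:
    filename: str
    action: str   # "block", "suspicious" or "allow"
    reason: str


def extensions(filename: str) -> list[str]:
    """Return the last three dot-separated extension parts, lowercased.

    Whitespace inside each part is stripped, so a padded name such as
    'holiday.jpg      .scr' yields ['jpg', 'scr'] just like 'holiday.jpg.scr'.
    """
    parts = [p.strip().lower() for p in filename.strip().rsplit(".", 3)]
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename: str) -> Verdict:
    """Decide what a mail gateway should do with one attachment name."""
    name = filename.strip()
    exts = extensions(name)
    if not exts:
        return Verdict(filename, "suspicious", "attachment has no extension")
    real = exts[-1]                     # Windows opens the file by its LAST extension
    if real in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in BAIT_EXTS:
            return Verdict(filename, "block",
                           f"double extension: .{exts[-2]} bait hides executable .{real}")
        return Verdict(filename, "block", f"executable attachment type .{real}")
    # Long runs of whitespace are used so that only the bait part is visible in a
    # narrow mail-client column; flag them even when the last extension looks safe.
    if re.search(r"\s{3,}", name):
        return Verdict(filename, "suspicious", "whitespace padding inside filename")
    return Verdict(filename, "allow", f".{real} is not an executable type")


def scan_message(attachment_names: list[str]) -> list[Verdict]:
    """Classify every attachment of one message."""
    return [classify_attachment(n) for n in attachment_names]


def should_quarantine(attachment_names: list[str]) -> bool:
    """Quarantine the whole message if any attachment must be blocked."""
    return any(v.action == "block" for v in scan_message(attachment_names))


if __name__ == "__main__":
    for verdict in scan_message(SAMPLE_ATTACHMENTS):
        print(f"{verdict.action:10} {verdict.filename!r}: {verdict.reason}")
```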

Ramen

Ramen (January, 2001) is a virus that in a matter of days infected a large number of large corporate systems based on the Linux operating system.

This dangerous Internet worm attacked servers running the Red Hat Linux 6.2 and Red Hat Linux 7.0 operating systems. The first reports of the appearance of this worm were received from Eastern European countries, which suggests its Eastern European origin. To propagate, the worm uses some weaknesses in applications of these operating systems.

The worm is an archive named ramen.tgz, containing 26 different executable files and shell scripts. Each executable file is archived in two copies: compiled to run on Red Hat 6.2 and compiled to run on Red Hat 7.0. The archive also contains an executable file named wu62, which is not used by the worm.

Although outwardly harmless, this worm is extremely dangerous, as it disrupts the normal functioning of the server. The operation of the http server will be disrupted by the destruction of the contents of all index.html files, anonymous ftp access to the server will be denied, the RPC and LPD services will be deleted, access restrictions through hosts.deny will be lifted.

The worm uses in its code many slightly modified exploits that were previously available on hacker sites, as well as on sites dedicated to network security.

It should be noted that the worm uses “holes” the most recent of which has been known since the end of September 2000. However, when a system is installed, the vulnerable services are installed with it, and many users and administrators do not properly monitor warnings about “weak spots” in their systems and do not eliminate them in a timely manner, which makes the worm more than viable.

It was with its appearance that the myth that there are no viruses under Linux was destroyed.

CodeRed

CodeRed (July 12, 2001) is a representative of a new type of malicious code that can actively spread and work on infected computers without using files. During operation, such programs exist exclusively in system memory, and when transferred to other computers - in the form of special data packets.

The most detailed and prompt description and analysis of the worm was made by researchers from the eEye Digital Security group. They also gave the worm its name, a nod to the Code Red variety of the Mountain Dew drink; the phrase Hacked By Chinese! (“Hacked by the Chinese!”) in the worm's body is a reference to communist China, although in reality the worm was most likely written by ethnic Chinese in the Philippines. With this phrase, the worm replaced the content of websites on the infected server.

The worm exploited a vulnerability in the indexing utility that came with the Microsoft IIS web server. This vulnerability was described by the vendor, Microsoft, in security bulletin MS01-033. In addition, a month before the epidemic, a corresponding patch was published.

eEye experts claim that the worm began its spread from Makati City in the Philippines.

In fact, this virus marked the beginning of a whole series of viruses (and this, alas, continues to this day). Its distinctive feature was that such worms appear some time after the corresponding updates from software manufacturers are released.

CERT (Computer Emergency Response Team) estimates that the number of computers infected by the Code Red worm reached approximately 350 thousand. The traffic it created on the Internet, as infected computers looked for new victims, left a significant imprint on the overall speed of the Internet.

Code Red's original intent was to use all the computers it infected to launch a DoS attack against Whitehouse.gov (the White House website).

This marked the beginning of exploitation of system administrators' careless attitude towards installing software updates.
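The Indexing Service component named above was reached through requests for an .ida resource carrying a very long, %u-encoded query string; that request shape comes from public analyses of the worm, not from this article. The Python below is an added example, not code from the article or from eEye: it runs that check over constructed IIS W3C-style log lines and reports the client addresses behind the suspect requests, which is what an administrator who had missed the MS01-033 patch would want to find in the web server logs.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed IIS W3C extended log lines with the fields
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# Lines 3 and 5 imitate the Code Red / Code Red II request shape:
# a run of filler characters followed by %u-encoded wide characters.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:15:32 198.51.100.20 GET /index.html - 200
2001-07-19 10:15:40 203.0.113.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-07-19 10:16:02 198.51.100.21 GET /search.ida CiRestriction=report&CiScope=%2Fdocs 200
2001-07-19 10:16:30 203.0.113.9 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
"""

IDA_EXTENSIONS = (".ida", ".idq")        # handled by the Indexing Service ISAPI filter
FILLER_RUN = re.compile(r"(.)\1{31,}")   # 32 or more identical characters in a row
WIDE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")


@dataclass(frozen=True)
class LogEntry:
    date: str
    time: str
    client_ip: str
    method: str
    uri_stem: str
    uri_query: str
    status: int


def parse_line(line: str) -> LogEntry | None:
    """Parse one W3C log line; return None for header and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time, ip, method, stem, query, status = fields
    if not status.isdigit():
        return None
    return LogEntry(date, time, ip, method, stem, "" if query == "-" else query, int(status))


def is_ida_overflow_attempt(entry: LogEntry) -> bool:
    """Heuristic for the Code Red request shape against the .ida/.idq filter.

    Legitimate Indexing Service queries are short and use CiRestriction=...;
    the worm sent a long filler run and many %uXXXX escapes to overflow the
    filter's buffer, so either feature marks the request as suspect.
    """
    if not entry.uri_stem.lower().endswith(IDA_EXTENSIONS):
        return False
    if FILLER_RUN.search(entry.uri_query):
        return True
    return len(WIDE_ESCAPE.findall(entry.uri_query)) >= 8


def find_suspects(log_text: str) -> list[LogEntry]:
    """Return every parsed entry that matches the heuristic."""
    entries = (parse_line(raw) for raw in log_text.splitlines())
    return [e for e in entries if e is not None and is_ida_overflow_attempt(e)]


def suspect_ips(log_text: str) -> list[str]:
    """Distinct client addresses of suspect requests, in order of first appearance."""
    seen: dict[str, None] = {}
    for entry in find_suspects(log_text):
        seen.setdefault(entry.client_ip, None)
    return list(seen)


if __name__ == "__main__":
    for entry in find_suspects(SAMPLE_LOG):
        print(f"{entry.date} {entry.time} {entry.client_ip} -> {entry.uri_stem} ({entry.status})")
```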

Cabir

Cabir (June, 2004) is the first network worm to spread via the Bluetooth protocol and infect mobile phones running Symbian OS. With the appearance of this worm, it became clear that from now on not only PCs, but also smartphones are infected. These days, threats to smartphones already number in the millions. And it all started back in 2004.

The figure (not reproduced here) showed quarterly statistics on the growth in the number of mobile malware samples in 2013, according to Kaspersky Lab. It all started in 2004 with the first Cabir virus...

Kido

The main epidemic of 2009 was caused by the Kido (Conficker) worm, which infected millions of computers around the world. It used several methods to penetrate the victim’s computer: guessing passwords to network resources, spreading through flash drives, and using the Windows MS08-067 vulnerability. Each infected computer became part of a zombie network. The fight against the created botnet was complicated by the fact that Kido implemented the most modern and effective virus writing technologies. In particular, one of the modifications of the worm received updates from 500 domains, the addresses of which were randomly selected from a daily created list of 50 thousand addresses, and P2P connections were used as an additional update channel.

At the same time, the creators of Kido did not show much activity until March 2009, although, according to various estimates, by that time it had already infected up to 5 million computers around the world. On the night of April 8-9, 2009, the infected PCs were given a command to update over a P2P connection. In addition to the Kido update, two additional programs were downloaded onto infected PCs: an email worm of the Email-Worm.Win32.Iksmas family, which sends spam, and a fake antivirus of the FraudTool.Win32.SpywareProtect2009 family, which demands money for removing supposedly detected programs.

To combat this threat a special Conficker Working Group was created, bringing together antivirus companies, Internet providers, independent research organizations, educational institutions and regulators. It was the first example of international cooperation on this scale, going well beyond the usual contacts between antivirus experts.

The Kido epidemic continued throughout 2009. In November the number of infected systems exceeded 7 million.
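The update mechanism described above, where each bot derives the day's candidate domains from the date and queries a random subset, is what defenders had to beat by pre-registering the domains. The following is an added illustration of that rendezvous scheme and of why reversing the algorithm defeats it; it is not Conficker's real algorithm (the hash, the TLD list and the label format are assumptions), and it is not code from the original article.

```python
"""Toy domain-generation algorithm (DGA) rendezvous of the Kido/Conficker kind.

Illustrative only: SHA-256 seeding, the TLD list and the label lengths are
assumptions, not the real worm's algorithm. The counts (50,000 candidates,
500 queried) follow the figures given in the text.
"""
import datetime as dt
import hashlib
import random

TLDS = ("com", "net", "org", "info", "biz")   # assumed list, not Conficker's
CANDIDATES_PER_DAY = 50_000
QUERIES_PER_DAY = 500


def daily_domains(day: dt.date, count: int = CANDIDATES_PER_DAY) -> list:
    """Deterministically derive `count` candidate domains for `day`.

    Every infected host computes the same list from the date alone, so the
    binary carries no hard-coded C2 address that could simply be blocked.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        label = digest[:10 + i % 5]               # 10-14 hex chars, length varies
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def bot_query_set(day: dt.date, seed: int, count: int = QUERIES_PER_DAY) -> set:
    """The subset one bot actually resolves on `day`.

    Each bot samples differently (`seed`), so the operators need to register
    only one domain of the 50,000 for a good fraction of bots to find it,
    while a defender who blocks domains one by one has to cover all 50,000.
    """
    rng = random.Random(seed)
    return set(rng.sample(daily_domains(day), count))


def sinkhole_plan(day: dt.date) -> set:
    """Defender side: once the algorithm is reversed, the complete list for
    any future date can be precomputed and registered or sinkholed ahead of
    the operators, which is what the Conficker Working Group coordinated."""
    return set(daily_domains(day))


def bot_reaches_live_c2(day: dt.date, seed: int,
                        operator_domains: set, sinkholed: set) -> bool:
    """True if the bot resolves at least one domain the operators registered
    that the defenders did not take first."""
    tried = bot_query_set(day, seed)
    return bool((tried & operator_domains) - sinkholed)


if __name__ == "__main__":
    today = dt.date(2009, 4, 9)
    ops = {bot_query_set(today, 1).pop()}        # operators register one domain
    print("no sinkhole :", bot_reaches_live_c2(today, 1, ops, set()))
    print("full sinkhole:", bot_reaches_live_c2(today, 1, ops, sinkhole_plan(today)))
```

The asymmetry is the whole point of a DGA: the operators can register a single domain per day, while the defender who does not know the algorithm must block thousands. Recovering the algorithm from the binary removes the asymmetry, because the defender can then compute every domain for every future date.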

In 2012, cyber weapons appeared.

Wiper

At the end of April 2012, Iran was alarmed by a mysterious Trojan: it appeared from nowhere and destroyed databases in dozens of organizations. One of the hardest hit was Iran's largest oil terminal, which was shut down for several days after data on oil contracts was destroyed.

The creators of Wiper made every effort to destroy all data that could be used to analyze the incidents. As a result, in none of the cases examined after Wiper's activation were any meaningful traces of the malicious program left behind.

There is no doubt that a malicious program known as Wiper attacked computer systems in Iran (and possibly elsewhere) until the end of April 2012. It was written so professionally that, once activated, it left no data behind. So although traces of infection were found, the malware itself remains unknown: no other incidents have been reported in which disk contents were overwritten in the same way as in the Wiper infections, and not a single detection of this program has been registered by the proactive protection components of security products.

Taken together, this suggests that Wiper was the product of a state cyber warfare program in one of the developed countries rather than the work of ordinary criminal attackers.

Flame

Flame is a very sophisticated attack toolkit, far more elaborate than Duqu. It is a backdoor Trojan that also has worm-like features: it can spread across a local network and through removable media, but only when its operators order it to.

After infecting a system, Flame carries out a complex set of operations, including sniffing network traffic, taking screenshots, recording audio from the microphone, logging keystrokes and so on. All of this data is available to the operators through Flame's command and control servers.

The Flame worm, built for cyber espionage, came to the attention of Kaspersky Lab experts during research requested by the International Telecommunication Union (ITU), which had asked for help in finding an unknown malicious program that was deleting confidential data from computers in the Middle East. Although Flame's functionality differs from that of the notorious cyber weapons Duqu and Stuxnet, these programs have much in common: the geography of the attacks, and a narrow target focus combined with the use of specific software vulnerabilities. This puts Flame on a par with the cyber superweapons being deployed in the Middle East by unknown attackers. Flame is without doubt one of the most sophisticated cyber threats ever seen. The program is large and extremely complex in structure, and it forces a rethink of concepts such as "cyber warfare" and "cyber espionage".

Flame is a huge package of software modules whose total size, when fully deployed, is almost 20 MB, which makes analysis of the program very laborious. Flame is so large because it bundles many libraries, including compression code (zlib, libbz2, ppmd), database code (sqlite3) and a Lua virtual machine.

Gauss

Gauss is a complex set of cyber espionage tools implemented by the same group that created the malicious Flame platform. The complex has a modular structure and supports remote deployment of new functionality implemented in the form of additional modules.

Gauss is a government-created "banking Trojan" with a dangerous function of unknown purpose. In addition to stealing a variety of data from infected Windows computers, it contains an as yet unknown malicious payload whose code is encrypted and which is activated only on systems with a particular configuration. The currently known modules perform the following functions:
• interception of cookies and passwords in the browser;

• collecting and sending system configuration data to attackers;

• infection of USB storage devices with a module designed to steal data;

• creating lists of the contents of system drives and folders;

• theft of data necessary to access accounts of various banking systems operating in the Middle East;

• interception of data on accounts on social networks, email services and instant messaging systems.

In general, readers should understand that no one will ever be able to create a complete list of all the most dangerous examples of malware, because the most dangerous virus for you will be the one you never managed to detect!

I LOVE YOU

ILOVEYOU is a computer worm that spread very successfully by email in a message with the subject "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.TXT.VBS". Windows hid the final .VBS extension by default, so the attachment looked like a harmless text file. Once opened, the worm sent itself to every address in the victim's Outlook address book and overwrote files of certain types on the disk.

The damage caused by the worm, which appeared in May 2000, is estimated at 10 to 15 billion dollars. ILOVEYOU was entered in the Guinness Book of Records as the most destructive computer virus in the world.

Computer viruses

Author: Vladimir

Hello dear readers of my blog, I want to introduce you to computer viruses so that you have some idea of ​​what they are and how to deal with them. So let's get started.

Computer viruses pose a serious threat to computer users around the world. The danger is not limited to the safety of information or the performance of the system and its hardware. Increasingly, malware is used to defraud users by stealing passwords and access codes for bank cards and accounts. Viruses therefore cause direct financial damage as well, so they can and must be fought by every available means.

What is a computer virus?

A computer virus is most often a small program or piece of software code that is placed in the body of an executable file or document. When the infected file is launched, the virus begins its malicious work.

To persist, a virus typically copies itself after its first launch, registers the infected file in startup, and tries to spread its body through the local network, infecting an ever growing number of files and computers. Viruses can reach a user's computer in many ways.

Most often infection occurs when you launch an already infected file, which may have arrived by email, been copied from a flash drive or disk, or been downloaded from a dubious site. Malware also often enters through the local network, and in that case nothing needs to be opened or launched: worms exploit holes in the operating system or its network services on their own, infect system files, and leave the computer open to further infection.

Classification of computer viruses

Computer viruses differ in how they work and what they are for, so they are classified by various criteria. Malicious programs are most often divided into four groups:

Network worms;

Classic viruses;

Trojan programs;

Other malware.

Moreover, each group has its own additional classification. Knowing which group certain viruses belong to, you can develop measures to combat viruses and protect your computer from their penetration.

Network worms

Network worms, as the name suggests, are malicious software that spreads through local networks and the Internet. Network worms also use email, P2P, ICQ, IRC networks, LAN, wireless networks and networks for exchanging data between mobile devices.

Infection can occur either after the user launches a file (an email attachment, a link to the virus, and so on) or through a malicious network packet that exploits a vulnerable service. In the latter case the worm starts running as soon as it reaches the computer, directly in RAM, without any user action.

Email worms use email to spread. The worm sends messages to many addresses with an attached file whose real extension is often hidden and whose name is chosen to be enticing. The aim is to get the user to open the file and thereby launch the worm on the computer.

The message may instead contain a link to the virus; clicking it downloads and runs the worm. Once on a user's computer, email worms try to multiply as quickly as possible by mailing copies of themselves to every recipient in the address book.
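Both the ILOVEYOU attachment name discussed earlier ("LOVE-LETTER-FOR-YOU.TXT.VBS") and the hidden-extension trick described in the paragraph above can be caught at a mail gateway by looking at the attachment name before the user ever sees it. The check below is an added example written for this article, not code from the author or from any mail product; the extension lists and the verdict policy are assumptions, and the file names it is run on are constructed.

```python
"""Attachment-name screening for hidden executable extensions.

Catches the ILOVEYOU pattern (decoy extension + executable extension), the
"photo.jpg      .exe" space-padding variant, and the right-to-left override
trick (U+202E) that makes "invoice<RLO>fdp.exe" display as "invoiceexe.pdf".
The extension sets below are assumptions for the example, not a product list.
"""
import unicodedata

EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                  "js", "jse", "wsf", "wsh", "hta", "lnk", "ps1", "msi"}
DECOY_EXT = {"txt", "doc", "docx", "jpg", "jpeg", "png", "gif", "pdf",
             "xls", "xlsx", "mp3", "avi"}
ARCHIVE_EXT = {"zip", "rar", "7z", "gz", "tar"}
BIDI_OVERRIDES = {"\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}


def normalise(filename: str) -> str:
    """Fold look-alike Unicode forms, drop the trailing dots and spaces that
    Windows silently removes, and lower-case for comparison."""
    name = unicodedata.normalize("NFKC", filename).rstrip(". ")
    return name.lower()


def classify_attachment(filename: str) -> tuple:
    """Return (verdict, reason) with verdict in {"block", "suspicious", "allow"}."""
    if any(ch in filename for ch in BIDI_OVERRIDES):
        return ("block", "bidirectional override character hides the real extension")

    name = normalise(filename)
    # Strip whitespace around every segment so "photo.jpg      .exe" still
    # splits into ["photo", "jpg", "exe"].
    parts = [p.strip() for p in name.split(".")]
    parts = [p for p in parts if p != ""] if len(parts) > 1 else parts

    if len(parts) < 2:
        return ("suspicious", "no extension; type cannot be judged from the name")

    ext = parts[-1]
    if ext in EXECUTABLE_EXT:
        if len(parts) >= 3 and parts[-2] in DECOY_EXT:
            return ("block", f"executable .{ext} hidden behind decoy .{parts[-2]}")
        return ("block", f"executable attachment .{ext}")
    if ext in ARCHIVE_EXT:
        return ("suspicious", f"archive .{ext}; contents must be inspected separately")
    return ("allow", f".{ext} is not an executable type")


if __name__ == "__main__":
    for sample in ("LOVE-LETTER-FOR-YOU.TXT.VBS", "report.pdf",
                   "photo.jpg      .exe", "invoice\u202efdp.exe", "README"):
        print(repr(sample), "->", classify_attachment(sample))
```

The name check is only a first filter: it never opens the file, so a renamed executable inside a .zip or a macro inside a .doc passes it and needs content inspection. The point of the double-extension rule is that the user interface lies about the extension; the gateway does not.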

IM worms are much like email worms, but they spread through instant messaging rather than email: the message contains a link to the virus, and when the recipient opens it the worm uses that computer to spread itself further.

File-sharing worms use P2P networks to spread. A user shares files that are already infected, and everyone who downloads them automatically becomes a distributor of the worm in turn.

This simple mechanism is not the only one in the arsenal of P2P worms. A more complex variant has the worm imitate a P2P client: it intercepts other users' search requests and answers them with infected files in place of the originals.

Other network worms enter a computer by exploiting vulnerabilities in the operating system or installed software. A worm that looks completely harmless on its own may do nothing but open a path for a second payload, which it then downloads and installs unhindered.

Classic viruses

Classic viruses do not spread independently over the network, but end up on the user’s computer, as a rule, through the fault of the user himself. Very often this is the result of downloading programs from dubious sites, copying infected programs and files from removable media, or from publicly accessible network resources.

Classic viruses are in turn divided into file viruses, boot viruses, macro viruses, script viruses, polymorphic viruses, phantom viruses, hidden or stealth viruses, retro viruses, companion viruses and others.

The most widespread are file viruses, which write themselves into the executable files of applications. An overwriting virus replaces the start of the file with its own body; after that the program usually stops working and is generally impossible to restore.

Such a virus is fairly easy to notice, precisely because the infected program no longer runs. File viruses also include parasitic viruses, which alter the program code of the executable but leave the application working, so the infection goes unnoticed.

Boot viruses and boot-sector Trojans are also widespread; they infect the boot area of the hard disk (the MBR). A typical example is the ransom locker (Trojan.Winlock): at startup a message appears saying that the computer has been locked for some reason and that an SMS must be sent to obtain an unlock code.

Naturally, after the message is sent a sum of money is debited from the phone account, and the unlock code may never arrive. Another boot virus, AntiEXE, is also a stealth virus and targets and damages particular executable (.exe) files. The AntiCMOS boot virus damages the settings stored in the CMOS memory of the motherboard.

Stealth viruses hide the true state of an infected file from the system. When the system reads the file, the resident virus intercepts the request and returns the contents and size of the uninfected original, so an antivirus running on the infected system sees no change.

This only works while the virus is resident in memory, that is, if the antivirus was started after the virus loaded. To detect such a virus it is enough to scan the disk after booting from a clean boot disk, where the virus is not running. Typical stealth viruses are Stoned.Monkey, Number of the Beast and others. A stealth virus can be written into the body of a file and still report the original file size when the file is read, which is why such viruses are said to have an invisible or zero size.

Retro viruses are designed to fight antivirus software. They are written against particular antivirus products and aim to corrupt or delete entries in the virus signature database or disable the scanner.

Once such a virus (also called an anti-antivirus) is installed, the antivirus can no longer protect the computer from other viruses, and the system is at risk. The worst part is that the user remains convinced the antivirus is working properly, which is what makes these viruses so dangerous.

Companion viruses do not modify the original executable at all. Instead they create a second file with the same base name but a different extension that the system prefers: under DOS, NAME.COM is launched ahead of NAME.EXE when the user types NAME, so the virus places its body in NAME.COM, runs, and then hands control to the real program. As it spreads it leaves a matching .com companion beside every .exe it finds.

Polymorphic viruses encrypt their own body so that an antivirus cannot find them by a fixed byte signature. The difficulty is that the encryption key, and often the decryptor routine itself, changes with every new infection, so the bytes on disk never repeat and no single signature matches all copies.

A well-known polymorphic virus is One_Half. It gradually encrypts the data on the hard drive, and as long as the virus is resident in memory it decrypts the data transparently, so everything remains available to the user. Once half of the disk has been encrypted it displays the message "Dis is one half. Press any key to continue...". Removing the virus without first decrypting the disk leaves the data unreadable; recovery is possible but takes considerable time.
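To see why a byte signature fails on polymorphic code, and why scanners must instead run or emulate the decryptor, here is an added illustration written for this article (not code from the author, and not a real virus). The "body" is a harmless text string standing in for virus code, the two-byte decryptor prologue is an assumed constant, and the mutation scheme (random XOR key, random junk prefix) is the simplest possible stand-in for a real polymorphic engine.

```python
"""Toy polymorphism: same body, different bytes every generation.

Nothing here is executable machine code; BODY is plain text standing in for
a virus body, and STUB is an assumed constant 'decryptor prologue' so that
the decryptor can be located. Added illustration only.
"""
import random

BODY = b"BENIGN-BODY: this text stands in for the virus code"
STUB = b"\x8b\x35"          # assumed constant decryptor prologue (illustrative)
_JUNK_ALPHABET = bytes(range(0x41, 0x5b))   # 'A'-'Z': can never contain STUB bytes


def mutate(body: bytes = BODY) -> bytes:
    """One 'generation': random junk prefix of random length, the constant
    decryptor stub, a random one-byte XOR key, then the body XOR-encrypted
    with that key. Two calls almost never yield the same bytes."""
    key = random.randrange(1, 256)                 # never 0: that would be identity
    junk = bytes(random.choice(_JUNK_ALPHABET) for _ in range(random.randrange(0, 8)))
    enc = bytes(b ^ key for b in body)
    return junk + STUB + bytes([key]) + enc


def decrypt(sample: bytes) -> bytes:
    """What the decryptor does at run time: find itself, read the key, undo
    the XOR. A scanner that emulates execution ends up here too."""
    i = sample.index(STUB)
    key = sample[i + len(STUB)]
    return bytes(b ^ key for b in sample[i + len(STUB) + 1:])


def signature_match(sample: bytes, signature: bytes) -> bool:
    """Plain byte-signature scan of the file as stored on disk."""
    return signature in sample


def emulate_and_match(sample: bytes, signature: bytes) -> bool:
    """Signature scan after running the decryptor: the body is constant again."""
    return signature in decrypt(sample)


if __name__ == "__main__":
    sig = b"BENIGN-BODY"
    gen1, gen2 = mutate(), mutate()
    print("generations identical:", gen1 == gen2)                      # almost always False
    print("signature on disk    :", signature_match(gen1, sig))         # False
    print("signature after emu  :", emulate_and_match(gen1, sig))       # True
    print("stub still constant  :", signature_match(gen1, STUB))        # True
```

The last line is the practical lesson: in this toy the decryptor stub never changes, so a signature on the stub still works. Real polymorphic engines also mutate the decryptor (reordering instructions, inserting junk), which is why modern scanners run the sample in an emulator and look at the decrypted body instead.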

Macro viruses infect document files and do so by means of the macro scripting built into the application. They are considered a serious danger because they infect data files rather than executables, and because the document, and with it the virus, can be opened and spread on any operating system the office suite runs on, which greatly widens the scope of infection.

Often a macro virus aims to destroy the document so that it cannot be restored. The documents most commonly infected are Microsoft Office documents, because Office includes a full programming language (VBA) for writing macros.

Virus writers can therefore use the programming facilities of the office suite itself. A macro virus typically hooks commands such as "Save As", so that when the user saves a document the virus runs, the document is damaged, and the template used to create new documents is infected.

As a result, over time every document created is infected with the macro virus. One of the most common macro viruses was WordMacro/Nuclear, which infects the document template quietly and gives no sign of its presence. The FormatC virus can, under certain conditions, format the system partition, and the Nuclear macro virus appends a line when a document is printed: And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

Macro viruses are numerous, but each of them steadily damages documents, and this leads to the loss of important information.

Script viruses are small programs written in a scripting language. They are found in any file type that can carry a script, for example HTML pages, batch files, VBScript and JScript files, and office documents. They are usually written in VBScript, JScript or JavaScript, batch (BAT), VBA, PHP and other scripting languages.

Trojan programs.

Trojans are malicious software aimed at all sorts of unauthorized actions, for example, accessing passwords, stealing information, extorting user funds, etc.

Trojan programs, along with computer viruses, are the most widespread.

Remote administration Trojans (backdoors) give the attacker remote control of the infected computer. When such a Trojan arrives, nothing is shown to the user, but the attacker gains access to every control on the machine.

The attacker may simply cause mischief (shut down or restart the computer, close running applications, and so on) or use the remote control to collect information, open and read personal files, and delete them. Such Trojans are very dangerous.

Password stealers are Trojan programs whose goal is to obtain the password for accessing certain resources. Once such a Trojan has settled on your computer, it begins to actively search the machine for files containing passwords, registration numbers, bank accounts and other important information.

This information is sent over the network to attackers who can use it for their own selfish purposes.

Internet clickers are Trojans that silently direct the infected computer's browser to particular web pages or redirect visits from one site to another.

Their purpose is to inflate a site's traffic, to take part in an attack on an Internet resource, or to lure users to pages that will infect them with further malware.

Proxy server Trojans provide hidden access to certain network resources for the purpose of sending spam.

Spyware Trojans - read all user actions, monitor text input from the keyboard, take screenshots, monitor mouse movements and clicks, etc. Thus, attackers can gain access to protected resources, bank accounts, while reading the username and password entered by the user.

Rootkits were originally toolkits for keeping administrator (root) access on a compromised Unix system. Today the term means malware that hides processes, files, registry keys and so on from the system and from security software. A rootkit by itself usually does little visible damage; its job is to conceal other malware, and that concealment is what makes it dangerous.

Archive bombs are rare, but their effect can be stunning (hence the name). When you try to open such an archive, the archiver starts behaving abnormally.

The system may freeze or slow to a crawl. Usually the free space on the hard drive starts filling up with decompressed zeros, which quickly brings the system to a halt. There are three common kinds of archive bomb: an archive with a malformed header, an archive of highly repetitive data, and an archive of a huge number of identical files.

A malformed header leads to non-standard behaviour of the archiver, which cannot run its decompression algorithm correctly. The result is a system that suddenly slows down sharply.

Repetitive data and identical files compress extremely well, so a very large amount of content fits into a very small archive. A 200 KB RAR archive can hold up to 5 GB of repeated data, and more than ten thousand identical files can be packed into a RAR archive of only 30 KB.

So when the archive is unpacked, all of that data fills the hard drive almost completely. With the enormous capacity of modern drives, though, archive bombs are now very rare.
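The defence against an archive bomb is to look at the declared sizes before inflating anything, and then to enforce a hard byte limit during extraction anyway, because the header can lie. The following is an added example written for this article (not the author's code and not any archiver's built-in logic); it builds a small constructed ZIP bomb from zeros, inspects it from the central directory only, and shows a capped reader that refuses to inflate past a limit. The thresholds are assumptions.

```python
"""Decompression-bomb guard for ZIP archives.

Added example. Thresholds are assumed policy values. The archives produced by
build_bomb() and build_benign() are constructed test inputs.
"""
import io
import os
import zipfile

MAX_RATIO = 100                    # assumed policy: refuse any member above 100:1
MAX_TOTAL = 256 * 1024 * 1024      # assumed policy: refuse > 256 MiB declared total
CHUNK = 64 * 1024


def build_bomb(uncompressed_bytes: int = 16 * 1024 * 1024) -> bytes:
    """Constructed sample: 16 MiB of zeros deflates to about 16 KiB (~1000:1)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * uncompressed_bytes)
    return buf.getvalue()


def build_benign() -> bytes:
    """Constructed sample: 4 KiB of random bytes, essentially incompressible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("random.bin", os.urandom(4096))
    return buf.getvalue()


def inspect_archive(data: bytes) -> tuple:
    """Judge the archive from the central directory alone (nothing is inflated).

    Returns (safe, declared_total, worst_ratio, reason).
    """
    total, worst = 0, 0.0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            if info.compress_size == 0:
                ratio = float("inf") if info.file_size else 0.0
            else:
                ratio = info.file_size / info.compress_size
            worst = max(worst, ratio)
    if total > MAX_TOTAL:
        return (False, total, worst, "declared total uncompressed size exceeds limit")
    if worst > MAX_RATIO:
        return (False, total, worst, f"compression ratio {worst:.0f}:1 exceeds {MAX_RATIO}:1")
    return (True, total, worst, "within policy")


def read_member_capped(data: bytes, name: str, cap: int) -> bytes:
    """Inflate one member, but stop the moment more than `cap` bytes come out.

    This is the check that still holds when the header lies about file_size.
    """
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            out += chunk
            if len(out) > cap:
                raise ValueError(f"{name}: exceeded {cap} bytes during extraction")
    return bytes(out)


def extraction_blocked(data: bytes, name: str, cap: int) -> bool:
    """Convenience wrapper: True if the capped reader refused the member."""
    try:
        read_member_capped(data, name, cap)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, archive in (("bomb", build_bomb()), ("benign", build_benign())):
        print(label, len(archive), "bytes ->", inspect_archive(archive))
    print("bomb blocked at 1 MiB:", extraction_blocked(build_bomb(), "zeros.bin", 1024 * 1024))
```

Two things the header check alone does not cover: nested archives (a ZIP of ZIPs looks small at every level, so the same inspection must be applied recursively to each extracted member) and forged size fields, which is why the streaming cap is kept even when the directory looks fine.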

Other malware.

This group includes programs that pose little direct threat to the computer they run on but serve to build other viruses and Trojans, to mount DoS attacks on servers, to break into computers, and so on.

DoS and DDoS attack tools are designed to take a server out of service by driving its load to a critical level. The server then stalls, and every network resource it provided becomes unavailable.

Programs of this kind attack servers in a coordinated way under an attacker's control, or as a distributed attack: the program is spread to many computers on the network, which are then used to attack the server together. The owners of those computers usually have no idea that they are taking part in a DoS attack.

Exploits (Exploit, HackTool) are programs that break into remote computers by taking advantage of a specific vulnerability. Once the exploit succeeds, the attacker has access to the computer and can go on to control it.

Flood programs – these programs are designed to block network communication channels by clogging it with useless data.

Programs of the Bad-Joke and Hoax type are not really malware; their only purpose is to show the user false messages. They play on human psychology, producing messages designed to frighten, confuse or mislead.

Crypters and packers are programs that encrypt or obfuscate malicious programs to hide their presence from antivirus software. As a result, signature-based antivirus products fail to recognize malware they would otherwise detect.

Signs of a computer virus infection.

You can often tell whether your system is infected without running an antivirus scan. Viruses frequently slow the computer down, so if your computer suddenly becomes noticeably slower for no obvious reason, run a scan. Viruses embedded in program files often stop an application from launching or cause unexpected crashes.

The presence of viruses is also indicated by the spontaneous launch of applications on the computer, rebooting the computer without your participation or warning messages.

Heavy hard drive activity while the computer is idle can also indicate the load from a virus; the disk activity LED on the front of the case makes this easy to see. Viruses also often add themselves to autorun, and if you open the list of startup items you may find unfamiliar programs there. Duplicate files with a different extension may appear on the disk. Unusual system behaviour can point to viruses or Trojans as well: opening one program launches the web browser, or the browser's start page has changed to an unknown site. If friends or acquaintances tell you they are receiving suspicious messages from you, then either your account has been hacked or there is a worm on your computer.

How to protect yourself from viruses?

There is no 100% protection against viruses. No antivirus in the world can guarantee that nothing gets through. And if a determined attacker sets out to compromise your computer specifically, assume that sooner or later they will.

Nevertheless, some simple rules thwart most malware. First, an antivirus must be installed on the system and kept updated. Second, do not trust incoming messages with attachments; scan any attachment with the antivirus before opening it.

The same applies to files you copy onto your computer from a flash drive or optical disc. Third, avoid sites covered in advertising banners, where clicking a link opens extra browser tabs.

Run regular antivirus scans of the whole system, and use a firewall to protect your network connection.

Be suspicious and only then will you be able to give a worthy rebuff to the onslaught of the ever-growing number of viruses and spyware.

Well, that’s all, dear readers, I hope you found the article interesting and informative, bye everyone and see you again!
