Iloveyou – May 2000: This worm attacked millions of Windows computers back in 2000, commonly through an email attachment. The virus was based on a Visual Script code and once installed, resent itself to a user’s Microsoft Outlook contacts list. According to various reports at the time, the virus spread so quickly that several enterprise firms had to shutdown email systems to deal with the issue. It reached approximately 45 million users in one day after being generated in Asia and at least 12 variations were subsequently produced.
Kournikova – February 2001: The Kournikova virus was unleashed in February 2011 by Dutch programmer, Jan de Wit, through Microsoft Outlook email systems globally. Named after the famous Russian tennis player, Anna Kournikova, the virus acted much like the previous Love Letter virus, and was based on a new Visual Basic script code. It was proclaimed one of the most prolific to date. De Wit was charged with 75 days gaol time, or 150 hours of community service, for generating the virus.
SoBig – January 2003: Officially identified as W32.Sobig.F@mm, this mass-mailing, network-aware worm sent itself to email addresses found in a host of file extensions including .txt, .html and .htm. The worm used its own SMTP engine and email spoofing to propagate. Its hard-coded deactivation date was September 10 2003, but updates were still being issued by security vendors to combat SoBig in 2007.
Slammer/Sapphire – 2003: The Slammer worm caused devastation following its release on January 25, 2003. According to reports at the time, cash machines froze, and airlines and hospitals dusted off paper forms to schedule flights and patients, after their systems were flooded by worm-generated traffic which knocked database servers offline. Slammer used a known buffer overflow in Microsoft’s SQL Server database to spread worldwide in approximately 10 minutes, doubling the number of computers it infected every 8.5 seconds, according to a study of the worm's outbreak published by The Cooperative Association for Internet Data Analysis (CAIDA). This was 250 times faster than Code Red. Slammer’s impact forced enterprises and vendors to change policies, increase vigilance to Internet threats, and work to foster better security from Microsoft.
"People realised that all the things that we didn't think were connected to the Internet actually were," The SANS Institute director of research, Alan Paller, said. "If your routers are connected to the Internet and they're full, nothing can flow, so an outage of Internet connections is an outage of the entire Internet infrastructure." The worm crafted packets of 376-bytes and sent them to randomly chosen IP addresses on port 1434/udp. If the packet was sent to a vulnerable machine, it would become infected and begin to propagate. As late as 2007, IBM Internet Security Systems staffers were claiming Slammer was still the most common threat being faced.
LoveBug – May 2000: On May 4, 2000, this virulent worm sent via email wreaked havoc on an estimated 45 million email users in just one day, MessageLabs reported. Within one night, the rate lifted from 1 in 1000 emails to just 1 in 28. It was claimed billions of damage was created in several countries. The LoveBug virus celebrates its 10th anniversary this month.
Can Spam and Mydoom – January 2004: The MyDoom worm tore through the Internet on January 26, 2004, deluging email systems with infected messages and setting records for infecting vulnerable systems. Most notably, the worm was used to launch a massive assault against The SCO Group, crippling the vendor’s website through a denial-of-service attack. As many as 1 million machines were suspected of carrying the virus. MessageLabs meanwhile, claimed it stopped 8.4m email messages containing the virus in the four days following its release, or one in every 12 emails.
Zotob/Mytob – August 2005: Derived from the Rbot virus, Zotob infected a raft of significant US and Canadian business including the ABC, CNN, Associated Press and The New York Times, when it launched on August 9, 2005. The worm used a vulnerability in a plug-and-play component of Microsoft’s Windows 2000 system and would replicate each time a PC was rebooted. It was used by hackers to download so-called bot programs that allowed remote servers to take control of compromised systems and steal information from them.
What was significant about Zotob was the arrests afterwards. According to various media reports, the FBI arrested Farid Essebar, an 18-year-old Moroccan believed to have been responsible for writing the Zotob and Mytob worms, and Atilla Ekici, a 21-year-old man from Turkey who apparently financed the effort. Turkish law enforcement officials also investigated 16 more suspects in connection with the Zotob worm and its variants allegedly associated with a credit card theft ring. Sophos senior technology consultant, Graham Cluley, said the news was further evidence of the growing alliance between hackers and those seeking to profit from cybercrime.
Storm - January 2007: Referred to as a worm, trojan or spam, Storm was a piece of malware which propagated itself by spreading across network-attached PCs. It was recognised as the biggest propagator of spam in its day, but most significantly created botnets. Once a PC visited an infected website and Storm was downloaded, the PC is considered compromised and could be controlled by someone else without the user knowing it. Together, these compromised PCs create botnets could be used to covertly send spam, launch distributed denial-of-service attacks, or host websites that downloaded more malware. At least 1 million instances of Storm were identified by security researchers. Storm had a variety of names and variants and generated millions of spam emails, most famously through a Valentine’s Day message.
Code Red – July 2001: The Code Red worm was discovered in July 2001 and spread through HTTP requests. According to Symantec, this code exploited a known buffer-overflow capability, allowing the worm to run on PCs. If the file C:\Notworm existed, the worm would go into an infinite sleep mode, but if the file didn’t exist, it would generate new threads attempting to exploit random IP addresses. Code Red would also corrupt information appearing on Web pages. If the date was between 20-28th of the month, Code Red would also attempt a denial-of-service attack on IP addresses. At least 250,000 hosts were identified as being infected.
Conficker – September 2008/2009: The first variant of Conficker infected at least 4 million IP addresses, while the second iteration, Conficker B, infected over 6m. The self-breeding worm took advantage of vulnerabilities in Microsoft Windows 2000, 2003 servers XP and Vista operating platforms. The first accounts of the worm appeared in September 2008. A significant date in its history was April 1, 2009, when it was expected millions of Conficker.C variant threads would download fresh instructions and generate catastrophic damage to systems globally.
Conficker-infected machines could be used for sending spam, logging keystrokes, or launching denial-of-service attacks, but an ad hoc group calling itself the Conficker Cabal largely prevented this from happening. This was achieved by cracking the Conficker algorithm used to find one of thousands of rendezvous points on the Internet where it can look for new code. Conficker underwent a major rewrite in December, and in 2009 a new version, dubbed Conficker B++ was released. This used new techniques to download software and gave its creators more flexibility with infected machines.