Famous Computer Malware

Malware

If you use the Internet – or a computer, for that matter – you have probably heard of computer malware: programs that invade a computer for various malicious purposes. Computer malware can perform all sorts of strange tricks, usually on unwitting users. Fortunately, security systems have come a long way, most people nowadays are more wary of opening files from unknown sources, and almost every computer comes equipped with some sort of malware detector. However, back in the early days of the Internet, most people had probably not heard of malware, which allowed these programs to spread widely and disrupt communications worldwide. 

First, however, let us have a look at what some of these terms really mean. 

Technical Terms

Malware 

Malware is a broad category used to describe a piece of malicious software that specifically intends to infiltrate a computer system or server, and possibly damage it, without informed consent from the owner. Programs such as viruses, worms, adware, ransomware or other code fall into the category of malware. 

Virus

A virus is a type of malware that usually comes in the form of a program. Although there are tame computer viruses, the majority of them are harmful and have caused up to billions in damages. The costs incurred usually involve the loss of important files, having to reinstall the operating system or even requiring the victim to purchase a new computer if the machine has been corrupted beyond recovery. 

“Virus” is really only a subcategory of computer malware, but the term has often been misused, leading some people to think anything that can harm a computer is a virus. This may be exacerbated by “anti-virus” programs meant to detect and remove malware, which can result in people believing that all the programs that an anti-virus removes are called viruses. 

Worm

A worm differs from a virus in that it is self-contained and does not need to be inside an executable program to run. Worms usually duplicate themselves through network connections or emails to other directories, drives, computers, or networks. Some worms can even be transmitted through instant messaging platforms. Worms usually exploit vulnerabilities in servers or operating systems to allow themselves to run without any user intervention. 

Ransomware

Just as the name implies, ransomware quite literally holds a user’s data hostage and demands a ransom to restore it. Ransomware usually arrives as a file or program in an email attachment which, once run, encrypts the files on the victim’s machine. A ransom note is left behind, demanding payment in exchange for the decryption key for the files. In some cases, the hacker does not send the correct decryption key even after the ransom is paid, and the files may also be stolen in the process. 

Melissa

The Melissa virus was created by David Smith in March 1999; Smith said that he named it after an exotic dancer from Florida. The virus came in the form of an email with the message “Here’s that document you asked for. Don’t show anyone else ;).” Clicking the included attachment would open a Microsoft Word document containing a list of passwords to pornographic websites. It would also send the virus out to the top 50 contacts in the user’s email address book. This caused a surge in email traffic, particularly disrupting the email services of large entities like governments and corporations. As such, some companies had to close their email systems until the virus was under control. 

The virus worked by infecting the Normal.dot template used by default in all Microsoft Word documents. This caused other documents to also become infected, resulting in users inadvertently distributing the virus if they unknowingly sent an infected document to another person. 

Another feature of Melissa was a payload triggered once an hour, at the minute matching the day of the month. For instance, on the 10th of the month the payload would trigger at the 10th minute of every hour on that day. If the user opened or closed a Word document at that exact minute, Melissa would insert a quote from The Simpsons into the document. 

Melissa was said to cause US$80 million in damages in the United States and approximately $1.1 billion worldwide. Smith was sentenced to 20 months in federal jail and a fine of $5,000. Additionally, he served part of his sentence by assisting the FBI in apprehending other virus programmers. 

Although Melissa did not exactly do any lasting damage, it did alert the public to the existence of computer viruses. Unfortunately, it would not be the last virus computer users would have to deal with. 

ILOVEYOU

This may seem an innocuous name more suited for a card to a lover, but it was also the name of a very destructive worm, at least at the time it was launched. Starting from 5 May 2000, more than 10 million Windows computers were infected with this worm, causing it to make headlines around the world. 

The worm, also known as “Love Letter for you” or “Love Bug”, came in the form of an email with the subject line saying “ILOVEYOU”. Curious readers opened the email, which contained the attachment “LOVE-LETTER-FOR-YOU.txt.vbs”. However, at the time, most Windows computers hid the file extension by default, so most users simply thought the attachment was a text file. Upon opening the file, the Visual Basic script contained inside was activated and infected the computer with a worm. The worm would overwrite all sorts of files on the machine, including important documents, personal files and even media files. It would also download and execute a file called WIN-BUGSFIX.exe that would steal passwords and other confidential information stored on the machine and email it to the hackers. 

What really caused the ILOVEYOU worm to spread like wildfire was the fact that it would send a copy of itself to all of the user’s contacts in their email address book. Since the email would appear to come from an acquaintance, users were more likely to trust it and open the file. 

ILOVEYOU originated in Manila, Philippines, where it was written by two young programmers, Reonel Ramones and Onel de Guzman, and soon spread across the world. Most large corporations decided to shut down their email systems in order to avoid more cases of infection. Despite the action taken, the worm was estimated to have infected over 50 million computers worldwide in just 10 days – 10% of the total number of computers with an Internet connection – and caused a total of US$15 billion in damages and repairs. 

The perpetrators were apprehended but never faced charges, as the Philippines had no law against spreading computer malware at the time. In July 2000, two months after the ILOVEYOU outbreak, the Philippine Congress enacted a new law to address such cases in the future. 

Nimda

Nimda – “admin” spelled backwards – was one of several viruses that debuted in 2001. At that time, it held the record for being the fastest propagating computer virus, reaching top attack lists just 22 minutes after its release. 

The worm targeted Internet servers rather than single computers. It also used several propagation methods, not just email, making it spread much faster than previous viruses. Nimda could even run without requiring the victim to open any file or email containing the worm, as it was able to infect websites so that they downloaded the worm onto visitors’ computers. If someone visited an infected website, JavaScript would run and download an .eml file containing the Nimda worm. 

Nimda would allow the hacker access to whatever account the victim was logged into on a computer. If the current account had only limited privileges, the hacker would similarly have limited privileges. However, a good number of people were logged in on an administrator account, allowing the hacker full control over the system. 

The Nimda worm could also infect executable files in the way a virus would, but used an unusual method: it made a copy of itself under the name of the file it was infecting and stored the original file as a resource inside that copy. When a user executed the modified file, the Nimda worm would run first, and only then would the original program start. 

Nimda was notably one of the most destructive viruses of the time. It infected an estimated 160,000 systems, resulting in a number of companies shutting down their Internet systems to avoid any additional infections. Some large corporations were infected, including Microsoft, Dell, the New York Times and even the federal court in Miami, Florida. 

Where exactly Nimda originated is still unknown, but it is believed to have come from China. The creators of Nimda originally named the worm “Concept Virus (CV)”, as indicated in a copyright notice in the first version, but it was popularly called Nimda by anti-virus researchers. In a later version of the worm, the text “This’s CV, No Nimda” was appended to the copyright notice, suggesting that the creators disagreed with the name the researchers had given the worm. 

You Are An Idiot

You Are An Idiot was a trojan that came in the form of a Flash video. People would click a clickbait link to the website “youdontknowwhoiam.com”, which then played a video flashing from black to white while the text flashed from white to black in the opposite order, triggering seizures for some users. An annoying audio track singing “You are an idiot! Ha ha ha ha ha ha ha ha ha ha ha ha ha!” played along with the video. The website moved to the new domain “youareanidiot.org” in 2004. 

The trojan caused more annoyance than damage, although it did inconvenience the user by eventually crashing their computer. If someone visited the webpage and tried to close the tab, the website would open six additional windows and move them across the screen, annoying the user and eventually causing their computer to crash due to running out of memory space to maintain all the browser windows. Keyboard commands such as Alt+F4 and Ctrl+Alt+Del were disabled. However, the situation could be solved by force-stopping the browser through the task manager. 

Flashback

Computer malware may most commonly be seen on Windows operating systems, but Apple Macs are not immune either, which the Flashback trojan proved in September 2011. 

According to the Russian anti-virus company Dr. Web, approximately 600,000 Macs were infected with the trojan soon after it was first detected. 

Flashback masquerades as an Adobe Flash player installer, hence the name. It usually appears to be a legitimate plug-in, and during installation, it also installs code that can steal passwords and other sensitive information users enter into their computers. Some later versions of Flashback were able to install themselves without any user intervention required. 

Users were mostly tricked into installing the malware by visiting a malicious site that prompted them to install the plug-in to view web content. Flashback also took advantage of Apple not having included Flash on its Macs for more than a year to convince users to install it in order to view the Flash versions of popular websites. Additionally, Flashback exploited a vulnerability in Java that Apple had been late to fix. Oracle, the developer of Java, had already patched the vulnerability, but because Apple maintained its own version of Java, the fix reached Macs late, which allowed Flashback to infect more than half a million victims. 

CryptoLocker

Created in September 2013, CryptoLocker is considered one of the first ransomware families. It was distributed through email as an executable file and, like the ILOVEYOU worm discussed earlier, took advantage of Windows hiding file extensions by default to trick users into thinking the attachment was a PDF file. 
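Both ILOVEYOU (“LOVE-LETTER-FOR-YOU.txt.vbs”) and CryptoLocker (a fake PDF) relied on Windows hiding the final extension. As an added example that is not from the article, the following Python attachment-name check, of the kind a mail gateway might run, reports what a user would see with extensions hidden and what would actually run; the extension lists and sample names are assumptions constructed for the example.

```python
# Attachment-name triage for the double-extension trick ILOVEYOU and CryptoLocker used.
# Added example, not code from the article; both extension lists are assumptions.
EXECUTABLE_EXTS = {"exe", "vbs", "js", "scr", "bat", "cmd", "com", "pif", "hta", "wsf"}
DOCUMENT_EXTS = {"txt", "pdf", "doc", "docx", "xls", "jpg", "png", "mp3"}


def classify_attachment(filename: str) -> dict:
    """Report what Explorer shows with 'hide extensions' on, what really runs, and a verdict."""
    name = filename.strip()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return {"shown_as": name, "runs_as": "", "verdict": "no-extension"}
    real_ext = parts[-1].lower()                       # the extension Windows acts on
    visible_ext = parts[-2].lower() if len(parts) >= 3 else ""
    shown_as = ".".join(parts[:-1])                    # final extension is hidden by default
    if real_ext in EXECUTABLE_EXTS and visible_ext in DOCUMENT_EXTS:
        verdict = "block: disguised executable"        # looks like a document, runs as code
    elif real_ext in EXECUTABLE_EXTS:
        verdict = "block: executable"
    else:
        verdict = "allow"
    return {"shown_as": shown_as, "runs_as": real_ext, "verdict": verdict}


def triage(filenames):
    """Return (name, reason) for every attachment a gateway should hold."""
    results = [(f, classify_attachment(f)["verdict"]) for f in filenames]
    return [(f, v) for f, v in results if v != "allow"]


if __name__ == "__main__":
    # Constructed sample names modelled on the article's two cases.
    sample = ["LOVE-LETTER-FOR-YOU.txt.vbs", "invoice.pdf.exe", "report.docx", "setup.exe"]
    for f in sample:
        print(f, classify_attachment(f))
```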

Emails containing CryptoLocker commonly came in the guise of “support” emails from legitimate companies such as FedEx. The emails pretended to relate to customer support, prompting the user to open the attached file and thus allowing the ransomware to run. 

Once activated, CryptoLocker would attempt to connect to a random domain, usually produced by a Domain Generation Algorithm. It received a public encryption key from the server, then scanned for files with any of a long list of file extensions. These files were encrypted using that 2048-bit RSA public key, which is infeasible to break by brute force. While the public key was stored on the local machine, the private key needed to decrypt the files was kept on the server, so it could not be recovered by searching the registry of the infected computer. 
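The Domain Generation Algorithm behaviour described above leaves a trace in DNS logs: long, high-entropy, vowel-poor names that no one typed. As an added example (not from the article or any CryptoLocker analysis), the Python below flags such names in constructed log lines; the log format, thresholds and domain names are assumptions made for the example.

```python
import math
import re

# Constructed DNS log lines (not real data) in an assumed "query=<name>" format.
SAMPLE_LOG = """\
2013-10-02T10:15:01 client=10.0.0.12 query=www.example.com
2013-10-02T10:15:03 client=10.0.0.12 query=qhfxtkpzrwmgv.net
2013-10-02T10:15:04 client=10.0.0.12 query=mail.fedex.com
2013-10-02T10:15:06 client=10.0.0.12 query=bwlztyqkdmhvp.org
2013-10-02T10:15:07 client=10.0.0.12 query=update.microsoft.com
"""

QUERY_RE = re.compile(r"query=([A-Za-z0-9.-]+)")
CLIENT_RE = re.compile(r"client=(\S+)")
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def second_level_label(domain: str) -> str:
    """Label directly under the TLD; assumes single-label TLDs (not co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(domain, min_len=10, min_entropy=3.3, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor labels are typical DGA output.
    Thresholds are assumptions picked for this example, not published values."""
    label = second_level_label(domain)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def flag_dga_queries(log_text: str):
    """Return (client, domain) pairs whose queried name looks machine-generated."""
    hits = []
    for line in log_text.splitlines():
        q, c = QUERY_RE.search(line), CLIENT_RE.search(line)
        if q and c and looks_generated(q.group(1)):
            hits.append((c.group(1), q.group(1)))
    return hits
```

A client that resolves many such names in quick succession, as a DGA-driven infection does while hunting for a live server, is the signal worth alerting on; a single hit can be a false positive.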

CryptoLocker demanded a ransom of 500 units of currency (usually $500, €500 or £500), or the equivalent in Bitcoin, to release the files. The sum had to be paid within 72 hours or the decryption key would be deleted, preventing the files from ever being recovered. After receiving payment and decrypting the files, CryptoLocker would delete itself so that the user could recover their data. It was estimated that 1.3% of infected users paid the ransom, and most of their data was recovered. Others, however, lost large amounts of data, and the hackers were reported to have gained $3 million from CryptoLocker ransom fees. 

Discussion

Some researchers believe that computer malware provides a valuable avenue into the study of artificial life, since the ability of some malware to replicate itself resembles survival and reproduction. 

What do you think constitutes artificial life? 

If a malicious artificial intelligence causes harm to its victims, should the artificial intelligence or its creator be held responsible for the wrongdoing?