The 10 Worst Virus Attacks
A look back at a few of the greatest malware attacks that ever wreaked IT havoc.
Paul D. Kretkowski on November 12, 2007
Malware is big business. In 2006alone, it resulted in an estimated 13.3 billion in direct damage, including labor costs to roll back its effects, loss of worker productivity, and loss of revenue from system degradation and outage.
These expenses are nothing new to system administrators, who have been dealing with the costs and complexities of malicious code for decades. Here are some of the worst virus attacks of the past, showing that in the malware world, great offense will always beat great defense – at least until someone creates a patch.
One of the first-ever Internet worms, Morris was created by Cornell University student Robert T. Morris, who claimed its purpose was to gauge the size of the Internet. Instead, since it used existing flaws in Unix sendmail and infected a given computer multiple times, it crippled roughly 6,000computers (the Internet had an estimated 60,000). Although Morris caused between 10and 100 million in damage, he wound up with just three years' probation and a 10,050 fine -along with a sweet teaching gig at MIT.
Allegedly named for a Florida lap dancer who David L. Smith, its creator, fancied, Melissa forced major companies such as Microsoft, Intel Corp. and Alcatel-Lucent to shut down their email gateways due to the large volume of traffic the virus generated. Smith faced 40 years in prison and enormous fines, which he magically reducedto 20months and 5,000 by spending a few years undercover helping the FBI catch other malware authors.
Starting on May 4 in the Philippines, this worm spread worldwide in a single day by using infected computers' email address lists to send large numbers of messages directed at new targets. It is thought to have caused 5.5 billion in damage, mostly in lost staff time, as corporate and government email systems had to be shut down to eradicate the virus.
Code Red, 2001
It began on July 13. Code Red infected computers running the Microsoft IIS Web server, exploiting a buffer overflow and defacing Web sites with the text, HELLO! Welcome to http://www.worm.com! Hacked By Chinese! A fix had been available for this vulnerability for about a month, limiting its damage – kind of – to just 2.6 billion, but Code Red still managed to cause a major disruption in connectivity, according to the Internet Storm Center. (Hacked by Chinese evolved into a fairly common IT-world putdown, although never as popular as All your base are belong to us.)
Nimda (admin spelled backwards) took just 22minutes to spread as far and wide as Code Red. Nimda's secret was using several different propagation vectors: It created masses of emails to transmit itself, lured users to infected Web sites, and took advantage of lingering problems with Microsoft IIS security and previously installed Code Red or Sadmind worms. Nimda cost an estimated 635 million in damage.
SQL Slammer, 2003
On January 25, this worm began using a buffer-overflow bug in Microsoft SQL Server and MSDE (Microsoft Desktop Engine) database products. It rapidly distributed copies of itself around the world, causing major denials of service and slowing down the entire Internet. An estimated 150,000 to 200,000 systems were affected. As with Code Red, a patch for the SQL Server flaw had been available for months.
MS Blaster, 2003
Beginning on August 11, Blaster spread via various Windows operating systems and targeted Microsoft's windowsupdate.com site with DoS (denial-of-service) attacks. It caused widespread trouble and multiple restarts in machines running Windows NT, Windows XP (64-bit) and Windows 2003, although a patch for this vulnerability was already available. Victimsincluded the Federal Reserve Bank of Atlanta, BMW AG, Philadelphia's city hall, and thousands of home and corporate users. Although its ultimate origin is thought to be Chinese, the Blaster.B variantwas created by then-18-year-old Jeffrey Lee Parson, who was caught because he programmed it to contact a domain registered to his father.
This email-transmitted virus, first identified on January 26, quickly spread by appearing to be an error message with an attachment that, when opened, emailed copies of the virus to addresses in the victim's address book, and also propagated itself through the Kazaa file-sharing service. Oddly, it avoided infecting computers at certain universities (University of California, Berkeley; Massachusetts Institute of Technology; Rutgers University and Stanford University) and corporations (Microsoft and Symantec Corp.), but then launched a distributed DoS attack against Microsoft and The SCO Group Inc. from about 1 million infected machines. Later versions attacked the Google, AltaVista and Lycos Inc. search engines.
On April 30, Sasser spread among Windows XP and Windows 2000machines by exploiting a buffer overflow in these operating systems. It had unusually direct physical-world consequences, resulting in Delta Air Lines Inc. canceling 40 trans-Atlantic flights and forcing Australian trains to halt because operators could not communicate with signalmen. Despite this, Sasser's then-teenage German creator was tried as a juvenile and drew a mere 21-month suspended sentence for releasing Sasser into the wild.
Detected on March 19, Witty was the first worm to specifically attack network-protection software, in this case IBM Internet Security Systems' products (BlackICE, RealSecure Desktop, RealSecure Network and RealSecure Server Sensor). It also carried a specifically destructive payload, alternating attacks on random IP addresses in batches of 20,000 with overwriting parts of infected computers' hard disks, gradually rendering them unusable. Witty's overall effects were relatively small because of its vendor-specificity; however, it demonstrated that a worm could affect a population of machines and networks whose administrators were actively taking steps to improve security.