No one has ever identified the first person to think of distributing malware that disguised itself as legitimate security software. It was a stroke of evil genius, and it spawned an underground industry that is still going strong today.
This is an early example of fake antivirus software. Other products that appeared in the wake of XP Service Pack 2 mimicked the look and feel of the new Security Center.
In recent years, rogue security software has targeted the Chrome browser, Mac OS X, and legitimate security products using similar names. Despite occasional well-publicized prosecutions, there’s no sign that this category will die any time soon.
For a security researcher, the mere mention of the word rootkit can create a sickening feeling in the pit of the stomach. Bagle was one of the first examples to spread widely. It was also surprisingly sophisticated, as the above graphic (included with a contemporaneous F-Secure writeup) makes clear.
As the authors of the report note, the financial success of botnets had inspired malware authors to step up their game: “Two years ago Bagle was a simple virus. One EXE file, emailing itself around. It's not like that anymore. The malware suite has been built over time. Now the latest development is that one of the new Bagle variants integrates rootkit functionality.”
As trends go, it was anything but welcome.
In January 2007, a deadly storm hit Europe. Malware authors used the news as an opportunity to practice social engineering. The malicious payload was delivered with subject lines such as "230 dead as storm batters Europe." A thorough writeup by Trend Micro suggests just how effective it was:
The spam attack started just as the storm in Europe was at its strongest on January 18. Over the next few hours and into the next day, as hundreds of thousands of recipients, interested in information about the storm, opened their inboxes, the global computing community found itself in the face of a huge threat attack.
Besides effective social engineering, the Storm worm was among the first widely successful malware examples to use polymorphic techniques, repacking its code as often as every 10 minutes so that signature-based antivirus could not keep up. It also used a peer-to-peer network for command and control, which let it rapidly change the IP addresses of its command-and-control servers.
Various members of the Nuwar family (Microsoft's name for the Storm worm) continued to deliver malicious payloads throughout 2007. Microsoft added it to the Malicious Software Removal Tool in September 2007, and it immediately saw a precipitous decline. It was still active, but at a greatly reduced level, in mid-2008, and by then it had begun using RSA encryption to hide its workings from security researchers.