In January 2007, a deadly storm hit Europe. Malware authors used the news as an opportunity to practice social engineering. The malicious payload was delivered with subject lines such as "230 dead as storm batters Europe." A thorough writeup by Trend Micro suggests just how effective it was:
The spam attack started just as the storm in Europe was at its strongest on January 18. Over the next few hours and into the next day, as hundreds of thousands of recipients, interested in information about the storm, opened their inboxes, the global computing community found itself in the face of a huge threat attack.
Besides effective social engineering, the Storm worm was among the first widely successful malware examples to use polymorphic techniques, capable of changing its packing code every 10 minutes to frustrate antivirus signatures. It also employed a peer-to-peer network that could rapidly change the IP addresses of its command-and-control servers.
Various members of the Nuwar family continued to deliver malicious payloads throughout 2007. Microsoft added it to the Malicious Software Removal tool in September 2007, and it immediately saw a precipitous decline. It was still active, but at a greatly reduced level, in mid-2008 and had begun using RSA encryption to hide its workings from security researchers.
A decade ago, social media didn't exist. By 2008, Facebook had become popular enough to attract the attention of malware authors. One of them created an annoying cross-platform worm that targeted Windows, Mac OS X, and even Linux. The worm gathered login details, built a botnet, and made money by installing additional malware. It also used a common social engineering trick, trying to convince potential victims that they needed to install a Flash Player update that was actually the malicious payload.
Facebook took down the network by decapitating its control servers in early 2011.
All pretty routine stuff, by modern standards, but the twist is that this gang was unmasked after several years of making Facebook users’ lives miserable. ZDNet blogger Dancho Danchev published his own takedown of the botnet master on January 9, 2012, complete with embarrassing personal photos. Facebook publicly revealed the identities of the entire gang the following week.
(The image above was captured by an amateur researcher.)
Conficker is the poster child for modern malware.
Its original incarnation in late 2008 exploited a vulnerability that had been patched a month earlier, but because many Windows users are slow to apply patches, it was extremely effective.
But its particular genius was the way it used a Windows feature called AutoRun, along with social engineering, to spread like wildfire. As the dialog box above shows, Conficker spread by infecting ubiquitous USB flash drives (another technology that didn’t exist at the beginning of the decade). It convinced unwary users to click an innocent-looking option in the AutoRun dialog box that appeared when a USB drive was inserted into a PC.
To add insult to injury, it then used a simple dictionary attack to find administrator accounts on the network that used pathetically weak passwords like letmein, 123456, asdfgh, and Admin. Turns out there are a lot of lazy admins out there.
Microsoft's response in February 2009 included a $250,000 bounty for identifying the Conficker authors. It closed the USB AutoRun hole in the initial release of Windows 7 but didn't deliver the equivalent patch as a Critical update for Windows XP and Vista until early 2011.
Microsoft and a loose amalgamation of security professionals called the Conficker Working Group shut down the Conficker botnet by taking over its command-and-control servers through legal processes. Today, there are still several million Conficker-infected PCs, but their ability to be controlled by evil forces is long gone.