The World’s Most Destructive Viruses

The world of computer viruses has changed drastically over the last 25 or so years. In the early days, internet users were very naïve about email attachments, which contributed to the alarming speed at which viruses could spread across the globe.

These days, malicious attachments very rarely reach our inboxes, thanks to attachment filtering and the strict measures taken by providers such as Gmail and Outlook.

However, when viruses do successfully infect machines and propagate effectively, they can be highly destructive and bring some of the largest corporations to their knees. While some viruses are created simply to spread as far and wide as possible, others carry more sinister ‘payloads’, such as opening backdoors, building botnets and launching denial of service attacks.

We took a look at the most destructive viruses to wreak havoc on the internet, and compiled the below visualisation:

The most destructive viruses of all time

How They Work

MYDOOM

  1. Transmitted via email with infected attachment.
  2. If the attachment is executed, the worm harvests addresses from the user’s address book and mails copies of itself to them.
  3. It also copies itself into the ‘shared folder’ of the P2P file sharing software KaZaA in an effort to spread further.
  4. Opens a backdoor on TCP port 3127 to allow remote control of the PC.
  5. Launches a denial of service attack on SCO Group.

SOBIG

  1. Transmitted via email with infected attachment.
  2. Copies itself to the machine and adds a registry run key so that it starts every time the computer is turned on.
  3. Downloads ‘Lala’ Trojan.
  4. Scours hard disk for certain files and harvests any email addresses found, creating a list of targets.
  5. Also searches for local network shares and copies itself onto their root drives, infecting systems when a user logs on.
  6. Blasts itself to the target list using its own SMTP engine, picking a random address from the list to ‘spoof’ the From address.
  7. Deactivates on September 10th 2003.

ILOVEYOU

  1. Transmitted via email with infected attachment.
  2. When executed, plunders the address book and resends itself to everyone in it.
  3. Destroys JPEG, MP3, VBS, JS, JSE, CSS, WSH, SCT and HTA files by overwriting them with copies of itself (MP3 files are hidden behind a copy rather than overwritten).

Code Red

  1. Arrives at web servers over TCP port 80 as an HTTP GET request.
  2. The request contains code that exploits a known buffer overflow vulnerability in Microsoft IIS.
  3. Attempts to spawn 100 threads of itself, resulting in high CPU load.
  4. Defaced affected websites to display “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!”
  5. Other activities based on day of the month:
    • Days 1-19: Attempts to spread itself by looking for more IIS servers on the web.
    • Days 20–27: Launches denial of service attacks on several IP addresses, including that of the White House web server.
    • Days 28-end of month: Sleeps, no active attacks.
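A detection heuristic for the request described above, added here as an example rather than taken from the original article. It assumes the overflow is reached through the IIS Indexing Service ISAPI extension (.ida/.idq), which the text does not state, and runs over constructed log lines in a simplified "client method uri status" layout. The tell-tale features are a request for an .ida/.idq resource whose query string is padded with a long run of one character and carries non-standard %uXXXX escapes; the padding character is worth recording because it differs between variants.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 64 or more repeats of a single character: the padding that fills the buffer
LONG_RUN = re.compile(r"(.)\1{63,}")
# Non-standard %uXXXX escapes (ordinary URL encoding is %XX)
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")
# Indexing Service extensions that route the request into the vulnerable ISAPI DLL
# (assumption for this example; the article only says "IIS")
ISAPI_EXT = (".ida", ".idq")


@dataclass
class Hit:
    client: str
    path: str
    run_char: Optional[str]   # padding character, if any
    run_len: int              # length of the longest padding run
    unicode_escapes: int      # count of %uXXXX escapes in the query


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split a simplified 'client method uri status' line into (client, method, path, query)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    client, method, uri, _status = parts
    path, _, query = uri.partition("?")
    return client, method, path, query


def inspect(line: str) -> Optional[Hit]:
    """Return a Hit if the line looks like the worm's GET request, else None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    client, method, path, query = parsed
    if method != "GET" or not path.lower().endswith(ISAPI_EXT):
        return None
    run = LONG_RUN.search(query)
    escapes = UNICODE_ESCAPE.findall(query)
    if run is None and not escapes:
        return None   # an ordinary Indexing Service query, e.g. a real site search
    return Hit(client, path,
               run.group(1) if run else None,
               len(run.group(0)) if run else 0,
               len(escapes))


def scan(log: str) -> List[Hit]:
    """Run inspect() over every line of a log and keep the hits."""
    return [h for h in (inspect(line) for line in log.splitlines()) if h]


# Constructed sample log, not a real capture. The resource does not need to exist:
# the .ida extension alone hands the request to the Indexing Service DLL.
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET /index.htm 200",
    "10.0.0.5 GET /search.idq?CiRestriction=annual+report 200",
    "203.0.113.7 GET /default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858=a 200",
    "198.51.100.2 GET /default.ida?" + "X" * 224
    + "%u9090%u6858%ucbd3%u7801=a 200",
    "10.0.0.9 GET /images/logo.gif 200",
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.path}: run of {hit.run_len} x '{hit.run_char}', "
              f"{hit.unicode_escapes} %u escapes")
```

Because the padding run and the %u escapes are independent signals, a request that shows either one against an .ida/.idq path is flagged; a legitimate Indexing Service search, which has neither, passes through.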

SQL Slammer

  1. Aggressively scans the internet for vulnerable systems, degrading the speed of the entire internet.
  2. Exploits two buffer overflow bugs in Microsoft SQL Server 2000 (in the Resolution Service, reached over UDP port 1434), allowing a portion of system memory to be overwritten.
  3. Opens a socket on the infected computer and repeatedly sends itself, as a single UDP datagram, to randomly generated IP addresses.
  4. The slowdown was caused by routers collapsing under the burden of bombardment traffic from infected servers.
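The spraying behaviour described above is what a flow-based detector sees: one source hitting a single UDP port on a large number of distinct, unrelated destinations within seconds, with every datagram the same small size. The detector below is an added example, not from the original article; it runs over constructed flow records (no real traffic) and assumes UDP port 1434 as the target port, which the text does not name.

```python
import random
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List

# SQL Server 2000 Resolution Service port (assumption for this example, not stated on the page)
RESOLUTION_PORT = 1434


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int
    nbytes: int    # bytes on the wire


def detect_udp_fanout(flows: List[Flow], dport: int = RESOLUTION_PORT,
                      window: float = 2.0, min_targets: int = 20) -> Dict[str, dict]:
    """Flag sources that reach `min_targets` distinct hosts on udp/`dport`
    within any `window`-second sliding interval."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.dport == dport:
            by_src[f.src].append(f)

    flagged: Dict[str, dict] = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.ts)
        in_window: deque = deque()
        seen: Counter = Counter()   # dst -> datagrams to it inside the window
        peak = 0
        for f in fs:
            in_window.append(f)
            seen[f.dst] += 1
            # drop datagrams that fell out of the window
            while in_window[0].ts < f.ts - window:
                old = in_window.popleft()
                seen[old.dst] -= 1
                if seen[old.dst] == 0:
                    del seen[old.dst]
            peak = max(peak, len(seen))
        if peak >= min_targets:
            flagged[src] = {
                "peak_targets": peak,                          # distinct hosts in the busiest window
                "packets": len(fs),
                "avg_bytes": sum(f.nbytes for f in fs) // len(fs),
            }
    return flagged


def constructed_sample() -> List[Flow]:
    """Constructed flow records for the example: one infected host plus normal use."""
    rng = random.Random(7)
    flows: List[Flow] = []
    # Infected host spraying the Resolution Service port at random addresses, 50 datagrams
    # in one second, each the worm's fixed size (376-byte payload + 28 bytes of IP/UDP headers).
    for i in range(50):
        dst = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        flows.append(Flow(100.0 + i * 0.02, "192.0.2.10", dst, "udp", RESOLUTION_PORT, 404))
    # A legitimate client asking one server which port its named instance listens on
    for i in range(3):
        flows.append(Flow(100.5 + i * 0.3, "10.0.0.7", "10.0.0.20", "udp", RESOLUTION_PORT, 60))
    # ...and then talking to it over TCP
    flows.append(Flow(101.0, "10.0.0.7", "10.0.0.20", "tcp", 1433, 1500))
    return flows


if __name__ == "__main__":
    for src, info in detect_udp_fanout(constructed_sample()).items():
        print(f"{src}: {info['peak_targets']} targets in window, "
              f"{info['packets']} datagrams, avg {info['avg_bytes']} bytes")
```

The legitimate client talks to one server and never approaches the fan-out threshold, while the infected host is flagged after its twentieth distinct destination. Because the worm needs no handshake, connection-oriented logging shows nothing; per-source destination fan-out on the raw datagrams is what catches it.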

Melissa

  1. Transmitted via email with infected attachment.
  2. When executed, disables a number of macro-security safeguards in Word 97 or 2000, then plunders the Microsoft Outlook address book and sends itself to the first 50 contacts.

Sasser

  1. Does not require user interaction or email to spread.
  2. Takes advantage of a buffer overflow in the Windows Local Security Authority Subsystem Service (LSASS).
  3. Once a machine is infected, the worm scans for other vulnerable systems online and on the local network and instructs them to download the worm.

Anna Kournikova

  1. Transmitted via email with infected attachment.
  2. Once opened, plunders the Microsoft Outlook address book and sends itself to everyone listed.

Conficker

  1. Exploits a flaw in the Windows OS and uses dictionary attacks against weak passwords on network shares to spread.
  2. Can also copy itself into shared folders and infect USB devices such as memory sticks.
  3. Updates itself by downloading the latest version from any of 250 pseudorandom domains generated each day.
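The update channel described above works because both the worm and anyone who has reverse-engineered it can derive the same day's domain list from the calendar date. The code below is an added illustration of that idea, not Conficker's actual generator or from the original article: the seed derivation, label lengths and TLD set are assumptions. The defender-side functions show why a deterministic generator is a weakness as well as a strength: the day's rendezvous domains can be precomputed and blocked or sinkholed before the worm ever asks for them.

```python
import hashlib
import random
import string
from typing import Iterable, List, Set

DOMAINS_PER_DAY = 250                               # figure quoted in the text
TLDS = (".com", ".net", ".org", ".info", ".biz")    # assumed TLD set for this illustration


def daily_seed(day: str, secret: str = "illustrative-seed") -> int:
    """Derive the day's PRNG seed from the date (hypothetical scheme for this example).

    Both sides agree on `secret` and on the date string, so they derive the same list."""
    digest = hashlib.sha256(f"{secret}|{day}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def generate(day: str) -> List[str]:
    """The worm side: the ordered list of DOMAINS_PER_DAY unique names for `day`."""
    rng = random.Random(daily_seed(day))
    names: List[str] = []
    seen: Set[str] = set()
    while len(names) < DOMAINS_PER_DAY:
        length = rng.randint(5, 11)
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(length))
        name = label + rng.choice(TLDS)
        if name not in seen:      # skip the rare collision so the list stays unique
            seen.add(name)
            names.append(name)
    return names


def blocklist(days: Iterable[str]) -> Set[str]:
    """The defender side: every domain the update routine could contact on the given days."""
    return {name for day in days for name in generate(day)}


def is_rendezvous_domain(domain: str, days: Iterable[str]) -> bool:
    """Check a DNS query name (case-insensitive, trailing dot tolerated) against the blocklist."""
    return domain.lower().rstrip(".") in blocklist(days)


if __name__ == "__main__":
    today = generate("2009-01-15")
    print(len(today), "domains, first three:", today[:3])
    print(is_rendezvous_domain(today[0], ["2009-01-15"]),
          is_rendezvous_domain("www.example.com", ["2009-01-15"]))
```

Precomputing a few days ahead is cheap (250 names a day), which is exactly what makes a small fixed daily list containable; a generator that produces tens of thousands of candidates a day is the natural escalation against that defence.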

Nimda

  1. Transmitted via email attachments, open network shares, browsing compromised websites, exploitation of Microsoft IIS vulnerabilities, and backdoors left behind by Code Red.
  2. Can search for .exe files and embed itself in them as a resource.
  3. Can plunder email client address books and send itself to the contacts found.
  4. Can scan the internet for vulnerable servers, infecting the web pages they serve and spreading to any users who browse them.

Sircam

  1. Transmitted via email with infected attachment.
  2. Once executed, document files on the computer are selected at random, infected, and emailed out to addresses in the host’s address book.
  3. This results in many private files being leaked to contacts.
  4. Can also spread via open shares on a network.

Blaster

  1. Takes advantage of a known vulnerability in the RPC interface of the Windows Distributed Component Object Model (DCOM).
  2. This allowed it to spread without user interaction, by sending itself to large numbers of random IP addresses.
  3. Initiates a SYN flood against port 80 of windowsupdate.com if the system date is after August 15th and before December 31st, resulting in a DDoS attack against the site.

Morris Worm

  1. Exploited vulnerabilities in Unix sendmail, fingerd and rsh/rexec trust relationships, as well as weak passwords, to spread across the internet.
  2. Infected computers multiple times, slowing machines down until they became unusable.