Bit9

RSA is celebrating its 20th anniversary this week in San Francisco. On this occasion, it’s worth taking a look back at the past two decades of security. Some things have changed dramatically, others have stayed the same.

In 1991, the year of the first RSA conference, Symantec released Norton Antivirus (the other major antivirus player at the time, Central Point, would be acquired by Symantec in 1994). It was a blacklisting technology, using signatures to identify malware. At that time, there were maybe a few hundred signatures. That number stayed under 10,000 for almost a decade, but has grown out of control in the past five years. It broke the 100,000 mark in 2005, the 1 million mark in 2008, and approached 5 million in 2010. In 2009, Symantec wrote 2.9 million signatures (almost 8,000 new signatures every day); more than half of all signatures written since they first introduced their technology. We’re talking about new signatures, not total. Cumulatively, we’re approaching the 10 million mark.

These are signatures, not actual threats. Many of these signatures are pattern based, intended to identify multiple variants of the same threat. Just last month, IT security lab AV-Test registered its 50 millionth sample in its malware repository. And that’s just the malware we know. It doesn’t include the millions of uncharted samples. In 20 years, we’ve gone from a few dozen known attacks to tens of millions; from a few hundred signatures to almost 10 million.

While the volume of threats has grown uncontrollably, so has the sophistication and nature of the attacker.

Let’s take a look at some of the high-profile attacks over the past 20 years:

- 1990: The first polymorphic attack hit the world stage with the Chameleon virus.

- 1995: Windows 95 is released, and the first macro virus, Concept, appears in the wild. It did not cause any damage, but it made the point that a new breed of attacks was on the horizon.

- 1999: The Melissa macro virus showed the power of macros and social engineering. Arriving as an email entitled “Important message from xxx” with an attachment and the message “Here is the document you asked for… don’t show anyone else ;-) ”, it quickly spread through address books. It clogged email servers around the world, causing an estimated $1B in damage worldwide.

- 2000: The infamous ILOVEYOU or LoveBug worm wreaked havoc on over 45 million computers, causing an estimated $10B in damage (ILOVEYOU has the dubious distinction of being one of the first multi-billion dollar attacks). It arrived via email as an attachment, or via IRC as a link, and users were more than happy to open it. It spread in a similar manner to Melissa, and also through mIRC, but it went further: it modified system settings, dropped additional payloads onto each computer, and attempted to steal password information.

- 2001: This was a particularly bad year to be in security. Among the most notable attacks that year were Code Red and Nimda. Code Red was one of the first memory-only worms, leaving no files or other trace on the hard drive. Exploiting a buffer overflow vulnerability, Code Red attacked IIS web servers. It is estimated to be the most expensive malware of 2001, causing $2.75B in cleanup and lost productivity costs. On its heels came Nimda (“admin” spelled backwards), one of the fastest spreading worms of all time. Nimda spread through multiple vectors, including back doors left open by a Code Red variant.

- 2003: This year saw attacks on SQL Server (Slammer) and Distributed Denial of Service (Blaster), and most notably, the second most expensive attack of all time, Sobig. It was the fastest-spreading email worm of its day, and it also dropped a trojan that could turn an infected system into a spamming bot. It caused an estimated $37.1B in damage.

- 2004: Another year of nasty attacks (Netsky, Sasser, Vundo, …) but the clear standout, and the most costly virus of all time, was Mydoom. With an estimated cleanup cost of $38.5B, it remains the fastest spreading mass mailer worm. It is estimated that, shortly after its release, 20-30% of worldwide email traffic was due to Mydoom. In addition to containing its own SMTP engine, which it used to spread via email, it would also use the infected systems in organized Denial of Service (DoS) attacks on various high-profile sites.

- 2006-2007: The war of the botnets heats up, with the Stration (aka Warezov) and Storm worms vying for top position in number of machines infected. Believed to originate from Russian gangs, later variants of these worms tried to gain control of the systems compromised by their rival. It is estimated that Stration, at its peak, was generating a new variant every 30 minutes, and accounted for nearly one-third of all reported malware infections. Millions of computers were compromised by these attacks and formed large botnets that could be controlled remotely.

- 2008: As social networking increases in popularity, social networks become a rich target for attack. High-profile attacks like Koobface (an anagram of “facebook”) make their debut. One of the most sophisticated attacks was the Conficker worm, which combined several vulnerabilities and techniques for spreading. Estimates of its spread are hard to come by, with more hype than fact, but Conficker likely infected several million computers.

- 2009: Cyber warfare heats up. In mid 2009, an organized set of DDoS attacks on web sites in the United States and South Korea occurs. Operation Aurora, a series of state-sponsored and coordinated attacks against corporations (including Google, Adobe and Juniper), is publicly disclosed. The attacks were multi-faceted, involved multiple levels of encryption, and used sophisticated techniques to remain stealthy. While such attacks have occurred for years, the level of public disclosure raised the awareness that the enemy had changed: from garage hacker, to individual criminals, to organized crime, and now to state-sponsored and targeted (well financed and highly advanced) attackers. A new term was added to the public lexicon to describe this new type of attack: APT (Advanced Persistent Threat).

- 2010: Typifying exactly how dangerous today’s attacks can be, Stuxnet makes its debut. As I blogged about at the time, Stuxnet is one of the most advanced attacks ever written. Designed to target SCADA systems, such as those used in nuclear power plants, Stuxnet has been dubbed a “cyber super weapon”. Also, the Zeus trojan continues to steal millions of dollars. Zeus was first identified in 2007. It is essentially a toolkit that can be used to craft custom malware for controlling computers and stealing information. In 2009, several high-profile outbreaks were reported, and again in 2010. Signature-based detection is simply ineffective at detecting or stopping it. Lastly, as if to rub salt in the wound of a 20-year-old technology that has not kept pace with the threat, the “Here you have” email virus appears, in an attack almost identical to the Melissa virus of 1999. With an email body reading “This is The Document I told you about, you can find it Here”, this virus shows that you can still trick people into opening anything, and there’s very little traditional antivirus can do about it.

2011 is still young, so we’ll see what demons lurk in the waiting. But just last week, McAfee produced a report on an attack dubbed “Night Dragon” that details a sophisticated set of attacks originating from China against global oil and energy companies. In fairness to my timeline, these attacks occurred at the end of 2009 and through 2010, but the report was only just released. It’s reminiscent of Operation Aurora, where the attack is targeted and multi-pronged, involves several vulnerabilities and techniques, and is sponsored by a determined and well-financed enemy. We will see more of these types of attacks this year.

Remarkably, in twenty years, the basic nature of the antivirus technology first introduced in 1991 has not evolved much. Sure, vendors are building new malware signatures at record pace, but playing the numbers game is a losing proposition. More importantly, the enemy is developing specialized attacks designed for penetration and stealth, not broad-based infection. With the growth of mobile and smart devices, the perimeter surrounding a company’s assets is becoming less defined and the number of vulnerable entry points is exploding. Two decades later, at this year’s RSA, there will be recognition that a new approach to security is needed.
