The Internet is an Internet lover's paradise, a gamer's haven, a business's lifeline, and a hacker's playground. Over the past two decades, hundreds of worms have devastated the infrastructure of millions of computers around the world, causing billions of dollars of damage-and the life of the worm is far from over. Let's take a look at the last 20 years to see which of these worms have stood out from among the rest.
10. Jerusalem (also known as BlackBox)
Discovered in 1987, Jerusalem is one of the earliest worms. It is also one of the most commonly known viruses, deleting files that are executed on each Friday the 13th. Its name comes from the city in which it was first detected, the city of Jerusalem.
The worm, which infects DOS, increases the file size of all files run within DOS (with the exception of COMMAND.COM).
Jerusalem is a variant of the Suriv virus, which also deletes files at random periods during the year (April Fool's Day and/or Friday the 13th depending on the variant). The Jerusalem worm inspired a host of similar worms that grow by a specified file size when executed. Another variant, Frère, plays the song Frère Jacques on the 13th day of the month.
While Jerusalem and its relatives were quite common in their day, they became less of a threat when Windows was introduced.
9. Michelangelo
In 1991, thousands of machines running MS-DOS were hit by a new worm, one which was scheduled to be activated on the artist Michelangelo's birthday (March 6th). On that day, the virus would overwrite the hard disk or change the master boot record of infected hosts.
When the worm came to mainstream attention, mass hysteria reigned and millions of computers were believed to be at risk. After March 6th, however, it was realized that the damage was minimal. Only 10,000 to 20,000 cases of data loss were reported.
Ironically, however, because of the media hype, the period before March 6, 1992 became known as "Michelangelo Madness," with users buying anti-virus software in droves, some for the very first time. In a way, the "madness" led many people to prepare for the outbreak and helped minimize the actual damage caused by the worm.
8. Storm Worm
One of the newest worms to hit the Internet was the Storm Worm, which debuted in January of 2007. Its name came from a widely circulated email about the Kyrill weather storm in Europe, and its subject was "230 dead as storm batters Europe." The virus first hit on January 19th, and three days later, the virus accounted for 8% of all infected machines.
If your computer was infected by the Storm Worm, your machine became part of a large botnet. The botnet acted to perform automated tasks that ranged from gathering data on the host machine, to DDOSing websites, to sending infected emails to others. As of September of this year, an estimated 1 million to 10 million computers were still part of this botnet, and each of these computers was infected by one of the 1.2 billion emails sent from the infected hosts.
Storm Worm is a difficult worm to track down because the botnet is decentralized and the computers that are part of the botnet are consistently being updated with the fast flux DNS technique. Consequently, it has been difficult for infected machines to be isolated and cleaned.
7. Sobig
In 2003, millions of computers were infected with the Sobig worm and its variants. The worm was disguised as a benign email. The attachment was often a *.pif or *.scr file that would infect any host if downloaded and executed. Sobig-infected hosts would then activate their own SMTP host, gathering email addresses and continually propagating through additional messages.
Sobig depended heavily on public websites to execute additional stages of the virus. Fortunately, in earlier cases, these sites were shut down after the discovery of the worm. Later, when Geocities was found to be the primary hosting point for Sobig variants, the worm would instead communicate with cable modems that were hacked that would later serve as another stage in the worm's execution.
The result? Sobig infected approximately 500,000 computers worldwide and cost as much as $1 billion in lost productivity.
6. MSBlast
The summer of 2003 wasn't much easier for those building anti-virus definitions or those at businesses or academic institutions. In July of that year, Microsoft announced a vulnerability within Windows. A month later, that vulnerability was exploited. This worm was called MSBlast, a name created by the worm's author, and it included a personal message from the author to Bill Gates. The note read, "billy gates why do you make this possible? Stop making money and fix your software!!"
When MSBlast hit, it installed a TFTP (Trivial File Transfer Protocol) server and downloaded code onto the infected host. Within several hours of its discovery, it had hit nearly 7,000 computers. Six months later, over 25 million hosts were known to be infected. The Windows Blaster Worm Removal Tool was finally launched by Microsoft in January of 2004 to remove traces of the worm.
A 19-year-old from Minnesota, Jeffrey Lee Parson, was arrested and sentenced to 18 months in prison with 10 months of community service after launching a variant of the MSBlast worm that affected nearly 50,000 computers.
5. Melissa
Want porn but don't have any? In 1999, hungry and curious minds downloaded a file called List.DOC in the alt.sex Usenet discussion group, assuming that they were getting free access to over 80 pornographic websites. Little did they know that the file within was responsible for mass-mailing thousands of recipients and shutting down nearly the entire Internet.
You get what you pay for.
Melissa spread through Microsoft Word 97 and Word 2000, mass emailing the first 50 entries from a user's address book in Outlook 97/98 when the document was opened. The Melissa worm randomly inserted quotes from The Simpsons TV show into documents on the host computer and deleted critical Windows files.
The Melissa worm caused $1 billion in damages. Melissa's creator, a David Smith from New Jersey, named the worm after a lap dancer he met while vacationing in Florida. Smith was imprisoned for 20 months and fined $5,000.
4. Code Red
Friday the 13th was a bad day in July of 2001; it was the day Code Red was released. The worm took advantage of a buffer overflow vulnerability in Microsoft IIS servers and would self-replicate by exploiting the same vulnerability in other Microsoft IIS machines. Web servers infected by the Code Red worm would display the following message:
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
After 20 to 27 days, infected machines would attempt to launch a denial of service on many IP addresses, including the IP address of www.whitehouse.gov.
Code Red and its successor, Code Red II, are known as two of the most expensive worms in Internet history, with damages estimated at $2 billion and at a rate of $200 million in damages per day.
3. Nimda
In the fall of 2001, Nimda ("admin" spelled backwards) infected a variety of Microsoft machines very rapidly through an email exploit. Nimda spread by finding email addresses in .html files located in the user's web cache folder and by looking at the user's email contacts as retrieved by the MAPI service. The consequences were heavy: all web related files were appended with Javascript that allowed further propagation of the worm, users' drives were shared without their consent, and "Guest" user accounts with Administrator privileges were created and enabled.
A market research firm estimated that Nimda caused $530 million in damages after only one week of propagation.
Several months later, reports indicated that Nimda was still a threat.
2. ILOVEYOU (also known as VBS/Loveletter or Love Bug Worm)
You may have gotten an email in 2000 with the subject line "ILOVEYOU." If you deleted it, you were safe from one of the most costly worms in computer history. The attachment in that email, a file called LOVE-LETTER-FOR-YOU.TXT.vbs, started a worm that spread like wildfire by accessing email addresses found in users' Outlook contact lists. Unsuspecting recipients, believing the email to be benign, would execute the document only to have most of their files overwritten.
The net result was an estimated $5.5 billion to $8.7 billion in damages. Ten percent of all Internet-connected computers were hit.
Onel A. de Guzman, the creator of the virus and a resident of the Philippines, had all charges dropped against him for creating the worm because there were no laws at the time prohibiting the creation of computer worms. Since then, the government of the Philippines has laid out penalties for cybercrime that include imprisonment for 6 months to 3 years and a fine of at least 100,000 pesos (USD $2000).
1. Morris Worm (also known as the Great Worm)
How big is the Internet, you ask? In 1988, Cornell University student named Robert Tappan Morris launched 99 lines of code in his quest for the answer. While his intentions were not malicious, there were bugs in his code that caused affected hosts to encounter a plethora of stability problems that effectively made these systems unusable. The result was increased load averages on over 6,000 UNIX machines across the country which caused between $10,000,000 and $100,000,000 of damage.
