
Chapter 5. Trend and Incident Analysis

5.4 The Weaponisation of the Internet

5.4.1.13 Malware

From Figure 5.7, there is a noticeable decrease in major malware outbreaks; the only notable recent incident was the Stuxnet worm, and its prominence is due to its advanced design rather than the sheer quantity of infections. Table 5.4 lists the most expensive malware in terms of estimated financial impact, which is usually due to lost productivity and clean-up costs (Kretkowski, 2007; Marquit, 2010).

Table 5.4: Costliest Malware, sources: Kretkowski (2007) and Marquit (2010)

Name          Year   Impact (US$)
Morris        1988   10 million
Blaster       2003   320 million
Sasser        2004   500 million
Nimda         2001   635 million
SQL Slammer   2003   750 million
SirCam        2001   1 billion
Melissa       1999   1.2 billion
Code Red      2001   2 billion
Conficker     2007   9.1 billion
ILOVEYOU      2000   15 billion
SoBig         2003   37.1 billion
MyDoom        2004   38.5 billion

In addition to its financial impact, the speed at which the SQL Slammer worm spread was phenomenal; within half an hour it had infected hosts in many countries across all continents, as shown by the interactive timeline (PBS.org, 2003b). The Witty worm of 2004 was the first known malware specifically designed to attack network security software. The attack was vendor-specific, targeting the product family of IBM Internet Security Systems; this limited its overall damage, even though it carried a destructive payload that gradually overwrote the hard drives of infected PCs (Kretkowski, 2007). The Storm worm of 2006 was used to infect computers and turn them into bots for sending spam; many versions tricked potential victims into downloading the malware by using fake links to online news reports or videos (Strickland, 2008).

In 2009 there was a resurgence of the Conficker worm; reports indicate that British and French military systems were infected, causing widespread outages (Kirk, 2009; Willsher, 2009). There were reports that British warships were affected (Kirk, 2009) and that French fighter aircraft were prevented from taking off due to the infections (Willsher, 2009). This incident illustrates the possible use of malware to disrupt military systems and hinder war-fighting capability.

The Mariposa botnet has also been considered the worst malware of all time; it was estimated to have infected approximately 12 million PCs and stole credit card and online banking details (Associated Press, 2010). It appeared in late 2008 and spread through over 190 countries; those arrested by Spanish police in connection with some of the larger botnets had bought the malware on the black market (Associated Press, 2010).

Other examples of credential-stealing malware are the Zeus series and the SpyEye Trojans; these were originally rivals, but there were plans to merge the two into a single, powerful kit. There were also reports that existing clients of Zeus would receive a discount when purchasing SpyEye (Krebs, 2010). Stevens and Jackson (2010) provide an in-depth report on the Zeus Trojan, which illustrates how advanced it was; the most expensive version was selling for approximately US$ 3000 to US$ 4000. The Zeus malware also migrated to mobile platforms to target mobile banking (Kitten, 2010). The Rustock botnet was estimated to control over one million bots, making it the largest single botnet in 2010; the cost of hiring ten thousand bots was US$ 15 in 2010 (Symantec Corporation, 2011a). This indicates an underground economy based on the production and hiring of malware for cyber-crime, spam, and DDoS attacks. Occasionally the kits for the malware are made freely available online: the Zeus code eventually appeared for free, followed a few weeks later by the "Black Hole" exploit kit (Fisher, 2011c).

The Stuxnet worm of 2010 was extremely advanced: it exploited four zero-day vulnerabilities, had multiple propagation methods, and utilised stolen digital certificates; it was also the first malware to specifically target industrial control systems (Falliere, O Murchu, & Chien, 2010; Keizer, 2010; Matrosov, Rodionov, Harley, & Malcho, 2010). Despite this, some experts believe there were mistakes, and that the worm could have been far more effective (Fisher & Roberts, 2011). The infection statistics of the worm were unusual: over 50% of the infections occurred in Iran (Falliere, O Murchu, & Chien, 2010; Keizer, 2010; Matrosov, Rodionov, Harley, & Malcho, 2010), and the targeted Siemens programmable logic controllers were used in an Iranian nuclear facility which was affected by the worm (Keizer, 2010; Moyer, 2010). This leads many to believe that the facility was the ultimate target of the worm, and that, given its sophistication, it was created by a state-sponsored group (Fisher & Roberts, 2011; Keizer, 2010; Moyer, 2010). The ability to spread through USB drives allows the worm to cross air-gaps into sensitive industrial networks, and interference with the control systems may result in physical damage to the equipment. This incident is important because the capability to attack infrastructure through pseudo-targeted malware (in that it is product-specific) has been clearly demonstrated. There are also reports that the code for the worm is available to criminal elements (Kiley, 2010).

From Figure 5.7 and Table 5.4, it can be seen that the period from 1999 to 2004 saw the bulk of the damaging malware; subsequently, malware appears to be focussed more on creating botnets for use in cyber-crime, and there appears to be an online black market economy based on these botnets.

The impact of Conficker on military systems in 2009 and the Stuxnet incident in 2010 illustrate that the use of malware in a military network warfare scenario is no longer theoretical; the capability to target and affect both infrastructure and military information systems has been clearly demonstrated.