Top 10 Worms of the past 10 years
I was asked at some point about worms and their exploits... so this is list to cover that subject. BTW that is MY list, not an official one or whatever.. those are the ones that caught my eye during my research on the matter. Also, I tried to mention the originals rather than the variants.. so for example.. no Duqu or Flame.. just Stuxnet.
Date: Jan 2004
Name: MyDoom
Exploit: n/a*
CVE-ID: n/a*
Method: Spam campaign / P2P shares
Description: Spread through failed mail messages that propagate across the target's address-book when executed whilst sharing itself though other available p2p networks. Payload contains a backdoor on port 3127/tcp for remote control as well as a timed DoS attack on the SCO and Microsoft sites.
Infections: 33 million
Resources:
http://www.f-secure.com/v-descs/novarg.shtml
http://en.wikipedia.org/wiki/Mydoom
http://news.cnet.com/MyDoom-virus-declared-worst-ever/2100-7349_3-5149764.html
Date: Feb 2004
Name: Sasser
Exploit: MS04-011
CVE-ID: 2003-0533
Method: Scan and exploit
Description: Looks for vulnerable systems and exploits the LSASS bof when found. Opens a shell on port 9996/tcp and pulls the worm from the infected system via FTP. It will check to see if the system is infected and stop if the system is already compromised. Adds itself on autorun and creates an FTP server on port 5554/tcp to further spread the infection. Uses the local system IP to generate a list of targets, spawns 128 threads and gets to work(avoiding RFC 1918 addresses).
Infections: 250,000
Resources:
http://www.f-secure.com/v-descs/sasser.shtml
http://malware.wikia.com/wiki/Sasser
http://en.wikipedia.org/wiki/Sasser_%28computer_worm%29
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0533
http://www.nbcnews.com/id/4890780/ns/technology_and_science-security/t/sasser-infections-begin-subside/
Date: Jan 2006
Name: Nyxem
Exploit: n/a*
CVE-ID: n/a*
Method: Spam campaign / network shares
Description: Mostly spreading via mail but also via locally mounted network shares. The payload is set disable a variety of AV products and use local shares and address-book records to propagate itself further. On the 3rd day of every month, the virus searches for files with the following 12 extensions .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, and .dmp on all available drives and replaces them with the text string "DATA Error [47 0F 94 93 F4 K5]".
Infections: 400,000 to 1 million
Resources:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011712-2537-99
http://www.f-secure.com/v-descs/nyxem_e.shtml
http://www.caida.org/research/security/blackworm/
Date: Nov 2006
Name: Storm
Exploit: n/a*
CVE-ID: n/a*
Method: Spam campaign
Description: Mass mailing worm which propagates itself using the address-book information harvested from the target system. Kills a variety of investigative utilities including AV (based on their window name). Installs itself in the registry and hides using the SDDT rootkit technique whilst pulling more malware from the net.
Infections: 2 to 50 million
Resources:
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=140835
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Dorf-A.aspx
http://www.eset.com/us/threat-center/encyclopedia/threats/win32nuwara/
http://en.wikipedia.org/wiki/Storm_Worm
http://spamtrackers.eu/wiki/index.php?title=Storm#Storm_.2F_Zhelatin_timeline
Date: Aug 2008
Name: Koobface
Exploit: n/a*
CVE-ID: n/a*
Method: Social Networks
Description: Infected systems become part of a p2p botnet which further spread itself via social networks. It manipulates searches to inject advertisements and can remotely install further pay-per-install malware, but also steal credentials and licenses, block access to sites or direct traffic to particular sites, act as a command&control server, break CAPTCHAs and even propagate itself via newly created blogspot accounts/pages.
Infections: 400,000 to 800,000
Resources:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99
http://www.f-secure.com/v-descs/net-worm_w32_koobface_bm.shtml
http://en.wikipedia.org/wiki/Koobface
http://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html?pagewanted=all&_r=0
Date: Oct 2008
Name: Conficker
Exploit: MS08-067
CVE-ID: CVE-2008-4250
Method: Scan and exploit
Description: Exploit the RPC bof and connect to the source's HTTP server running on a random port (1024-10000) to download the worm's DLL. Saves the DLL on the system folder and triggers it on system startup via svchost (saved in registry). It will attempt to attack local network systems and execute dictionary attacks to the password protected shares it detects. The latest variants even copy themselves in any removable media and take advantage of Windows AutoRun to further propagate themselves. In the meantime System Restore Points are reset, Error reporting, updating, diagnostic and antivirus tools are disabled watched for and terminated.
Infections: 9 to 15 million
Resources:
http://www.sans.org/security-resources/malwarefaq/conficker-worm.php
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
http://en.wikipedia.org/wiki/Conficker
Date: July 2009
Name: Daprosy
Exploit: n/a*
CVE-ID: n/a*
Method: Spam campaign / mapped, fixed, and removable drives
Description: Spreading through email, removable devices via autorun and fixed or mapped drives. Uses key-logging to extract target emails to further propagate itself and send sensitive information to the author. Disables System Restore, hides folders and adds itself in the startup folder.
Infections: n/a
Resources:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-071521-4358-99
http://en.wikipedia.org/wiki/Daprosy_Worm
Date: Jun 2010
Name: Stuxnet
Exploit:
CVE-ID:CVE-2010-2568 / CVE-2008-4250 / CVE-2010-2729 / CVE-2010-3888 / CVE-2010-2743 / CVE-2012-3015
Method: USB Media / Scan and exploit
Description: Post exploitation the worm would look for Siemens software, if not found it will spread itself to up to three others and lay dormant until the 24th June 2012 when it was scheduled to erase itself. A range of exploits were used to propagate the worm and yet another to deliver the payload to the target... which was SCADA systems. The worm also had rootkit capabilities using digitally signed certificates stolen from JMicron and Realtek. Two websites where used as command and control for the worm and to offload any industrial espionage information involved. There is a library worth of documentation for this one and its variations so I will not further attempt to "sum-up" the brilliant work involved!
Infections: 6 million (minimum)
Resources:
http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
http://www.symantec.com/connect/blogs/stuxnet-05-how-it-evolved
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568
http://en.wikipedia.org/wiki/Stuxnet
http://virus.wikidot.com/stuxnet
Date: Aug 2011
Name: Morto
Exploit: n/a*
CVE-ID: n/a*
Method: RDP Brute force
Description:
Based on a dictionary attack aimed to administrator accounts via Microsoft's RDP Service. After the initial infection the worm adds some registry entries, files and injects its DLL to svchost.exe and removes its initial file; then the scanning begins. Using a list of around 100 common passwords the worm performs a dictionary attack to all available RDP targets (starting with the local network).
Infections: 1,000 - 2,000
Resources:
http://www.f-secure.com/v-descs/worm_w32_morto_a.shtml
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm:Win32/Morto.A
https://isc.sans.edu//diary/Internet+Worm+in+the+Wild/11470
http://blogs.technet.com/b/mmpc/archive/2011/08/29/more-on-morto.aspx
Date: Apr 2013
Name: Kelihos
Exploit: JAVA_EXPLOIT.BB
CVE-ID: CVE-2013-0422
Method: Spam campaign
Description: Using a drive-by attack via a spam campaign based on the Boston Marathon attacks, users are lead to pages that exploit the Java Security Manager Bypass Vulnerability and download a malware onto the system. The worm steal financial information, monitors web traffic, steals bitcoins and any credentials are stored in a variety of applications whilst hiding itself, use the target's contact to further propagate whilst providing remote p2p command and control capabilities.
Infections: 110,000
Resources:
http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422
Th-Th-Th-Th-Th-... That's all, folks!
* Some of the worms mentioned do not take advantage of a particular vulnerability yet they employ social engineering techniques to convince their victims to execute the initial malicious code.
Date: Jan 2004
Name: MyDoom
Exploit: n/a*
CVE-ID: n/a*
Method: Spam campaign / P2P shares
Description: Spread through failed mail messages that propagate across the target's address-book when executed whilst sharing itself though other available p2p networks. Payload contains a backdoor on port 3127/tcp for remote control as well as a timed DoS attack on the SCO and Microsoft sites.
Infections: 33 million
Resources:
http://www.f-secure.com/v-descs/novarg.shtml
http://en.wikipedia.org/wiki/Mydoom
http://news.cnet.com/MyDoom-virus-declared-worst-ever/2100-7349_3-5149764.html
Date: Feb 2004
Name: Sasser
Exploit: MS04-011
CVE-ID: 2003-0533
Method: Scan and exploit
Description: Looks for vulnerable systems and exploits the LSASS bof when found. Opens a shell on port 9996/tcp and pulls the worm from the infected system via FTP. It will check to see if the system is infected and stop if the system is already compromised. Adds itself on autorun and creates an FTP server on port 5554/tcp to further spread the infection. Uses the local system IP to generate a list of targets, spawns 128 threads and gets to work(avoiding RFC 1918 addresses).
Infections: 250,000
Resources:
http://www.f-secure.com/v-descs/sasser.shtml
http://malware.wikia.com/wiki/Sasser
http://en.wikipedia.org/wiki/Sasser_%28computer_worm%29
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0533
http://www.nbcnews.com/id/4890780/ns/technology_and_science-security/t/sasser-infections-begin-subside/
Date: Jan 2006
Name: Nyxem
Exploit: n/a*
CVE-ID: n/a*
Method: Spam campaign / network shares
Description: Mostly spreading via mail but also via locally mounted network shares. The payload is set disable a variety of AV products and use local shares and address-book records to propagate itself further. On the 3rd day of every month, the virus searches for files with the following 12 extensions .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, and .dmp on all available drives and replaces them with the text string "DATA Error [47 0F 94 93 F4 K5]".
Infections: 400,000 to 1 million
Resources:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011712-2537-99
http://www.f-secure.com/v-descs/nyxem_e.shtml
http://www.caida.org/research/security/blackworm/
Date: Nov 2006
Name: Storm
Exploit: n/a*
CVE-ID: n/a*
Method: Spam campaign
Description: Mass mailing worm which propagates itself using the address-book information harvested from the target system. Kills a variety of investigative utilities including AV (based on their window name). Installs itself in the registry and hides using the SDDT rootkit technique whilst pulling more malware from the net.
Infections: 2 to 50 million
Resources:
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=140835
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Dorf-A.aspx
http://www.eset.com/us/threat-center/encyclopedia/threats/win32nuwara/
http://en.wikipedia.org/wiki/Storm_Worm
http://spamtrackers.eu/wiki/index.php?title=Storm#Storm_.2F_Zhelatin_timeline
Date: Aug 2008
Name: Koobface
Exploit: n/a*
CVE-ID: n/a*
Method: Social Networks
Description: Infected systems become part of a p2p botnet which further spread itself via social networks. It manipulates searches to inject advertisements and can remotely install further pay-per-install malware, but also steal credentials and licenses, block access to sites or direct traffic to particular sites, act as a command&control server, break CAPTCHAs and even propagate itself via newly created blogspot accounts/pages.
Infections: 400,000 to 800,000
Resources:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99
http://www.f-secure.com/v-descs/net-worm_w32_koobface_bm.shtml
http://en.wikipedia.org/wiki/Koobface
http://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html?pagewanted=all&_r=0
Date: Oct 2008
Name: Conficker
Exploit: MS08-067
CVE-ID: CVE-2008-4250
Method: Scan and exploit
Description: Exploit the RPC bof and connect to the source's HTTP server running on a random port (1024-10000) to download the worm's DLL. Saves the DLL on the system folder and triggers it on system startup via svchost (saved in registry). It will attempt to attack local network systems and execute dictionary attacks to the password protected shares it detects. The latest variants even copy themselves in any removable media and take advantage of Windows AutoRun to further propagate themselves. In the meantime System Restore Points are reset, Error reporting, updating, diagnostic and antivirus tools are disabled watched for and terminated.
Infections: 9 to 15 million
Resources:
http://www.sans.org/security-resources/malwarefaq/conficker-worm.php
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
http://en.wikipedia.org/wiki/Conficker
Date: July 2009
Name: Daprosy
Exploit: n/a*
CVE-ID: n/a*
Method: Spam campaign / mapped, fixed, and removable drives
Description: Spreading through email, removable devices via autorun and fixed or mapped drives. Uses key-logging to extract target emails to further propagate itself and send sensitive information to the author. Disables System Restore, hides folders and adds itself in the startup folder.
Infections: n/a
Resources:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-071521-4358-99
http://en.wikipedia.org/wiki/Daprosy_Worm
Date: Jun 2010
Name: Stuxnet
Exploit:
CVE-ID:CVE-2010-2568 / CVE-2008-4250 / CVE-2010-2729 / CVE-2010-3888 / CVE-2010-2743 / CVE-2012-3015
Method: USB Media / Scan and exploit
Description: Post exploitation the worm would look for Siemens software, if not found it will spread itself to up to three others and lay dormant until the 24th June 2012 when it was scheduled to erase itself. A range of exploits were used to propagate the worm and yet another to deliver the payload to the target... which was SCADA systems. The worm also had rootkit capabilities using digitally signed certificates stolen from JMicron and Realtek. Two websites where used as command and control for the worm and to offload any industrial espionage information involved. There is a library worth of documentation for this one and its variations so I will not further attempt to "sum-up" the brilliant work involved!
Infections: 6 million (minimum)
Resources:
http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
http://www.symantec.com/connect/blogs/stuxnet-05-how-it-evolved
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568
http://en.wikipedia.org/wiki/Stuxnet
http://virus.wikidot.com/stuxnet
Date: Aug 2011
Name: Morto
Exploit: n/a*
CVE-ID: n/a*
Method: RDP Brute force
Description:
Based on a dictionary attack aimed to administrator accounts via Microsoft's RDP Service. After the initial infection the worm adds some registry entries, files and injects its DLL to svchost.exe and removes its initial file; then the scanning begins. Using a list of around 100 common passwords the worm performs a dictionary attack to all available RDP targets (starting with the local network).
Infections: 1,000 - 2,000
Resources:
http://www.f-secure.com/v-descs/worm_w32_morto_a.shtml
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm:Win32/Morto.A
https://isc.sans.edu//diary/Internet+Worm+in+the+Wild/11470
http://blogs.technet.com/b/mmpc/archive/2011/08/29/more-on-morto.aspx
Date: Apr 2013
Name: Kelihos
Exploit: JAVA_EXPLOIT.BB
CVE-ID: CVE-2013-0422
Method: Spam campaign
Description: Using a drive-by attack via a spam campaign based on the Boston Marathon attacks, users are lead to pages that exploit the Java Security Manager Bypass Vulnerability and download a malware onto the system. The worm steal financial information, monitors web traffic, steals bitcoins and any credentials are stored in a variety of applications whilst hiding itself, use the target's contact to further propagate whilst providing remote p2p command and control capabilities.
Infections: 110,000
Resources:
http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422
Th-Th-Th-Th-Th-... That's all, folks!
* Some of the worms mentioned do not take advantage of a particular vulnerability yet they employ social engineering techniques to convince their victims to execute the initial malicious code.