16 deadliest Malwares of all time 

Introduction:

Through decades Hackers have been launching Cyber-Attacks against organizations and individuals using deadly malwares to help them break into systems, gain access to devices and leak confidential data.

So the other day I was asking myself, what are the worst Cyber-Attacks ever happened, more specifically what are the deadliest viruses of all time that Hackers used to launch those Cyber-Attacks!!

To answer the question, I've called up my information & done some research, and here we are listing the 16 deadliest viruses that occurred throughout history...

What's the Malware?

Malware is any malicious software that is designed to cause disruption in systems and networks.

They take many forms each is designed differently and functions in a specific way to satisfy the type of attack carried out by the Hacker.

The types of Malware can be categorized into the following categories:

- Virus:

The evil dude in the Malware family, he's straightforward and conducts the job directly.

The virus can't run automatically, therefore it requires the victim to run it so it sets off with the work, and usually, it doesn't spread itself on the network but on the infected device only.

- Worms:

Worms are designed unlike viruses, they are the extroverts in the Malware family, they tend to target a specific file or area in the system and corrupt it, as well they don't need the help of the victim to spread, as they spread themselves on the network the infected device is connected to, and also they can send themselves through the email to the contact list on that device.

- Trojan:

It's the smart buddy among the Malwares, it tends to masquerade as something else to get into the targeted devices, it shows up as a file, video, picture, etc...

The Trojan requires the victim to run it, and this can be easier than ever especially with random victims, ass it takes no more than opening a file or clicking on a picture. and once it runs it usually opens a Backdoor for the Hacker to share you with your device, or it can work behind the scenes and store everything you do on your device to send it to the Hacker later or does both of the things at the same time. 

- Botnet:

It's the respectful one in the family, all it does after infecting the device is send a message informing the Hacker who sent it that it's on the targeted device, and keep on that device so peacefully.

The Hacker usually send these Botnets to many other devices "as many as possible", sometimes it can be sent to millions of devices worldwide,  and they keep deactivated till the Hacker command them to do a specific thing, usually, that thing is a DDoS-Attack against websites, networks, and servers to shut it down and get it out of services for a period depending on two factors:

1- The ability of the security team of the target to figure out a way to shut the attack down.

2- The Hacker and when he decides to stop the attack.

What's the difference between Malware, Spyware, and Ransomware?

Ransomware and Spyware are both types of Malware used by Crackers to serve different purposes...

Ransomware:

Malicious software that encrypts the files on the infected device. This may either be a system-level encryption or infect your personal files and encrypt them as well and prevents the victim from accessing their data till a ransom is paid for getting the decryption key in return and gain access to the data again. 

Spyware:

Malicious software that is installed onto users' devices without them knowing to track or monitor what they are doing on their devices.

Spyware can be used for:

Marketing purposes:

To collect information about the user's searching habits, browser history, most visited sites, etc.., 

in order to send relevant and targeted ads that match the user's interests.

Malicious Purposes:

To spy on individuals and collect confidential data in order to manipulate, blackmail, or threaten the victim to take a specific action.

The Spyware can sneak its way onto devices through many ways, by visiting infected websites, from another infected device, and mostly through free software downloads-things that deceive extending the device's functionality or offering uncommon catchy service.

Deadliest Malwares of all time:

SASSER:

This worm was written by an 18 years old German guy Sven Jaschan and another college dude in 2004 to target vulnerable versions of Windows XP and Windows 2000.

The worm exploited the open port 139 in vulnerable Windows OS and shut down many services and cut communications.

The worm infected millions of PCs worldwide, and the effect reached the American flight company Delta Air Lines, Agence France-Press, the X-Ray department at the Lund university hospital caused taking it out of service for several hours, and many other organizations, resulting in a general estimated loss of  $500 Million.

KLEZ:

Klez is a worm that spread in 2001 and infected around 7 million PCs worldwide, in other words approximately 7% of all the PCs back then.

This worm exploits a vulnerability in Internet Explorer's MSHTML "Trident layout engine" which is a proprietary browser engine that is used to render HTML emails.

The worm is sent through an email sent to the victim that contains a portion of text consisting of either an internal HTML frame tag that causes a buggy email which leads to automatically executing the worm or a text with an attachment convincing the victim to click on the file and download it and once it's executed, it copies itself and gathers email addresses from the Windows Address Book "WAB" as well from files stored on the infected device like the (exe, HTML, htm, doc, jpg, mp3, pdf, txt, bat...) and then send itself to those addresses.

The worm as mentioned sends itself to addresses on the infected device, copies itself to windows system file using a file name starting with "Wink", modify the system registry to run automatically the next time the Windows run, tries to delete security-related software files like "ANTI-VIR. DAT", delete autorun from entries from some windows registry keys and much other destructive behaviors that resulted in an estimated damage of $19.8 Billion Dollars.

ILOVEYOU:

Also known as Love Bug or  Love Letter For You as it shows itself in the email sent to the victim, is a computer worm that was created by the Philippines college student Onel de Guzman and spread in 2000 to infect 10 million Windows devices worldwide causing estimated damage of  $15 Billion.

The worm is sent in a form of an email with the subject "ILOVEYOU" and the attachment "Love-Letter-For-You.TXT.vbs" when Windows used to hide the "VBS" extension as it used to deal with it as a familiar Windows file, thus the victim thinks its a normal. TXT file and open it to activate the worm that immediately starts overwriting random files including office files and many other then copies itself to all addresses in the WAB "Windows Address Book" automatically send itself there which made it spread like fire in the hay.

The VBS or Microsoft Visual Basic Scripting Edition is an active scripting language developed by Microsoft that allows administrators to create mighty tools to deal with devices with error handling, subroutines which are a set of codes that are dedicated to doing a specific task, and many other advanced programming constructs.

SOBIG:

It's a worm written in C++ that occurred in 2003 and infected millions of windows based devices worldwide ranking the second in the fastest malware to spread after Mydoom causing estimated damage of $30 Billion.

The worm had many versions since the time it was first released Sobig A in August 2002 till the last version Sobig F that spread widely and infected millions of devices in August of the following year 2003.

It's categorized as a worm and a Trojan at the same time, as it's used to spread via emails sent to the victims with various subjects like "Approved!, Thank you!, Your application!" and an attachment that includes the worm which was a file with the extension of ".pif" or ".scr" encouraging the victim to open the file so the worm gets executed.

Once the worm is executed, it copies itself to "%windows%\winpper32.exe", adds values to some registry keys, retrieves URLs from remote servers using the SMTP which is an internet standard communication protocol that's used by emails servers and other messaging agents to send and receive mail messages, and through the port 8998 to install software that will open a backdoor to the Hacker in the infected device and to update itself later, then contact 20 IP addresses on UDP "User Datagram Protocol" through which applications can send messages to other hosts on an IP network, and collects the mailing addresses from the infected device and sends itself to them in a ". ZIP" file using the same method to convince the target to click on the file.

MYDOOM:

My doom or as it's also known Novarg , Mimail is at the peak of the fastest & most spread malware in history surpassing the malware Sobig and LIloveYou, it's a worm created by Linux or an open-source supporter in 2004, by an unknown Hacker that infected 50 million Windows OS running devices around the globe and believed to be dedicated to targeting the SCO group by launching what's known by the DDoS attacks.

The worm infects devices by sending spamming emails with the text message "andy; I'm just doing my job, nothing personal, sorry", and the subject "Error", "Test", "Mail Delivery System", "Mail Transaction Failed" in different languages like French and English...

The email contains an attachment which when opened automatically executes the worm to start its work immediately by copying itself to the "Shared Folder" of the peer-to-peer sharing to use it as a second way for spreading, as well it copies itself to the %System% or %Temp% directories and add registry value to one of two keys so it runs automatically when Windows runs.

It collects email addresses from different sources on the infected device to send itself to with the attachment that contains the worm, as well it creates a backdoor Trojan in the directories %Windows% or %System% which gives the Trojan unauthorized access to the infected device, then it edits the default values in a registry key which leads Explorer.exe to load and execute the Trojan every time the Windows runs.

The worm may copy itself to random directories on the infected device too, and after all, the worm functions when in need by allowing the Hacker with remote access to the infected device to use in launching DDoS attacks to shut down websites, servers, and corrupting services resulting in approximate damage of $38 Billion.

WANNACRY:

WannaCry is a ransomware Cryptoworm that occurred in 2017 and targeted Windows-based devices worldwide, the ransomware exploited the EternalBlue exploit which was developed by the U.S NSA.

The exploit was leaked by the Hacking group The Shadow Brokers, and exploited by the ransomware to propagate through to infect the Windows devices which kept running on the old Windows version which was vulnerable to that exploit, though Microsoft released patches to block that vulnerability right after it got known.

The Cryptoworm encrypt the data on the infected device right after it's executed and demands a ransom to be sent to a specific Bitcoin address to receive the decryption key within a specific time which was around a week to decrypt the data, otherwise, all of the encrypted data on the device will be deleted and never able to be retrieved.

The ransomware managed to infect 200,000 devices in 150 countries causing damage around $4 Billion before it got stopped by the British security researcher Marcus Hutchins by discovering the kill switch that stopped the Cyber-Attack.

STUXNET:

Stuxnet is a malicious worm that occurred in 2010 believed to be a cyberweapon developed by the US and Israel to target and corrupt the Iranian nuclear program.

The worm targeted the devices and machines running on Windows operating system, and it managed to get one-fifth of the Iranian nuclear centrifuges out of service by targeting both the Programmable Logic Controllers "PLCs" which are industrial computers adapted for controlling the manufacturing process such as machines and robotic devices, and the Supervisory Control And Data Acquisition "SCADA" which is the control system architecture comprising computers and networked data communications for high-level supervision of machines, sensors, process and other devices like the PLCs.

The worm spread through an infected USB driver, and it consists of 3 modules, the worm that executes the routines related to the payload attack, the file link that executes the propagated copies of the worm, and a rootkit component that is responsible for hiding the malicious files and processes to avoid driving attention to the attack, and it managed to infect 200,000 devices and ruin or physically degrade 1000 machines.

SQL SLAMMER:

A computer worm occurred in 2003 that slowed down the internet and spread hysterically infected nearly 75,00 devices worldwide in ten minutes,

The worm was used to launch DDoS attacks against servers and hosts on the internet, exploiting the buffer overflow flaw in Microsoft's SQL Server and Desktop Engine database products. Buffers are areas set aside to hold data, and the Buffer overflow is an aberration when a program while writing data to a buffer overruns the Buffer's boundary.

It selects random IP addresses used by devices that are vulnerable to the bug to send itself to and after copies itself to other devices on the internet, staying on the infected devices without corrupting any files or systems though ready to be in service when called to a DDoS attack by devoting the device it's in to launch the attack and overwhelm servers by the non-standable traffic so they go out of service.

The worm got noticed due to the slow down that happened on the internet, and the servers that went out of service though they were supposed to slow the traffic or stop it for a while when overwhelmed and not shut down completely, thus the worm managed to infect around 200,000 devices and cause a loss of $750 millions to $1.2 Billion.

FLASHBACK:

Also known as FakeFlash is a Trojan that was first discovered in 2012 and infected Mac OS-based devices.

The Trojan first used to spread through a fake Adobe Flash Installer to install and execute the malware, then it used an infected webpage that exploit a Java vulnerability on MAC OS by redirecting the user to a compromised bogus site in which a Javascript code caused applet "an application that performs a specific task" that contains the exploit to load and download an executable file which connects to a remote server to download and run the malicious code.

Each infected Mac device is given a unique ID that is sent to the remote server and is added to the botnet list. The infected devices reached 600,000 with 274 Mac devices in the headquarter of Apple.

CRYPTOLOCKER:

The CryptoLocker attack is a cyber-attack that occurred in 2013, utilized a Trojan to target the devices running Windows OS to encrypt certain files on the device and demand a ransom to be paid in order to decrypt the files.

The ransomware propagated via emails accompanied with a malicious attachment, and once executed, it encrypts specific important files on the local and mounted network drivers using the RSA Public-Key Cryptography which is a cryptosystem that's widely used for secure data transmission and shows a window with the note demanding the user to pay a ransom in Bitcoin in order to get the decryption key in a certain amount of time. And if time passes and the ransom isn't paid, the victim needs to use an online service offered by the ransomware creators to decrypt the files for a dramatically increased price, or the files will be deleted permanently.

It's believed that the ransomware creators managed to make $3 Million from the ransoms paid, from around 500,000 infected devices worldwide, and estimated total damage of $650 Million.

ZEUS:

Trojan horse malware occurred in 2007 and targeted Windows-running devices. It used to steal banking information using one of the three methods:

- Man-In-The-Browser Attack:

Similar to the Man-In-the-Middle "MITM" attack, though the MITB is a proxy Trojan that infects web browser pages exploiting the vulnerabilities in browser security to modify the web pages, the transactions, and even add transactions without neither the host nor the client notice.

- Keystroke Logging:

Also known as Key Logging is software that records anything written or pressed on the infected device and allows the person operating the Key Logger to retrieve the data at any time they want.

- Form Grabbing:

Malware that retrieves authorizations and log-in credentials from web data before it goes on the internet to a secure web server, which will help it avoid HTTPS encryption.

The Trojan spreads through either the Drive-By Downloads, which are are the downloads that happened either without the user's knowledge or with the user downloading though being unaware of the consequences, or using the phishing schemes, to then reach out to confidential banking information and make illegal banks transfers worth thousands of dollars.

The Trojan managed to compromise 74,000 FTP accounts on websites like Nasa, Bank Of America, Oracle, CISCO, and many more. The FTP stands for File Transfer Protocol which is a standard communication protocol used to transfer files from a server to the client on the computer network.

In total, the Trojan managed to infect 76,000 computers in 196 countries affecting 500 companies, 2500 organizations, and was behind 44% of all Banking malware attacks that happened ever causing estimated damage of $3 Billion.

Duo to the Trojan, around 100 people were arrested being accused to be a part of creating or spreading the malware, and an early report of the FBI declared that the Algerian Black-Hat Hamza Bendellaj was the mastermind behind the malware.

CONFICKER:

Conficker is also known by Downup, Kido and Downadup is a computer worm that occurred in 2008 and infected Windows operating system exploiting a security vulnerability in Windows, it propagated using Dictionary attacks as well it was coded via advanced malware techniques to form a botnet to get the device into the botnet circle with the millions of other infected devices around the world.

The malware had many versions, starting with the Conficker. A that used to generate 250 URLs a day to check for updates, and reset the system's restore point, to Conficker. B, Conficker. C, Conficker.D which was developed to generate 50,000 URLs, though scroll only 500 a day, reaching its last version, Conficker. E that when executed used to block accesses to many security websites, make changes in PC's settings, stops system and security services.

The malware managed to infect between 9 to 15 million devices in 190 countries, leaving an estimated damage of $9 Billion.

BLASTER:

Also known as Lovesan and MSBLAS is a computer worm that targeted the devices running on Windows XP and Windows 2000 in 2003.

The worm exploited a buffer overflow in the DCOM RPC service on the targeted devices which allowed the worm to spread without needing the user to download or open attachments by spamming itself to random IP addresses on the internet.

DCOM or Distributed Component Object Model is a Microsoft owned technology for communication between software components on networked computers, while RCP stands for "Remote Procedure Call" which is when a program causes a subroutine "a set of program instructions that perform a specific task, packed as a unit " to execute in another location "Address Space" like another computer on the same network like it was coded to be the local procedure call, without the programmer coding details for this remote interaction.

It's was coded to launch an SYN flood against port 80 of windowsupdate.com, which is a kind of denial of service attacks attack that initiates a connection to a server without finishing the connection, the thing that leaves the server spending resources waiting for a response with a half-opened connection, which causes the system to be irresponsive and get out of service, the executable MSBlast.exe of the worm contains two messages, the first goes Lovesan and it shows:

I just want to say LOVE YOU SAN!!

The second one shows:

billy gates why do you make this possible? Stop making money and fix your software.

And also the worn create a registry entry value so it starts every time windows start.

The creator of the B variant of Blaster 18 years old Jeffery Lee was arrested and sentenced to 18 months in prison in 2005, though still the creator of Blaster A hasn't been caught.

MELISSA:

A micro mass-mailing virus that occurred in 1999 was created by David L. Smith. The micro virus is a virus written using a micro language, embedded in a software or application like Microsoft Office.

Embedded software is allowed by windows therefore the embedded Melissa micro virus managed to break through Windows devices and execute once the infected document is clicked on.

Melissa used to spread through an email titled "Important message from" followed by the username, including the message "Here's that document you asked for. Don't show anyone else;" accompanied by a word file attachment containing a list of porn sites with their logins, which once is opened, the virus gets executed right away and spread itself to the top 50 emailing addresses in the victim's email address.

Smith was arrested in 1999 accused of creating the virus that caused estimated damage of $80 Billion, and sentenced to 10 years in prison, though he served only 20 months with a $5000 fine after he cooperated with the FBI to get to other viruses creators like the Anna Kournikova virus.

MIRAI:

Mirai or as it means in Japanese "Future", is a malware that occurred in 2016 that used to target Linux running IoT devices to turn them into botnets to launch large-scale network attacks.

The botnet was used to target IoT "Internet Of Things" devices which are the devices that are embedded with sensors, software, or any other technologies that connect and exchange data with other devices on the internet to devote them to launching DDoS attacks against sites and servers like the servers of the famous game Minecraft and other DDoS protection service companies.

The infected devices keep scanning IP addresses of IoT devices from a table of ranges of IP addresses provided by the malware excluding the IPs of the US Postal Service and the Department Of Defence, to spot the vulnerable IoT devices, and keep functioning normally except for the increased Bandwidth in the network.

The attack is carried out through two phases, the first is devoted to identifying the vulnerable IoT devices by sending TCP SYN probes to the Range of IPv4 addresses excluding the blacklisted ones on telnet TCP 23 and 2323. The telnet as described is an application protocol that is used on the internet ad local networks that provides an interactive text-oriented communication facility using a virtual terminal connection.

 

The devices that respond to the probes are taken to the second phase in which a Brute-Force attack is carried out against the devices using a list of default usernames and passwords applied in the IoT devices to penetrate into them. Once the IoT device allows the telnet access, the victim's IP address with the successfully used credentials is sent to a collection server.

The creators of the botnet are believed to be Paras Jha the owner of the DDoS mitigation service company ProTraf Solutions, Josiah White, and Dalton Norman. Later the Source Code of the botnet was published as an OSS "Open Source Software".

SPYEYE:

A SpyEye spyware "keylogger / Formgrabber" is a Trojan that occurred from Russia in 2009 that was created to steal confidential banking data to do illegal money transfers.

The Spyware targeted the browsers Google Chrome, Opera, Firefox, and Internet Explorer running on Windows devices, and keystrokes users' Logins data through a method called Formgrabbing, to then send the data to the remote Attacker who may install malicious software using a rootkit to hide his malicious activities, as well make money transactions even if the client is logged in to their bank accounts and furthermore without them noticing the fraudulent transactions due to the ability to keep the transfers hidden, in other words, the victim will keep seeing his faked balance after the fraudulent transfers happed thinking all is normal, while the bank can see the transfer and the actual balance.

When the Trojan is run, it makes registry modifications to make sure its copy executes each time the device runs, and it avoids being detected by hooking certain APIs "Application Programming Interface" like "NTQueryDirectoryFile" which are a type of software offering services to other software, in other words, an API is a connection between computers' programs.

The spyware according to Microsoft's official website collects the following information and send them to a remote server:

- Bot GUID (A unique identifier associated with the malware)

- Current Username

- Computer's Name

- Volume Serial Number

- Process Name Associated With Captured Data

- Name Of Hooked API Function

- Keystrokes 

-Local Time

- Time Zone

- Operating System Version 

- Language

And in case it's caught, the Win32/SpyEye deletes its old copies from the infected computer.

Many copies of the SpyEye spyware were sold on hidden / undercover forums for $500+. Later the founder of SpyEye Aleksander Panin and the co-founder Hamza Bendellaj the mastermind behind Zeus Trojan Horse were arrested and accused of launching the spyware besides many other Cybercrimes charges which led them to 9 years and a half sentence to Panin, and a 24+ years sentence to Hamza.

Conclusion:

The Malware family as we saw varies depending on the purpose they made for and the way they function, though they all share the evil and harmful nature which has been causing the world arms and legs almost since the internet was available to the public..

And as shown in the coverage of each malware, except for the few, most of them spread through emails attached with a malicious file which once opened the malware automatically gets executed, the thing that leads to the main key factor in the matter of being a victim or staying smart and safe, which can be summarized in 5 words, Don't Click On Unfamiliar Things.

Take a look here to know more about how to protect yourself from malicious Hacker's attacks, and leave me your opinion and adds on the topic in the comments or by emailing me with your thoughts and feedback!!

Thanks For Reading!