TrendLabs experts are regularly asked what—in their opinion—are the most dangerous malware of all time. While the question raises more questions, TrendLabs experts give recurring answers based on high-level assessments of how effectively each malware endangered users’ online experiences relative to the technologies available at the time it reached peak prevalence. As MSBLAST marks its sixth anniversary of plaguing the Internet, we’ve highlighted the worst we’ve seen so far, along with the runners-up, of which MSBLAST is one.
- DOWNAD: Multiple Propagation, Multiple Damage – Found in November 2008, this massive threat took advantage of the MS08-067 vulnerability. It spawned several other variants, each new variant an improvement over the last. It impacted LAN traffic in several corporate networks.
The attack was also notable for generating up to 50,000 candidate domain names and connecting to only 500 of them, which frustrated efficient domain takedown (and even the monitoring of potentially malicious sites) while taking advantage of low-cost domain name registration.
- KOOBFACE: The Scourge on Social Networks – Initially found in August 2008, KOOBFACE leveraged the connectivity provided by social networking sites like Facebook and MySpace. It infects user profiles so that cybercriminals are able to break into users’ circle of trust, increasing the chances of propagation (an infected user’s contacts assume posted links are harmless because they trust the profile owner).
KOOBFACE possesses a dynamic update capability, allowing it to spread to other social networking sites and perform additional malicious routines.
- ZBOT: Organized Information Theft – Also known as variants of the Zeus malware, ZBOT Trojan spyware is usually delivered via the Web, either by email or through Web exploits. Underground research and documented cases reveal a thriving business in which infected computers give up their owners’ personal information (such as credit card details) to remote servers run by cybercriminals.
ZBOT variants are especially damaging due to their ever-changing social engineering techniques, which are often understated (not sensational).
- SQL Slammer: Single-Handed Internet Sabotage – This attack is notorious for drastically slowing down general Internet traffic in the early morning of January 25, 2003 (UTC). Noteworthy is the fact that this was achieved by a single-packet, memory-resident worm that attacked without any file system component and exploited an already patched buffer overflow bug in MS SQL Server and Desktop Engine (MS02-039).
More notable still is that the residual effects of this threat can still be seen on the present-day Internet.
- VBS_LOVELETTER: Internet Love Bug – This attack, which used remarkably simple yet effective social engineering (the string “ILOVEYOU” in the subject line) to trigger recipients’ curiosity, first plagued email inboxes on May 4, 2000. It infected 10% of computers worldwide, with each harboring an average of 600 infected files.
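The DOWNAD entry above describes a worm that generates tens of thousands of candidate domain names and contacts only a few hundred of them, which is the behaviour that surfaces in resolver logs as bursts of NXDOMAIN answers for names nobody registered. The following is an added example written for this page (not TrendLabs code, and not DOWNAD's own algorithm) that runs a simple per-client NXDOMAIN heuristic over constructed resolver log lines; the log format, host addresses, domain names and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (not real DOWNAD traffic): client, queried name, response code.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 qzlvhbtu.info NXDOMAIN
10.0.0.9 pvxojmcx.net NXDOMAIN
10.0.0.9 wkrfgdls.biz NXDOMAIN
10.0.0.9 ahzxtbuv.org NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.9 nzqfluwr.info NXDOMAIN
10.0.0.5 cdn.example.net NOERROR
10.0.0.7 typo-exampel.com NXDOMAIN
"""

# Assumed log layout: "<client> <name> <rcode>", one query per line.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")

def parse_log(text):
    """Yield (client, name, rcode) tuples, silently skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower().rstrip("."), m.group(3)

def nxdomain_stats(text):
    """Per-client totals: all queries, NXDOMAIN answers, and the distinct names that failed."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": set()})
    for client, name, rcode in parse_log(text):
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["nx_names"].add(name)
    return stats

def flag_dga_like(text, min_nx=5, min_ratio=0.5):
    """Return clients whose NXDOMAIN volume, failure ratio and name spread look like candidate-domain probing.

    A single typo (one failed name) never trips the heuristic; a host cycling through many
    distinct never-registered names does. Thresholds are illustrative assumptions."""
    flagged = []
    for client, s in sorted(nxdomain_stats(text).items()):
        ratio = s["nx"] / s["total"]
        if s["nx"] >= min_nx and ratio >= min_ratio and len(s["nx_names"]) >= min_nx:
            flagged.append(client)
    return flagged
```

In a real deployment the same counting would run per time window, since the point of the 50,000-name pool is that the set of failed names changes constantly while the failure pattern itself does not.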
Here are other notable attacks that, though not as severe as the ones listed above, affected users around the globe with their remarkable routines:
- Melissa Virus – The first mass-mailer (started in March 1999); shut down entire Internet mail systems clogged with infected emails
- MSBLAST – One of the more memorable network worms to take advantage of system vulnerabilities. It was first triggered around this time in the year 2003.
- SDBOT/AGOBOT – Pioneered modular IRC-based botnets; current IRC bots still use the same codebase; still alive today
- Web Toolkits – Collective term for commercial-grade software that aids cybercriminal activity; allegedly responsible for high-profile web compromises like the “Italian Job”
- ILOMO – Trojans arriving via Web-based exploits that stay active in memory even after the binary has been deleted from the system, resulting in multiple, recurring reinfections (first appeared March 2009)
Each of the top threats was the most dangerous of its time and within its respective field. Notably, all of them are attacks that gained momentum via the Internet.
The most dangerous threat is still likely to be the newest one to come out of the underground malware markets. Most of them can only be improved versions of already detected variants, so users should be actively involved in keeping their personal information safe from theft. Companies likewise should safeguard company information and assets with the same vigilance as a country at war.
These days the most likely way threats come in is the Internet. We therefore consider that the most obvious and effective way to stop them is to control and vet the URLs requested by the browser or by applications. For your safety we hope you have already switched on the Web Reputation Service in your Trend Micro product. If you are still uncertain, you may test it for free by using the TrendProtect Toolbar with your Internet Explorer browser, or try our Web Protection Add-On, which can work alongside your existing security solution.