Timeline: A Decade of Malware

An evolution from script kiddies to syndicates

With the first decade of the millennium coming to a close this year, it seems a good time to take a look back at some of the malware that has helped shape the current-day attacks on the Web. Modern malware is commercially motivated. Instead of writing malware for ego gratification, today's attackers are using malware to make money.

Looking back at the most notable malware of the last ten years, we begin to see how the industry has taken shape. From pesky spam pranks to a multi-million dollar 'black hat' industry, malware continues to evolve at a rapid pace, with no signs of slowing.

1. 2001: Loveletter steals free Internet access

In hindsight, the May 2000 Loveletter worm was a harbinger of things to come. The Loveletter worm combined social engineering (a love letter for you) with a password-stealing trojan designed to harvest ISP usernames and passwords. The intent: to provide free Internet access to the worm's author. (Read about current social engineering tactics in CSO's social engineering guide.)

2. 2002: JS/Exception bombs usher in malicious marketing

In mid-September 2001, the Nimda worm began its rapid spread around the globe, facilitated by multiple means of propagation. One of the methods included modifying any .htm, .html, or .asp pages found on infected systems. The worm also spread by exploiting several vulnerabilities in Microsoft IIS, furthering the worm's ability to infect Web pages. As such, Nimda can be viewed as a pioneer in malware's eventual move to the Web.

3. 2003: Sobig worm popularizes spam proxy trojans

January 2003 ushered in the Sobig worm, a significant threat not fully appreciated until Sobig.E and Sobig.F appeared in the summer of that same year. Sobig-infected computers were outfitted with a spam proxy, enabling mass-mailers to send large volumes of unwanted email via victim computers, even harvesting the victims' own email contacts to add to the spammers' mailing lists.

4. 2004: Bagle worm vies for dominance to harvest addresses and account information

The monetary gains to be had from harvesting email addresses became even more apparent during the subsequent email worm wars in early 2004. Beginning with MyDoom and the Bagle worm, an interloper (Netsky) quickly jumped into the fray. The authors of Bagle then began coding variants of their worm that, in addition to dropping their own malware, would also remove Netsky. In turn, the Netsky author began neutering the MyDoom/Bagle infections while adding his own malicious code to the system. This prompted a response from the Bagle authors; hidden in Bagle.K's code was the message, "Hey Netsky, f*ck off you b*tch, don't ruine our business, wanna start a war?"

5. 2005: Bot-delivering breaking news alerts

Following the worm wars, named threats became fewer as attacks became more overtly criminal and profit motivated. To bypass security technology, clever attackers began incorporating a much higher degree of social engineering in their attacks. In January 2005, following the previous month's tsunami in the Indian Ocean, scammers began targeting people's fear and curiosity through breaking news alerts. Links in the email that claimed to point to headline news actually pointed to malware that turned victim computers into bots. (Read about how botnets are hunted and destroyed in The Botnet Hunters.)

6. 2006: The as-yet-unnamed Storm worm emerges

By 2006, the Storm botnet was formally underway, though not named as such until January 2007, after a bogus breaking news alert claimed "230 dead as storm batters Europe." Coincidental to the alert, a very real storm in Europe did cause loss of life, thus earning the trojan family (and its associated botnet) its new name, Storm. (Also see: How a Botnet Gets its Name.)

7. 2007: MPack publicity popularizes exploit frameworks

In 2007, publicity around MPack led to heightened adoption of exploit frameworks in general, laying the groundwork for managed Web attacks. The release of free or low cost SQL injection tools in the Fall of 2007.

8. 2008: Goolag and automated injection attacks complete cloud-based malware-as-a-service

In 2008, remote discovery tools such as Goolag further cemented cloud-based malware delivery via the Web. These attacks quickly proved profitable and shifted the value proposition from spam and malicious marketing to stolen FTP credentials and intellectual/financial property theft. Cloud-based distribution of malware also increased the sophistication of malware creation kits, thus doubling the volume of malware, with exponential year-over-year increases.

9. 2009: Gumblar incorporates and expands a decade's evolution of malware

The 2009 Gumblar attacks can be viewed as the culmination of a decade's evolution of criminal/profit-motivated malware. Gumblar creates two sets of botnets: client-side traditional backdoors and a second, never-before-seen botnet comprised of thousands of backdoored websites. Gumblar includes a forced-redirect revenue stream for the Gumblar creators, thus providing instant monetization, as well as long-term potential profits via its ability to intercept, tamper with and steal Internet and network communications. Gumblar also includes the ultimate in social engineering: turning perfectly good, reputable websites against their visitors.

10. 2010: ?

If the poorly coded and fairly innocuous Loveletter ushered in the beginning of the decade, and the highly sophisticated, multi-pronged Gumblar is ending the decade, one can only wonder, and worry, at what the next ten years may bring. (Also see: 10 IT Security Predictions for 2010.)

Mary Landesman is a senior security researcher with ScanSafe, a provider of SaaS Web security products.
