Malware and spyware have existed since computers started being adopted for corporate and personal uses. The Creeper program is one of the very first examples of a computer virus. With innovations in technology that help humankind, hackers too get better at stealing, misusing and destroying sensitive or personal data. This data can comprise company information, banking details or even personal media.
Some of these malware are more destructive or dangerous than others, especially when they are hard to detect or remove. These viruses generally target computers running the Windows Operating System, but they can also infect Android devices and computers running the Linux OS (or other UNIX-based/UNIX-like systems). With the antivirus software we have nowadays and in-built or native malware protection our Operating Systems offer, it is generally hard for malware to get through. However, some of these malware have caused massive amounts of damage and data leaks despite these.
MyDoom was first reported in 2004 and is one of the most destructive malware to ever exist. It spread like wildfire and has caused over $38 billion in damages. The virus was responsible for generating around a quarter of all emails being sent globally at one point in time. Even now, a small percentage of emails containing malware are infected by MyDoom. It is one of the most persistent viruses that simply does not cease to exist and is extremely self-sufficient.
The malware is very efficient in replicating itself by spreading to other systems through attachments and spoofed emails. During the virus’ peak, both Microsoft and the SCO Group had announced a $250,000 reward for finding out the creator of this virus. The virus is so deadly that the Secret Service and FBI had also gotten involved in investigating the origins of the malware.
By February of 2004, MyDoom had infected over a million computers and using these machines, had launched one of the largest DDoS (Distributed Denial of Service) attacks ever, forcing the SCO group to take down their website. The virus even ended up taking down Google (Search Engine and Services) on the 26th of July, 2004.
MyDoom spreads by spoofing the email address in an infected computer and then automatically sending itself to the contacts of the victim as malicious attachments. When these attachments are opened, the virus replicates itself and repeats the process all over again. This allows the virus to rope in multiple computer systems for performing DDoS attacks.
Through this method, the virus can keep doing this forever, however, due to users becoming aware of malicious emails and malware, the impact of the virus has now started to decrease. However, even now, MyDoom can be found in thousands of emails originating from China, Russia and other countries. The later iterations of the virus feature more alluring or interesting subject lines that end up making unsuspecting users open up the email attachments.
DarkTequila is another covert malware that was only discovered after operating for around five years. According to investigations by Kaspersky Lab, the virus has been operational since 2013 and was finally identified in 2018. Even though the virus mainly spread in Mexico and Latin America, it does not make the virus any less deadly. It is extremely evasive and efficient spyware that is capable of stealing all kinds of data.
However, the virus specialises in stealing financial data such as bank credentials and corporate asset information. DarkTequila is also capable of spying on other activities of the victims and stealing their passwords for email, file sharing and other media accounts. It is a very sophisticated virus that activates itself only when it is safe to do so and evades most anti-virus security systems till then.
This malware spreads through USB devices such as hard drives and pen drives as well as emails. According to Kaspersky Lab, phishing emails containing DarkTequila are sophisticated enough to avoid being detected by most email providers and spam filters. Spanish code has been found in the code of the DarkTequila, thus, making it seem like the creator of the virus is of Latin American or Mexican origin.
Even though it affected Mexicans mostly, the virus can operate in any area and can activate itself at any given time for harvesting data that can be sold or used in the future. Even though it was mainly focused on stealing banking information, it also stole data for domain registers, email clients, e-commerce sites, file storage and network solutions. The virus activates its malicious payload only when it can evade discovery.
The virus is connected to a command and control server, capable of being monitored, controlled, cleaned up and uninstalled. The payload consists of a keylogger that logs all the credentials and passwords as well as a data stealer that extracts data from email, browsers, FTP clients and other portals. DarkTequila also contains a very advanced USB infector that allows the virus to replicate itself by infecting other systems through USB drives.
BlackEnergy is a trojan that has existed since 2007 as a toolkit that generates bots for executing DDoS attacks. However, in 2014, an upgraded BlackEnergy 3 caused massive havoc with the help of various plugins and additional features for penetration, monitoring and system destruction. By 2014, BlackEnergy was capable of SCADA-based plugin deployment and remote monitoring or remote system corruption.
The virus infected many systems involved in Industrial Control and energy markets globally. Even though it was initially an HTTP-based toolkit, the later iterations of the virus were much more sophisticated with abilities that went beyond just executing DDoS attacks. BlackEnergy attacks originating from Russia were carried out through the distribution of word or PowerPoint documents that were attached to emails.
Due to being attachments that seemed like genuine documents, users were lured into clicking and activating the malware. Eventually, the malware started being spread through excel documents via phishing emails. The virus mainly targets entire networks of systems.
Once these malicious documents are opened, the trojan is triggered that enables macros that help the virus infect the system in various ways. For instance, BlackEnergy can execute local files or remote files (after downloading). The trojan can also target multiple IP addresses through each hostname and can evade detection by cybersecurity software through a runtime encrypter.
The virus is capable of updating itself and being controlled remotely, allowing the command centre to secretly view systems, use screenshot features, discover networks and steal passwords with keystroke logging. BlackEnergy can also list accounts and launch queries (hardware, Windows/OS, BIOS) with the help of plugins. Finally, the virus can completely corrupt the system or destroy the network.
Viruses will get more sophisticated with time but very few malware or spyware have left the kind of impression these three have managed to leave. These three malware have caused billions of dollars in damage together, destroying the networks, digital assets, data and computers of organisations that fell victim to these. Any user or system that could not contain these malware only helped spread them further, to the point where they still exist today.