Stuxnet Virus

Stuxnet is a malicious computer worm that became infamous for its use to attack Iranian nuclear facilities. That attack made global news headlines in 2010 when it was first discovered. As Malwarebytes' Senior Director of Threat Intelligence Jérôme Segura said in his article Stuxnet  new light through old windows "Very few pieces of malware have garnered the same kind of worldwide attention as Stuxnet."

While a computer worm, Stuxnet is malicious software, it has been used to attack electro-mechanical equipment. As in the case of the major attack in Iran, attackers used Stuxnet to exploit multiple zero-day Windows vulnerabilities, search infected PCs for a connection to the software that controlled the electro-mechanical equipment, and send instructions intended to damage the equipment. While many types of malware infect a computer through the Internet, another unique feature of the Stuxnet attack in Iran is that the malware was introduced to the PCs via infected USB drives.

"Very few pieces of malware have garnered the same kind of worldwide attention as Stuxnet."

-Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes

Many people call the malware "Stuxnet virus" even though it’s not a computer virus — it’s a computer worm. Although both viruses and worms are types of malware that can corrupt files, a computer worm can be far more sophisticated. For starters, unlike a virus, a worm doesn’t require human interaction to activate. Instead, it self-propagates, sometimes prolifically after it enters a system. Besides deleting data, a computer worm can overload networks, consume bandwidth, open a backdoor, diminish hard drive space, and drop other dangerous malware like rootkits, spyware, and ransomware.

What was the Stuxnet attack in Iran?

According to the book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, in 2010, visiting inspectors from the Atomic Energy Agency were surprised to see many of Iran’s centrifuges failing. Neither the Iranians nor the inspectors could fathom why the Siemens-made equipment, designed to enrich uranium powering nuclear reactors, was malfunctioning so catastrophically.

It was hard to imagine that a piece of malicious software was responsible. After all, Iran’s nuclear facilities were air-gapped — meaning they weren’t connected to a network or the Internet. For a malware attack to occur on the air-gapped uranium enrichment plant, someone must have consciously or subconsciously added the malware physically, perhaps through an infected USB drive.

When a security team from Belarus came to investigate some malfunctioning computers in Iran, it found a highly complex malicious software. This aggressive malware would later spread further into the wild, with researchers dubbing it as Stuxnet, the “world’s first digital weapon.”

Stuxnet so dangerous

Experts call Stuxnet an incredibly complex piece of code and the world's first cyberweapon. It may have physically degraded nearly 1000 Iranian centrifuges. Stuxnet worked by infecting the programmable logic controllers (PLCs) that controlled the centrifuges and sabotaged them.  Centrifuges spin at extraordinarily fast speeds, creating a force many times faster than gravity in order to separate elements in uranium gas. The worm manipulated the centrifuges’ operating speed, creating enough stress to damage them. Stuxnet took its time, waiting weeks to slow down the centrifuges after accelerating them temporarily, making its activities hard to detect.

Stuxnet was also hard to detect because it was a completely new malware, an emerging threat with no known signatures. In addition, Stuxnet exploited multiple zero-day vulnerabilities, which are unfixed software security flaws. Stuxnet also sent fake industrial process control sensor signals to hide its presence and malicious activity. In addition, Stuxnet was also able to drop a rootkit. Rootkits can give a threat actor control of a system at its core. With a rootkit installation, Stuxnet was more capable of furtive action.

Strong cybersecurity measures are critical to any business. Reports of cyberattacks are in the news regularly, and it’s not always malicious software attacking useful software; as in the case of Stuxnet, malware can be used to ultimately attack electro-mechanical devices, hardware, and infrastructure. One of the most notable cybersecurity incidents of 2021 was a ransomware attack that shut down the largest fuel pipeline in the US for nearly a week. It was later determined that a single compromised password enabled the attack. Other ransomware attack targets during the year included the world's largest meatpacker and the largest ferry service in Massachusetts.

Whether it’s ransomware, computer worms, phishing, business email compromise, or another threat that keeps you up at night, you can take steps to protect your business. In our mission to bring cyber protection to everyone, Malwarebytes offers security solutions to businesses of all sizes. Your company can also adopt security best practices, such as:

Apply a strict Bring your own device policy that prevents employees and contractors from introducing potential threats.

Air gaps are any computers that could affect national security.

Air gaps are all legacy systems that serve as human interfaces.

Adopt a sophisticated password regime with two-factor authentication that hinders brute force attacks and prevents stolen passwords from becoming threat vectors.

Secure computers and networks with the latest patches.

Use AI-powered cybersecurity software with machine learning capabilities.

Apply easy backup and restore at every possible level to minimize disruption, especially for critical systems.

Constantly monitor processors and servers for anomalies.

Try a demilitarized zone (DMZ) for industrial networks.

Look up application whitelisting for enhanced software security.

Slammer virus

The SQL slammer worm is a computer virus (technically, a computer worm) that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its 75,000 victims within 10 minutes. Although titled "SQL slammer worm", the program did not use the SQL language; it exploited two buffer overflow bugs in Microsoft's flagship SQL Server database product. Other names include W32.SQLExp.Worm, DDOS.SQLP1434.A, the Sapphire Worm, SQL_HEL, and W32/SQLSlammer.

Computer Virus   

The virus is a piece of program code that, like a biological virus, makes copies of itself and spreads by attaching itself to a host, often damaging the host in the process.

Computer Worm 

A computer worm is a self-replicating computer program, similar to a computer virus. It is self-contained and does not need to be part of another program to propagate itself.

According to NSF DARPA, Silicon Defense, Cisco Systems, AT&T, NIST, and CAIDA members. Sapphire's spreading strategy is based on random scanning -- it selects IP addresses at random to infect, eventually finding all susceptible hosts. Random scanning worms initially spread exponentially rapidly, but the rapid infection of new hosts becomes less effective as the worm spends more effort retrying addresses that are either already infected or immune. Thus as with the Code Red worm of 2001, the proportion of infected hosts follows a classic logistic form of initially exponential growth in a finite system. We refer to this as the random constant spread (RCS) model.

W32.SQLExp.Worm attacks a vulnerable system

Sends itself to the SQL Server Resolution Service, which listens on UDP port 1434

Takes advantage of a buffer overflow vulnerability that allows a portion of system memory to be overwritten. When the worm does this, it runs in the same security context as the SQL Server service.

Calls the Windows API function, GetTickCount, and uses the result as a seed to randomly generate IP addresses.

Opens a socket on the infected computer and attempts to repeatedly send itself to UDP port 1434 on the IP addresses it has generated, by using an ephemeral source port. Because the worm does not selectively attack the hosts in the local subnet, large amounts of traffic are the result.

Protect your system against the Slammer worm

Download SQL Server 2000 SP3a or MSDE 2000 SP2.

Install the following SQL Server 2000 Security Tools:

SQL Scan

SQL Check

SQL Critical Update

These tools allow you to scan instances of SQL Server 2000 or MSDE 2000 on your corporate network, detect security vulnerabilities, check a single machine, and apply security update MS02-061 to any vulnerable system.

Slammer Work

Get Inside

Slammer masquerades as a single UDP packet, one that would normally be a harmless request to find a specific database service. The first byte in the string - 04 - tells SQL Server that the data following it is the name of the online database being sought. Microsoft's tech specs dictate that this name be at most 16 bytes long and end in a telltale 00. But in the Slammer packet, the bytes run on, craftily coded so there is no 00 among them. As a result, the SQL software pastes the whole thing into memory.

Reprogram the Machine

The initial string of 01 characters spills past the 128 bytes of memory reserved for the SQL Server request and into the computer's stack next door. "Stack" is programmer-speak for an orderly list of information the computer shuffles to remind itself what to do next, like tidy paperwork on a desk. The first thing the computer does after opening Slammer's too-long UDP "request" is overwritten its own stack with new instructions that Slammer has disguised as a routine query. The computer reprograms itself without realizing it.

Choose Victims at Random

Slammer generates a random IP address, targeting another computer that could be anywhere on the Internet. To randomize, Slammer deploys a time-honored programmer's trick: It looks up the number of milliseconds that have elapsed on the CPU's system clock since it was booted and interprets the number as an IP address.

Replicate

The envelope is addressed, now it just needs to be stuffed. Slammer points to its own code as the data to send. The infected computer writes out a new copy of the worm and licks the UDP stamp.

Repeat

After sending off the first tainted packet, Slammer loops around immediately to send another to a different computer. It doesn't waste a single millisecond. Instead of making another call to the system clock to get the time, it just shuffles the bits of the IP address already in memory to create a new one. Slammer's one bug is buried here: The reshuffling leaves a few digits in the address unchanged. It hardly matters, though, since the computer is now spewing packets as fast as its network cable can carry them away. A home PC could cram a couple hundred copies onto its broadband link every second. Corporate data centers became nasty breeding grounds, launching tens of thousands per second. Slammer commandeered just 75,000 SQL machines. But because it replicated so fast, the worm was able to take down millions more, kicking them offline with a flood of meaningless traffic.

Anna Kournikova Virus

The Anna Kournikova Virus was a worm that spread by email, disguised as an email attachment with the filed name “AnnaKournikova.jpg.VBS.” The virus was a Visual Basic script that, once opened, emailed itself to all the contacts within the user's Outlook address book. Anna Kournikova was a payload-free virus, however, and did not erase any files or send information back to the creator.

A new Visual Basic script (VBS) virus that appears to have originated in Europe has made its way to the U.S. and is clogging up e-mail systems across the country Monday, according to antivirus vendors. The virus, which spreads itself through e-mail systems using Microsoft Corp.’s Outlook in a way similar to the notorious “LoveLetter” virus apparently made its way from Europe to the U.S. overnight, according to Vincent Weafer, director of antivirus research for antivirus vendor Symantec Corp. Computer Associates International Inc. (CA) also received reports of its existence in the Asia-Pacific region, said Ian Hameroff, a CA business manager, called the threat a “worm” rather than a virus. Vendors Trend Micro Inc. and McAfee.com Corp. also issued warnings, containing the same basic information.

The virus, as all but CA, has termed the threat, features one of three variants of the subject line “Here you go :-)” as well as three variants of the name for the attachment, based around “Anna.Kournikova.jpg.vbs.” The image is intended to appear to be a .JPG image of Russian tennis star Anna Kournikova. The e-mail resends itself, but does not appear to do any damage like deleting files or corrupting data.

“Damage is a variable term,” CA’s Hameroff said. “This does cause damage in ways such as inappropriate bandwidth use or by filling up an e-mail server.”

The virus appears to be doing both ably.

“We started getting reports from U.S. customers overnight,” Symantec’s Weafer said. “At this point, we believe it came from Europe, but we haven’t been able to narrow it down any further yet,” he added.CA hasn’t been able to nail down the origin either, Hameroff said. The worm, or virus depending on the source, tries to launch a browser on Jan. 26 of any year that links to a domain name in the Netherlands, he said, adding that doesn’t necessarily mean that is the country of origin.

Because there are only three variants on the subject line and the name of the attachment, Weafer believes the virus will be easy to filter out, but he doesn’t think it is a variant of any previously discovered virus. CA came to the same conclusion, with Hameroff saying: “it’s very simplistic” and appears to be a sample piece of work shared among “black hat sites” of hackers and miscreants. Finland-based security vendor F-Secure Corp., which calls the virus “On-the-fly,” said in a statement that it appears to be spreading faster than many of last year’s bigger viruses, adding that it is currently spreading as fast as “LoveLetter,” which infected an estimated 15 million computers.

According to Symantec’s Weafer, the virus has hit “about 50” of Symantec’s large customers so far.

“Most likely, this came from the virus generation kit which allows ‘script kiddies’ to create viruses easily,” he added. Script kiddies are computer users who usually lack programming skills, but use easy-to-assemble kits and scripts to create viruses. The security vendors are recommending that computer users update antivirus software and “use good judgment in executing e-mail like this” that contains attachments, Hameroff said.

Storm Worm Virus

What is a computer worm? 

Several things may come to mind when you think of the word “worm." You may think of delicious soft chewie candies that are sugary and maybe a little sour. Or you may think of the cold-blooded invertebrate animals that wiggle across the Earth’s surface. And if you’re thinking in computing terms, the malware may spring to mind. Similar to real worms, you can say that computer worms don’t have much of a backbone because they often rely on trickery to infect their hosts. They may also seem a bit coldblooded because they can be remorselessly destructive. Let’s learn more about them.

Worm definition

A computer worm is a subset of the Trojan horse malware that can propagate or self-replicate from one computer to another without human activation after breaching a system. Typically, a worm spreads across a network through your Internet or LAN (Local Area Network) connection. Naturally, you must be wondering what is a trojan and how does it relate to computer worms?   To keep it brief, a Trojan uses trickery and social engineering to deceive people into running it. For example, a Trojan may pretend to be legitimate software. A worm is a type of Trojan because it normally relies on social engineering to attack systems.  

How does a computer worm spread?

Phishing: 

Fraudulent emails that look authentic can carry worms in corrupt attachments. Such emails may also invite users to click malicious links or visit websites designed to infect users with worms.

Spear-Phishing:

Targeted phishing attempts can carry dangerous malware like ransomware crypto worms.  

Networks: 

Worms can self-replicate across networks via shared access.

Security holes: 

Some worm variants can infiltrate a system by exploiting software vulnerabilities.

File sharing:

P2P file networks can carry malware like worms.

Social networks: 

Social platforms like MySpace have been affected by certain types of worms.

Instant messengers (IMs):

All types of malware, including worms, can spread through text messages and IM platforms such as Internet Relay Chat (IRC).  

External devices:

Worms can infect USB sticks and external hard drives.

What does a computer worm do?

Once a computer worm has breached your computer’s defenses it can perform several malicious actions:

Drop other malware like spyware or ransomware

Consume bandwidth

Delete files

Overload networks

Steal data

Open a backdoor

Deplete hard drive space

Computer worm vs. virus

Some people think that a computer worm and a computer virus are the same things because the two behave similarly. They may even use the terms like "worm computer virus" or "worm virus malware." The truth is that the two are comparable but different threats. The defining difference between a virus and a worm is that viruses rely on human action for activation and need a host system to replicate. In other words, a virus won’t harm your system unless you run it. For example, a virus on a flash drive connected to your computer won’t damage your system unless you activate it. And as mentioned above, a worm doesn’t need a host system or user action to spread.

Computer worm examples

• Morris Worm: Also known as the Internet worm, this was one of the first computer worms to spread via the Internet and earn notoriety in the media.
• Bagle: Also known as Beagle, Mitglieder, and Lodeight, this mass-mailing worm had many variants.
• Blaster: Also known as MSBlast, Loves, and Lovsan, this worm attacked computers running Windows XP and Windows 2000.
• Conficker: Also known as Downup, Downadup, and Kido, this worm exploited flaws in Windows to infect millions of computers in over a hundred countries.
• ILOVEYOU: The ILOVEYOU worm infected tens of millions of computers globally, resulting in billions of dollars in damage.
• Mydoom: This became the fastest-spreading email worm in 2004, sending junk email across computers.
• Ryuk: Although Ryuk wasn't always a worm, it's now worm-like ransomware.
• SQL Slammer: The SQL Slammer worm gained infamy for slowing down Internet traffic with denial-of-service attacks on some Internet hosts.
• Storm Worm: This worm utilized social engineering with fake news of a disastrous storm to drop botnets on compromised machines.
• Stuxnet: Some experts believe this sophisticated worm was developed for years to launch a cyberattack.

Symptoms of a computer worm 

Many of the symptoms of a computer worm are like that of a computer virus. For example, you may have a computer worm if your computer slows down, freezes, crashes, or throws up error messages. You may also notice that files are missing or corrupted or that your hard drive's space is rapidly depleting inexplicably. Additionally, you may see alerts from your firewall about a breach. 

MyDoom Virus

What is MyDoom?

While many people call it a virus, technically MyDoom is a worm, as it can operate and spread independently from the host.MyDoom (also known as Nova, W32.MyDoom@mm, Shimgapi, and Email. R) spreads through malicious email attachments. After the victim clicks on the attachment, the worm gets inside the operating system and sends emails to all the victim’s contacts. When people see a familiar name, they are more likely to open a suspicious file. At the time of discovery in 2004, you could also get MyDoom by using the file-sharing platform Kazaa, which is no longer operating.MyDoom adds infected computers to a botnet and then carries out distributed denial of service (DDoS) attacks. When the worm takes control over the victim’s OS, it then opens various ports and provides a backdoor to invite even more malware in.

Technical details

MyDoom arrives with one of the following subject lines: test, hi, hello, mail delivery system, mail transaction failed, server report, status, or error. According to cybersecurity experts, the malicious email attachments typically contain pif, scr, exe, cmd, bat, htm, txt, doc, and zip extensions. When MyDoom is executed, it copies itself to the %system% or %temp% directories. The worm also creates a registry value in one of the following keys:

1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

2) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This causes the worm to start whenever you launch your Windows computer. MyDoom also deploys a backdoor Trojan, allowing unauthorized access to your system, and copies itself to P2P to spread through downloads. After all of this is done, an infected device turns into a so-called zombie — a remotely controlled machine that can be used in DDoS attacks.

Variants

The first version of MyDoom was called MyDoom.A, followed by MyDoom.B, which additionally modified the host file of an infected computer to prevent the use of antimalware software. However, MyDoom.B did not spread as fast as the previous variant. When it launched a DDoS attack against Microsoft in 2004, the botnet was not big enough to take down the site.A bunch of other MyDoom variants – C, F, G/H, U, V, W, X – were spotted in the wild later, but none achieved the notoriety of the A variant.

When was MyDoom popular?

MyDoom was first spotted on January 26, 2004, when internet users around the world started to get emails with suspicious attachments. Most people in those days didn’t have a clue about phishing emails, social engineering, or hacking attacks. No wonder many of them clicked on a link and helped spread MyDoom like wildfire.The malicious email contained the message “I'm just doing my job, nothing personal, sorry.” The spread of MyDoom was so fast that slowed the global internet by ten percent on the day of its launch. One in ten email messages in the world at the time of the attack was associated with this notorious worm. On January 28, MyDoom reached its peak and then started to slowly decline. However, the virus was slowed down not by cybersecurity experts but by its developers, as variant B had bugs.

The biggest attack

On January 26, MyDoom took down Google, preventing people from using Google Search. Another popular search engine, Yahoo, was slowed down but managed to keep operating.MyDoom also blocked access to websites of over 60 security companies, so users couldn’t download antivirus software to clean their computers. Tech industry leaders like Microsoft offered a $250,000 bounty to anyone who could track down the attackers. However, the culprits were never found. Estimates say that MyDoom caused $38 billion in damages, making it one of the worst viruses ever. Security researchers believe MyDoom has infected around 50 million computers worldwide.

Is MyDoom still active?

While more than 18 years have passed since the launch of MyDoom, the worm is still active and running. However, it is contained in just over 1% of malicious emails worldwide, mostly those sent by spammers originating from China and the US.MyDoom hasn’t changed its tactics throughout the years: once the worm infects a computer, it starts searching for other email addresses through which to distribute itself.

How to tell if a device is infected with MyDoom

If you have a feeling that your computer may be infected with MyDoom or any other type of malware, pay attention to its performance. However, MyDoom is considered to be a sophisticated worm, so it can be hard to notice any difference for non-professionals. Here’s what you need to look for:

• Your computer has become slower than usual.
• Unexpected pop-ups appear.
• The computer fan is constantly running.
• The default homepage changes.
• You notice toolbars in your browser you don’t remember adding.
• Mass emails are being sent from your account.
• Your security software is disabled for no reason.

More attentive readers can also check for specific signs attributed to MyDoom:

TCP ports are opened. MyDoom.An opened ports in the range of 3127-3198. Other variants opened ports such as 80, 139, 445, 1080, 8080, and 10080. The virus needs an open port to establish a backdoor and take control over the infected computer.

A random .txt file appears. Some variants of MyDoom create a .txt file containing random data.

The host file is overwritten. MyDoom can overwrite the host file, so you can’t use your antivirus software.

ILOVEYOU Virus

What is the ILOVEYOU virus?

The ILOVEYOU virus comes in an email with "ILOVEYOU" in the subject line and contains an attachment that, when opened, results in the message being re-sent to everyone in the recipient's Microsoft Outlook address book. Perhaps more seriously, it results in the loss of every JPEG, MP3, and certain other files on all recipients' hard disks. Since Microsoft Outlook is widely installed as the default email management application in corporate networks worldwide, the ILOVEYOU virus can spread rapidly within a corporation. In fact, this is exactly what happened on May 4, 2000. In just about 10 days, ILOVEYOU reached an estimated 45 million users and caused about $10 Billion in damages.

It spread so quickly that many major enterprises like the Ford Motor Company, AT&T, and Microsoft, as well as government organizations like the Pentagon, CIA, U.S. Army, and parliaments in Denmark and the U.K., had to completely shut down their email services as they tried to bring the virus under control and mitigate its damage.ILOVEYOU is also known as the "love letter virus" and the "love bug worm." Although commonly referred to as a computer virus, ILOVEYOU is actually a worm.

While a virus is a malicious code that replicates itself following a human intervention, a worm is a type of malware that can replicate itself and spread from system to system without human interaction or intervention. It doesn't even need to attach itself to Software. ILOVEYOU works via email, specifically via a malicious email attachment. When the affected user opens the attachment, their action instantly downloads the worm into their system without their knowledge and starts spreading it across the network. The email consisted of the subject line "ILOVEYOU" and a simple message: "kindly check the attached LOVELETTER coming from me." When a recipient opened their email, the virus sent copies of itself to everyone in their address book. These recipients assumed the email was a genuine declaration of love or a funny joke, opened it out of curiosity, and inadvertently helped spread it further.

How do the ILOVEYOU virus work and spread?

The Attachment in the ILOVEYOU virus is a VBScript program that recipients at the time mistook for a simple text file because the extension .vbs was hidden from view on Windows machines. When the file is opened, it finds the recipient's Outlook address book and re-sends the note to everyone in it. It then overwrites -- and thus destroys -- all files of types:

• JPEG
• MP3
• VPOS
• JS
• JSE
• CSS
• WSH
• SCT
• HTA

ILOVEYOU could -- and did -- destroy all kinds of files including photographs, audio files, and documents. Affected users who didn't have backup copies lost them permanently. In March 1999, similar to ILOVEYOU, the Melissa Virus also replicated itself by using Outlook address books. However, it only infected about 1 million computers and wasn't as successful as ILOVEYOU at destroying user files.ILOVEYOU also resets the recipient's Internet Explorer start page in a way that may cause further trouble, changing certain Windows registries. settings and spreading itself through Internet Relay Chat.

How did affected companies react to ILOVEYOU?

To ward off ILOVEYOU, one of the first things affected companies did at the time was to screen out emails with "ILOVEYOU" in the subject line. However, this strategy was only moderately successful. Hackers quickly introduced copycat variations with subject lines including "JOKE" and "Mother's Day!" as the content but containing the same or similar VBScript code as the ILOVEYOU worm. One of the most sinister mutations was a version with the subject line containing "VIRUS ALERT!!!" This email posed as a virus fix from Symantec and started out with the greeting, "Dear Symantec Customer." The attachment, which contains the same VBS format file as ILOVEYOU, is called "protect.VBS."

How to stay safe from ILOVEYOU and similar attacks

Since ILOVEYOU, thousands of other viruses and worms have impacted organizations all over the world. The problem is not going away, so companies should take proactive steps to protect themselves. Most importantly, they should install Antivirus Software on their systems to continuously screen for ILOVEYOU and other kinds of viruses. Antivirus software can also remove these viruses from infected systems and protect systems from future viruses. To make sure the antivirus works well, it's crucial to regularly update it. Users should never open any email attachment without screening it first with antivirus software, especially if the sender or attachment type is unknown or unfamiliar. If a system is already infected, the organization should immediately run a virus scan. Starting it in Safe Mode can help handle malicious files. It's also critical to disconnect all affected systems from the internet to prevent the virus from spreading.

The long-term impact of the ILOVEYOU virus

ILOVEYOU was one of the first real-world examples of the use of Social Engineering to perpetrate a CyberCrime. In the 20+ years since ILOVEYOU was created and unleashed, social engineering has become a common attack vector, particularly following the COVID-19 pandemic. ILOVEYOU was also one of the first serious malware incidents to demonstrate the potentially dangerous impact of Spam Email. On a positive note, the virus created a fundamental shift in the cybersecurity landscape by shining a light on how bad actors leverage human emotions and needs (e.g., the need to be loved or a propensity to fall for flattery) to launch attacks. It also forced companies and security professionals to start thinking more seriously about enterprise security as well as user security awareness and education, especially around social engineering, spam, and phishing.

Cryptolocker Virus

Cryptolocker Virus Definition

Cryptolocker is a malware threat that gained notoriety over the last few years. It is a Trojan horse that infects your computer and then searches for files to encrypt. This includes anything on your hard drives and all connected media — for example, USB memory sticks or any shared network drives. In addition, the malware seeks out files and folders you store in the cloud. Only computers running a version of Windows are susceptible to Cryptolocker; the Trojan does not target Macs. Once your desktop or laptop is infected, files are "locked" using what's known as asymmetric encryption. This method relies on two "keys," one public and one private. Hackers encrypt your data using the public key, but it can only be decrypted using the unique private key they hold. The Cryptolocker virus will display warning screens indicating that your data will be destroyed if you do not pay a ransom to obtain the private key.

Common Infection Methods and Risks

The most common method of infection is via emails with unknown attachments. Although the attachments often appear to be standard file types such as *.doc or *.pdf, they in fact contain a double extension — a hidden executable (*.exe). Once opened, the attachment creates a window and activates a downloader, which infects your computer. Because the program is a Trojan, it cannot self-replicate, meaning it must be downloaded to infect your computer. In addition to malicious email attachments, this malware may also come from websites that prompt you to download a plug-in or video player. Typically, you will see nothing wrong with your computer until all files have been encrypted. Then, a warning will pop up indicating that you have been infected and show a countdown timer until all your data is destroyed. Many antivirus programs can remove this Trojan, but cannot decrypt your data. In some cases, users have re-installed the Trojan after removal in order to pay the ransom and unlock their data.

Protection from this Ransomware starts with safe Internet use — don't open any attachments from unknown email addresses, even if they claim to be from your bank or workplace, and don't download any files from an unfamiliar website. If you believe you may be infected, run a full system scan using a reputable antivirus program. It may be possible unlock your files if you regularly use Windows System Restore to create restore points, but in some cases, you may need to go even deeper and use a Rescue disk utility. Here, a disk image of the Rescue utility is created and copied to a DVD or USB drive. You will then have to boot your computer using this external media, which disinfects the machine. Again, there is no guarantee of full data recovery.

Cryptolocker can cause serious damage to personal and business computers. By always creating a physically separate backup of critical files, regularly running antivirus scans and avoiding unknown email attachments, you can minimize the chance of infection.

links related to the Cryptolocker Virus

What is Ransomware

Ransomware poses a threat to you and your device, but what makes this form of malware so special? The word "ransom" tells you everything you need to know about this pest. Ransomware is extortion software that can lock your computer and then demand a ransom for its release. In most cases, ransomware infection occurs as follows. The malware first gains access to the device. Depending on the type of ransomware, either the entire operating system or individual files are encrypted. A ransom is then demanded from the victim. If you want to minimize the risk of a ransomware attack, you should rely on high-quality ransomware protection software.

Ransomware: part of the malware family

Malware is a portmanteau of the words "malicious" and "software". The term malware, therefore, covers all malicious software that can be dangerous to your computer. This includes viruses and Trojans.

How to detect ransomware and protect yourself from it

When it comes to protecting against ransomware, prevention is better than cure. To achieve this, a watchful eye and the right security software are crucial. Vulnerability scans can also help you to find intruders in your system. First, it's important to make sure your computer is not an ideal target for ransomware. Device software should always be kept up to date in order to benefit from the latest security patches. In addition, careful action, especially with regard to rogue websites and email attachments, is vital. But even the best preventive measures can fail, making it all the more essential to have a contingency plan. In the case of ransomware, a contingency plan consists of having a backup of your data. To learn how to create a backup and what additional measures you can put in place to protect your device.

Fighting encryption Trojans 

The most common ransomware infection routes include visiting malicious websites, downloading a malicious attachment, or via unwanted add-ons during downloads. A single careless moment is enough to trigger a ransomware attack. Since malware is designed to remain undetected for as long as possible, it is difficult to identify an infection. A ransomware attack is most likely to be detected by security software. Obviously, changes to file extensions, increased CPU activity, and other dubious activity on your computer may indicate an infection. When removing ransomware, there are basically three options available to you. The first is to pay the ransom, which is definitely not recommended. It is, therefore, best to try to remove the ransomware from your computer. If this is not possible, only one step remains: you will need to reset your computer to factory settings.

What forms of ransomware are there and what does that mean for you?

As mentioned above, the threat posed by ransomware depends on the variant of the virus. The first thing to consider is that there are two main categories of ransomware: locker ransomware and crypto-ransomware. These can be distinguished as follows:

Locker ransomware 

basic computer functions are affected

Crypto ransomware 

individual files are encrypted

The type of malware also makes a significant difference when it comes to identifying and dealing with ransomware. Within the two main categories, distinctions are made between numerous additional types of ransomware. These include, for example, Locky, wanna cry, and Bad Rabbit.

History of ransomware

Blackmailing computer users in this way is not a 21st-century invention. As early as 1989, a primitive pioneer of ransomware was used. The first concrete cases of ransomware were reported in Russia in 2005. Since then, ransomware has spread all over the world, with new types continuing to prove successful. In 2011, a dramatic increase in ransomware attacks was observed. In the course of further attacks, manufacturers of antivirus software have increasingly focused their virus scanners on ransomware, especially since 2016. Regional differences can often be seen in the various ransomware attacks. For example:

Incorrect messages about unlicensed applications:

In some countries, Trojans notify the victim that unlicensed software is installed on their computer. The message then prompts the user to make a payment.

False claims about illegal content:

In countries where illegal software downloads are common practice, this approach is not particularly successful for cybercriminals. Instead, ransomware messages claim that they are from law enforcement agencies and that child pornography or other illegal content has been found on the victim's computer. The message also contains a demand for a penalty fee to be paid.

The largest ransomware attack

One of the largest and most serious ransomware attacks took place in the spring of 2017 and was called WannaCry. In the course of the attack, approximately 200,000 victims from roughly 150 countries were asked to pay a ransom in Bitcoin.

Malware Penetrates Computers and IT Systems

For many computer virus writers and cybercriminals, the objective is to distribute their virus, worm, or Trojan virus to as many computers or mobile phones as possible – so that they can maximize malware penetration. There are three main ways in which this can be achieved:

Via Social Engineering

Infecting a system without the user's knowledge

A combination of both of these methods

In addition, the malware creator will often take steps to prevent the infection from being detected by antivirus programs.

Discover more in the following articles:

Social engineering 

Malware Implementation Techniques

Combining Social Engineering & Malware Implementation Techniques

Why Cybercriminals Try to Combat Antivirus Software