Straight from dingy apartment…

…there comes a hacker! Drinking Coca-Cola, eating pizza, watching Matrix and with no particular education.

This is how an average hacker is like. At least in the eyes of my friends.

I spoke to 20 people from outside cyber security industry. I was curious to know what the general impression about the mysterious hacker figure is.

Perhaps this profession could use some public relations.


First things first. Where does a hacker come from? Well… my responders have no doubt the Cold War has never gone away. Captain America
takes the stand!

Where does a hacker come from?

It’s obviously a man (95% of votes). A young one. 25 years old.

Quite surprisingly, our young American pal dropped out of school. Somewhere around getting secondary education diploma (95%
of responds!).

Plenty of time to take up some hobby, right? Looks like our protagonist
is living the dream. His passion is hacking and technology (70%).

25-years old American pal with no particular education having fun with computers. Having fun exactly where? Where do you spend your nights My Friend?

Regular apartment in a regular block in a regular city.

Well, some would bet it’s a basement (10%), others believe they live with their parents (10%). Some see them squatting (15%).

Most however, see them clearly in a small, dingy apartment in a regular block (50%).

Pizza & Coca-Cola. Living the dream.

Whatever the place they drink either Coca-Cola (75%!), Red Bull (20%)
or Sprite (5%).

Calories are being supplemented also through pizza (53%), McDonald’s (18%) or an instant soup (17%).

They do not feast alone though! No, no, no. There is cat squinting from behind the monitor (53%). Or a hamster (25%). Or a rat (10%).

Finally, cinematography. What could be this one movie? The favorite one? The one and only?


Matrix obviously (45%)! Star Wars is fun as well (25%) and James Bond might reveal some aspirations (20%).

Generally speaking, doesn’t look like a healthy and outgoing character.

Don’t you think?


Thirsty adversaries are constantly looming over horizon. There will be a day when cyber reality as we know it falls apart.

Unthinkable disaster will firstly emerge in a body of a messenger. Then this messenger will set a Doomsday. Finally, we will understand potential consequences. And we will panic.

Actually, such a scenario had already happened before. Several times. Would you like to take a closer look?


… with a bow and crown appeared out of nowhere in April 1991. Bearing the name of Michelangelo. This boot sector virus was arriving most frequently through infected floppy disks with software. Its malicious payload was capable of overwriting all data on a hard disk, which basically made any recovery almost impossible. With no back-ups this could be pretty disturbing. However, it was not about to happen immediately. The particular day had to arrive.

The cataclysm date was not a coincidence. Set on 6th of March 1992 was about to bring utter destruction to celebrate great Michelangelo’s birthday.

Mass panic started to gain field in January 1992. One of the computer manufacturers accidentally shipped 500 computers infected with the virus. Then, another one would ship computers with antivirus software preinstalled. Finally, John McAffe told the press that hundreds of thousands of computers may be destroyed by the virus. Another prediction went into millions. Brace yourself!

6th of March arrived peacefully. Although much anticipated, catastrophe did not materialize itself. There was a spike in detections, however, mostly to other than Michelangelo malware. The virus failed to destroy thousands of machines. Cyber reality survived – all in all – untouched.

Apparently, it was not yet the time for the Doomsday.


… and rode a red horse of inflated ego. Known by the name of CIH appeared at the cyber surface in June 1998. It came as a punishment. And as a warning. The warning to the antivirus software developers. Do-not-claim-you-are-so-damn-efficient-or-I-will-prove-you-wrong message.

CIH started its journey at the Tatung University in Taiwan. Then it went into wild. Spreading joyfully was about to bring a calamity on 26th of April 1999. Just enough time to expand satisfyingly.

The virus spread mostly through pirated software. However, couple of legitimate players got caught as well. Naming only 3 European PC gaming magazines shipping infected CD-ROMs, Yamaha delivering an infected version of a firmware update software or IBM releasing their new Aptiva personal computers with the virus preinstalled.

CIH virus went after executable files. After the execution, the virus stayed in memory and infected other programs as they were accessed. When the milk was spilled, CIH overwrote most of the data on the computer. Moreover, it attacked the Flash BIOS chip of the machine. If succeeded, a machine was unable to boot.

Oh, there was a publicity. From conspiracy theory to we-are-doomed statements. On top of that the date itself. 26th of April. The anniversary of the Chernobyl disaster. There could have not been the better date to bring cyber apocalypse.

Well… although we can not underestimate the impact of the virus, its epicenter wound up in Asia. Millions of infections? Sure. Disruptions in productivity? Correct. Pissed off office workers? No doubt.

Unfortunately – with all due respect my friends – this is not enough to qualify for the pledged Armageddon.

Apparently, not yet the time again.


… and rode a black horse. Emerged in January 2003 with an intention to bring absolute catastrophe with the .F variant on 26th of August the same year. Will be remembered by the name of Sobig. Another 26th! Already feeling chills.

Sobig was spreading through email and network shares. Based on its own SMTP engine, was not only spamming itself ferociously, but also downloading a Lala trojan. The trojan which turned infected machines into spamming zombies. For the very first time in history computers were turned into relays so easily.

The third horseman partially learned his lesson. Although payload – which was downloaded on 26th of August – did not make any great entrance, Sobig worm made an everlasting impact on the cyber reality.

Our black character became the fastest spreading worm of its time. Even today still holds the second position, after Mydoom only. At its peak responsible for 2/3 of world’s spam in general! (See also: BRIEF STORY ON HOW TO FINALLY GET PEOPLE NERVOUS ABOUT THIS WHOLE CYBER SECURITY and BATTLE OF WORMS IN 5 ACTS.)

More significantly, Sobig was the very first creator of a spam botnet. As the concept was successfully tried and tested, it opened immense opportunities for the future.

The worm was hugely prosperous. Even though the trigger date did not bring the worst – cyber space survived in a pretty good shape – it opened a whole new chapter. Obviously, the intent was to take advantage, not to kill the milk cow.

Not yet the time.


…and was supposed to force unconditional cyber surrender on 1st of April 2009. The death rider was carrying the name of Conficker.

Rumors around the globe announced an inevitable Doomsday and hostile takeover of millions of machines. The New York Times mentioned an unthinkable disaster. The Guardian called it a deadly threat. Furthermore, this deadly threat was one great enigma. From the very beginning no one knew where did it come from and where was it heading.

Since its appearance in November 2008, it was simply an unsolvable mystery. This extremely prolific network worm was made a great use of MS08-067 vulnerability, which forced servers around the globe to incorrectly handle RPC requests. Several methods of infections and applied stealth techniques put Conficker always couple of steps ahead of the good guys (see also: THE GREATEST MYSTERY IN THE HISTORY OF CYBER SECURITY?).

Although the greatest minds of cyber security industry for months worked in a special force called Conficker Working Group – intending to track, annihilate and indict authors of the worm – no one really came to any practical conclusion about neither the adversary, nor the intentions. The world was pretty much kept in the dark.

There was one thing known for certain though. Conficker.C, one of the first major rewrites, was spotted in February 2009. The Doomsday was about to arrive two months later.

On April Fools’ Day 2009, the worm was to connect to its headquarters and download deadly payload. By the time, the worm was practically everywhere.
F-Secure estimated number of infections at around 2.9 million. And raising! The global botnet was to be activated and allegedly there was no person on Earth who could fully fend off the threat.

The publicity was massive. Wall to wall coverage. Newspapers, tv news stations, internet portals, blogs and cyber industry announcements. You could basically follow this upcoming cyber Armageddon from the front row seat. The world held its breath. Are we doomed? Is it finally the time?

Well, we are still here, right? 1st of April arrived and nothing spectacular happened. To be more specific, not only nothing spectacular happened. Actually, nothing happened. Sure, the Conficker Working Group did its job and significantly crippled created botnet, however, millions of infections were still there. The hype did not live up to reality. Again.


Surely, no one can provide definitive answer. However, both cyber security industry and malicious tools & techniques have evolved significantly in recent years. One could assume such evolution would impede any massive cyber Armageddon in the future. No doubt there is a logic in such a statement.

Firstly, if you wish to cash out your infections you can not bring so much attention. People are to be kept in the dark. For as long as possible.

Secondly, if you wish to bring absolute havoc and utter destruction, then again, silence is the key. You should not give time to raise defenses. People should be caught off-guard.

Finally… is it not already a theme of the past? Massive, common destruction of a big chunk of cyber reality? Didn’t former Horsemen of Cyber Apocalypse taught us enough to make it impossible?

We shall see.   

Maciej Szulejewski

When creating this article I used threat descriptions from F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used blog posts available at
Furthermore I used my own research materials.


Cyber Armageddon was supposed to emerge on 1st of April 2009. Rumors around the globe announced an inevitable Doomsday and hostile takeover of millions of machines. The New York Times mentioned an unthinkable disaster. The Guardian called it a deadly threat. CBS network predicted disruption to the internet as a whole. The finest security experts from around the globe joined forces and went on a month’s long battle to seize control.

The situation looked extraordinary.

Especially that no one had a clue who is the enemy.


Well… at least the basics. The threat was quickly classified as a net-worm. Net-worm which exploits MS08-067 vulnerability allowing remote code execution with a specially crafted Remote Procedure Call (RPC). Security hole inviting adversaries to attack through a good old stack overflow technique. The worm spreads via internet, local area network and removable media. When multiplying over a network it uses three different methods: exploitation of the vulnerability, file sharing or exploitation of the Windows Autorun.

Moreover, it makes number of changes to the Windows Registry and hides its actions through numerous stealth techniques. It opens a HTTP server and waits quietly for instructions. It goes with the name of Conficker. Or Downadup. Or Kido. And it started spreading on 20th of November 2008.

That was the easy part. Apart from the technicalities, no one has the slightest idea who is behind creation of Conficker (the most popular of the names). Months of investigation brought nothing reliable. No one can imply what is the goal of Conficker. Was it supposed to create a massive botnet of zombie computers? Or was it about infecting users with scareware and extort money? Or was it a state-funded field test before the famous Stuxnet?

$250 000 reward for any useful information from Microsoft has never been collected. Number of infections ranges from 9 to 15 million of machines worldwide. All the notable infections, such as French Navy, UK’s Ministry of Defense or Bundeswehr, faded away without consequences. Instructions were never sent. All the infections went for nothing. What the hell?


Extraordinary situation requires extraordinary activities.

Never before had there been such an endeavor. Non-profit, public sector and business parties joined their forces to fend off Conficker activity. Basically, every single significant party was there. Just name it. Microsoft, Facebook, Cisco, Trend Micro, IBM, F-Secure or AOL. Everyone was there.

Conficker Working Group operated through 3 streams. The first one focused on analysis and research. Delivering samples, coordination of the information flow, exploring emerging variants. The second stream was about communication. Remember, the whole world is watching, right? Press releases, joint messaging.

Finally, the third stream was about to set up the biggest domain blocking project in history. The challenge was quite compelling – to shut down over
1 million domains across 110 countries.

Why to block insane number of domains? To thwart Conficker mode of operation.

Conficker worm tried to call its headquarters once a day. Intending to get instructions. It did it by trying to connect to various web addresses. If the worm found an active web server, it would download and execute a payload. This basically meant bad guys could do whatever they wanted with infected machines.

Web addresses were generated through a complicated algorithm. At the beginning providing 250 pseudorandom domains. Later, trying to download orders from 500 out of 50 000 pseudorandom domains. Predicting, registering and shutting down all those domains would do the trick. Would prevent infected machines from getting any commands. And this was the challenge.

This unprecedented effort was actually successful. The Conficker Working Group managed to almost completely stem the botnet. Without the connection to headquarters it was simply useless. That means full success, correct?

You never know with Conficker


This is probably the theory most experts incline to. Exploited vulnerability was commonly known as of 23rd of October 2008. This was the date when a security update was published. The very first variant of Conficker did not infect systems with Ukrainian IPs or Ukrainian keyboard layout. This could point out its origin.

As Ukraine is not publicly known for any state-funded cyber attacks, it leads to a conclusion that it were some hoodies trying to infect and then monetize the potential botnet. However, as it went far beyond their expectations and brought immense portion of publicity, their impunity was severely threatened. So, they stepped back. Conficker left in the wild, living on its own. Seems logic, right?

Something cracks here though. If they were scared enough to leave a potential profit aside, what was with the months-long cat-and-mouse game with the cyber industry? Conficker Working Group mentioned 5 main variants of the worm.

Rewrite in the .B variant introduced a backdoor with auto-update functionality.

The .C variant selected its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. It increased defenses and added peer-to-peer capabilities.

The .E variant went even further – piggybacking on Conficker.C attempted to install ‘Waldec’, scareware imitating an anti-virus software.

If you are scared and trying to hide, usually you do not come back to the crime scene. Unless you are not really scared.


That is obviously just a speculation. However, educated one.

Some security experts are of the opinion that Conficker was simply a smoke screen to hide a real objective of the operation. While eyes of the world were focused on the mysterious worm, important doors were opened. The doors to the Iranian nuclear program.

Could it has been about executing one of the most successful cyberespionage operation in history? Delivering Stuxnet to the underground facility at Natanz?

The speculation goes as follows. Firstly, both Conficker and Stuxnet were written with extraordinary sophistication. Secondly, infection rates for both malware were far higher in Iran than in the United States. Thirdly, there is a date correlation in development and deployment of their different variants.

Finally, both Stuxnet and Conficker used the very same Windows vulnerability and had similar way of spreading and infecting new machines. How do you feel? Is it enough to consider this theory legit?

Both the White House and Israeli’s Prime Minister refused to comment.


Conficker Working Group concluded it is impossible to indicate who initiated Conficker spreading. Months long investigation of the greatest minds of cyber security industry came to no conclusion.

Although the botnet itself got crippled, majority of the infections remained untouched. If it really was a field test of a state-funded hacking group, it was pretty damn successful.

Whereas if it was supposed to be a profit-oriented botnet launched by Ukrainian hoodies, then it really went south.

To be continued? In February 2021 – based on F-Secure Enpoint Clients data – Conficker was the 4th most often detected malware…

Maciej Szulejewski

When creating this article I used threat descriptions from F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used What we’ve learned from 10 years of the Conficker mystery from, Conficker Working Group: Efforts To Fight Botnet A Mixed Bag from, Conficker Working Group says worm is stopped, but not gone from On top of that I used my own research and interviews.


In 1999 access to the internet was a luxury. In the United States only around 35% of the population had access to worldwide network. It was just over 21% in the United Kingdom and almost exactly 20% in Germany. Russia had 1,02% of its citizens surfing through the web.

These were the golden times of jokes and funny pictures flying around in emails. The times, when although computer malware was already intrinsic to cyber reality, no one really bothered about decent anti-malware software.

Exactly these were the times when within a 2-year span the first truly global computer malware superstars were recognized.

They reconstructed cyber reality entirely through 4 phases.


One of the first successful mass-mailing viruses, the first malware rock star was born just at the brink of new millennium. At the time David Kwyjibo Smith happened to visit one of the strip clubs in Florida. One of the ladies apparently left him with an exceptional impression. As a result our story begins with the female name. The name is Melissa.

It all started on Friday, 26th of March 1999. Word macro virus was written in Microsoft’s Visual Basic and propagated itself through emails. The whole trick was to lure users to open an attachment. The subject of emails was Important Message From…. The attachment was called list.doc and contained a list of 80 pornographic websites. Once executed, the virus mailed itself to 50 addresses in users’ Address Book.

Beside mailing itself, Melissa virus went after Microsoft Word application. It infected template, which was used by default in all Word documents. Thus, Melissa was able to infect all new documents in order to spread itself as far as possible. Furthermore – as most malware of the time – it had a singular comedy wrinkle.

If executed when minutes of an hour matched a day of a month – e.g. 16:25 on 25th day of a month – it put the following sentence into the new document:

Twenty-two points, plus triple-word-score, 
plus fifty points for using all my letters. 
Game’s over. I’m outta here.

The Simpsons… and Melissa virus

Given the times, the propagation of the virus was tremendous. It went over
100 000 infections. 300 organizations reported being severely affected, which forced them to shut down their email gateways and caused significant losses in productivity. For the very first time in the modern cyber history such a burden was put on email servers (see SO MUCH FOR GOOD INTENTIONS to check the ancient era).

Luckily, all in all, Melissa did relatively little damage. However, it spread as nothing before and showed the way for others alike. The precedence was alive and kicking.


If Melissa was a rock star, then ILOVEYOU worm was the band of Beatles. Wall to wall media coverage, worldwide alerts and number of press conferences. 45 million of infections in just two days. Absolute havoc within cyber security industry. All that coming from the 24-year old student from Manilla – the capital of the Philippines – Onel De Guzman. At the beginnings of May 2000, for the very first time the world gave so much attention to a virtual incident. The first truly global computer malware was successfully baptized.

ILOVEYOU worm, written in Visual Basic script, propagated itself through email. Using Outlook or mIRC client. Due to the bug in Windows 95, the extension of the file in a mail attachment was hidden after the first dot. The worm, when executed, mailed itself to everyone in users’ Address Book. Moreover, it copied itself to the Windows System Directory and Registry, so that it could be executed whenever the system was rebooted. Unfortunately, the worm was also destroying much of victims’ hard drives by overwriting and deleting them.

Beside mass-mailing and overwriting files, ILOVEYOU payload contained
a password stealing trojan called Barok. All stolen passwords were then mailed to

The idea behind the worm was straightforward. At the time the internet access in Manilla was expensive. You needed to buy a limited access directly from a service provider. Guzman decided to steal credentials from richer ones. Couple of hours after releasing ILOVEYOU into the wild, there were plenty of credentials to sift through.

Never before was there such a successful social engineering technique applied within cyber world. Simplicity is the key to brilliance, right? The subject of the email was ILOVEYOU. The attachment was LOVE-LETTER-FOR-YOU.txt.vbs. Simply perfect.

In five hours, ILOVEYOU spread across Asia, Europe and North America, some 15 times faster than the Melissa virus did when it struck a year before, infecting over 1 million computers.

Soon after starting business on May 4, the United Kingdom’s House of Commons had to take its overloaded email servers offline, as did the Ford Motor Company and even Microsoft, whose Outlook software was the primary means of spreading the virus.

James Griffiths, CNN

At the time there was no bigger story. This is what Mikko Hyppönen, CTO of F-Secure told BBC:

I remember working on the case all day from 09:41, when it started, until midnight, then going to bed only to be woken up at 3am by calls from the USA. When I hung up my phone and looked at the screen, it showed that I had received and missed 40+ phone calls during that 30-minute conference call. All those calls were coming in from partners, vendors and media. Everybody wanted to know what was happening and how to fight the outbreak.

Although a patch to fight the outbreak was available at the very same day – on 4th of May -, ILOVEYOU worm spread wide and fast. It couldn’t have been more successful. Baptism of fire was passed with the highest grade possible.


So there is this young adult from the Netherlands. Computers savvy and very much interested in the art of hacking. He witnessed and paid close attention to the havoc caused by ILOVEYOU bug.

Last week I read an article about some research about the impact of the LoveLetter-virus. The title of that article says enough: Surfing people haven’t learned anything from the I Love You-virus.

Jan De Wit told

Could it be so simple to simply rerun the trap?

20-year old at the time Jan De Wit decided to follow the best practices
of hacking community. He took an off-the-shelf Visual Basic Worm Generator and went on a mission to verify if the world had learned anything from the love bug. As you may suspect, it had not.

This time the social engineering part was based on a female attractiveness.
De Wit promised his victims to show a picture of a Russian tennis player – Anna Kournikova. Once again, the generated worm propagated itself through email. Using the very same Windows vulnerability, which hid attachments extensions after the first dot. The subject was Here you have. The file was called Anna Kournikova.jpg.vbs. People were hooked like bees around the honeypot.

The biggest outbreak took place on 12th of January 2001. F-Secure estimated there were several hundreds of infections within hours. Although ANNAKOURNIKOVA worm worked alike its loving predecessor – copying itself to Windows Directory and sending itself through users’ Address Book – it did not corrupt any files on hard drives. Basically, the worm did not do much harm – it increased CPU utilization and clogged networks. However, it was again extremely virulent.

Same shit, different day. The formerly proved concept was still alive and kicking.


We successfully tried out Word Macro virus. We proved the promise of love and nudity will lure people into downloading whatever you wish. However, nothing that serious happened, right? Some media circus, some time-consuming cleaning up and probably guilt trips from more computer-savvy PC users. It did not cause so much trouble, though. Aspirations should be higher. Let’s get it up just one level up the ladder.

Memory-resident worm – called CodeRed later – was targeting Microsoft’s Internet Information Servers (IIS). They were predominantly used for web servers. At the time, the software was a basis for nearly 6 million websites. The worm used – not surprisingly – a month-earlier published vulnerability called Index Server ISAPI Vulnerability. This vulnerability allowed to conduct a buffer overflow attack, which simply pass more data to a buffer than it could handle. Once on the server, CodeRed scanned the network in order to find another IISs to infect them.

The worm was firstly detected on Friday, 13th of July 2001. It was the very first successful large-scale mixed threat attack to target enterprise network. Once in the network, CodeRed was preparing Denial-of-Service (DoS) attack. There were several fixed addresses targeted. One of them was

The mode of operation of the worm was quite sophisticated. If a date was from 1st to 19th of a month, it was spreading as wide as possible. The actual DoS happened from 20th till 27th of the given month. Then there was an Eternal Sleep Mode, which basically was supposed to end the existence of the malware.

Another curiosity is a message which was defacing web pages if the language of an infected server was American English. Here we go!

Seems cut and dried, don’t you think?

The thing is that the recent malware outbreaks were still fresh and vivid. MELISSA, ILOVEYOU, ANNAKOURNIKOVA and dozens of less successful viruses experienced authorities quite heavily. The blame game started. Microsoft was an easy target, obviously.

Firstly, criticized for having their own Hotmail and Windows Update servers not entirely patched. Secondly, for seemingly unsuccessful patching campaign. Finally, for the whole notification process in general. Once the milk is spilled, what could we do? How about overcompensating with a wave of publicity?

Microsoft took a massive media announcements tour. Additionally, FBI issued an official alert, which stated that the operation of the whole internet was at risk.

Tech news site the Register and virus hoax information site Vmyths both argue that the flood of warning emails, calls to antivirus support lines and general level of hysteria can cause more damage to the internet than the worm itself.

reported by The Guardian

Number of infections reached 359 thousand on Thursday 19th and then
– exactly as programmed – started the partially successful DoS attack
(the White House site had to be moved). Along with subsequent variants
– more prolific and with installed backdoor – CodeRed was the costliest malware incident of the 2001. 

After CodeRed one thing was obvious – no one and nothing is entirely secure. Endless line of potential threats. Whole new game. Whole new level.


At the beginning of 1999 PC users looked pretty much untroubled. Then MELISSA was born and gave a compelling lesson about the necessity of gateway filtering and scanning attachments. Actually, regular scanning in general. The outbreak of this very Word Macro virus not only brought some customers to cyber security companies, but also contributed to identification of loads of other malware already sitting comfortably on users’ machines.

Then came the actual baptism of fire. ILOVEYOU worm smashed existing status quo and proved how easily it is to hack humans. It became evident people should not be trusted. Support was needed. One of the low hanging fruits was to establish decent spam protection. Besides, PC users learned it could be useful to regularly conduct back-ups (not for long, right?). Furthermore, it was as clear as crystal the times when once-a-month signatures update was enough, were long gone.

Soon we realized we have not learned a thing. Previously known and tried concept was successfully resurrected. ANNAKOURNIKOVA worm was once again simple and terribly virulent. Basic social engineering and email attachment. Once again people! Spam protection, back-ups and regular updates could be kind of useful.

Finally, something taking security considerations into the whole new level. Although the general reaction to CodeRed might be considered as overblown, it taught no less important lesson. Enterprise networks are as vulnerable as anything else in cyber world. It explicitly showed manual patching was no longer a sufficient process. Moreover, beside health-check scanning, vulnerability scanning became a thing.

Tools and techniques used during all 4 incidents were not that sophisticated. Nor were the actual consequences for the general public. They brought, however, much greater sense. The realization this whole cyber world could be in real danger in the very near future (see: BRIEF STORY ON HOW TO FINALLY GET PEOPLE NERVOUS ABOUT THIS WHOLE CYBER SECURITY).

Maciej Szulejewski

When creating this article, I used threat descriptions from F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used Internet access data from, A decade on from the ILOVEYOU bug from, Anna Worm Writer Tells All from, Code Red worm from, I love you’: How a badly-coded computer virus caused billions in damage and exposed vulnerabilities which remain 20 years on from


It was not until 2003 when the world realized that consequences of cyber attacks go far beyond just virtual inconveniences. Grounded aircrafts, useless ATMs, unavailable 911 emergency network, shut down railroad system and worldwide press agencies temporarily locked down. Eventually the very first in history rise of spam botnets. And this is just a scarce of direct consequences of 2003 upswing of computer malware.

At the time the real world was preparing itself to the U.S. invasion on Iraq. Martin Scorsese won the Golden Globe for ‘Gangs of New York’ and Kobe Bryant was endlessly throwing three pointers. Meanwhile cyber world was just about to get acquainted with Sobig and Slammer worms. Later that year the merry company was broaden by Blaster and Welchia. Then there was a Battle of Worms (see: Battle of Worms in 5 Acts) nailed down with the outburst of Sasser. Havoc.

Cyber security was making headlines. Repeatedly. Finally.


One of the darkest periods in cyber security history started somewhere around 9th of January 2003. Unknown author released into the wild Sobig worm. Spreading through email and network shares, based on its own SMTP engine, was not only spamming itself ferociously, but also downloading a Lala trojan. The trojan which turned infected machines into spamming zombies. For the very first time in history computers were turned into relays so easily. Spam business crossed the Rubicon – it was no longer manual, hand-made job. It was now all about automation.

Sobig worm made headlines pretty quickly. Especially BBC ones. The worm went after a mailing list for fans of Archers, long-running radio drama. Just at the time when one of the Archers characters was teaching another one how to use email. Perfect timing, right?

The real fun started almost exactly two weeks later. On 25th of January, Saturday, at 5:30 GMT emerged unknown, scary and prolific as hell, the one and only Slammer worm. Slammer needed only 15 minutes to spread worldwide. Simple piece of code, which exploited a vulnerability known for over 6 months (!), affected 90% of all vulnerable hosts within 10 minutes. It took down 5 out of 13 world’s DNS root servers. Another 5 experienced massive packet loss.

Although the patch for the exposed vulnerability was available at hand, consequences were unprecedented. Windows XP activation servers in Redmond were taken offline. Continental Airlines had to cancel and delay number of flights. Bank of America ATMs refused to dispense cash. In South Korea the entire internet infrastructure was knocked out.

As many as five of the 13 Internet root nameservers have been downed because of the outbreak. Effects were so marked because the worm generates massive amounts of network packets, overloading servers and routers and slowing down network traffic. SQL Slammer’s code instructs the Microsoft SQL Server to go into an endless loop, continually sending out data to other computers, in effect performing a denial-of-service attack.

F-Secure Alert

Internet attack causing a dramatic increase in network traffic worldwide.

Microsoft Statement on Slammer Worm Attack

Slammer worm targeted a flaw in the Microsoft’s SQL Server database. It sent UDP diagram to port 1434. Then it exploited a buffer overflow vulnerability in the SQL Server Monitor. When in memory, it sent datagrams and worm code to random IP addresses. Consequently, causing massive Distributed Denial of Service (DDoS) attack.

The New York Times reported that even Microsoft had number of unpatched machines. Their MSN Internet Service had significant slowdowns caused by Slammer. Any silver lining? Here you go:

Patching was 100% effective in preventing reinfection and so, in its own ironic way, Slammer helped make the Internet that little bit more secure.

David Litchfield – discoverer of the vulnerability


Starting from January 2003, upcoming months became a baptism of fire for the cyber security community. Not a successful one.

The hammering code of Slammer along with its incredible easiness in spreading was, in fact, the main reason of its twilight. The bandwidth could no longer support the exponential growth of generated packets. Furthermore, as it was a memory-resident worm, it had no looks for a long-lasting future.

Nevertheless, Sobig and Slammer were just a forefront of what was about to bang the world just 6 months later, in August 2003.

First came Blaster. Worm exploiting DCOM RPC vulnerability emerged on Monday, 11th of August. Once the exploit code was successfully sent to the target, communication was maintained through TCP port 135. Then a remote command shell listening on TCP port 4444 was opened. Finally, the Trivial File System Protocol (TFTP) was set up listening on UDP port 69. The last step provided targeted machine with the main Blaster payload. The payload, which shared some interesting thoughts with the world:

I just want to say LOVE YOU SAN
billy gates why do you make it possible?
stop making money and fix your software

Blaster message to the world

Hence, not surprisingly, Blaster went after Microsoft. Although its SYN flood attack was not successful, it sprayed significantly and managed to severely disturb e.g. CTX railroad system, Air Canada, BMW, the Federal Reserve Bank of Atlanta or Swedish telco TeliaSonera. Stay tuned though! The fun part has only started.

Exactly one week later – 18th of August – another Monday, another surprise. This time positive one. Who would have thought, right? There it is. The rescuer. Nematode deleting Blaster and patching missing vulnerabilities. With no intentional harmful effects. Welchia worm.

Welchia primarily used the very same vulnerability exploit as Blaster. It was supported though with yet another attack vector – exploiting WebDav vulnerability through TCP port 80. Both ways led into creating remote shell listening on any random TCP port between 666 and 765. Savvy and with only the best intentions. The outcome was unfortunately not straightforward positive.

This worm, even though it pretends to be friendly, is even more problematic because of the propagation technique it uses. And, even if you have patched against the DCOM RPC vulnerability, you are still at risk because it uses another avenue to infect.

In some cases enterprise users have been unable to access critical network resources. This is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm.

Vincent Weafer, Symantec’s Security Response Unit

Welchia was literally causing another Denial of Service (DoS) through swamping network systems with traffic. So much for good intentions (see: SO MUCH FOR GOOD INTENTIONS).

So there it is, August 2003. The world had just regained consciousness from the Slammer bomb. We have number of Blaster variants flying around the world. The Welchia propagates itself mercilessly. How about making it just a bit spicier?

19th of August. Just one day after the Welchia outburst. The old friend is back with new superpowers. Propagating itself faster than any other worm of its time. Let’s welcome back Sobig. The ‘.F’ variant.

It’s now Blaster, Welchia and Sobig playing around at the very same time.


At the time one could have thought it was just a dangerous thunderstorm. Vivid, ferocious and nasty, but still accidental. Not this time my friends. Not anymore.

While cyber security industry was doing their best to fend-off two worms and one nematode, hoodies were silently preparing something special. Again.

2004 was supposed to be pretty pleasant. Euro 2004 in Portugal, Olympic Games in Athens and grand premiere of the Brad Pitt’s Achilles and Troy movie. It was about to be a whole different experience for cyber security geeks.

January 2004 opened a new chapter in the cyber world. First appeared the Mydoom worm. Beating all the possible notable records of spreading.

The worst email worm incident in history.

Mikko Hyppönen, CSO of F-Secure

Then it all went even heavier. The Battle of Worms emerged at full swing late February (see: Battle of Worms in 5 Acts) including afore mentioned Mydoom complemented with NetSky and Bagle. Another unprecedented event with severe consequences across the globe.

The nail in the coffin was yet to emerge. The very last participant of the Battle of Worms and one of the most destructive worms ever – Sasser. This network worm emerged in April 2004 and made use of LSASS buffer overflow vulnerability. It opened remote shell on TCP port 9996 and used FTP server on TCP port 5554 to spread itself. It spread marvelously. Within hours there were millions of infections causing repeated crashes and reboots of systems. Agence France-Presse (AFP) had all its satellite communication blocked for hours. Delta Air Lines had to cancel several transatlantic flights. Finish Sampo Bank came to a complete halt and had to close their 130 offices in Finland. And that is obviously not the entire list.

Crazy ride started early January 2003. It peaked several times. Firstly, Slammer partially stopped the worldwide internet. Then Blaster heavily disturbed several of high-profile industries. Welchia on the other hand played around with Navy Marine Corps consuming three quarters of its intranet capacity. The Battle of Worms has changed the status quo for the whole cyber security industry being always two steps ahead of everyone. With the Grand Finale in the body of Sasser. With grounded flights and closed banks. There was no longer coming back.


This was a harsh clash with cyber reality. Well actually… a clash with reality. Cyber world was no longer an isolated island with no consequences to the day-to-day existence of people across the globe. Cyber adversaries provoked real problems for real people. No one could ignore this fact any longer. Critical infrastructure, essential services and daily activities from now on were the target. In the hindsight it is plainly visible it has never got any better.

16 years later we are much better prepared, obviously. Probably the most tangible outcome of the 2003-2004 cyber havoc was the change in approach towards automatic updates. We came to a brutal realization that critical vulnerability patches had to be applied as quickly as possible. Most of us have learned the lesson.

So did hackers. Successful infection means silent infection. You are not supposed to know there is some piece of malicious code nesting in your system. Systems are not to reboot and slow down machine performance. Apart from ransomware you are to be kept in dark. For as long as possible.

Blaster was pretty active for next several years. Slammer came back in December 2016. It made the top 10 common threats of the month. Bagle is still up there. We can still see detections of the worm. The same with SkyNet. We have not got rid of them. We simply intent to control prevailed versions. Let’s see for how long.

Maciej Szulejewski

When creating this article, I used threat descriptions from F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used Microsoft Statement on the Slammer Worm Attack,
The Inside Story of SQL Slammer from, Friendly Welchia Worm Wreaking Havoc from and MyDoom declared worst ever from



The fastest spreading worm ever emerged from nowhere on Monday, January 26th, 2004. Shortly after its release into the wild it accounted for around 30% of email traffic worldwide. Correct. Almost 30% of the whole email traffic in the world was solely caused by this very worm. The hero of the day was later called Mydoom.

Mydoom spread through email and – popular at the time – Kazaa Peer-To-Peer network. Most of the email subjects suggested transmission errors, mail delivery failures, tests or server reports. The lure was to open an attachment, which, when executed, sent out the worm through user’s address book and network shares.

Opening of the attachment led to two adverse activities. Firstly, any infected machine was used for a DDoS (Distributed Denial of Service) attack on 1st of February 2004 against the SCO Group, American software company. Secondly, a backdoor listening on the first available TCP port between 3127 and 3198 was installed. The latter enabled an adversary to turn an infected machine into a proxy, but also opened the doors for executing any additional malicious pieces of code.

Soon it was not only about the SCO Group. The second variant went bigger targeting Microsoft. Both to-be-victims offered $250 000 for any information leading to the arrest of the worm creator. There was FBI involved and a lot of publicity.  

Despite the overwhelming sense of urgency on the defense side, Mydoom – using over one million machines – managed to take down the SCO domain. It did not work with Microsoft though. They managed to prepare themselves well enough.

Both variants had their expiration date hardcoded. The first one retired on 12th of February. The second one on the 1st of March. Was it supposed to be one-time shot? With a specific purpose, written on demand? There was a clue indicating such a scenario. Take a look:

andy; I’m just doing my job, nothing personal, sorry,

This was the message embedded in the code of the worm. This ‘job’ caused billion dollars’ worth losses around the globe. At the time Mikko Hyppönen described Mydoom as ‘the worst email worm incident in history’. Well… actually the real fun was just about to start.


There were just about a bit more than two weeks of peaceful spreading of Mydoom. Almost uninterrupted. Full success leaving thousands of backdoors operating on infected machines. Until there was Monday, 16th of February 2004. Can-you-top-this game started-off.

Out of nowhere emerged a 17-year-old German malware enthusiast Sven Jaschar and his creation – NetSky. Another network-spreading worm, which managed to easily distribute itself worldwide. Another one luring its victims through social engineered emails. With just one difference. NetSky was literally chasing down Mydoom. Its sole purpose was to remove or disable it.

The real playground-style brawl started on Wednesday, 25th of February. This is what was found inside the code of NetSky.C:

We are the skynet – you can’t hide yourself! – we kill malware writers (they have no chance!) – [LaMeRz–>]MyDoom.F is a thief of our idea! SkyNet AV vs. Malware.

Pretty compelling, right?


The more the merrier. NetSky was actually hunting down not only the famous Mydoom. In fact, there was yet another target – Bagle. One more network-spreading worm, with its own SMTP engine, joyfully installing backdoors.

Different variants of Bagle started popping out already mid-February, competing with self-proclaimed saviour on a daily basis. It was Tuesday, 2nd of March when it really started to get juicy. Let’s give the voice to both runaways:

Hey, NetSky, fuck off you bitch, don’t ruine our bussiness, wanna start a war?


To netsky’s creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your shitty app.


No doubt both sides enjoyed it. Wednesday, 3rd of March:

Skynet AntiVirus – Bagle – you are a looser!!!!


Hey, NetSky, fu** off you bitch!


And there was a Monday, 8th of March. Could it be the end? NetSky author was apparently signing off. Following message was embedded in the .K variant:

We want to destroy malware writers business, including Mydoom and Bagle… This is the last version of our antivirus. The source code is available soon.

At the time, March 2004, the situation was pretty obvious. Scattering of malware writers were disturbing the whole internet. Unpunished. Playing the cat-and-mouse game with all the antivirus world.


Different variants of all three worms were popping out like crazy. More and more machines getting infected every day. Instant reactions for any move made by the greats of antivirus world. This is how Mikko Hyppönen, Chief Research Officer at F-Secure, described it:

Whoever is behind it is sitting around waiting for us to respond. If the target is to exhaust the antivirus people, he’s succeeding at it. My team is really tired. We are working through the night and the weekends.

Mydoom developed into at least 10 different variants. NetSky entertained itself with 31 incarnations. Bagle beat them all. Variants could go through alphabet several times.

Is there anything that could possibly go worse? Well… Sven Jaschar – the author of the NetSky – decided to enter the battlefield once again. No doubt he had a pretty impressive entrance. Firstly observed on 30th of April, Sasser worm was immensely successful in terms of its distribution. Using the LSASS buffer overflow vulnerability Sasser managed to infect millions of machines. The .E variant was the first one to directly attack and annihilate Mydoom and Bagle.

The Worm War started to faded out though. Neither NetSky nor Sasser managed to significantly disturb proliferation of Mydoom and Bagle. In fact, Sasser caused so much damage around the world – including grounding airlines and temporarily shutting down Sampo Bank’s offices – its author was tracked down and brought to court.  

Obviously, all characters of this story outreached their initial intentions. In fact, 15 years later they have still pretty decent record of persistence.


Mydoom took down Google site on 26th of July 2004. For most of the day the site was inaccessible. The code was reused in July 2009 for cyberattacks on South Korea and United States. As reported by Palo Alto Networks one percent of all emails containing malware sent during 2019 have been Mydoom emails.

Bagle worm evolved into the Bagle botnet. Mostly involved into proxy-to-relay email spam. As reported by SC Magazine UK: the botnet was responsible for about 10.39% of the worldwide spam volume on December 29, 2009, with a surge up to 14% on New Year’s Day.

Something more up to date? In December 2018, the Comodo Group indicated that the very first two variants of the worm, Bagle.A and Bagle.B, still arrive in people’s inboxes.

Mydoom is still considered to be the worst email worm incident in history. The Worm War fueled evolution of the Bagle so heavily, it’s difficult to count its variants anymore. The War itself became the very first immensely impactful playground at the expense of millions of unaware internet users across the world. The dust has settled. Worms, however, remain restless.

Maciej Szulejewski

When creating this article, I used threat descriptions from F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used NetSky author signs off, War of the worms turns into war of words, German police arrest Sasser worm suspect from, Virus writers trade insults as e-mail users suffer from, The Stealthy War Between Virus Creators from, Virus writers exchange coded insults from


Einstein’s equation leading towards Manhattan project. Nobel’s dynamite first saving lives of workers, then being yet another killing technique. And how about the one and only Comic Sans font? You do not use it properly people!

Nothing new under the sun. Ideas worth spreading, designed to be on the right side of the history are being purposefully misused. Especially in cyber security.

Check out a brief history of malware pioneers. All having only the best intentions. All being accidental godfathers of one of the most lucrative criminal businesses of the world.



This was the note left by the very first computer virus in history – Creeper – designed as a security test by Bob Thomas from BBN Technologies company in 1971. The objective of the software was to see whether self-replicating program was possible at all. It was.

There was no malicious intent and in the very first version Creeper deleted itself while moving to another host. The second version, enhanced by Ray Tomlison, provided actual replication method. Ladies & Gentlemen, welcome to the whole new world!


Later the same decade John Walker decided to make his life just a bit easier. Back then a text game called ‘Animal’ was very popular. Basically, the game was supposed to guess which animal you have in mind by asking several questions. John had come up with an enhanced version of the game which apparently became of high demand. In 1975 sharing files was somehow… time consuming.

The game was an immediate hit, and many other Univac users asked me to send them copies of the program. This, of course was before the days of worldwide data networks, so this involved writing magnetic tapes and mailing them to each requestor. What a drag.

John Walker – letter to Scientific American Magazine

As a result, Walker created a program called PREVADE. The very first Trojan virus in the history of computation.

When user launched the Animal game, PREVADE examined available directories and then made a copy of Animal wherever it was not already present. The game, along with its hidden Trojan software, was soon to be found on every single computer of a quite large engineering company. Pretty successful, right?


The stereotype of youngsters creating computer viruses for fun had been prevalent for a pretty long time. The story of Elk Cloner could be the origin of this stereotype. All happened in 1982 and is considered to be the very first case of computer virus released in the wild. Which basically means being out of control of a creator.

Richard Skrenta at the time was a 15-year-old who very much enjoyed computer games. Furthermore Richard was fond of making regular digital jokes to his friends. He even earned himself a reputation, which prevented most of his colleagues from accepting anything digital from Richard. In a hindsight, they were probably right.

Nevertheless, Skrenta started circulating Elk Cloner virus among his friends and local computer club in early 1982. He developed what is now known as a boot sector virus. When it boots, or starts up, an infected disk places a copy of the virus in a computer’s memory. Whenever someone inserts a clean disk into a machine and types the command ‘catalog’ for a list of files, a copy gets written onto that disk.

Witty and nifty. Still relatively harmless, though. The most severe consequence was this message, displayed every 50th time someone booted an infected floppy:


The Elk Cloner was written for the Apple II operating system. The rumor says it was seen almost a decade later during the Gulf War on one of an anonymous sailor’s machine. The program got out of a controlled environment and lived his own life. For the first time in history.


This case is probably the most famous one. Announced and praised as the very first computer virus for MS-DOS – Brain.A. Circulated by two Pakistani brothers Amjad and Basit Farooq Alvi in 1986. Both brothers claimed several times they did not mean any harm. Their intention was two folded: firstly, to protect their medical software from illegal copying, and secondly, to prove the MS-DOS platform is not safe enough. Especially comparing to – prevalent at the time – Xenix and Unix operating systems.

Brain affected the IBM PC by replacing the boot sector of a floppy disk with a copy of the virus. The virus basically slowed down the performance of the disk by making a part of memory capacity unavailable to DOS. However, it did not have any actual malicious intent. In fact, contact details of the two creators were provided within the code itself.

Welcome to the Dungeon

© 1986 Basit & Amjad (pvt) Ltd
PHONE :430791,443248,280530.
Beware of this VIRUS…
Contact us for vaccination…………  $# @%$@!!

On the 25th anniversary of the virus, Mikko Hyppönen, Chief Security Officer of F-Secure company, made a trip to Pakistan to pay brothers a visit. Check the minidocumentary out, it’s called Brain: Searching for the first PC virus in Pakistan.


What came out of hands of Robert Tappan Morris in 1988 was groundbreaking for several reasons. Primarily, because it was the very first piece of malware distributed through a network. First in history propagation through internet. Then, it was the very first internet crash widely noticed by media. Finally, Robert Morris became the very first person indicted and sentenced for an adverse activity in the virtual world. All the mess created by something later called The Morris Worm.

Robert Morris stated his intention was to ‘gauge the internet’. To check out how many machines are being interconnected. At the time there were 60 000 of them. Calculations vary indicating that between 10 to 30% were eventually infected by the Morris Worm. The idea was simple: the worm, exploiting two major flaws in TCP and SMTP connections, was moving from one host to another. However, the code itself was surprisingly buggy. The worm went from host to host and back. Infecting particular machines several times.


Internet was at the brink of a total crash. America’s leading universities and government institutions were ARPANET connected at the time. Hence directly affected. Including Pentagon machines. The estimated damages made by the worm are estimated in the range of $100 000 up to $10 000 000.

Robert Tappan Morris was sentenced to 3 years of probation, 400 hours of community service, and a fine of $10 050.


Let’s move almost 20 years forward. It’s 2005 now and we are in one of the offices of the Sony BMG. One of the world’s leading record company which works fiercely on protecting their copyrights. Who would have thought they would follow this path, right? It is an honor to have you on the list, Sony. The creator of the modern rootkit solution.

Their anti-copy-protection piece of code was present on over 22 million CDs, including albums from Ricky Martin and Kylie Minogue. When inserted to a PC, a hidden software was installed. A software which modified the operating system to interfere with CD copying. Without the knowledge of an user whatsoever.

Most people, I think, don’t even know what a rootkit is, so why should they care about it?

Thomas Hesse, President of Sony’s Global Digital Business.

Well, apparently the rootkit was quite buggy. Which means it literally opened the doors wide open for plenty of other malicious programs.

Although there were no explicitly ‘bad intentions’ here, Sony endeavor took rootkits on the whole new level. For the first time in history a rootkit was intentionally distributed through legal channels by one of the world’s biggest entertainment corporations. On purpose and deliberately. All that only to protect artists. Only the best intentions, right?


Security test.

Method of delivering a text game.

Prank joke.


Measuring the size of internet.

Protecting copyrights.

What could possibly go wrong?

Maciej Szulejewski

When creating this article, I used threat descriptions from F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used The First Computer Virus of Bob Thomas from, The 30-year-old prank that became the first computer virus from, A Brief History of Computer Viruses & What the Future Holds and Morris Worm Turns 25 from, The Animal Episode from and Sony BMG Rootkit Scandal: 10 Years Later from