Thirsty adversaries are constantly looming over horizon. There will be a day when cyber reality as we know it falls apart.

Unthinkable disaster will firstly emerge in a body of a messenger. Then this messenger will set a Doomsday. Finally, we will understand potential consequences. And we will panic.

Actually, such a scenario had already happened before. Several times. Would you like to take a closer look?


… with a bow and crown appeared out of nowhere in April 1991. Bearing the name of Michelangelo. This boot sector virus was arriving most frequently through infected floppy disks with software. Its malicious payload was capable of overwriting all data on a hard disk, which basically made any recovery almost impossible. With no back-ups this could be pretty disturbing. However, it was not about to happen immediately. The particular day had to arrive.

The cataclysm date was not a coincidence. Set on 6th of March 1992 was about to bring utter destruction to celebrate great Michelangelo’s birthday.

Mass panic started to gain field in January 1992. One of the computer manufacturers accidentally shipped 500 computers infected with the virus. Then, another one would ship computers with antivirus software preinstalled. Finally, John McAffe told the press that hundreds of thousands of computers may be destroyed by the virus. Another prediction went into millions. Brace yourself!

6th of March arrived peacefully. Although much anticipated, catastrophe did not materialize itself. There was a spike in detections, however, mostly to other than Michelangelo malware. The virus failed to destroy thousands of machines. Cyber reality survived – all in all – untouched.

Apparently, it was not yet the time for the Doomsday.


… and rode a red horse of inflated ego. Known by the name of CIH appeared at the cyber surface in June 1998. It came as a punishment. And as a warning. The warning to the antivirus software developers. Do-not-claim-you-are-so-damn-efficient-or-I-will-prove-you-wrong message.

CIH started its journey at the Tatung University in Taiwan. Then it went into wild. Spreading joyfully was about to bring a calamity on 26th of April 1999. Just enough time to expand satisfyingly.

The virus spread mostly through pirated software. However, couple of legitimate players got caught as well. Naming only 3 European PC gaming magazines shipping infected CD-ROMs, Yamaha delivering an infected version of a firmware update software or IBM releasing their new Aptiva personal computers with the virus preinstalled.

CIH virus went after executable files. After the execution, the virus stayed in memory and infected other programs as they were accessed. When the milk was spilled, CIH overwrote most of the data on the computer. Moreover, it attacked the Flash BIOS chip of the machine. If succeeded, a machine was unable to boot.

Oh, there was a publicity. From conspiracy theory to we-are-doomed statements. On top of that the date itself. 26th of April. The anniversary of the Chernobyl disaster. There could have not been the better date to bring cyber apocalypse.

Well… although we can not underestimate the impact of the virus, its epicenter wound up in Asia. Millions of infections? Sure. Disruptions in productivity? Correct. Pissed off office workers? No doubt.

Unfortunately – with all due respect my friends – this is not enough to qualify for the pledged Armageddon.

Apparently, not yet the time again.


… and rode a black horse. Emerged in January 2003 with an intention to bring absolute catastrophe with the .F variant on 26th of August the same year. Will be remembered by the name of Sobig. Another 26th! Already feeling chills.

Sobig was spreading through email and network shares. Based on its own SMTP engine, was not only spamming itself ferociously, but also downloading a Lala trojan. The trojan which turned infected machines into spamming zombies. For the very first time in history computers were turned into relays so easily.

The third horseman partially learned his lesson. Although payload – which was downloaded on 26th of August – did not make any great entrance, Sobig worm made an everlasting impact on the cyber reality.

Our black character became the fastest spreading worm of its time. Even today still holds the second position, after Mydoom only. At its peak responsible for 2/3 of world’s spam in general! (See also: BRIEF STORY ON HOW TO FINALLY GET PEOPLE NERVOUS ABOUT THIS WHOLE CYBER SECURITY and BATTLE OF WORMS IN 5 ACTS.)

More significantly, Sobig was the very first creator of a spam botnet. As the concept was successfully tried and tested, it opened immense opportunities for the future.

The worm was hugely prosperous. Even though the trigger date did not bring the worst – cyber space survived in a pretty good shape – it opened a whole new chapter. Obviously, the intent was to take advantage, not to kill the milk cow.

Not yet the time.


…and was supposed to force unconditional cyber surrender on 1st of April 2009. The death rider was carrying the name of Conficker.

Rumors around the globe announced an inevitable Doomsday and hostile takeover of millions of machines. The New York Times mentioned an unthinkable disaster. The Guardian called it a deadly threat. Furthermore, this deadly threat was one great enigma. From the very beginning no one knew where did it come from and where was it heading.

Since its appearance in November 2008, it was simply an unsolvable mystery. This extremely prolific network worm was made a great use of MS08-067 vulnerability, which forced servers around the globe to incorrectly handle RPC requests. Several methods of infections and applied stealth techniques put Conficker always couple of steps ahead of the good guys (see also: THE GREATEST MYSTERY IN THE HISTORY OF CYBER SECURITY?).

Although the greatest minds of cyber security industry for months worked in a special force called Conficker Working Group – intending to track, annihilate and indict authors of the worm – no one really came to any practical conclusion about neither the adversary, nor the intentions. The world was pretty much kept in the dark.

There was one thing known for certain though. Conficker.C, one of the first major rewrites, was spotted in February 2009. The Doomsday was about to arrive two months later.

On April Fools’ Day 2009, the worm was to connect to its headquarters and download deadly payload. By the time, the worm was practically everywhere.
F-Secure estimated number of infections at around 2.9 million. And raising! The global botnet was to be activated and allegedly there was no person on Earth who could fully fend off the threat.

The publicity was massive. Wall to wall coverage. Newspapers, tv news stations, internet portals, blogs and cyber industry announcements. You could basically follow this upcoming cyber Armageddon from the front row seat. The world held its breath. Are we doomed? Is it finally the time?

Well, we are still here, right? 1st of April arrived and nothing spectacular happened. To be more specific, not only nothing spectacular happened. Actually, nothing happened. Sure, the Conficker Working Group did its job and significantly crippled created botnet, however, millions of infections were still there. The hype did not live up to reality. Again.


Surely, no one can provide definitive answer. However, both cyber security industry and malicious tools & techniques have evolved significantly in recent years. One could assume such evolution would impede any massive cyber Armageddon in the future. No doubt there is a logic in such a statement.

Firstly, if you wish to cash out your infections you can not bring so much attention. People are to be kept in the dark. For as long as possible.

Secondly, if you wish to bring absolute havoc and utter destruction, then again, silence is the key. You should not give time to raise defenses. People should be caught off-guard.

Finally… is it not already a theme of the past? Massive, common destruction of a big chunk of cyber reality? Didn’t former Horsemen of Cyber Apocalypse taught us enough to make it impossible?

We shall see.   

Maciej Szulejewski

When creating this article I used threat descriptions from F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used blog posts available at archive.f-secure.com/.
Furthermore I used my own research materials.