Friday Specials!

What did you do last Friday?

Get together with friends? Watching movies?
How about running a cyber-attack?

Have you ever noticed that a large share of high-profile cyber attacks take place on Fridays? Apparently, this is when our defense is slightly down. This is when the danger creeps out of the corner.

I did some digging and came up with my personal TOP 9 of Friday Cyber Attacks. This awfully biased ranking includes shut-down banks, grounded flights, strip clubs, multiple presidents, Netflix and Anna Kournikova.

Would you like to take a look?

No. 1: Wannacry

On Friday, 12th of May 2017 you could have gone to see the story of King Arthur in a rock’n’roll style from Guy Ritchie.

Or you could have witnessed the main outbreak of one of the most famous ransomware attacks in history. Infected machines got their files encrypted and a payment to restore normal use was demanded. Built on the EternalBlue exploit, the malware affected 155 countries in just one day.

Hospitals, police departments, universities, leading manufacturers, and many more across the globe were impacted. Digital society proved to be vulnerable one more time. North Koreans have never been prouder. Lazarus Group says hello!

Top 9 Friday Cyber Attacks Timeline

No. 2: Sasser

It was Friday, 30th of April 2004. Gmail was exactly 30 days old. This is when Delta Air Lines had to cancel several transatlantic flights, whereas the Finnish Sampo Bank came to a complete halt, forced to close its 130 offices in Finland. Even satellite communication was blocked for hours! At least this is what happened to Agence France-Presse (AFP).

Sasser was immensely successful in terms of its distribution. Exploiting the LSASS buffer overflow vulnerability, it spread to millions of infections within hours, causing repeated crashes and reboots of systems. BTW, have I already mentioned that Sasser was the very last participant of the Battle of Worms (see Battle of Worms in 5 Acts)?

Grounded flights and closed banks. Because of some cyber thingy. Right after a turbulent 2003. There was no going back. The existing status quo was finally deconstructed.

No. 3: CodeRed

That very Friday we were all still amazed by Goran Ivanisevic winning Wimbledon with a wildcard. Right? Except Microsoft. On 13th of July 2001 the giant from Redmond was just about to get some serious bashing.

A memory-resident worm called CodeRed targeted Microsoft’s Internet Information Servers (IIS), which were predominantly used as web servers. The worm used, not surprisingly, a vulnerability published a month earlier: the Index Server ISAPI Vulnerability. It allowed a buffer overflow attack, which simply passes more data to a buffer than it can handle.

It was the very first successful large-scale mixed-threat attack to target enterprise networks. Once in the network, CodeRed prepared a Denial-of-Service (DoS) attack against several fixed addresses. One of them was www.whitehouse.gov.

And this is why it’s my number 3. The audacity of the attack. Any intent to take down the White House’s official website deserves credit. You got yourself onto my personal podium, CodeRed!

No. 4: Colonial Pipeline

Friday, 7th of May 2021. Mother’s Day weekend in the United States. People heading to meet their loved ones. Hackers heading to extort some money. Around $4.5 million, to be more precise. Only several hours after the attack.

Colonial Pipeline is the one responsible for delivering gasoline, diesel, and jet fuel all the way from Texas to New York. According to Wikipedia, 45% of all fuel consumed on the East Coast arrives via this pipeline system. And it all went down. No deliveries. No gasoline. Nothing. For almost a whole week.

The DarkSide group must have been proud of themselves. Or petrified. Either of the two. At least this is how I would feel if the President of the United States promised to discuss my case:

I expect that’s one of the topics I’ll be talking about with President Putin.

President Joe Biden, 13th of May, remarks on the Colonial Pipeline incident.

No. 5: Melissa

I genuinely enjoy this story.

David Kwyjibo Smith was an enthusiast of strip clubs. Strip clubs in Florida to be exact. One of his favourite strippers was called Melissa. And this is how he named one of the first successful mass-mailing viruses. Released to the wild on Friday, 26th of March 1999.

This Word macro virus was written in Microsoft’s Visual Basic and propagated itself through emails. The whole trick was to lure users into opening an attachment. The subject of the emails was Important Message From…. The attachment was called list.doc and contained a list of 80 pornographic websites. Once executed, the virus mailed itself to 50 addresses in the user’s Address Book.

Given the times, the propagation of the virus was tremendous. It went over 100 000 infections. 300 organizations reported being severely affected, which forced them to shut down their email gateways and caused significant losses in productivity. For the very first time in modern cyber history such a burden was put on email servers.

While the world was eagerly awaiting the Millennium Bug, Melissa took the stand. With flair!

No. 6: Mirai

Taking down Netflix?! Well… someone has just crossed the line.

Friday, 21st of October 2016. One of the largest Distributed Denial of Service (DDoS) attacks ever left Twitter, Netflix, Spotify, BBC, Amazon, GitHub, Guardian, HBO, CNN and many more inaccessible. All due to crafty botnet code. Released into the wild. Available to everyone with basic skills and willfulness.

Mirai scanned the Internet for IoT devices that run on the ARC processor. This processor runs a stripped-down version of the Linux operating system. If the default username-and-password combo had not been changed, Mirai was able to log into the device and infect it. Thousands and thousands of them got caught. And eventually got used to take down a big chunk of the internet in the Eastern US.

An easily summoned botnet army taking down the internet in its prime time. Sounds impressive to me.

No. 7: Slammer

At the Australian Open, on Friday, 25th of January 2003, Serena Williams was winning her 5th Grand Slam title against her older sister Venus. Whereas in a dark corner of the internet emerged an unknown and scary worm: Slammer.

Slammer needed only 15 minutes to spread worldwide. A simple piece of code, which exploited a vulnerability known for over 6 months (!), affected 90% of all vulnerable hosts within 10 minutes. It took down 5 of the world’s 13 DNS root servers. Another 5 experienced massive packet loss.

Windows XP activation servers in Redmond were taken offline. Continental Airlines had to cancel and delay a number of flights. Bank of America ATMs refused to dispense cash. In South Korea the entire internet infrastructure was knocked out.

All of that, even though the patch for the exploited vulnerability was readily available… Well-deserved no. 7!

No. 8: Kaseya

On 2nd of July 2021, I was heading downstairs to play around with my bike. The REvil gang was about to encrypt more than 1 million systems. A couple of hours later the same gang asked for a $70 million ransom payment. The payment was to be made by Kaseya, a provider of monitoring and management tools for handling networks and endpoints.

Around 1500 medium-sized companies were impacted through their managed service providers. Kaseya admitted they were the victim of a sophisticated cyberattack. Even the White House spoke! Basically warning President Vladimir Putin to deal with problems in his own backyard. Kaseya denied paying anything whatsoever.

Notwithstanding, soon after, REvil’s payment site, public domain, helpdesk chat platform and negotiation portal were taken down. Retired? Scared? Rebranded? We shall see.

No. 9: ANNAKOURNIKOVA

Oh my. January 2001. Wikipedia goes online, George W. Bush becomes President and Donnie Darko is still in cinemas! On Friday, 12th of January, a promise of nudity started arriving in people’s inboxes around the world. The promise of ANNAKOURNIKOVA naked blew up the internet. Almost.

An off-the-shelf Visual Basic Worm Generator, simple social engineering, and several hundred infections within hours. Cyber users had not learned a thing from the ILOVEYOU worm. Same scheme, same reaction. Although this time it was just for fun: the worm did not do much harm; it increased CPU utilization and clogged networks.

Jan de Wit, creator of the worm, even got himself a job at the municipality. No. 9 is yours, Smarty-pants!

….

Friday! Finally.

Some try to relax.
Some try to catch us off-guard.

Evidence proves we regularly lose this battle.

Maciej Szulejewski

When creating this article I used threat descriptions from F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used Remarks by President Biden on the Colonial Pipeline Incident. Furthermore, I used my own research materials.

BATTLE OF WORMS IN 5 ACTS

PRELUDE: THE WORST EMAIL WORM IN HISTORY

The fastest spreading worm ever emerged from nowhere on Monday, January 26th, 2004. Shortly after its release into the wild it accounted for around 30% of email traffic worldwide. Correct. Almost 30% of the whole email traffic in the world was solely caused by this very worm. The hero of the day was later called Mydoom.

Mydoom spread through email and the Kazaa peer-to-peer network, popular at the time. Most of the email subjects suggested transmission errors, mail delivery failures, tests or server reports. The lure was to open an attachment, which, when executed, sent out the worm through the user’s address book and network shares.

Opening the attachment led to two adverse activities. Firstly, any infected machine was used for a DDoS (Distributed Denial of Service) attack on 1st of February 2004 against the SCO Group, an American software company. Secondly, a backdoor listening on the first available TCP port between 3127 and 3198 was installed. The latter enabled an adversary to turn an infected machine into a proxy, but also opened the door to executing any additional malicious code.
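A defender-side check for the backdoor described above, written as an added example and not part of the original article: it parses Windows-style "netstat -an" output and flags TCP sockets in the 3127-3198 range, both listeners and established sessions on such a port. The netstat sample is constructed, not a real capture.

```python
import re

# Mydoom bound its backdoor to the first free TCP port in 3127-3198 (inclusive).
MYDOOM_PORTS = range(3127, 3199)

# Constructed sample in the layout of Windows "netstat -an"; not real capture data.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
TCP    192.168.1.20:3127      10.0.0.5:49152         ESTABLISHED
TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING
UDP    0.0.0.0:3130           *:*
"""

# proto, local ip, local port, foreign address, optional state
_LINE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state) for every socket line."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header or otherwise unparsable line
        proto, ip, port, _foreign, state = m.groups()
        rows.append((proto, ip, int(port), state))
    return rows


def mydoom_listeners(text):
    """Local ports with a TCP LISTENING socket inside the backdoor range."""
    return sorted({port for proto, _ip, port, state in parse_netstat(text)
                   if proto == "TCP" and state == "LISTENING" and port in MYDOOM_PORTS})


def mydoom_connections(text):
    """Local ports in the range with an ESTABLISHED session: the backdoor in use."""
    return sorted({port for proto, _ip, port, state in parse_netstat(text)
                   if proto == "TCP" and state == "ESTABLISHED" and port in MYDOOM_PORTS})


if __name__ == "__main__":
    print("listening in range:", mydoom_listeners(SAMPLE_NETSTAT))    # [3127]
    print("established in range:", mydoom_connections(SAMPLE_NETSTAT))  # [3127]
```

A hit on 3128 or higher is worth a second look too, since the worm took the first port that happened to be free.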

Soon it was not only about the SCO Group. The second variant went bigger, targeting Microsoft. Both would-be victims offered $250 000 for any information leading to the arrest of the worm’s creator. The FBI was involved, and there was a lot of publicity.

Despite the overwhelming sense of urgency on the defense side, Mydoom, using over one million machines, managed to take down the SCO domain. It did not work against Microsoft though. They managed to prepare themselves well enough.

Both variants had their expiration date hardcoded. The first one retired on 12th of February. The second one on the 1st of March. Was it supposed to be a one-time shot? With a specific purpose, written on demand? There was a clue indicating such a scenario. Take a look:

andy; I’m just doing my job, nothing personal, sorry,

This was the message embedded in the code of the worm. This ‘job’ caused billion-dollar losses around the globe. At the time Mikko Hyppönen described Mydoom as ‘the worst email worm incident in history’. Well… actually the real fun was just about to start.

ACT 1: NETSKY CHASING DOWN MYDOOM

There were just a bit more than two weeks of peaceful spreading for Mydoom. Almost uninterrupted. Full success, leaving thousands of backdoors operating on infected machines. Until Monday, 16th of February 2004. The can-you-top-this game started off.

Out of nowhere emerged a 17-year-old German malware enthusiast, Sven Jaschan, and his creation: NetSky. Another network-spreading worm, which easily distributed itself worldwide. Another one luring its victims through socially engineered emails. With just one difference. NetSky was literally chasing down Mydoom. Its sole purpose was to remove or disable it.

The real playground-style brawl started on Wednesday, 25th of February. This is what was found inside the code of NetSky.C:

We are the skynet – you can’t hide yourself! – we kill malware writers (they have no chance!) – [LaMeRz–>]MyDoom.F is a thief of our idea! SkyNet AV vs. Malware.

Pretty compelling, right?

ACT 2: BAGLE JOINS THE PARTY – WANNA START A WAR?

The more the merrier. NetSky was actually hunting down not only the famous Mydoom. In fact, there was yet another target: Bagle. One more network-spreading worm, with its own SMTP engine, joyfully installing backdoors.

Different variants of Bagle started popping up as early as mid-February, competing with the self-proclaimed saviour on a daily basis. It was Tuesday, 2nd of March when it really started to get juicy. Let’s give the floor to both runaways:

Hey, NetSky, fuck off you bitch, don’t ruine our bussiness, wanna start a war?

Bagle.J

To netsky’s creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your shitty app.

MyDoom.G

No doubt both sides enjoyed it. Wednesday, 3rd of March:

Skynet AntiVirus – Bagle – you are a looser!!!!

NetSky.F

Hey, NetSky, fu** off you bitch!

Bagle.J

And then there was Monday, 8th of March. Could it be the end? The NetSky author was apparently signing off. The following message was embedded in the .K variant:

We want to destroy malware writers business, including Mydoom and Bagle… This is the last version of our antivirus. The source code is available soon.

At the time, March 2004, the situation was pretty obvious. A scattering of malware writers was disturbing the whole internet. Unpunished. Playing a cat-and-mouse game with the entire antivirus world.

ACT 3: NEVER SEEN ANYTHING LIKE THAT BEFORE

Different variants of all three worms were popping up like crazy. More and more machines were getting infected every day. Instant reactions to any move made by the greats of the antivirus world. This is how Mikko Hyppönen, Chief Research Officer at F-Secure, described it:

Whoever is behind it is sitting around waiting for us to respond. If the target is to exhaust the antivirus people, he’s succeeding at it. My team is really tired. We are working through the night and the weekends.

Mydoom developed into at least 10 different variants. NetSky entertained itself with 31 incarnations. Bagle beat them all. Its variants went through the alphabet several times.

Could it possibly get any worse? Well… Sven Jaschan, the author of NetSky, decided to enter the battlefield once again. No doubt he made a pretty impressive entrance. First observed on 30th of April, the Sasser worm was immensely successful in terms of its distribution. Using the LSASS buffer overflow vulnerability, Sasser managed to infect millions of machines. The .E variant was the first to directly attack and annihilate Mydoom and Bagle.

The Worm War started to fade out though. Neither NetSky nor Sasser managed to significantly disturb the proliferation of Mydoom and Bagle. In fact, Sasser caused so much damage around the world, including grounding airlines and temporarily shutting down Sampo Bank’s offices, that its author was tracked down and brought to court.

Obviously, all characters of this story outgrew their initial intentions. In fact, 15 years later they still have a pretty decent record of persistence.

CLOSING: THEY’RE STILL OUT THERE

Mydoom took down the Google site on 26th of July 2004. For most of the day the site was inaccessible. The code was reused in July 2009 for cyberattacks on South Korea and the United States. As reported by Palo Alto Networks, one percent of all malware-carrying emails sent during 2019 were Mydoom emails.

The Bagle worm evolved into the Bagle botnet, mostly involved in proxy-to-relay email spam. As reported by SC Magazine UK, the botnet was responsible for about 10.39% of the worldwide spam volume on December 29, 2009, with a surge up to 14% on New Year’s Day.

Something more up to date? In December 2018, the Comodo Group indicated that the very first two variants of the worm, Bagle.A and Bagle.B, still arrive in people’s inboxes.

Mydoom is still considered to be the worst email worm incident in history. The Worm War fueled the evolution of Bagle so heavily that it’s difficult to count its variants anymore. The War itself became the very first immensely impactful playground at the expense of millions of unaware internet users across the world. The dust has settled. Worms, however, remain restless.

Maciej Szulejewski

When creating this article, I used threat descriptions from F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used NetSky author signs off, War of the worms turns into war of words, German police arrest Sasser worm suspect from theregister.com, Virus writers trade insults as e-mail users suffer from nbcnews.com, The Stealthy War Between Virus Creators from abcnews.go.com, Virus writers exchange coded insults from zdnet.com.