If Anna Kournikova and Sircam wasn’t enough, people were also bombarded with a worm known as Code Red. Though there is a bit of a relief with this worm as it attacked computers who were running Microsoft’s IIS web server. Meaning it didn’t affect the average user’s computer unless you were coding websites at the time.

The worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh. However it didn’t start causing damage until Riley Hassell came in and discovered a vulnerability that the worm then exploited.

Since this worm wasn’t an email virus like the others, there wasn’t a particular name for this worm. Instead it was named after coincidences. In this instance the group was drinking Code Red Mountain Dew at the time that this worm exploited the vulnerability. Hence the name Code Red Worm.

The worm worked slowly. It was released on July 13th, but it only started to wreak havoc on the 15th of July. The peak of its damage hit on the 19th of July where the infected hosts reached 359,000 computers.

So how was this worm able to really spread? Well, again the virus spread through exploiting a vulnerability in the system and there was a patch for that particular vulnerability made one month before this virus even hit.

In other words, those computers likely didn’t bother downloading that patch and suffered for not doing so.

When the computer was infected, the worm spread itself using a vulnerability tactic known as buffer overflow. This tactic is basically overwhelming an infected system using a long string of arbitrary code. In this case this worm overflowed the buffer with the letter ’N’.

From these causes, the worm would perform a handful of activities. First it would deface the web site it infected. Instead of a typical website you’d get a blank screen and the following message:

HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

Other activities the worm did during the month depended on the day.

From the 1st to the 19th, the worm would work to spread itself to IIS servers on the Internet. This was why the peak of it’s infection was hit on the 19th and was then contained before it could cause any further damage.

From the 20th to the 27th, users would get a denial of service attacks on many fixed IP addresses. The IP address of the White House’s web server was among those attacked during that time. This was when they brought in a professional who uncovered all of this information and took steps to prevent any more damage.

From the 28th until the end of the month the worm was sleep and there were no active attacks.

What’s also worth noting is that the Code Red worm was eventually followed up by a variant named Code Red 2. It behaved in a similar fashion but had different end results. I’ll expand on that virus in a future episode.

While this worm was self-contained to web servers, the lesson this worm teaches us is to make sure that we stay updated on our security programs. Remember, every update whether it’s on a WordPress site, an app, or our computer typically tightens up security with more features to protect ourselves from attacks.

2001 didn’t just have the Anna Kournikova virus. They also had a virus known as Sircam, a computer worm that infected emails through Microsoft Windows systems. At the time it only affected Windows 95, 98 and Windows Me (aka Millennium), but it still spread quite quickly.

The idea behind this worm is similar to any other email virus. You’d get a standard message followed by an attachment. The attachment is what would contain the virus and if you opened it the virus would spread.

But what’s interesting is how the virus worked during that process.

First of all, there were eight messages the virus was designed to send. It would pick one of them and send a user the email with one of the following:

• I send you this file in order to have your advice

Looking at it now, detecting this worm is kind of obvious since the phrases all have spelling or grammatical errors in them. Even the Spanish versions were a little off too. But due to a bug within the worm itself users rarely saw any other of the other phrases mentioned there.

Instead most users got the message “I send you this file in order to have your advice.” This in turn became an inside joke amongst those using the Internet and were spammed by this email containing this string of text.

But despite it being a bit of a joke, the virus affected a fair bit of computers.

What was another big tell was that the file that was sent in question likely wasn’t relevant to the receiver of these emails. You see when someone opened the email and got the worm, Sircam would distribute itself and infect document files - typically .doc or .xls - at random. They would then send an email to every email in that persons address book with that particular file.

So ultimately what the worm did was send users an email with a slightly broken phrase and a file that would be utterly irrelevant. However it’s due to that file that many people’s personal or private files were emailed to people who shouldn’t have gotten them.

Despite all of those seemingly obvious warning signs how did this virus become one of the top 10 outbreaks of viruses?

Well not only did it impact those emails, it also could spread to networks. Sircam scanned the network for computers who had shared drives and then copied itself to a machine who had an open drive or directory. Meaning that if any of your drives were on a shared network and wasn’t password protected, Sircam could get in.

What followed was a Remote Procedure Call (RPC) which would go unnoticed to the average user. What an rpc is merely a subroutine procedure that’s conducted in an outside space and without the user being aware. In this case, it’s fair to say that this worm would send more emails to people without the user noticing.

As a result of these two aspects, even after a year of the initial outbreak, Sircam was still one of the top 10 viruses to look out for. No one knows who the original author was or what sort of damage was done.

The ILOVEYOU virus wasn’t the last time people would experience an email virus. Wreaking havoc in the year 2000, one year later people had to face a new threat: Anna Kournikova.

For those keeping up with their sports, the name of this virus is named after the same tennis player Anna Kournikova. And this was made entirely by design. Authored by a 20-year old Dutch student named Jan De Wit who called himself OnTheFly, this worm was sent out to people February 11th 2001.

This was an email virus similar to ILOVEYOU and as the virus name would suggest, the email had a picture of Anna Kournikova. The idea behind this email was to trick people that the famous tennis player Anna Kournikova emailed them.

What happens next is the person would open the email, and open the attached file. If the user was operating a Microsoft Windows computer, the attachment wouldn’t display the picture but rather launch a Visual Basic Script (or vbs) and forward itself to everybody in their address book.

All of this behaviour is similar to the ILOVEYOU virus. Both are an email based virus targeting and spreading through Microsoft Outlook’s platform. The only big difference between these worms was Anna Kournikova didn’t corrupt data. Instead it disrupted numerous email servers across the globe.

But what’s more shocking about this virus is the process in which it was created. Other viruses up to this point took a few days work to create. But that wasn’t the case for this virus. According to De Wit, he downloaded a tool kit to help him make the virus. This cut down the time to make the virus considerably.

What would’ve taken a few days was squeezed into a morning. The virus was made on Sunday February 11th and was sent out the same day at about 3 pm.

As for De Wit himself, he took full responsibility. In fact, when he realized what the worm actually did he turned himself in in his hometown of Sneek on the 14th of February. This was after posting a confession that he created the virus on a website and sent it out to a newsgroup. The post was live on the 13th of February.

This confession also outlined his motivations for creating this virus. First was the fact he felt people hadn’t learned their lesson yet from the ILOVEYOU virus in that their security systems weren’t any better.

But aside admission and the regret of the damage, he also had some external blame for people. He blamed the rate of the infection to do with people who were entranced by the beauty of this tennis player. He explained that it was people’s own fault that they got infected.

For the record, De Wit also had a number of pinups on his website suggesting he was a massive fanboy of Kournikova.

While the damage done overall was little (the US reported damages of US$166,000), this was an example of virus information being readily available to people. And while that toolkit was later removed by the original programmer Buenos Aires, the fact remains that this information was becoming more and more available.

Not to mention more people had growing computer skills and had the ability to make these viruses.

Otherwise known as Chernobyl or Spacefiller, CIH was a Microsoft Windows 9x computer virus. It first emerged by 1998 and was highly destructive to vulnerable systems. From overwriting critical information to infecting system drives, this was the next big splash of a virus after the Morris worm.

Created by Chen Ing-hau, a student at Tatung University in Taiwan, and is the CEO and founder of 8tory (a facebook memory app). At the time, the virus infected roughly sixty million computers internationally and resulted in $1 billion US in commercial damages.

According to Chen, he claimed the virus was written due to bold claims from antivirus software developers that their programs were antiviral efficient. Once Chen got the virus to spread thanks in part to some of his classmates, he apologized to the school and created an antivirus program himself to stop the CIH virus.

Similarly to the Morris worm incident, Chen wasn’t charged with anything because no victims came forward with a lawsuit. Though this event did usher new computer crime legislation in Taiwan.

So how did this virus get the aliases Chernobyl and Spacefiller? Well for Chernobyl, the name was coined that since people knew the virus as CIH during infection. But CIH also was a reference to the payload trigger date in some variants of this virus. This trigger date coincided with the Chernobyl disaster on April 26th.

How the virus got the name Spacefiller was due to the fact that most viruses wrote their code to the end of the infected file. This means that when virus like that infected a file, the file size would inflate dramatically, make it obvious that the file was infected.

CIH behaved differently in that it looked for gaps in the program code and wrote itself into those gaps. As a result, this didn’t increase file size and made it harder to spot the virus.

Getting into specifics of this virus, how it caused damage was by hiding in the shadows and triggering on the aforementioned date.

First, the virus would overwrite the first megabyte of a hard drive with zeroes. This deleted the contents of the partition table and users could see one of two things: the machine hanging on cue, or you’d see the blue screen of death.

It’s because of this particular payload that caused so much disruption and damage. After all, in March 1999, thousands of IBM Aptivas were shipped with this virus all conveniently one month away from when the virus would get activated.

On top of that, Yamaha shipped software updates on December 31st, 1999 with this virus too.

Because of those occurrences, there was a lot of damage done. Thankfully the author of the virus released a fix for this problem.

The same can’t be said though for other variants of this virus. While Chen isn’t behind any of the variants, the variants behave in similar fashions, activating on the 26th of April. Some even activate on the 26th of any given month.

Not to be confused by the famous artist, this is a different kind of masterpiece depending on who you are talking to. First detected on 4th of February 1991 in Australia, the virus was like most other viruses around the time in that it infected the boot sector.

The only thing is that no one knew their disks were infected until a particular day, similar to the Jerusalem virus. Instead of it being the 13th of October, this virus came to life on the 6th of March, the birthday of Michelangelo.

Outside of his birthday, there was no other reference in the virus to the artist. Michelangelo stuck when those researching the virus noticed that it activated only on that particular day. The actual significance of this date to the author is unknown. In fact, it’s hard to know if the author intended the virus to be named Michelangelo.

As for what this virus does upon activation is basically make the data on the disk irretrievable for the the average user. It does this by infecting the disks operating systems and even the master boot record in some cases.

These conditions only apply if the disk inserted was on that particular date but also the PC was an AT or PS/2 computer.

Though the virus was first noticed in 1991, it wasn’t until January 1992 when the virus became more well known. Apparently Intel’s LANSpool print server at the time was infected with this virus. This meant that the few computers that came out were accidentally shipped out.

This resulted in the public unrest as well as expert claims. At the time, one of the biggest people to push the battle against Michelangelo was John McAfee, an anti-virus company founder at the time.

Though these actions seemed to be unnecessary as there were only a few hundred of these faulty computers that were shipped.

As a result, people were warned and given tips to avoid March 6th. From advice to simply not run the computer on that day to changing the clock on the computer to skip March 6th entirely. By 1997, the number of cases of data loss were non-existent. By that point most people forgot about the existence of this virus entirely.

Similar to Jerusalem, no one knows the author’s name, or their intention with this virus. That being said, I’d argue that this virus along with Jerusalem virus were the first iterations of Trojan horses, a virus that would activate during certain circumstances like a date or a specific time of the day. Perhaps trojan horse viruses were first inspired by these particular viruses.

Created in October 1987, this is a virus that has worm-like behaviors but was created a year before the Morris worm ran havoc over the Internet. As such, there’s not really a classification for this virus as it’s behavior was different to worms.

The only similarity it has to worms is that it likes to multiply and create files on disks multiple times. Though how it went about it was unusual.

First of all, Jerusalem was a logic bomb virus. Once it was infected, it sticks to becoming a memory resident. As a result, it takes up 2 kilobytes of memory on a disk. It then starts to infect every executable and COM file that’s run on that disk. Though it avoids any command.com files.

COM files specifically grow by exactly 1,813 bytes. Executable files grow between 1,808 and 1,823 bytes every time they’re infected. They’re then re-infected every time the files are loaded until they are too large to load.

What’s also unusual is what the virus infects. For one, it can’t infect read-only files. So floppy disks are off the table.

But the most unusual aspect about this virus is when it goes off. Out of all the viruses out there this one takes the cake for being really unique. Since this virus is a logic bomb, it goes off when you’ve “lit the fuse” so to speak. And someone lights this fuse when they load a particular disk with this virus on the 13th of October on any given year except for 1987, the year the virus was created.

Once the fuse is lit it deleted any programs that were run that day and infected them.

Because of all of these unusual circumstances, this virus has multiple aliases and variations of it. The name Jerusalem stuck the most because this virus was detected by students who were at Hebrew University of Jerusalem.

Other names for this virus is Friday the 13th, ArabStar, 1808(EXE), 1813(COM), Hebrew University, Saturday 14, amongst others.

But how did this virus get detected in the first place? Well the students spotted a subtle difference. This particular virus didn’t have any clear messaging unlike other viruses, but it did mis-capitalize words.

To this day, no one knows who created this virus, or what the purpose was for it. Some people believe it was created by the Palestine Liberation Organization (PLO) to mark May 13th 1948, the day before Israel Independence Day but it’s still uncertain.

While the Morris worm was one of the biggest main stream virus, there were other viruses made around it’s time. Each one made their own impact in their own way. After all, I listed off a handful of viruses made around the time the Morris worm was around.

Out of them all, the Brain computer virus is likely the most important one. After all the term “Brain” is the industry standard name for any computer virus released in its first form in the late 1980s.

The original Brain computer virus was considered to be the first computer virus of its time. The virus targeted the boot sector of storage media, infecting it and replacing the boot sector with this virus.

In other words if you inserted a floppy disk that was infected  with the virus, you would receive a message instead. The message read:

Welcome to the Dungeon (c) 1986 Amjads (pvt) Ltd VIRUS_SHOE RECORD V9.0 Dedicated to the dynamic memories of millions of viruses who are no longer with us today - Thanks GOODNESS!!! BEWARE OF THE er..VIRUS : this program is catching program follows after these messages….$#@%$@!!

There are various versions of this message but the virus always slowed the floppy disk. It also makes seven kilobytes of its memory unavailable, a pretty small amount for floppy disk standards. A floppy disk back then had 1.44 megabytes - or 1440 kilobytes - of storage space.

Similar to the Morris worm, the brain was made by a man with diffferent intentions than what it did. Created by Amjad Farooq Alvi, he lived in Lahore, Pakistan when he made Brain. According to TIME magazine, he had written Brain in order to protect medical software for privacy.

The idea for Brain was to target copyright infringement only and to stop it. Instead it became the virus we know today.

But the Brain virus is a pretty unique one. Compared to the Morris worm and the other viruses made around this time, Brain didn’t hop from infected floppy disk to another one. Brain had cryptic message - like the Welcome to the Dungeon bit which referenced a programming forum back then - but lacked the code for dealing with hard disk partitioning. It also avoids infecting hard disks by checking the bit of the disk inserted. If it’s clear, it doesn’t infect.

That’s unique because the other viruses at the time didn’t have that level of intelligence. For example the Morris worm did check to see if a floppy disk was infected, but it would infect the disk again regardless.

Because of Brain’s behaviour, this virus often went undetected and people wouldn’t pay much attention to the floppy disk having low loading speed.

Still, the Brain became noticeable because amongst those infected, the virus also included a phone number in order for Amjad to be contacted. After a while, Amjad and his brother working with him - I sadly don’t have his name - were swamped with angry phone calls from people who want the virus removed.

Amjad explained to them his intentions weren’t malicious and helped to reverse the virus. After that, the virus ceased to be.

Though one of the brothers decided to keep an homage to the virus in an unusual way. Shahid Farooq Alvi created two business: Brain NET, an internet service provider, and Brain Telecommunication Limited.

Despite the bit of damage Brain did, these two businesses are still operational in Pakistan.

Over the past several episodes I’ve talked a little about computer viruses. From The Morris Worm to the ILOVEYOU virus. But there is another term to describe these types of viruses: Malware. It’s become so common that maybe some of you thought computer virus and malware were perhaps two separate things.

After all, we hardly ever hear the term computer virus being used. It’s mainly malware.

But anyway malware has evolved extensively over the years and I think it’s important to show the highlights and growth of malware over the past few decades.

After all, if we are to better protect ourselves, understanding the development before getting into specifics will help us moving forward.

Malware all started in the 1980s and 1990s. The biggest splash in this area was The Morris Worm. It was the first form of malware to spread across the internet. There were some other ones that are worth bringing up too. There was Brain, Jerusalem, Michelangelo, CIH and the Melissa virus. I’ll talk about those in detail another time.

Getting into the 2000s, we saw an upgrade of malware. They were rapidly growing, effectively doubling every year. The most notable malware was internet and email worms. You had ILOVEYOU but there were others. Examples are Anna Kournikova, Sircam, CodeRed worm, and Nimda. This was also around the time where phishing and other credit card scams emerged.

Since 2010 and over this past decade, malware is still prominent but it’s more so used to leverage compromised systems. Outside of the numerous breaches over the past decade you also had some other notable events. These pushed businesses to have stronger security measures. Some malware that you can look up and I will explore later are the Stuxnet worm, ZeroAccess, a Trojan horse.

Not until 2013 we started to see ransomware. This was malware that locked files on a user’s computer and users had to pay a ransom to get access to that information again. One notable one was CryptoLocker, another Trojan horse. You also had Gameover ZeuS which used keystroke logging to steal login details. Some other notable ones was 2017’s ransomwares WannaCry and Petya.

Lastly there is Thanatos, the ransomware that’s been released and allow hackers to accept Bitcoin payments.

As you can see from the overall history, malware has evolved and has impacted the world on larger scales. Of course there are all kinds of ways we can better protect ourselves. But I find the first step to better protect ourselves is to know exactly what we are up against.

Shopping online is easy and convenient and many people make a point of doing this now. It’s because of this fact that many hackers and scammers have gone to great lengths to create sophisticated and elaborate ways to nab your credit card information.

Fortunately there are all kinds of ways you can take measures to protect yourself. I’ve mentioned in a previous episode about some methods, but I’d like to include other ones that I didn’t bring up in the previous episode.

Some other advice to consider are the following:

First, shop with websites you trust. This means dealing with businesses that you know exist in the real world.

Second, if you do shop at a new store or an unfamiliar site, be sure to have a look around the site. Is the site on social media and do they interact with their customers? Do they have any reviews? What do customers have to say about them? Check their background info with the Better Business Bureau. Make sure they don’t have any complaints about scams or history of scams.

Third, be wary of to good to be true sales. While stores have been jumping on Cyber Monday, Prime Day, Black Friday and other big sales, you want to pay special attention to those prices. Sometimes those prices are way too low. Make a point of comparing the products images and price with other stores selling the exact same thing.

Fourth, avoid giving out too much information. There will never be a store asking you for deep personal information. Typically stores only need an address, and some payment information like credit card number or PayPal information. If the store needs more, contact their customer service and see if you can use alternative information. If not, find someplace else.

Fifth, have a mind for details. When shopping online, make a point of screenshooting the receipt or have it emailed to you. During high sales times things can get lost in the cracks. Sometimes you get the wrong item or won’t get it altogether. This tip leads into the final tip I have to say.

That final tip is if something does happen, take action to ensure something gets done. Try to be helpful which means don’t call the company and start complaining to them. Let them know you’ve been waiting for a longer period of time than usual. Provide transaction numbers or the receipt they gave you.

While the number of cyberattacks increase, there have been some even bolder cyberattacks done now than ever before. For sure there have been massive breaches from various companies, but now cyberattacks are happening to banks.

Cyberattacks on financial institutions have been increasingly linked to nation-states that have been causing a variety of disruptions on many levels. After all, the states that are behind the vast majority of these attacks are countries like Iran, Russia, North Korea, and China.

But what’s disheartening is that the report that was released that outlines these cyberattacks noted that there were only two attacks in 2016 and 2017 that were linked to those countries. That number jumped to six in 2018.

The report also talked about the growing concerns due to the vulnerable state of our financial system to these threats. Tim Maurer, the co-director at Carnegie Endowment for International Pease said:

“Now banks have to defend against not only cyber criminals and politically-motivated disruptions, usually of a temporary nature, but large-scale theft pursued by a nation-state. This evolution of the threat has forced regulators and industry worldwide to shift their attention from mitigating firm-specific risks to increasingly focus on sector- and system-wide risks.”

State-sponsored attacks refer to operations including direct nation-state activity and proxy activity that’s done by so called hacktivists.