Development of cybercrime – part three
The second half of the 2000s was a period of far-reaching changes in the development of cybercrime. On the global stage, the place of the previously popular worms began to be taken by tools created by organized hacking groups that were focused on profit and infecting as many devices as possible. It was also a time of growth for malicious tools hitting critical and industrial infrastructure.
Fortinet specialists present the third part of the study on the history of cybercrime development.
2005: Mytob/Zotob – worm, backdoor and botnet all in one
Before the advent of Mytob, the authors of malware were mostly enthusiasts who created it as a joke or out of sheer curiosity. However, the emergence of the Mytob/Zotob variants changed the world.
Mytob combined the functions of a worm, a backdoor, and a botnet. It infected devices in two ways. In the first, it used contacts from the victim’s address book for automatic distribution, spreading as a malicious email attachment. In the second, it exploited protocol vulnerabilities that allowed it to scan the network for vulnerable devices and then replicate to them.
Mytob was also one of the first types of malware that blocked anti-virus software or even worked against it, preventing the victim’s computer from connecting to sites containing updates. It was very effective for its time and had many variants with different functionality. It was constantly at the top of lists of the biggest threats.
The Mytob/Zotob variants caused massive disruption to hundreds of companies, including the New York Times newspaper and the CNN television station.
The dawn of the era of spyware and search interception
2005: CoolWebSearch and BayRob
CoolWebSearch, commonly known as CWS, was the first tool that allowed cybercriminals to intercept search results from Google and overlay them with “results” supplied by the attackers themselves. CWS was most often spread by downloaded applications or adware. It was so widespread and difficult to remove that volunteers developed removal programs (such as CWS Shredder) and ran online forums to help remove it for free.
A similar attack appeared a few years later, in 2007. It resulted in criminals intercepting search results from eBay. It was discovered when a woman in Ohio bought a car for several thousand dollars that never arrived. Authorities determined that the vehicle was not actually for sale, and that the would-be buyer’s computer contained BayRob malware that “injected” fake offers onto her device. The FBI and Symantec waited patiently for years for the cybercriminals to make a mistake, culminating in their arrest in 2016.
Spyware, spy vs. spy and the discovery of cyberweapons used by states
2010: Stuxnet
The beginning of 2010 is when malware used to attack Industrial Control System (ICS) devices, specifically Supervisory Control and Data Acquisition (SCADA) devices, was discovered. Stuxnet turned out to be the first malware to target critical infrastructure. In this case, the targets were industrial centrifuges (especially nuclear centrifuges), which Stuxnet caused to spin excessively, leading to a meltdown. It primarily attacked companies in Iran, but soon spread to SCADA systems around the world. Analysis of its code showed that it was not specific to devices used in Iran and could be adapted to any company that used ICS solutions. An article published in 2012 in the NY Times confirmed that Stuxnet was developed by the United States and Israel.
2011: Regin
Regin was a modular Remote Access Trojan (RAT) that could easily adapt to its target environment. Exfiltrated documents were often stored in an encrypted container. Because that container was a single file, it did not raise suspicion among system administrators or anti-virus software. According to Der Spiegel, Regin was a creation of the U.S. NSA and was designed to spy on European Union citizens. This was revealed in the leaked information provided by Edward Snowden.
2012: Flame
At the time of its discovery, Flame was considered the most advanced malware ever found. It had everything: the ability to spread through a LAN, to record and capture screenshots and audio, and to eavesdrop on and record conversations. Flame’s targets were primarily organizations in the Middle East.