Internet worms through the ages — from relatively low risk to highly destructive


In recent weeks, information security professionals have been sending out red alerts warning users of rapidly spreading, highly destructive worms. The security experts at DXC Technology are no exception. We are working with customers on a defense-in-depth approach with perimeter security, using products with a secure-by-design approach (like recent chipsets from Intel and ARM) and more network segmentation. Vendors are releasing patches more frequently too, and these are being deployed quickly to help eliminate vulnerabilities.

In May 2017, WannaCry hit more than 200,000 computers in 150 countries, taking hostage computers belonging to banks, hospitals, telecommunications companies and more. This ransomware attack demanded bitcoin payments to release the computers. Loss estimates from the attack range from hundreds of millions to several billion dollars.

In June, Petya/NotPetya hit. The attacks were similar: both WannaCry and Petya targeted only systems running the Microsoft Windows OS and leveraged common mechanisms to spread, including the EternalBlue exploit. However, based on analysis of sample code, NotPetya was disguised to appear as Petya and reused much of its behaviour. NotPetya was not about ransom; it was more a wiper, malware intended to destroy systems and data.

It’s been reported that Petya/NotPetya has caused serious disruption at firms in Europe and the United States, from government agencies and hospitals to shipping and oil firms. This code is considerably more sophisticated, with multiple spread mechanisms and the intent to disadvantage infected organizations. Some are labeling it as cyberwarfare, not malware.

These attacks are a long way from what’s regarded as one of the first pieces of malware to spread via the internet — the Morris worm. The worm, created by graduate student Robert Tappan Morris, was released in November 1988 and quickly got out of hand. It didn’t cause any real destruction, but it took days to clean up. More importantly, it spawned the age of malware and forced everyone to take cyber security more seriously.

Blasts from the past

Through the 2000s, there was a series of notable worms. Many seemed to spread uncontrollably. For the most part, their biggest impacts were jamming networks and servers with the load. Some of the more famous include a worm in 2000 that infected about 50 million, spread through an email with the subject line “I Love You”; the Code Red worm that infected websites, leaving “Hacked By Chinese” on the sites; and Sasser, a worm in 2004 that needed no user intervention because it exploited a vulnerable network port and disrupted businesses.

Automatic replication and spreading create more impact because they do not require user intervention. Our environments are more connected than ever, whether in our office, home, plant or coffee shops. That expectation of being always connected and easy to access is also the foundation of connectivity that worms and malware count on to spread rapidly.

In the past few years, we haven’t seen that many high-profile worms. There are a number of possible reasons. For one, web servers and other Internet-facing systems have been hardened and are better protected. In addition, large-scale attacks started getting a lot of attention from the media, software companies and security experts. That attention resulted in added security and in notoriety, which serious attackers avoid: they don’t typically advertise their activities and prefer to stay under the radar, which is better for them.

The game has changed

But now, in the last two months, we’ve seen WannaCry, Petya and NotPetya. The level of reuse of existing code and the focus on known exploits indicate collaboration and a greater willingness to cooperate to achieve results in the attacker community. And despite the demands for money, the real motives for these two attacks aren’t certain. Whatever the motives, they clearly indicate that the game has changed, and our industry needs to pay more attention to this type of threat.

We need to pay attention to the lessons of past experiences and integrate that thinking into future security designs. DXC continues to be actively engaged in protecting against, detecting and responding to these types of attacks. Our company continues to evolve our services and solutions for this next generation of threats and has a number of solutions to assist clients as they adjust their approach to cyber resilience.


Chris Moyer is chief technology officer for Security at DXC Technology. He has spent more than 25 years building business and technology solutions for clients in several industries across multiple geographies. In previous roles, he has led solutioning, transformation projects and delivery assurance. He is also a member of the Institute of Electrical and Electronics Engineers. Connect with him on Twitter and LinkedIn.

 
