Josh Fruhlinger

11 infamous malware attacks: The first and the worst

Whether by dumb luck or ruthless skill, these malware attacks left their mark on the internet.


Viruses and other malware spreading for sinister or baffling reasons has been a staple of cyberpunk novels and real-life news stories alike for decades. And in truth, there have been computer viruses on the internet since before it was the internet. This article will take a look at some of the most important milestones in the evolution of malware: These entries each represent a novel idea, a lucky break that revealed a gaping security hole, or an attack that turned out to be particularly damaging—and sometimes all three.

  • Creeper virus (1971)
  • Brain virus (1986)
  • Morris worm (1988)
  • ILOVEYOU worm (2000)
  • Mydoom worm (2004)
  • Zeus trojan (2007)
  • CryptoLocker ransomware (2013)
  • Emotet trojan (2014)
  • Mirai botnet (2016)
  • Petya ransomware/NotPetya wiper (2016/7)
  • Clop ransomware (2019-Present)

1. Creeper virus (1971)

Computer pioneer John von Neumann’s posthumous work Theory of Self-Reproducing Automata, which posited the idea of computer code that could reproduce and spread itself, was published in 1966. Five years later, the first known computer virus, called Creeper, was written by Bob Thomas. Written in PDP-10 assembly language, Creeper could reproduce itself and move from computer to computer across the nascent ARPANET.

Creeper did no harm to the systems it infected—Thomas developed it as a proof of concept, and its only effect was that it caused connected teletype machines to print a message that said “I’M THE CREEPER: CATCH ME IF YOU CAN.” We’re mentioning it here despite its benign nature because it was the first, and set the template for everything that followed. Shortly after Creeper’s release, Ray Tomlinson, best known for implementing the first email program, wrote a rival program called Reaper that spread from computer to computer eliminating Creeper’s code.

2. Brain virus (1986)

Creeper was designed to leap across computer networks, but for most of the 1970s and ’80s that infection vector was limited, simply because most computers operated in isolation. What malware did spread from computer to computer did so via floppy disks. The earliest example is Elk Cloner, which was created by a 15-year-old as a prank and infected Apple II computers. But probably the most important of this generation of viruses was one that came to be known as Brain, and started spreading worldwide in 1986.

Brain was developed by computer programmers (and brothers) Amjad and Basit Farooq Alvi, who lived in Pakistan and had a business selling medical software. Because their programs were often pirated, they created a virus that could infect the boot sector of pirated disks. It was mostly harmless but included contact information for them and an offer to “disinfect” the software.

Whether they could actually “fix” the problem isn’t clear, but as they explained 25 years later, they soon started receiving phone calls from all over the world, and were shocked by how quickly and how far Brain had spread (and how mad the people who had illegally copied their software were at them, for some reason). Today Brain is widely regarded as the first IBM PC virus, so we’re including it on our list despite its benign nature, and the brothers still have the same address and phone number that they sent out 25 years ago.

3. Morris worm (1988)

1988 saw the advent of a piece of malware called Morris, which could claim a number of firsts. It was the first widespread computer worm, which meant it could reproduce itself without needing another program to piggyback on. It targeted multiple vulnerabilities to help it spread faster and further. While not designed to do harm, it was probably the first malware to do real substantive financial damage, more than earning its place on this list. It spread incredibly swiftly—within 24 hours of its release, it had infected 10 percent of all internet-connected computers—and created multiple copies of itself on each machine, causing many of them to grind to a halt. Estimates of the costs of the attack ranged into the millions.

The worm is named after its creator Robert Morris, who was a Cornell grad student at the time and meant it as a proof-of-concept and demonstration of widespread security flaws. Morris didn’t anticipate that it would spread so quickly or that its ability to infect individual computers multiple times would cause so much trouble, and he tried to help undo the damage, but it was too late. He ended up the unfortunate subject of another first: The first person convicted under the 1986 Computer Fraud and Abuse Act.

4. ILOVEYOU worm (2000)

Unlike the previous malware creators on this list, Onel de Guzman, who was 24 in 2000 and living in the Philippines, crafted his creation with straightforward criminal intent: he couldn’t afford dialup service, so he built a worm that would steal other people’s passwords so he could piggyback off of their accounts. But the malware so cleverly took advantage of a number of flaws in Windows 95—especially the fact that Windows automatically hid the file extensions of email attachments so people didn’t realize they were launching executable files—that it spread like wildfire, and soon millions of infected computers were sending out copies of the worm and beaming passwords back to a Filipino email address. It also erased numerous files on target computers, causing millions of dollars in damage and briefly shutting down the U.K. Parliament’s computer system.

de Guzman was never charged with a crime, because nothing he did was illegal in the Philippines at the time, but he expressed regret in an interview 20 years later, saying he never intended the malware to spread as far as it did. He also ended up being something of a pioneer in social engineering: the worm got its name because it spread with emails with “ILOVEYOU” in the subject line. “I figured out that many people want a boyfriend, they want each other, they want love, so I called it that,” de Guzman said.

5. Mydoom worm (2004)

Mydoom may be almost 20 years old as of this writing, but as of today it still holds a number of records. The Mydoom worm infected computers via email, then took control of the victim computer to email out more copies of itself, and did it so efficiently that at its height it accounted for a quarter of all emails sent worldwide, a feat that’s never been surpassed. The infection ended up doing more than $35 billion in damages, which, adjusted for inflation, has also never been topped.

The creator and ultimate purpose of Mydoom remain mysteries today. In addition to mailing out copies of the worm, infected computers were also used as a botnet to launch DDoS attacks on the SCO Group (a company that aggressively tried to claim intellectual property rights over Linux) and Microsoft, which led many to suspect some rogue member of the open source community. But nothing specific has ever been proven.

6. Zeus trojan (2007)

Zeus was first spotted in 2007, at the tail end of the Web 1.0 era, but it showed the way for the future of what malware could be. A Trojan that infects via phishing and drive-by downloads from infected websites, Zeus isn’t just one kind of attack; instead, it acts as a vehicle for all sorts of malicious payloads. Its source code and operating manual leaked in 2011, which helped both security researchers and criminals who wanted to exploit its capabilities.

You’ll usually hear Zeus referred to as a “banking Trojan,” since that’s where its variants focus much of their energy. A 2014 variant, for instance, manages to interpose itself between a user and their banking website, intercepting passwords, keystrokes, and more. But Zeus goes beyond banks, with another variation slurping up Salesforce.com info.

7. CryptoLocker ransomware (2013)

Zeus could also be used to create botnets of controlled computers held in reserve for some later sinister purpose. The controllers of one such botnet, called Gameover Zeus, infected their bots with CryptoLocker, one of the earliest prominent versions of what became known as ransomware. Ransomware encrypts many of the files on the victim’s machine and demands a payment in cryptocurrency in order to restore access.

CryptoLocker became famous for its rapid spread and its powerful asymmetric encryption that was (at the time) uniquely difficult to break. It also became famous due to something unusual in the malware world: a happy ending. In 2014, the U.S. DoJ and peer agencies overseas managed to take control of the Gameover Zeus botnet, and restore the files of CryptoLocker victims free of charge. Unfortunately, CryptoLocker spread via good old-fashioned phishing as well, and variants are still around.

8. Emotet trojan (2014)

Emotet is another piece of malware whose functionality has shifted and changed over the years that it has remained active. In fact, Emotet is a prime example of what’s known as polymorphic malware, with its code changing slightly every time it’s accessed, the better to avoid recognition by endpoint security programs. Emotet is a Trojan that, like others on this list, primarily spreads via phishing (repeat after us: do not open unknown email attachments).

Emotet first appeared in 2014, but like Zeus, is now a modular program most often used to deliver other forms of malware, with Trickster and Ryuk being two prominent examples. Emotet is so good at what it does that Arne Schoenbohm, head of the German Federal Office for Information Security, calls it the “king of malware.”

9. Mirai botnet (2016)

All the viruses and other malware we’ve been discussing so far have afflicted what we think of as “computers”—the PCs and laptops that we use for work and play. But in the 21st century, there are millions of devices with more computing power than anything that Creeper could have infected. These internet of things (IoT) devices are omnipresent, ignored, and often go unpatched for years.

The Mirai botnet was actually similar to some of the early malware we discussed because it exploited a previously unknown vulnerability and wreaked far more havoc than its creator intended. In this case, the malware found and took over IoT gadgets (mostly CCTV cameras) that hadn’t had their default passwords changed. Paras Jha, the college student who created the Mirai malware, intended to use the botnets he created for DoS attacks that would help settle scores in the obscure world of Minecraft server hosting, but instead he unleashed an attack that focused on a major DNS provider and cut off much of the U.S. east coast from the internet for the better part of a day.

10. Petya ransomware/NotPetya wiper (2016/7)

The ransomware Trojan dubbed Petya started afflicting computers in 2016. Though it had a clever mechanism for locking down its victims’ data—it encrypts the master file table, which the OS uses to find files—it spread via conventional phishing scams and wasn’t considered particularly virulent.

It would probably be forgotten today if not for what happened the following year. A new self-reproducing worm variant emerged that used the NSA’s leaked EternalBlue and EternalRomance exploits to spread from computer to computer. Originally distributed via a backdoor in a popular Ukrainian accounting software package, the new version—dubbed NotPetya—quickly wreaked havoc across Europe. The worst part? Though NotPetya still looked like ransomware, it was a wiper designed wholly to ruin computers, as the address displayed where users could send their ransom was randomly generated and did no good. Researchers believe that Russian intelligence repurposed the more ordinary Petya malware to use as a cyberweapon against Ukraine—and so, in addition to the massive damage it caused, NotPetya earns its place on this list by illustrating the symbiotic relationship between state sponsored and criminal hackers.

11. Clop ransomware (2019-Present)

Clop (sometimes written Cl0p) is another ransomware variant that emerged on the scene in 2019 and has grown increasingly prevalent since, to the extent that it was dubbed one of the top malware threats of 2022. In addition to preventing victims from accessing their data, Clop allows the attacker to exfiltrate that data as well. McAfee has a breakdown of the technical details, including a review of ways it can bypass security software.

What makes Clop so interesting and dangerous, however, is not how it’s deployed, but by whom. It’s at the forefront of a trend called Ransomware-as-a-Service, in which a professionalized group of hackers does all the work for whoever will pay them enough (or share in a percentage of the ransomware riches they extract from victims). The earlier entries in this list are from a day when the internet was for hobbyists and lone wolves; today, it seems even cybercrime is largely the province of governments and the professionals.

Josh Fruhlinger is a writer and editor who lives in Los Angeles.


Case Study: The Morris Worm Brings Down the Internet

In 1988, Robert Morris created and released the first computer worm which significantly disrupted the young internet and served as a wakeup call on the importance of cybersecurity. Read our root cause analysis example to learn more about this disaster and the lessons that can be learned from it.

On November 3, 1988, Robert Morris, a graduate student at Cornell, created and released the first computer worm that could spread between computers and copy itself. Morris didn’t have malicious intent and his worm appears to have been more the result of intellectual curiosity rather than a purposefully destructive cyber-attack, but an error in the program led to it propagating much faster than he intended. The worm significantly disrupted the young internet, introduced the world to the concept of a software worm and served as a wakeup call on the importance of cybersecurity.

Build a Cause Map

A Cause Map, a visual root cause analysis, can be used to create a root cause analysis case study and analyze this incident. A Cause Map is built by asking “why” questions and using the answers to visually lay out the causes that contributed to an issue to intuitively show the cause-and-effect relationships. Mapping out all the causes that contributed to an issue ensures that all facets of a problem are well understood and helps facilitate the development of effective, detailed solutions that can be implemented to reduce the risk of similar issues in the future.

Known flaws

To create his worm, Morris exploited known software bugs and weak passwords that no one had worried about enough to fix. At the time the Morris worm was released, the internet was in its infancy and only used by academics. There was no commercial traffic on the internet, and websites did not exist. Only a small, elite group had access to the internet, so concerns about cybersecurity hadn’t really come up.

What went wrong

Morris was trying to build a harmless worm to highlight security flaws, but an error in the program led to the worm causing a significant amount of disruption. The worm was intended to infect each computer one time, but the worm was designed to duplicate itself every seventh time a computer indicated it had already been infected to make the worm more difficult to remove. The problem was that the speed of propagation was underestimated. Once released, the worm quickly reinfected computers over and over again until they were unable to function, and the internet came crashing down.

The worm did more damage than Morris had expected and once he realized what he had done, he asked a colleague to anonymously apologize for the worm and explain how to update computers to prevent it from spreading. But the warning came too late to prevent massive disruption.

Impacts of the Morris Worm

In the short term, the Morris worm created a mess that took many computer experts days to clean up. One of the lasting impacts from the Morris worm that is hard to quantify, but is the most significant consequence of this incident, is the impact on cybersecurity. If the first “hacker” had malicious intent and came a little later, it's likely that the damage would have been much more severe. The Morris worm highlighted the need to consider cybersecurity relatively early in the development of the internet.

The Morris worm also had a significant impact on its creator, Robert Morris, who became the first person to be indicted under the 1986 Computer Fraud and Abuse Act. He was hit with a $10,050 fine, 400 hours of community service and a three-year probation. After this initial hiccup, Morris went on to have a successful career and now works in the MIT Computer Science and Artificial Intelligence Laboratory.

Download a copy of our Cause Map of the incident. 

Top Ten Most-Destructive Computer Viruses

Created by underground crime syndicates and government agencies, these powerful viruses have done serious damage to computer networks worldwide

Sharon Weinberger


Computer viruses have come a long way from the early days of personal computers, when teenage hackers competed for bragging rights, creating malware designed for mischief or random mayhem. Now, the hackers have gone professional, and their ambitions have grown; rather than amateurs working out of their parents' basement, malware creators are often part of an underworld criminal gang, or working directly for a foreign government or intelligence agency. As the stakes have grown, so too has the potential damage and destruction brought on by malware.

1) Stuxnet (2009-2010) The arrival of Stuxnet was like a cartoon villain come to life: it was the first computer virus designed specifically to cause damage in the real, as opposed to virtual, world. While previous malware programs may have caused secondary physical problems, Stuxnet was unique in that it targeted software that controls industrial systems. Specifically, Stuxnet was designed to damage machinery at Iran’s uranium enrichment facility in Natanz. Based on the available information, including data from the International Atomic Energy Agency, experts believe Stuxnet caused a large number of Iran’s centrifuges—essentially giant washing machines used to enrich uranium—to spin out of control and self-destruct. Though Stuxnet was discovered in 2010, it is believed to have first infected computers in Iran in 2009.

2) Conficker Virus (2009) In 2009, a new computer worm crawled its way into millions of Windows-based PCs around the world, creating a massive botnet army of remotely controlled computers capable of stealing financial data and other information. Its complexity made it difficult to stop, and the virus prompted the creation of a coalition of experts dedicated to stopping its spread. At its height, the Conficker worm infected millions of computers, leading anti-virus researchers to call it the “super bug,” or “super worm.” But the real mystery of Conficker, which still infects a large number of computers, is that no one knows what it was meant to do: the botnet army was never used for any specific purpose, to the best of anyone’s knowledge. Conficker’s real purpose still confounds security experts.

3) agent.btz (2008) This piece of malware’s claim to fame is that it temporarily forced the Pentagon to issue a blanket ban on thumb drives and even contributed to the creation of an entirely new military department, U.S. Cyber Command. Agent.btz spreads through infected thumb drives, installing malware that steals data. When agent.btz was found on Pentagon computers in 2008, officials suspected the work of foreign spies. Former Deputy Secretary of Defense William Lynn later wrote that agent.btz created “a digital beachhead, from which data could be transferred to servers under foreign control.” Though some anti-virus experts have disputed the contention that the virus was the creation of a foreign intelligence agency, its effect was to make cyber war a formal part of U.S. military strategy.

4) Zeus (2007) There is no shortage of malware kits that target personal information, but Zeus has become the go-to tool for many of today’s cyber criminals and is readily available for sale in the cyber crime underworld. It can be used to pilfer passwords as well as files, helping to create a literal underground economy for compromised identities that can be bought and sold for as little as 50 cents. In the age of Internet banking and online shopping, a compromised identity is much more than just a name and social security number: it’s your address, date of birth, mother’s maiden name, and even your secret security questions (your first pet, your favorite teacher, or your best friend from grade school).

5) PoisonIvy (2005) PoisonIvy is a computer security nightmare; it allows the attacker to secretly control the infected user’s computer. Malware like PoisonIvy is known as a “remote access trojan,” because it provides full control to the perpetrator through a backdoor. Once the virus is installed, the perpetrator can activate the controls of the targeted computer to record or manipulate its content or even use the computer’s speaker and webcam to record audio and video. Once thought of as a tool for amateur hackers, PoisonIvy has been used in sophisticated attacks against dozens of Western firms, including those involved in defense and chemical industries, according to a white paper written by Symantec, the computer security firm. The attacks were traced back to China.

6) MyDoom (2004) MyDoom muscled its way into the malware world in 2004, quickly infecting some one million computers and launching a massive distributed denial of service attack, which overwhelms a target by flooding it with information from multiple systems. The virus spread through email as what appeared to be a bounced message. When the unsuspecting victim opened the email, the malicious code downloaded itself and then pilfered the new victim’s Outlook address book. From there, it spread to the victim’s friends, family and colleagues. MyDoom spread faster than any worm seen prior.

7) Fizzer (2003) By 2003, many worms were spreading over e-mail, but Fizzer was an entirely new creature. If earlier worms, like Code Red (see below), were about mischief, Fizzer was all about money. While some initially dismissed the seriousness of the worm because it wasn’t as fast moving as Code Red, Fizzer was more insidious. “What makes Fizzer stand out is that it's the first instance of a worm created for financial gain,” says Roel Schouwenberg, a senior researcher at Kaspersky, an anti-virus company. “Computers infected with Fizzer started sending out pharmacy spam.” In other words, Fizzer didn’t just take over your address book to spread for the sake of spreading, it used your address book to send out the now familiar porn and pills spam. Fizzer was followed by better-known spam-inducing worms, like SoBig, which became threatening enough that Microsoft even offered a $250,000 bounty for information leading to the arrest of its creator.

8) Slammer (2003) In January 2003, the fast-spreading Slammer proved that an Internet worm could disrupt private and public services, a harbinger for future mayhem. Slammer works by releasing a deluge of network packets, units of data transmitted over the Internet, bringing the Internet on many servers to a near screeching halt. Through a classic denial of service attack, Slammer had a quite real effect on key services. Among its list of victims: Bank of America’s ATMs, a 911 emergency response system in Washington State, and perhaps most disturbingly, a nuclear plant in Ohio.

9) Code Red (2001) Compared to modern malware, Code Red seems like an almost kinder, gentler version of a threat. But when it swept across computers worldwide in 2001, it caught security experts off guard by exploiting a flaw in Microsoft Internet Information Server. That allowed the worm to deface and take down some websites. Perhaps most memorably, Code Red successfully brought down the whitehouse.gov website and forced other government agencies to temporarily take down their own public websites as well. Though later worms have since overshadowed Code Red, it’s still remembered by anti-virus experts as a turning point for malware because of its rapid spread.

10) Love Letter/I LOVE YOU (2000) Back in 2000, millions of people made the mistake of opening an innocent looking email attachment labeled simply, “I Love You.” Instead of revealing the heartfelt confession of a secret admirer, as perhaps readers had hoped, the file unleashed a malicious program that overwrote the users’ image files. Then like an old-fashioned chain letter gone nuclear, the virus e-mailed itself to the first 50 contacts in the user’s Windows address book. While by today’s standards, Love Letter is almost quaint, it did cause wide-scale problems for computer users. It only took hours for Love Letter to become a global pandemic, in part because it played on a fundamental human emotion: the desire to be loved. In that sense, Love Letter could be considered the first socially engineered computer virus.

Sharon Weinberger is a national security reporter based in Washington, D.C.


(software that is malicious) propagated throughout the internet. This worm infected Unix servers, taking advantage of different types of vulnerability in installed code such as Sendmail and finger. The lessons from that incident are still valid and, surprisingly perhaps, the vulnerabilities identified that allowed the worm to cause such problems are still present in some modern software.


Title: Hybrid Epidemics - A Case Study on Computer Worm Conficker

Abstract: Conficker is a computer worm that erupted on the Internet in 2008. It is unique in combining three different spreading strategies: local probing, neighbourhood probing, and global probing. We propose a mathematical model that combines three modes of spreading, local, neighbourhood and global, to capture the worm's spreading behaviour. The parameters of the model are inferred directly from network data obtained during the first day of the Conficker epidemic. The model is then used to explore the trade-off between spreading modes in determining the worm's effectiveness. Our results show that the Conficker epidemic is an example of a critically hybrid epidemic, in which the different modes of spreading in isolation do not lead to successful epidemics. Such hybrid spreading strategies may be used beneficially to provide the most effective strategies for promulgating information across a large population. When used maliciously, however, they can present a dangerous challenge to current internet security protocols.
Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI); Networking and Internet Architecture (cs.NI)
Journal reference: PLoS ONE. 2015 May 15;10(5):e0127478
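To make the abstract's notion of a "critically hybrid" epidemic concrete, here is an added example written for this page; it is not code from the paper or its authors, and it does not reproduce the paper's model or the parameters inferred from Conficker data. It assumes a population of equal-sized subnets arranged in a ring, three probing modes (local: own subnet; neighbourhood: the two adjacent subnets; global: uniformly random hosts), deterministic SIR dynamics per subnet with a constant removal (patching) rate, and illustrative probe rates of 0.6 per mode against a removal rate of 1.0. All of those choices are constructed assumptions.

```python
"""Toy hybrid-spreading epidemic model (constructed for this page; not the
paper's model).  A worm with three probing modes targets its own subnet
("local"), the two adjacent subnets ("neighbourhood") and uniformly random
hosts anywhere ("global").  Subnets are equal-sized and arranged in a ring;
each subnet follows deterministic SIR dynamics (susceptible / infected /
removed, where removed means patched or cleaned), integrated with a forward
Euler scheme.  Every rate below is an illustrative assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rates:
    local: float          # infectious probes per unit time into the worm's own subnet
    neighbourhood: float  # probes split evenly across the two adjacent subnets
    global_: float        # probes spread uniformly over the whole population
    removal: float = 1.0  # rate at which infected hosts are patched or cleaned

    def r0(self) -> float:
        """Basic reproduction number of a rare seed in the ring model.

        Each mode's next-generation matrix has constant row sums equal to that
        mode's probe rate (identity, ring adjacency / 2, all-ones / M), so the
        spectral radius of their sum is the total probe rate over the removal
        rate.  A mode on its own is sub-critical when its rate is below the
        removal rate, yet the combination can still be super-critical.
        """
        return (self.local + self.neighbourhood + self.global_) / self.removal


def simulate(rates: Rates, subnets: int = 10, seed_fraction: float = 0.01,
             dt: float = 0.05, horizon: float = 80.0) -> float:
    """Seed one subnet and return the overall attack rate (fraction ever infected)."""
    m = subnets
    s = [1.0] * m          # susceptible fraction per subnet
    i = [0.0] * m          # infected fraction per subnet
    s[0] -= seed_fraction  # initial infections live in subnet 0 only
    i[0] += seed_fraction
    for _ in range(int(horizon / dt)):
        mean_i = sum(i) / m
        # Force of infection on every subnet, computed from a snapshot of the state
        # so that updates within one step do not feed into each other.
        force = [rates.local * i[k]
                 + rates.neighbourhood * (i[(k - 1) % m] + i[(k + 1) % m]) / 2.0
                 + rates.global_ * mean_i
                 for k in range(m)]
        for k in range(m):
            infections = force[k] * s[k] * dt
            removals = rates.removal * i[k] * dt
            s[k] -= infections
            i[k] += infections - removals
    return 1.0 - sum(s) / m


def compare(probe_rate: float = 0.6, removal: float = 1.0) -> dict:
    """(R0, final attack rate) for each mode alone and for all three combined."""
    scenarios = {
        "local only": Rates(probe_rate, 0.0, 0.0, removal),
        "neighbourhood only": Rates(0.0, probe_rate, 0.0, removal),
        "global only": Rates(0.0, 0.0, probe_rate, removal),
        "hybrid": Rates(probe_rate, probe_rate, probe_rate, removal),
    }
    return {name: (r.r0(), simulate(r)) for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, (r0, attack) in compare().items():
        print(f"{name:19s} R0 = {r0:.2f}  final attack rate = {attack:.3f}")
```

With these assumed rates each mode alone has R0 = 0.6 and the outbreak fizzles at a fraction of a percent of hosts, while the three modes together give R0 = 1.8 and an attack rate of roughly 70 percent, which is the qualitative behaviour the abstract calls critically hybrid. The defensive reading is that no single mode has to be "the" problem: cutting any one of the three rates (for example, filtering neighbourhood probing at subnet boundaries, or rate-limiting outbound scans so the global mode slows) can be enough to push the combined R0 back below 1.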


Code-Red: a case study on the spread and victims of an Internet worm

  • January 2002
  • Conference: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement 2002, Marseille, France, November 6-8, 2002
  • This person is not on ResearchGate, or hasn't claimed this research yet.

Discover the world's research

  • 25+ million members
  • 160+ million publication pages
  • 2.3+ billion citations

No full-text available

Request Full-text Paper PDF

To read the full-text of this research, you can request a copy directly from the authors.



Open Access

Peer-reviewed

Research Article

Hybrid Epidemics—A Case Study on Computer Worm Conficker


Affiliations Department of Computer Science, University College London, London, United Kingdom, Security Science Doctoral Research Training Centre, University College London, London, United Kingdom

Affiliation Department of Computer Science, University College London, London, United Kingdom

Affiliation Division of Infection and Immunity, University College London, London, United Kingdom

  • Changwang Zhang, 
  • Shi Zhou, 
  • Benjamin M. Chain


  • Published: May 15, 2015
  • https://doi.org/10.1371/journal.pone.0127478


Conficker is a computer worm that erupted on the Internet in 2008. It is unique in combining three different spreading strategies: local probing, neighbourhood probing, and global probing. We propose a mathematical model that combines three modes of spreading: local, neighbourhood, and global, to capture the worm’s spreading behaviour. The parameters of the model are inferred directly from network data obtained during the first day of the Conficker epidemic. The model is then used to explore the tradeoff between spreading modes in determining the worm’s effectiveness. Our results show that the Conficker epidemic is an example of a critically hybrid epidemic, in which the different modes of spreading in isolation do not lead to successful epidemics. Such hybrid spreading strategies may be used beneficially to provide the most effective strategies for promulgating information across a large population. When used maliciously, however, they can present a dangerous challenge to current internet security protocols.

Citation: Zhang C, Zhou S, Chain BM (2015) Hybrid Epidemics—A Case Study on Computer Worm Conficker. PLoS ONE 10(5): e0127478. https://doi.org/10.1371/journal.pone.0127478

Academic Editor: Gui-Quan Sun, Shanxi University, CHINA

Received: December 12, 2014; Accepted: April 14, 2015; Published: May 15, 2015

Copyright: © 2015 Zhang et al. This is an open access article distributed under the terms of the Creative Commons Attribution License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper.

Funding: This work was supported in part by the Engineering and Physical Sciences Research Council of UK (no. EP/G037264/1), the China Scholarship Council (file no. 2010611089), and the National Natural Science Foundation of China (project no. 60970034, 61170287, 61232016). The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Competing interests: The authors have declared that no competing interests exist.

Introduction

Epidemic spreading phenomena exist in a wide range of domains [ 1 , 2 ]. Well-known examples include disease spreading [ 3 – 5 ], computer worm proliferation [ 6 – 8 ], and information propagation [ 9 – 11 ]. Modelling and understanding of such phenomena can have important practical values to predict and control real world epidemics [ 3 – 5 , 12 – 15 ].

Some typical spreading mechanisms have been extensively studied, such as the fully-mixed spreading model and the network spreading model. Many epidemics are hybrid as they spread via two or more different mechanisms simultaneously. Previous work on hybrid epidemics has focused on what we call the non-critically hybrid epidemic, where at least one of the spreading mechanisms alone is able to cause an epidemic outbreak, and a mixture of mechanisms brings no advantage.

We are interested in the critically hybrid epidemic, where each spreading mechanism alone is unable to cause any significant spreading whereas the mixture of such mechanisms leads to a huge epidemic outbreak. Recently we proposed a model that explains the behaviour of critically hybrid epidemics, which incorporates two spreading mechanisms in the setting of a metapopulation [ 16 ]. We demonstrated that it is indeed possible to have a highly contagious epidemic by mixing simple, ineffective spreading mechanisms. The properties of such epidemics are critically determined by the ratio at which the different spreading mechanisms are mixed, and usually there is an optimal ratio that leads to a maximal outbreak size.

In this paper we present a detailed analysis of a real hybrid epidemic—the Internet worm Conficker, which erupted on the Internet in 2008 and infected millions of computers. The worm is a hybrid epidemic as the code analysis [ 17 ] has revealed the worm applied three distinct spreading mechanisms: (1) global random spreading, (2) local network spreading, and (3) neighbourhood spreading. It is a critically hybrid epidemic because the first and second spreading mechanisms are highly ineffective if used alone, and the third mechanism, as we will show later, is most effective when mixed with the other two.

We introduce a mathematical model to describe the spreading behaviour of Conficker. Our study is based on measurement data provided by the Center for Applied Internet Data Analysis (CAIDA)’s Network Telescope project [ 18 , 19 ], which monitors Internet traffic anomalies. We propose algorithms to extract Conficker-related features from the CAIDA data, and then infer the values of our model’s parameters that characterise the worm.

We evaluated our inference results by comparing theoretical predictions with the actual measurement results. Our predictions closely reproduced the outbreak process of Conficker. We then explored possible spreading scenarios based on simulations using different values of parameters. One of the interesting results was that the worm could spread faster, reach a larger outbreak size or survive for a longer time simply by revising the ratios at which it allocates its time to each of the spreading mechanisms (while keeping everything else the same), which could be achieved by changing a few lines of its code.

This paper’s contributions are twofold. Firstly, we present the first study on a real-life critically hybrid epidemic, where the epidemic’s parameter values are inferred from measurement data. Secondly, we analyse the complex interactions among Conficker’s three spreading mechanisms, and show that the worm can be more contagious if it mixes its three spreading mechanisms in an optimal way.

Epidemic spreading mechanisms

A number of epidemic spreading mechanisms have been extensively studied [ 20 , 21 ]. For example, in the fully-mixed spreading models [ 20 , 22 ], a node is connected to all other nodes in a population, so an epidemic can potentially spread between any two nodes with some probability. In the network spreading models [ 1 , 2 , 20 , 23 ], by contrast, nodes are connected to their neighbours via a network structure, so an epidemic can only spread along the connections among nodes. Recent network-based models have considered additional physical properties such as location-specific contact patterns [ 24 , 25 ], human mobility patterns [ 26 – 29 ] and spatial effects [ 30 – 33 ].

Hybrid epidemics

Many epidemics are hybrid in the sense that they spread via two or more spreading mechanisms simultaneously. A hybrid epidemic can use fully-mixed spreading and network spreading, or use fully-mixed spreading but at two or more different levels, e.g. at the global level covering the whole population or at the local level consisting of only a part of the population.

There are many real examples. Mobile phone viruses can spread via Bluetooth communication with any nearby devices (local, fully-mixed spreading) and via the Multimedia Messaging Service with remote contacts (global, network spreading) [ 27 ]. A computer that is infected by the worm Code Red II spends 1/8 of its time probing computers on the Internet at random (global, fully-mixed spreading) and the rest of the time probing computers located in local area networks (local, fully-mixed spreading) [ 34 ]. Today information is propagated in society via mass media (TV, newspapers, posters) as well as online social media (Facebook, Twitter and emails). Mass media (global, fully-mixed spreading) can potentially deliver the information to a big audience, but the effectiveness of information transmission at an individual level may be small (for example, its ability to alter the target individual’s behaviour). In contrast, social media (local, network spreading) may have little or no access to the majority of people who are not connected to the local group, but they provide rapid penetration of a selected target group with higher effectiveness.

It is clear that hybrid epidemics are much more complex than simple epidemics. Their behaviour is affected not only by the multiple spreading mechanisms they use, but also by the population’s overlaid structure on which they spread. Studying hybrid epidemics may provide crucial clues for a better understanding of many real epidemics.

Previous works on hybrid epidemics

Hybrid epidemics were initially studied as two levels of mixing in a population where nodes are mixed at both local and global levels [ 35 ]. Recently hybrid epidemics were studied as two levels of mixing in a network [ 36 – 38 ], in structured populations [ 39 ], in structured households [ 40 – 42 ], and in a meta-population which consists of a number of weakly connected sub-populations [ 43 – 48 ]. Studies of epidemics in clustered networks [ 49 – 51 ] are also relevant to hybrid epidemics.

These previous works focused on analysing how a network’s structure affects hybrid spreading. Most of them studied non-critically hybrid epidemics, where at least one of the two spreading mechanisms alone can cause an infection outbreak and therefore the mix of two mechanisms is not a necessary condition for an epidemic outbreak. In this case, a hybrid epidemic using two spreading mechanisms is often less contagious than an epidemic using only one of the mechanisms [ 36 , 52 ].

Our recent study on critically hybrid epidemics

We are interested in critically hybrid epidemics, where each of the spreading mechanisms alone is not able to cause any significant infection whereas a combination of the mechanisms can cause an epidemic outbreak. In this case, the mix of different spreading mechanisms is a critical condition for an outbreak (see Fig 1 ).

Fig 1. (a) Non-critically hybrid epidemic, where at least one of the two mechanisms can cause an outbreak on its own (i.e. when α = 1 or α = 0). (b) Critically hybrid epidemic, where each mechanism alone cannot cause any significant infection whereas a mix of them produces an epidemic outbreak. There exists an optimal α that produces the maximum outbreak.

https://doi.org/10.1371/journal.pone.0127478.g001

Recently we proposed a generic model to study critically hybrid epidemics [ 16 ]. We considered an epidemic which spreads in a meta-population (consisting of many weakly connected sub-populations) using a mix of the following two typical spreading mechanisms. (1) Fully-mixed spreading on the global level, i.e. infection between any two nodes in the meta-population. (2) Network (or fully-mixed) spreading on the local level, i.e. infection between nodes within a sub-population where the internal topology of a sub-population is a network (or a fully-connected mesh). Each spreading mechanism has its own infection rate and an infected node recovers at a recovery rate. We define a parameter called the hybrid trade-off, α , as the proportion of time that the epidemic devotes to the first spreading mechanism (or the probability of using the first spreading mechanism in a time unit). Thus the proportion of time spent on the second mechanism is (1 − α ).

Our mathematical analysis and numerical simulations based on the model highlight the following two results. Firstly, it is possible to mix two ineffective spreading mechanisms to produce a highly contagious epidemic, because the mix of the mechanisms can help to overcome the weakness of each mechanism. Secondly, the threshold and the size of the outbreak are critically determined by the hybrid trade-off α . We also provided an analytical prediction of the optimal trade-off for the maximum outbreak size.

Computer Worm Conficker

In this paper we will analyse a critically hybrid epidemic, the computer worm Conficker, based on real measurement data. It is one of the most contagious computer worms on record. It erupted on the Internet on 21 November 2008 and infected millions of computers in just a few days [ 7 ]. The worm’s ability to spread to such a large number of computers in so short a time, and the fact [ 53 ] that it is still active on the Internet, have caused serious concern. Code analysis [ 17 ] revealed that the worm uses three distinct spreading mechanisms (see Fig 2 ):

  • Global spreading, where the worm probes computers with random IP addresses on the Internet;
  • Local spreading, where the worm on an infected computer probes computers in the same Local Area Network (LAN) with the same IP address prefix;
  • Neighbourhood spreading, where it probes computers in ten neighbouring LANs (with smaller consecutive IP address prefixes).

Fig 2. (1) Global spreading, where it probes any computer on the Internet at random; (2) local spreading, where it probes computers in the same local network; (3) neighbourhood spreading, where it probes computers in ten neighbouring local networks.

https://doi.org/10.1371/journal.pone.0127478.g002

Previous research on Conficker has studied the geographical distribution of infected IP addresses, the distribution of probing packet size [ 7 , 54 , 55 ], and properties of the worm’s global probing [ 56 , 57 ]. The parameters of Conficker’s hybrid spreading and how they affect the epidemic dynamics of the worm can help explain why the worm is so contagious. But they have been hitherto little studied.

Our Model of Conficker

In each time step, an infected node uses one of the following three spreading mechanisms, chosen with mixing probabilities that sum to one (α g + α l + α n = 1):

  • Global spreading with probability α g , where the worm probes nodes on the Internet at random with the global infection rate β g ∈ [0, 1];
  • Local spreading with probability α l , where it probes nodes in the local subnet with the local infection rate β l ∈ [0, 1];
  • Neighbourhood spreading with probability α n , where it probes nodes in ten neighbouring subnets with the neighbourhood infection rate β n ∈ [0, 1].

An infected node recovers at the recovery rate γ ∈ [0, 1]. A recovered node remains recovered and cannot be infected again. Note that for mathematical analysis, the mixing probabilities could be incorporated into the infection rates. But we have treated them as separate parameters, considering that an infection rate reflects inherent properties of a computer worm in the context of a specific target population, whereas mixing probabilities are settings that can be easily modified in the worm’s code. This is also the reason we use the mixing probabilities as the controlling parameters in our study below and keep the other parameters the same.

Only nodes that can potentially be infected by Conficker are relevant to our study. We call them the relevant nodes. A subnet is relevant if it contains at least one relevant node. Irrelevant nodes include unused IP addresses and those computers that do not have the vulnerabilities that the worm can exploit. Note that although the irrelevant nodes and subnets do not participate in the spreading of Conficker, they will still be probed by the worm, as the worm has no a priori knowledge about which nodes are vulnerable.

Let n represent the total number of relevant nodes and N the number of relevant subnets. The average number of relevant nodes in a subnet is $n_N = n/N$. Let $N_+$ represent the average number of relevant subnets among ten neighbouring subnets.

At time t, the total numbers of susceptible, infected, and recovered nodes are $S(t)$, $I(t)$, and $R(t)$, respectively. Then the average number of infected nodes in a subnet is $I_N(t) = I(t)/N$, and the average number of infected nodes in ten neighbouring subnets is $I_+(t) = I_N(t)\,N_+$. Hence on average a susceptible node can be infected via (1) global probing by $I(t)$ infected nodes on the Internet; (2) local probing by $I_N(t)$ infected nodes in the local subnet; (3) neighbourhood probing by $I_+(t)$ infected nodes in the neighbouring subnets.


Inferring Conficker Parameters From Data

We infer the parameter values of our Conficker model from the Internet measurement data [ 18 , 19 ] collected by the Center for Applied Internet Data Analysis (CAIDA) in 2008. This is the only publicly available dataset that has captured the initial outbreak process of the worm. The CAIDA Network Telescope project [ 18 , 19 ] monitors Internet traffic sent to a large set of unusable IP addresses, which account for around 1/256 of all addresses. No legitimate traffic should be sent to these monitored addresses because they are not allocated for normal usage [ 58 ]. Thus the traffic data captured by this project provides a good view on various abnormal behaviours on the Internet.

When Conficker spreads on the Internet, its global spreading mechanism sends out probing packets to randomly generated IP addresses, some of which are unused IP addresses and therefore are monitored by the Network Telescope project. Conficker’s probing packets are characterised by the Transmission Control Protocol (TCP) with destination port number 445. This feature can be used to distinguish Conficker packets from other packets in the Network Telescope data.

For each record of Conficker’s probing packet, we are interested in two things: (1) the time when the packet is monitored by the Network Telescope project, and (2) the packet’s source IP address, which gives the location of a Conficker-infected node. We ignore the destination address, as it is a randomly-generated, unused IP address.

We study the Network Telescope project’s daily dataset collected on November 21, 2008, the day when Conficker broke out on the Internet. We use two earlier datasets, collected on November 12 and 19, 2008, to filter out background ‘noise’ that had been present before the outbreak. That is, in the outbreak dataset, we discard packets that were sent from any source address that had already sent packets to any of the unusable addresses in the two earlier datasets. We use the prefix /24 (i.e. the IP address mask 255.255.255.0) to distinguish different subnets [ 7 ]. Our analysis uses a 10-minute window.

Step One: Inferring node status at a given time

We first infer the status of each node at time t from the CAIDA data. On the day of the Conficker outbreak, all relevant nodes were initially susceptible. In the analysis, we assume a node has just been infected by the worm when we observe the first Conficker probing packet coming from it, and that the node has recovered when we observe its last probing packet before the end of the day. Fig 3 shows the number of susceptible, infected and recovered nodes as observed in 10-minute windows.

Fig 3. Numbers of susceptible nodes S(t), infected nodes I(t) and recovered nodes R(t) as a function of time t, as inferred from CAIDA’s dataset on 21/Nov/2008, the day of Conficker’s outbreak.

https://doi.org/10.1371/journal.pone.0127478.g003

Step Two: Inferring new infections caused by each spreading mechanism

Let $dI_l(t)$, $dI_n(t)$ and $dI_g(t)$ represent the numbers of nodes that are newly infected through local, neighbourhood and global spreading, respectively, at time step t. Our analysis of the data shows that 84% of new infections occurred within already infected subnets or their neighbourhood subnets, i.e. only 16% of new infections appeared outside the reach of local and neighbourhood probing. This agrees with our understanding that local and neighbourhood probing are significantly more effective than global probing [ 7 ]. Moreover, 73% of those new infections within the reach of local and neighbourhood probing (i.e. 73%×84% of all new infections) occurred in already infected subnets. This indicates that local probing is more effective than neighbourhood probing. Based on the above analysis we can approximately identify the probing mechanism that is responsible for a newly infected node by analysing the states of the other relevant nodes at the time when the new infection happens.

  • IF there is an infected node already in the same subnet, the new infection is caused by that infected node via local spreading.
  • ELSE IF there is an infected node in the ten neighbouring subnets, then the new infection is via neighbourhood spreading.
  • OTHERWISE, the newly infected node is infected via global spreading.

Fig 4 shows the inferred results, plotting the number of new infections caused by each spreading mechanism as a function of time.
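The two inference steps above, run over a handful of constructed network-telescope records (an added example, not the authors' code and not CAIDA data). The 10-minute window, the TCP/445 filter, the pre-outbreak noise filter and the /24 subnet convention follow the text; the direction of neighbourhood probing (a node in subnet k probes the ten lower prefixes k-1 to k-10, so it reaches nodes whose subnet lies one to ten prefixes below its own) and all addresses and timestamps are assumptions.

```python
"""Infer Conficker node status (step one) and the spreading mechanism behind
each new infection (step two) from telescope records.  Added example with
constructed records; not the authors' code and not CAIDA data."""
from collections import defaultdict
from ipaddress import IPv4Address

WINDOW = 600          # 10-minute analysis windows, in seconds
NEIGHBOUR_REACH = 10  # ten neighbouring /24s with smaller prefixes

# Constructed telescope records: (seconds since midnight, source IP, dst port, protocol).
# Only the source address and time matter; destinations are unused addresses anyway.
RECORDS = [
    (100, "10.0.1.5", 445, "tcp"),
    (300, "203.0.113.9", 445, "tcp"),    # seen before the outbreak: background noise
    (700, "10.0.1.9", 445, "tcp"),
    (800, "10.0.1.9", 80, "tcp"),        # not a Conficker probe (wrong port)
    (1300, "10.0.0.20", 445, "tcp"),
    (1900, "192.168.50.7", 445, "tcp"),
    (2300, "192.168.50.7", 445, "tcp"),
    (2500, "10.0.2.3", 445, "tcp"),
    (3000, "10.0.0.20", 445, "tcp"),
    (4000, "10.0.1.9", 445, "tcp"),
    (4100, "10.0.1.9", 445, "udp"),      # not a Conficker probe (wrong protocol)
    (5000, "10.0.1.5", 445, "tcp"),
    (5500, "10.0.1.77", 445, "tcp"),
    (6200, "10.0.2.3", 445, "tcp"),
]
# Sources that already probed the telescope in the two earlier (pre-outbreak) datasets.
BASELINE_SOURCES = {"203.0.113.9"}


def subnet_of(ip):
    """Index of the /24 containing ip; consecutive prefixes get consecutive indices."""
    return int(IPv4Address(ip)) >> 8


def infection_windows(records, baseline):
    """Step one: a node is infected at its first TCP/445 probe and recovered after
    its last one.  Returns {src_ip: (first_window, last_window)}."""
    seen = {}
    for ts, src, port, proto in records:
        if proto != "tcp" or port != 445 or src in baseline:
            continue
        w = ts // WINDOW
        first, last = seen.get(src, (w, w))
        seen[src] = (min(first, w), max(last, w))
    return seen


def sir_counts(windows, w):
    """(S, I, R) at window w; every node that ever appears starts out susceptible."""
    infected = sum(1 for f, l in windows.values() if f <= w <= l)
    recovered = sum(1 for f, l in windows.values() if l < w)
    return len(windows) - infected - recovered, infected, recovered


def classify_new_infections(windows, reach=NEIGHBOUR_REACH):
    """Step two: attribute each new infection to local, neighbourhood or global
    probing from the state of the other nodes when it first appears.
    Assumption: a worm in subnet k probes subnets k-1 .. k-reach, so a node in
    subnet s is reachable by neighbourhood probing from subnets s+1 .. s+reach."""
    classes = {}
    for ip, (fw, _) in windows.items():
        s = subnet_of(ip)
        already_infected = [subnet_of(y) for y, (fy, ly) in windows.items()
                            if fy < fw <= ly]
        if s in already_infected:
            classes[ip] = "local"
        elif any(s + 1 <= k <= s + reach for k in already_infected):
            classes[ip] = "neighbourhood"
        else:
            classes[ip] = "global"
    return classes


def new_infections_per_window(windows, classes):
    """dI_l(t), dI_n(t), dI_g(t): new infections per mechanism per window (as in Fig 4)."""
    counts = defaultdict(lambda: {"local": 0, "neighbourhood": 0, "global": 0})
    for ip, (fw, _) in windows.items():
        counts[fw][classes[ip]] += 1
    return dict(counts)


if __name__ == "__main__":
    win = infection_windows(RECORDS, BASELINE_SOURCES)
    cls = classify_new_infections(win)
    per_window = new_infections_per_window(win, cls)
    for w in range(max(l for _, l in win.values()) + 1):
        print(w, "S/I/R =", sir_counts(win, w), per_window.get(w, {}))
```

Note that 10.0.2.3 is classified as a global infection even though 10.0.1.0/24 is infected: under the direction assumed here a worm only probes lower prefixes, so 10.0.1.x cannot reach 10.0.2.x, whereas 10.0.2.3 later reaches 10.0.1.77.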

Fig 4. Numbers of nodes newly infected by Conficker via each of the three spreading mechanisms in 10-minute windows on the day of Conficker’s outbreak, as inferred from CAIDA’s dataset on 21/Nov/2008.

https://doi.org/10.1371/journal.pone.0127478.g004

Step Three: Inferring parameters of the Conficker model


Inference results and evaluation

The inferred values of the Conficker model parameters are shown in Table 1 , including the mixing probability α and the infection rate β for the three spreading mechanisms, the recovery rate γ , the recovery time τ = 1/γ, which is the average time it takes for an infected node to recover, and the probing frequency λ . The parameter values are averaged over time windows between 4:00 and 16:00, when the spreading behaviour was stable. Computers go online and offline on a daily basis following a diurnal pattern [ 59 ]. We find that this factor has only a marginal impact on our results.

Table 1. Inferred values of the Conficker model parameters.

https://doi.org/10.1371/journal.pone.0127478.t001

We observe in the data that the worm had infected in total n = 430,135 nodes, which were located in N = 92,267 subnets. On average, each subnet has $n_N = 4.7$ relevant nodes, and $N_+ = 4.3$ of the ten neighbouring subnets are relevant.

With these parameter values, we can use our Conficker model (see Eq 2 ) to theoretically predict the worm’s outbreak process. As measured from the data, the numbers of nodes in the three statuses were S = 423,899, I = 3,945, and R = 2,291 at 4:00am. Our prediction starts from 4:00am and uses these numbers as the initial condition. As shown in Fig 5 , our model’s predictions closely match the measurement data.

Fig 5. Points are measured from the Network Telescope’s dataset collected on the outbreak day. The curve is the theoretical prediction from our Conficker model using the inferred parameters.

https://doi.org/10.1371/journal.pone.0127478.g005

The inferred parameters are in agreement with our expectations. For example, local spreading has a high infection rate because if a computer is already infected, then other computers in the same subnet are likely to have a similar computer system and thus are also likely to be vulnerable to the worm. By comparison, global spreading has an extremely low infection rate: on average, more than 10 million global probes are needed to produce a single new infection. On average an infected node retains its status for 2.5 hours (156 mins) before it recovers (e.g. it is switched off or updated with a new anti-virus database). The worm only sends out 8 probing packets per minute. Such a deliberately low probing rate helps the worm to evade a computer’s or network’s security systems.

Analysis on Conficker’s Hybrid Spreading

Mix of two spreading mechanisms

We run simulations using our Conficker model with the parameter values inferred above. The simulation network has 100k subnets. Each subnet contains 5 relevant nodes and has 4 relevant adjacent subnets. This topology setting resembles Conficker’s spreading network as observed in the data. Initially two random nodes are infected. The only controlling parameters are the mixing probabilities of the spreading mechanisms. Simulation results for mixes of two spreading mechanisms are shown in Fig 6 .

Fig 6. (a) Mix of global ( α g ) and local (1 − α g ) mechanisms; (b) mix of global ( α g ) and neighbourhood (1 − α g ) mechanisms; (c) mix of local ( α l ) and neighbourhood (1 − α l ) mechanisms. In each case we measure the outbreak size, the total duration of the spreading, and the speed of spreading. The outbreak results include both the final outbreak size (square) and the outbreak size at time step 100 (filled circle). Each data point is averaged over 100 runs of a simulation. Note the y axes are all logarithmic.

https://doi.org/10.1371/journal.pone.0127478.g006

Fig 6a shows that, as explained above, global spreading or local spreading alone cannot cause an outbreak, whereas a mixture at a ratio of 0.8 to 0.2 produces a large and rapid outbreak. Fig 6b shows that neighbourhood spreading alone ( α g = 0) can cause a large but very slow outbreak, whereas mixing neighbourhood spreading with just a small amount of global spreading dramatically accelerates the spreading process. Fig 6c shows that adding local spreading to neighbourhood spreading slows down the spreading process considerably. When they are mixed at the ratio of 0.8 to 0.2, the spreading reaches the same final outbreak size but the whole process lasts the longest.
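A discrete-time (10-minute step) simulation of the three-mode model described under "Our Model of Conficker", set up like the experiment above (5 nodes per subnet, two random initial infections) but on a smaller network of 1,000 subnets in which every subnet and every one of the ten lower neighbouring subnets is relevant. This is an added example, not the authors' code or their Eq 2: β l = 0.32, α g = 0.89 and the 156-minute recovery time are taken from the paper, while β g, β n, the split of the remaining time between local and neighbourhood probing, the downward direction of neighbourhood probing and the mean-field way the three mechanisms are combined into one per-step infection probability are assumptions. It shows the qualitative point of Fig 6a: global-only and local-only runs fizzle out, while the mix takes over the network.

```python
"""Discrete-time simulation of Conficker-style hybrid spreading on a line of
/24 subnets.  Added example; not the authors' code and not their Eq 2."""
import random
from dataclasses import dataclass


@dataclass
class HybridParams:
    alpha_g: float    # share of each step spent on global probing
    alpha_l: float    # share spent on local (same /24) probing
    alpha_n: float    # share spent on neighbourhood (ten lower /24s) probing
    beta_g: float     # per-step infection probability per (infected, susceptible) pair
    beta_l: float
    beta_n: float
    gamma: float      # per-step recovery probability
    reach: int = 10   # number of neighbouring subnets probed


def binomial(n, p, rng):
    """Number of successes in n Bernoulli(p) trials (pure Python, no numpy)."""
    return sum(1 for _ in range(n) if rng.random() < p)


def simulate(p, n_subnets=1000, nodes_per_subnet=5, steps=300, seed=1):
    """Run the epidemic; return [(S, I, R), ...] per step (stops once I reaches 0).
    Assumed mean-field rule: a susceptible node escapes infection in a step only
    if none of the infected nodes that can reach it succeeds, with per-pair success
    probabilities alpha*beta for each mechanism (the mixing probability folded into
    the infection rate, as the paper notes is possible for analysis)."""
    rng = random.Random(seed)
    S = [nodes_per_subnet] * n_subnets
    I = [0] * n_subnets
    R = [0] * n_subnets
    for i in rng.sample(range(n_subnets), 2):   # two random initial infections
        S[i] -= 1
        I[i] += 1
    history = []
    for _ in range(steps):
        total_I = sum(I)
        if total_I == 0:
            break
        new_inf = [0] * n_subnets
        for i in range(n_subnets):
            if S[i] == 0:
                continue
            # Assumption: a worm in subnet k probes k-1..k-reach, so subnet i is
            # reached by neighbourhood probing from subnets i+1..i+reach.
            I_plus = sum(I[i + 1:i + 1 + p.reach])
            escape = ((1 - p.alpha_g * p.beta_g) ** total_I
                      * (1 - p.alpha_l * p.beta_l) ** I[i]
                      * (1 - p.alpha_n * p.beta_n) ** I_plus)
            new_inf[i] = binomial(S[i], 1 - escape, rng)
        new_rec = [binomial(I[i], p.gamma, rng) for i in range(n_subnets)]
        for i in range(n_subnets):
            S[i] -= new_inf[i]
            I[i] += new_inf[i] - new_rec[i]
            R[i] += new_rec[i]
        history.append((sum(S), sum(I), sum(R)))
    return history


def final_outbreak_size(p, **kw):
    """Nodes ever infected (I + R at the end of the run)."""
    _, i, r = simulate(p, **kw)[-1]
    return i + r


GAMMA = 10 / 156   # recovery time of 156 minutes expressed in 10-minute steps


def conficker_like(alpha_g, alpha_l, alpha_n):
    """beta_l from the paper; beta_g and beta_n are assumed values scaled to the
    small network (beta_g is far below gamma, as in the paper)."""
    return HybridParams(alpha_g, alpha_l, alpha_n,
                        beta_g=1e-6, beta_l=0.32, beta_n=0.15, gamma=GAMMA)


if __name__ == "__main__":
    for name, alphas in [("global only", (1, 0, 0)), ("local only", (0, 1, 0)),
                         ("neighbourhood only", (0, 0, 1)), ("mixed", (0.89, 0.05, 0.06))]:
        size = final_outbreak_size(conficker_like(*alphas))
        print(f"{name:20s} final outbreak size = {size} of 5000 nodes")
```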

Mix of three spreading mechanisms

Simulation results for mixes of three spreading mechanisms are shown in Fig 7 . Fig 7a shows that it is not difficult to achieve a large final outbreak size when the three mechanisms are all present and neither local spreading nor global spreading is dominant. Fig 7b shows that the spreading lasts for a longer time if there is less global probing. Fig 7c shows that the most contagious variation of the worm is a mix of global, local and neighbourhood spreading at the probabilities of 0.4, 0.2 and 0.4 (see the circle on the plot), which causes the largest final outbreak with the highest spreading speed.

Fig 7. Spreading properties shown include the final outbreak size, the survival time and the spreading speed (see colour maps) as functions of the mixing probabilities of global spreading α g (x axis) and local spreading α l (y axis), where the mixing probability of neighbourhood spreading is α n = 1 − α g − α l .

https://doi.org/10.1371/journal.pone.0127478.g007

In this study, we infer the epidemic spreading parameters of the Conficker worm from observed data collected during the first few hours of the epidemic. Simulations of worm spreading, based on these parameters, allow us to reach some important conclusions about the worm’s use of hybrid spreading mechanisms.

Advantage of mixing hybrid spreading mechanisms

Conficker’s global probing is extremely ineffective. The infection rate of global probing is many orders of magnitude smaller than the recovery rate. This means, if Conficker used only the global probing, it would not have caused any significant infection on the Internet at all.

Local probing has a remarkably high infection rate, β l = 0.32, which means that when an infected node conducts only local spreading, a susceptible node in the same subnet has a 1/3 chance of being infected in a single time step (10 minutes). However, local probing is confined within a subnet. If the worm used only local probing, it would not have infected any subnet apart from those initially containing infected nodes.

Neighbourhood probing is constrained to a neighbourhood of ten subnets. It has a high infection rate because computers in adjacent IP address blocks often belong to the same organisation, use similar computer systems and therefore have similar vulnerabilities that can be exploited by the worm. Since different nodes’ neighbourhoods can partially overlap with each other, it is in theory possible for the worm to reach any node in the whole meta-population by using only neighbourhood probing. Such a process, however, would be extraordinarily slow, as we have shown in Fig 6b .

In summary, if Conficker used only a single spreading mechanism, it would have vanished on the Internet without causing any significant impact.

Thus the explanation for the enormous outbreak of the worm lies in its ability to do two things. Firstly, it needs to devote great effort to exploring every corner of the Internet to find a new vulnerable computer; every new victim opens a new colony full of similar vulnerable computers. Secondly, it needs to make the most out of each new colony.

This is exactly what Conficker does. It allocates most of its time to global probing, with a mixing probability of α g = 89%. This to a degree compensates for the ineffectiveness of global probing. Although the worm allocates only small amounts of time to local and neighbourhood probing, their high infection rates allow them to exploit all possible victims in the subnets efficiently. And all newly infected nodes join the collective effort to flood the Internet with more global random probes.

In short, the Conficker worm is an example of a critically hybrid epidemic. It can cause an enormous outbreak not because it has an advanced ability to exploit weaknesses of a computer, but because it has a remarkable capability to discover all potentially vulnerable computers on the Internet, i.e. it is not the infectivity, but the hybrid spreading that makes Conficker one of the most infectious worms on record.

Implication of critically hybrid epidemics

The analysis of critically hybrid epidemics such as Conficker has important general implications. Firstly, it demonstrates that it is possible to design a high-impact epidemic based on mechanisms each of relatively low efficiency. Indeed our result in Fig 7 suggests that Conficker could have had a larger outbreak with higher speed if it had used a different set of mixing probabilities, which would require changing only a few lines of Conficker’s program code. Hybrid mechanisms may therefore be ideal for rapid, efficient penetration of a network, for example in the context of an advertising campaign or in order to promulgate important public health or security information. An interesting example might be the use of media campaigns (global spreading) where the reader or viewer is specifically requested to pass on a message via Twitter or Facebook to their “local” group contacts.

Conversely, malicious hybrid epidemics can be extremely difficult to defend against, and many existing defence strategies may not be effective. For example, immunising a selected portion of a local population in order to isolate and hence protect the vulnerable nodes will not be effective, because the vulnerable nodes can still be found by the worm through random global spreading.

Another possible measure is to reduce the average time it takes for an infected node to recover, for example by speeding up the release of anti-virus updates or increasing the frequency of security scanning on computers. Our theoretical predictions (using Eq 2) in Fig 8 show that the final outbreak size (in terms of total recovered nodes) does not change significantly when the recovery time is reduced from 156 minutes to 140 or 120 minutes. In practice, even achieving such reductions represents a remarkable technical challenge. It is clear from the discussion above that epidemics can spread with extremely low global infection rates (far below individual recovery rates), provided there is efficient local infection. The extremely efficient spreading achieved once a given subnet or set of subnets has been penetrated is therefore obviously a key determinant of the worm's outbreak [7]. Thus, defence strategies that focus on security co-operation between nodes within a local network neighbourhood (a "neighbourhood watch" strategy [7]) may be the key to future prevention of similar outbreaks.
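To make the argument above concrete, here is a small simulation added for this page (a constructed toy, not the PLOS ONE paper's model, its Eq 2 or its measured parameters; the subnet count, address-space sizes, probe rate and seeding are all assumptions) that compares pure global, pure local and hybrid probing, and a 156-minute versus a 120-minute clean-up time, on the same population of vulnerable hosts.

```python
"""Constructed toy model of hybrid (global random + local) worm spreading, in
the spirit of the Conficker discussion above.  Added illustration only: this
is not the PLOS ONE paper's model, its Eq 2, or its measured parameters."""
import math
import random

# Assumed parameters (constructed for illustration, not Conficker measurements)
SUBNETS = 100               # subnets that contain vulnerable hosts
SUBNET_SIZE = 256           # addresses per subnet (a /24)
VULNERABLE = 20             # vulnerable hosts in each such subnet
GLOBAL_SPACE = 12_800_000   # addresses a global random probe may land on
PROBES_PER_MIN = 10         # probes sent per infected host per minute


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small means used here."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(alpha, recovery_min, minutes=2880, seeds=5, seed=1):
    """Discrete-time stochastic SIR over fully mixed subnets, one step per minute.

    alpha        fraction of each infected host's probes that are global random
                 probes; the rest are local probes inside its own subnet.
    recovery_min mean minutes until an infected host is cleaned up.
    Returns (hosts ever infected, minute at which half of all vulnerable hosts
    had been infected, or None if that never happened).
    """
    rng = random.Random(seed)
    S = [VULNERABLE] * SUBNETS       # susceptible hosts per subnet
    I = [0] * SUBNETS                # infected, actively probing hosts per subnet
    for j in range(seeds):           # one patient zero in each of the first subnets
        S[j] -= 1
        I[j] += 1
    total = SUBNETS * VULNERABLE
    half_time = None
    for t in range(1, minutes + 1):
        s_total, i_total = sum(S), sum(I)
        if i_total == 0 or s_total == 0:
            break
        # Global probing: a random address is a still-susceptible host only
        # with probability s_total / GLOBAL_SPACE, so most global probes miss.
        hits = poisson(rng, i_total * PROBES_PER_MIN * alpha * s_total / GLOBAL_SPACE)
        # Local probing: the subnet is fully mixed, so a local probe succeeds
        # with probability S_j / SUBNET_SIZE, which is high until S_j runs out.
        local = [min(S[j], poisson(rng, I[j] * PROBES_PER_MIN * (1 - alpha)
                                   * S[j] / SUBNET_SIZE)) if I[j] else 0
                 for j in range(SUBNETS)]
        # Clean-up: Poisson approximation of a binomial with mean I_j / recovery_min.
        recovered = [min(I[j], poisson(rng, I[j] / recovery_min))
                     for j in range(SUBNETS)]
        for j in range(SUBNETS):
            S[j] -= local[j]
            I[j] += local[j] - recovered[j]
        for _ in range(hits):        # each global hit lands where targets remain
            if not any(S):
                break
            j = rng.choices(range(SUBNETS), weights=S)[0]
            S[j] -= 1
            I[j] += 1
        if half_time is None and total - sum(S) >= total / 2:
            half_time = t
    return total - sum(S), half_time


def compare():
    """Outbreak size (hosts ever infected) for the strategies discussed above."""
    return {
        "hybrid, T=156":      simulate(alpha=0.89, recovery_min=156)[0],
        "hybrid, T=120":      simulate(alpha=0.89, recovery_min=120)[0],
        "local only, T=156":  simulate(alpha=0.0, recovery_min=156)[0],
        "global only, T=156": simulate(alpha=1.0, recovery_min=156)[0],
    }


if __name__ == "__main__":
    for name, size in compare().items():
        print(f"{name:>20}: {size} of {SUBNETS * VULNERABLE} hosts")
```

With these parameters the local-only worm never leaves its seeded subnets, the global-only worm dies out because its per-probe success rate is far below the clean-up rate, and the hybrid worm reaches nearly every host with either clean-up time.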

Fig 8 (figure not reproduced). Conficker's recovery time is 156 minutes. https://doi.org/10.1371/journal.pone.0127478.g008

Our Conficker model

The Conficker worm can be described with either a discrete or a continuous model; the two approaches should give the same predictions of the worm's spreading dynamics. In this work we used a discrete approach to model the Conficker worm for three reasons. Firstly, the model's parameters can be defined with clear physical meanings. Secondly, we can calculate the parameters' values directly from the CAIDA measurement data. Lastly, it is more convenient to run simulations with a discrete model. If a continuous model were used, the model parameters would be defined differently, with less clear physical meanings, and their values would have to be obtained through iterative data fitting.

In our Conficker model, we set the local and global population as fully mixed, because this is how the Conficker worm perceives the structure of the Internet. We considered more complex network structures in a separate work [ 16 ] where we studied hybrid epidemics in general.

Our study uses data collected during the first day of the Conficker epidemic to parametrise a hybrid model to capture the worm’s spreading behaviour. The study highlights the importance of mixing different modes of spreading in order to achieve large, rapid and sustained epidemics, and suggests that the trade-off between the different modes of spreading will be critical in determining the epidemic outcome.

Author Contributions

Conceived and designed the experiments: CZ SZ BMC. Performed the experiments: CZ. Analyzed the data: CZ SZ BMC. Wrote the paper: SZ BMC CZ.

  • 16. Zhang C, Zhou S, Cox IJ, Chain BM. Optimizing Hybrid Spreading in Metapopulations; 2014. Preprint. Available: arXiv:1409.7291. Accessed 10 Feb 2015.
  • 17. Chien E. Downadup: Attempts at Smart Network Scanning; 2010. Available: http://www.symantec.com/connect/blogs/downadup-attempts-smart-network-scanning. Accessed Dec 2014.
  • 18. Center for Applied Internet Data Analysis. The CAIDA UCSD Network Telescope "Three Days Of Conficker"; 2008. Available: http://www.caida.org/data/passive/telescope-3days-conficker_dataset.xml. Accessed Dec 2014.
  • 19. Center for Applied Internet Data Analysis. The CAIDA UCSD Network Telescope "Two Days in November 2008" Dataset; 2008. Available: http://www.caida.org/data/passive/telescope-2days-2008_dataset.xml. Accessed Dec 2014.
  • 20. Newman M. Networks: An Introduction. Oxford University Press, USA; 2010.
  • 34. Moore D, Shannon C, Claffy KC. Code-Red: a case study on the spread and victims of an internet worm. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement (IMW). ACM; 2002. pp. 273–284.
  • 53. ESET Virusradar. Win32/Conficker Charts; 2014. Available: http://www.virusradar.com/en/Win32_Conficker/chart/week. Accessed Dec 2014.
  • 54. Irwin B. A network telescope perspective of the Conficker outbreak. In: Information Security for South Africa; 2012. pp. 1–8.
  • 56. Li R, Gan L, Jia Y. Propagation Model for Botnet Based on Conficker Monitoring. In: International Symposium on Information Science and Engineering; 2009. pp. 185–190.
  • 57. Yao Y, Xiang WL, Guo H, Yu G, Gao FX. Diurnal Forced Models for Worm Propagation Based on Conficker Dataset. In: International Conference on Multimedia Information Networking and Security; 2011. pp. 431–435.
  • 58. Aben E. Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope; 2009. Available: http://www.caida.org/research/security/ms08-067/conficker.xml. Accessed Dec 2014.
  • 59. Dagon D, Zou C, Lee W. Modeling botnet propagation using time zones. In: Annual Network & Distributed System Security Symposium; 2006.

Modeling infection methods of computer malware in the presence of vaccinations using epidemiological models: an analysis of real-world data

  • Regular Paper
  • Published: 12 June 2020
  • Volume 10 , pages 349–358, ( 2020 )

  • Nir Levy (ORCID: orcid.org/0000-0002-4256-4934) 1,
  • Amir Rubin (ORCID: orcid.org/0000-0001-5356-6786) 2 &
  • Elad Yom-Tov (ORCID: orcid.org/0000-0002-2380-4584) 3


Computer malware and biological pathogens often use similar infection mechanisms. For this reason, it has been suggested to model malware spread using epidemiological models developed to characterize the spread of biological pathogens. However, to date, most work examining the similarities between malware and pathogens using such methods was based on theoretical analysis and simulation. Here we extend the classical susceptible–infected–recovered epidemiological model to describe two of the most common infection methods used by malware. We fit the proposed model to malware collected between April 2017 and April 2018 from a major anti-malware vendor. We show that by fitting the proposed model it is possible to identify the method of transmission used by the malware, its rate of infection, and the number of machines which will be infected unless blocked by anti-virus software. In a large sample of malware infections, the Spearman correlation between the number of actual and predicted infected machines is \(\rho = 0.84\). Examining cases where an anti-malware "signature" was transmitted to susceptible computers by the anti-virus provider, we show that the time to remove the malware will be short and independent of the number of infected computers if fewer than approximately 60% of susceptible computers have been infected. If more computers were infected, the time to removal will be approximately 3.2 times greater and will depend on the fraction of infected computers. Our results show that the application of epidemiological models of infection to malware can provide anti-virus providers with information on malware spread and its potential damage. We further propose that similarities between computer malware and biological pathogens, the availability of data on the former, and the dearth of data on the latter, make malware an extremely useful model for testing interventions which could later be applied to improve medicine.


Here we refer to software used to block malware as either anti-virus or anti-malware software interchangeably.


Acknowledgements

The authors would like to thank Prof. Lev Muchnik for enlightening discussions and comments.

Author information

Authors and affiliations:

  1. Microsoft, Herzeliya, Israel
  2. Ben-Gurion University of the Negev, Beersheba, Israel
  3. Microsoft Research, Herzeliya, Israel

Corresponding author: Elad Yom-Tov.

Ethics declarations

Conflict of interest

All authors are employees of Microsoft.

About this article

Levy, N., Rubin, A. & Yom-Tov, E. Modeling infection methods of computer malware in the presence of vaccinations using epidemiological models: an analysis of real-world data. Int J Data Sci Anal 10 , 349–358 (2020). https://doi.org/10.1007/s41060-020-00225-1


Received: 18 February 2020

Accepted: 20 May 2020

Published: 12 June 2020

Issue Date: October 2020

DOI: https://doi.org/10.1007/s41060-020-00225-1

Keywords:

  • Epidemiological model
  • Compartmental models
  • Vaccination

7 real and famous cases of ransomware attacks

  • Updated at March 19, 2021
  • Threat Research , Blog

Ransomware is a type of malware that hijacks and blocks files or systems, preventing the user from accessing them. Ransomware is a hijacker: using encryption, it holds files and systems hostage. Theoretically, when the victim pays the ransom amount, they receive the decryption key, which releases the blocked files or systems.

We used the word "theoretically" because, in many cases, the victim pays the amount that was demanded and still doesn't receive the key. By the way, the ransom is usually required to be paid in cryptocurrency, such as bitcoin or monero, precisely to make it difficult to track the cybercriminal.

Ransomware has been terrifying individuals and, most importantly, companies for about 30 years. Worse, over time these threats have become more advanced and sophisticated: new tactics and technologies are used to deceive detection solutions, to encrypt different types of files, or to convince the user to pay the ransom amount.

Both the FBI and Europol point to ransomware as one of the main threats in the digital world. In fact, the European agency has called ransomware a key cybercrime threat for years. The US agency pointed out that, in 2020, about 2,474 ransomware attacks were registered worldwide, resulting in losses of more than USD 29 million.

The examples of ransomware attacks listed below show how these attacks work and give an idea of the damage ransomware does to companies and people. In this article, we cover the following examples of ransomware:


Check out 7 examples of ransomware attacks

1. Ryuk, 2019 and 2020

Like most ransomware infections, Ryuk is spread mainly via malicious or phishing emails containing dangerous links and attachments. The ransom demanded to release an entire system can exceed USD 300,000, making Ryuk one of the most expensive ransomware families in history, well above the average.

According to the FBI, Ryuk attacks have already caused more than USD 60 million in damage worldwide since this ransomware gained prominence in 2018 after halting the operations of major newspapers in the United States. More than 100 companies have suffered attacks.

In 2020, for example, EMCOR Group (an engineering and industrial construction company) and Epiq Global (a legal services company) suffered incidents involving Ryuk.

An interesting detail is that Ryuk's ransom notes contain contact emails ending in @protonmail.com or @tutanota.com. The victim has to send a message to find out how much they must pay for the decryption key.

2. SamSam, 2018

SamSam ransomware was identified a few years ago, more precisely in late 2015, but it was in 2018 that it gained much more prominence after infecting the city of Atlanta, the Colorado Department of Transportation and the Port of San Diego, in the U.S., abruptly halting services.

In the same year, two Iranian hackers were accused of using SamSam against more than 200 organizations and companies in the U.S. and Canada, including hospitals, municipalities and public institutions. The attacks are estimated to have caused losses of USD 30 million.

The city of Atlanta alone spent more than USD 2 million to repair the damage. Hancock Health, an Indiana hospital, paid a ransom of USD 55,000. To spread, this ransomware often exploits vulnerabilities in Remote Desktop Protocol (RDP) and File Transfer Protocol (FTP) services.

A curious fact about SamSam is that the victim is asked to make a first payment for a first key, which unlocks only a few machines, as a supposed sign of honesty.

“With buying the first key you will find that we are honest”, says the ransomware message. Would you believe that?


3. WannaCry, 2017

One of the most devastating ransomware attacks in history in terms of losses was caused by WannaCry, launched in 2017. The estimated losses at the time were USD 4 billion. The amount demanded to release each machine was around USD 300.

WannaCry spread via email scams, or phishing. Worldwide, more than 200 thousand people and companies were affected, including FedEx, Telefonica, Nissan and Renault. WannaCry exploits a vulnerability in Windows.

By the way, even today there are phishing emails claiming that you were infected by WannaCry and demanding a ransom payment. They are plain emails, with no files attached. Stay alert!

4. Petya, 2016

Petya is ransomware that began to be propagated in 2016 via emails with malicious attachments. Since its launch, different variants of Petya are estimated to have caused more than USD 10 billion in financial losses.

Petya works by infecting the boot record of machines running Windows, which blocks the entire operating system. To unlock it, you need to pay a ransom of around USD 300 per user.

This ransomware affected organizations around the world, such as banks and companies in transportation, oil, food and health. Examples include the National Bank of Ukraine, Mondelez (a food company), Merck (a pharmaceutical company) and Rosneft (an oil company).

5. TeslaCrypt, 2015

Like other ransomware families, TeslaCrypt has several versions. Its attacks became famous because, in the beginning, it infected game files, blocking maps and user profiles, for example, for games such as Call of Duty, Minecraft and Warcraft.

Later versions of TeslaCrypt were able to encrypt other file types, such as PDF and Word documents.

In any case, the victim was forced to pay at least USD 250 to release the files, and in some cases the hijacker demanded USD 500 per machine.

6. CryptoLocker, 2013

CryptoLocker is on our list because it was a milestone for its time. When it was launched in 2013, CryptoLocker used a large, non-standard encryption key, which challenged cybersecurity experts.

This ransomware is believed to have caused losses of more than USD 3 million, infecting more than 200 thousand Windows-based computers. CryptoLocker was distributed mainly via email, using malicious files.

7. AIDS Trojan or PC Cyborg, 1989

AIDS Trojan, also known as PC Cyborg, is the first recorded ransomware in history, which is why its creator, Joseph Popp, a Harvard-trained biologist, can be considered the father of ransomware.

AIDS Trojan was distributed on infected floppy disks, which were sent to participants of the World Health Organization's international AIDS conference in Stockholm, Sweden, in 1989.

After hiding file directories and blocking file names, this ransomware asked the victim to send USD 189 to a mailbox in Panama; only then could the data be recovered. But since its encryption was weak, there were no major problems.

Ransomware fighting project: No More Ransom

Have you heard of the No More Ransom (NMR) project? It is a worldwide initiative by Europol and several government agencies and cybersecurity companies to fight ransomware. Gatefy is a partner of the project.

No More Ransom helps victims of ransomware infections recover blocked data without having to pay the ransom. For more information, visit nomoreransom.org.

Email is the primary vector for ransomware attacks: invest in protection

In the event of a ransomware intrusion, the recommendation is not to pay the requested ransom. As seen in the cases and examples of ransomware attacks presented above, the main form of ransomware delivery is email. In fact, email is the platform most used by cybercriminals to commit fraud and scams.

To address this security problem, Gatefy offers an email gateway solution that protects companies of all sizes against various types of threats, including ransomware, malware, phishing and BEC (Business Email Compromise). It is based on artificial intelligence and machine learning, and it is compatible with several email providers, such as Office 365, G Suite, Exchange and Zimbra.

We also offer a DMARC-based anti-fraud solution, so that you have control and visibility over the use of your business's domain.

Request a demo or more information .


Recently Published Documents on Computer Viruses

A Study on Hazards of Computer Viruses

Computer use is becoming part of our lives every day; however, there have been considerable threats from computer viruses in the recent past. Viruses have had adverse effects on data and programs, ranging from formatting hard disks, damaging information infrastructure, suddenly restarting machines, and deleting or modifying data, to milder effects such as slowing down machines or producing irritating sounds. Viruses have been a major cause for worry, especially with the advances in data processing, storage and movement of information. Many computer users and organizations, especially computer-intensive organizations and particularly those running the Windows platform, have had to invest heavily in dealing with viruses. Computer viruses are defined by their characteristic of entering and multiplying without the user's notice, as well as diverting the normal functioning of the computer. This paper seeks to define a virus and explain related terms such as malicious software, worms and Trojan horses. It explains the vulnerabilities of operating systems in relation to viruses, makes an observation on the strengths of Linux versus Windows, outlines the present state of affairs, mentions procedures other than anti-virus software that can help protect against viruses, discusses the future of computer viruses, concludes that the Internet is serving its purpose of interconnecting computers and hence promoting the distribution of viruses, and then makes some recommendations on viruses.

Comparison, Analysis and Analogy of Biological and Computer Viruses

Correlation of Biological and Computer Viruses through Evolutionary Game Theory

Mathematical Modelling of Computer Virus Spread with Immunity Probability

The increase in the number of computer viruses can be modeled with a mathematical model of the spread of SEIR-type diseases with immunity probability. This study aims to model the pattern of the spread of computer viruses. The method used in this research is the analytical method with a mathematical probability of immunity. Based on the analysis of the model, two equilibrium points were obtained: a disease-free equilibrium E1 and an endemic equilibrium E2. The existence and local stability of the equilibrium points depend on the basic reproduction number R0. Equilibrium points E1 and E2 tend to be locally stable when R0<1, which means there is no spread of disease. The numerical simulation results show that the size of the probability of immunity affects compartment R, and the minimum number of new computers and the spread of computer viruses affect compartments S and E in the graphs of the simulation results. The conclusion obtained from the immune SEIR model is that increasing the probability of immunity significantly affects the increase in the number of clean computers after exposure to a virus.

Predicting Spread Probability of Learning-Effect Computer Virus

With the rapid development of network technology, computer viruses have developed at a fast pace. The threat of computer viruses persists because of the constant demand for computers and networks. When a computer virus infects a facility, the virus seeks to invade other facilities in the network by exploiting the convenience of the network protocol and the high connectivity of the network. Hence, there is an increasing need for accurate calculation of the probability of computer-virus-infected areas for developing corresponding strategies, for example, based on the possible virus-infected areas, to interrupt the relevant connections between the uninfected and infected computers in time. The spread of the computer virus forms a scale-free network whose node degree follows the power rule. A novel algorithm based on the binary-addition tree algorithm (BAT) is proposed to effectively predict the spread of computer viruses. The proposed BAT utilizes the probability derived from PageRank from the scale-free network together with the consideration of state vectors with both the temporal and learning effects. The performance of the proposed algorithm was verified via numerous experiments.

Evolution of Computer Viruses

The Dynamical Analysis of a Computer Viruses Model with Age Structure and Delay

This paper deals with the dynamical behaviors for a computer viruses model with age structure, where the loss of the acquired immunity and delay are incorporated. Through some rigorous analyses, an explicit formula for the basic reproduction number of the model is calculated, and some results about stability and instability of equilibria for the model are established. These findings show that the age structure and delay can produce Hopf bifurcation for the computer viruses model. The numerical examples are executed to validate the theoretical results.

A Fractional SAIDR Model in the Frame of Atangana–Baleanu Derivative

Mobile phone worms, which are computer viruses able to take control of cell phones by exploiting their flaws, can be transmitted from one device to another in increasing numbers. Today, one of the services gaining currency for circulating these malignant worms is SMS. The differences between computers and mobile devices render the existing propagation models of computer worms unable to operate directly in the mobile network, and this is particularly true for the SMS framework. The susceptible–affected–infectious–suspended–recovered model with a classical derivative (abbreviated as SAIDR) was coined by Xiao et al. (2017) in order to correctly estimate the spread of worms by means of SMS. This study is the first to apply an Atangana–Baleanu (AB) derivative to the fractional SAIDR model, built upon the SAIDR model. The existence and uniqueness of the model solutions, together with the stability analysis, are shown through the Banach fixed point theorem. The special solution of the model is investigated using the Laplace transformation, and then a set of numerical graphics is presented by varying the fractional order θ with the intention of showing the effectiveness of the fractional derivative.

Information Technology Act 2000 and the Potential Use of Data Analytics in Reducing Cybercrime in India

Cybercrime is increasing rapidly in this digitized world. Be it business, education, shopping or banking transactions, everything is in cyberspace. Cybercrime covers a wide range of attacks, such as financial cybercrime, spreading computer viruses or malware, internet fraud, pornography-related cybercrime, intellectual property rights violations, etc. Due to the increase in cyber-attacks, online users must be aware of these kinds of attacks and need to be cautious with their data online. Each country has its own laws for dealing with cybercrime. The different measures taken by the government of India to combat cybercrime are explained in this chapter, as is how the potential use of data analytics can help in reducing cybercrime in India.


What is cloud computing?


With cloud computing, organizations essentially buy a range of services offered by cloud service providers (CSPs). The CSP’s servers host all the client’s applications. Organizations can enhance their computing power more quickly and cheaply via the cloud than by purchasing, installing, and maintaining their own servers.

The cloud-computing model is helping organizations to scale new digital solutions with greater speed and agility—and to create value more quickly. Developers use cloud services to build and run custom applications and to maintain infrastructure and networks for companies of virtually all sizes—especially large global ones. CSPs offer services, such as analytics, to handle and manipulate vast amounts of data. Time to market accelerates, speeding innovation to deliver better products and services across the world.

What are examples of cloud computing’s uses?


Brant Carson is a senior partner in McKinsey’s Vancouver office; Chandra Gnanasambandam and Anand Swaminathan are senior partners in the Bay Area office; William Forrest is a senior partner in the Chicago office; Leandro Santos is a senior partner in the Atlanta office; Kate Smaje is a senior partner in the London office.

Cloud computing came on the scene well before the global pandemic hit in 2020, but the ensuing digital dash helped demonstrate its power and utility. Here are some examples of how businesses and other organizations employ the cloud:

  • A fast-casual restaurant chain’s online orders multiplied exponentially during the 2020 pandemic lockdowns, climbing to 400,000 a day, from 50,000. One pleasant surprise? The company’s online-ordering system could handle the volume—because it had already migrated to the cloud. Thanks to this success, the organization’s leadership decided to accelerate its five-year migration plan to less than one year.
  • A biotech company harnessed cloud computing to deliver the first clinical batch of a COVID-19 vaccine candidate for Phase I trials in just 42 days—thanks in part to breakthrough innovations using scalable cloud data storage and computing to facilitate processes ensuring the drug’s safety and efficacy.
  • Banks use the cloud for several aspects of customer-service management. They automate transaction calls using voice recognition algorithms and cognitive agents (AI-based online self-service assistants directing customers to helpful information or to a human representative when necessary). In fraud and debt analytics, cloud solutions enhance the predictive power of traditional early-warning systems. To reduce churn, they encourage customer loyalty through holistic retention programs managed entirely in the cloud.
  • Automakers are also along for the cloud ride. One company uses a common cloud platform that serves 124 plants, 500 warehouses, and 1,500 suppliers to consolidate real-time data from machines and systems and to track logistics and offer insights on shop floor processes. Use of the cloud could shave 30 percent off factory costs by 2025—and spark innovation at the same time.

That’s not to mention experiences we all take for granted: using apps on a smartphone, streaming shows and movies, participating in videoconferences. All of these things can happen in the cloud.


How has cloud computing evolved?

Going back a few years, legacy infrastructure dominated IT-hosting budgets. Enterprises planned to move a mere 45 percent of their IT-hosting expenditures to the cloud by 2021. Enter COVID-19, and 65 percent of the decision makers surveyed by McKinsey increased their cloud budgets. An additional 55 percent ended up moving more workloads than initially planned. Having witnessed the cloud’s benefits firsthand, 40 percent of companies expect to pick up the pace of implementation.

The cloud revolution has actually been going on for years—more than 20, if you think the takeoff point was the founding of Salesforce, widely seen as the first software as a service (SaaS) company. Today, the next generation of cloud, including capabilities such as serverless computing, makes it easier for software developers to tweak software functions independently, accelerating the pace of release, and to do so more efficiently. Businesses can therefore serve customers and launch products in a more agile fashion. And the cloud continues to evolve.


Cost savings are commonly seen as the primary reason for moving to the cloud, but managing those costs requires a different and more dynamic approach focused on OpEx rather than CapEx. Financial-operations (or FinOps) capabilities can indeed enable the continuous management and optimization of cloud costs. But CSPs have developed their offerings so that the cloud’s greatest value opportunity is primarily through business innovation and optimization. In 2020, the top-three CSPs reached $100 billion in combined revenues—a minor share of the global $2.4 trillion market for enterprise IT services—leaving huge value to be captured. To go beyond merely realizing cost savings, companies must activate three symbiotic rings of cloud value creation: strategy and management, business domain adoption, and foundational capabilities.

What’s the main reason to move to the cloud?

The pandemic demonstrated that the digital transformation can no longer be delayed—and can happen much more quickly than previously imagined. Nothing is more critical to a corporate digital transformation than becoming a cloud-first business. The benefits are faster time to market, simplified innovation and scalability, and reduced risk when effectively managed. The cloud lets companies provide customers with novel digital experiences—in days, not months—and delivers analytics absent on legacy platforms. But to transition to a cloud-first operating model, organizations must make a collective effort that starts at the top. Here are three actions CEOs can take to increase the value their companies get from cloud computing:

  • Establish a sustainable funding model.
  • Develop a new business technology operating model.
  • Set up policies to attract and retain the right engineering talent.

How much value will the cloud create?

Fortune 500 companies adopting the cloud could realize more than $1 trillion in value by 2030, and not from IT cost reductions alone, according to McKinsey’s analysis of 700 use cases.

For example, the cloud speeds up design, build, and ramp-up, shortening time to market when companies have strong DevOps (the combination of development and operations) processes in place; groups of software developers customize and deploy software for operations that support the business. The cloud’s global infrastructure lets companies scale products almost instantly to reach new customers, geographies, and channels. Finally, digital-first companies use the cloud to adopt emerging technologies and innovate aggressively, using digital capabilities as a competitive differentiator to launch and build businesses.

If companies pursue the cloud’s vast potential in the right ways, they will realize huge value. Companies across diverse industries have implemented the public cloud and seen promising results. The successful ones defined a value-oriented strategy across IT and the business, acquired hands-on experience operating in the cloud, adopted a technology-first approach, and developed a cloud-literate workforce.


What is the cloud cost/procurement model?

Some cloud services, such as server space, are leased. Leasing requires much less capital up front than buying, offers greater flexibility to switch and expand the use of services, cuts the basic cost of buying hardware and software upfront, and reduces the difficulties of upkeep and ownership. Organizations pay only for the infrastructure and computing services that meet their evolving needs. But an outsourcing model is more apt than other analogies: the computing business issues of cloud customers are addressed by third-party providers that deliver innovative computing services on demand to a wide variety of customers, adapt those services to fit specific needs, and work to constantly improve the offering.

What are cloud risks?

The cloud offers huge cost savings and potential for innovation. However, when companies migrate to the cloud, the simple lift-and-shift approach doesn’t reduce costs, so companies must remediate their existing applications to take advantage of cloud services.

For instance, a major financial-services organization wanted to move more than 50 percent of its applications to the public cloud within five years. Its goals were to improve resiliency, time to market, and productivity. But not all its business units needed to transition at the same pace. The IT leadership therefore defined varying adoption archetypes to meet each unit’s technical, risk, and operating-model needs.

Legacy cybersecurity architectures and operating models can also pose problems when companies shift to the cloud. The resulting problems, however, involve misconfigurations rather than inherent cloud security vulnerabilities. One powerful solution? Securing cloud workloads for speed and agility: automated security architectures and processes enable workloads to be processed at a much faster tempo.

What kind of cloud talent is needed?

The talent demands of the cloud differ from those of legacy IT. While cloud computing can improve the productivity of your technology, it requires specialized and sometimes hard-to-find talent—including full-stack developers, data engineers, cloud-security engineers, identity- and access-management specialists, and cloud engineers. The cloud talent model should thus be revisited as you move forward.

Six practical actions can help your organization build the cloud talent you need:

  • Find engineering talent with broad experience and skills.
  • Balance talent maturity levels and the composition of teams.
  • Build an extensive and mandatory upskilling program focused on need.
  • Build an engineering culture that optimizes the developer experience.
  • Consider using partners to accelerate development and assign your best cloud leaders as owners.
  • Retain top talent by focusing on what motivates them.

How do different industries use the cloud?

Different industries are expected to see dramatically different benefits from the cloud. High-tech, retail, and healthcare organizations occupy the top end of the value capture continuum. Electronics and semiconductors, consumer-packaged-goods, and media companies make up the middle. Materials, chemicals, and infrastructure organizations cluster at the lower end.

Nevertheless, myriad use cases provide opportunities to unlock value across industries, as the following examples show:

  • a retailer enhancing omnichannel fulfillment, using AI to optimize inventory across channels and to provide a seamless customer experience
  • a healthcare organization implementing remote health monitoring to conduct virtual trials and improve adherence
  • a high-tech company using chatbots to provide premier-level support combining phone, email, and chat
  • an oil and gas company employing automated forecasting to automate supply-and-demand modeling and reduce the need for manual analysis
  • a financial-services organization implementing customer call optimization using real-time voice recognition algorithms to direct customers in distress to experienced representatives for retention offers
  • a financial-services provider moving applications in customer-facing business domains to the public cloud to penetrate promising markets more quickly and at minimal cost
  • a health insurance carrier accelerating the capture of billions of dollars in new revenues by moving systems to the cloud to interact with providers through easier onboarding

The cloud is evolving to meet the industry-specific needs of companies. From 2021 to 2024, public-cloud spending on vertical applications (such as warehouse management in retailing and enterprise risk management in banking) is expected to grow by more than 40 percent annually. Spending on horizontal workloads (such as customer relationship management) is expected to grow by 25 percent. Healthcare and manufacturing organizations, for instance, plan to spend around twice as much on vertical applications as on horizontal ones.


What are the biggest cloud myths?

Views on cloud computing can be clouded by misconceptions. Here are seven common myths about the cloud—all of which can be debunked:

  • The cloud’s value lies primarily in reducing costs.
  • Cloud computing costs more than in-house computing.
  • On-premises data centers are more secure than the cloud.
  • Applications run more slowly in the cloud.
  • The cloud eliminates the need for infrastructure.
  • The best way to move to the cloud is to focus on applications or data centers.
  • You must lift and shift applications as-is or totally refactor them.

How large must my organization be to benefit from the cloud?

Here’s one more huge misconception: the cloud is just for big multinational companies. In fact, the cloud can help small local companies become multinational. A company’s benefits from implementing the cloud are not constrained by its size. The cloud shifts the barrier to entry from scale to skill, making it possible for a company of any size to compete if it has people with the right skills. With the cloud, highly skilled small companies can take on established competitors. To realize the cloud’s immense potential value fully, organizations must take a thoughtful approach, with IT and the businesses working together.


Articles referenced include:

  • “Six practical actions for building the cloud talent you need,” January 19, 2022, Brant Carson, Dorian Gärtner, Keerthi Iyengar, Anand Swaminathan, and Wayne Vest
  • “Cloud-migration opportunity: Business value grows, but missteps abound,” October 12, 2021, Tara Balakrishnan, Chandra Gnanasambandam, Leandro Santos, and Bhargs Srivathsan
  • “Cloud’s trillion-dollar prize is up for grabs,” February 26, 2021, Will Forrest, Mark Gu, James Kaplan, Michael Liebow, Raghav Sharma, Kate Smaje, and Steve Van Kuiken
  • “Unlocking value: Four lessons in cloud sourcing and consumption,” November 2, 2020, Abhi Bhatnagar, Will Forrest, Naufal Khan, and Abdallah Salami
  • “Three actions CEOs can take to get value from cloud computing,” July 21, 2020, Chhavi Arora, Tanguy Catlin, Will Forrest, James Kaplan, and Lars Vinter


Articles on computer virus

  • Cybersecurity: high costs for companies (Hervé Debar, Télécom SudParis – Institut Mines-Télécom)
  • DNA has gone digital – what could possibly go wrong? (Jenna E. Gallegos, Colorado State University, and Jean Peccoud, Colorado State University)
  • An ethical hacker can help you beat a malicious one (Georg Thomas, Charles Sturt University)
  • Explained: why a reboot is the go-to computer fix (Rob Miles, University of Hull)
  • Computer viruses deserve a museum: they’re an art form of their own (Jussi Parikka, University of Southampton)
  • Hack attack on a hospital IT system highlights the risk of still running Windows XP (Robert Merkel, Monash University)
  • Seven easy steps to keep viruses from your devices (Mary Adedayo, University of Pretoria)
  • Human and technical ingenuity will be required to defeat shape-shifting malware (John Walker, Nottingham Trent University)
  • Would you compromise your computer for one cent an hour? This study says you might (Andrew Smith, The Open University)
  • Media shock stories about GameOver Zeus are not helpful (Bill Buchanan, Edinburgh Napier University)


Top contributors

  • Senior Lecturer in Networking, The Open University
  • Lecturer in Software Engineering, Monash University
  • Head, The Cyber Academy, Edinburgh Napier University
  • Associate professor, Charles Sturt University
  • Lecturer in Computer Science, University of Hull
  • Professor in Technological Culture & Aesthetics, University of Southampton
  • Visiting Professor, Nottingham Trent University
  • Lecturer, Department of Computer Science, University of Pretoria
  • Adjunct Lecturer, Charles Sturt University
  • Directeur de la Recherche et des Formations Doctorales, Directeur adjoint, Télécom SudParis – Institut Mines-Télécom
  • Professor, Abell Chair in Synthetic Biology, Colorado State University
  • Postdoctoral Researcher in Chemical and Biological Engineering, Colorado State University


IMAGES

  1. Explain Different Types of Computer Virus
  2. The 10 Worst Computer Viruses of All-Time
  3. A Brief History of Computer Viruses: From the 1970s to Now
  4. A Brief History of Computer Viruses
  5. The Fastest-Spreading Viruses in World History
  6. real-computer-virus-min

VIDEO

  1. Comparison: Computer Viruses

  2. I Tried Most Dangerous Computer Viruses 13 ( Extreme Death.exe )

  3. What is a Computer Virus?

  4. Could A Virus Wipe Out Humanity?

  5. Computer Virus And Antivirus Essay In English

  6. The Strangest Computer Viruses Ever Created

COMMENTS

  1. 11 real and famous cases of malware attacks

    Check out 11 real cases of malware attacks. 1. CovidLock, ransomware, 2020. Fear in relation to the Coronavirus (COVID-19) has been widely exploited by cybercriminals. CovidLock ransomware is an example. This type of ransomware infects victims via malicious files promising to offer more information about the disease.

  2. 11 infamous malware attacks: The first and the worst

    Brain virus (1986). Creeper was designed to leap across computer networks, but for most of the 1970s and '80s that infection vector was limited simply because most computers operated in isolation.

  3. Famous computer viruses: A look at cyberthreats

    Jaschan's motivations behind these viruses remain unclear but may have been driven by a desire to outpace even the notorious MyDoom virus. 6. Anna Kournikova virus. The Anna Kournikova virus, named after the famous tennis player, exploited her popularity to trick unwitting users.

  4. Case Study: The Morris Worm Brings Down the Internet

    The worm significantly disrupted the young internet, introduced the world to the concept of a software worm and served as a wakeup call on the importance of cybersecurity. Build a Cause Map. A Cause Map, a visual root cause analysis, can be used to create a root cause analysis case study and analyze this incident.

  5. 'I love you': How a badly-coded computer virus caused ...

    Computer chaos. From Hong Kong, where the virus crippled the communications and ravaged file systems of investment banks, public relations firms and the Dow Jones newswire, the love bug spread ...

  6. Top Ten Most-Destructive Computer Viruses

    Though Stuxnet was discovered in 2010, it is believed to have first infected computers in Iran in 2009. 2) Conficker Virus (2009) In 2009, a new computer worm crawled its way into millions of ...

  7. SE7- Case study

    SE7- Case study - Internet worm. Description. The 1988 Internet Worm was the first major worldwide computer security incident where malware (software that is malicious) propagated throughout the internet. This worm infected Unix servers, taking advantage of different types of vulnerability in installed code such as Sendmail and finger.

  8. PDF Hybrid Epidemics

    There are many real examples. Mobile phone viruses can spread via Bluetooth communication with any nearby devices (local, fully-mixed spreading) and Multimedia Messaging Service with remote contacts (global, network spreading) [27]. A computer that is infected by the worm Red Code II spends 1/8 of its time probing any computers on the Internet

  9. Hybrid Epidemics

    Conficker is a computer worm that erupted on the Internet in 2008. It is unique in combining three different spreading strategies: local probing, neighbourhood probing, and global probing. We propose a mathematical model that combines three modes of spreading, local, neighbourhood and global to capture the worm's spreading behaviour. The parameters of the model are inferred directly from ...

  10. Code-Red: a case study on the spread and victims of an ...

    Abstract. On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hours. The cost of this epidemic, including subsequent ...

  11. Hybrid Epidemics—A Case Study on Computer Worm Conficker

    Computer Worm Conficker. In this paper we will critically analyse a hybrid epidemic, the computer worm Conficker, based on real measurement data. It is one of the most contagious computer worms on record. It erupted on the Internet on 21 November 2008 and infected millions of computers in just a few days [7].

  12. How Viruses Spread Among Computers and People

    The Internet and the world wide web (WWW) play an ever greater part in our lives. Only relatively recently, however, have researchers begun to study how the patterns of connectivity in these networks affect the spread of computer viruses within them (1, 2) and their ability to handle perturbation or attack. Many models for communication can be formulated in terms of networks, in which nodes ...

  13. Modeling infection methods of computer malware in the ...

    Computer malware and biological pathogens often use similar infection mechanisms. For this reason, it has been suggested to model malware spread using epidemiological models developed to characterize the spread of biological pathogens. However, to date, most work examining the similarities between malware and pathogens using such methods was based on theoretical analysis and simulation. Here ...

  14. 7 real and famous cases of ransomware attacks

    CryptoLocker was distributed mainly via email, using malicious files. 7. AIDS Trojan or PC Cyborg, 1989. AIDS Trojan, also known as PC Cyborg, is the first registered ransomware in history. That is why its creator, Joseph Popp, a Harvard-trained biologist, can be considered the father of ransomware.

  15. Viruses, Worms, and Trojan Horses: Serious Crimes, Nuisance, or Both

    This study examines the functionality and propagation patterns of computer viruses, worms, and Trojan horses detected during a 12-month period beginning on January 1, 2004. ... as made clear by a recent case involving two university professors who cited as examples of real computer viruses a number of hoaxes that were part of an April Fool ...

  16. computer virus News, Research and Analysis

    Jenna E. Gallegos, Colorado State University and Jean Peccoud, Colorado State University. Biologists' growing reliance on computers advances the field - but comes with new risks. The first ...

  17. Case Study: AIDS Trojan Ransomware

    The Trojan AIDS/PC Cyborg virus was the first known ransomware attack. It gained access to users' computers through a mailed floppy disc disguised as a survey program. The malware encrypted C ...

  18. Malware found on laptops given out by government

    By Jane Wakefield. Some of the laptops given out in England to support vulnerable children home-schooling during lockdown contain malware, BBC News has learned. Teachers shared details on an ...

  19. computer viruses Latest Research Papers

    The increase in the number of computer viruses can be modeled with a mathematical model of the spread of SEIR type of diseases with immunity probability. This study aims to model the pattern of the spread of computer viruses. The method used in this research is the analytical method with the probability of mathematical immunity.

  20. What is cloud computing: Its uses and benefits

    One company uses a common cloud platform that serves 124 plants, 500 warehouses, and 1,500 suppliers to consolidate real-time data from machines and systems and to track logistics and offer insights on shop floor processes. Use of the cloud could shave 30 percent off factory costs by 2025—and spark innovation at the same time.

  21. computer virus News, Research and Analysis

    Bill Buchanan, Edinburgh Napier University. We need to watch out for headlines like the ones earlier this week warning that people had two weeks to protect themselves from a "powerful computer ...