This was the decade in which computer attacks grew markedly more sophisticated and far more targeted, each one built around a specific motive and mission.
In May 2000 the world was hit by a new kind of virus, remarkable as much for the way it spread as for what it did. Dubbed "ILOVEYOU", it infected millions of computers and overwhelmed email systems around the world. It arrived as an email attachment containing VBScript, named LOVE-LETTER-FOR-YOU.TXT.vbs; because Windows hid known file extensions by default, the file looked like a harmless text document, and anyone who opened it executed the script. The script established persistence by adding entries to the registry's Run keys so that it restarted on every reboot, overwrote files of common types (images, audio, scripts) with copies of itself, and downloaded a further payload: an executable that stole passwords and later emailed the captured credentials from the infected system to the attacker.

A second routine was responsible for its worldwide spread. As soon as the script ran, it harvested every address in the victim's Outlook address book and mailed a copy of itself to each one, from the victim's own account, with the subject line ILOVEYOU. Recipients, assuming the message came from someone they knew, made the same mistake, opened the attachment and repeated the cycle. In the days that followed, many variants with the same modus operandi appeared.
The decade also saw the rise of worms and of attacks that exploited vulnerabilities in software, operating systems and other system components. One of the most famous was SQL Slammer (January 2003), which became the fastest-spreading worm of its time and caused widespread internet disruption; although the bulk of its damage was done within minutes, unpatched hosts kept its scanning traffic alive on the internet for years afterwards. It exploited a buffer overflow in the SQL Server 2000 Resolution Service of Microsoft SQL Server and the Microsoft SQL Server Desktop Engine (MSDE). Estimates put the number of infected hosts at about 75,000 within the first ten minutes, and well beyond that within the hour (the exact count is not known). The worm generated random IP addresses and sent a single UDP packet to destination port 1434 (the SQL Server resolution port) on each of them.

Any host running a vulnerable SQL Server or MSDE instance that received the packet was exploited by it: the entire worm fit in that one 376-byte UDP payload, it ran purely in memory without ever writing a file to disk, and the newly infected host immediately began generating addresses and sending copies of itself. Because UDP needs no handshake, each infected host could spray packets as fast as its link allowed, and much of the disruption came from saturated network links rather than from the worm's payload, which did nothing else. Microsoft had published a patch for the bug (MS02-039) six months before the worm appeared, yet most exposed systems had not applied it. The lesson is twofold: exploitable services must be patched promptly, and a database resolution service should never have been reachable from the internet in the first place.
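A fan-out check of the kind that would have flagged a Slammer-infected host, written here as an added example (not code from the original page): it parses flow records, and flags any source that contacts many distinct hosts on UDP/1434 within a short window, which is what a worm spraying random addresses looks like and what a legitimate SQL client never does. The record format, the threshold, the window and the sample data are assumptions made for the example.

```python
from collections import defaultdict

# Tuning assumptions for this example: a legitimate client resolves SQL
# instances on a handful of servers; a worm talks to dozens in seconds.
FANOUT_THRESHOLD = 20
WINDOW_SECONDS = 60


def parse_flows(text):
    """Parse whitespace-separated flow records: ts src dst proto dport bytes."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append((int(ts), src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows


def find_udp1434_scanners(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: distinct_destinations} for every source that reaches at least
    `threshold` distinct hosts on UDP/1434 inside some `window`-second span."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport, _ in flows:
        if proto == "udp" and dport == 1434:
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()                      # by timestamp
        lo, best = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:   # slide window start
                lo += 1
            distinct = len({dst for _, dst in events[lo:hi + 1]})
            best = max(best, distinct)
        if best >= threshold:
            hits[src] = best
    return hits


def constructed_sample():
    """Constructed sample records (not a real capture): one infected host spraying
    pseudo-random addresses, and one legitimate client talking to two servers."""
    lines = []
    for i in range(40):
        # 404 bytes on the wire: the 376-byte Slammer payload plus IP/UDP headers.
        # 37 is coprime with 251, so the 40 destinations are all distinct.
        lines.append(f"{1043472600 + i // 10} 10.0.0.5 198.51.100.{(i * 37) % 251 + 1} udp 1434 404")
    lines.append("1043472605 10.0.0.9 10.0.0.20 udp 1434 60")
    lines.append("1043472606 10.0.0.9 10.0.0.21 udp 1434 60")
    lines.append("1043472607 10.0.0.9 10.0.0.20 tcp 1433 1500")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, fanout in find_udp1434_scanners(parse_flows(constructed_sample())).items():
        print(f"ALERT {src}: {fanout} distinct UDP/1434 destinations within {WINDOW_SECONDS}s")
```

Fan-out on a single port is a crude but durable signal: it does not depend on the packet contents, so it catches the next single-packet UDP worm too, and the same logic applies to any service that should only ever see a few peers. In practice the threshold is set from a baseline of the environment's normal SQL client behaviour.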
In November 2008 we witnessed another massive worm, Conficker, which targeted Windows systems from Windows 2000 up to the Windows 7 pre-release builds, initially by exploiting a vulnerability in the Windows Server service that Microsoft had patched out of band a month earlier (MS08-067). Rough estimates put the number of infected machines at 10 to 15 million in more than 190 countries, spanning government networks, military bases and fleets, corporations and home users: practically everything in its path. Between November 2008 and April 2009 five variants were found, Conficker A through E. Beyond the sheer scale of the infection, the worm assembled one of the largest botnets of the era. The motive was presumably to build a botnet for more serious attacks, but nothing conclusive was ever established about who ran it or what it was for.

Conficker combined several techniques that were new, or newly combined, at the time. It blocked disinfection by disabling Windows Update and security services and by blocking DNS lookups of security vendors' sites; it spread via infected USB sticks and other removable media through autorun; and it propagated over network shares and administrative shares (ADMIN$) by guessing weak passwords from a built-in dictionary. Its most innovative feature was the way it "called home". Rather than hard-coding a command-and-control address that defenders could simply block or seize, it used a domain generation algorithm (DGA), an approach that later became the norm for botnet command-and-control infrastructure. Each day the malware derived a fresh list of pseudo-random domain names from a predetermined algorithm seeded with the current date: 250 a day in the early variants, and 50,000 a day in Conficker C, of which it contacted a random 500. Because the attacker knew the same algorithm, they only needed to register one or a few of that day's domains in advance; the malware walked the list, and whichever domain resolved was that day's command-and-control server. The defence that eventually worked was the mirror image: once the algorithm had been reverse-engineered, the Conficker Working Group could compute the same daily lists and pre-register or sinkhole the domains before the attacker did, which is precisely why Conficker C raised the count to 50,000.
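How a date-seeded DGA plays out on all three sides, as an added example that is not from the original page and is not Conficker's real algorithm: the shared generator, the operator registering one of the day's names, the malware walking the list until a name resolves, and the defender, having reversed the algorithm, enumerating every candidate for the coming week. The secret, the ten-letter labels, the TLD set and the figure of 250 domains a day are assumptions for the example.

```python
import hashlib
from datetime import date, timedelta

# Illustrative DGA for this example only; NOT Conficker's actual algorithm.
# Both sides share the algorithm and the secret; the date is the only input
# that changes, so each day yields a new but predictable list.
SECRET = b"example-botnet-secret"        # assumed: baked into the malware
DOMAINS_PER_DAY = 250                    # Conficker A/B generated 250 per day
TLDS = ("com", "net", "org", "info", "biz")
EXAMPLE_DAY = date(2009, 1, 15)          # constructed date for the demo


def generate_domains(day, count=DOMAINS_PER_DAY, secret=SECRET):
    """Deterministically derive the day's candidate C2 domains from the date."""
    seed = secret + day.isoformat().encode()
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:10])  # ten letters a-z
        domains.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return domains


def operator_pick(day, secret=SECRET):
    """Attacker side: choose one name from the day's list and register it in advance."""
    candidates = generate_domains(day, secret=secret)
    digest = hashlib.sha256(b"pick" + secret + day.isoformat().encode()).digest()
    return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]


def malware_beacon(day, resolvable, secret=SECRET):
    """Malware side: walk the day's list; the first name that resolves is today's C2.
    `resolvable` stands in for DNS here so the example runs offline."""
    for domain in generate_domains(day, secret=secret):
        if domain in resolvable:
            return domain
    return None            # no C2 reachable today; try again tomorrow


def defender_precompute(start, days, secret=SECRET):
    """Defender side: with the algorithm reversed, enumerate every candidate for the
    coming days so they can be sinkholed or pre-registered before the operator acts."""
    block = set()
    for n in range(days):
        block.update(generate_domains(start + timedelta(days=n), secret=secret))
    return block


if __name__ == "__main__":
    c2 = operator_pick(EXAMPLE_DAY)
    print("operator registers :", c2)
    print("malware beacons to :", malware_beacon(EXAMPLE_DAY, resolvable={c2}))
    week = defender_precompute(EXAMPLE_DAY, 7)
    print("defender sinkholes :", len(week), "domains; operator's pick covered:", c2 in week)
```

The asymmetry the example shows is the whole point of a DGA: the operator registers one name, the defender must deal with all of them, and multiplying the daily count (as Conficker C did) pushes the defender's cost up without changing the operator's. Real DGAs also tend to fetch the date from an external source (Conficker C read it from public web servers' HTTP responses) rather than trusting the local clock.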
At the end of the decade the industry was taken by surprise by the discovery, in 2010, of Stuxnet, a carefully and meticulously engineered piece of malware built not for espionage but for sabotage. It was targeted at Iran's uranium enrichment programme, specifically the Natanz facility, with the single purpose of disrupting it, and to a large extent it succeeded: it physically damaged a significant number of centrifuges by manipulating the Siemens programmable logic controllers (PLCs) that drove them, while feeding the operators recorded readings that looked normal. Stuxnet raised serious concerns within the security community about the safety of the operational technology that controls industrial systems, such as SCADA systems and PLCs, much of which had been designed on the assumption that it would never face a hostile network.
Attack sophistication has only continued to rise since, and attacks have become ever more targeted, as the 2016 Bangladesh Bank heist showed: approximately $81 million was siphoned out of the bank's account at the Federal Reserve Bank of New York through fraudulent SWIFT transfer instructions, in an extremely well-coordinated and planned operation.