The Fastest Spreading Virus of All Time: "Samy"

During this year, we have observed how fast a virus spreads and how effective it is. Viruses that infect computers have just as striking effects. Various types of malware, such as ransomware, rootkits, worms, adware, and scareware, can do dozens of things after they enter your computer. Your information can be intercepted and used for malicious purposes, your system files can be changed, and your network may slow down. Vulnerabilities can also cause system crashes and put your data at risk.

Day by day, cybersecurity develops further, more information flows, and we increase our measures. 15 years ago, people knew much less about security vulnerabilities than we do now. As a result, precautions were not taken completely. Until Samy Kamkar wrote the fastest spreading virus code of all time…

MySpace, the most popular website of that time, was like a simple version of today's Facebook. People could add each other as friends, send messages, and add information and photos about themselves. Additionally, it gave MySpace users open access to its code. That is, a person could access the code of the site and make additions to it. Nobody predicted that this would take on other dimensions.

Samy Kamkar was a 19-year-old who had dropped out of high school a few years earlier and spent most of his time on the computer. When he saw that MySpace gave access to its code, he realized that he could actually do a lot of things and started adding to the code constantly. For example, a MySpace user could normally add 12 photos to their profile, while Samy added 13. The reason MySpace shared its code in this way was so that people could make more colorful pages with HTML. But no one realized that a virus could spread this way. This time, Kamkar added a different kind of code.

How does the Samy virus work?

In technical terms, the method is Cross-Site Scripting, or XSS for short: client-side code is embedded between the HTML code of a page, so that it runs for the user who views that page.

Let’s say person X clicks on Samy’s profile and takes a glance at it. Thanks to the code, person X automatically sends a friend request to Samy. The code also adds Samy under the heading “Heroes” in person X’s profile and places the following text there: “but most of all, Samy is my hero.”

Now the code written by Samy has been added to person X’s page, and if people Y, Z, W… visit person X’s page, the same thing happens to them. In other words, they first send a friend request to Samy, and then the sentence “Samy is my hero.” is added to their profiles. Since everyone is looking at each other’s profiles, the number of people who get the virus code continues to increase exponentially.
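The spread described above can be modeled without any worm code. The following is an added example, not code from the original page or from Kamkar: it simulates profile visits on a constructed site and compares inserting the “Heroes” field into the page raw with HTML-encoding it first. The user count, visit rate, seed and the inert placeholder tag are assumptions made for the illustration.

```javascript
// Added illustration: a model of the spread, not the worm's code.
const MARKER = "<script>/* constructed placeholder, does nothing */</script>";

// HTML-encode user-supplied text so the browser displays it instead of parsing it.
function encodeHtml(text) {
  return text.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Render the "Heroes" section of a profile, with or without output encoding.
function renderHeroes(profile, encode) {
  const body = encode ? encodeHtml(profile.heroes) : profile.heroes;
  return `<div class="heroes">${body}</div>`;
}

// Seeded generator so every run produces the same visit pattern.
function makeRng(seed) {
  let state = seed >>> 0;
  return () => {
    state = (state * 1664525 + 1013904223) % 4294967296;
    return state / 4294967296;
  };
}

// Simulate rounds of profile visits; returns the infected count after each round.
function simulate({ users = 300, visitsPerRound = 4, rounds = 10, encode }) {
  const rng = makeRng(2005);
  const profiles = Array.from({ length: users }, () => ({ heroes: "my friends" }));
  profiles[0].heroes = "but most of all, Samy is my hero." + MARKER; // Samy's profile
  let friendRequests = 0;
  const infectedPerRound = [];
  for (let r = 0; r < rounds; r++) {
    for (let visitor = 1; visitor < users; visitor++) {
      for (let v = 0; v < visitsPerRound; v++) {
        const viewed = profiles[Math.floor(rng() * users)];
        // The script runs only if the page the visitor receives holds a live tag.
        const runs = renderHeroes(viewed, encode).includes("<script>");
        if (runs && !profiles[visitor].heroes.includes(MARKER)) {
          profiles[visitor].heroes = viewed.heroes; // text and code copied over
          friendRequests++; // simplification: one request to Samy per user
        }
      }
    }
    infectedPerRound.push(profiles.filter((p) => p.heroes.includes(MARKER)).length);
  }
  return { infectedPerRound, friendRequests };
}

console.log("raw:    ", simulate({ encode: false }).infectedPerRound);
console.log("encoded:", simulate({ encode: true }).infectedPerRound);
```

With the field inserted raw, the infected count grows over the rounds; with encoding on, it stays at 1, which is Samy's own profile.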

Kamkar estimated that around 100 people would add him as a friend thanks to this code. When he looked at his MySpace page the next morning, he saw that there were over 200 friend requests. But this number continued to increase every minute! After hundreds, thousands, and tens of thousands, Samy Kamkar faced one million friend requests. And he hadn’t actually planned any of this. He could not have imagined that it would be so effective. Friend requests kept coming, and other users who noticed the situation accused Kamkar of hacking them.

Realizing that this situation had no end, Samy tried to reach out to the MySpace team and explain the situation, but there was no response. He then wanted to delete his page and closed his account. When he re-entered his page, he received a warning that the page no longer existed. Well, OK, at least the whole problem was solved for now. He tried to access other people’s pages, but they all showed the same warning. After a moment he refreshed the page, and MySpace had crashed.

Samy was also very appalled by this situation because he had not known that it would turn out like this. Some time passed, and he was relieved that no one had been able to find him or had come looking for him in the process. A few days later, the police came and examined all his electronic devices. As a result of this investigation, Samy was sentenced to perform service for the state and to stay away from the internet for 3 years. At certain times of the day, he did his service work; the rest of the time he used the computer without the internet and made time for other activities.

Three years later when his sentence was over, the first thing he did was buy a Mac from the Apple Store and go online.

“Definitely not to MySpace…” – Samy Kamkar

All these events revealed a huge security gap, and it became clear that work needed to focus on this field. According to Anand, MySpace’s Security Director, nobody knew what to do when faced with this situation.

Kamkar, on the other hand, became a speaker at events, founded his own company, and continues his work on cybersecurity. He says that, his current reputation aside, he would not add such a virus (worm) there if he could return to that moment. Samy Kamkar unintentionally created the fastest spreading computer worm of all time, and this was perhaps the beginning of security becoming such an important issue. After all, “Samy is truly a hero.”

