11 real and famous cases of malware attacks

  • Updated at June 4, 2021

Many cases of famous hacker attacks use malware at some point. For example, first, the cybercriminal can send you a phishing email. No attachment. No links. Text only. After he gains your trust, he can then send you a malicious attachment, that is, malware disguised as a legitimate file.

Malware is malicious software designed to infect computers and other devices. The intent behind the infection varies. Why? Because the cybercriminal can use malware to make money, to steal secret information that can give strategic advantages, to prevent a business from running or even just to have fun.

Yes, there are hackers who act for pleasure.

In fact, malware is a broad term. It’s like a category. Within this category are different types of threats, such as virus, worm, trojan, and ransomware.

To fight malware delivered via email, here at Gatefy we offer a secure email gateway solution and an anti-fraud solution based on DMARC. You can request a demo or more information.

To get an idea, according to the FBI, damages caused by ransomware amounted to more than USD 29.1 million just in 2020. And one of the most widely used forms of malware spreading continues to be email. As a Verizon report confirmed: 30% of the malware was directly installed by the actor, 23% was sent there by email and 20% was dropped from a web application.

The cases listed below show how malware attacks can work and give you a glimpse of the harm they cause to businesses and individuals.


Check out 11 real cases of malware attacks

1. CovidLock, ransomware, 2020

Fear in relation to the Coronavirus (COVID-19) has been widely exploited by cybercriminals. CovidLock ransomware is an example. This type of ransomware infects victims via malicious files promising to offer more information about the disease.

The problem is that, once installed, CovidLock encrypts data from Android devices and denies data access to victims. To be granted access, you must pay a ransom of USD 100 per device.

2. LockerGoga, ransomware, 2019

LockerGoga is ransomware that hit the news in 2019 for infecting large corporations around the world, such as Altran Technologies and Hydro. It’s estimated that it caused millions of dollars in damage in advanced and targeted attacks.

LockerGoga infections involve malicious emails, phishing scams and also credential theft. LockerGoga is considered a very dangerous threat because it completely blocks victims’ access to the system.

3. Emotet, trojan, 2018

Emotet is a trojan that became famous in 2018 after the U.S. Department of Homeland Security defined it as one of the most dangerous and destructive malware. The reason for so much attention is that Emotet is widely used in cases of financial information theft, such as bank logins and cryptocurrencies.

The main vectors for Emotet’s spread are malicious emails in the form of spam and phishing campaigns. Two striking examples are the case of the Chilean bank Consorcio, with damages of USD 2 million, and the case of the city of Allentown, Pennsylvania, with losses of USD 1 million.

4. WannaCry, ransomware, 2017

One of the worst ransomware attacks in history goes by the name of WannaCry, introduced via phishing emails in 2017. The threat exploits a vulnerability in Windows.

It’s estimated that more than 200,000 people have been reached worldwide by WannaCry, including hospitals, universities and large companies, such as FedEx, Telefonica, Nissan and Renault. The losses caused by WannaCry exceed USD 4 billion.


5. Petya, ransomware, 2016

Unlike most ransomware, Petya acts by blocking the machine’s entire operating system, that is, the Windows system. To release it, the victim has to pay a ransom.

It’s estimated that the losses involving Petya and its newer and more destructive variations amount to USD 10 billion since it was released in 2016. Among the victims are banks, airports and oil and shipping companies from different parts of the world.

6. CryptoLocker, ransomware, 2013

CryptoLocker is one of the most famous ransomware strains in history because, when it was released in 2013, it used a very large encryption key, which made the experts’ work difficult. It’s believed that it has caused more than USD 3 million in damage, infecting more than 200,000 Windows systems.

This type of ransomware was mainly distributed via emails, through malicious files that looked like PDF files, but, obviously, weren’t.

7. Stuxnet, worm, 2010

Stuxnet deserves special mention on this list for being used in a political attack, in 2010, on Iran’s nuclear program and for exploiting numerous Windows zero-day vulnerabilities. This super-sophisticated worm has the ability to infect devices via USB drives, so there is no need for an internet connection.

Once installed, the malware is responsible for taking control of the system. It’s believed that it has been developed at the behest of some government. Read: USA and Israel.

8. Zeus, trojan, 2007

Zeus is a trojan distributed through malicious files hidden in emails and fake websites, in cases involving phishing. It’s well known for propagating quickly and for copying keystrokes, which led it to be widely used in cases of credential and password theft, such as email accounts and bank accounts.

The Zeus attacks hit major companies such as Amazon, Bank of America and Cisco. The damage caused by Zeus and its variations is estimated at more than USD 100 million since it was created in 2007.

9. MyDoom, worm, 2004

In 2004, the MyDoom worm became known and famous for trying to hit major technology companies, such as Google and Microsoft. It used to be spread by email using attention-grabbing subjects, such as “Error”, “Test” and “Mail Delivery System”.

MyDoom was used for DDoS attacks and as a backdoor to allow remote control. The losses are estimated, according to reports, at millions of dollars.

10. ILOVEYOU, worm, 2000

The ILOVEYOU worm disguised itself as a love letter, received via email. Reports say that it infected more than 45 million people in the 2000s, causing more than USD 15 billion in damages.

ILOVEYOU is also considered one of the first cases of social engineering used in malware attacks. Once executed, it had the ability to self-replicate using the victim’s email.


11. Melissa, virus, 1999

The Melissa virus infected thousands of computers worldwide by the end of 1999. The threat was spread by email, using a malicious Word attachment and a catchy subject: “Important Message from (someone’s name)”.

Melissa is considered one of the earliest cases of social engineering in history. The virus had the ability to spread automatically via email. Reports from that time say that it infected many companies and people, causing losses estimated at USD 80 million.

How to fight malware attacks

There are 2 important points or fronts to fight and prevent infections caused by malware.

1. Cybersecurity awareness

The first point is the issue regarding cybersecurity awareness. You need to be aware on the internet. That means: watch out for suspicious websites and emails. And that old tip continues: if you’re not sure what you’re doing, don’t click on the links and don’t open attachments.

2. Technology to fight malware

The second point involves the use of technology. It’s important that you have an anti-malware solution on your computer or device. For end-users, there are several free and good options on the market.

For companies, in addition to this type of solution, we always recommend strengthening the protection of your email network. As already explained, email is the main malware vector. So, an email security solution can rid your business of major headaches.

Here at Gatefy we offer an email gateway solution and a DMARC solution. By the way, you can request a demo by clicking here or ask for more information. Our team of cybersecurity experts will contact you shortly to help.


Open Access

Peer-reviewed

Research Article

Hybrid Epidemics—A Case Study on Computer Worm Conficker


Affiliations Department of Computer Science, University College London, London, United Kingdom, Security Science Doctoral Research Training Centre, University College London, London, United Kingdom

Affiliation Department of Computer Science, University College London, London, United Kingdom

Affiliation Division of Infection and Immunity, University College London, London, United Kingdom

  • Changwang Zhang, 
  • Shi Zhou, 
  • Benjamin M. Chain


  • Published: May 15, 2015
  • https://doi.org/10.1371/journal.pone.0127478

Conficker is a computer worm that erupted on the Internet in 2008. It is unique in combining three different spreading strategies: local probing, neighbourhood probing, and global probing. We propose a mathematical model that combines three modes of spreading: local, neighbourhood, and global, to capture the worm’s spreading behaviour. The parameters of the model are inferred directly from network data obtained during the first day of the Conficker epidemic. The model is then used to explore the tradeoff between spreading modes in determining the worm’s effectiveness. Our results show that the Conficker epidemic is an example of a critically hybrid epidemic, in which the different modes of spreading in isolation do not lead to successful epidemics. Such hybrid spreading strategies may be used beneficially to provide the most effective strategies for promulgating information across a large population. When used maliciously, however, they can present a dangerous challenge to current internet security protocols.

Citation: Zhang C, Zhou S, Chain BM (2015) Hybrid Epidemics—A Case Study on Computer Worm Conficker. PLoS ONE 10(5): e0127478. https://doi.org/10.1371/journal.pone.0127478

Academic Editor: Gui-Quan Sun, Shanxi University, CHINA

Received: December 12, 2014; Accepted: April 14, 2015; Published: May 15, 2015

Copyright: © 2015 Zhang et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper.

Funding: This work was supported in part by the Engineering and Physical Sciences Research Council of UK (no. EP/G037264/1), the China Scholarship Council (file no. 2010611089), and the National Natural Science Foundation of China (project no. 60970034, 61170287, 61232016). The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Competing interests: The authors have declared that no competing interests exist.

Introduction

Epidemic spreading phenomena exist in a wide range of domains [1, 2]. Well-known examples include disease spreading [3–5], computer worm proliferation [6–8], and information propagation [9–11]. Modelling and understanding of such phenomena can have important practical values to predict and control real world epidemics [3–5, 12–15].

Some typical spreading mechanisms have been extensively studied, such as the fully-mixed spreading model and the network spreading model. Many epidemics are hybrid as they spread via two or more different mechanisms simultaneously. Previous work on hybrid epidemics has focused on what we call the non-critically hybrid epidemic, where at least one of the spreading mechanisms alone is able to cause an epidemic outbreak, and a mixture of mechanisms brings no advantage.

We are interested in the critically hybrid epidemic, where each spreading mechanism alone is unable to cause any significant spreading whereas the mixture of such mechanisms leads to a huge epidemic outbreak. Recently we proposed a model that explains the behaviour of critically hybrid epidemics, which incorporates two spreading mechanisms in the setting of a metapopulation [16]. We demonstrated that it is indeed possible to have a highly contagious epidemic by mixing simple, ineffective spreading mechanisms. The properties of such epidemics are critically determined by the ratio at which the different spreading mechanisms are mixed, and usually there is an optimal ratio that leads to a maximal outbreak size.

In this paper we present a detailed analysis of a real hybrid epidemic—the Internet worm Conficker, which erupted on the Internet in 2008 and infected millions of computers. The worm is a hybrid epidemic as the code analysis [17] has revealed the worm applied three distinct spreading mechanisms: (1) global random spreading, (2) local network spreading, and (3) neighbourhood spreading. It is a critically hybrid epidemic because the first and second spreading mechanisms are highly ineffective if used alone, and the third mechanism, as we will show later, is most effective when mixed with the other two.

We introduce a mathematical model to describe the spreading behaviour of Conficker. Our study was based on measurement data provided by Center for Applied Internet Data Analysis (CAIDA)’s Network Telescope project [18, 19], which monitors Internet traffic anomalies. We proposed algorithms to extract Conficker-related features from the CAIDA data. Then we infer the values of our model’s parameters that characterise the worm.

We evaluated our inference results by comparing theoretical predictions with the actual measurement results. Our predictions closely reproduced the outbreak process of Conficker. We then explored possible spreading scenarios based on simulations using different values of parameters. One of the interesting results was that we showed the worm could spread faster, reach a larger outbreak size or survive for a longer time by just revising the ratios at which the worm allocated its time on each of the spreading mechanisms (while keeping everything else the same), which can be easily achieved by changing a few lines in its code.

This paper’s contributions are twofold. Firstly, we present the first study on a real-life critically hybrid epidemic, where the epidemic’s parameter values are inferred from measurement data. Secondly, we analyse the complex interactions among Conficker’s three spreading mechanisms, and show that the worm can be more contagious if it mixes its three spreading mechanisms in an optimal way.

Epidemic spreading mechanisms

A number of epidemic spreading mechanisms have been extensively studied [20, 21]. For example, in the fully-mixed spreading models [20, 22], a node is connected to all other nodes in a population, thus an epidemic can potentially spread between any two nodes according to a probability. Whereas in the network spreading models [1, 2, 20, 23], nodes are connected to their neighbours via a network structure, therefore an epidemic can only spread along the connections among nodes. Recent network-based models considered additional physical properties such as location-specific contact patterns [24, 25], human mobility patterns [26–29] and spatial effects [30–33].

Hybrid epidemics

Many epidemics are hybrid in the sense that they spread via two or more spreading mechanisms simultaneously. A hybrid epidemic can use fully-mixed spreading and network spreading, or use fully-mixed spreading but at two or more different levels, e.g. at the global level covering the whole population or at the local level consisting of only a part of the population.

There are many real examples. Mobile phone viruses can spread via Bluetooth communication with any nearby devices (local, fully-mixed spreading) and Multimedia Messaging Service with remote contacts (global, network spreading) [27]. A computer that is infected by the worm Red Code II spends 1/8 of its time probing any computers on the Internet at random (global, fully-mixed spreading) and the rest of the time probing computers located in local area networks (local, fully-mixed spreading) [34]. Today information is propagated in society via mass media (TV, newspaper, posters) as well as online social media (Facebook, Twitter and emails). Mass media (global, fully-mixed spreading) can potentially deliver the information to a big audience, but the effectiveness of information transmission at an individual level may be small (for example, its ability to alter the target individual’s behaviour). In contrast, social media (local, network spreading) may have little or no access to the majority of people who are not connected to the local group, but they provide rapid penetration of a selected target group with higher effectiveness.

It is clear that hybrid epidemics are much more complex than simple epidemics. Their behaviour is affected not only by multiple spreading mechanisms that they use, but also by the population’s overlaid structure on which they spread. Studying hybrid epidemics may provide crucial clues for better understanding of many real epidemics.

Previous works on hybrid epidemics

Hybrid epidemics were initially studied as two levels of mixing in a population where nodes are mixed at both local and global levels [35]. Recently hybrid epidemics were studied as two levels of mixing in a network [36–38], in structured populations [39], in structured households [40–42], and in a meta-population which consists of a number of weakly connected sub-populations [43–48]. Studies of epidemics in clustered networks [49–51] are also relevant to the hybrid epidemics.

These previous works focused on analysing how a network’s structure affects hybrid spreading. And most of them studied the non-critically hybrid epidemics, where at least one of the two spreading mechanisms alone can cause an infection outbreak and therefore the mix of two mechanisms is not a necessary condition for an epidemic outbreak. In this case, a hybrid epidemic using two spreading mechanisms is often less contagious than an epidemic using only one of the mechanisms [36, 52].

Our recent study on critically hybrid epidemics

We are interested in the critically hybrid epidemics, where each of the spreading mechanisms alone is not able to cause any significant infection whereas a combination of the mechanisms can cause an epidemic outbreak. In this case, the mix of different spreading mechanisms is a critical condition for an outbreak (see Fig 1).


(a) Non-critically hybrid epidemic, where at least one of the two mechanisms can cause an outbreak by its own (i.e. when α = 1 or α = 0). (b) critically hybrid epidemics, where each mechanism alone cannot cause any significant infection whereas a mix of them produces an epidemic outbreak. There exists an optimal α that produces the maximum outbreak.

https://doi.org/10.1371/journal.pone.0127478.g001

Recently we proposed a generic model to study the critically hybrid epidemics [16]. We considered an epidemic which spreads in a meta-population (consisting of many weakly connected sub-populations) using a mix of the following two typical spreading mechanisms. (1) Fully-mixed spreading on the global level, i.e. infection between any two nodes in the meta-population. (2) Network (or fully-mixed) spreading on the local level, i.e. infection between nodes within a sub-population where the internal topology of a sub-population is a network (or a fully-connected mesh). Each spreading mechanism has its own infection rate and an infected node recovers at a recovery rate. We define a parameter called the hybrid trade-off, α, as the proportion of time that the epidemic devotes to the first spreading mechanism (or the probability of using the first spreading mechanism in a time unit). Thus the proportion of time spent on the second mechanism is (1 − α).

Our mathematical analysis and numerical simulations based on the model highlight the following two results. Firstly, it is possible to mix two ineffective spreading mechanisms to produce a highly contagious epidemic, because the mix of the mechanisms can help to overcome the weakness of each mechanism. Secondly, the threshold and the size of outbreak are critically determined by the hybrid trade-off α. We also provided an analytical prediction of the optimal trade-off for the maximum outbreak size.

Computer Worm Conficker

In this paper we will analyse a critically hybrid epidemic, the computer worm Conficker, based on real measurement data. It is one of the most contagious computer worms on record. It erupted on the Internet on 21 November 2008 and infected millions of computers in just a few days [7]. The worm’s ability to spread to such a large number of computers in so short a time and the fact [53] that it is still active on the Internet has caused serious concern.

  • Global spreading, where the worm probes computers with random IP addresses on the Internet;
  • Local spreading, where the worm on an infected computer probes computers in the same Local Area Network (LAN) with the same IP address prefix;
  • Neighbourhood spreading, where it probes computers in ten neighbouring LANs (with smaller consecutive IP address prefixes).


(1) global spreading, where it probes any computer on the Internet at random; (2) local spreading, where it probes computers in the same local network; (3) neighbourhood spreading, where it probes computers in ten neighbouring local networks.

https://doi.org/10.1371/journal.pone.0127478.g002

Previous research on Conficker has studied the geographical distribution of infected IP addresses, the distribution of probing packet size [7, 54, 55], and properties of the worm’s global probing [56, 57]. The parameters of Conficker’s hybrid spreading and how they affect the epidemic dynamics of the worm can help explain why the worm is so contagious. But they have been hitherto little studied.

Our Model of Conficker

  • Global spreading with probability $\alpha_g$, where the worm probes nodes on the Internet at random with the global infection rate $\beta_g \in [0, 1]$;
  • Local spreading with probability $\alpha_l$, where it probes nodes in the local subnet with the local infection rate $\beta_l \in [0, 1]$;
  • Neighbourhood spreading with probability $\alpha_n$, where it probes nodes in ten neighbouring subnets with the neighbourhood infection rate $\beta_n \in [0, 1]$.

An infected node is recovered with recovery rate $\gamma \in [0, 1]$. A recovered node remains recovered and cannot be infected again. Note that for mathematical analysis, the mixing probabilities could be incorporated into the infection rates. But we have treated them as separate parameters, considering that an infection rate reflects inherent properties of a computer worm in the context of a specific target population, whereas mixing probabilities are settings that can be easily modified in the worm’s code. This is also the reason we use the mixing probabilities as controlling parameters in our study below and keep other parameters the same.

Only nodes that can potentially be infected by Conficker are relevant to our study. We call them the relevant nodes. A subnet is relevant if it contains at least one relevant node. Irrelevant nodes include unused IP addresses and those computers that do not have the vulnerabilities that the worm can exploit. Note that although the irrelevant nodes and subnets do not participate in the spreading of Conficker, they will be probed by the worm as the worm does not have a priori knowledge about which nodes are vulnerable.

Let $n$ represent the total number of relevant nodes and $N$ the number of relevant subnets. The average number of relevant nodes in a subnet is $n_N = n/N$. Let $N_+$ represent the average number of relevant subnets in ten neighbouring subnets.

At time $t$, the total numbers of susceptible, infected, and recovered nodes are $S(t)$, $I(t)$, and $R(t)$, respectively. Then the average number of infected nodes in a subnet is $I_N(t) = I(t)/N$, and the average number of infected nodes in ten neighbouring subnets is $I_+(t) = I_N(t) N_+$. Hence on average a susceptible node can be infected via (1) global probing by $I(t)$ infected nodes in the Internet; (2) local probing by $I_N(t)$ infected nodes in the local subnet; (3) neighbourhood probing by $I_+(t)$ infected nodes in the neighbouring subnets.

Inferring Conficker Parameters From Data

We infer the parameter values of our Conficker model from the Internet measurement data [18, 19] collected by the Center for Applied Internet Data Analysis (CAIDA) in 2008. This is the only publicly available dataset that has captured the initial outbreak process of the worm. The CAIDA Network Telescope project [18, 19] monitors Internet traffic sent to a large set of unusable IP addresses, which account for around 1/256 of all addresses. No legitimate traffic should be sent to these monitored addresses because they are not allocated for normal usage [58]. Thus the traffic data captured by this project provides a good view on various abnormal behaviours on the Internet.

When Conficker spreads on the Internet, its global spreading mechanism sends out probing packets to randomly generated IP addresses, some of which are unused IP addresses and therefore are monitored by the Network Telescope project. Conficker’s probing packets are characterised by the Transmission Control Protocol (TCP) with destination port number 445. This feature can be used to distinguish Conficker packets from other packets in the Network Telescope data.

For each record of Conficker’s probing packet, we are interested in two things: (1) the time when the packet is monitored by the Network Telescope project, and (2) the packet’s source IP address, which gives the location of a Conficker-infected node. We ignore the destination address, as it is a randomly-generated, unused IP address.

We study the Network Telescope project’s daily dataset collected on November 21, 2008, the day when Conficker broke out on the Internet. We use two earlier datasets collected on November 12 and 19, 2008 to filter out background ‘noise’ that was already present before the outbreak. That is, in the outbreak dataset, we discard packets that were sent from any source address that had already sent packets to any of the unusable addresses in the two earlier datasets. We use the prefix of /24 (i.e. IP address mask of 255.255.255.0) to distinguish different subnets [7]. Our analysis uses a 10-minute window.

Step One: Inferring node status at a given time

We first infer the status of each node at time t from the CAIDA data. On the day of Conficker outbreak, all relevant nodes were initially susceptible. In the analysis, we assume a node is just infected by the worm when we observe the first Conficker probing packet coming from it; and the node is recovered when we observe its last probing packet before the end of the day. Fig 3 shows the number of susceptible, infected and recovered nodes as observed in a 10-minute window.

Numbers of susceptible nodes $S(t)$, infected nodes $I(t)$ and recovered nodes $R(t)$ as a function of time $t$, as inferred from CAIDA’s dataset on 21/Nov/2008, the day of Conficker’s outbreak.

https://doi.org/10.1371/journal.pone.0127478.g003

Step Two: Inferring new infections caused by each spreading mechanism

Let $dI_l(t)$, $dI_n(t)$ and $dI_g(t)$ represent the numbers of nodes that are newly infected through local, neighbourhood and global spreading, respectively, at time step $t$. Our analysis on the data shows that 84% of new infections occurred within already infected subnets or their neighbourhood subnets, i.e. only 16% of new infections appeared outside the reach of local and neighbourhood probing. This agrees with our understanding that local and neighbourhood probing are significantly more effective than global probing [7]. And 73% of those new infections within the reach of local and neighbourhood probing (i.e. 73% × 84% of all new infections) occurred in already infected subnets. This indicates the local probing is more effective than neighbourhood probing. Based on the above analysis we can then approximately identify the probing mechanism that is responsible for a newly infected node by analysing the states of other relevant nodes at the time when the new infection happens.

  • IF there is an infected node already in the same subnet, the new infection is caused by that infected node via local spreading.
  • ELSE IF there is an infected node in the ten neighbouring subnets, then the new infection is via neighbourhood spreading.
  • OTHERWISE, the newly infected node is infected via global spreading.

Fig 4 shows the inferred results, plotting the number of new infections caused by each spreading mechanism as a function of time.


Numbers of nodes newly infected by Conficker via each of the three spreading mechanisms in 10-minute windows on the day of Conficker’s outbreak, as inferred from CAIDA’s dataset on 21/Nov/2008.

https://doi.org/10.1371/journal.pone.0127478.g004
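Steps One and Two above, as an added Python example (not code from the paper): it filters telescope records to TCP/445, drops sources seen in the baseline datasets, infers each node's infected interval from its first and last packet, and labels every new infection with the IF / ELSE IF / OTHERWISE rule. The record layout `(seconds, source IP, protocol, destination port)`, the sample records and the function names are constructed for illustration; reading "ten neighbouring subnets" as the ten next-higher /24 prefixes relative to the new node follows from the worm probing smaller consecutive prefixes and is an assumption.

```python
import heapq
import ipaddress
from collections import Counter, defaultdict

WINDOW = 600          # 10-minute analysis window, in seconds
NEIGHBOUR_SPAN = 10   # the worm probes ten neighbouring /24 subnets

def subnet24(ip):
    """Integer /24 prefix of an IPv4 address (mask 255.255.255.0)."""
    return int(ipaddress.IPv4Address(ip)) >> 8

def node_lifetimes(records, baseline_sources):
    """Step One: (first, last) TCP/445 packet time per source address.
    Sources already seen in the earlier datasets are background noise."""
    seen = {}
    for ts, src, proto, dport in records:
        if proto != "tcp" or dport != 445 or src in baseline_sources:
            continue
        first, last = seen.get(src, (ts, ts))
        seen[src] = (min(first, ts), max(last, ts))
    return seen

def sir_at(lifetimes, t):
    """S, I, R at time t: infected from first packet, recovered at last."""
    infected = sum(1 for f, l in lifetimes.values() if f <= t < l)
    recovered = sum(1 for f, l in lifetimes.values() if l <= t)
    return len(lifetimes) - infected - recovered, infected, recovered

def attribute_infections(lifetimes):
    """Step Two: label each new infection local, neighbourhood or global."""
    active = Counter()   # /24 prefix -> nodes currently infected
    recoveries = []      # min-heap of (last_seen, prefix)
    labels = {}
    order = sorted(lifetimes.items(), key=lambda kv: (kv[1][0], kv[0]))
    for src, (first, last) in order:
        # Retire nodes that recovered at or before this infection time.
        while recoveries and recoveries[0][0] <= first:
            _, prefix = heapq.heappop(recoveries)
            active[prefix] -= 1
        q = subnet24(src)
        if active[q] > 0:
            labels[src] = "local"
        # Assumption: infected nodes probe the ten smaller prefixes, so
        # a node in prefix q is reachable from prefixes q+1 .. q+10.
        elif any(active[q + k] > 0 for k in range(1, NEIGHBOUR_SPAN + 1)):
            labels[src] = "neighbourhood"
        else:
            labels[src] = "global"
        active[q] += 1
        heapq.heappush(recoveries, (last, q))
    return labels

def new_infections_per_window(lifetimes, labels, window=WINDOW):
    """dI_l, dI_n, dI_g per window, keyed by window index."""
    counts = defaultdict(Counter)
    for src, label in labels.items():
        counts[lifetimes[src][0] // window][label] += 1
    return {w: dict(c) for w, c in sorted(counts.items())}

# Constructed sample data (not CAIDA records).
BASELINE = {"10.0.20.77"}              # seen before the outbreak day
RECORDS = [
    (0,   "10.0.20.5",  "tcp", 445),   # nothing infected yet: global
    (30,  "10.0.20.77", "tcp", 445),   # baseline noise: discarded
    (120, "10.0.20.9",  "tcp", 445),   # same /24 as .5: local
    (200, "10.0.20.5",  "tcp", 445),
    (400, "10.0.15.7",  "tcp", 445),   # 10.0.20 reaches 10.0.15
    (500, "10.0.20.9",  "tcp", 445),
    (650, "10.9.1.1",   "tcp", 445),   # out of reach: global
    (700, "10.0.15.7",  "tcp", 445),
    (700, "10.0.33.2",  "tcp", 80),    # not port 445: ignored
    (800, "10.0.25.3",  "tcp", 445),   # above 10.0.20: global
    (900, "10.0.20.5",  "tcp", 445),
]

if __name__ == "__main__":
    lifetimes = node_lifetimes(RECORDS, BASELINE)
    labels = attribute_infections(lifetimes)
    print(sir_at(lifetimes, 600))
    print(new_infections_per_window(lifetimes, labels))
```

When two sources first appear at the same timestamp, the example orders them by address string, so a production analysis would bucket by window before attributing, as the paper's 10-minute windows do.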

Step Three: Inferring parameters of the Conficker model


Inference results and evaluation

The inferred values of the Conficker model parameters are shown in Table 1, including the mixing probability α and the infection rate β for three spreading mechanisms, the recovery rate γ, the recovery time τ = 1/γ which is the average time it takes for an infected node to recover, and the probing frequency λ. The parameter values are averaged over time windows between 4:00 and 16:00 when the spreading behaviour was stable. Computers are online and offline on a daily basis following a diurnal pattern [59]. We find that this factor only has a marginal impact on our results.


https://doi.org/10.1371/journal.pone.0127478.t001

We observe in the data that the worm had infected in total $n = 430{,}135$ nodes, which were located in $N = 92{,}267$ subnets. On average, each subnet has $n_N = 4.7$ relevant nodes, and $N_+ = 4.3$ of ten neighbouring subnets are relevant.

With these parameter values, we can use our Conficker model (see Eq 2) to theoretically predict the worm’s outbreak process. As measured from the data, the number of nodes in the three statuses were $S = 423{,}899$, $I = 3{,}945$, and $R = 2{,}291$ at 4:00am. Our prediction starts from 4:00am and uses these numbers as the initial condition. As shown in Fig 5, our model’s predictions closely match the measurement data.


Points are measured from Network Telescope’s dataset collected on the outbreak day. Curve is theoretical prediction from our Conficker model using the inferred parameters.

https://doi.org/10.1371/journal.pone.0127478.g005

The inferred parameters are in agreement with our expectations. For example the local spreading has a high infection rate because if a computer is already infected, then other computers in the same subnet are likely to have a similar computer system and thus are also likely to be vulnerable to the worm. By comparison, global spreading has an extremely low infection rate. On average, more than 10 million global probings will produce only a single new infection. On average an infected node retains its status for 2.5 hours (156 mins) before it recovers (e.g. switched off or updated with new anti-virus database). The worm only sends out 8 probing packets per minute. Such a deliberately low probing rate helps the worm to evade a computer’s or network’s security systems.

Analysis on Conficker’s Hybrid Spreading

Mix of two spreading mechanisms.

We run simulations using our Conficker model with the parameter values inferred above. The simulation network has 100k subnets. Each subnet contains 5 relevant nodes and has 4 relevant adjacent subnets. This topology setting resembles Conficker’s spreading network observed in the data. Initially two random nodes are infected. The only controlling parameter is the set of mixing probabilities of the spreading mechanisms. Simulation results for mixes of two spreading mechanisms are shown in Fig 6.


(a) Mix of global (α_g) and local (1 − α_g) mechanisms; (b) Mix of global (α_g) and neighbourhood (1 − α_g) mechanisms; (c) Mix of local (α_l) and neighbourhood (1 − α_l) mechanisms. In each case we measure the outbreak size, the total duration of the spreading, and the speed of spreading. The outbreak results include both the final outbreak size (square) and the outbreak size at time step 100 (filled circle). Each data point is averaged over 100 runs of a simulation. Note the y axes are all logarithmic.

https://doi.org/10.1371/journal.pone.0127478.g006

Fig 6a shows that, as explained above, global spreading or local spreading alone cannot cause an outbreak, whereas a mixture at a ratio of 0.8 to 0.2 produces a large and rapid outbreak. Fig 6b shows that neighbourhood spreading alone (α_g = 0) can cause a large, but very slow outbreak, whereas the mix of neighbourhood spreading with just a small amount of global spreading can dramatically accelerate the spreading process. Fig 6c shows that adding local spreading to neighbourhood spreading slows down the spreading process considerably. When they are mixed at the ratio of 0.8 to 0.2, the spreading reaches the same final outbreak size but the whole process lasts for the longest time.

Mix of three spreading mechanisms.

Simulation results on mixing three spreading mechanisms are shown in Fig 7. Fig 7a shows it is not difficult to achieve a large final outbreak size when the three mechanisms are all present and neither local spreading nor global spreading is dominant. Fig 7b shows spreading will last for a longer time if there is less global probing. Fig 7c shows that the most contagious variation of the worm is a mix of global, local and neighbourhood spreading at the probabilities of 0.4, 0.2 and 0.4 (see circle on the plot), which causes the largest final outbreak with the highest spreading speed.

Spreading properties shown include the final outbreak size, the survival time and the spreading speed (see colour maps) as functions of the mixing probabilities of global spreading α_g (x axis) and local spreading α_l (y axis), where the mixing probability of neighbourhood spreading is α_n = 1 − α_g − α_l.

https://doi.org/10.1371/journal.pone.0127478.g007

In this study, we infer the epidemic spreading parameters of the Conficker worm from observed data collected during the first few hours of the epidemic. Simulations of worm spreading, based on these parameters, allow us to reach some important conclusions about the worm’s use of hybrid spreading mechanisms.

Advantage of mixing hybrid spreading mechanism

Conficker’s global probing is extremely ineffective. The infection rate of global probing is many orders of magnitude smaller than the recovery rate. This means, if Conficker used only the global probing, it would not have caused any significant infection on the Internet at all.

Local probing has a remarkably high infection rate, β_l = 0.32, which means that when an infected node conducts only local spreading, a susceptible node in the same subnet has a 1/3 chance of being infected in a step (10 minutes). However, local probing is confined within a subnet. If the worm used only the local probing, it would not have infected any other subnet apart from those initially containing infected nodes.

Neighbourhood probing is constrained to a neighbourhood of ten subnets. It has a high infection rate because computers in adjacent IP address blocks often belong to the same organisation and they use similar computer systems and therefore have similar vulnerabilities that can be exploited by the worm. Since different nodes’ neighbourhoods can partially overlap with each other, it is in theory possible for the worm to reach any node in the whole meta-population by using only the neighbourhood probing. Such a process, however, would be extraordinarily slow, as we have shown in Fig 6b.

In summary, if Conficker used only a single spreading mechanism, it would have vanished on the Internet without causing any significant impact.
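The global-only and local-only claims above can be reproduced on a toy network. The following is an added example, not the authors' code: β_l = 0.32, α_g = 0.89, the 10-minute step, the 156-minute recovery time, 5 nodes per subnet, 4 adjacent subnets and two initial infections come from the text, while the ring layout, `BETA_N`, `BETA_G` and the 0.06/0.05 split of the remaining mixing probability are constructed assumptions.

```python
import random

STEP_MIN = 10        # one model step is 10 minutes (from the text)
BETA_L = 0.32        # local infection rate (from the text)
# Constructed values for this toy network, NOT the paper's Table 1:
BETA_N = 0.15        # assumed neighbourhood infection rate
BETA_G = 4e-6        # assumed global infection rate, far below the recovery rate
OBSERVED_MIX = (0.89, 0.06, 0.05)  # alpha_g = 0.89 from the text; 0.06/0.05 split assumed


def simulate(mix, rng, subnets=500, per_subnet=5, recovery_min=156,
             seeds=2, max_steps=3000):
    """Discrete-time SIR on a ring of subnets (ring layout is an assumption).

    mix = (alpha_g, alpha_l, alpha_n). Each step, every infected node picks one
    mechanism; every susceptible node in the targeted population is infected
    with that mechanism's beta. Returns (outbreak fraction, steps, subnets hit).
    """
    a_g, a_l, _ = mix
    gamma = STEP_MIN / recovery_min           # per-step recovery probability
    sus = [per_subnet] * subnets              # susceptible nodes per subnet
    inf = [0] * subnets                       # infected nodes per subnet
    placed = 0
    while placed < seeds:                     # infect random nodes to start
        s = rng.randrange(subnets)
        if sus[s] > 0:
            sus[s] -= 1
            inf[s] += 1
            placed += 1
    hit = {s for s in range(subnets) if inf[s]}
    steps = 0
    while any(inf) and steps < max_steps:
        steps += 1
        g_probes = 0                          # infected nodes probing globally
        local = [0] * subnets                 # local probers per subnet
        nbr = [0] * subnets                   # neighbourhood probers aimed at each subnet
        for s in range(subnets):
            for _ in range(inf[s]):
                u = rng.random()
                if u < a_g:
                    g_probes += 1
                elif u < a_g + a_l:
                    local[s] += 1
                else:
                    for d in (-2, -1, 1, 2):  # the 4 adjacent subnets
                        nbr[(s + d) % subnets] += 1
        esc_g = (1 - BETA_G) ** g_probes      # chance a node escapes all global probers
        new_inf = [0] * subnets
        for s in range(subnets):
            if sus[s] and (g_probes or local[s] or nbr[s]):
                esc = esc_g * (1 - BETA_L) ** local[s] * (1 - BETA_N) ** nbr[s]
                new_inf[s] = sum(rng.random() >= esc for _ in range(sus[s]))
        for s in range(subnets):
            # only nodes infected before this step can recover in it
            rec = sum(rng.random() < gamma for _ in range(inf[s]))
            inf[s] += new_inf[s] - rec
            sus[s] -= new_inf[s]
            if new_inf[s]:
                hit.add(s)
    total = subnets * per_subnet
    return (total - sum(sus)) / total, steps, len(hit)


def mean_outbreak(mix, runs=8, seed=1, **kw):
    """Average final outbreak fraction over several runs, as the figures do."""
    rng = random.Random(seed)
    return sum(simulate(mix, rng, **kw)[0] for _ in range(runs)) / runs


if __name__ == "__main__":
    cases = {"global only": (1.0, 0.0, 0.0),
             "local only": (0.0, 1.0, 0.0),
             "89% global mix": OBSERVED_MIX}
    for name, mix in cases.items():
        print(f"{name:16s} mean outbreak fraction = {mean_outbreak(mix):.3f}")
    for tau in (156, 140, 120):               # recovery times discussed in the text
        frac = mean_outbreak(OBSERVED_MIX, recovery_min=tau)
        print(f"recovery {tau} min  mean outbreak fraction = {frac:.3f}")
```

The `recovery_min` argument is the recovery time τ, so the same function can be used to compare the 156-, 140- and 120-minute cases the paper discusses for defence.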

Thus the enormous outbreak of the worm lies in its ability to do two things. Firstly it needs to devote great efforts to explore every corner of the Internet to find a new vulnerable computer. Every new victim will open a new colony full of similar vulnerable computers. Secondly it needs to make the most out of each new colony.

This is exactly what Conficker does. It allocates most of its time to global probing, with a mixing probability of α = 89%. This to a degree compensates for the ineffectiveness of global probing. Although the worm allocates small amounts of time to local and neighbouring probing, their high infection rates allow them to exploit all possible victims in the subnets with efficiency. And all newly infected nodes will join the collective effort to flood the Internet with more global random probes.

In short, the Conficker worm is an example of a critically hybrid epidemic. It can cause an enormous outbreak not because it has an advanced ability to exploit weaknesses of a computer, but because it has remarkable capability to discover all potentially vulnerable computers in the Internet, i.e. it is not the infectivity, but the hybrid spreading that makes Conficker one of the most infectious worms on record.

Implication of critically hybrid epidemics

The analysis of critically hybrid epidemics such as Conficker has important general implications. Firstly, it demonstrates that it is possible to design a high impact epidemic based on mechanisms, each of relatively low efficiency. Indeed our result in Fig 7 suggests that Conficker could have had a larger outbreak with higher speed if it had used a different set of mixing probabilities, which requires change of only a few lines of Conficker’s program code. Hybrid mechanisms may therefore be ideal for rapid efficient penetration of a network, for example in the context of an advertising campaign or in order to promulgate important public health or security information. An interesting example might be the use of media campaigns (global spreading) where the reader or viewer is specifically requested to pass on a message via Twitter or Facebook to their “local” group contacts.

Conversely, malicious hybrid epidemics can be extremely difficult to defend against, and many existing defence strategies may not be effective. For example immunising a selected portion of a local population in order to isolate and hence protect the vulnerable nodes will not be effective, because the vulnerable nodes can still be found by the worm through random global spreading.

Another possible measure is to reduce the average time it takes for an infected node to recover, for example to speed up the release of anti-virus software updates or increase the frequency of security scanning on computers. Our theoretical predictions (using Eq 2) in Fig 8 show that the final outbreak size (in terms of total recovered nodes) does not change significantly when the recovery time is reduced from 156 minutes to 140 or 120 minutes. In practice, even achieving such reductions represents a remarkable technical challenge. It is clear from the discussion above that epidemics can spread with extremely low global infection rates (far below individual recovery rates), provided there is efficient local infection. The extremely efficient spreading achieved once a given subnet or set of subnets has been penetrated is therefore obviously a key determinant of the worm’s outbreak [7]. Thus, defence strategies that focus on security co-operation between nodes within a local network neighbourhood (a “neighbourhood watch” strategy [7]) may be the key to future prevention of similar outbreaks.


Conficker’s recovery time is 156 minutes.

https://doi.org/10.1371/journal.pone.0127478.g008

Our Conficker model

The Conficker worm can be described as a discrete model or a continuous model. The two modelling approaches should give the same prediction results of the spreading dynamics of the worm. In this work we used a discrete approach to model the Conficker worm for three reasons. Firstly the model’s parameters can be defined with clear physical meanings. Secondly we can directly calculate the parameters’ values from the CAIDA measurement data. Lastly it is more convenient to run simulations with a discrete model. If a continuous model were used, the model parameters would be defined differently with less clear physical meanings, and their values would have to be obtained through iterative data fitting.

In our Conficker model, we set the local and global population as fully mixed, because this is how the Conficker worm perceives the structure of the Internet. We considered more complex network structures in a separate work [16] where we studied hybrid epidemics in general.

Our study uses data collected during the first day of the Conficker epidemic to parametrise a hybrid model to capture the worm’s spreading behaviour. The study highlights the importance of mixing different modes of spreading in order to achieve large, rapid and sustained epidemics, and suggests that the trade-off between the different modes of spreading will be critical in determining the epidemic outcome.

Author Contributions

Conceived and designed the experiments: CZ SZ BMC. Performed the experiments: CZ. Analyzed the data: CZ SZ BMC. Wrote the paper: SZ BMC CZ.

  • 16. Zhang C, Zhou S, Cox IJ, Chain BM. Optimizing Hybrid Spreading in Metapopulations; 2014. Preprint. Available: arXiv:1409.7291. Accessed 10 Feb 2015.
  • 17. Chien E. Downadup: Attempts at Smart Network Scanning; 2010. Available: http://www.symantec.com/connect/blogs/downadup-attempts-smart-network-scanning . Accessed Dec 2014.
  • 18. Center for Applied Internet Data Analysis. The CAIDA UCSD Network Telescope “Three Days Of Conficker”; 2008. Available: http://www.caida.org/data/passive/telescope-3days-conficker_dataset.xml . Accessed Dec 2014.
  • 19. Center for Applied Internet Data Analysis. The CAIDA UCSD Network Telescope “Two Days in November 2008” Dataset; 2008. Available: http://www.caida.org/data/passive/telescope-2days-2008_dataset.xml . Accessed Dec 2014.
  • 20. Newman M. Networks: An Introduction. Oxford University Press, USA; 2010.
  • 34. Moore D, Shannon C, Claffy KC. Code-Red: a case study on the spread and victims of an internet worm. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment. IMW. ACM; 2002. pp. 273–284.
  • 53. ESET Virusradar. Win32/Conficker Charts; 2014. Available: http://www.virusradar.com/en/Win32_Conficker/chart/week . Accessed Dec 2014.
  • 54. Irwin B. A network telescope perspective of the Conficker outbreak. In: Information Security for South Africa; 2012. pp. 1–8.
  • 56. Li R, Gan L, Jia Y. Propagation Model for Botnet Based on Conficker Monitoring. In: International Symposium on Information Science and Engineering; 2009. pp. 185–190.
  • 57. Yao Y, Xiang Wl, Guo H, Yu G, Gao FX. Diurnal Forced Models for Worm Propagation Based on Conficker Dataset. In: International Conference on Multimedia Information Networking and Security; 2011. pp. 431–435.
  • 58. Aben E. Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope; 2009. Available: http://www.caida.org/research/security/ms08-067/conficker.xml . Accessed Dec 2014.
  • 59. Dagon D, Zou C, Lee W. Modeling botnet propagation using time zones. In: Annual Network & Distributed System Security Symposium; 2006.

Teaching Viruses and Epidemiology Online

This playlist can be used to teach about the biology of viruses and epidemiology in an online setting. The topics covered include the structures and transmission mechanisms of viruses, zoonotic diseases, viral outbreaks, viral evolution during an outbreak, and epidemiology.

By completing the resources in this playlist, students will be able to:

  • List the ways in which viruses can differ from each other.
  • Identify different components and characteristics of viruses and their role in infection.
  • Calculate the size of a virus relative to a human cell.
  • Use information collected in case studies to distill complex, real-world data, and perform basic calculations to make decisions on the spread of an infectious disease.
  • Analyze and interpret data from a scientific figure. 
  • Explain the term “zoonotic disease” and discuss some of the global patterns in mammals that carry these diseases.
  • Use appropriate scientific terms, including “reservoir” and “spillover,” in describing a disease outbreak.
  • Analyze and interpret sequence data to explain how viruses evolve over time during an outbreak.

This playlist can be used in AP/IB Biology and undergraduate college courses. 


Virus Explorer

In this Click & Learn, students explore the diversity of viruses based on structure, genome type, host range, transmission mechanism, and vaccine availability.

To use this resource as part of this playlist, have students explore the Click & Learn and complete the associated worksheet. The extension activity at the end of the worksheet is optional; you may want to assign it if students don’t have a strong understanding of relative size.


Patterns of Zoonotic Disease

In this Data Point activity, students analyze a published scientific figure from a study on the global distribution of zoonotic pathogens and their host species.

To use this resource as part of this playlist, use the questions in the “Educator Materials” to guide a class discussion. The full scientific paper is also available from the “Materials” box of this resource’s webpage; it can be used to give the students an opportunity to practice reading primary literature.


Epidemiology of Nipah Virus

In this activity, students analyze evidence, perform calculations and make predictions based on real-world data about a viral outbreak. Part of the activity involves watching the related video Virus Hunter: Monitoring Nipah Virus in Bat Populations (resource 4 in this playlist).

To use this resource as part of this playlist, have students complete the “Student Handout,” watching the video when instructed.

You can supplement this activity by having students research the COVID-19 outbreak in Wuhan, China using this paper or in another region citing their references. They can write a mini-case study (using Part 1 of this activity as a template) to demonstrate the knowledge they’ve gained.


Virus Hunter: Monitoring Nipah Virus in Bat Populations

This video follows scientists working in Bangladesh as they test fruit bat populations to determine whether they are infected with Nipah virus, a potentially deadly human pathogen.

To use this resource as part of this playlist, refer to the notes accompanying the “Epidemiology of Nipah Virus” activity (resource 3 in this playlist).


Ebola: Disease Detectives

In this activity, students analyze DNA sequences of Ebola viruses to track the virus’s spread during the 2013–2016 Ebola outbreak in West Africa. Part of the activity involves watching the related video Think Like a Scientist: Natural Selection in an Outbreak (resource 6 in this playlist).

To use this resource as part of this playlist:

  • Have students complete up through Part 1 of the “Student Worksheet,” watching the video when instructed. It is recommended to provide this section of the worksheet separately, since Part 2 gives away some answers.
  • The worksheet asks students to sort cards of DNA sequences. Students can do this online without printing cards by analyzing the “Sequence Sheet” PDF and writing down the sequence numbers for each grouping.
  • After students finish Part 1, have them complete Part 2.

You can supplement this activity by having students compare and contrast methods used to track Ebola, Nipah, and the COVID-19 outbreak they may have researched in resource 3 of this playlist.


Think Like a Scientist: Natural Selection in an Outbreak

This video focuses on the front lines of the 2013–2016 Ebola outbreak in West Africa and explains how scientists monitored the evolution of the virus by analyzing its genome.

To use this resource as part of this playlist, refer to the notes accompanying the “Ebola: Disease Detectives” activity (resource 5 in this playlist).


Age Structure of Ebola Outbreaks

In this Data Point activity, students analyze a published scientific figure from a study that investigated demographic patterns in Ebola outbreaks from the Democratic Republic of the Congo.

To use this resource as part of this playlist, use the questions in the “Educator Materials” to guide a class discussion. The full scientific paper is also available under “Primary Literature” in the “Details” section from this resource’s webpage; it can be used to give the students an opportunity to practice reading primary literature.

You can supplement this activity by having students research demographic patterns in another outbreak, such as COVID-19 or Nipah. Based on their research, they can create a similar figure representing the age structure of the outbreak they chose.

Malwarebrains

Case Studies: How Top Companies Tackled Malware Threats

by malwarebrains | Oct 31, 2023 | Malware Defense Tactics


Malware case studies are crucial in understanding how top companies combat the ever-growing menace of malware threats. In today’s digital landscape, the consequences of a malware attack can be devastating, ranging from financial loss to compromising sensitive information. By analyzing real-life scenarios where leading organizations successfully dealt with malware, we can glean valuable insights into effective cybersecurity strategies.

Throughout this article, we will delve into several notable case studies involving top companies and their proactive approach to combating malware. By studying their experiences, we can gain invaluable knowledge on how to strengthen our defenses against these malicious software infections.

Stay tuned as we explore compelling stories of resilience, innovation, and strategic decision-making that have helped these companies navigate the complex world of cybersecurity. Together, let’s uncover the secrets behind their success in mitigating malware threats and learn practical tips that can safeguard our digital environments.

CovidLock Ransomware: Exploiting Fear in the Face of COVID-19

CovidLock ransomware emerged during the height of the COVID-19 pandemic, capitalizing on the widespread fear and uncertainty surrounding the virus. This malware specifically targeted Android devices, infecting them through malicious files disguised as sources of vital information about the disease. Once installed, CovidLock encrypted the victims’ data, locking them out of their devices until a ransom of $100 per device was paid.

The case of CovidLock ransomware serves as a stark reminder of the importance of exercising caution when downloading files related to current events, especially during times of heightened anxiety. Cybercriminals often exploit these situations to trick unsuspecting users into installing malicious software. It also highlights the critical need for robust cybersecurity measures to prevent and respond to such attacks effectively.

To safeguard against malware attacks like CovidLock, it is essential to maintain up-to-date antivirus software, regularly back up data in secure locations, and exercise due diligence when downloading files from the internet. Additionally, organizations should prioritize employee education and awareness programs to ensure that individuals are equipped with the knowledge and skills to recognize and mitigate potential cybersecurity threats.

Protecting Against CovidLock Ransomware

  • Exercise caution when downloading files related to current events, particularly during times of heightened anxiety.
  • Keep antivirus software up-to-date to detect and prevent malware infections.
  • Regularly back up data in secure locations to mitigate the impact of a potential ransomware attack.
  • Train employees on cybersecurity best practices and raise awareness about the risks of downloading unverified files.

By staying vigilant and implementing comprehensive cybersecurity measures, individuals and organizations can protect themselves from the damaging effects of malware attacks like CovidLock ransomware. By understanding the tactics employed by cybercriminals and taking proactive steps to prevent and respond to such threats, we can create a safer digital environment for all.

LockerGoga: Targeted Attacks on Corporate Giants

LockerGoga ransomware has become synonymous with sophisticated and targeted attacks on major corporations worldwide. Notable victims of this malicious software include Altran Technologies and Hydro, both of which suffered millions of dollars in damages.

Unlike many other ransomware strains that rely on widespread distribution, LockerGoga takes a more strategic approach. It infiltrates corporate networks through various means, including malicious emails, phishing scams, and credential theft. Once inside, it launches devastating attacks that disrupt business operations and hold valuable data hostage until a ransom is paid.

The Impact of LockerGoga

The impact of LockerGoga attacks on corporate giants goes beyond financial losses. It highlights the critical need for organizations to have robust cybersecurity defenses in place. By targeting high-profile companies, LockerGoga demonstrates the potential for significant reputational damage and loss of customer trust.

Furthermore, the success of LockerGoga attacks showcases the importance of employee education and awareness. Phishing scams and credential theft often serve as entry points for this ransomware. Therefore, organizations must invest in comprehensive training programs to empower their workforce in recognizing and combating these threats.

Emotet: Stealing Financial Information through Email

Emotet is a highly dangerous trojan that poses a significant threat to individuals and organizations alike. It is designed to steal financial information, including bank logins and cryptocurrencies, through malicious emails. This trojan has been labeled one of the most destructive pieces of malware by the U.S. Department of Homeland Security, and its impact has been felt globally.

Emotet spreads through various means, including spam, phishing campaigns, and malicious email attachments. Once a user unknowingly opens an infected email attachment, Emotet gains access to the victim’s system and starts its insidious operations. It can then steal sensitive financial data, compromising the victim’s financial security.

To protect against Emotet and similar threats, organizations and individuals must prioritize email security. Implementing robust email filtering and authentication mechanisms can help prevent malicious emails from reaching inboxes. Regular security awareness training is also crucial to educate users about the risks of opening suspicious attachments or clicking on malicious links.

By strengthening email security defenses and promoting cybersecurity awareness, individuals and businesses can minimize the risk of falling victim to Emotet and safeguard their financial information.

WannaCry: A Global Ransomware Epidemic

The WannaCry ransomware attack sent shockwaves through the cybersecurity community when it struck in May 2017. This global epidemic exploited a vulnerability in Windows operating systems, impacting over 200,000 individuals and organizations worldwide. Hospitals, universities, and major companies like FedEx and Telefonica were among the victims. The financial losses incurred by this cyber assault exceeded a staggering $4 billion, highlighting the urgent need for robust cyber defenses.

The WannaCry attack was a wake-up call for businesses and individuals alike, underscoring the critical importance of timely patching and vulnerability management. Organizations that had not installed the necessary security updates fell prey to the ransomware, which encrypted their critical data and demanded a ransom in Bitcoin for its release. The malware spread rapidly through networks, exploiting vulnerabilities and causing widespread disruption.

To prevent similar global ransomware epidemics in the future, individuals and organizations must remain vigilant and proactive. Regularly updating and patching operating systems, implementing robust cybersecurity measures, and promoting cybersecurity awareness among employees are essential steps to protect against cyber threats like WannaCry. Additionally, organizations should invest in advanced threat detection and response capabilities to swiftly identify and mitigate potential attacks. By prioritizing these measures, businesses can reduce their vulnerability to ransomware attacks and safeguard their valuable data and systems from the devastating impacts of cybercrime.

Petya: Blocking Operating Systems for Ransom

The Petya ransomware is notorious for its ability to completely block the victim’s operating system, particularly in Windows. Once infected, victims are required to pay a ransom in order to regain access to their systems. This type of attack has caused significant damage, impacting banks, airports, and oil and shipping companies worldwide. The financial losses attributed to Petya and its variants have exceeded $10 billion, emphasizing the severe consequences of ransomware attacks on organizations.

Petya is typically distributed through various means, including malicious emails, phishing campaigns, and compromised software updates. Once it infiltrates a system, Petya encrypts the victim’s files and displays a ransom message demanding payment in exchange for the decryption key. The ransomware not only targets individual users but also aims at larger organizations, taking advantage of their reliance on critical systems to disrupt operations and maximize the likelihood of payment.

To protect against Petya and similar ransomware attacks, organizations should implement robust cybersecurity measures. This includes regularly updating software and operating systems to patch any vulnerabilities that could be exploited. Additionally, strong email security protocols and employee training on identifying and avoiding phishing attempts are crucial. Having a comprehensive backup and recovery strategy in place is also essential to mitigate the impact of a ransomware attack and quickly restore affected systems.

ILOVEYOU: Blending Social Engineering and Malware

The ILOVEYOU worm holds a significant place in the history of malware attacks, as it combined social engineering techniques with malicious software. This notorious worm infected millions of people worldwide and caused a staggering $15 billion in damages. It spread through email, disguising itself as an innocent love letter, capturing the curiosity and trust of unsuspecting victims.

This case emphasizes the importance of cybersecurity awareness among individuals. It serves as a reminder to exercise caution when opening email attachments or clicking on suspicious links. By blending social engineering tactics with malware, cybercriminals exploit human emotions and curiosity, making it crucial for users to remain vigilant and adopt robust email security measures.

The ILOVEYOU worm showcases the need for a multi-layered approach to cybersecurity. Implementing advanced email filtering and antivirus software can help detect and block malicious attachments or URLs. Additionally, educating users about common social engineering tactics and the potential risks associated with opening unsolicited emails can significantly reduce the chances of falling victim to such attacks.


Case Study: The Morris Worm Brings Down the Internet

In 1988, Robert Morris created and released the first computer worm which significantly disrupted the young internet and served as a wakeup call on the importance of cybersecurity. Read our root cause analysis example to learn more about this disaster and the lessons that can be learned from it.

On November 3, 1988, Robert Morris, a graduate student at Cornell, created and released the first computer worm that could spread between computers and copy itself. Morris didn’t have malicious intent and his worm appears to have been more the result of intellectual curiosity rather than a purposefully destructive cyber-attack, but an error in the program led to it propagating much faster than he intended. The worm significantly disrupted the young internet, introduced the world to the concept of a software worm and served as a wakeup call on the importance of cybersecurity.

Build a Cause Map

A Cause Map, a visual root cause analysis, can be used to create a root cause analysis case study and analyze this incident. A Cause Map is built by asking “why” questions and using the answers to visually lay out the causes that contributed to an issue, intuitively showing the cause-and-effect relationships. Mapping out all the causes that contributed to an issue ensures that all facets of a problem are well understood and helps facilitate the development of effective, detailed solutions that can be implemented to reduce the risk of similar issues in the future.

Known flaws

To create his worm, Morris exploited known software bugs and weak passwords that no one had worried about enough to fix. At the time the Morris worm was released, the internet was in its infancy and only used by academics. There was no commercial traffic on the internet, and websites did not exist. Only a small, elite group had access to the internet, so concerns about cybersecurity hadn’t really come up.

What went wrong

Morris was trying to build a harmless worm to highlight security flaws, but an error in the program led to the worm causing a significant amount of disruption. The worm was intended to infect each computer one time, but the worm was designed to duplicate itself every seventh time a computer indicated it had already been infected to make the worm more difficult to remove. The problem was that the speed of propagation was underestimated. Once released, the worm quickly reinfected computers over and over again until they were unable to function, and the internet came crashing down.

The worm did more damage than Morris had expected and once he realized what he had done, he asked a colleague to anonymously apologize for the worm and explain how to update computers to prevent it from spreading. But the warning came too late to prevent massive disruption.

Impacts of the Morris Worm

In the short term, the Morris worm created a mess that took many computer experts days to clean up. The most significant lasting consequence of this incident, though hard to quantify, is its impact on cybersecurity. If the first “hacker” had malicious intent and came a little later, it's likely that the damage would have been much more severe. The Morris worm highlighted the need to consider cybersecurity relatively early in the development of the internet.

The Morris worm also had a significant impact on its creator, Robert Morris, who became the first person to be indicted under the 1986 Computer Fraud and Abuse Act. He was hit with a $10,050 fine, 400 hours of community service and a three-year probation. After this initial hiccup, Morris went on to have a successful career and now works in the MIT Computer Science and Artificial Intelligence Laboratory.


Paper 2022/1720: Red Team vs. Blue Team: A Real-World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations

Verifying the absence of maliciously inserted Trojans in ICs is a crucial task – especially for security-enabled products. Depending on the concrete threat model, different techniques can be applied for this purpose. Assuming that the original IC layout is benign and free of backdoors, the primary security threats are usually identified as the outsourced manufacturing and transportation. To ensure the absence of Trojans in commissioned chips, one straightforward solution is to compare the received semiconductor devices to the design files that were initially submitted to the foundry. Clearly, conducting such a comparison requires advanced laboratory equipment and qualified experts. Nevertheless, the fundamental techniques to detect Trojans which require evident changes to the silicon layout are nowadays well-understood. Despite this, there is a glaring lack of public case studies describing the process in its entirety while making the underlying datasets publicly available. In this work, we aim to improve upon this state of the art by presenting a public and open hardware Trojan detection case study based on four different digital ICs using a Red Team vs. Blue Team approach. Hereby, the Red Team creates small changes acting as surrogates for inserted Trojans in the layouts of 90 nm, 65 nm, 40 nm, and 28 nm ICs. The quest of the Blue Team is to detect all differences between digital layout and manufactured device by means of a GDSII–vs–SEM-image comparison. Can the Blue Team perform this task efficiently? Our results spark optimism for the Trojan seekers and answer common questions about the efficiency of such techniques for relevant IC sizes. Further, they allow to draw conclusions about the impact of technology scaling on the detection performance.

Case studies – malware attacks

As our lives increasingly move online, cybersecurity is an important consideration for all businesses, including financial advice businesses. For many financial advisers, understanding how to protect sensitive client information from cyber attacks is becoming an important part of sound practice management.

A cyber attack is essentially an attempt by hackers to damage or destroy a computer network or system. One of the ways they can do this is by installing malware (also known as malicious software) on your computer that allows unauthorised access to your files and can allow your activity to be watched without you knowing. Cyber criminals can then steal personal information and login details for secure websites to commit fraudulent activities.

In this article we discuss steps financial advisers can take to protect themselves from cyber attacks and explore different scenarios that demonstrate what a cyber attack can look like and how it can be prevented.

How can financial advisers improve their cyber security?

  • Turn on auto-updates for your business operating system – such as Windows or Apple’s iOS, and be sure to keep computer security up to date with anti-virus and anti-spyware, as well as a good firewall.
  • Back up important data – to an external hard drive, to a USB or a cloud to protect your business from lost data.
  • Enable multi-factor authentication – start using two or more proofs of identity such as a PIN, passphrase, card or token, or fingerprint before access is enabled.
  • Implement permissions on a ‘need to know’ basis – your employees don’t need to access everything. Be selective about what permissions are allowed to which staff.
  • Conduct regular employee cyber training. Show staff how to ‘recognise, avoid, report, remove and recover’. Your employees can be your defence against cyber crime. Reward staff for their efforts; and
  • Always be cautious of the below when receiving emails:
      - Requests for money, especially urgent or overdue
      - Bank account changes
      - Attachments, especially from unknown or suspicious email addresses
      - Requests to check or confirm login details

Protect yourself and your business

Cyber security assessment tool

The Department of Industry, Science, Energy and Resources has developed a tool to help you identify your business' cyber security strengths and areas where your business can improve. This tool will ask you a series of questions about how you manage your cyber security risks and based on your answers, you will receive a list of recommendations to action. You can download the recommendations as a PDF and access the tool here.

Scenario 1 – Advisory practices attacked by a trojan virus

Scenario 2 - Adviser subject to a malware attack causing account lock

Scenario 3 - Opening email attachment causes all PCs in the office to shut down

Scenario 1 - Advisory practices attacked by a trojan virus

In this scenario, a number of advisory practices were subject to a targeted malware attack via a Trojan virus. This virus helped the cyber criminals access several advisers’ PCs and obtain the login details for systems that had been used.

This attempted fraud took place while the practice was closed over the Christmas holidays.

"We locked up the office that afternoon just before Christmas and went home. We were all looking forward to a nice long break, it’d been a busy year. We wouldn’t be back in the office until the New Year."

Transactions were submitted to the platform over the Christmas period using several advisers’ user IDs.

Direct credit (EFT) bank account details were edited to credit the cyber criminals' ‘mule’ Australian bank account. From this account the cyber criminals would be free to transfer the funds overseas.

Luckily for the practice, the fraud was uncovered before any funds were paid out.

"Even though we were on holiday, we all continued to check our transaction updates via the platform each day. We called the platform right away and they were able to stop the fraudulent payments in time."

Preventing this type of fraud

  • Be diligent about checking platform transaction updates sent by email or displayed online. Specifically look out for withdrawal requests, new accounts opened, asset sell downs and changes to contact details.
  • When taking annual leave, nominate a colleague to check platform transaction updates on your behalf in your absence.
  • Call us immediately if you suspect fraud or malware on your system. We’ll suspend your login ID to attempt to prevent further fraudulent transactions.
  • Bring in a tech specialist immediately to run and update security software and restore your systems back to normal.   
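The transaction-update check described in this scenario can be automated along the following lines. This is an added example, not part of the original article or of any platform's software; the record layout, event names, dates and the seven-day correlation window are constructed assumptions.

```python
from datetime import date, datetime, timedelta

# Event types the article says to look out for, plus the bank-detail edit
# seen in Scenario 1. The names are hypothetical labels for this example.
WATCHED = {
    "withdrawal_request", "account_opened", "asset_sell_down",
    "contact_details_changed", "bank_details_changed",
}

# Constructed sample feed: (timestamp, adviser user ID, client account, event)
SAMPLE_UPDATES = [
    ("2023-12-20T10:15", "adv01", "C-1001", "contribution"),
    ("2023-12-27T02:40", "adv01", "C-1001", "bank_details_changed"),
    ("2023-12-27T02:44", "adv01", "C-1001", "withdrawal_request"),
    ("2023-12-28T03:05", "adv02", "C-2002", "asset_sell_down"),
    ("2024-01-09T11:30", "adv02", "C-2002", "withdrawal_request"),
    ("2024-01-10T09:00", "adv03", "C-3003", "bank_details_changed"),
    ("2024-01-10T09:20", "adv03", "C-3003", "withdrawal_request"),
]


def review_updates(updates, closed_from, closed_to, link_window=timedelta(days=7)):
    """Return one finding per watched event, marked 'urgent' or 'review'."""
    findings = []
    last_bank_edit = {}                      # client account -> time of last edit
    for ts, user_id, account, event in sorted(updates):
        if event not in WATCHED:
            continue                         # routine activity, nothing to check
        when = datetime.fromisoformat(ts)
        reasons = []
        if closed_from <= when.date() <= closed_to:
            reasons.append("submitted while the office was closed")
        if event == "bank_details_changed":
            last_bank_edit[account] = when
        elif event == "withdrawal_request" and account in last_bank_edit:
            if when - last_bank_edit[account] <= link_window:
                reasons.append("withdrawal shortly after a bank detail change")
        findings.append({
            "time": ts, "user_id": user_id, "account": account, "event": event,
            "priority": "urgent" if reasons else "review", "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in review_updates(SAMPLE_UPDATES, date(2023, 12, 22), date(2024, 1, 2)):
        print(f["priority"], f["time"], f["user_id"], f["event"], f["reasons"])
```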

Scenario 2 - Adviser subject to a malware attack causing account lock

A Melbourne advisory practice was the target of a malware attack, having found malware on their system which locked their access to the platform. The malware allowed the cyber criminal to gain access to an adviser’s login details for all systems he had used recently.

The cyber criminals now had access to every website or account that required a login. This included personal banking, platform desktop software, Xplan software and Facebook.

The next time the adviser tried to log in to his platform desktop software, he was locked out.

He rang our account executive team to report his access was locked. He couldn’t login, even though he was using his correct user name and password.

The platform reset his password. The next day when the adviser tried again to login, he was locked out of the system again.

It became obvious that the adviser’s user ID had been compromised. At this point, the user ID was deleted.

Where you have had your platform access locked or you suspect fraud or malware on your system, call us immediately as part of your reporting response so we can suspend your login ID to attempt to prevent further fraudulent transactions. Bring in a tech specialist immediately to run and update security software and restore your systems back to normal.

  • Be on the lookout for requests to check and confirm login details.
  • Increase the strength of your identifiers and ensure two or more proofs of identity are required before access to company systems is enabled.
  • Use virus protection software to prevent hackers from accessing your information and to help protect you if you click on a suspicious link or visit a fake website.
  • Schedule regular training for employees so that they can better detect malicious links or avoid downloading content from untrustworthy sources.  

Scenario 3 - Opening email attachment causes all PCs in the office to shut down

A staff member in an advisory practice opened a file attached to an email received one morning.

It turned out the attachment contained a ‘worm’ that infected not only the staff member’s PC, it also spread to all other PCs in the practice network.

This malware caused all PCs in the office to shut down.

The adviser needed to use the platform software that day to ensure his clients participated in a Corporate Action that was closing the following day.

With help from their Business Development Manager, the office worked through the issue so they were able to log into the platform software to complete this critical work from a home laptop that hadn’t been infected with the virus.

  • Never open attachments in emails if you don’t know or trust the source.
  • Ensure your office network is protected with up-to-date anti-virus software.
  • Call us immediately if you suspect fraud or malware on your system. We’ll suspend your login ID to attempt to prevent any further criminal activity.
  • Bring in a tech specialist immediately to run and update security software and restore your systems back to normal.


Spyware Examples: 4 Real Life Examples That Shook 2021


Not sure how spyware works or what damage it can cause? Want to get up to date with the latest spyware examples and industry trends? Let’s explore several of the biggest spyware threats that surfaced in 2021.

If you’re looking for spyware examples, you’ve come to the right place. Of course, this means you probably already know that spyware is malicious software used to spy on people — the name gives it away. But do you know that spyware has powers beyond stealing your photos and data?

Spyware is malware that also can be used to:

  • Lock your screen,
  • Disable antivirus programs,
  • Record videos using your phone’s camera, and
  • Cause a variety of other issues — sometimes without leaving a trace.

In this article, we’ll look at four real-life spyware examples that were discovered or observed in 2021, including how they invade victims’ devices, what damage they cause, and what techniques we can use to treat and prevent these dangerous infections.

Spyware Example 1: PhoneSpy

On Nov. 10, 2021, researchers at Zimperium zLabs published a report about a spyware app they found in South Korea affecting Android devices in the wild. Called PhoneSpy, this malicious program masquerades as a regular application so it can gain access to your infected machine to steal data and remotely control it. This spyware is estimated to have infected more than 1,000 Android devices.

How PhoneSpy Infects Your Device

Unknown. PhoneSpy was found in 23 legitimate-seeming apps like yoga learning, video streaming, and messaging apps. Because these apps are not in the Google Play Store, zLabs researchers believe that the malware was distributed via other third-party platforms that attackers shared via social engineering and phishing techniques.


What Happens When PhoneSpy Infects Your Device

Not sure what happens when spyware like PhoneSpy gets installed on your device? Here’s a quick overview of what risks are associated with this spyware example and what it can do:

  • Steal login credentials, images, contact lists, call logs, and messages
  • Record video and take pictures using a device’s front and rear cameras
  • Record or transmit your GPS location
  • Download files and documents from the hacker-controlled command and control server (C&C server)
  • View device information like IMEI (i.e., serial number), brand, device name, and Android version
  • Lead victims to phishing websites to trick them into sharing credentials

How to Protect Your Device Against This Spyware Example

PhoneSpy carries out its activities without leaving a trace and conceals itself by hiding the infected app icon from the device menu. Hence, victims aren’t aware that their device has been compromised. There is no information on how much data is stolen or how they are misused.

On Nov. 22, 2021, Zimperium posted that PhoneSpy’s command and control server had been taken down and is no longer active. So, in theory, PhoneSpy should no longer be a threat. It’s possible that this spyware example was used for espionage and the campaign ended when the mission was completed. Nevertheless, you should avoid installing apps from anywhere other than official app stores (Google Play, Apple App Store, etc.) and exercise caution if anyone asks you to do so.

Spyware Example 2: Android/SpyC23.A

Advanced persistent threats (APT) are well-planned, well-organized, multi-staged attacks. They usually target government agencies and corporate giants and are operated by groups of hackers working together. As espionage is one of the main goals for APT attacks, hackers often use innovative spyware to deploy them.

One infamous APT group is APT-C-23, which uses many types of attack, including Android/SpyC23. On Nov. 23, 2021, Sophos published a report stating that they’d discovered a new, powerful variant of this spyware called Android/SpyC23.A. Previous versions of this malware are known as VAMP, FrozenCell, and GnatSpy.

Once installed onto the target device via a compromised app, the spyware tricks the user into granting admin permission to the hackers. This access allows the attacker to:

  • View your sensitive files,
  • Lock the device,
  • Install or uninstall apps, and
  • Disable security notifications (so you’re unaware of their activities). 

The new variant can connect to other C&C servers in case the main server is taken down. It also hides notifications coming from security apps and the Android system, which means the victim isn’t alerted to the threat — even if their mobile has already detected the malware.

How Android/SpyC23.A Infects Your Device

Android/SpyC23.A is delivered through infected apps and distributed via SMS or similar mediums. It may be disguised as:

  • App updates
  • System apps updates
  • Android update intelligence

After infecting a device, Android/SpyC23.A changes its display icon and name to another well-known app to disguise itself. Sophos reports that some examples of the apps this spyware commonly impersonates include:

  • Google Play

What Happens When Your Device Becomes Infected?

Now that we know what Android/SpyC23.A is and how it infects your device, it’s time to explore its effects:

  • Read messages, documents, contacts, and call logs
  • Record incoming and outgoing calls
  • Take screenshots and pictures
  • Record video of the screen
  • Read app notifications
  • Block notifications from Android and security apps

Only download apps from the App Store or Play Store, never from SMS, WhatsApp, or emails. Don’t give admin permissions/superuser/root access to any apps. We haven’t yet found any antispyware program that claims it can remove Android/SpyC23.A, so the best way to mitigate the threat is to avoid infection.

Spyware Example 3: Pegasus

It’s safe to say that Israel-based NSO Group’s Pegasus spyware disrupted the world of espionage, making headlines all over the world. Although the company claims that it helps nations fight terrorism and crime, evidence suggests that people are using Pegasus software for their personal agendas. It is used to spy on activists, political rivals, workers, bloggers, media employees − anyone the client wants.

The latest attack, FORCEDENTRY, affects targeted Apple users. On Sept. 13, 2021, a scientist at Citizen Lab published a report about a zero-click exploit that abuses a vulnerability in iOS’s CoreGraphics to deliver Pegasus spyware. Along with spying on the victim’s devices, it also deleted evidence from the phone’s DataUsage.sqlite file.

NSO Group has clients in many countries, including the United States, United Kingdom, Saudi Arabia, United Arab Emirates, Hungary, France, and India. You can see all the latest developments related to Pegasus Spyware on The Guardian’s website.

How Pegasus Spyware Infects Your Device

Pegasus spyware is distributed via three main methods:

  • Spear phishing via text messages or emails
  • Zero-click attacks that exploit vulnerabilities in apps and operating systems
  • Over a wireless transceiver located near a target

What Happens When Pegasus Gets Onto Your Phone

After infecting a device, Pegasus can:

  • View SMS messages, address books, call history, and calendar entries
  • Read and tamper with internet browsing history
  • Monitor actions and conversations
  • Turn on the camera to record in real-time
  • Activate the microphone to record conversations
  • Track GPS location

Pegasus spyware is used to spy on targeted users and is not currently a threat to most of us. If you think you could be a target of Pegasus spyware, it’s best to get help from a trusted cybersecurity expert. Because this spyware is delivered through highly sophisticated attacks that exploit vulnerabilities existing on your phone, you won’t be able to prevent it.

However, to avoid infection, be vigilant when opening unknown videos, messages, or links. If you think your device is infected, you can always perform a factory reset to get rid of many types of malware.

Spyware Example 4: Ghost RAT

Ghost RAT (also written as Gh0st RAT) is a trojan horse made for spying. RAT stands for “remote administration tool.” This name is appropriate considering that Ghost RAT’s operators, GhostNet System, use a C&C server to control victims’ devices remotely.

The latest Ghost RAT attack was on NoxPlayer, a free Android game emulator for PC and Mac from a company named BigNox. On Feb. 1, 2021, WeLiveSecurity published a report indicating that attackers breached BigNox’s API infrastructure to host and deliver Ghost RAT and two other types of malware. It targeted users from Taiwan, Hong Kong, and Sri Lanka.

How Ghost RAT Infects Your Device

Attackers use phishing and social engineering scams to trick potential victims into downloading the infected software. Because Ghost RAT is a trojan, the payload doesn’t work until users download, install, and activate the software.

What Happens When Ghost RAT Gets Installed

After a user installs Gh0st RAT, the spyware’s author (i.e., the hacker) can:

  • Access the infected device remotely
  • Turn on the device’s camera, video recording, and audio recording functions
  • Steal their stored data
  • Use encrypted TCP channels to avoid detection

The basic steps for protecting your device against Gh0st RAT spyware are the same as with any other malware:

  • Install software and apps only from legitimate sources
  • Carefully read reviews on the app store if you’re installing an unknown app
  • Keep track of the apps on your device
  • Uninstall suspicious apps
  • Keep your devices updated and patched
  • Recognize the difference between fake and legitimate software programs

How to Recognize Legitimate Software to Avoid Spyware (and Other Types of Malware)

Legitimate companies use code signing certificates to validate the authenticity of their software. Organizations that request these publicly trusted digital certificates must first be vetted by a third-party certificate authority (CA). The CA verifies specific types of information about your organization prior to issuing the certificate. This offers a level of trust and validity to both your organization and software by attaching your verified organization information to your software.

But how do you know whether an application is digitally signed? A dialogue box will appear that displays your verified organization’s name in the publisher’s field when a user downloads or tries to install your software.

Compare this to an example of the “unknown publisher” message that displays when a user attempts to install unsigned software:


Code signing certificates come in two varieties: standard validation and extended validation. What’s the difference between the two?

  • A standard code signing certificate displays your organization’s verified identity information (as shown in the graphic above).
  • An EV certificate bypasses the warning altogether because it’s automatically trusted by Windows browsers and operating systems.
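Besides the installer dialog, you can check a downloaded Windows executable for an embedded signature before running it. The following is an added example, not code from the original article: it reads the Certificate Table entry of the PE header to tell whether a signature is present. The function names and the sample bytes are constructed for illustration, and presence is not validity: the digest and certificate chain still have to be verified by the operating system (for example with PowerShell's Get-AuthenticodeSignature).

```python
import struct

CERT_TABLE_INDEX = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode uses a PKCS#7 blob


def embedded_signature(data: bytes):
    """Describe the first attribute certificate in a PE image, or return None.

    None means the file carries no embedded signature ("unknown publisher").
    ValueError means the input is not a well-formed PE file.
    """
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = pe_off + 24                 # optional header follows the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                # PE32
            dirs = opt + 96
        elif magic == 0x20B:              # PE32+
            dirs = opt + 112
        else:
            raise ValueError("unknown optional header magic")
        (dir_count,) = struct.unpack_from("<I", data, dirs - 4)
        if dir_count <= CERT_TABLE_INDEX:
            return None
        # Unlike other directories, this entry holds a file offset, not an RVA.
        offset, size = struct.unpack_from("<II", data, dirs + 8 * CERT_TABLE_INDEX)
        if offset == 0 or size == 0:
            return None
        if size < 8 or offset + size > len(data):
            raise ValueError("certificate table points outside the file")
        length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
        if length < 8 or length > size:
            raise ValueError("corrupt WIN_CERTIFICATE length")
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return {"offset": offset, "length": length,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}


def build_sample_pe(signed: bool) -> bytes:
    """Constructed PE32+ header skeleton for the demo; not a runnable program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    opt = bytearray(112 + 16 * 8)                     # fixed part + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    blob = b""
    if signed:
        payload = b"\x30\x82" + b"\x00" * 14          # placeholder, not a real PKCS#7
        blob = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
        headers_len = 64 + 4 + len(coff) + len(opt)
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, headers_len, len(blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blob


if __name__ == "__main__":
    print("unsigned:", embedded_signature(build_sample_pe(False)))
    print("signed:  ", embedded_signature(build_sample_pe(True)))
```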

Final Words on Spyware Examples in 2021 and What This Means for 2022

There’s a misconception that only influencers and politically active people can become the target of spyware. But spyware operators have many other goals besides espionage, and virtually anyone is a potential target. Cybercriminals can use the sensitive data they steal with spyware for blackmail. They also can sell the data they gain to advertisers who want to gain a better understanding of your likes, interests, and buying preferences.

To avoid spyware infections, always be vigilant with your downloads and when clicking links or granting app permissions. Don’t hesitate to seek experts’ help if you think your device is infected with spyware. We hope these latest spyware examples provided you with an idea of how the spyware situation was in 2021, and what you can do to protect yourself and your data in 2022.


About the author


Medha Mehta

Medha is a regular contributor to InfoSec Insights. She's a tech enthusiast and writes about technology, website security, cryptography, cyber security, and data protection.

Customer Case Study Video


“Among the solutions put in competition, Walden chose ThreatDown for a few reasons. First of all, the solution convinced us from a technical point of view. The implementation went very well as the solution integrated fully and easily with existing security tools. We were also very impressed with the number of attacks stopped, the reduction in false positives, and the responsiveness of the technical team.” – Harold Potier, Chief Information Security Officer (CISO)

Network Computer Systems


“We often tell potential clients, ‘We’ve successfully transitioned numerous customers to this product with remarkable benefits’… That’s our pitch. With Malwarebytes, we can assure customers they won’t become the next headline about systems hijacked or businesses paralyzed by ransomware.” — Brad Harley, CEO of Network Computer Systems

Triotech Amusement


“With ThreatDown, powered by Malwarebytes, we don’t just get a full-featured EDR product with great price value, we’re getting the whole experience that comes with it — a strong vendor relationship and expert security support.” — Francois Riopel, IT Manager, Triotech Amusement

Drummond

“Cyber threats are 24/7, and my team needs to sleep. The MDR team watching our network around-the-clock gives us a chance to sleep without worry. With ThreatDown MDR backing us up, I also finally got to step away and take a two-week vacation. I’m just glad to know that we have a security team watching over our shoulder and making sure it’s all clear.” — Dennis Davis, IT Systems Manager, Drummond

Protecting Sunnyside SD Student and Staff Mac Machines, Wherever They Go

Sunnyside School District

“Anything our IT team can do remotely makes us more efficient. With Malwarebytes’ cloud console, we can remotely manage endpoint protection and see the state of all the machines in a single view, whether the user’s machine is on or off campus.” — David Peterson, IT Coordinator, Sunnyside School District

Hooton Tech


“I’ve long led my MSP business from the approach that I only sell technology that I believe in and use myself. For endpoint protection, that’s Malwarebytes. Malwarebytes leads the market with its lightweight footprint, ease of use, and steadfast reliability in stopping threats.” — Shane Hooton, Owner, Hooton Tech


A World of Viruses

Viruses All Around Us

What comes to mind when you hear the word “virus”? Perhaps the common cold, a cold sore, or maybe even a global pandemic, such as the one we are living in now, caused by a coronavirus that may have originated in bats. 

In fact, viruses are ever-present in the living world, infecting, affecting, and interacting with all organisms, from the minuscule to the gigantic, and can be found in every ecosystem on the planet. They are as ubiquitous and essential to our lives as the air we breathe, the water we drink, and the food we eat. But what, exactly, are they? Are they alive? What do they do, and how do they do it?

Small, but Mighty

Viruses are the smallest of all microbes. It would take 500 million rhinoviruses, the virus known to cause the common cold, to cover the head of a pin. They exist by hijacking the cellular machinery of another living thing in order to reproduce. An individual virus known as a virion does this by injecting its genetic material, packets of nucleic acids known as RNA and/or DNA, into a host cell. They then replicate within, and ultimately explode out of, the cell in the form of new virions ready to infect other cells. These minuscule microbes can pack a powerful punch, infecting us with an array of diseases from chicken pox to AIDS.  To see how a virus enters a host cell, check out this animation.

Five stages of how a virus infects a host cell.

Viruses are Everywhere

Viruses do not only infect humans. They are, in fact, ever present in our world, occupying nearly all organisms, and found in virtually every type of habitat, even in the air we breathe and the deepest depths of the ocean. They are also ancient, predating some of the earliest forms of life. Scientists believe they are at least as old as the first cells, which emerged around 4 billion years ago, but viruses could be even older, existing in the precellular world as self-replicating entities that subsequently evolved into forms that parasitize other cells.


Coronavirus

COVID-19 is the disease caused by the new coronavirus, seen below, an airborne virus that emerged in China in December 2019, and subsequently led to the global pandemic of 2020. Harvard Medical School created an online learning module on how the human body reacts to viruses like Covid-19. You can find it here.

Are Viruses Alive?

Viruses occupy a space on the tree of life that blurs the line between existence and nonexistence. Life is generally defined as an organism that can live and reproduce autonomously using its own energy-producing biological mechanisms.

Viruses, on the other hand, are essentially parasites that, in order to multiply, must harness a host cell’s replication mechanisms. Because they are unable to do any of this on their own, some argue that they are not among the living. However, other scientists suggest that because viruses are made up of the same building blocks of life, DNA and RNA, they verge on life. It’s an ongoing debate that has remained largely unresolved in the scientific community for the last 100 years.

Four types of viruses.

Viral Shapes

Viruses come in many different shapes and sizes, but all are made of two essential components: a core of genetic material, either DNA or RNA, which is surrounded by a protective protein coat called a capsid. Packaged together, a single virion comes in four different shapes: helical, polyhedral, spherical, and complex.

Viral Assemblies

How can you fight something you can’t see? Viruses like influenza spread so effectively, and as a result can be so deadly, because of their ability to spontaneously self-assemble in large numbers.

Researchers at the Harvard John A. Paulson School of Engineering and Applied Sciences have engineered a new way to observe and track viruses as they assemble. This new method may spot weaknesses in viruses that drug makers can exploit to design drugs that prevent viruses from assembling in the first place.

Studying the Invisible

Viruses are extremely tiny, even tinier than bacteria, so how do scientists study them? Hannah Gavin, a microbiologist at Harvard, shows us how she does just that in this video.

Viral Alliances

Though viruses are most often associated with illness, they can be a friend as well as a foe. Scientists have learned to manipulate their unique characteristics as a scientific tool.

Bacteriophages are types of viruses that attack bacteria by attaching to bacterial cells and injecting their genetic material into them. Harnessed correctly, this can stop a bacterial infection in its tracks. In this way, phage therapy has been used to treat bacterial infections in humans by injecting the bacteria causing the infection with bacteriophages that essentially stop it from spreading. Similarly, viruses may ultimately save the American Chestnut, an iconic tree species nearly wiped out by a bacterial infection called Chestnut Blight. Scientists have figured out a way to supercharge a virus that attacks the Blight, preventing infection from spreading throughout the tree.


American Chestnut

The American Chestnut, once considered one of the most important forest trees in North America, was nearly wiped out by Chestnut Blight in the first half of the twentieth century, but may recover with the help of viruses.

  • Open access
  • Published: 01 February 2024

Simulating real-life scenarios to better understand the spread of diseases under different contexts

  • Rafael Blanco 1 ,
  • Gustavo Patow 2 &
  • Nuria Pelechano 1  

Scientific Reports volume 14, Article number: 2694 (2024)


  • Applied mathematics
  • Computer science

Current statistical models to simulate pandemics miss the most relevant information about the close atomic interactions between individuals which is the key aspect of virus spread. Thus, they lack a proper visualization of such interactions and their impact on virus spread. In the field of computer graphics, and more specifically in computer animation, there have been many crowd simulation models to populate virtual environments. However, the focus has typically been to simulate reasonable paths between random or semi-random locations in a map, without any possibility of analyzing specific individual behavior. We propose a crowd simulation framework to accurately simulate the interactions in a city environment at the individual level, with the purpose of recording and analyzing the spread of human diseases. By simulating the whereabouts of agents throughout the day by mimicking the actual activities of a population in their daily routines, we can accurately predict the location and duration of interactions between individuals, thus having a model that can reproduce the spread of the virus due to human-to-human contact. Our results show the potential of our framework to closely simulate the virus spread based on real agent-to-agent contacts. We believe that this could become a powerful tool for policymakers to make informed decisions in future pandemics and to better communicate the impact of such decisions to the general public.


Introduction

During the COVID-19 pandemic, there were many attempts to closely simulate the spread of the virus 1 , 2 , 3 and the impact of wearing masks 4 , 5 , respecting social distancing 6 , and forcing total or partial lockdowns in cities 7 . Many of these decisions were based on statistical models 1 , 2 , 8 that tried to simulate the probability of the virus spread based on such decisions. Having an accurate virus spread model 9 , 10 , 11 , 12 , 13 , 14 requires two key elements: (1) fully understanding the virus and how it spreads from person to person, and (2) realistically simulating the interactions between people. The first one was extensively used and updated as new information about the virus’ behavior was discovered by doctors and epidemiologists 3 . However, the second one was not developed in such depth due to the complexity of creating detailed, controllable crowd simulation models that can accurately replicate such behaviors.

Having an accurate crowd simulation model requires modeling agents that can exhibit behaviors close to real people. More specifically, agents should have a home assigned in the environment, go to a specific job every weekday, shop in nearby supermarkets, and sometimes eat out at restaurants. If we can simulate real everyday behavior for many agents, then we can have a more accurate simulation of the virus spread, since we know which agents live in the same house or interact with each other at work. We could also simulate the differences between what happens if the waiter at a restaurant is infected as opposed to a client who spends little time at the restaurant.

In this work, we set out to build a framework of autonomous agents with detailed interactions among themselves (i.e., agent-agent) and with the environment (i.e., agent-environment). These interactions can be traced now up to an unprecedented level of detail, allowing a very detailed analysis of contagion situations. We enhance our system with a further layer of contact tracing taking into account protection factors such as wearing masks and other restrictions, which would enable stakeholders to make difficult decisions much like in the recent Covid-19 pandemic. Since modeling the virus itself is out of the scope of this work, in this paper, we will use a general parameterized virus model that could be adjusted to simulate different viruses. What we are interested in is being able to replicate human interactions to obtain an accurate simulation of virus spread based on contact between infected and healthy individuals. In addition, one of the biggest problems during the last pandemic was the difficulty for the general public to understand the decisions made by policymakers, e.g., the need for the correct wearing of masks. Since the public often had the feeling that these decisions were random, it was difficult to force them to respect the constantly changing rules. Our tool could help simulate and visualize the impact of these decisions so that the general public can better understand why certain restrictions should be imposed.

The main contributions of this work are (1) a modular framework to simulate human whereabouts and interactions (agent-agent and agent-environment) consistently, enabling the simulation of contagion models more accurately; and (2) a visual tool for policymakers to better communicate the impact of their decisions. Our framework can handle the traceability of people to simulate virus propagation based on the duration of exposure to other infected people under different conditions (e.g., distancing or mask usage). In our framework, an agent could be followed through the day or week and its behavior would resemble a real person (e.g., following a timetable, similar routes every day between home and work, and attendance to nearby services based on needs such as doing groceries or eating out). Routines are automatically adjusted based on the state of the world, and new building types or objects could be added with their corresponding interaction details so that the agents would be able to automatically interact with them.

Virus spread models

In recent times, public health decision-makers have relied more and more on mathematical models that can project how infectious diseases progress to show the likely outcome of an epidemic. In general, mathematical models start from a set of basic assumptions, or collected statistics, to find parameters for various infectious diseases, using those parameters to calculate the effects of different interventions, such as population restrictions (e.g., mobility) or mass vaccination programs. The use of these modeling tools can help decide which interventions to avoid and which to try or can predict future growth patterns. In recent years, the literature on these models blossomed due to the COVID-19 pandemic, resulting in hundreds, if not thousands, of new publications each year. One of the most popular approaches is compartmental models, which are a very general modeling technique. In these models, the population is assigned to compartments with labels—for example, S, I, or R, (Susceptible, Infectious, or Recovered) 15 , called the SIR model. People may progress between compartments. The order of the labels usually shows the flow patterns between the compartments; for example, SEIS means susceptible, exposed, infectious, then susceptible again, being one of the most popular models to describe the Covid-19 epidemic. The resulting model can then be solved either by using direct deterministic differential equation solvers 8 , which is by far the most popular and widely used approach; or using the well-known stochastic Doob-Gillespie algorithm 16 , which was originally developed in the context of chemical reactions but that also has been successfully applied to disease propagation 17 . For a comprehensive review of modern developments in the area, we refer the interested reader to the book by Kuhl 3 .

Spread simulation frameworks

However, efforts for modeling these mathematical models in the context of actual populations, considering all their nuances and particularities, are complex and difficult to implement. One of the most relevant works is the one by Silva et al. 18 , who develop a multi-level framework for a simulation of the coupled effects of environment and population, based on the BioClouds framework 19 . BioClouds, in turn, is based on the key idea of simulating aggregation of agents as singular units (a cloud ), providing more accurate simulations taking into account the agent’s (i.e., both individuals and clouds) velocities and densities. To simulate the contagion process, Silva and coauthors used the SIR model mentioned above. However, this system does not exhibit logical whereabouts for individuals, so if we trace a single agent we may notice that it goes to a different home each day of the week, and thus we cannot trace the contagion pattern of individuals.

Examples of remarkably popular simulation environments are Emulsion, GAMA, NetLogo, and Repast. Emulsion 9 is a generic simulation framework, originally developed in the context of animal epidemiology but then extended to humans and their complex interactions, based on multi-level multi-agent modeling. It uses a Domain-Specific Language to let the user define the different components of an epidemiological model, such as assumptions, model structure, or model parameters. In spite of all this flexibility, its implementation is not tailored to controlling the details of the interactions and modeling agent behaviors in a realistic way, as our framework does. On the other hand, GAMA 10 is an open-source modeling and simulation environment for creating spatially explicit agent-based simulations with the flexibility of domain in mind. GAMA has a high degree of openness, which allows the addition of plugins for specific needs, as well as creating multi-level simulations, for instance combining an agent-based simulation for open spaces while using differential equations for building interiors. This framework shares many features with our proposal, but our framework allows a fully individual-based tracking, including not only agent-agent interactions, even at the casual, street level, but also agent-environment interactions through a programmatic interface, thus providing a general simulation environment. NetLogo 11 , 12 is a multi-agent programmable modeling environment, mostly intended for disease spread studies in "open" environments, although a GIS-importing module has been added. It has general programming capabilities, which provide a great deal of flexibility, but not at the level proposed in our framework. Repast 13 , 14 is a set of software tools for agent-based modeling and simulation. The core concept in Repast is events, which are driven by a discrete-event scheduler in the simulations and associated with concrete time points (ticks). Interactions between agents are controlled, through code snippets, at these discrete time points. Instead, our framework works on a flexible time representation that allows the combination of continuous agent movement with discrete-time interactions. Simulation libraries and platforms dedicated to epidemiological issues are rising, e.g. SimInf 20 , an R library for data-driven compartment-based models; MicroSim 21 , an agent-based platform for several kinds of diseases; or GLEaMviz 22 , a population-oriented platform for simulations at the global level. Finally, Broadwick 23 is a Java framework that uses Approximate Bayesian Computation (ABC) and Markov Chain Monte Carlo (MCMC) methods for both compartment- and individual-based models. Broadwick also uses interaction networks.

We want to emphasize that, in all these cases, these approaches still require writing large portions of code to derive specific classes and carry out simulations on practical situations, while lacking detailed interaction handling capabilities that are not provided as platform features, which may be added with deep coding and great efforts. Although some of these software packages are quite sophisticated, they do not deal with agent-agent or agent-environment interactions with the level of detailed control that our framework provides.

Crowd simulation models

A virtual city is mainly composed of two elements: the buildings and objects that compose the geometry of the city; and the virtual humanoids that inhabit it. Previous work in this area has presented different ways for creating and authoring the integration of these two components, achieving humanoids that move from one side to another with a certain purpose or activity to pursue.

Authoring trajectories

Early work by Yersin et al. 24 used a semantically augmented navigation graph for defining the different zones of interest and directing, through a GUI, the crowd movement. Recent work by Mathew et al. 25 proposed another authoring tool that uses a sketching language to convert sketching gestures into crowd simulations, where the language allows refining parameters such as path, thickness, density, and velocity. In another work, Jorgensen and Lamarche 26 worked with agents that construct schedules and agendas with the most appropriate route for performing a set of tasks before reaching an end-point, under spatial, temporal, and personal characteristics constraints.

Framework and approaches to populate an environment

The CAROSA framework presented by Allbeck 27 uses the Microsoft Outlook calendar format as a scheduling interface for task definition, being able to specify the groups or individuals, time, and location related to each activity. This framework was developed considering non-expert users like artists. In another work, De Paiva et al. 28 presented the UEM (Urban Environment Model) that consists of a type of simulation where there are roles with predefined schedules that are assigned to the agents depending on semantics like age. These roles guide the movements and stays of the agents during the simulation. Similarly, Li and Allbeck 29 define roles through activities that indicate the place and the way agents should behave according to the simulation time. Furthermore, they implement a role-switching functionality that allows agents to behave differently according to the simulation conditions, like the location, needs, and reactions to other agents.

Actions and descriptions in natural language

Badler et al. 30 defined a model called Parameterized Action Representation (PAR) which was used to translate actions written in natural language into instructions that can be understood and executed by the agents of his system. In addition, he suggests the creation of a structure called Actionary which is a set of PARs with well-known and refined actions. We use the same concept of the PARs to define the interactions in the places of our simulation, with the difference that the format is different and these definitions are not grouped in a general dictionary, but each object keeps its parameters to be used. Similarly, the work of Mainardi et al. 31 allows the creation of a simulation with agents, groups, and crowds, being able to define behaviors that depend on time or location using an interpreter that translates a set of actions written in a scripting language very similar to natural language.

Environments semantically augmented, smart objects

The work of Kallmann and Thalmann 32 demonstrates the potential of defining within the same object all the necessary information needed to interact with it, especially in terms of reusability and decentralization. Another approach in the context of environmental planning by Tabak et al. 33 consisted of the study of human movement in indoor office-building spaces and normal working conditions, comparing the results with empirical data obtained by web-based diaries and radio frequency identification technology. Simulations were defined based on basic standardized activities (called skeleton activities) with interruptions from "intermediate" activities, always defined within the context of the office environment defined. Similarly, Simeone and Kalay 34 proposed the use of AI engines, in particular Finite-State machines, to control agent behavior within a working environment. Schaumann et al. 35 defined narratives (a formalized set of instructions the agent should follow) with possible adaptations to changing conditions in the context of hospital settings, to assess daily movement patterns. Recently, Rogla et al. 36 presented a framework for generating a populated environment using procedural techniques. They employ rule-based grammars to generate agendas for each humanoid; this technique offers the possibility of reusing, modifying, and extending previously generated populations by editing the behaviors’ file, but does not provide the flexibility of the approach presented here, where detailed activities can be defined and used to track interactions among agents. The previously mentioned work by Silva et al. 18 presented LODUS, a framework for the simulation of virtual urban environments with various levels of detail, based on their BioClouds 37 model to run the simulation at the macroscopic level, creating groups of individuals with the same characteristics to move between the different points of interest of the city; then, they perform experiments at a microscopic level of detail to consider other scenarios where the phenomenon studied required a closer view of the crowd interactions, like social distancing and its impact on the COVID-19 contagion process.

The interested reader is referred to the recent survey by Lemonari et al. 38 for an in-depth review of the state-of-the-art literature on authoring crowd simulation.

Crowds and epidemics

Usman et al. 39 evaluated navigational policies within closed environments (e.g., a shopping building) to measure a social safety distancing index. Their approach used pre-defined paths (the navigational policies), tracking possible interactions between subjects when their social spaces (a bounding volume) intersect. Comai et al. 7 studied the re-opening steps as required by Italian protocols and regulations as a preliminary measure for the re-opening of an educational building. They acquired three-dimensional geometry with laser scans, and used crowd simulation software to populate the environment, measuring social distancing. Harweg et al. 40 proposed an agent-based pedestrian simulation to assess their interactions in public places for contact tracing for infectious diseases like COVID-19, gathering insights about the effectiveness of distancing measures. In their implementation, a force-based system was used to move individuals, and interactions were accounted for when the distance between agent centers was below a given threshold. Wang et al. 6 used indoor simulations of randomly moving agents to illustrate COVID-19 and distancing measures for the general public. Rahn et al. 41 used randomized destinations for the agents within a building to analyze their interactions in combination with a virus (COVID-19) spread model to qualitatively assess the risk of exposure. Lv et al. 42 embedded an infection model into a crowd simulator, also to assess COVID-19 transmission on a university campus. Each agent performed a closed-loop trajectory (dorm-class-dorm) using the Dijkstra shortest path algorithm for the trajectories. Interactions were also computed by measuring agent bounding geometry collisions. Comai et al. 43 developed a methodology to reorganize spaces in school buildings to allow safe reopening following the COVID-19 pandemic. For this, they developed specific situations such as school entry/exit and lunch break, implemented as deterministic rules in the Unity game engine. The resulting applications were used by stakeholders to make decisions but also to educate children about the correct behaviors in these pandemic times.

Methods: semantically linked city-crowd framework

We created a simulation framework constituted of a city, agents, and agendas. These agendas are built using the semantics of the city and serve as a link between the two main components, i.e., the city and the crowd. The city contains roads and buildings with apartments, locals, and offices. The agents can navigate the city in the exteriors and interact with the places in their interiors. Our simulator was built with the intention of considering those interactions between the city elements and the virtual agents in a way that cannot be handled by probabilistic models of virus spread. For example, our system can simulate close interactions between agents that share a place for a period of time and how this could lead to contagion. Furthermore, our simulator tries to replicate in detail the movement of the agents inside the city and a set of the activities that they perform every day. The system allows us to observe coherent behaviors, movements, and scenarios; such as agents that are assigned to a household will leave from it at the beginning of their day and come back to it when finishing with all the activities allocated for the day. Likewise, the offices and desks are assigned to the agents and will be persistently maintained throughout the simulation.

Generating semantically augmented cities

The simulator is composed of two main elements: the semantically augmented places and the agents. They were designed and programmed using the Unity 3D game engine 44 , which allowed the use and merge of prefabricated models to build city buildings and agents. In addition, its navigation mesh was used so that the agents could find their way between the different objectives they had assigned on a daily basis. These objectives are provided by their individual agendas, which serve as the link between the city semantics and the agents. The semantics of the elements in the city and the behaviors are expressed by the user. One of the novelties of our semantically augmented model is that part of the semantics of a place includes the algorithms that indicate how the agents must behave inside it. It means that the movements, rotations, animations, and waiting times are organized and stored as the behaviors of the agents that want to interact with the place. The places developed for the experiments are apartments (i.e., households), offices, restaurants, and supermarkets. There are office buildings that contain a set of desks and chairs for agents to sit and work. Restaurants are establishments filled with tables and chairs, a kitchen, and a welcome desk where a set of agents who work in the restaurant, and other agents who will be served, participate and interact. Moreover, supermarkets are spaces with a set of shelves and a cash register where agents walk around in search of the items they wish to purchase. Each of the objects contained in these locations has instructions that the agents consult when interacting with them. Our framework follows a modular design to facilitate re-usability and extensions of existing models with semantics. So for example, when the user wishes to include a new model which should behave in a similar manner to an existing one, it can simply copy the semantics into the new object. 
This is, for example, the case of the queue formed at the welcome desk of a restaurant and at the cash register of a supermarket. Building a new city or extending an existing one, can be easily achieved by simply replicating these smart objects and/or entire places/buildings/blocks. The virtual agents will then be able to effortlessly interact with them. All the elements in the system can be replicated to further extend or refine their semantics and interaction instructions, which makes our system flexible and extendable.

The second key element of our model, the agents in the crowd, relate to the city and its semantics through agendas that describe their movements around the day. These agendas are generally a list of interaction tasks with places that indicate the hours at which the agent should be moving toward them and the length of time needed to perform each task. The behaviors inside the places are stored within the places themselves and retrieved when the agents need them. Therefore, after an agent arrives at a location and interacts with it, it receives a list of instructions describing movements, waiting, activation of animations, and interactions with other objects within the scope of the location, which will provide another list of instructions to be performed. Agents keep track of their daily activities to guarantee consistency in their behaviors. These agendas are generated automatically at the beginning of the simulation based on the agent’s role within the crowd, and the places available in the city. So we guarantee consistency of the agent’s behaviors throughout the day.

As an illustration of our places that store behaviors, let us take as an example the interactions performed inside a restaurant in our model. When the agent arrives, the first step would be to interact with the welcome desk, which will also have its own behaviors to follow, such as positioning correctly in the queue to wait to be attended to. Next, the agent will move to the table assigned, interact by sitting in a chair, and wait several seconds to call the waiter; then, he will order, wait for the food, eat when the food arrives, and walk to the cash register to pay for the food. This sequence of steps is stored in the restaurant component, and it is also subdivided into independent components; for example, the welcome desk and the cash register are independent components used in the interaction that can be replicated in other situations, like the cash register of a supermarket. Note how our system allows us to accurately follow a simulated agent through the day and keep track of visited locations and the length of time that it has been in close contact with other agents. Also, since we follow consistent agendas driven by the behavior of the places, our agents will consistently meet with the same virtual agents in the office every day, and likely a small group of agents that live in their neighborhood and thus are likely to choose the same restaurants or groceries.

Crowd simulation

As can be seen in Fig.  1 , our system works in two stages: first, crowd simulation, where crucial information about the agents’ whereabouts and interactions is recorded. Then, in a second, independent stage, this information is used, together with epidemiological parameters (e.g., mask usage, type of mask, restrictions, etc.) to assess the spread of the virus among the individuals that were traced in the first stage. This enables the simulation of multiple scenarios in a fraction of the time that would require a full-blown simulation each time.

Figure 1. Overview of the proposed system. At the top is the first stage, where agents are simulated. First, agents are instantiated and activities are defined, e.g., family, work, grocery buying, etc. This information is recorded, tracing individual contacts and individual interactions. Then, this is re-used in a second stage for virus spread assessment, taking into account different epidemiological parameters such as wearing/not wearing masks, type of masks, and social restrictions. Finally, with all the gathered information and analysis, informed decision-making is possible.

Agent instantiation and agenda assignment

The simulation starts by processing the number of apartments added to the map and instantiating an agent in each available space within the apartments. There are 2- and 4-people apartments. Each time an agent is instantiated, it automatically gets an agenda assigned, which it will have to fulfill until the end of the simulation. There are different types of agendas for the different types of workers in the simulation, such as supermarket, office, or restaurant workers. These agendas are converted into a list of interactions to be performed according to the simulation time. As mentioned, agent agendas are randomly initialized with different tasks for each agent, filling its daily activities. These activities include different tasks for working days and weekends and remain unchanged during the simulation time. However, if the simulation is rerun, as agendas are randomly assigned, then agents will behave differently from the previous simulation. Although, in our current implementation, agendas for a given agent have the same activities for working days (but different for different agents), observe that there is no reason an agent could not have different activities for each day, as it is simply a matter of initializing with different structures for each day, the same way we have different activities for working days and weekends.

Activities definition

There is a main clock that will guide the agents as to what action they should be taking at any given moment. Agendas consist of a list of actions that describe an interaction with a place for a period of time. There are actions that are not bounded by time and are performed just after the end of the previous action, for example, trips to the supermarket. There are other actions that have a start and end time, such as work activities. Any interaction can be simulated as a small black box; i.e., without internal structure; or can be decomposed into smaller activity snippets, which could be generated automatically with known algorithmic tools 45 .

Time representation

Our simulation uses a continuous/discrete time model based on Unity’s own game update system. All agents are updated with Unity’s Update() method, which calls each agent, in turn, to represent an instant in the simulation, although nothing prevents parallel execution of the agents on a multi-processor machine. Among other activities, Unity updates agent animations, for visualization purposes only; detects collisions, which are used for agent-agent interactions; and moves forward the main clock mentioned before, triggering agent- and agenda-based events. Then, when an agenda-based event is triggered (e.g., an agent needs to leave work to go and pick children up from school), the agent switches its current activity for the new one and continues behavior as usual.

Agent-agent and agent-environment interactions

Given that our agents have a visual representation, we use capsule colliders not only to detect collisions with other agents but also for obstacle avoidance, as usually done in crowd simulation systems 27 , 31 , 36 . Whenever a collision between two agents is detected, a local timer is activated and, if the collision takes longer than a user-defined threshold, an interaction is recorded for further treatment, see below.

On the other hand, in our system, every agent can interact with its environment not only by colliding with its geometrical elements but also by interacting with objects following a set of instructions provided by the object itself. An example of these detailed interactions is presented below, in the “Case studies” section and Fig. 5, where the interactions between agents and a supermarket are described. These interactions are not encoded in fixed snippets of code within the agents but are associated with the environment itself (i.e., with the supermarket), and are easily configurable by changing the interaction description. Thus, every interaction is decomposed into atomic steps (e.g., go to the shelf, take a product, iterate these first two steps until satisfied, go to the cashier, pay), associated with each location. Agents therefore do not need to know how to interact with any store (or any other environment location), but simply retrieve the operational instructions and follow them. This, of course, will produce more interactions with other agents also interacting simultaneously with the same environment. See the description below.

Recorded information

As the simulation runs, important information for an epidemiology study is collected. The first information collected is the close contact between agents. Close contact happens when the agents are close to each other during a specific length of time, therefore we also record information regarding the time when two agents start a close contact and the time when the contact finishes. Formally speaking, a close contact $C(A_i, A_j)$ between agents $A_i$ and $A_j$ happens when the distance between the agents is below a user-defined threshold $\delta$, $\mathrm{distance}(A_i, A_j) < \delta$, during a length of time larger than $\tau_c$ seconds. In our simulation, $\delta = 1.5$ m and $\tau_c = 5$ s.

Secondly, data is collected on the places where the agents are located; the time when they arrive and leave closed places is recorded. We thus keep track of the viral load of an enclosed space due to infected agents visiting it. The viral load $V_L$ represents how infectious the air in an enclosed site is, and it will increase based on the number of people infected and the length of time they stay within the site. Therefore:

where $N_A$ is the number of agents in the site, $A_n$ is a binary number representing whether the agent is infected ($A_n = 1$) or not ($A_n = 0$), and $\gamma$ represents the probability of disease transmission (i.e., contagion) for each person in a risk situation, at every simulation step. This value can be defined by the user and thus adjusted to the virus properties. In our simulation, we used $\gamma = 0.05$.

Finally, the infection process also considers the percentage $p$ of protection offered by the mask worn by the agent, to lessen the degree of contagion when masks are being used by the agents. The probability of being infected when wearing a mask, $M_p$, is calculated as:

where $p$ is the protection percentage of the mask divided by 100. So, for example, a mask offering 95% protection will have $M_p = 0.05$.

If we incorporate the mask protection percentage into Eq. (1), we have:

The simulation, as described by these records, is then processed to study how the virus spreads among the agents of the original simulation, the main methods of contagion being close contact between agents and the permanence of an agent in a closed place where there are other infected agents.

Disease simulation

With the results of the crowd simulation, we used the framework developed to run Doob-Gillespie-like disease propagation simulations. By varying the parameters of our model, we can compare results regarding the impact or effectiveness that the different measures taken against COVID-19 had on the spread of the virus. In our model, we contemplated whether citizens were wearing masks or not, or wearing them in the wrong way (e.g. mask below the nose or the chin), just as we could observe in the real world.

The simulation is initiated considering a percentage of the entire population infected, which is 5% for our experiments but can be varied as needed. There are two ways in which contagion can occur: by direct contact with an infected agent for more than a certain period (5 s for our experiments), or by sharing a closed place with an infected agent. It should be noted that these scenarios initiate a contagion process that will depend on the type of mask used by the agents involved. We also consider the use of different types of masks whose effectiveness against the virus varies between 75 and 98%; this number will thus indicate the agent's protection level when wearing such a mask, called protection factor (PF) 46 .

This means that, when a contagion process is initiated by enduring contact or by sharing a place with other infected agents, the agent will be infected if the PF is below a uniform random number.

To take into account that some people are not easily infected, we assume that agents not wearing masks have a PF against the virus of 10% ($M_p = 0.9$). Finally, any agent wearing a mask in the wrong way will have the PF of the mask reduced by 50% 46 . This parameter can be adjusted as needed with the aim of accurately simulating the most realistic scenario.

Therefore, when an agent $A_i$ is in close contact with an infected agent $A_j$, we compute the contagion as follows. We first compute a random value between 0 and 99, which will drive the contagion process:

and then the contagion will depend on $\rho$ and the combination of mask protections from both $A_i$ and $A_j$:

The other case for an agent to get infected is due to being in a site with infected agents for a period of time longer than $\tau_s$ (in our simulation we use $\tau_s = 60$ min). So given a random value from 0 to 99:

The infection process of an agent $A_i$ due to being in a site for more than $\tau_s$ seconds is:

To simplify the model, we have assumed that the mask protection affects equally how it protects the agent wearing it and those in close contact with the agent. However, we could easily extend the model to consider two different types of protection per mask based on whether it is self-protection or protecting others.

Visualization

The Unity game engine was used to create the city and the agents that inhabit it. A set of prefabricated objects was used to model the buildings and other components of the city. In the execution of the simulation, we can observe how the agents walk and move between the different points of interest, making contact with other agents. We can also observe how they interact with objects such as chairs, tables, and desks. We avoid using abstract representations of objects and work with figures that look like humans and structures and objects that look like those of a real city, as we believe that this can help stakeholders to better visualize the scenarios, allowing them to identify problems and possible measures to solve them.

Our simulation includes parameters that are important for the epidemiological study, such as the use of masks and the identification of infected agents. Visual identification of these epidemiological parameters may be important when making a detailed study of a particular situation. Thus, two types of masks can be observed on the agents: the first is a blue mask (Fig. 2, agent on the right), which indicates that the mask is well-fitted and offers a high range of protection; this mask covers the nose and mouth of the agent’s figure. The second is a red mask, placed under the chin (Fig. 2, agent in the middle), which symbolizes a poorly fitted mask. Additionally, an infected agent can be identified because its figure will be highlighted by a yellow to red border (Fig. 2, agent on the left), which indicates an infection and the viral load of the infection.

Figure 2: Illustration of agent not wearing a mask and infected (left), agent wearing it under the chin (middle), and agent wearing mask correctly (right).

Performance

In game engines such as Unity, performance is framerate-locked, meaning that if processor computational requirements are lower than the current availability, then the engine simply "waits" until the next frame to maintain a sustained framerate. However, our simulations depend on the number of agents used (i.e., each agent needs to be simulated), and thus they can exceed this limit, rendering simulations slower than the prescribed framerate and producing a visual lag between frames. This is a problem that cannot be avoided, as we are putting more agents in the simulation than the real-time requirement allows, resulting in a non-real-time simulation. This is not a problem for epidemiological studies but can have a negative impact on outreach purposes. In these cases, we recommend recording the simulation and visualizing it as a video.

On the other extreme, framerate-locking can be disabled, thus allowing faster-than-real-time simulations for a more moderate number of agents. All the examples in this manuscript did not reach the locking limitation, thus we were not forced to make any change in the simulation environment (i.e., Unity) settings for visualization purposes. However, 1-to-1 simulations are not desirable when drawing conclusions, e.g., for restriction measures, so we allowed our system to run several simulation steps for each rendered frame, resulting in a much faster simulation, allowing us to perform the whole simulation in a few minutes.

Finally, it must be noted that the simulation records all interactions and contacts between agents, so they can be used to compute disease spreading in different conditions. In our implementation, this second stage is a separate library, which runs almost instantaneously for all studied cases. However, this stage still depends on the number of interactions, which in turn depends on the number of agents in the first stage, so there is a dependency on this number, although with much lighter computational requirements.

Results and discussion

Case studies

For the experiment, we built a little city composed of 9 buildings that contain apartments, restaurants, supermarkets, and offices; there are 5376 agents living and interacting with the elements of the city. Figure 3 illustrates the map built to run the experiments. The three buildings at the top, the three buildings at the bottom, and the central building are 4-story residential buildings, with restaurants and supermarkets on floor 0. The buildings to the right and left of the central row are offices. Figure 4 shows a top view of a restaurant layout (top) and a supermarket layout (bottom). Figure 5 illustrates the view and interactions inside a supermarket; in our simulation, an agent arrives and interacts with the supermarket, which then retrieves five random shelves for the agent to interact with, and finally the agent arrives at the paying queue at the cash register (these algorithms were copied from the restaurant’s welcome desk and cash register).

Figure 3: Illustration of a city created to run the experiments.

Figure 4: Top view of a restaurant (top) and a supermarket (bottom).

Figure 5: View inside a supermarket with agents interacting with the shelves.

We prepared three scenarios where we varied the agendas followed by the agents. Each scenario represents a measure, ranging from reduced opening hours of night services to remote working and total confinement. On the one hand, we are going to compare the spread of the virus varying parameters like the type of mask used in the same scenario. On the other hand, we are going to make comparisons between the different scenarios that follow agendas that restrict the available activities like going to dinner in restaurants. The objective is to identify whether the measures taken against COVID-19 are conducive to stopping the spread of the virus. It is important to clarify that this model can be easily adapted to study any contagious virus, making variations in the infection parameters.

Unrestricted scenario: The agendas in this scenario are complete with activities outside the houses. We have 4 types of agendas: one for people who work in offices, one for restaurant workers, another one for those who work in supermarkets, and, finally, one type for retired or unemployed people. The workers must follow a schedule and they have the option of having lunch and/or dinner in the available restaurants. Non-supermarket workers have a possible visit to the supermarket in the afternoon after work. Retired or unemployed people can go to restaurants and supermarkets during the day.

Slightly restricted scenario: The agendas in this scenario are a bit restricted. They are very similar to the ones described in the previous scenario but with restrictions on the activities performed at noon, like going to restaurants or supermarkets at noon.

Severely restricted scenario: The agendas in this scenario are very restricted: the agents in this simulation are working from home, and restaurants are not open. The only activity that can be performed by the agents is going to the supermarket.

Nine simulations were run, corresponding to the three scenarios described in the previous section combined with three types of mask usage. For the study of mask usage, we first ran a simulation with all the agents using masks of 75% to 98% protection. Secondly, the simulation was run with 10% of agents without masks, 25% of agents with masks worn incorrectly, and 65% of agents wearing masks as in the previous scenario; this simulation was called the "real scenario", due to its similarity to the times when the use of masks was mandatory throughout Europe but not everyone respected the rules. Finally, a third simulation was run in which no agents wore a mask. All simulations had a duration of 5 days and the study with these three types of variations was performed for the three scenarios described in the previous section. Moreover, all scenarios and simulations were executed ten times, taking the average of the executions as the result of the analysis.

Figure 6a shows, for the unrestricted scenario, a graph over time whose y-axis represents the percentage of infected agents, and the x-axis the timeline for 5 days of execution. It can be seen that the line representing the unmasked agent simulation (in orange) deviates considerably from the other two samples, indicating a higher percentage of infections. The line representing the real scenario (in green) is lower than the previous one, indicating a considerably lower number of infections; then, the line representing the simulation with all agents using a mask (in blue) shows the lowest number of infections for all three scenarios. If we observe closely this unrestricted scenario, we can see that at the end of the fifth day of the simulation, when no agents are wearing masks, we get 63% of the agents infected, while in the simulation of the real scenario, we get 45% of the agents infected and, in the simulation where all the agents wear masks, only 26% of the agents get infected, which represents almost a 40% difference with respect to the case with most agents infected. Additionally, we can observe the impact of the agents that were in the incubation period and start to be contagious from the third day onward. The graph shows the change in the slope of the cases of contagion after the third day, indicating a higher rate of contagion over time.

Figure 6: Comparison of contagion evolution over time when varying the type of mask usage: (a) unrestricted scenario, (b) slightly restricted scenario, and (c) severely restricted scenario.

Figure 6b and c show, for the slightly restricted and severely restricted scenarios, a graph over time where the y-axis represents the percentage of infected, and the x-axis the 5 days of execution. The behavior in both situations is very similar to that of the figure described above: the line corresponding to the simulation where the agents were not wearing masks is considerably higher than the other two, representing a higher rate of contagion. The lines representing the simulation with masks and the real scenario behave in a similar way, being slightly above the line of the real scenario again since there is a portion of unprotected agents in it.

All three scenarios show that the line representing the unmasked simulation is far higher than the other two lines. Furthermore, it also shows that the slope of the graph on the third day is much steeper for the unmasked simulations. This demonstrates that the use of masks significantly influences the control of virus propagation. If we observe the lines across the three scenarios with increasing mobility restrictions, we can also observe that the percentage of infected people decreases as restrictions increase. After making comparisons between the different types of variations within the same scenario, we will now compare the same variation between the different scenarios.

First, we will study how the percentage of infected people behaves in the three scenarios with all agents using masks with 75% to 98% protection. Figure 7a shows how the infection percentages of the unrestricted scenario and the slightly restricted scenario are very similar, except on the third day when the infection line of the scenario with full activities begins to separate after the new infections go through the incubation period and are able to infect others. In the severely restricted scenario, where activities are limited to remote working and visits to the supermarket, the line remains below the other two, indicating the effectiveness of this scenario against the spread of the virus. At the end of the fifth day, in the unrestricted scenario, there are 26% infected, in the slightly restricted scenario there are 18% infected, and in the severely restricted scenario, there are 14% infected. The difference between the scenario with the most infected and the scenario with the least infected is almost double, which demonstrates the effectiveness of having restrictions. However, the small difference between slightly restricted and severely restricted could indicate that as long as masks are used correctly, it may not be necessary to impose severe mobility restrictions.

Figure 7: Comparison of contagion evolution over time for the three scenarios tested: (a) all the agents wearing a mask, (b) no agents wearing a mask, and (c) agents wearing masks as described in the real scenario.

Secondly, we did the same experiment having no agents wearing masks. From Fig. 7b it can be observed that the general contagion behavior of the three curves is similar. We can also observe that the percentage of the population infected in the severely restricted scenario is lower than in the other two scenarios, with both of those curves being very close. If we compare the unrestricted scenario with 63% infected to the severely restricted scenario with 35% infected, the difference is almost twice as large. Finally, for the real scenario, we can observe in the curves from Fig. 7c that they have almost the same trajectory as the case described above, until the fourth day where the unrestricted scenario shows a higher percentage of infected.

Finally, Fig. 8 shows a comparison, for the slightly restricted scenario shown in Fig. 6b and the agents wearing masks as described for the "real scenario" case, with the theoretical SIR simulation model 15 (SIR for Susceptible, Infected, Recovered). The three differential equations were integrated using a simple Euler optimization method, with a time step of $\Delta t = 0.25$ days. The parameters used were fitted to the simulated data by a rough parameter sweep optimization, obtaining the values $\beta = 0.03$ and $\gamma = 0.01$, matching very closely the results from the literature for the recent COVID-19 pandemic 1 and demonstrating the accuracy of the simulations involved. This not only demonstrates the capability of our micro-simulation framework to accurately represent fine-grained interactions but also shows its match with current state-of-the-art statistical population simulations.

Figure 8: Comparison of the epidemiological simulation vs theoretical results. With I being infected, S being susceptible, and R being recovered.

On the other hand, our results for the different scenarios match quite closely the ones in the scientific literature using variants of the SIR model including/excluding masks and other important factors in virus spread 2, 4, 5, 47. In particular, if we compare the curves in Figs. 6 and 7 with the ones in the mentioned literature, we can observe an important match in the corresponding outcomes, again demonstrating the feasibility of the micro-simulation-based approach presented here with respect to results obtained at a global scale, and with the further advantage of allowing detailed contact tracing of individuals' interactions.

Table 1 presents a slice of the full output of one such simulation. As we can see, at each time point, the system records all agent-agent or agent-place interactions. Possible interactions were reduced to four types: ENTERCOLLIDER_PLACE, ENTERCOLLIDER_AGENT, EXITCOLLIDER_PLACE, EXITCOLLIDER_AGENT, which allow recognizing entering/exiting spaces, or the start and end of a physical interaction between two agents. When an interaction of an agent with a place is recorded, all the agents inside that place at the moment of the new interaction are also recorded. Of course, using our framework, finer contacts within a building can also be traced by employing the same tools we have described, thus achieving an even greater level of detail. Table 2, in the Appendix, shows the detailed interaction of a single agent (i.e., agent ID 2243) throughout a normal simulation day. As all the building IDs correspond to modeled 3D buildings, we can reflect this information into a map showing all the interactions and their locations at the corresponding time-stamp. As we can see, this provides extremely detailed information on the whereabouts of a given agent at any moment.
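The second stage (replaying the four recorded event types to find close contacts, shared-site exposures and resulting infections) can be sketched as follows. This is an added example, not the authors' code: the record layout, the function names and the sample log are constructed assumptions, and because the formula combining both agents' masks is not reproduced on this page, only the exposed agent's protection factor is applied.

```python
import random
from itertools import combinations

TAU_C = 5.0        # close-contact threshold in seconds (value given in the text)
TAU_S = 60 * 60.0  # shared-site threshold, 60 min in seconds (value given in the text)

# Constructed sample records; the (time_s, event, agent, other) layout is an assumption.
SAMPLE_LOG = [
    (0.0,    "ENTERCOLLIDER_PLACE", 1, "office_A"),
    (10.0,   "ENTERCOLLIDER_PLACE", 2, "office_A"),
    (100.0,  "ENTERCOLLIDER_AGENT", 1, 2),
    (103.0,  "EXITCOLLIDER_AGENT",  1, 2),   # 3 s: shorter than TAU_C
    (200.0,  "ENTERCOLLIDER_AGENT", 2, 1),
    (212.0,  "EXITCOLLIDER_AGENT",  2, 1),   # 12 s: counts as a close contact
    (300.0,  "ENTERCOLLIDER_PLACE", 3, "office_A"),
    (900.0,  "EXITCOLLIDER_PLACE",  3, "office_A"),
    (4000.0, "EXITCOLLIDER_PLACE",  1, "office_A"),
    (4100.0, "EXITCOLLIDER_PLACE",  2, "office_A"),
]


def _intervals(log, enter, leave, key):
    """Pair each enter event with its matching exit: {key: [(start, end), ...]}."""
    open_at, closed = {}, {}
    for t, event, agent, other in sorted(log, key=lambda rec: rec[0]):
        if event not in (enter, leave):
            continue
        k = key(agent, other)
        if event == enter:
            open_at.setdefault(k, t)   # keep the earliest start if both sides report
        elif k in open_at:
            closed.setdefault(k, []).append((open_at.pop(k), t))
    return closed


def close_contacts(log, tau_c=TAU_C):
    """Agent pairs whose collision lasted longer than tau_c seconds."""
    pairs = _intervals(log, "ENTERCOLLIDER_AGENT", "EXITCOLLIDER_AGENT",
                       key=lambda a, b: tuple(sorted((a, b))))
    return sorted((a, b, s, e) for (a, b), spans in pairs.items()
                  for s, e in spans if e - s > tau_c)


def shared_site_exposures(log, tau_s=TAU_S):
    """Agent pairs that overlapped inside the same place for longer than tau_s."""
    stays = _intervals(log, "ENTERCOLLIDER_PLACE", "EXITCOLLIDER_PLACE",
                       key=lambda agent, place: (agent, place))
    by_place = {}
    for (agent, place), spans in stays.items():
        by_place.setdefault(place, {})[agent] = spans
    found = []
    for place, visitors in by_place.items():
        for a, b in combinations(sorted(visitors), 2):
            for s1, e1 in visitors[a]:
                for s2, e2 in visitors[b]:
                    overlap = min(e1, e2) - max(s1, s2)
                    if overlap > tau_s:
                        found.append((a, b, place, overlap))
    return sorted(found)


def protection_factor(mask, rating=0.0):
    """PF in percent: 10 with no mask, the mask rating halved when worn wrongly."""
    if mask == "none":
        return 10.0
    if mask == "wrong":
        return rating * 0.5
    return rating


def is_infected(pf, rho):
    """Rule from the text: infection occurs when PF is below the random draw (0..99)."""
    return pf < rho


def spread(log, agents, initially_infected, draw=lambda: random.randrange(100)):
    """Replay exposures; only the initially infected are treated as contagious here."""
    infected = set(initially_infected)
    exposures = [(a, b) for a, b, _, _ in close_contacts(log)]
    exposures += [(a, b) for a, b, _, _ in shared_site_exposures(log)]
    for a, b in exposures:
        for source, target in ((a, b), (b, a)):
            if source in initially_infected and target not in infected:
                if is_infected(protection_factor(*agents[target]), draw()):
                    infected.add(target)
    return infected


if __name__ == "__main__":
    population = {1: ("ok", 95.0), 2: ("wrong", 80.0), 3: ("none", 0.0)}
    print(close_contacts(SAMPLE_LOG))
    print(shared_site_exposures(SAMPLE_LOG))
    print(spread(SAMPLE_LOG, population, {1}))
```

Because the recorded log is fixed, changing only the mask assignments and calling `spread` again gives a new scenario without re-running the crowd simulation.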

From our experiment, it can be concluded that there is not much difference in contagion between an unrestricted scenario and a scenario where dining out and night shopping are not allowed, therefore, these kinds of measures may not be as needed to stop the spread. Moreover, the severely restricted scenario curves generally remain below the other two, indicating a lower percentage of infected agents and, thus it appears to be a useful measure to contain the spread of the virus and thus obtain better results. Furthermore, considering the results obtained, the number of infected persons almost tripled in all scenarios when comparing wearing masks against no masks, which is to be expected as our framework was written considering that wearing a mask reduces the probability of contagion 46 . This allows us to conclude that the measure that most influenced lowering the contagion rate was enforcing the use of masks with a high level of protection for the entire population.

In this paper, we have presented a framework for the detailed simulation of agent-agent and agent-environment interactions in virtual cities with common components such as restaurants, supermarkets, and offices. Each agent has its own weekly agenda (different for working days and weekends) based on the semantics of the city, which describes the places it should interact with and the times when it should perform different actions. In addition, the semantic information stored within the objects of each location provides specific information for the agents about how they should behave inside those places. Finally, it is worth mentioning the close match between our simulations and the results obtained with the standard SIR theoretical model in the current epidemiology literature, demonstrating that the detailed simulations we propose scale adequately for a whole population simulation. However, we must emphasize that our framework is intended for tracing interactions up to the individual level, not to perform a whole-population statistical simulation.

At this point, we would like to clarify that, in our framework, Unity is merely a sophisticated tool that provides state-of-the-art collision detection and event handling, which are commonplace in video games, and which simplify the implementation burden considerably. On the other hand, it is also important to point out that our framework does not compete with, but rather complements, other developments such as GAMA, Emulsion, NetLogo, and Repast, as they could easily be extended to incorporate mechanisms for agent-agent or agent-environment interactions such as the ones described here. We aim to improve the state-of-the-art in virus-spread systems with these detailed interactions, which would allow an unprecedented level of contact tracing control in the simulations, gaining further insights into the contagion mechanisms.

A particularity of our tool is that it allows us to identify and register the contacts between agents, as well as their entrances and exits from closed spaces. This information can be used to model the propagation of any contagious virus whose behavior is based on these parameters, especially since we did experiments with parameters corresponding to COVID-19. We ran the system for three scenarios where we started with unrestricted schedules, adding restrictions on opening hours and teleworking; in addition, we considered the correct and incorrect use of the mask to study the impact of both restrictions and correct use of the mask on the spread of the virus. This propagation and simulation model can be useful to identify measures that may or may not be correct and accurate in the fight to reduce the spread of the virus. Again, observe the role of Unity as a practical geometry processing and organizing tool, allowing us to integrate the whole system in a single application. However, nothing prevents users from using other tools with similar geometry-creation/administration capabilities, such as Esri’s CityEngine 48 , at the added cost of forcing constant application switching, with the consequent problem of communicating the applications through files, which is cumbersome and error-prone.

The largest benefit of our framework, besides closely simulating the spread of the virus based on mask usage and mobility restrictions, is that we can track individuals and show information that is not available with other models. For example, we can follow an agent through the day and study the most likely sites where it can get infected. We can also extend the elements in the city by extending the current models and semantics to simulate in detail other sites of the city where agents interact. For example, we could incorporate a school where only kids interact during the day, and the parents meet briefly during pick up/drop off times, together with contagion properties in kids, and study the exact impact of opening schools. We believe that our microscopic agent simulation together with the visualization of the agents’ whereabouts, could become a powerful tool for policymakers to demonstrate the importance of their decisions.

Data availability

Code for this project will be provided by the corresponding author upon reasonable request.

Cooper, I., Mondal, A. & Antonopoulos, C. G. A SIR model assumption for the spread of COVID-19 in different communities. Chaos Solitons Fract. 139 , 110057. https://doi.org/10.1016/j.chaos.2020.110057 (2020).

Geng, X. et al. A kernel-modulated SIR model for covid-19 contagious spread from county to continent. Proc. Natl. Acad. Sci. https://doi.org/10.1073/pnas.2023321118 (2021).

Kuhl, E. Computational Epidemiology (Springer, 2021).

Eikenberry, S. E. et al. To mask or not to mask: Modeling the potential for face mask use by the general public to curtail the COVID-19 pandemic. Infect. Dis. Model. 5 , 293–308. https://doi.org/10.1016/j.idm.2020.04.001 (2020).

Maged, A., Ahmed, A., Haridy, S., Baker, A. W. & Xie, M. SEIR model to address the impact of face masks amid COVID-19 pandemic. Risk Anal. 43 , 129–143. https://doi.org/10.1111/risa.13958 (2022).

Wang, Y. et al. Simulation agent-based model to demonstrate the transmission of COVID-19 and effectiveness of different public health strategies. Front. Comput. Sci. https://doi.org/10.3389/fcomp.2021.642321 (2021).

Comai, S. et al. Indoor mobile mapping system and crowd simulation to support school reopening because of COVID-19: A case study. Int. Arch. Photogramm. Remote Sens. Spatial Inf. Sci. XLIV-3/W1-2020 , 29–36. https://doi.org/10.5194/isprs-archives-xliv-3-w1-2020-29-2020 (2020).

Earn, D. J., Rohani, P., Bolker, B. M. & Grenfell, B. T. A simple model for complex dynamical transitions in epidemics. Science 287 , 667–670 (2000).

Picault, S. et al. EMULSION: Transparent and flexible multiscale stochastic models in human, animal and plant epidemiology. PLoS Comput. Biol. 15 , e1007342. https://doi.org/10.1371/journal.pcbi.1007342 (2019).

Amouroux, E., Desvaux, S. & Drogoul, A. Towards virtual epidemiology: An agent-based approach to the modeling of h5n1 propagation and persistence in north-vietnam. In Intelligent Agents and Multi-Agent Systems , 26–33, https://doi.org/10.1007/978-3-540-89674-6_6 (Springer, 2008).

Grimm, V. et al. The ODD protocol: A review and first update. Ecol. Model. 221 , 2760–2768. https://doi.org/10.1016/j.ecolmodel.2010.08.019 (2010).

Robins, J. et al. Agent-based model for Johne’s disease dynamics in a dairy herd. Vet. Res. https://doi.org/10.1186/s13567-015-0195-y (2015).

Ozik, J., Collier, N. T., Murphy, J. T. & North, M. J. The ReLogo agent-based modeling language. In 2013 Winter Simulations Conference (WSC) , https://doi.org/10.1109/wsc.2013.6721539 (IEEE, 2013).

Collier, N., Ozik, J. & Macal, C. M. Large-scale agent-based modeling with repast HPC: A case study in parallelizing an agent-based model. In Euro-Par 2015: Parallel Processing Workshops , 454–465, https://doi.org/10.1007/978-3-319-27308-2_37 (Springer International Publishing, 2015).

Kermack, W. O. & McKendrick, A. G. A contribution to the mathematical theory of epidemics. Proc. R. Soc. Lond. A Math. Phys. Sci. 115 , 700–721 (1927).

Article   ADS   Google Scholar  

Gillespie, D. T. Exact stochastic simulation of coupled chemical reactions. J. Phys. Chem. 81 , 2340–2361 (1977).

Article   CAS   Google Scholar  

Vestergaard, C. L. & Génois, M. Temporal gillespie algorithm: Fast simulation of contagion processes on time-varying networks. PLoS Comput. Biol. 11 , e1004579 (2015).

Article   PubMed   PubMed Central   ADS   Google Scholar  

Silva, G. F. et al. Lodus: A multi-level framework for simulating environment and population-a contagion experiment on a pandemic world. In 2020 IEEE International Smart Cities Conference (ISC2) , 1–8 (IEEE, 2020).

Da Silva Antonitsch, A., Schaffer, D. H. M., Rockenbach, G. W., Knob, P. & Musse, S. R. BioClouds: A multi-level model to simulate and visualize large crowds. In Advances in Computer Graphics , Lecture notes in computer science, 15–27 (Springer International Publishing, Cham, 2019).

Widgren, S., Bauer, P., Eriksson, R. & Engblom, S. Siminf: An r package for data-driven stochastic disease spread simulations. J. Stat. Softw. https://doi.org/10.18637/jss.v091.i12 (2019).

Cakici, B. & Boman, M. A workflow for software development within computational epidemiology. J. Comput. Sci. 2 , 216–222. https://doi.org/10.1016/j.jocs.2011.05.004 (2011).

den Broeck, W. V. et al. The GLEaMviz computational tool, a publicly available software to explore realistic epidemic spreading scenarios at the global scale. BMC Infect. Dis. https://doi.org/10.1186/1471-2334-11-37 (2011).

O’Hare, A., Lycett, S. J., Doherty, T., Salvador, L. C. M. & Kao, R. R. Broadwick: A framework for computational epidemiology. BMC Bioinform. https://doi.org/10.1186/s12859-016-0903-2 (2016).

Yersin, B., Maïm, J., Ciechomski, P., Schertenleib, S. & Thalmann, D. Steering a virtual crowd based on a semantically augmented navigation graph. In Proc. The First International Workshop on Crowd Simulation (V-CROWDS’05), Lausanne, Switzerland , 169–178 (Citeseer, 2005).

Mathew, C. D. T., Benes, B. & Aliaga, D. Sketching vocabulary for crowd motion. Comput. Graph. Forum https://doi.org/10.1111/cgf.14629 (2022).

Jorgensen, C.-J. & Lamarche, F. Space and time constrained task scheduling for crowd simulation. Tech. Rep., Publications Internes de l’IRISA (2014).

Allbeck, J. M. Carosa: A tool for authoring npcs. In International Conference on Motion in Games , 182–193 (Springer, 2010).

de Paiva, D. C., Vieira, R. & Musse, S. R. Ontology-based crowd simulation for normal life situations. In International 2005 Computer Graphics , 221–226 (IEEE, 2005).

Li, W. & Allbeck, J. M. Populations with purpose. In International Conference on Motion in Games , 132–143 (Springer, 2011).

Badler, N. I., Bindiganavale, R. & Allbeck, J. Parameterized action representation for virtual. Embodied conversational agents 256 (2000).

Mainardi, G., Normoyle, A., Cassol, V., Badler, N. & Musse, S. R. An authoring tool to provide group and crowd animation using natural language scripts. In 2021 20th Brazilian Symposium on Computer Games and Digital Entertainment (SBGames) , 153–161 (IEEE, 2021).

Kallmann, M. & Thalmann, D. Modeling objects for interaction tasks. In Computer Animation and Simulation’98 , 73–86 (Springer, 1999).

Tabak, V., de Vries, B. & Dijkstra, J. Simulation and validation of human movement in building spaces. Environ. Plan. B Plan. Des. 37 , 592–609. https://doi.org/10.1068/b35127 (2010).

Simeone, D. & Kalay, Y. E. An event-based model to simulate human behaviour in built environments. In eCAADe Proceedings , (eCAADe, 2012) https://doi.org/10.52842/conf.ecaade.2012.1.525 .

Schaumann, D., Breslav, S., Goldstein, R., Khan, A. & Kalay, Y. E. Simulating use scenarios in hospitals using multi-agent narratives. J. Build. Perform. Simul. 10 , 636–652. https://doi.org/10.1080/19401493.2017.1332687 (2017).

Rogla, O., Patow, G. A. & Pelechano, N. Procedural crowd generation for semantically augmented virtual cities. Comput. & Graph. 99 , 83–99 (2021).

Silva Antonitsch, A. D., Schaffer, D. H. M., Rockenbach, G. W., Knob, P. & Musse, S. R. Bioclouds: A multi-level model to simulate and visualize large crowds. In Computer Graphics International Conference , 15–27 (Springer, 2019).

Lemonari, M. et al. Authoring virtual crowds: A survey. Comput. Graph. Forum 41 , 677–701 (2022).

Usman, M. et al. A social distancing index: Evaluating navigational policies on human proximity using crowd simulations. In Motion, Interaction and Games , https://doi.org/10.1145/3424636.3426905 (ACM, 2020).

Harweg, T., Bachmann, D. & Weichert, F. Agent-based simulation of pedestrian dynamics for exposure time estimation in epidemic risk assessment. J. Public Health 31 , 221–228. https://doi.org/10.1007/s10389-021-01489-y (2021).

Rahn, S., Gödel, M., Köster, G. & Hofinger, G. Modelling airborne transmission of SARS-CoV-2 at a local scale. PLoS ONE 17 , e0273820. https://doi.org/10.1371/journal.pone.0273820 (2022).

Lv, P. et al. Agent-based campus novel coronavirus infection and control simulation. IEEE Trans. Comput. Soc. Syst. 9 , 688–699. https://doi.org/10.1109/tcss.2021.3114504 (2022).

Comai, S., Simeone, D., Ventura, S. M. & Ciribini, A. L. C. Simulation modelling in a BIM environment: The case of school re-opening during covid-19 pandemic. Proc. Inst. Civ. Eng. Smart Infrastructure Constr. 176 , 12–23. https://doi.org/10.1680/jsmic.21.00026 (2023).

Unity Technologies. Unity game engine (2023).

Li, C. & Yu, L.-F. Generating activity snippets by learning human-scene interactions. ACM Trans. Graph. 42 , 1–15. https://doi.org/10.1145/3592096 (2023).

Leith, D., L’Orange, C. & Volckens, J. Quantitative protection factors for common masks and face coverings. Environ. Sci. Technol. 55 , 3136–3143. https://doi.org/10.1021/acs.est.0c07291 (2021).

Wang, C. & Kavak, H. A general epidemic model and its application to mask design considering different preferences towards masks. Complexity 1–13 , 2022. https://doi.org/10.1155/2022/1626008 (2022).

Esri. Procedural 3D City Generator | 3D City Design for Urban Environments—esri.com. https://www.esri.com/en-us/arcgis/products/arcgis-cityengine/overview (Accessed 11 Jan 2024).

Download references

Acknowledgements

This work has received funding from the European Union’s Horizon 2020 research and innovation program under the Marie Skłodowska Curie grant agreement No 860768 (CLIPE project). Also, it was partially funded by grants PID2021-122136OB-C21 and PID2021-122136OB-C22 funded by MCIN/AEI/ https://doi.org/10.13039/501100011033 and by ERDF A way of making Europe.

Author information

Authors and affiliations.

ViRVIG, Universitat Politecnica de Catalunya, 08034, Barcelona, Spain

Rafael Blanco & Nuria Pelechano

ViRVIG, Universitat de Girona, 17003, Girona, Spain

Gustavo Patow

Contributions

All authors conceived the experiment(s), R.B. developed the code, and R.B. and G.P. analyzed the results. R.B. and G.P. wrote the initial version of the manuscript. G.P. and N.P. edited the subsequent versions. All authors reviewed the manuscript.

Corresponding authors

Correspondence to Gustavo Patow or Nuria Pelechano.

Ethics declarations

Competing interests.

The authors declare no competing interests.

Additional information

Publisher's note.

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

About this article

Cite this article.

Blanco, R., Patow, G. & Pelechano, N. Simulating real-life scenarios to better understand the spread of diseases under different contexts. Sci Rep 14 , 2694 (2024). https://doi.org/10.1038/s41598-024-52903-w

Received: 12 September 2023

Accepted: 24 January 2024

Published: 01 February 2024

DOI: https://doi.org/10.1038/s41598-024-52903-w


case study viruses in the real world (explorer task)

Red Team vs. Blue Team: A Real-World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations


Adware Examples (2024): The 7 Worst Attacks of All Time

By Tibor Moes / Updated: January 2024

Adware has long been a thorn in the side of internet users, sneaking into devices to disrupt and deceive. This article will explore some of the most notorious adware attacks in history, providing key insights and statistics.

Adware is intrusive software that displays or downloads advertisements to a computer, often without the user’s permission.

  • Bonzi Buddy (1999): This adware presented as a friendly virtual assistant but was involved in deceptive advertising. It resulted in a $75,000 fine for violating children’s online privacy.
  • Gator / Claria (2002): Known for its aggressive advertising tactics, Gator was installed on millions of PCs without user consent. By mid-2003, it was on an estimated 35 million computers.
  • CoolWebSearch (2003): This adware hijacked web browsers to redirect searches and display ads. It generated over $300 million annually for its creators.
  • 180 Solutions / Zango (2005-2006): Engaging in deceptive software practices, this adware faced legal action. It had to give up $3 million in ill-gotten gains.
  • Superfish (2006): Superfish raised privacy and security concerns with its widespread reach. By 2014, it had over 80 million users.
  • Ask Toolbar (2011): Known for being difficult to remove, this toolbar significantly impacted user experience. In 2012, Ask.com reached 100 million global users per month.
  • Fireball (2017): This adware took browser hijacking to a new level, infecting a vast number of computers. It had infected over 250 million computers worldwide.

Don’t become a victim of malicious ads. Protect your devices with the best antivirus software and your privacy with the best VPN service.

Adware Examples

1. Bonzi Buddy (1999)

In the late 1990s, as the internet was blossoming into the vibrant digital ecosystem we know today, a seemingly innocuous virtual pet named Bonzi Buddy appeared on the scene.

Presented as a friendly purple gorilla, Bonzi Buddy offered to assist users with web navigation and email management. However, beneath this charming exterior lurked a more dubious agenda.

Bonzi Software, the creators of this digital companion, were soon embroiled in a legal maelstrom. Accused of deceptive advertising practices, they found themselves at the center of a class-action lawsuit. But the troubles didn’t end there.

The Federal Trade Commission (FTC), as detailed on ftc.gov, intervened, leading to Bonzi Software being ordered to pay $75,000 for violating the Children’s Online Privacy Protection Act.

This incident not only exposed the deceptive practices of some early digital advertisers but also underscored the importance of protecting children’s privacy online, a concern that remains pertinent to this day.

2. Gator / Claria (2002)

As the new millennium unfolded, another digital adversary emerged: Gator, which would later rebrand itself as Claria. This software, masquerading as a helpful tool, was often unwittingly installed by users along with other applications. Its purpose was far from benign, as it tracked user behavior and displayed unsolicited advertisements.

By mid-2003, according to a report from WSJ.com, Gator had found its way onto an estimated 35 million PCs around the globe. This staggering number not only highlighted the pervasive nature of Gator but also painted a clear picture of the adware epidemic that was sweeping through the early internet.

Gator’s widespread installation raised significant concerns regarding user consent and privacy, prompting a broader discussion about the ethics of software distribution and the importance of transparent user agreements.

3. CoolWebSearch (2003)

In 2003, the digital world witnessed the emergence of CoolWebSearch, an adware program that soon became notorious for its intrusive tactics. Unlike conventional software, CoolWebSearch acted more like a digital hijacker, taking over web browsers without the user’s consent.

It redirected internet searches to its own websites, bombarding users with a barrage of advertisements. This strategy was not just a nuisance for users; it was incredibly lucrative for its creators. As reported by InformationWeek.com, CoolWebSearch generated over $300 million annually, a testament to the immense profitability of adware.

This staggering sum underscored the alarming extent to which such invasive software could monetize the everyday online activities of unsuspecting users. CoolWebSearch wasn’t just a software problem; it was a glaring example of how online vulnerabilities could be exploited for enormous financial gain.

4. 180 Solutions / Zango (2005-2006)

The mid-2000s saw the rise of another adware giant, 180 Solutions, which later became known as Zango. This software, often bundled with free downloads, secretly monitored user behavior to display targeted advertisements. The company’s methods, however, crossed legal boundaries.

In a move that highlighted the growing seriousness with which such practices were being treated, the Federal Trade Commission (FTC) stepped in. As stated on FTC.gov, 180 Solutions/Zango was compelled to surrender $3 million in ill-gotten gains. This action represented a significant moment in the fight against invasive adware.

It signaled a growing recognition of the need to protect consumers from covert digital surveillance and underscored the legal consequences for companies that engaged in such deceptive practices.

5. Superfish (2006)

Superfish, a name that became synonymous with one of the most controversial adware stories of the 2000s, began its journey in 2006. Initially, it was marketed as a visual search technology that helped users find and purchase products online. However, as its operations expanded, so did the concerns about its methods.

By 2014, as reported by JewishBusinessNews.com, Superfish products had amassed over 80 million users, a number that highlighted its widespread penetration into the digital marketplace. But beneath this veneer of success lurked a troubling reality.

Superfish was later found to be engaging in practices that compromised user security, notably by injecting ads and potentially intercepting encrypted web traffic. This revelation sparked a significant outcry, drawing attention to the fine line between helpful software enhancements and invasive breaches of user privacy.

Superfish’s story became a cautionary tale about the importance of respecting user trust and maintaining robust digital security standards.

6. Ask Toolbar (2011)

The Ask Toolbar, introduced by Ask.com in 2011, represented another facet of the complex world of adware. Originally designed as a browser add-on to facilitate easier access to Ask.com’s search services, the toolbar quickly found its way onto numerous computers, often bundled with other software downloads.

By 2012, Ask.com had reached a milestone of 100 million global users per month, as stated by SearchEngineLand.com. This impressive user base underscored the toolbar’s reach and influence. However, the Ask Toolbar soon became infamous for its persistence and difficulty to remove, leading to widespread user frustration.

It was frequently criticized for changing browser settings without clear consent and for its tenacity in clinging to users’ systems. This example shed light on the broader issues of software consent and user autonomy in the digital age, emphasizing the need for transparency and respect in software design and distribution.

7. Fireball (2017)

In 2017, the digital world faced a formidable new challenge with the advent of Fireball, an adware strain of unprecedented scale. Fireball distinguished itself not just by its functionality, but by the sheer magnitude of its impact. According to checkpoint.com, Fireball had infected over 250 million computers worldwide, a staggering figure that underscored its global reach.

This adware worked by taking over web browsers to inject ads and manipulate search engines, directing traffic to certain websites. The genius of Fireball lay in its stealth and efficiency; it silently infiltrated systems, often bundled with legitimate software, making its presence unnoticed by the average user.

The story of Fireball is particularly noteworthy because of its potential for more sinister applications. While primarily used for generating ad revenue through search engine manipulation, its ability to execute additional code made it a potent tool for more malicious activities.

This aspect of Fireball raised significant concerns in the cybersecurity community about the evolving nature of adware. It wasn’t just an annoyance; it was a potential backdoor for more harmful cyber threats.

The stories of Bonzi Buddy, Gator, CoolWebSearch, 180 Solutions, Superfish, Ask Toolbar, and Fireball reveal a stark reality in our digital world: adware is not just an annoyance, but a serious threat to online privacy and security.

These examples highlight the evolving nature of adware attacks and the sophistication of their methods. As internet users, staying informed and vigilant is key to navigating the digital landscape safely.

In light of these threats, the importance of robust cybersecurity cannot be overstated. Investing in reliable cybersecurity solutions from trusted brands like Norton, Avast, TotalAV, Bitdefender, McAfee, Panda, and Avira is crucial. These providers offer advanced protection features that guard against the latest adware and other cyber threats.

By choosing a reputable cybersecurity solution, individuals and businesses alike can significantly bolster their defenses against the insidious and evolving threats posed by adware, ensuring safer online experiences and peace of mind.

  • informationweek.com
  • jewishbusinessnews.com
  • searchengineland.com
  • checkpoint.com

Author: Tibor Moes

Founder & Chief Editor at SoftwareLab

Tibor has tested 39 antivirus programs and 30 VPN services, and holds a Cybersecurity Graduate Certificate from Stanford University.

He uses Norton to protect his devices, CyberGhost for his privacy, and Dashlane for his passwords.

You can find him on LinkedIn or contact him here.

Stanford Medicine

Stanford University School of Medicine blog

When your lesson about infectious disease is a case study of the world

Even before COVID-19, our medical school courses on infectious diseases featured videos -- little narratives on make-believe patients.

"She deteriorated quickly, growing less alert with each passing day," explained the springboard video on Clostridium difficile, the bacterium that can cause diarrhea and dangerous inflammation of the colon. "Two weeks later, despite the best effort of her care team, Lydia passed away with her family at her bedside."

We found these videos compelling. Throughout our six months in these courses, my classmates and I sent texts to each other -- updates on the springboard videos -- as often as the blasé texts we send about pickup basketball: "Hey did you watch this week's videos? Can't believe the kid with hepatitis survives."

Now, keeping up with COVID-19, we're sending similar texts. Only this time we're discussing articles from newspapers and videos from academic sources. This time we don't have -- nor do we need -- a springboard video. Stuck at home like everyone else, we're seeing the virus unfold in real time.

"Just read a NYT article on a nurse in NY whose family came in with the virus and I'm wrecked," I wrote to a classmate just a few days ago. My friend replied, "Did any die?"

As the whole world is affected by this virus, so is our medical education. Preclinical medical students like me are walled up in our apartments or our families' houses, logging in online to video conference classes. The novel coronavirus sent us to hunker down in our homes, and it also became a subject of curriculum in the first week of our spring term.

In a two-and-a-half hour session, modeled after our microbiology course, our professors asked our small groups to compare and contrast the two big players in this infectious disease season -- influenza virus and SARS-CoV-2.

Rather than having us memorize a bunch of names and facts, they made each disease's life a story with heroes, villains, weapons and people accidentally hurt in the process. These microbes each had a path and a character arc; we were challenged to understand how, like the braided plot of a novel, a patient's story intertwines with the story of an infectious agent.

We also discussed how the microbiology of the novel coronavirus might affect its spread from person to person. Our professor asked: Based on what you know about influenza virus, what would your rationale be about wearing masks for all or a subset of the general population during this pandemic? We went on to have a long discussion led by faculty about the relative protection a mask might provide.

My professor indicated that we don't know that all masks are sufficient, because each type of mask's ability to filter out differently-sized molecules varies. But we think, she explained, that masks can block most droplets and help to slow respiratory droplet spread.

In a time like now -- with extreme uncertainty and frenetic energy -- I find comfort in the familiar: a session, albeit in my pajamas in my apartment, structured just the same as our course on other infections (of which there are many) in which we finish worksheets in small breakout groups. 

The familiarity provides a semblance of normalcy amid the unfamiliar. This time, the infectious disease is not a concept. It's not a picture of what happened years ago. It's a picture of now -- of a virus that took my friend's grandparent, that spared my relative, and that scares people from going to the grocery store.

I feel really lucky to be in the place that I am -- to learn about things that matter to me and aspire to be part of a profession dedicating itself to the healing and dignity of human beings all over the world. 

I'm even luckier to be taught medicine by faculty who start off our online sessions telling us how grateful they are to be teaching us, and share with us their renewed call and passion for practicing medicine during this crisis.

A lot of what's happening around me feels unexpected, but that's also what medical school prepares me for -- breaking down huge problems into smaller questions, one at a time. There are always new circumstances, new patient stories; and we are taught to apply what we know and critically assess a disease presentation with a holistic view of that patient in that time in history.

Stanford Medicine Unplugged is a forum for students to chronicle their experiences in medical school. The student-penned entries appear on Scope once a week during the academic year; the entire blog series can be found in the Stanford Medicine Unplugged category.

Lauren Joseph, LoJo, is a second-year medical student from California. She enjoys reading and writing, and her written work has been featured in STAT News. When she's not studying, you can find her running, enjoying the sun, and laughing with friends and family.

Photo by Lauren Joseph

Key considerations in the design of real-world studies

Affiliations

  • 1 AbbVie, 1 North Waukegan Rd, North Chicago, IL 60064, United States of America.
  • 2 AbbVie, 1 North Waukegan Rd, North Chicago, IL 60064, United States of America.
  • PMID: 32717351
  • DOI: 10.1016/j.cct.2020.106091

Randomized controlled clinical trials (RCTs) are the gold standard for evaluating the safety and efficacy of pharmaceutical drugs, but in many cases their costs, duration, limited generalizability, and ethical or technical feasibility have caused some to look for real-world studies as alternatives. However, real-world studies may be less convincing due to the lack of randomization and blinding. In this article, we discuss some key considerations in the design of real-world studies, which include experimental studies (e.g., hybrid or pragmatic clinical trials and non-randomized single-arm clinical trials with external controls) and non-experimental studies (e.g., cohort studies, cross-sectional studies, and case-control studies). Causal inference plays a critical role in the derivation of robust real-world evidence (RWE) from the analysis of real-world data (RWD). Therefore, we apply the hypothetical strategy, along with the concept of potential outcome, to lay out these key considerations, and we hope these considerations are helpful for the design, conduct, and analysis of real-world studies.

Keywords: Causal inference; Confounding bias; Real-world evidence; Real-world studies; Study design.

Copyright © 2020 Elsevier Inc. All rights reserved.

COMMENTS

  1. 11 real and famous cases of malware attacks

    Check out 11 real cases of malware attacks. 1. CovidLock, ransomware, 2020. Fear in relation to the Coronavirus (COVID-19) has been widely exploited by cybercriminals. CovidLock ransomware is an example. This type of ransomware infects victims via malicious files promising to offer more information about the disease.

  2. Hybrid Epidemics—A Case Study on Computer Worm Conficker

    Computer Worm Conficker. In this paper we will analyse a critically hybrid epidemic, the computer worm Conficker, based on real measurement data. It is one of the most contagious computer worms on record. It erupted on the Internet on 21 November 2008 and infected millions of computers in just a few days [ 7 ].

  3. Teaching Viruses and Epidemiology Online

    Use information collected in case studies to distill complex, real-world data, and perform basic calculations to make decisions on the spread of an infectious disease. Analyze and interpret data from a scientific figure. Explain the term "zoonotic disease" and discuss some of the global patterns in mammals that carry these diseases.

  4. Case Studies: How Top Companies Tackled Malware Threats

    This global epidemic exploited a vulnerability in Windows operating systems, impacting over 200,000 individuals and organizations worldwide. Hospitals, universities, and major companies like FedEx and Telefonica were among the victims. The financial losses incurred by this cyber assault exceeded a staggering $4 billion, highlighting the urgent ...

  5. Case Study: The Morris Worm Brings Down the Internet

    The problem was that the speed of propagation was underestimated. Once released, the worm quickly reinfected computers over and over again until they were unable to function, and the internet came crashing down. The worm did more damage than Morris had expected and once he realized what he had done, he asked a colleague to anonymously apologize ...

  6. Ransomware: Recent advances, analysis, challenges and future research

    2.1. Malware analysis. Malware analysis is a standard approach to understand the components and behaviour of malware, ransomware included. This analysis is useful to detect malware attacks and prevent similar attacks in the future. Malware analysis is broadly categorized into static and dynamic analysis.

  7. Case Study: AIDS Trojan Ransomware

    The Trojan AIDS/PC Cyborg virus was the first known ransomware attack. It gained access to users' computers through a mailed floppy disc disguised as a survey program. The malware encrypted C ...

  8. Red Team vs. Blue Team: A Real-World Hardware Trojan Detection Case

    In this work, we aim to improve upon this state of the art by presenting a public and open hardware Trojan detection case study based on four different digital ICs using a Red Team vs. Blue Team approach. Hereby, the Red Team creates small changes acting as surrogates for inserted Trojans in the layouts of 90 nm, 65 nm, 40 nm, and 28 nm ICs.

  9. Case studies

    Scenario 1 - Advisory practices attacked by a Trojan virus. In this scenario, a number of advisory practices were subject to a targeted malware attack via a Trojan virus. This virus helped the cyber criminals access several advisers' PCs and obtain the login details for systems that had been used. This attempted fraud took place while the ...

  10. Spyware Examples: 4 Real Life Examples That Shook 2021

    Spyware Example 4: Ghost RAT. Ghost RAT (also written as Gh0st RAT) is a trojan horse made for spying. RAT stands for "remote administration tool." This name is appropriate considering that Ghost RAT's operators, GhostNet System, use a C&C server to control victims' devices remotely.

  11. RNA viruses: a case study of the biology of emerging infectious

    Introduction. Viruses account for only a small fraction of the 1400 or more different species of pathogen that plague humans - the great majority are bacteria, fungi or helminths. However, as both the continuing toll of childhood infections such as measles and recent experience of AIDS and influenza pandemics illustrate, viruses are rightly high on the list of global public health concerns.

  12. Cyber Security Case Studies

    Malwarebytes leads the market with its lightweight footprint, ease of use, and steadfast reliability in stopping threats." — Shane Hooton, Owner, Hooton Tech. Cyberprotection for every one. Learn how Malwarebytes secures businesses worldwide in these cyber security case studies focusing on organizations from all industries.

  13. A World of Viruses

    Viruses do not only infect humans. They are, in fact, ever present in our world, occupying nearly all organisms, and found in virtually every type of habitat, even in the air we breathe and the deepest depths of the ocean. They are also ancient, predating some of the earliest forms of life. Scientists believe they are at least as old as the ...

  14. Simulating real-life scenarios to better understand the spread of

    Finally, for the real scenario, we can observe in the curves from Fig. 7c that they have almost the same trajectory as the case described above, until the fourth day where the unrestricted ...

  15. Botnet Examples (2024): The 6 Worst Attacks of All Time

    On one day in 2007, it sent a record 57 million emails. Conficker (2008): A botnet that exploited Windows vulnerabilities, Conficker potentially controlled up to 10 million computers. Zeus (2009): Specializing in financial theft, Zeus compromised over 74,000 FTP accounts on various high-profile websites. Cutwail (2009): One of the largest ...

  17. Adware Examples (2024): The 7 Worst Attacks of All Time

    Ask Toolbar (2011): Known for being difficult to remove, this toolbar significantly impacted user experience. In 2012, Ask.com reached 100 million global users per month. Fireball (2017): This adware took browser hijacking to a new level, infecting a vast number of computers. It had infected over 250 million computers worldwide.

  18. When your lesson about infectious disease is a case study of the world

    In a two-and-a-half hour session, modeled after our microbiology course, our professors asked our small groups to compare and contrast the two big players in this infectious disease season -- influenza virus and SARS-CoV-2. Rather than having us memorize a bunch of names and facts, they made each disease's life a story with heroes, villains ...

  19. Key considerations in the design of real-world studies

    In this article, we discuss some key considerations in the design of real-world studies, which include experimental studies (e.g., hybrid or pragmatic clinical trials and non-randomized single-arm clinical trials with external controls) and non-experimental studies (e.g., cohort studies, cross-sectional studies, and case-control studies ...

  20. 2021 Ransomware Case Study: Identifying High Priority Security Controls

    Three quarters through 2021 and malicious cyber actors appear to be taking full advantage of the world's rapid shift towards an even more internet-dependent society. In May, nationwide oil shortages, increased consumer fuel prices, and emergency declarations were issued after a ransomware incident forced a major U.S. oil pipeline to shut down operations (The New York Times, 2021).

  21. (PDF) Trojan Horse Malware

    Senesh N. Wijayarathne. Sri Lanka Institute of Information Technology (SLIIT), Malabe, Sri Lanka. ABSTRACT. This study mainly focuses on Trojan Horse Viruses. This ...

  22. Trojans in the Real World (BEAST)

    This video will reveal more about Ransomware, a type of malware that locks files, and then prompts users to pay in order to unlock them. Increasingly, this is the most common form of attack, because it is a way for hackers to make money.