The History of Computer Viruses and Malware
If you’ve used a computer for more than 5 minutes, you probably know a thing or two about computer viruses and malware. On the modern Internet, malware is a near-constant presence. Whether it’s infected emails stealing employee access credentials or the plague of ransomware that has menaced the business world in recent years, there are a number of ways malware can disrupt your organization.
Though often conflated with one another, malware and computer viruses aren’t necessarily the same thing. While all computer viruses are malware, not all malware is a computer virus. The key difference between computer viruses and other types of malware is that computer viruses function, as the name implies, much the way biological viruses do. They begin by attaching themselves to programs or files on a computer, then spread to other computers when those infected programs or files are accessed. Computer viruses can also self-replicate to attach themselves to even more programs and files. This isn’t necessarily true of other types of malware. Ransomware, for example, usually doesn’t self-replicate.
It’s important to learn as much as you can about computer viruses and malware, now more than ever. According to a recent Statista report, there have been 2.8 billion malware attacks worldwide in just the first half of 2022. A 2020 study of pentesting projects from Positive Technologies revealed that external attackers could breach 93% of company networks, with 71% being vulnerable even to novice-level hackers.
Even as we focus on current cybersecurity threats and protections, it can be just as important to take a look at the history of these malicious pieces of software and how their beginnings inform the way they’re used and circulated today. The history of computer viruses and malware goes almost as far back as the history of the field of computer science itself.
Though they had yet to be named, computer viruses were first conceptualized by Hungarian mathematician John von Neumann, who designed a self-replicating computer program that some consider to be the precursor to computer viruses, even if it was never developed or deployed in the way computer viruses eventually would be. Though this work began in the 1940s, it, along with his other work in the field of self-replication, was eventually compiled and distributed via the 1966 paper “Theory of Self-Reproducing Automata.”
Though von Neumann’s self-replicating program was more or less a thought experiment, computer programmer Bob Thomas developed the Creeper program in 1971, which is often cited as the first computer virus. Named after a character from “Scooby-Doo,” the Creeper was originally intended as a security test for the U.S. Department of Defense’s Advanced Research Projects Agency Network (ARPANET), the precursor of the modern Internet we know, love, and sometimes hate.
As a security test, the Creeper’s effects on infected machines were minimal. It would simply display a message on the computer’s screen: “I’M THE CREEPER. CATCH ME IF YOU CAN!” A polite little virus, the Creeper would also try to remove itself from its host whenever it would infect a new hard drive.
Though polite, the Creeper was still an annoyance to some, and in 1971, Ray Tomlinson developed the first antivirus software, called Reaper. The Reaper would glide across ARPANET, scanning for and removing any instances of the Creeper it found there.
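The Reaper described above worked by recognizing the Creeper where it found it and removing it. The following is an added example, not Reaper's or any vendor's code, of the same basic idea in its simplest modern form: a signature scanner that walks a directory tree, looks for a known byte pattern in each file and quarantines the hits. The signature table and the sample files it scans are constructed for the demonstration; the Creeper banner quoted in the text stands in for a real signature.

```python
"""Reaper-style signature scanner (added example; not Reaper's or any
vendor's own code). It walks a directory tree, looks for a known byte
pattern in each file and quarantines the hits, which is the basic idea
behind early signature-based antivirus."""
import os
import tempfile

# Constructed signature table. The Creeper banner quoted in the text is used
# as its signature here; production scanners use precise byte sequences,
# hashes and heuristics rather than a single printable string.
SIGNATURES = {
    "Creeper": b"I'M THE CREEPER. CATCH ME IF YOU CAN!",
}


def scan_file(path, signatures=SIGNATURES, chunk_size=1 << 16):
    """Return the sorted names of every signature found in the file.

    Files are read in chunks; the tail of the previous chunk is carried over
    so that a pattern straddling a chunk boundary is still found.
    """
    overlap = max(len(p) for p in signatures.values()) - 1
    hits = set()
    carry = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = carry + chunk
            for name, pattern in signatures.items():
                if pattern in window:
                    hits.add(name)
            carry = window[-overlap:] if overlap > 0 else b""
    return sorted(hits)


def scan_tree(root, signatures=SIGNATURES):
    """Return {relative path: [signature names]} for every flagged file under root."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            hits = scan_file(path, signatures)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def quarantine(root, findings, quarantine_dir):
    """Move flagged files into quarantine_dir instead of deleting them, so an
    analyst can inspect them and a false positive can be restored."""
    os.makedirs(quarantine_dir, exist_ok=True)
    moved = []
    for rel in findings:
        src = os.path.join(root, rel)
        dst = os.path.join(quarantine_dir, rel.replace(os.sep, "_"))
        os.replace(src, dst)
        moved.append(dst)
    return moved


def demo():
    """Build a constructed sample tree in a temp directory, scan it and
    quarantine the hits. Returns (findings, files left in the scanned dir)."""
    root = tempfile.mkdtemp(prefix="reaper_demo_")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "hello.txt"), "wb") as fh:
        fh.write(b"just a harmless file\n")
    # Constructed "infected" file: padding around the signature so the
    # pattern sits well inside the file rather than at its start.
    with open(os.path.join(root, "bin", "creeper_sample.bin"), "wb") as fh:
        fh.write(b"\x00" * 1000 + SIGNATURES["Creeper"] + b"\x00" * 1000)
    findings = scan_tree(root)
    quarantine(root, findings, os.path.join(root, "_quarantine"))
    remaining = sorted(os.listdir(os.path.join(root, "bin")))
    return findings, remaining


if __name__ == "__main__":
    print(demo())
```

Quarantining rather than deleting is the choice a defender normally wants: the flagged file stays available for analysis, and a false positive costs a restore rather than a lost file.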
While the Creeper was a relatively benign program, 1974’s Rabbit Virus was one of the first computer viruses developed with malicious intent. Named for how fast it could duplicate itself, the Rabbit Virus would flood infected computers with these copies, slowing down and even crashing machines with relative ease.
1975 saw the creation of a precursor to modern trojan malware. The ANIMAL program, wherein the computer would attempt to guess what animal a human is thinking of via a game similar to Twenty Questions, was popular amongst computer users at the time. John Walker’s version of the program contained a hidden program, called PERVADE, which would search computer directories, find directories without copies of ANIMAL, and distribute copies of ANIMAL into those directories. Like the Creeper, however, this program was relatively benign and took steps to not delete important system files while copying itself everywhere.
University of Southern California graduate student Fred Cohen designed an unnamed piece of malware which could take over a computer’s system operations. He was also the first person to define the term “computer virus.” Cohen went on to become a pioneer of computer virus defense techniques.
Cohen also believed in the idea of “positive viruses,” beneficial programs which could spread like a computer virus. Cohen designed the compression virus, a virus designed to not damage or delete infected files but instead make them smaller.
In 1986, the first PC computer virus, Brain, was released into the wild. Spread via infected floppy disks, Brain would replace the boot sector of the floppy disk with a copy of the virus. Created by the brothers Amjad Farooq Alvi and Basit Farooq Alvi, the virus was meant to track pirated copies of certain disks. When booted up, it would display a message that varied from copy to copy but usually began with the phrase “Welcome to the Dungeon,” a reference to an early programming forum. The brothers’ names, addresses, and phone numbers were also listed, with a request that the victim contact them for virus removal. Like many early computer viruses, the Brain was relatively benign and wasn’t designed to be much more than a nuisance.
As the Internet began entering public use, the first computer viruses that could be spread via the Internet followed soon after. One of the most popular early instances of computer viruses is the Morris Worm. Launched on November 2, 1988 and named for its creator, Robert Morris, the Morris Worm was also not intentionally designed to damage infected machines. Instead, it was meant to point out weaknesses present in networks of the time.
However, a coding error resulted in the worm replicating itself regardless of a computer’s infection status, leading to computers being infected with multiple copies of the worm and eventually resulting in the infected machine crashing. Robert Morris ended up becoming the first person convicted of a felony in the U.S. under the 1986 Computer Fraud and Abuse Act.
As malicious viruses became more the norm, countermeasures were being developed to mitigate the damage these viruses caused. One of the first pieces of antivirus software, McAfee’s VirusScan, was released in 1987. It would soon be followed by other antivirus pioneers, such as ESET’s NOD program, G Data’s Anti-Virus Kit, H+BEDV’s Antivir, and Avast Antivirus.
1992’s Michelangelo virus was one of the first computer viruses to garner mainstream attention, as some vendors inadvertently sold hardware and software infected with the virus.
As the Internet grew in popularity, new vectors of infection began popping up. From chain emails to suspicious websites, modern malware techniques began developing as the world approached the 21st century.
Macro viruses — viruses which could infect documents created via programs like Microsoft Word — rose in popularity in the mid-to-late 1990s. One of the most prominent was 1999’s Melissa. Spread via email, the virus would use the subject line “Important Message From [infected user].” Upon opening the email, victims would see the message “Here’s that document you asked for. Don’t show anyone else ;)” along with a Word file titled “list.doc.” The document contained a list of pornographic sites, along with passwords for access to said sites and would then spread itself and its NSFW content by emailing the first 50 people in the victim’s contact list.
Social engineering attacks soon found use in the digital space. One of the first instances was the Love Letter virus of 2000. Though it followed similar patterns to macro viruses like Melissa, Love Letter utilized an infected Visual Basic Script (VBS) file, not a Word file. With a subject line reading “I Love You,” Love Letter would entice victims to click on its VBS file, releasing the virus onto their computer. Once inside a computer, Love Letter would replace and overwrite existing files on the machine with copies of itself.
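Both Melissa and Love Letter are described above in terms a mail gateway can check for: a recognizable subject line paired with a particular attachment type, and, once a mailbox is infected, a burst of identical outbound messages to the victim's contacts. The following added example (not code from the original article) implements both checks in Python. The rules, the sample messages and the outbound log are constructed from the indicators quoted in the text; the attachment filename for the Love Letter sample is a placeholder, not the historical one.

```python
"""Mail-gateway style detection for Melissa- and Love Letter-style messages
(added example, not code from the original article). It checks two things
the text describes: the subject/attachment pairing of the lure, and the
burst of outbound mail an infected mailbox produces."""
import re
from collections import defaultdict
from email import message_from_string
from email.message import EmailMessage

# Constructed rules built from the indicators quoted in the text. A real
# gateway would carry many more rules plus attachment content inspection.
RULES = [
    {"name": "Melissa-like",
     "subject": re.compile(r"^\s*important message from\b", re.I),
     "attachment_ext": (".doc",)},
    {"name": "LoveLetter-like",
     "subject": re.compile(r"\bi\s*love\s*you\b", re.I),
     "attachment_ext": (".vbs",)},
]


def attachment_names(msg):
    """Lower-cased filenames of every MIME part that carries one."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def classify(raw):
    """Return the names of the rules a raw RFC 822 message matches."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "") or ""
    names = attachment_names(msg)
    return [r["name"] for r in RULES
            if r["subject"].search(subject)
            and any(n.endswith(r["attachment_ext"]) for n in names)]


def find_mass_mailers(log, threshold=50, window=60):
    """Senders that emitted `threshold` or more messages with one subject
    inside `window` seconds. `log` is an iterable of (epoch, sender, subject)."""
    by_key = defaultdict(list)
    for ts, sender, subject in log:
        by_key[(sender, subject)].append(ts)
    flagged = set()
    for (sender, _), times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(sender)
                break
    return flagged


def make_sample(subject, body, filename=None):
    """Construct a sample message and return it as a raw string."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_string()


# Constructed samples: the two lures described in the text and a benign
# message whose subject alone would match the Melissa rule.
SAMPLE_MELISSA = make_sample("Important Message From Alice",
                             "Here's that document you asked for. Don't show anyone else ;)",
                             "list.doc")
SAMPLE_LOVELETTER = make_sample("I Love You", "kindly check the attached letter",
                                "love-letter.vbs")
SAMPLE_CLEAN = make_sample("Important Message From Alice", "See attached report",
                           "report.pdf")

# Constructed outbound log: one infected mailbox fires 50 identical messages
# in under a minute; one normal user sends six messages over half an hour.
SAMPLE_LOG = ([(1000 + i, "victim@example.test", "Important Message From Victim")
               for i in range(50)]
              + [(1000 + 300 * i, "normal@example.test", "lunch?") for i in range(6)])

if __name__ == "__main__":
    for raw in (SAMPLE_MELISSA, SAMPLE_LOVELETTER, SAMPLE_CLEAN):
        print(classify(raw))
    print(find_mass_mailers(SAMPLE_LOG))
```

The subject regex alone is deliberately not enough to flag a message; pairing it with the attachment type is what keeps the benign sample from being quarantined. The burst check is the complementary signal: it needs no knowledge of the lure at all and catches the propagation step regardless of what the message says.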
As the Internet and computers became integral to society’s day-to-day existence, computer viruses and malware exploded in both popularity and potential disruptiveness.
In July 2001, the Code Red Worm attempted to subject the entire Internet to a distributed denial of service (DDoS) attack. Named for the flavor of Mountain Dew its discoverers were drinking at the time, Code Red would deface infected websites with text reading “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!”
Due to the virus’s name and the above text, many at the time believed the malware to have originated in China. However, despite claims from U.S. officials at the time that the virus had been traced to China, no evidence has come to light linking Code Red to the nation. In fact, China itself would fall prey to the second iteration of Code Red in August 2001.
At its peak, Code Red had infected over 359,000 computers, according to analysis from the Center for Applied Internet Data Analysis (CAIDA). Eventually, the infected computers were all directed to attempt a DDoS specifically on whitehouse.gov, though the White House managed to sidestep the assault.
In 2003, one of the first pieces of malware designed to make money was discovered. Fizzer was a worm spread via email attachments that, once it found its way onto a machine, could perform a number of malicious tasks. It could install a keylogging program, allowing the hacker to gain access to sensitive information like bank account details, passwords, and physical addresses whenever the victim typed that information into their computer. It also would actively shut down antivirus processes to evade detection and removal. Finally, it could even act as a backdoor through which hackers could gain remote access to the infected machine’s resources.
2004 saw the first worm designed to infect cell phones, Cabir. Once it infected a phone, text reading “Caribe” would be displayed whenever the phone was turned on or used. It would then attempt to spread via Bluetooth. Users looking to avoid infection by Cabir could do so by turning Bluetooth off or switching the phone to invisible mode.
Stuxnet, discovered in 2010, was the first documented attempt by sovereign nations to use malware to attack other sovereign nations. Stuxnet was designed to disrupt Iran’s nuclear facilities, in an apparent attempt to slow the country’s progress on developing an atomic bomb. This attack successfully delayed Iran’s efforts, managing to destroy 1,000 of the 6,000 centrifuges the nation was using to enrich uranium, but it neither stopped nor slowed Iran’s build-up of low-enriched uranium.
Though both governments have formally denied responsibility for the attack, Stuxnet is today commonly known to be the work of a joint effort between Israel and the United States, as reported by both “The New York Times” and “The Washington Post,” among others.
The 2010s and early 2020s have been marked by an increased prevalence in ransomware attacks. Though around for decades, with the first documented instance being 1989’s AIDS Trojan, ransomware has really blossomed on the modern Internet. The advent of untraceable digital payment methods like cryptocurrency was a boon to hackers looking to extort as much money as they could from their targets without being caught.
The CryptoLocker Trojan, launched in 2013, was one of the first major instances of ransomware being used on a large scale, hitting about 250,000 victims and extorting around $27 million in Bitcoin.
Though CryptoLocker was eventually isolated and neutralized by cybersecurity experts, it served as an effective proof-of-concept for ransomware as a business model. Copycat ransomware like TorrentLocker and CryptoWall started springing up. CryptoWall in particular was enough of a menace for the FBI’s Internet Crime Complaint Center (IC3) to issue an alert warning citizens about the malware.
2015 saw a ransomware group known as Armada Collective hit three Greek banks with DDoS attacks, demanding a ransom paid in Bitcoin from the banks to cease fire. The group also claimed responsibility for a DDoS attack on Swiss email provider ProtonMail. However, DDoS attacks on ProtonMail continued even after the ransom was paid. Armada Collective were not so lucky with the Greek banks, who bolstered their cybersecurity measures and managed to continue operating without much disruption.
In March 2016, the Petya family of ransomware was first discovered. Unlike its predecessors, which would only encrypt files, Petya would replace the computer’s master boot record with a ransom note, effectively rendering the computer unusable until a ransom was paid. It later evolved to also include file encryption. 2017 saw a pirated version of Petya, called “NotPetya,” hit multiple European countries in a major cyber attack, most notably Ukraine and Germany.
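Petya's replacement of the master boot record, like Brain's replacement of the floppy boot sector decades earlier, changes the first 512 bytes of the disk, which makes that sector a natural thing for a defender to baseline and re-check. The following added example (not code from the original article or from any product) records a SHA-256 of a known-good boot sector and later compares the sector read from a disk image against it, also checking the 0x55AA boot signature. The clean and overwritten sectors it checks are constructed stand-ins, not real boot code or real malware bytes; on a live system the sector would be read from the raw device with administrative privileges, which is outside this example.

```python
"""Boot-sector integrity check (added example, not the article's own code).
Detects the kind of boot-sector or MBR replacement that Brain and Petya
performed by comparing the first 512 bytes of a disk against a recorded
baseline hash and verifying the boot signature."""
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR / boot sector


def baseline_hash(sector):
    """SHA-256 of a sector, recorded once while the system is known to be clean."""
    return hashlib.sha256(sector).hexdigest()


def read_first_sector(image_path):
    """Read the first 512 bytes of a disk image file."""
    with open(image_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def check_boot_sector(sector, expected_hash):
    """Return a list of findings; an empty list means the sector is unchanged."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append("unexpected sector length %d" % len(sector))
        return findings
    if sector[-2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if baseline_hash(sector) != expected_hash:
        findings.append("sector hash differs from recorded baseline")
    return findings


def constructed_clean_sector():
    """Constructed stand-in for a known-good boot sector: a few bytes of
    filler 'code', a zeroed partition-table area and a valid signature."""
    code = b"\xfa" + b"\x90" * 100
    body = code + b"\x00" * (SECTOR_SIZE - len(code) - 2)
    return body + BOOT_SIGNATURE


def constructed_replaced_sector():
    """Constructed stand-in for a sector whose boot code has been overwritten
    with a ransom note; the bytes are a placeholder, not real malware."""
    note = b"CONSTRUCTED RANSOM NOTE PLACEHOLDER"
    body = note + b"\x00" * (SECTOR_SIZE - len(note) - 2)
    return body + BOOT_SIGNATURE


if __name__ == "__main__":
    baseline = baseline_hash(constructed_clean_sector())
    print("clean:", check_boot_sector(constructed_clean_sector(), baseline))
    print("replaced:", check_boot_sector(constructed_replaced_sector(), baseline))
```

The hash comparison is the check that matters: an overwritten sector usually still ends in 0x55AA, because the replacement has to boot, so the signature alone says nothing about whether the sector is the one the system was baselined with. The baseline hash has to be stored somewhere the malware cannot reach (off the machine, or in a write-protected location), and must be re-recorded after any legitimate bootloader update.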
Petya was initially developed by a group called Janus Cybercrime Solutions as part of its ransomware-as-a-service (RaaS) platform. Essentially, cyber criminals could pay Janus to use Petya on their targets, with Janus providing a number of additional services to ensure the attack was a success. In exchange, Janus took a cut of the paid ransom. RaaS quickly became a major force in the world of cybercrime thanks to both Petya and other major ransomware like LeakerLocker and WannaCry.
WannaCry is especially notable for both its 2017 attack on users worldwide and its method of propagation. The attack was massive, hitting over 230,000 computers in more than 150 countries in the first day. NHS hospitals in the United Kingdom were among the largest organizations hit by WannaCry. The UK branch of automobile company Nissan was another notable victim.
The way it spread was not through more traditional ransomware vectors like email phishing but instead through EternalBlue, a Windows exploit initially developed by the U.S. National Security Agency (NSA) and subsequently stolen and leaked by hacker group The Shadow Brokers.
GandCrab burst onto the scene in 2018. Though not impressive alone, GandCrab was soon integrated with an info-stealing Trojan named “Vidar,” after the Scandinavian god of vengeance. Thanks to Vidar, GandCrab provided a potent combination of both stealing and locking down victims’ files and rapidly became the most-used RaaS on the market in 2018 and 2019.
A partner of GandCrab, known as “Team Snatch,” helped popularize the practice of publicly leaking victim data to further pressure targets to pay the ransom. This was likely an effort to better extort companies who might sufficiently back up their data to the point where deletion isn’t much of a threat.
One of the first major public ransomware data leaks occurred in November 2019 when ransomware group Maze leaked 700 MB of stolen data from American security and janitorial services provider Allied Universal.
Public leaks like Allied Universal’s and major attacks like 2021’s Colonial Pipeline Attack have led to ransomware’s increased prominence and visibility in the public eye. The Colonial Pipeline Attack is also notable for potentially being one of the first known instances of an infection vector coming from a compromised employee password found on the dark web and not an external attack on a company’s systems.
Today, ransomware continues to plague businesses and individuals at all levels of society, provided that level includes regular Internet access. IC3’s 2021 Internet Crime Report found that ransomware inflicted more than $49.2 million in losses in the United States alone, and that’s just the instances of ransomware attacks that were reported to the FBI.
The FBI isn’t the only one with worrying statistics on ransomware. IBM’s 2022 Security X-Force Threat Intelligence Index found that ransomware was the most common type of malware attack the company remediated in 2021, comprising 21% of the total. Around 37% of those attacks could be traced to a specific strain of ransomware known as both “REvil” and “Sodinokibi.”
Second place in IBM’s index belonged to a ransomware strain called “Ryuk,” which made up nearly 20% of attacks by itself. The name “Ryuk” could come from either a romanization of the number 6 in Korean, a romanization of a North Korean surname, a village in Azerbaijan, or a character from popular Japanese media franchise “Death Note.”
Ryuk and REvil are especially notable for how long they have stayed in operation, having first appeared in April 2019 and August 2018, respectively. IBM’s report notes that ransomware operations usually have a lifespan of about 17 months. REvil shut down in October 2021 after 31 months. In January 2022, Russia’s Federal Security Service announced that the group behind REvil had “ceased to exist” and that its information infrastructure had been “neutralised.”
The cybersecurity field as it is probably would not exist without the threat of computer viruses and malware. There would still be a need for cybersecurity, of course. Data leaks, compromised access credentials, theft, and damage to hardware and software are all threats that would still exist if malware weren’t an issue.
However, the spectacle of and fear generated by major malware attacks like the Code Red Worm or the Colonial Pipeline Attack have undoubtedly helped to propel cybersecurity into becoming the over $150 billion industry it was valued as in 2021. The vast array of frameworks, tools, and solutions like zero-trust, SIEM, and IDPS would likely not exist in the forms they do now, with the price tags they do now, without the relevant threat of hackers and malware.
The ongoing development of cybersecurity technology by both businesses and governments alike is maintained with a healthy dose of fear toward the ongoing development of malware technology by both criminal groups and governments alike. As the Internet itself has helped shape our modern world, the evolving threat of computer viruses and malware have helped shape modern cybersecurity.
eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.