Viruses and other malware spreading for sinister or baffling reasons has been a staple of cyberpunk novels and real-life news stories alike for decades. And in truth, there have been computer viruses on the internet since before it was the internet. This article will take a look at some of the most important milestones in the evolution of malware: These entries each represent a novel idea, a lucky break that revealed a gaping security hole, or an attack that turned to be particularly damaging—and sometimes all three.
- Creeper virus (1971)
- Brain virus (1986)
- Morris worm (1988)
- ILOVEYOU worm (2000)
- Mydoom worm (2004)
- Zeus trojan (2007)
- CryptoLocker ransomware (2013)
- Emotet trojan (2014)
- Mirai botnet (2016)
- Petya ransomware/NotPetya wiper (2016/7)
- Clop ransomware (2019-Present)
1. Creeper virus (1971)
Computer pioneer John von Neumann’s posthumous work Theory of Self-Reproducing Automata, which posited the idea of computer code that could reproduce and spread itself, was published in 1966. Five years later, the first known computer virus, called Creeper, was a written by Bob Thomas. Written in PDP-10 assembly language, Creeper could reproduce itself and move from computer to computer across the nascent ARPANET.
Creeper did no harm to the systems it infected—Thomas developed it as a proof of concept, and its only effect was that it caused connected teletype machines to print a message that said “I’M THE CREEPER: CATCH ME IF YOU CAN.” We’re mentioning it here despite its benign nature because it was the first, and set the template for everything that followed. Shortly after Creeper’s release, Ray Tomlinson, best known for implementing the first email program, wrote a rival program called Reaper that spread from computer to computer eliminating Creeper’s code.
2. Brain virus (1986)
Creeper was designed to leap across computer networks, but for most of the 1970s and ’80s that infection vector was in limited simply because most computers operated in isolation. What malware did spread from computer to computer did so via floppy disks. The earliest example is Elk Cloner, which was created by a 15-year-old as a prank and infected Apple II computers. But probably the most important of this generation of viruses was one that came to be known as Brain, and started spreading worldwide in 1986.
Brain was developed by computer programmers (and brothers) Amjad and Basit Farooq Alvi, who lived in Pakistan and had a business selling medical software. Because their programs were often pirated, they created a virus that could infect the boot sector of pirated disks. It was mostly harmless but included contact information for them and an offer to “disinfect” the software.
Whether they could actually “fix” the problem isn’t clear, but as they explained 25 years later, they soon started receiving phone calls from all over the world, and were shocked by how quickly and how far Brain had spread (and how mad the people who had illegally copied their software were at them, for some reason). Today Brain is widely regarded as the first IBM PC virus, so we’re including it on our list despite its benign nature, and the brothers still have the same address and phone number that they sent out 25 years ago.
3. Morris worm (1988)
1988 saw the advent of a piece of malware called Morris, which could claim a number of firsts. It was the first widespread computer worm, which meant it could reproduce itself without needing another program to piggyback on. It targeted multiple vulnerabilities to help it spread faster and further. While not designed to do harm, it was probably the first malware to do real substantive financial damage, more than earning its place on this list. It spread incredibly swiftly—within 24 hours of its release, it had infected 10 percent of all internet-connected computers—and created multiple copies of itself on each machine, causing many of them to grind to a halt. Estimates of the costs of the attack ranged into the millions.
The worm is named after its creator Robert Morris, who was a Cornell grad student at the time and meant it as a proof-of-concept and demonstration of widespread security flaws. Morris didn’t anticipate that it would spread so quickly or that its ability to infect individual computers multiple times would cause so much trouble, and he tried to help undo the damage, but it was too late. He ended up the unfortunate subject of another first: The first person convicted under the 1986 Computer Fraud and Abuse Act.
4. ILOVEYOU worm (2000)
Unlike the previous malware creators on this list, Onel de Guzman, who was 24 in 2000 and living in the Philippines, crafted his creation with straightforward criminal intent: he couldn’t afford dialup service, so he built a worm that would steal other people’s passwords so he could piggyback off of their accounts. But the malware so cleverly took advantage of a number of flaws in Windows 95—especially the fact that Windows automatically hid the file extensions of email attachments so people didn’t realize they were launching executable files—that it spread like wildfire, and soon millions of infected computers were sending out copies of the worm and beaming passwords back to a Filipino email address. It also erased numerous files on target computers, causing millions of dollars in damage and briefly shutting down the U.K. Parliament’s computer system.
de Guzman was never charged with a crime, because nothing he did was illegal in the Philippines at the time, but he expressed regret in an interview 20 years later, saying he never intended the malware to spread as far as it did. He also ended up being something of a pioneer in social engineering: the worm got its name because it spread with emails with “ILOVEYOU” in the subject line. “I figured out that many people want a boyfriend, they want each other, they want love, so I called it that,” de Guzman said.
5. Mydoom worm (2004)
Mydoom may be almost 20 year old as of this writing, but as of today still holds a number of records. The Mydoom worm infected computers via email, then took control of the victim computer to email out more copies of itself, and did it so efficiently that at its height it accounted for a quarter of all emails sent worldwide, a feat that’s never been surpassed. The infection ended up doing more than $35 billion in damages, which, adjusted for inflation, has also never been topped.
The creator and ultimate purpose of Mydoom remain mysteries today. In addition to mailing out copies of the worm, infected computers were also used as a botnet to launch DDoS attacks on the SCO Group (a company that aggressively tried to claim intellectual property rights over Linux) and Microsoft, which led many to suspect some rogue member of the open source community. But nothing specific has ever been proven.
6. Zeus trojan (2007)
Zeus was first spotted in 2007, at the tail end of the Web 1.0 era, but it showed the way for the future of what malware could be. A Trojan that infects via phishing and drive-by downloads from infected websites, isn’t just one kind of attacker; instead, it acts as a vehicle for all sorts of malicious payloads. Its source code and operating manual leaked in 2011, which helped both security researchers and criminals who wanted to exploit its capabilities.
You’ll usually hear Zeus referred to as a “banking Trojan,” since that’s where its variants focus much of their energy. A 2014 variant, for instance, manages to interpose itself between a user and their banking website, intercepting passwords, keystrokes, and more. But Zeus goes beyond banks, with another variation slurping up Salesforce.com info.
7. CryptoLocker ransomware (2013)
Zeus could also be used to create botnets of controlled computers held in reserve for some later sinister purpose. The controllers of one such botnet, called Gameover Zeus, infected their bots with CryptoLocker, one of the earliest prominent versions of what became known as ransomware. Ransomware encrypts many of the files on the victim’s machine and demands a payment in cryptocurrency in order to restore access.
CryptoLocker became famous for its rapid spread and its powerful asymmetric encryption that was (at the time) uniquely difficult to break. It also became famous due to something unusual in the malware world: a happy ending. In 2014, the U.S. DoJ and peer agencies overseas managed to take control of the Gameover Zeus botnet, and restore the files of CryptoLocker victims free of charge. Unfortunately, CryptoLocker spread via good old-fashioned phishing as well, and variants are still around.
8. Emotet trojan (2014)
Emotet is another piece of malware whose functionality has shifted and changed of the years that it has remained active. In fact, Emotet is a prime example of what’s known as polymorphic malware, with its code changing slightly every time it’s accessed, the better to avoid recognition by endpoint security programs. Emotet is a Trojan that, like others on this list, primarily spreads via phishing (repeat after us: do not open unknown email attachments).
Emotet first appeared in 2014, but like Zeus, is now a modular program most often used to deliver other forms of malware, with Trickster and Ryuk being two prominent examples. Emotet is so good at what it does that Arne Schoenbohm, head of the German Federal Office for Information Security, calls it the “king of malware.”
9. Mirai botnet (2016)
All the viruses and other malware we’ve been discussing so far have afflicted what we think of as “computers”—the PCs and laptops that we use for work and play. But in the 21st century, there are millions of devices with more computing power than anything that Creeper could have infected. These internet of things (IoT) devices are omnipresent, ignored, and often go unpatched for years.
The Mirai botnet was actually similar to some of the early malware we discussed because it exploited a previously unknown vulnerability and wreaked far more havoc than its creator intended. In this case, the malware found and took over IoT gadgets (mostly CCTV cameras) that hadn’t had their default passwords changed. Paras Jha, the college student who created the Mirai malware, intended to use the botnets he created for DoS attacks that would help settle scores in the obscure world of Minecraft server hosting, but instead he unleashed an attack that focused on a major DNS provider and cut off much of the U.S. east coast from the internet for the better part of a day.
10. Petya ransomware/NotPetya wiper (2016/7)
The ransomware Trojan dubbed Petra started afflicting computers in 2016. Though it had a clever mechanism for locking down its victims’ data—it encrypts the master file table, which the OS uses to find files—it spread via conventional phishing scams and wasn’t considered particularly virulent.
It would probably be forgotten today if not for what happened the following year. A new self-reproducing worm variant emerged that used the NSA’s leaked EternalBlue and EternalRomance exploits to spread from computer to computer. Originally distributed via a backdoor in a popular Ukrainian accounting software package, the new version—dubbed NotPetya—quickly wreaked havoc across Europe. The worst part? Though NotPetya still looked like ransomware, it was a wiper designed wholly to ruin computers, as the address displayed where users could send their ransom was randomly generated and did no good. Researchers believe that Russian intelligence repurposed the more ordinary Petya malware to use as a cyberweapon against Ukraine—and so, in addition to the massive damage it caused, NotPetya earns its place on this list by illustrating the symbiotic relationship between state sponsored and criminal hackers.
11. Clop ransomware (2019-Present)
Clop (sometimes written Cl0p) is another ransomware variant that emerged on the scene in 2019 and has grown increasingly prevalent since, to the extent that it was dubbed one of the top malware threats of 2022. In addition to preventing victims from accessing their data, Clop allows the attacker to exfiltrate that data as well. McAfee has a breakdown of the technical details, including a review of ways it can bypass security software.
What makes Clop so interesting and dangerous, however, is not how it’s deployed, but by whom. It’s at the forefront of a trend called Ransomware-as-a-Service, in which a professionalized group of hackers does all the work for whoever will pay them enough (or share in a percentage of the ransomware riches they extract from victims). The earlier entries in this list are from a day when the internet was for hobbyists and lone wolves; today, it seems even cybercrime is largely the province of governments and the professionals.
Copyright © 2022 IDG Communications, Inc.
