The Malware That I Used To Know

Malware, much like any weapon, evolves based upon multiple factors, be it the protections of its intended target, the weapon operator and their organization, or the general intent it was created for. Unlike most weapons though, malware evolved with a pattern closer to that of a biological disease. Early variants were created and most of them failed, but useful traits were passed on to new generations of malware, and as time went on only the most stealthy and ruthless malware survived. This blog post is a quick summary of malware through the years, from its early origins in the late 60’s to the “super-malware” we all know and fear today.

How it all started

The concept of modern-day malware started not with a program, but with an idea. The mathematician John von Neumann wrote an article about the “Theory of Self-Reproducing Automata” in 1966. The article compared and contrasted the internals of computers with the human nervous system. It then discussed the possibility of self-replicating software, using mathematical analysis based upon the self-replication process of organisms found in nature.

Five years later, in 1977, Bob Thomas of BBN Technologies built the “Creeper” virus, which is generally accepted as the first computer worm. It spread through mainframe computer networks and displayed the message:

“I’m the Creeper, catch me if you can!”

Around the same time, in order to combat the Creeper virus, another worm program was created, named “Reaper.” Reaper would also spread through the same mainframe systems but would delete Creeper upon contact. I find it very interesting that the world’s first antivirus appeared only a short time after the creation of the world’s first virus.

Three years after that, the world’s first Trojan Horse was developed. It was known as “Pervading Animal” and was written by John Walker to be used on UNIVAC systems (those really big computers that took up entire rooms). The Trojan would present the user with a game called ANIMAL, which asked numerous questions in an attempt to guess what animal the user was thinking of. Meanwhile, another program called PERVADE would copy both itself and ANIMAL to every directory the user had access to.

The very late 60’s and early to mid-70’s were the origin years of malware. Computer systems were becoming more and more capable and autonomous, so curious programmers could write up all kinds of fun things to play pranks on their friends or just to see what they could do. This is how our modern malware began.

Infecting the home user

You may or may not believe this, but some of the very first malware written in the early 1980’s was for Apple II systems. So next time you hear about the “Flashback virus”, or something similar to it, and how it is changing the game because it is infecting Apple computers, just remember that malware has been on Apple hardware before. One example of Apple II malware was called “Elk Cloner”; it was created by Richard Skrenta, a 15-year-old high school student. It infected systems using the “boot sector” technique, which means that if the user booted their system from an infected floppy disk, a copy of the virus was placed in the memory of the computer. The virus itself was harmless but spread to all disks attached to an infected system, and it spread like wildfire, being referred to as the first large-scale computer virus outbreak in history.

From 1983-1986, numerous types of early viruses were developed for IBM PCs. These viruses had the ability to infect other legitimate files on the operating system, delete other files, and self-replicate. In 1987, as these viruses became more and more prevalent on user systems, IBM developed and released its own commercial antivirus. Prior to this, all antivirus technology was for IBM internal use only. Finally, in 1988, the “Morris worm” was created to infect UNIX systems connected to the internet and was considered the first worm to spread “in the wild.” It is also known as one of the first programs to exploit buffer overflow vulnerabilities, a technique which is still used in many of today’s exploits.

It wasn’t until 1989 that malware began to really look like how we see it today. Take, for example, the “Lamer Exterminator” virus. It was created for the Commodore Amiga and had the ability to hide itself by hooking into parts of the operating system and sending false data to any process which might detect it. It also encrypted its own file every time it replicated.

Malware starts to get scary

Over the last few years we have had multiple types of “scares” as far as malware goes, including the most recent DNSChanger scare, which left millions of people thinking that they were going to lose their access to the internet. Well, it wasn’t the first scare: back in 1992, the “Michelangelo” virus made a name for malware on a large scale.

The mass hysteria that surrounded “Michelangelo” was due to the belief that the virus would wipe all the information off of people’s computers on March 6th. When the date came and went, the damage was minimal, and it turned out that the media had hyped the story up far more than it deserved.

In 1995, new methods of hiding and infecting were created with the first macro virus, known as “Concept”, which turned Microsoft Word documents into weapons. This leads us into the next 5 years of heavy email worms, including the “Melissa” worm, the “Kak” worm and the “ILOVEYOU” worm. In March of 2004, the “Witty” worm exploited holes in several Internet Security Systems (ISS) products and was the first internet worm to carry a destructive payload.

New Frontiers and Advertising

The first half of the 21st century was witness to a shift in the intent and purpose of malware, from being malicious tools to cause harm and prank people, to tools of espionage where destroying the system was the last thing the attacker wanted, because it would mean not being able to steal more data. In June of 2004, the “Caribe” worm was found infecting mobile phones running the Symbian OS; it is the first case of mobile phone malware and spread to other phones via Bluetooth. Later that year the “Vundo Trojan” caused popups and advertising for rogue antispyware programs, and it is one of the earlier versions of a type of malware which is commonly seen today.

The Age of Cyber-crime

In January of 2007, the “Storm Worm” was identified. It spread fast by using email spamming and gathered infected systems to be used as bots for the “Storm Botnet”. By June it had infected 1.7 million computers and by September between 1 and 10 million. It was believed to have originated from Russia, which means that it was most likely used by cyber-crime organizations. Nearly all large botnets are run by cyber-criminals who buy and sell bots to other criminals, or to would-be criminals, to spread spam or steal personal information.

In 2008, a few months before the “Koobface” worm first started infecting users of Facebook, the “Torpig” Trojan infected users and turned off their antivirus. It also stole personal information such as log-in credentials and installed further malware on the victim’s system. Then in November, the “Conficker” worm was discovered and infected anywhere from 9 to 15 million systems. Microsoft put up a bounty of $250,000 for information leading to the arrest of the creator. Multiple government agencies and organizations from all over the world came together to find a way to combat “Conficker”, ending with the eventual release of a patch by Microsoft in December, making everyone safe again.

World War Malware

It was only a matter of time before malware started being used as a government weapon or tool of espionage at a deeper level than any crime organization is capable of. In 2007, cyber-attacks against Georgia during a conflict with Russia were reported to be coming from infected systems belonging to the Black Energy Botnet. It targeted government websites and news sources, attempting to cut off communication between the government and the people.

In July of 2009, multiple cyber-attacks were reported in both the United States and South Korea (a lot more than usual, anyway), leading to a specific piece of malware known as Dozer. It is suspected that this malware was developed and deployed by the North Koreans, but no one knows for sure. In 2010, the Trojan Stuxnet was discovered infecting SCADA systems at Iranian nuclear facilities; the malware disrupted systems and sent information back to its command and control servers, recently announced to be controlled by the U.S.

Finally, this year alone we have seen not only Remote Access Trojans (RATs) like BlackShades and DarkComet being used by the Syrian government to spy on rebels, but also the use of the Flame Trojan in Middle Eastern countries, a highly sophisticated piece of espionage malware which targeted government facilities and officials.

Conclusion

When you read the news and hear about horrifying malware that threatens the population, you might not always think that it all started with an idea and a little annoying yet harmless program. In the same way, you don’t often think that a flood which is destroying a town all starts with a single drop of rain. The people who are using the malware, and for what reason, will always change, and you can never say for sure what is going to happen. One thing is for sure, however: malware will continue to evolve into stealthier, more powerful and more dangerous weaponized software for as long as we integrate computer systems into our lives.

ABOUT THE AUTHOR

Adam Kujawa

Director of Malwarebytes Labs

Over 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.