Malware Thru The Ages — 1969–2017
Introduction:
This essay is intended to provide the reader with a history of malware, starting with the famous “Creeper” worm in 1971 and ending with the 2017 WannaCry ransomware. Malware has evolved throughout the years to meet the demands of more complex computing machines, progressing from programs that could only be spread via floppy disk to those that arrive as an emailed download. Cybersecurity professionals need to understand this history in order to meet the threats of the future.
1969–1990: ARPANET Years
ARPANET was a packet switching network allowing universities and military networks to talk to one another. It was developed by the Advanced Research Projects Agency (ARPA) under the United States Department of Defense (DoD). The network would eventually evolve into what we know as the Internet. At this stage, personal computers were not widely adopted. Large mainframe and terminal systems were used instead.
1971 — Creeper Worm and Reaper Anti-Virus
Bob Thomas wrote the Creeper Virus in 1971 as a non-malicious experiment to attempt a self-replicating program. It infected DEC PDP-10 computers running the TENEX operating system. It spread via ARPANET and displayed the following message: “I’m the creeper, catch me if you can!” As a result, the first antivirus program would be created, titled Reaper. Written by Ray Tomlinson in 1972, Reaper was specifically designed to remove Creeper from mainframe systems.
Figure A: The message displayed by Creeper Worm
Figure B: The DEC PDP-10 mainframe computer
1974 — Wabbit
Written by an unknown author, Wabbit acted like a fork bomb, constantly replicating itself in system memory until the system became unusable. It only worked on systems that it was installed on and did not replicate over ARPANET.
1982 — Elk Cloner
Elk Cloner was written by 15-year-old Richard Skrenta to target Apple II computers. It worked by copying itself to floppy disks and was shared around manually, as users commonly shared floppy disks with software, books, and music. It was the first widespread virus infection outside of its home network. Elk Cloner is popularly considered to be the first “sneaker net” virus.
Figure C: A message displayed by Elk Cloner
1986 — Brain Boot Sector Virus
Written by Amjad Farooq Alvi and Basit Farooq Alvi, the Brain Boot Sector Virus is considered the first IBM Personal Computer (IBM-PC) virus. This was not intended by the authors, as they owned a medical company and made it as a copy-protection measure. It can be argued that the Brain Boot Sector Virus was not a true virus since it did no damage. It only renamed floppy disks and provided the brothers’ contact information.
Figure D: Brain boot sector message
1986 — PC-Write Trojan
PC-Write Trojan has an unknown author. According to “A Brief Study of Trojan,” it was the first malicious Trojan. PC-Write was a legitimate shareware program, but a malicious actor uploaded a modified copy of PC-Write with a trojan horse inside it. Once a user ran an infected version of PC-Write, they would lose all of their user files.
1988 — Morris Worm
Written by Robert Tappan Morris while at Cornell University, the Morris Worm replicated to around 6,000 machines, depriving users of computer resources. As per Morris, the exercise was supposed to be a “pen-test, or non-malicious, that went awry.” (FBI, 2018) The FBI gave a synopsis of the events:
The worm only targeted computers running a specific version of the Unix operating system, but it spread widely because it featured multiple vectors of attack…The worm did not damage or destroy files, but it still packed a punch. Vital military and university functions slowed to a crawl. Emails were delayed for days. The network community labored to figure out how the worm worked and how to remove it. Some institutions wiped their systems; others disconnected their computers from the network for as long as a week. The exact damages were difficult to quantify, but estimates started at $100,000 and soared into the millions. (FBI, 2018)
1991 — Michelangelo Virus
The Michelangelo Virus has an unknown author. It caused the first “mass panic” over a virus, driven by expert speculation and grifters wanting to sell anti-virus software. It was a boot sector virus that was scheduled to run on March 6, 1991. Below is a breakdown of the technical steps the virus took during its cycle.
First, the virus overwrites the first hundred sectors of the hard disk with nulls, provided the PC is an AT or PS/2. It assumed a disk geometry of 256 cylinders, 4 heads, and 17 sectors. In overwriting the hard disk, the virus made the user’s data inaccessible even though it remained physically present on the machine. The virus also moved the original boot sector to a different sector, making recovery difficult for the average user.
The fear of the virus came from two things: the flim-flam man John McAfee attempting to sell his company’s anti-virus software (claiming “millions of machines could be infected”) and a few software companies accidentally shipping software bundled with the virus. (Morrissey, 2012) At the end of the day, total infections ranged from 10,000–20,000.
1991 saw the end of ARPANET. Personal computer adoption reached an all-time high, ushering in a new way to communicate. Floppy disks and Bulletin Board Systems (BBS) became more common. MS-DOS and Apple came to dominate the market.
1999 — Melissa Virus
An outlier during a time when personal computing was coming into its own, the Melissa Virus bears mentioning for its impact. Written by David L. Smith, it is considered the first Mass Emailer Virus. The Melissa virus was sent to unsuspecting users under risqué subject lines that convinced them to open a Word document. A macro would then run, copy their Outlook contacts, and email itself to them. It caused email servers at over 300 companies to “grind to a halt” and, according to the FBI, caused “millions of dollars in damage.” (FBI, 2019) Smith disputes this claim.
2000–2009: “Wild West Era”
During this timeframe, the web was the “wild west” in terms of malware. Dialup internet was on the way out, and DSL and cable internet were becoming common in most homes that could afford them. Through these years, Limewire, peer-to-peer sharing, CD burning, and DVD burning became prominent. Various “malware kits” surfaced, allowing script kiddies to develop and deploy malware. With everything interconnected, massive outbreaks of malware began to appear.
2000 — ILOVEYOU Worm
Also known as “lovebug” or the “Love Letter for you” virus, the ILOVEYOU worm was written by Onel de Guzman. It was a Visual Basic Script (.VBS) email attachment masquerading as a text (.txt) file. Once a user downloaded and ran the file, the script would first damage random files on the computer (deleting Word and Excel documents and hiding MP3 files), then copy the user’s Outlook contact list and re-email itself to those unsuspecting users. Per Forbes, this worm caused around $5–8 billion in damages worldwide and cost another $10–20 billion to fully remove, because backups had been infected as well. In several cases corporations temporarily shut down their email servers to avoid infection; notably, the Pentagon, the CIA, and the British Parliament were among those that shut down.
2001 — Anna Kournikova Virus
Written by Jan de Wit, this virus was another email attachment virus. It purported to be a nude image of Anna Kournikova, a famous tennis player, which it did not actually contain. When clicked on, it ran a script that forwarded itself to every contact in the user’s address book. This virus had no damaging intent; the author said he created it using a publicly available worm software toolkit to “test the information security industry.” As such, the virus only forwarded itself to contacts and did not maliciously alter anything on the “infected” machines.
2003 — SQL Slammer Worm
Created and discovered by David Litchfield, the SQL Slammer Worm was presented at Black Hat Briefings. This worm worked by sending packets to unpatched Microsoft SQL servers on a specific port (UDP 1434). Once a server was infected, the worm targeted random IP addresses (on the same port) looking for more vulnerable MS-SQL servers. The interesting thing about this worm is that reinfections were common, since the worm resided only in memory (RAM) and never wrote anything to disk. The worm was purported to have infected 75,000 servers in the span of 10 minutes, severely slowing network traffic and causing Denial of Service (DoS) for some website operators.
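As an added defender-side example (not from the essay or any of its sources), the following Python flags hosts whose traffic matches the propagation pattern just described: a burst of UDP datagrams to port 1434 aimed at many distinct addresses within a short window, which is the only trace a memory-only worm leaves on the wire. The flow-record format, the thresholds and the sample hosts are assumptions constructed here.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# UDP port the essay names for Slammer (SQL Server Resolution Service).
SLAMMER_PORT = 1434

def parse_flow(line):
    """Parse one constructed 'timestamp src dst proto dport' record."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.upper(), int(dport)

def find_slammer_like_scanners(lines, window_seconds=60, min_distinct_targets=20):
    """Return {src: peak distinct UDP/1434 destinations in one window} for sources
    over the threshold. Slammer lived only in RAM, so file scans find nothing;
    the fan-out to random addresses is what a defender can actually observe."""
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, proto, dport = parse_flow(line)
        if proto == "UDP" and dport == SLAMMER_PORT:
            per_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # destination -> datagrams inside the sliding window
        left, best = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:  # expire events off the left edge
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_distinct_targets:
            flagged[src] = best
    return flagged

def constructed_sample():
    """Constructed flow records with hypothetical hosts, not real traffic."""
    base = datetime(2003, 1, 25, 5, 30)
    lines = []
    # A legitimate app server querying its single SQL Server over ten minutes.
    for i in range(3):
        ts = (base + timedelta(minutes=3 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.8 10.0.0.20 UDP 1434")
    # An infected host spraying 30 distinct addresses in under five seconds.
    for i in range(30):
        ts = (base + timedelta(milliseconds=150 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 198.51.{i}.{(i * 37) % 256} UDP 1434")
    return lines
```

Running find_slammer_like_scanners(constructed_sample()) flags only 10.0.0.5 with 30 distinct targets; the legitimate server, which talks to one SQL host, is left alone.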
2004 — Cabir Virus
The Cabir Virus has an unknown author. This “virus” was the first mobile phone malware. It was developed as a proof of concept to show that mobile phone malware was possible. It targeted the Symbian OS and displayed the word “Cabir” at the top of the screen when a phone was infected. It also attempted to send itself to other phones using Bluetooth.
2005 — Koobface Virus
As per Facebook researchers, the alleged authors are as follows: Stanislav Avdeyko (leDed), Alexander Koltyshev (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc), and Svyatoslav E. Polichuck (PsViat and PsycoMan). Koobface operated on social media websites and targeted the big three platforms at the time (Mac, Windows, and Linux). Using social media like Facebook, Skype, and advertisement networks, Koobface convinced users to download a malicious program masquerading as a legitimate one. For example, when navigating to a dodgy website to watch a video, the user was told through a popup that they needed to download an XYZ plugin to continue.
Once installed, it gave malicious actors a backdoor into the computer, allowing them to steal usernames, passwords, and financial information. The Koobface virus is still a threat today and has had numerous “outbreaks” since its creation in 2005.
Figure E: Example of malicious Koobface links.
2008 — Conficker Worm
At this period in malware history, the Conficker Worm was one of the most complex, fastest propagating, and scariest worms in existence. It was developed by Ukrainians who were afraid to use it for any damaging effect, so it mainly spread, updated itself, and spread to more and more networks. There was a wide variety of Conficker variants, detailed on sites that tracked the different types. All (except for Conficker D) use NetBIOS as an infection vector and begin upgrading themselves until they reach Conficker E, which then executes the malware. E will eventually remove itself, but D will remain on the machine. Below is a chart written by editors on Wikipedia that illustrates the steps of the Conficker Worm:
Figure F: Retrieved from Wikimedia Foundation. (2022, June 10). Conficker. Wikipedia. Retrieved July 21, 2022, from https://en.wikipedia.org/wiki/Conficker
2010–2017: Cyber Terrorism, Nation state hackers, Advanced persistent threats, and Ransomware
This period covers a selection of malware, as a comprehensive list is outside the scope of this essay. During these years, more nation states were involved in creating malware. The Stuxnet Worm marked the “beginning” of an attitude change in cyber warfare: instead of just attempting to make money, certain criminal groups attempted to shut down the infrastructure of countries and cause legitimate harm to individuals.
2010 — Stuxnet Worm
Allegedly created as a joint effort between Israel and the United States, Stuxnet was the first Worm to target industrial control systems. Specifically, it was developed to hinder Iran’s nuclear enrichment program. This malware ignored certain targets in favor of other targets and was varied in how it could infect a machine. Due to the sensitive nature of the worm, it is rather hard to find legitimate information on it, since both Israel and the United States deny they created it.
2013 — Cryptolocker
Cryptolocker is an example of early ransomware malware. A user would be infected by downloading a file and running it. Upon running, it would encrypt the hard drive and display a ransom message with a dollar amount attached to getting the data back. Cryptolocker was dangerous for its time, but not the most dangerous in existence. It generated enough fear to reach mainstream audiences.
Figure G: Cryptolocker Ransomware Note
2014 — Backoff
Backoff was malware that specifically targeted Point of Sale (POS) systems to steal credit card and debit card information. This malware still exists and occasionally infects chain POS systems.
2016 — Cerber
Cerber is one of the earliest “Ransomware as a Service” malware families. It was a standard cryptocurrency ransomware: the malware was sold to other criminals, who spread it around, and the “hacking group” behind it would then take a cut. It acted like any other ransomware, giving users time to pay a ransom to retrieve their files.
2017 — WannaCry Ransomware
Created by the so-called “Lazarus Group,” a group of North Korean hackers, this ransomware was self-propagating and was developed using exploits that the National Security Agency (NSA) had previously used. The initial attack was so severe that in approximately 3 hours over 150,000 computers were infected. The attack was only stopped thanks to a security researcher named Marcus Hutchins (who has been falsely accused of having created the malware). Hutchins found a “kill switch” in the code of the virus and managed to shut it off. As per various economic sources, countries reported billions worth of damages to cyber infrastructure.
Works Cited
Infosec Resources. (2020, October 16). Malware spotlight: Wabbit. Infosec Resources. Retrieved July 20, 2022, from https://resources.infosecinstitute.com/topic/malware-spotlight-wabbit/
Alert (TA14–212A). CISA. (n.d.). Retrieved July 21, 2022, from https://www.cisa.gov/uscert/ncas/alerts/TA14-212A
Awati, R. (2021, December 8). What is Elk Cloner and how did it work? SearchSecurity. Retrieved July 20, 2022, from https://www.techtarget.com/searchsecurity/definition/Elk-Cloner
History of Information. (n.d.). The Creeper Worm, the first computer virus. Retrieved July 20, 2022, from https://www.historyofinformation.com/detail.php?entryid=2860
FBI. (2019, March 25). The Melissa Virus. FBI. Retrieved July 20, 2022, from https://www.fbi.gov/news/stories/melissa-virus-20th-anniversary-032519
FBI. (2018, November 2). The Morris Worm. FBI. Retrieved July 20, 2022, from https://www.fbi.gov/news/stories/morris-worm-30-years-since-first-major-attack-on-internet-110218
Gibian, R. (2019, April 9). How the Melissa virus changed the internet. InsideHook. Retrieved July 20, 2022, from https://www.insidehook.com/article/history/melissa-virus-changed-internet
Petters, J. (n.d.). Cerber ransomware: What you need to know. Varonis. Retrieved July 21, 2022, from https://www.varonis.com/blog/cerber-ransomware
Kaspersky. (2021, January 13). What is the Koobface virus? www.kaspersky.com. Retrieved July 20, 2022, from https://www.kaspersky.com/resource-center/definitions/what-is-the-koobface-virus
Kaspersky. (2022, March 9). Cryptolocker virus definition. usa.kaspersky.com. Retrieved July 21, 2022, from https://usa.kaspersky.com/resource-center/definitions/cryptolocker
Morrissey, J. (2012, November 14). Murder in Belize: A guide to the long, strange tale of John McAfee. CNNMoney. Retrieved July 21, 2022, from https://web.archive.org/web/20121218022932/http://tech.fortune.cnn.com/2012/11/14/john-mcafee-murder-belize/
Pinsent Masons. (2019, May 20). Confession by author of Anna Kournikova virus. Pinsent Masons. Retrieved July 20, 2022, from https://www.pinsentmasons.com/out-law/news/confession-by-author-of-anna-kournikova-virus
History-Computer Staff. (2021, October 25). The Complete Guide to Arpanet. History-Computer. Retrieved July 20, 2022, from https://history-computer.com/arpanet-complete-guide/
Seals, T. (2014, August 26). Backoff malware behind thousands of POS hacks. Infosecurity Magazine. Retrieved July 21, 2022, from https://www.infosecurity-magazine.com/news/backoff-malware-behind-thousands/
Wang, K., Chen, X., & Xu, Y. (n.d.). A Brief Study of Trojan. Uppsala University.
What is the Morris Worm? 5 things to know: Security encyclopedia. HYPR. (n.d.). Retrieved July 20, 2022, from https://www.hypr.com/morris-worm/
Wikimedia Foundation. (2021, November 23). Koobface. Wikipedia. Retrieved July 20, 2022, from https://en.wikipedia.org/wiki/Koobface
Wikimedia Foundation. (2022, April 30). Michelangelo (computer virus). Wikipedia. Retrieved July 20, 2022, from https://en.wikipedia.org/wiki/Michelangelo_(computer_virus)
Wikimedia Foundation. (2022, February 23). Cabir (computer worm). Wikipedia. Retrieved July 20, 2022, from https://en.wikipedia.org/wiki/Cabir_(computer_worm)
Wikimedia Foundation. (2022, July 19). WannaCry ransomware attack. Wikipedia. Retrieved July 21, 2022, from https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Wikimedia Foundation. (2022, July 8). Stuxnet. Wikipedia. Retrieved July 21, 2022, from https://en.wikipedia.org/wiki/Stuxnet
Wikimedia Foundation. (2022, June 10). Conficker. Wikipedia. Retrieved July 21, 2022, from https://en.wikipedia.org/wiki/Conficker
Wikimedia Foundation. (2022, March 17). SQL slammer. Wikipedia. Retrieved July 20, 2022, from https://en.wikipedia.org/wiki/SQL_Slammer
Winder, D. (2021, June 30). This 20-year-old virus infected 50 million Windows computers in 10 days: Why the iloveyou pandemic matters in 2020. Forbes. Retrieved July 20, 2022, from https://www.forbes.com/sites/daveywinder/2020/05/04/this-20-year-old-virus-infected-50-million-windows-computers-in-10-days-why-the-iloveyou-pandemic-matters-in-2020/?sh=756011e13c7c
F-Secure. (n.d.). Worm:W32/Slammer. Retrieved July 20, 2022, from https://www.f-secure.com/v-descs/mssqlm.shtml