The History of Computer Viruses

Table of Contents

Computer viruses evolve rapidly, changing their strategies and improving in the intense competition with security technologies. Here you will learn the dramatic history of computer viruses, how they expand and how they can affect human life in our time.

The future evolution is not easy to predict, but it is possible to trace the evolutionary history of malware to the present day. But first, let’s understand the terms. Ordinary people call any malicious program a virus. For specialists, viruses are a small and irrelevant part of the vast world of harmful programs. For convenience, we will refer to all malicious software as malware.

1970-1989: The progenitor brain and the beginning of the history of computer viruses

The Internet’s progenitor – the ARPANET network – united four American universities in 1969. And in 1971, the predecessor of future malware, capable of crawling over the Web, was born.

Bob Thomas, an employee of Bolt Beranek and Newman who worked on the operating system responsible for remote execution of programs, created Creeper to find out if a self-replicating program was possible in principle. Creeper spread via modem, saved a copy of itself on the infected computer, and tried to delete itself from the previous one.

The baby virus was harmless, had not yet grown teeth, and he was not going to harm anyone – and there was no one in particular.

First virus. The history of computer viruses begins

But in the early 1980s, the production of personal machines was launched, and potential pests had a “food base”. And in 1986, “Brain” appeared – the first widespread virus, the legendary progenitor of all today’s malware.

Its creators just wanted to punish the thieves. Pakistani programmer brothers Amjat and Basit Farooq Alvi developed software, but the insecure web allowed competitors to steal their work. The brothers didn’t like it and wrote Brain.

The program was distributed via floppy disk. The virus did not interfere with working with the device, but if someone decided to steal information, then Brain infected the attacker’s operating system. By 1987, it had spread beyond Pakistan and infected 18,000 computers in the United States.

First worm

A virus is a piece of program code that lives in a file. It does not exist separately from them. Therefore, it seeks to infect more files and gain control over them.

Shortly after the first computer epidemic, in 1989, the first worm was born. Unlike a virus, a worm is always a separate file. It does not need to infect other files. But to spawn your copies – with pleasure. It is easier to detect a worm: it does not hide in the file structure, but it is much stronger than a virus in terms of spreading speed.

Cornell University student Robert Morris made a $96 million mistake. His brainchild was the first malware that caused real financial damage.

The worm created by Morris was a program that collected information about ARPANET users. An error in the code turned it into malware: the program began sending copies of itself to other computers on the network. Approximately 9,000 machines were infected, including computers at the NASA Research Center. All of them were paralyzed for five days.

First Trojan

Another round in the history of computer viruses happened in december of the same 1989. The first epidemic of the Aids Information Diskette Trojan (a diskette with information about AIDS) occurred. Like the Achaeans in Homer’s Iliad who infiltrated the walls of Troy by hiding in a horse, the Trojan program masquerades as harmless files. In this case, the “Trojan horse” was perfect: no one expected a dirty trick from a floppy disk with information about a terrible disease that recently struck humanity.

The AIDS author used real (offline) mail for distribution. After gaining access to the email addresses of PC Business World magazine subscribers and attendees of the WHO AIDS conference, he sent out 20,000 floppy disks containing the virus.

After launch, the trojan was introduced, creating its hidden files and modifying system ones. Later, all files on the hard drive became inaccessible – except for one in which the infection author, Joseph Popp, offered to send him money.

This is how three main types of malware were born: virus, worm, and trojan.

1990-1999: office and mail pests

Malware has evolved along with peaceful programs. So, in the 90s, using macro languages, macro viruses appeared. They were easily moved from one file to another. Most often, they “lived” in MS Word. Once the infected file was opened, the malware-infected more and more new objects. However, not only Word spread the infection. In 1996, the Laroux macro virus damaged MS Excel files on the computers of oil companies in Alaska and South Africa.

By the end of the decade, the malware had learned to wait. They could remain idle for long, remaining invisible to antivirus programs. And then they woke up from hibernation.

So, written in June 1998, Win95.CIH, better known as “Chernobyl,” was activated only on April 26, 1999 – on the day of the 13th anniversary of the Chornobyl accident. Half a million computers were affected. “Chernobyl” became a real predator: it corrupted data on hard drives and BIOS chips on the motherboard.

The nineties ended with the emergence of a new type of virus – Melissa. The infection has learned to navigate by email in the attached file. The user opened it, and the virus sent itself to the first 50 contacts in the Microsoft Outlook address book.

Melissa did not harm the infected computer. But due to the huge flow of new letters, corporate services went down. Damage amounted to $80 million.

2000-2009: arms race and anti-nuclear attack

New Attacks and Propagation Methods

The third millennium began with a declaration of love. It turned out that at least three million users worldwide lacked it. At least they rushed to look at the LOVE-LETTER-FOR-YOU.txt.VBS file attached to the letter without hesitation.

The ILOVEYOU mail worm became the most destructive malware globally, earning it a place in the Guinness Book of Records. Unlike macro viruses, this program was not distributed as an infected Word document but as a VBS file. It erased files on the hard drive, overwrote its copies, and spread further through Outlook Express. Letters to the next users came from familiar addresses. They opened them and the way for the worm at the same time. The damage caused is 10-15 billion dollars.

Security guys vs hackers. The history of the confrontation of computer viruses

Protection technologies in those years were relatively simple. Hackers wrote a new malicious program – it ended up in an antivirus laboratory, where reverse engineers were engaged in reverse programming and updating antivirus databases.

They had to see a new “virus,” recognize something malicious and find some unique piece that would belong only to this infection or this family – an antivirus signature.

In the next round of the arms race, virus writers decided to bypass signature recognition, for which they borrowed something from biology. They began to create polymorphic viruses that copied their code into a new program and completely changed its text, leaving the purpose unchanged.

But antivirus development has not lagged behind either. Each file has an entry point – the place where the program execution starts. And one of the ways to introduce a virus is just related to change the entry point. However, antiviruses have learned to see suspicious code at the entry point and identify the file as dangerous even without detecting an enemy.

Wormy politics

The history of computer viruses simply could not turn into the realm of big politics. A worm called Stuxnet enters the scene. June 17, 2010, was a dark day for information security: the malware was able to destroy the infrastructure physically.

The Israeli and US intelligence agencies developed Stuxnet to counter the Iranian nuclear program. This worm affected the frequency with which centrifuges for uranium enrichment were spinning when launched. At the same time, falsified data on their rotation – the instruments showed that everything was in order. To get to the enrichment station, hackers used vulnerabilities in USB devices. The worm jumped from the flash drive to the flash drive and waited until, with the help of employees, it got to a workstation where it could begin to act. As a result, about a thousand centrifuges were put out of action, and the deadlines for launching the Bushehr nuclear power plant were disrupted.

2010-2014: malicious networks

It’s time for malware to stop pretending to be. There are no useful features, no disguised as legitimate software – just botnets: networks of bots that parasitize infected computers to send spam or other malicious activities.

They were often introduced into browsers using exploits – programs that use vulnerabilities in software to attack a computer system. The user accidentally clicked on some banner where the malware was hiding. It determined the browser version and, if it was vulnerable, executed malicious code on the user’s system.

The author of the botnet got a lot of opportunities when he penetrated a million computers, where his little program with simple functionality appeared. With one click, he could put any site. Or send out a million spam emails a day. Or collect the data that is stored in these computers.

But over time, this practice has faded away. Botnets have not completely disappeared – like most other malware, they lost popularity, giving way to evolutionarily more advanced descendants.

2015-2020: the most advanced and dangerous

APT attacks

An employee of the personnel department of a large bank turned on the computer. She received a letter in the mail, then opened it: “Hello! My name is John Smith. I am interested in the vacancy of a financial consultant. I am attaching my resume. I will be glad to receive feedback. Thank you!”

The employee of the personnel department is a responsible person. According to the job description, she is obliged to review all incoming applications. She opens a regular Word file, and there … There is indeed a resume of John Smith, who dreams of becoming a financial consultant.

But, unfortunately, the vacancy is no longer relevant. The HR employee closes the file and forgets about it forever. Even when money starts to be withdrawn from the bank account in 4-5 hours, she will not remember this resume.

The code was embedded in the Word file. It downloaded the malware and installed it on the computer without the user noticing it. So hackers were able to move within the bank’s network. This is a digital weapon, and it is called APT (Advanced Persistent Threat). APT is a cyber-attack focused on hacking a specific target and prepared based on a long-term collection of information about it.

In the second half of the 2010s, APT attacks became more frequent. And the world was not ready for it. Hackers easily switch from server to server, launch malware, and withdraw money or collect information.

Self-propagating malware

In 2017, it was already possible to catch a virus called WannaCry. You didn’t even have to open your mail, download suspicious attachments and follow dubious links – the virus still worked. The computers of half a million users were encrypted. However, in the end, the ransomware received only 302 transfers worth $126,742. At the same time, the total damage to the attacked companies exceeded one billion dollars.

The authors of WannaCry exploited a vulnerability that Microsoft closed in the MS17-010 update dated March 14, 2017. If the computer was not updated, it turned out to be malware.

Ransomware and miners

On July 23, 2020, millions of runners did not run anywhere. And the cyclists didn’t go anywhere. The one who nevertheless went to training could not share her results. And US civil aviation pilots failed to update their flight charts. After all, athletes and pilots used gadgets and cloud services from Garmin, which suffered from a cyber attack.

The hackers used ransomware to block Garmin services. And this is the most urgent IT threat. Previously, having hacked into a bank, it was still necessary to get to the place where the money was. Now such efforts are useless.

Fraudsters gain or buy access to an organization’s network from colleagues and then encrypt all corporate computers and servers. Well, they demand a ransom for decryption.

These hacker groups even have appraiser departments. Having taken a specific company into development, they calculate its annual revenue and assign an amount. Garmin was fined $10 million. The company was paralyzed using the WastedLocker malware, specially modified to attack this company.

There are fewer cruel solutions – miners. This program infects computers to force them to mine cryptocurrency for their host on the other side of the Internet. For organizations, all this, as a rule, goes unnoticed. After all, the miner will not consume 90% of the machine’s power – it will take only 30. And a negligent system administrator will not notice anything. Buy more servers, and everything will be fine again.

When the history of computer viruses collides with the history of mankind

In 2020, a person died for the first time due to a cyberattack. This happened due to the fault of hackers who encrypted access to 30 servers, and the largest city hospital in the German city of Wuppertal was paralyzed for two weeks. Operations were postponed, appointments were canceled, and they stopped carrying patients. An elderly patient needed an urgent operation at this time, but the medical equipment was simply disabled.

The criminals mistook the object of the attack and later gave the key for data recovery themselves. But it was too late.

Could the mathematician John von Neumann, who described virus programs in 1949, imagine such a thing? Did the computer scientist Fred Cohen, who was the first to apply the term “virus” to code and in 1983 developed a self-replicating program in eight hours to debug it, admit such a possibility?