This year is the 40th anniversary of the first computer virus: Creeper in 1971. Guillaume Lovet, senior manager of the threat response team at Fortinet, looks back at the most intriguing viruses history has hurled our way.
He does so in a post he wrote in the Fortinet blog. Being a history buff, I can't help but share an excerpt.
First, some statistics to give you a sense of how big this thing has become. He writes that the number of malware instances have grown from:
--1,300 in 1990 to
--50,000 in 2000 to
--More than 200 million in 2010.
Here's what Lovet has to say about the various pieces of malware and how they've evolved:
1971: Creeper: Catch me if you can
While theories on self-replicating automatas were developed by genius mathematician Von Neumann in the early 50s, the first real computer virus was released “in lab” in 1971 by an employee of a company working on building ARPANET, the Internet’s ancestor.
Intriguing feature: Creeper looks for a machine on the network, transfers to it, displays the message “I’m the creeper, catch me if you can!” and starts over, thereby hoping from system to system. It was a pure proof of concept that ties the roots of computer viruses to those of the Internet.
1982: Elk Cloner
Written by a 15-year old as a way to booby trap his friends’ Apple II computer systems without physical access to them, Elk Cloner spread via floppy disks. Infected machines displayed a harmless poem, dedicated to the virus’ glory.
Intriguing feature: Elk Cloner was the first virus ever to spread outside of the lab it was created in. Its global impact was negligible and its intent plainly geeky.
First detected in the Hebrew University of Jerusalem, the aptly-named Jerusalem is somewhat deleterious. Each year on Friday the 13th, this virus deleted every single program that’s run on the infected system.
Intriguing feature: Jerusalem is the first example of a destructive virus to have a global impact. Of course, the sheer number of computers back then was infinitesimal, compared to today.
1992: Michelangelo: The sleeper must awaken
The dormant Michelangelo virus was designed to awaken on March 6th (Michelangelo’s birthday – as in the Renaissance artist, not the Ninja Turtle) and erase critical parts of infected computers’ hard drives.
Intriguing feature: The promises of destruction it carried spawned a media frenzy. In the weeks preceding March 6th, media relayed (and some may say amplified) experts’ predictions forecasting 5 million computers going definitively down. Yet, on March 6th, only a few thousand data losses were reported – and public trust in AV companies’ ethics was tainted for a while.
Melissa propagated via infected Microsoft Word documents and mailed itself to Outlook contacts of the contaminated user. It was virulent enough to paralyze some important mailing systems on the Internet. Its author created the bug to honor Melissa, a stripper he’d met in Florida. Whether he conquered her heart this way is somewhat unlikely, but one thing is sure: the malicious code earned him 20 months in jail and a $5,000 fine.
Intriguing feature: Someone created a variant of Melissa that encrypted the infected files and demanded a ransom of $100 to be wired to an offshore account for decryption. The author was traced to the said account. While it remained an isolated case, it is worth noting that 6 years before the malware scene became fully monetized, someone had already started figuring out how to make bucks out of viruses.
2000: I LOVE YOU
At the dawn of the 2Ist century, I LOVE YOU worm infected tens of millions of computers. As a fairly simple worm, I LOVE YOU presented itself as an incoming email with “I love you” in its subject line and infected the machine of users who opened the attachment. It then mailed itself to all of the contacts found on the infected user’s system.
Intriguing feature: While the author’s motivation clearly wasn’t about money, the damages were: When the dust settled, I LOVE YOU had cost companies around the world between $5 and $10 billion. Much of that cost can be attributed to the time spent “cleaning” infected machines.
2001: Code Red
While I LOVE YOU targeted end users, Code Red infected Web servers, where it automatically spread by exploiting a vulnerability in Microsoft IIS servers. In less than one week, nearly 400,000 servers were infected, and the homepage of their hosted Websites was replaced with “Hacked By Chinese!”
Intriguing feature: Code Red had a distinguishing feature designed to flood the White House Website with traffic (from the infected servers), probably making it the first case of documented ‘hacktivism’ on a large scale.
2004 : Sasser
Like Code Red, Sasser spread without anyone’s help; but this time, the virus exploited a vulnerability in Microsoft Windows to propagate, which made it particularly virulent. What’s more, due to a bug in the worm’s code, infected systems turned off every couple of minutes.
Intriguing feature: For the first time, systems whose function isn’t normally related to the Internet (and that mostly existed before the Internet) were severely impacted. More than one million systems were infected, AFP’s communications satellites were interrupted for hours, Delta Airlines was forced to cancel flights, the British coast guard had to go back to print maps, and a hospital had to redirect its emergency room because its radiology department was completely paralyzed by the virus. The damage amount was estimated to be more than $18 billion.
Microsoft placed a $250,000 bounty on the author’s head, who turned out to be an 18-year old German student. When caught, the student admitted that he created the malicious code as a creative way to help his mother to find a job in the computer security industry.
2005: MyTob, the turning point
MyTob appeared in 2005 and was one of first worms to combine the features of a Bot (the infamous “Zombies,” controlled by a remote Botmaster) and a mass-mailer.
Intriguing feature: MyTob marks the entry in the era of Botnets and of cybercrime. Business models designed to “monetize” the many botnets appeared (some of which will count more than 20 million machines): installation of spyware, diffusion of spam, illegal content hosting, interception of banking credentials, blackmail, etc. The revenue generated from these new botnets quickly reached several billion dollars per year; a figure that is growing today.
2007: Storm botnet
By 2007, cybercriminals already had lucrative business models in place. They’re thinking about protecting their money spinners (infected computers). Before 2007, botnets showed a cruel lack of robustness: in neutralizing its unique Control Center, a botnet could be completely neutralized, because Zombies didn’t have anyone to report to (and take commands from) anymore.
Intriguing feature: By implementing a peer-to-peer architecture, Storm became the first Botnet with decentralized command… It is much more robust. At the peak of the epidemic, Storm had infected between 1 and 50 million systems and accounted for 8% of all malware running in the world.
Koobface (an anagram for Facebook) spreads by pretending to be the infected user on social networks, prompting friends to download an update to their Flash player in order to view a video. The update is a copy of the virus.
Intriguing feature: Koobface is the first botnet to recruit its Zombie computers across multiple social networks (Facebook, MySpace, hi5, Bebo, Friendster, etc). Today, it is estimated that at any time, over 500,000 Koobface zombies are online at the same time.
2009 : Conficker
Conficker is a particularly sophisticated virus, as it’s both a worm, much like Sasser, and an ultra-resilient botnet, which implements bleeding-edge defensive techniques. Curiously, it seems that its propagation algorithm is poorly calibrated, causing it to be discovered more frequently. Some networks were so saturated by Conficker, that it caused planes to be grounded, including a number of French Fighter planes. In addition, hospitals and military bases were impacted. In total approximately 7 million systems were infected worldwide.
Intriguing feature: Conficker did not infect Ukrainian IPs, nor machines configured with a Ukrainian keyboard. This suggests the authors were playing by the cybercriminal gold rule, which implicitly states, “Don’t target anything in your own country, and the arm of justice won’t be long enough to reach you.”
2010: Stuxnet, welcome to the Cyber War
According to most threat researchers today, only governments have the necessary resources to design and implement a virus of such complexity. To spread, Stuxnet exploited several critical vulnerabilities in Windows, which, until then, were unknown, including one guaranteeing its execution when inserting an infected USB key into the target system, even if a systems autorun capabilities were disabled. From the infected system, Stuxnet was then able to spread into an internal network, until it reached its target: a management system of an industrial process edited by Siemens. In this particular instance, Stuxnet knew the weak point with a specific controller – perhaps a cooling system – and most likely intended to destroy or neutralize the industrial system.Intriguing feature: For the first time, the target of a virus is the destruction of an industrial system (very probably a nuclear power plant in Iran).
Excellent analysis, Guillaume. Thanks for sharing.
My introduction to malware was Sasser. My first day as a security writer just happened to be a couple days after the outbreak started.
I remember the first hours of covering MyTob and Storm. Storm in particular was one of those cases where you could feel that something new and dangerous was unfolding.
It's been all downhill from there.