Computer viruses have been around just about as long as the personal computer has existed. With the advent of the Internet, the ability of viruses to rapidly spread has increased substantially. Despite this increase in capability to infect large numbers of computers across international borders, the definition of a computer virus has not substantially changed over time. That is, a computer virus continues to be defined as a computer program that when it is run or executed is capable of copying itself into data files, other computer programs, or even the boot sector of a computer’s hard drive. Once the replication process is successful, the targeted computing device is “infected” by the virus. Once delivered, a computer virus may or may not have a payload designed to do any manner of activities to include deleting files, stealing information, or displaying information on the target computer. Although over the history of computer viruses, the definition of the malware has not changed, the techniques and payload delivery has evolved alongside the Internet itself.
Early Beginnings of Computer Viruses
Public computer virus history finds its origins in the early 1980s. The first virus to be publicly discussed was created by Rich Skrenta who was in high school in the United States at the time of creation. The virus was called, “Elk Cloner” and would attach itself to the Apple DOS 3.3 operating system. The virus was designed to be spread via floppy disk and was originally designed as a joke. When a computer became infected by the Elk Cloner, it would copy itself into a video game and would be set off on the 50th play of the game. Once activated, a poem about the virus would be displayed on the computer screen.
The first personal computer (PC) computer virus was created by Basit and Amjad Farooq Alvi and was called “Brain.” The brother’s intentions with the virus were simply to protect their own work from piracy and to target those who infringed on their copyright. In this same timeframe, there was another variant of the source code referred to as the Ashar virus, which may have been authored prior to the Brain malware, but was not publicly documented until later.
How Did Computer Viruses Spread Before the Internet?
Before the Internet was invented and saw widespread use, the majority of computer viruses were spread between computing devices using removable media. In this timeframe, the primary device used to transport information between computers was the floppy disk. The viruses of this timeframe would infect one or more programs stored on the disk or alternatively were inserted into the boot sector of the disk. The boot sector viruses would be activated when the end-user would boot the computer from the disk.
In this timeframe, there was also a significant increase in use of Bulletin Board Systems (BBSs) where computer users would share software. This use allowed computer viruses and Trojan horses to rapidly spread and infect computers of those who were interested in getting hold of the latest software programs. As a result, computer virus authors took significant advantage of the predictable behavior of BBS users and increasingly complex malware was authored and deployed to the “wild.”
By the early-to-mid 1990s, the macro virus was created and deployed. These viruses take advantage of productivity suite documents which allow computer macros to be embedded within the document for advanced calculations or visual effects. Macro virus authors, instead use this capability to infect an end-user’s computer and spread malware to other computers. Early software programs known to be susceptible to getting infected by a Macro virus include Microsoft Word, other Microsoft Office products, and other word processing applications which permit the use of macro programs within documents. When an infected document is opened, the malicious macro is executed without the end-user’s permission, spreads to the target computer, and delivers its payload. Despite the ability of modern antivirus programs to detect macro viruses, they are still commonly encountered today.
How do Macro Viruses Work?
Today, macro viruses are still around. They are able to be spread to new computing devices through infected email attachments, networks, modems, via portable media, and over the Internet. Most of the macro viruses encountered today will automatically start when an infected document is closed or opened. One of the common methods used for infecting the target computer is to replace a normal macro but will execute malicious code when regular commands are run by the macro. This technique helps the macro virus avoid detection since the user is not aware of the virus execution.
When a macro virus is triggered, it will also commonly attempt to embed itself in templates and new documents when they are created. They will also attempt to corrupt additional parts of a computing system depending on what applications can be accessed by the macro. As the end user shares documents with other computing systems or users, the virus will continue to spread to additional computers.
One of the best-known examples of the macro virus was the Melissa Virus that was discovered in 1999. Whenever a document was opened that was infected with Melissa, the local installation of Microsoft Office would then get infected. Melissa would subsequently replicate by sending itself via email to the first 50 email addresses in the Outlook address book. This “feature” of the virus made sure that it spread at a rapid pace. Due to Melissa and other macro viruses targeting an application vice the computer’s operating system, it was able to spread to computers running Microsoft Word on multiple operating systems to include Macintosh computers. The Melissa virus infections of the late 1990s and early 2000s are credited with significantly increasing caution on the part of computer users when opening email attachments and other documents received via email.
Attack of the Worms
The Melissa virus would be the first in a number of viruses in the late 1990s which would create a large amount of damage to computing systems. As a result, industry and home computer users started to significantly increase the rate of antivirus and computer security program installations to help guard against computer virus infection. From 2001 through 2003, there were several computer worms deployed which quickly spread throughout the Internet. The means of distribution of these viruses included being attached to a frequently downloaded image as well as being embedded as an email attachment. Some of the more commonly encountered worms and viruses in this timeframe of computer virus history included the Code Red worm, the Klez worm, and the Nimda computer virus. In 2004, the MyDoom email worm would become the fastest spreading email worm and would infect millions of computers throughout the world by convincing end-users to open the infected email attachment. The first variants of the worm contained the text, “andy; I’m just doing my job, nothing personal, sorry” making some computer security professionals believe that the virus author was paid to create MyDoom. The actual author of the virus has not been named at the time of this writing.
History of Computer Viruses Timeline
The following is a timeline of many of the significant viruses discovered publicly from 1982 to date. Not every virus is listed below, but many of the major outbreaks or changes in virus infection techniques are highlighted.
The first known virus to be released in public was Elk Cloner. The virus author was Rich Skrenta who designed it to spread via floppy disk and targeted Apple DOS 3.3 computers.
The first year that the term computer virus started to be used in public discourse. Fred Cohen from the University of Southern California is credited with coining the term.
The first year that large numbers of computer viruses which targeted personal computers (PCs) started to appear. The Brain virus (authored in Pakistan) was one of the first and most well-known from this timeframe. It is a boot sector virus and would spread to new computers through infected floppy disks.
The virus included the following text in the boot sector of the infected disk:
Welcome to the Dungeon (c) 1986 Basit & Amjads (pvt) Ltd VIRUS_SHOE RECORD V9.0 Dedicated to the dynamic memories of millions of viruses who are no longer with us today – Thanks GOODNESS!! BEWARE OF THE er..VIRUS : this program is catching program follows after these messages….$#@%$@!!
Shortly after the Brain virus had infected a large number of computers around the world, the first file viruses started to appear. Most of these were designed to infect PCs and specifically targeted system files such as command.com. Some of the more well-known file viruses from this timeframe include Jerusalem which infected both .com and .exe files in the DOS operating system (but avoided the command.com file) and the Vienna virus.
Robert Morris authored the ARPANET worm discovered in 1988. This virus was designed to reproduce itself and computer files and then spread to all of the networked computers. The files that were reproduced eventually became large enough to completely fill the computer memories of the networked computers which resulted in approximately 6,000 computers on the network becoming disabled.
The Friday the 13th virus was also first discovered in this year. It was programmed to delete files on infected computers on Friday the 13th and caused a significant amount of damage world-wide.
The first encrypted virus, Cascade, was first discovered.
1989 saw the AIDS Trojan virus first appear which was the first known instance of “ransom ware.” The virus would infect the MS DOS AUTOEXEC.BAT file and would then count the number of times that the computer boots. Once the count reaches 90, the virus proceeds to hide DOS directories and also encrypt all of the file names on the C drive of the computer essentially making the computer unusable. The virus then asked the user to renew their license and to send $189 USD to a P.O . Box in Panama.
In order to address public demand for countermeasures against the growing computer virus threat, the first anti-virus software starts to appear on the market.
Symantec releases Norton Anti-Virus.
The Tequila polymorphic virus is discovered. This was the first known virus with the capability to change the composition of the virus as it spreads to other computers.
By 1992 there are now more than 1,000 known viruses that have been found in public.
One of the first major computer virus hoaxes is released, call the “Good Times” virus. Warnings about the virus quickly spread amongst Internet users in 1994 with the virus supposedly transmitted via an email that used the subject line of “Good Times.” The warning recommended that the computer user should delete any email with the subject line without reading it. Although the virus was never found to exist, the warnings about it become almost virus-like in this timeframe.
Macro viruses started to emerge. The first known “Word” virus discovered in this timeframe was the Concept virus.
The Melissa virus started infected large numbers of computer by sending itself to the first 50 email addresses in the Microsoft Outlook address book. The virus is estimated to have caused more than $80 million in damages and resulted in the virus author being sentenced to jail for 20 months.
The “I Love You” virus was written by a student in the Philippines and would go on to infect several million computers. It worked in a similar fashion to the Melissa virus, but would send passwords over the network and would also overwrite image files on the target computers.
The Code Red worm infected large numbers of Windows NT and Windows 2000 servers starting in July 2001. The worm caused more than $2 billion USD in estimated damages. The worm was able to run entirely in memory and did not leave any files behind.
In January of this year, the Slammer worm spread at the fastest rate seen to date. It would go on to infect large numbers of computers. The worm exploited a buffer overflow bug in the Microsoft SQL Server and Desktop Engine database products and infected more than 75,000 computers in less than 10 minutes.
The Bagle worm was discovered this year. The malware is designed to spread via email attachment and targets all versions of Microsoft Windows. Once installed on a computer, the virus installs a backdoor that allows a remote user to gain control over the infected computer. The virus included its own SMTP engine in order to help mass email the virus as an attachment based on the email address book on the infected computer. Some of the variants of the Bagle virus include the following text:
“Greetz to antivirus companies
In a difficult world,
In a nameless time,
I want to survive,
So, you will be mine!!
— Bagle Author, 29.04.04, Germany.”
The Sasser and MyDoom viruses were also discovered in 2004. MyDoom was responsible for slowing down the global Internet speed by 10 percent and also reduced website access to a number of sites around the world by up to 50 percent.
In March of 2005, the first cell phone virus was discovered and named, Commwarrior-A. The virus is thought to have originated in Russia and spread via text message.
The Conficker worm was discovered this year and the name was based on the words configuration and the German “Ficker” which is a vulgar term in the English language. The worm leverages flaws in Windows software and makes use of a standard dictionary attack to crack administrator passwords to help it spread. Once spread, the worm forms a botnet and has infected millions of computers in more than 200 countries since it was first discovered.
The initial variant of Conficker exploited a vulnerability in network services found in Windows XP, Windows 2000, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. A second variant of the worm was released in December of 2008 that added the capability for the worm to spread over LANs through the ue of network shares and removable media.
The Stuxnet and DuQu viruses were discovered in the 2009/2010 timeframe. They are referred to as the first public cyber super weapons and are alleged to have been created by the Israeli and United States governments. Although designed to attack Iranian nuclear facilities, the virus has since spread beyond the intended targets.
The DuQu computer worm was first discovered in September of 2011 and is believed to be related to the Stuxnet worm. Similar to Stuxnet, DuQu exploits zero-day Windows kernel vulnerabilities and signs its components with stolen digital keys. DuQu is not a destructive virus being focused on gathering information; however, it could be modified to include a special payload in the future. When found on personal computers, DuQu has been known to delete recent information entered onto the computer. The primary point of the DuQu virus appears to be to steal private keys and digital signatures in addition to capturing other critical information on targeted systems.
2012 saw the Flame virus attack computer systems primarily located in the Middle East that run the Windows operating system. Also known as sKyWIper and Flamer, the virus is unique in that it would be loaded into an infected system in parts. The first component of the virus is approximately six megabytes in size and contains approximately six other compressed modules. Once the virus became known publicly, the virus authors sent a module which disabled the virus.