Checklist 46: A Brief History of Malware
On today’s Checklist, we’re cracking open the history books! We’ll be looking at the evolution of malware: from the early days of “joke” viruses to the serious threat it poses today.
Every month brings us more headlines about malware attacks, hacks, and intrusions into businesses — but have you ever wondered how we got to this point? It’s easy to forget we didn’t even talk about it in these terms until the early 90s. Even then, it was about viruses and worms moreso than the term “malware” we use today. The evolution is necessary, though: over the past three decades, malware has gone from being a mild nuisance to a major threat.
Let’s consider how these threats have evolved over time; it can help us gain an appreciation for how far we’ve come and how much work is still left in the fight.
- A look at the earliest computer viruses.
- The 90s: New times, new troubles.
- The emergence of Mac malware.
- Adware, spyware, and more for the new millennium.
- Where do we go from here?
A look at the earliest computer viruses.
We didn’t always have ransomware encrypting our files or Trojan horses tricking us into letting hackers onto our machines. In fact, the average computer user had much less to worry about twenty years ago than they do today. If we go a little further back, that’s even more true for old-time Mac users. We’ll cover the ways malware has touched the Apple platform over the years, but it is true that we see far more Mac-oriented malware today than ever before. So, who started us on this road? It depends on your perspective; the first viruses were written well before we even had Mac or Windows software!
As far back as the end of the 1940s, people were questioning whether it was possible to write a program that could replicate itself without human intervention. A key player in the theory behind viruses was John von Neumann, a pioneer in the age of early computing. Though some researchers experimented with the theories von Neumann wrote about, it wouldn’t be for a couple more decades before the real advances would begin. These early experiments involved programs that competed with one another for system resources, and were the forerunners for what we call viruses today.
When we say “virus,” we mean a program that can copy itself and spread automatically through an infected file — this is the most basic type of malware. In 1971, a program called “Creeper,” written for fun, spread to machines connected to the ARPANET, a precursor to today’s Internet. Its purpose was mundane, and its function was simple: once on a machine, it would use a connected teletype machine to print the words: “I’m the Creeper. Catch me if you can!”
It would then move on to another machine. A later version left behind copies of itself. Interestingly, a program was also written to spread to machines and delete the Creeper program if found. Called Reaper, you might think of it as a proto-antivirus system. Almost ten years later, another program written as a joke, called the Elk Cloner, would wreak havoc on early Apple IIe users.
Boot sector viruses, similar in theory to the Creeper program, popped up through the 80s, often spreading extensively by infecting floppy disks. Viruses first hit the famous IBM PCs in 1986 with software developed in Pakistan called “Brain”. Initially designed as a sort of copy protection method to track pirates, it spread to many other machines. Finding out who made it was easy enough — the brothers responsible included their names and even their telephone numbers right in the code. If only it were so easy to track down malware authors today!
The Jerusalem virus, which appeared in 1987, was not the first destructive virus, but it spawned a huge number of variants that persisted well into the 90s. It copied itself into almost every portion of an MS-DOS operating system, and on Friday the 13th would delete any previously executed program file. Talk about both annoying and destructive. Only a year later, the world would see the birth of the first worm — a program that could independently spread, without the need to infect a file, and then create new copies of itself.
Today, worms can carry with them all kinds of harmful malware payloads to deploy onto infected systems. In 1988, the so-called Morris worm was meant to be an experiment. Instead, a bug in the code caused it to re-infect machines and over and over — grinding them to a complete standstill. Enough computers were infected by the worm to draw substantial media attention. The author was tried and convicted for his role in the attack, ultimately serving three years under probation and paying a fine. It was the first time someone in the US was prosecuted for a malware attack.
These first forays into self-replicating programs that spread and changed other users’ systems were almost universally harmless or benign in intent. Soon, though, that would change — and computers would never be the same. 1989 saw the emergence of the first form of ransomware delivered by a Trojan — but as we know, it would be more than two decades before ransomware would come into its own.
The 90s: New times, new troubles.
Well into the 80s, the number of computer viruses affecting all systems totaled less than 100. Yet by 1992, there would be over a thousand, and more would start to appear every day. By the year 1990, the first “anti-virus” products were coming out, and the idea of viruses was becoming more and more mainstream. What spurred this sudden proliferation and kicked off a virtual arms race between hackers? Well, the booming home computer industry certainly had something to do with it; the IBM PC, the Commodore, Apple’s machines… these all opened the doors for a new generation of coders.
The growth of the Internet, especially in the 90s, contributed as well. Now we had email, and with emails come attachments — and for many users, the idea of computer threats seemed foreign even then. It wouldn’t be long before that changed, and malware was making headlines. One of the first innovations we saw, between about 1989 and 1991, was the development of the “polymorphic” virus. That’s just a fancy way of saying it had the ability to modify itself to avoid detection. Now a whole new world of malicious software could begin to unfold.
With the emergence of Windows 95 and a whole new class of operating system, new problems appeared. Macros — pre-recorded keystroke or action combinations meant to speed up workflow — proved a vulnerability. Macro viruses infected many machines; all one had to do was share an infected file. Throughout the 90s, viruses and worms of various natures caused users no shortage of headaches, deleting personal files or corrupting operating systems by wiping crucial resources.
The story of that decade’s malware is one of disruption, but overall, minimal impact. It wasn’t until the end of the 90s, with the Internet departing its infancy and entering a period of rapid growth, that we saw a new class of destructive malware. One of the most prolific viruses that many may remember was the Melissa virus, which appeared in 1999 and spread by hijacking email contact lists. Mass-mailing viruses were common for several more years, and this was when the public began to learn about rules of thumb such as “Don’t open unknown attachments.”
One notable worm similar to Melissa in its mass-mailing capabilities appeared a year later and earned far more infamy. How many of our listeners remember hearing about the “I LOVE YOU” worm? This worm was perhaps the first destructive malware event on a major scale, and it affected tens of millions of users worldwide. The worm deployed a payload that randomly erased files on the infected machines and sent copies of itself to every entry of a user’s contacts list. Within hours of its release into the wild, ILOVEYOU had spread around the globe, wreaking untold havoc and costing millions of dollars in terms of the damage done.
The emergence of Mac malware.
Where was Apple and its loyal following of Macintosh users during all these developments? It isn’t as though the Apple ecosystem was untouched by the revolution in computer viruses and malware. It has taken a slightly different track through its evolution, though, so it is worth discussing on its own for a few minutes. We can start by looping back around to some software we mentioned earlier: the so-called Elk Cloner. Though it didn’t have real malicious intent behind it, Elk Cloner caused some serious problems for users. We might think of it as some of the first malware for Macs.
Written by a 15-year-old, Elk Cloner spread using infected floppy disks. Whenever a user inserted a floppy with Elk Cloner on it and booted their Apple II, the virus would migrate to the system memory. Every 50 boots after that it would show a short and humorous poem to the user. It would also deposit copies of itself onto any other disks inserted into the machine. By and large, it did no harm — but it was among the first of what we now call a “boot sector” virus, one that saved itself into the computer’s boot-up routine, making sure it was always present when the computer was powered up.
Harmless as it may have been, it was the first in a long line of programs that sought to assault Mac systems. Throughout the 90s, Apple users were a distinct minority regarding market share. That’s often associated with the idea of “security through obscurity.” However, a glance at any timeline of Mac malware will show us that we have had a need to defend against outside threats for some time.
After Elk Cloner in 1982, there were few viruses written for the Macintosh platform for several years. The late 80’s and early 90’s saw a couple of floppy and removable media-based viruses, but nothing very damaging or dangerous in the sense that we would think. It wasn’t until 1995 that Apple computers started suffering from problems caused by Microsoft’s Office for Mac. Macro viruses were widespread and common on both Macs and PCs during this time, though you needed to receive an infected file for it to gain a way inside the machine.
Really, though, the 90s were fairly quiet for Mac malware, especially relative to PC’s. It was this period that instilled in many long-time users a sense of invulnerability; PCs got viruses, but Macs didn’t, or that was the common perception. But looking back, the first antivirus product for Mac (Symantec Anti-Virus) was launched in 1989. Surprisingly, we sometimes find this attitude even persists today — it’s why we spend so much time talking about what a mistaken assumption it is! Everything changed at the turn of the millennium when Apple released a major overhaul with OS X. Now, we would start to see the emergence of the first true “malware” for Macs.
In 2004, we saw a worm-style script called Renepo that would try to throw the door wide open on your Mac for hackers to enter. It did this by doing things like disabling the firewall and remotely downloading tools for attempting to steal user passwords. Its impact, though, was limited. It wasn’t for another two years, in 2006, that the first true threat appeared.
It was called Leap or sometimes referred to as Oompa-Loompa. Whatever the name, it spread on local networks by hijacking iChat and spreading to other machines by offering a Trojan-like file. Though it did little damage, it served as a proof of concept that such attacks could occur. They only grew more sophisticated in the aftermath.
From that point on, we began to see many more attacks on Macs from year to year. By and large, these threats consisted of Trojans that sought to snoop through user files or deposit keyloggers to capture personal data. With more attacks came another threat seeking to capitalize on the new appearance of Mac malware: fake security software. Probably the most infamous of these fake AV programs is MacDefender. What’s an easier way to make money than to tell someone their computer is infected and only you have the solution? These threats, like a precursor to today’s ransomware, always demanded payment in exchange for a “fix” that didn’t exist.
Many Apple users encountered these fake programs over the years. From 2010 onward, we’ve seen a steady onslaught of new threats too; it would take us far too long to cover all of them today, but we’ve discussed many of them in the past. There are always malicious authors out there with the time and desire to try breaking into Apple systems. It’s important to remember that these threats even extend to mobile devices now — a lot has changed since the days of the lighthearted and mischievous Elk Cloner. The stakes are much higher now.
Adware, spyware, and more for the new millennium.
Despite the problems created by the malware we saw in the 90s, both on Mac and PC platforms, the 2000s saw an absolute explosion of problems. Not only did spam emails rise to dominate the Internet for years, but they also served as a potent vehicle for new and changing types of malware. It was also during this time we saw a shift in the methods of malware authors. While some threats had previously used financial motivations as the impetus for their creation, the rapid growth of Internet commerce and advertising made money an even more attractive target.
Suddenly the easiest way to reach the largest audience was through the Internet. Browsing habits on the web were no longer something for private consumption only; companies everywhere wanted data to understand how to target this new pool of consumers. As a result, besides the continued existence of threats like the ILOVEYOU virus, we now had to deal with a whole new class of malware: adware and spyware. Those of us who used the Internet heavily in the mid-2000s certainly remember the bane of pop-up ads. When you started randomly getting pop-ups no matter what you were doing — well, you knew you were infected with something.
Spyware might end up on a machine through browser or Flash vulnerabilities with a “drive-by download.” After installing on a user’s machine, it might log Internet browsing history, capture passwords, and more. Today, spyware like this is no longer as common as it once was; phishing attacks and other methods have supplanted them. Adware, though, remains alive and kicking. There is no shortage of cash to be made through advertising, and no shortage of shady programmers ready to turn to a quick buck either. Nothing is more frustrating than incessant pop-ups!
The mid-2000s saw some of the last major mass-mailing worms, too, with the spread of destructive and extraordinarily virulent worms like My Doom, Blaster, and Sasser. Soon, though, worms for the sake of destruction alone began to fall out of favor. Hackers began to shift their focus to building botnets for sending spam or directing DDOS attacks.
The Storm worm of 2007 built a botnet that rivaled supercomputers of the time in terms of raw processing power, and it pumped out spam for several years before breaking apart. Malware underwent a major shift in the late 2000s and into the early 2010s, with a greater focus on remaining undetected in the face of growing antivirus efforts. Emails ceased being the primary method of infection; now, there were tons of attack vectors possible through the Internet. The existence of multiple variants of Windows with their own unique flaws also encouraged the growth of PC malware to epidemic proportions.
Where do we go from here?
So, all of this more or less brings us up to where we are today. Just this year we’ve seen a major ransomware attack, and bad actors have transitioned to using a mixture of malware and social engineering, like phishing. We are a very long way from the days when viruses were written as friendly jokes to prank other unsuspecting computer users. There’s no telling how much data has been destroyed or time lost over the years to the havoc caused by viruses and other malware unleashed on the world. When we look at story after story about hackers breaking into servers and stealing passwords or even disrupting a major metro transit system recently, it’s easy to feel overwhelmed.
That’s why we have anti-malware solutions, though, and it’s why thousands of security researchers around the world work every day to unpack and understand the latest threats. Breaking them down allows us to analyze their innards and develop countermeasures that work. What about the future of malware? Do we have more to worry about in the future?
It is hard to know exactly what else might be around the corner. Perhaps the best way to guess at the threats of tomorrow, besides peering into a crystal ball, is to look more closely at the threats we’re facing today. We can tell a lot about what we might need to anticipate in the next few years by what’s happening now. Perhaps one of the most concerning problems right now are the ones we don’t know exist.
The release of hacking tools and exploits linked to the NSA has already led to the widely disruptive WannaCry ransomware attack. Will we see more leaks of undisclosed vulnerabilities in the future? We don’t know how many governments have these caches of exploits; hopefully, not very many. WannaCry is, so far, merely the most high-profile attack created by the NSA leaks. There have already been many other attacks based on them. Still, that’s just one small set of vulnerabilities. When these tools fall into the wrong hands, it creates threats that are difficult to mitigate.
Speaking of ransomware, it is hard to see it going away anytime soon, though perhaps we will see it undergo another evolution. With cryptocurrencies like Bitcoin flourishing and the easy availability of strong encryption, all attackers need is an attack vector that works. Macs have been lucky overall to have avoided most attempts at ransomware deployment. That doesn’t give us a guarantee of safety for tomorrow, though. Even when only a few individuals pay up, it gives these scammers more incentive to produce ransomware. We can expect financially motivated malware to continue growing for some time yet.
More specific attacks focusing on hardware flaws could be a thing of the future as well. As a case in point, Microsoft’s security team recently uncovered a method for siphoning data off a machine through its processor. The issue only affects Intel CPUs and requires that users activate a very specific and obscure feature. If this feature is active, though, a hacker could use special malware to exploit the CPU directly. No anti-malware software or firewall would be able to stop it; this is also why chip makers are now looking at incorporating countermeasures at a fundamental hardware level.
One final possibility for the malware of tomorrow: so-called “fileless” technology. These would be threats that exist almost entirely in system memory or elsewhere on the machine, but not on the actual hard disk. Thus, these attacks could be much harder to detect and fight against, especially if they leverage novel exploits. Since the “fileless” malware would disappear from memory after it completed its tasks, analyzing these programs would be more difficult. Fileless malware is definitely one of the big challenges to watch in the anti-malware field in the coming years.
Even a look at the history of malware on its surface reveals that we’ve come a long way from those early computer viruses. Now, we not only have many more threats to guard against, but hackers are always looking to innovate, too. The good news is that those of us in the security sector work hard to innovate and fight back, too. As long as there are computers, there will be someone trying to break into them — we just need to understand the best ways to mitigate those threats.
We hope you’ve enjoyed joining us for a look back in the history books at the ways malware threats have evolved over the past decades. We’ll return again next week with another edition of The Checklist and more in-depth info.