Since the dawn of modern computing, software has been as capable as the programmers who created it. Their intentions became its capabilities, and that’s brought us a world of wondrous and powerful applications across a wide variety of platforms and mediums. Along the way, it’s also led to the creation of incredibly malicious, and in some cases downright dangerous, software. We are, of course, talking about malware.
We’ve all come across malware at some point. You might’ve been spammed during the heyday of adware and popups, faced off against a nasty trojan that tried to steal your identity, or even dealt with a system-paralyzing piece of blackmailing ransomware. Today, millions upon millions of unique programs are designed to target your system, your files, and your wallet. While they all have different footprints and trajectories, they all have their roots in humble beginnings.
To understand malware, you must return to the digital primordial soup that would one day evolve into the millions of nefarious programs we face off against today. This is the history of malware, and of the techniques used over decades to combat it.
An innocent birth
The modern world faces criminal and nation state hacking that could threaten everyone’s way of life. Yet the early days of malware were free of malice. Back then, the intention was to see what was truly possible with computing, not to harm, steal, or manipulate.
The idea for a virus, or a self-replicating string of code, was first coined by computing visionary John von Neumann. In 1949, he postulated the potential for a “self-reproducing automata” that would be able to pass along its programming to a new version of itself.
While it seems likely the first self-replicating code and its creator are lost, the first recorded instance of such software is the Creeper Worm, developed by Robert H. Thomas in 1971 at BBN Technologies. Creeper ran on the TENEX operating system and was impressively sophisticated for its time. Unlike many of its successors, which would require physical mediums to spread their payloads, Creeper was able to move between DEC’s PDP-10 mainframe computers over the earliest iteration of the ARPANET, a progenitor network of the internet the world would come to adopt in later years. The first iteration of Creeper couldn’t clone itself, but it was able to move from one system to another. It would then display the message, “I’m the Creeper: Catch me if you can.”
A new version of Creeper was later created by Thomas’ colleague at BBN Technologies, Ray Tomlinson – better known as the inventor of email. It did duplicate itself, leading to an early understanding of the problem such viruses, or worms, could cause. How do you control them once you send them off? In the end, Tomlinson created another program called Reaper, which moved around the network and deleted any copies of Creeper it found. Tomlinson didn’t know it, but he had created the very first piece of anti-virus software, starting an arms race between hackers and security professionals that continues to this day.
Creeper, although mocking in its message, was not designed to cause problems for the system. Indeed, as Tomlinson himself explained to computing historian Georgi Dalakov, “The creeper application was not exploiting a deficiency of the operating system. The research effort was intended to develop mechanisms for bringing applications to other machines with intention of moving the application to the most efficient computer for its task.”
Peaks and Troughs
In the years that followed the proliferation and subsequent deletion of the Creeper virus from those ancient mainframe systems, a few other pieces of malware appeared and iterated upon the idea. The self-replicating Rabbit virus was created by an unknown – but supposedly, very much fired – programmer in 1974, and was followed shortly afterwards by the Animal virus, which took the form of a quiz game.
Malware creation then went through one of its periodic developmental droughts. But that all changed in 1982, when Elk Cloner made its appearance, and a new wave of viruses began to rise.
“With the invention of the PC, people started writing boot sector viruses that were spread on floppies,” Zone Labs’ Skyler King told Digital Trends. “People who were pirating games or sharing them on floppies [were being infected].”
Elk Cloner was the first to use that attack vector, though it was completely benign, and not thought to have spread far. Its mantle was picked up four years later by the Brain virus. That piece of software was technically an anti-piracy measure created by two Pakistani brothers, though it had the effect of making some infected disks unusable due to timeout errors.
“Those were kind of the first viruses as we would consider them,” King said. “And they were propagating so that if you put in a floppy, they could copy to it, and spread that way.” The change in attack vector was noteworthy, because targeting a system from a different angle would become the hallmark of new malware in the years that followed.
“Things kind of shifted over to the Unix side with the mainstream use of the internet and universities, like the Morris worm in November 1988,” King continued. “That was interesting, because the Morris worm was [written by] the son of the head of the NSA […] He found a flaw in two protocols that were used in Unix. The flaw in SMTP, the mail protocol that allowed you to send email, [was used to] propagate it, and within a day it took down the internet as it existed in 1988.”
The Morris worm was said to be originally designed to map the internet, but it bombarded computers with traffic, and multiple infections could slow them to a crawl. It is ultimately credited with bringing down around 6,000 systems. Robert Morris, the worm’s creator, became the first person ever tried under the Computer Fraud and Abuse Act of 1986. He was sentenced to three years of probation and fined $10,050. Today, Morris is an active researcher of computer network architectures and tenured professor at MIT.
The Morris Worm became the proof of concept for a variety of other pieces of malware from that same period, all of which targeted boot sectors. It started the next wave in virus development. Many variants of that idea were collected under the “Stoned” label, with notable entries like Whale, Tequila, and the infamous Michelangelo, which annually created panic in organizations with infected systems.
The last days of summer
For the first decades of their existence, even the prolific and damaging viruses were of relatively benign design. “They were just people having fun trying to get street cred in the underground scene to show what they could do,” King told Digital Trends.
Defensive methods were still far behind the virus writers, however. Even simple malware like the ILoveYou Worm — which made its appearance in the year 2000 — could cause unprecedented damage to systems worldwide.
Malwarebytes‘ VP of technology, Pedro Bustamante, remembers it well. “It was a visual basic script that was a mass mailer that would auto-attach a script, and the [anti-virus firms] weren’t ready to do a lot of script based detection back then,” he said.
Filipino programmer Onel de Guzman is most often credited with the worm’s creation, though he has always denied developing its attack vector, and suggests that he may have released the worm by accident. Some rumors suggest the real culprit behind its creation was a friend of his, Michael Buen, who tricked Guzman into releasing it because of a love rivalry. The ILoveYou Worm caused over $15 billion in damage globally.
“We were on lockdown at Panda labs for like three days for that one,” Bustamante continued. “People didn’t sleep. That was the epicenter of that script kiddie movement where anyone could create a script and make a mass mailer and it would have a huge propagation. Massive number of infections. That was typically only possible with an advanced network worm back in the day.”
Zone Labs’ King faced similarly sleepless nights with some other malware spreading across the growing internet during that time, citing the likes of Code Red and SQL Slammer as particularly problematic.
While worms and viruses had security experts pulling their hair out, and company executives scared of the millions or billions of dollars of damage they were doing, nobody knew that the malware wars were only just getting started. They were about to take a dark and dangerous turn.
No longer a game
As internet use grew, advertising networks started to earn money online, and dot-coms raked in investor cash. The internet transformed from a small community known by few into a widespread, mainstream avenue of communication, and a legitimate way to make millions of dollars. The motive for malware followed, shifting from curiosity to greed.
Kaspersky Cyberthreat real-time map shows cyberattacks taking place right now throughout the world.
“When more people started using the internet and people were looking at ads online and companies were out there making money on ad clicks, that’s when you started seeing the rise of adware and spyware,” King continued. “You started to see viruses that ran on individual computers that sent out spam to try and buy into products, or adware that used clickfraud that showed ads for things so that it would simulate you clicking on the link, so they’d make money.”
Organized crime soon realized that clever programmers could make established underground enterprises a lot of money. With that, the malware scene turned several shades darker. Prepackaged malware kits created by criminal organizations began to appear online. Famous ones like MPack were ultimately used to infect everything from individual home systems to banking mainframes. Their level of sophistication, and link to real-world criminals, upped the stakes for security researchers.
“We discovered MPack at Panda Security, and we did an investigation and a big paper that was all over the news,” Malwarebytes’ Bustamante explained. “That’s when we started seeing some of the gangs that were behind some of these more modern attacks and malware. It was scary. Most researchers at Panda said that they didn’t want their name anywhere near the report.”
But the report was released, and it highlighted how deeply intertwined malware and organized criminal gangs had become.
“It was a lot of Russian gangs. We had pictures of their gatherings. It was like a company,” Bustamante said. “They had people doing marketing, executives, company get togethers, competitions for programmers who wrote the best malware, tracking affiliates, they had everything. It was amazing. They were making more money than we were.”
That money was shared with talented programmers, ensuring the organizations attracted the best talent they could. “We started seeing pictures of mafia looking guys from Eastern Europe giving away fancy cars to the programmers, and suitcases full of money,” he said.
The pursuit of profit led to more sophisticated malware and new attack vectors. The Zeus malware, which appeared in 2006, used basic social engineering to trick people into clicking email links, ultimately letting the creator steal victims’ login information, financial details, PIN codes, and more. It even facilitated so-called “man in the browser” attacks, where malware can request security information at the point of login, harvesting even more information from victims.
Those creating malware also learned they didn’t have to use the software themselves, and could simply sell it to others. The MPack kit Bustamante came across at Panda Security in the mid ’00s was a perfect example. It was updated month to month since its early creation, and regularly resold. Even the alleged author of Zeus, Russian-born Evgeniy Mikhailovich Bogachev, began to sell his malware, before handing off control of the Zeus malware platform to another programmer. He’s still at large today. The FBI has a bounty on information leading to Bogachev’s arrest, offering as much as $3 million to anyone who can help catch him.
Selling pre-packaged malware the way that Bogachev did marked another shift in malware creation. Now that malware could be used to make money, and virus writers could make money selling it as a tool, it became more professional. Malware was crafted into a product, commonly termed an exploit kit.
“It was really sold as a business,” Zone Labs’ King told Digital Trends. “They [offered] support, software updates to the latest exploits, it was pretty amazing.”
By 2007, more malware was being created every year than had existed in the entire history of malware, and mass attacks on the ever-growing number of computers drove business. This spurred the rise of large-scale botnets which were offered for rent to those wishing to conduct denial of service attacks. But end-users could only be tricked into clicking links for so long. As they became more educated, the exploit kits and their authors needed to evolve again.
“[Malware writers] had to come up with a way to install the threat automatically,” Malwarebytes CEO Marcin Kleczynski told Digital Trends. “That’s where the exploit techniques, social engineering, and macros in PowerPoint and Excel started getting way more [sophisticated].”
Fortunately for the malware authors, websites and offline software began to adopt Web 2.0 principles. User interaction and complex content creation were becoming far more prevalent. To adapt, malware writers started targeting Internet Explorer, Office applications, and Adobe Reader, among many others.
“The more complex software gets, the more it can do, the more engineers working on it […] the more mistake prone that software is and the more vulnerabilities you’ll find over time,” Kleczynski said. “As software gets more complex and Web 2.0 happened, and Windows kept evolving, it got more complex and more vulnerable to the outside world.”
By 2010, it seemed that not-for-profit malware had all but died out, with for-profit being the near-exclusive motivation for crafting it. That, it turned out, was wrong. The world abruptly learned that organized crime was nothing compared to the most dangerous malware, crafted in secret by nations.
The first example of a nation flexing its military might online was the Aurora attack on Google. The search giant, long standing as one of the world’s most prominent digital entities, found itself under sustained attack at the close of 2009 by hackers with ties to the Chinese Liberation Army. When the rest of the world learned about it in January 2010, it marked a turning point in what experts realized malware, and its authors, were capable of.
The attack targeted dozens of high-level tech firms like Adobe, Rackspace, and Symantec, and was thought to be an attempt to modify the source code of various software suites. Later reports suggested it was a Chinese counterintelligence operation to discover U.S. wiretap targets. As ambitious and impressive as that attack was, however, it was surpassed just months later.
“The cat really came out of the bag with Stuxnet,” Bustamante told Digital Trends. “Before that […] you could see it in certain attacks and in the things like Pakistan, India internet being cut down undersea, [but] Stuxnet is where the shit hit the fan, and everyone started freaking out.”
Stuxnet was built to sabotage Iran’s nuclear program, and it worked. Even now, eight years after its appearance, security professionals speak of Stuxnet with a tone of awe. “Chaining together several zero-day vulnerabilities, really advanced targeting of specific nuclear facilities. It’s amazing,” Bustamante said. “It’s the type of stuff that you would only see in a novel.”
Kleczynski was just as impressed. “[…] if you look at exploits being used for an offensive cyber-security capability, it was a pretty damn good one. The [way it went after the] Siemens programmable logic computers? It was beautifully architected to destroy the centrifuges.”
Although no one claimed responsibility for Stuxnet in the years that followed, most security researchers think it was the work of a combined U.S.-Israeli taskforce. That only seemed more likely when other revelations, like NSA hard drive firmware hacking, showed the true potential of nation state hackers.
The Stuxnet style of attack would soon become commonplace. Exploit kits continued to be a major attack vector in the years that followed, but as Bustamante told us in our interview, zero-day vulnerabilities chained together are now something that Malwarebytes and its contemporaries see every day.
That’s not all they see. There’s a new phenomenon with origins that can be traced almost back to the start of our story. It has caused no end of trouble as of late, and may well do so into the future.
Your money or your files
The very first ransomware attack technically happened as far back as 1989, with the AIDS Trojan. Sent out to AIDS researchers on an infected floppy disk, the malware would wait for the system to be booted 90 times before encrypting files and demanding a payment of $189 in cash, sent to a PO Box address in Panama.
Although that piece of malware was called a trojan at the time, the idea of forcibly obfuscating files, denying a user access to their own system, and demanding some form of payment to return it to normal, became the key components of ransomware. It resurfaced in the mid-00s, but it was the growth of the anonymous cryptocurrency Bitcoin that made ransomware common.
“If you infect someone with ransomware and ask them to deposit into a bank account, that account is going to get closed down pretty quick,” Zone Labs’ King explained. “But if you ask someone to deposit some bitcoin in a wallet, the consumers pay. There’s really no way to stop it.”
Considering how difficult it is to regulate bitcoin even in its everyday, legitimate uses, it makes sense that stopping criminals from leveraging it is harder still. Especially since people pay the ransoms. Just as with the exploit kits and the corporate structure that backs them, ransomware developers make it as easy as possible for victims to purchase cryptocurrency and send it to them.
But in the latter half of the 2010s, we’ve started to see further evolution of these tactics, as once again those writing the malicious software have followed the money.
“What’s surprised me with ransomware is how quickly it went from you and I, to our companies,” Kleczynski said. “A year or two ago it was us who were getting infected, not Malwarebytes, not SAP, Oracle and so on. They’ve clearly seen the money and companies are willing to pay it.”
For most of the experts we spoke to, ransomware continues to be the big threat they’re concerned with. Zone Labs’ King was keen to talk about his company’s new anti-ransomware protections and how businesses needed to be aware of how dangerous the tactic was.
Kleczynski sees it as a hugely profitable model for malware writers, especially when you bring in the rise of infected Internet of Things devices, which have made up some of the largest botnets the world has ever seen.
Timelapse of a DDoS attack that took place in 2015 on Christmas Day.
Using British Airways’ website as an example, he asked the rhetorical question of how much it would be worth to that company to keep its online ticketing system running if threatened. Would such a company be willing to pay an extorter $50,000 if its website were to go down for even a few hours? Would it pay $10,000 at the mere threat of such an action?
With the potential to lose millions in sales, or even billions in market value should stock prices react to such an attack, it’s not hard to imagine a world where that’s a regular occurrence. To Kleczynski, this is just the old world finally catching up with the new. It’s the organized crime tactics of yesteryear being applied to a modern world.
“This used to just be racketeering. ‘Would you like to purchase some fire insurance? It would be a shame if something happened to your building,’” he said. “Today, it’s ‘would you like to purchase some ransomware insurance? It’d be a shame if your website went down for 24 hours.’”
That criminal involvement still scares Malwarebytes’ Bustamante, who tells us that the company regularly sees threats to its developers hidden in malware code.
As concerned as he and the company are about their own personal safety though, he sees the next wave as something more than just ransomware. He sees it as an assault on our ability to perceive the world around us.
“If you ask me what the next wave is, it’s fake news,” he said. “Malvertising has moved on […] it’s now clickbait and fake news. Disseminating this kind of news is the name of the game and it’s going to be the big next wave.” Considering how involved nation states appear to have been in that practice themselves in recent years, it’s hard to imagine he’s wrong.
As threatening as malware attacks from organized crime, government-sponsored vigilantes, and militarized hackers are, the most reassurance you can take in such a time of uncertainty is that the weakest link in the security chain is almost always the end user. That’s you.
It’s scary, but empowering, too. It means that although the people writing the malware, the attack vectors and the very reason for creating viruses and trojans in the first place may have changed, the best ways of staying safe online are the old ways. Keep strong passwords. Patch your software. And be careful what links you click.
As Malwarebytes’ Kleczynski told us after our interview, “If you’re not paranoid, you’re not going to survive.”