The history of malware: A primer on the evolution of cyber threats

Malware, a portmanteau of “malicious software,” refers to any software, code, or computer program intentionally designed to cause harm to a computer system or its users. Virtually every modern cyberattack involves some type of malware. These harmful programs can range in severity from highly destructive and costly (ransomware) to merely annoying, but otherwise innocuous (adware).

Every year, there are billions of malware attacks on businesses and individuals. Malware can infect any type of device or operating system including Windows, Mac, iPhone, and Android.

Cybercriminals develop and use malware to:

• Hold devices, data, or enterprise networks hostage for large sums of money
• Gain unauthorized access to sensitive data or digital assets
• Steal login credentials, credit card numbers, intellectual property, personally identifiable information (PII) or other valuable information
• Disrupt critical systems that businesses and government agencies rely on

While the words are often used interchangeably not all types of malware are necessarily viruses. Malware is the umbrella term describing numerous types of threats such as:

Viruses: A computer virus is defined as a malicious program that cannot replicate without human interaction, either through clicking a link, downloading an attachment, launching a specific application, or various other actions.

Worms: Essentially a self-replicating virus, worms don’t require human interaction to spread, tunneling deep into different computer systems and moving between devices.

Botnets: A network of infected computers under control of a single attacker known as the “bot-herder” working together in unison.

Ransomware: One of the most dangerous types of malware, ransomware attacks take control of critical computer systems or sensitive data, locking users out and requiring exorbitant ransoms in cryptocurrency like Bitcoin in exchange for regained access. Ransomware remains one of the most dangerous types of cyber threats today. 

Multi-extortion ransomware: As if ransomware attacks aren’t threatening enough, multi-extortion ransomware adds additional layers to either cause further damage or add extra pressure for victims to capitulate. In the case of double-extortion ransomware attacks, malware is used to not only encrypt the victim’s data but also exfiltrate sensitive files, such as customer information, which attackers then threaten to release publicly. Triple-extortion attacks go even further, with threats to disrupt critical systems or extend the destructive attack to a victim’s customers or contacts. 

Macro viruses: Macros are command series typically built into larger applications to quickly automate simple tasks. Macro viruses take advantage of programmatic macros by embedding malicious software into application files that will execute when the corresponding program is opened by the user.

Trojans: Named for the famous Trojan Horse, trojans disguise themselves as useful programs or hide within legitimate software to trick users into installing them.

Spyware: Common in digital espionage, spyware hides within an infected system to secretly gather sensitive information and transmit it back to an attacker.

Adware: Considered to be mostly harmless, adware is typically found bundled with free software and spams users with unwanted pop-ups or other ads. However, some adware might harvest personal data or redirect web browsers to malicious websites.

Rootkit: A type of malware package that allows hackers to gain privileged, administrator-level access to a computer’s operating system or other assets. 

Due to the sheer volume and variety, a complete history of malware would be quite lengthy. Instead, here’s a look at a few infamous moments in the evolution of malware.

As the very first modern computers were being built, pioneering mathematician and Manhattan Project contributor John von Neumann was developing the concept of a program that could reproduce and spread itself throughout a system. Published posthumously in 1966, his work, Theory of Self-Reproducing Automata, serves as the theoretical foundation for computer viruses.

Just five years after John von Neumann’s theoretical work was published, a programmer by the name of Bob Thomas created an experimental program called Creeper, designed to move between different computers on the ARPANET, a precursor to the modern Internet. His colleague Ray Tomlinson, considered to be the inventor of email, modified the Creeper program to not only move between computers, but to also copy itself from one to another. Thus the first computer worm was born.

Although Creeper is the first known example of a worm, it is not actually malware. As a proof of concept, Creeper wasn’t made with malicious intent and didn’t damage or disrupt the systems it infected, instead only displaying the whimsical message: “I’M THE CREEPER : CATCH ME IF YOU CAN.” Taking up his own challenge, in the following year Tomlinson also created Reaper, the first antivirus software designed to delete Creeper by similarly moving across the ARPANET.

Developed by Rich Skrenta when he was just 15 years old, the Elk Cloner program was intended as a practical joke. As a member of his high school’s computer club, Skranta was known among his friends to alter the games and other software shared among club members—to the point that many members would refuse to accept a disk from the known prankster.

In an effort to alter the software of disks he couldn’t access directly, Skranta invented the first known virus for Apple computers. What we’d now call a boot sector virus, Elk Cloner spread by infecting the Apple DOS 3.3 operating system and once transferred from an infected floppy disk, would copy itself to the computer’s memory. When an uninfected disk was later inserted into the computer, Elk Cloner would copy itself to that disk, and quickly spread among most of Skranta’s friends. While deliberately malicious, Elk Cloner could inadvertently write over and erase some floppy disks. It also contained a poetic message that read:

ELK CLONER:

THE PROGRAM WITH A PERSONALITY

IT WILL GET ON ALL YOUR DISKS

IT WILL INFILTRATE YOUR CHIPS

YES IT’S CLONER!

IT WILL STICK TO YOU LIKE GLUE

IT WILL MODIFY RAM TOO

SEND IN THE CLONER!

While the Creeper worm was able to move across computers on the ARPANET, prior to the widespread adoption of the Internet most malware was passed along over floppy disks like Elk Cloner. However, while the effects of Elk Cloner were contained to one small computer club, the Brain virus spread worldwide.

Created by Pakistani medical software distributors, and brothers, Amjad and Basit Farooq Alvi, Brain is considered to be the first virus for the IBM Personal Computer and was initially developed to prevent copyright infringement. The virus was intended to prevent users from using copied versions of their software. When installed, Brain would display a message prompting pirates to call the brothers to receive the vaccination. Underestimating just how widespread their piracy problem was, the Alvis received their first call from the United States, followed by many, many more from around the globe.

The Morris worm is another malware precursor that was created not for malicious intent, but as a proof-of-concept. Unfortunately for the creator, MIT student Robert Morris, the worm proved to be much more effective than he had anticipated. At the time, only about 60,000 computers had access to the internet, mostly at universities and within the military. Designed to exploit a backdoor on Unix systems, and to stay hidden, the worm quickly spread, copying itself over and over again and infecting a full 10% of all networked computers.

Because the worm not only copied itself to other computers but also copied itself repeatedly on infected computers, it unintentionally ate up memory and brought multiple PCs to a grinding halt. As the world’s first widespread internet cyberattack, the incident caused damages that some estimates placed in the millions. For his part in it, Robert Morris was the first cybercriminal ever convicted of cyber fraud in the United States.

While not as damaging as the Morris worm, about a decade later Melissa showed how fast malware can spread by email, infesting an estimated one million email accounts and at least 100,000 workplace computers. The fastest spreading worm for its time, it caused major overloads on Microsoft Outlook and Microsoft Exchange email servers resulting in slowdowns at more than 300 corporations and government agencies, including Microsoft, the Pentagon’s Computer Emergency Response Team, and roughly 250 additional organizations.

Necessity being the mother of invention, when 24-year-old Philippines resident Onel de Guzman found himself unable to afford dialup internet service he built a macro virus worm that would steal other people’s passwords, making ILOVEYOU the first significant piece of outright malware. The attack is an early example of social engineering and phishing. De Guzman used psychology to prey on people’s curiosity and manipulate them into downloading malicious email attachments disguised as love letters. “I figured out that many people want a boyfriend, they want each other, they want love,” said de Guzman. 

Once infected, the worm did more than steal passwords, it also deleted files and caused millions in damages, even shutting down the United Kingdom’s Parliament’s computer system for a brief period. Although de Guzman was caught and arrested, all charges were dropped as he hadn’t actually broken any local laws.

Similar to ILOVEYOU, the Mydoom worm also used email to self-replicate and infect systems around the world. Once taking root, Mydoom would hijack a victim’s computer to email out more copies of itself. Astonishingly effective, Mydoom spam once accounted for a full 25% of all emails sent worldwide, a record that’s never been broken, and ended up causing USD 35 billion in damages. Adjusted for inflation, it is still the most monetarily destructive piece of malware ever created.

Besides hijacking email programs to infect as many systems as possible, Mydoom also used infected computers to create a botnet and launch distributed denial-of-service (DDoS) attacks. Despite its impact, the cybercriminals behind Mydoom have never been caught or even identified.

First identified in 2007, Zeus infected personal computers via phishing and drive-by-downloads and demonstrated the dangerous potential of a trojan-style virus that can deliver many different types of malicious software. In 2011, its source code and instruction manual leaked, providing valuable data for both cybersecurity professionals, as well as other hackers.

One of the first instances of ransomware, CryptoLocker is known for its rapid spread and powerful (for its time) asymmetric encryption capabilities. Distributed through rogue botnets captured by the Zeus virus, CryptoLocker systematically encrypts data on infected PCs. If the infected PC is a client in a local network, such as a library or office, any shared resources are targeted first.

In order to regain access to these encrypted resources, the makers of CryptoLocker requested a ransom of two bitcoins, which at the time were valued at roughly 715 USD. Luckily, in 2014 the Department of Justice, working with international agencies, managed to seize control of the malicious botnet and decrypt the hostage data free of charge. Unluckily, the CyrptoLocker program is also spread through basic phishing attacks as well and remains a persistent threat.

Once called the “king of malware” by Arne Schoenbohm, head of the German Office for Information Security, the Emotet trojan is a prime example of what’s known as polymorphic malware making it difficult for information security specialists to ever fully eradicate. Polymorphic malware works by slightly altering its own code every time it reproduces, creating not an exact copy, but a variant that’s just as dangerous. In fact, it’s more dangerous because polymorphic trojans are harder for anti-malware programs to identify and block.

Like the Zeus trojan, Emotet persists as a modular program used to deliver other forms of malware and is often shared through traditional phishing attacks.

As computers continue to evolve, branching out from desktop, to laptops, to mobile devices, and a myriad of networked devices, so does malware. With the rise of the internet of things, smart IoT devices present a vast new wave of vulnerabilities. Created by college student Paras Jha, the Mirai botnet found and took over a massive number of mostly IoT-enabled CCTV cameras with weak security.

Initially designed to target gaming servers for DoS attacks, the Mirai botnet was even more powerful than Jha had anticipated. Setting its sights on a major DNS provider, it effectively cut off huge swathes of the United States’ eastern seaboard from the internet for nearly an entire day.

Although malware had already played a part in cyber warfare for many years, 2017 was a banner year for state-sponsored cyberattacks and virtual espionage, beginning with a relatively unremarkable ransomware called Petya. Although dangerous, the Petya ransomware spread through phishing and was not particularly infectious until it was modified into the NotPetya wiper worm, a program that looked like ransomware, but destroyed user data even if ransom payments were sent. That same year saw the WannaCry ransomware worm strike a number of high-profile targets in Europe, particularly in Britain’s National Health Service.

NotPetya is believed to be tied to Russian intelligence, who may have modified the Petya virus to attack Ukraine, and WannaCry may be connected to similar adversarial sectors of the North Korean government. What do these two malware attacks have in common? Both were enabled by a Microsoft Windows exploit dubbed Eternalblue, which was first discovered by the National Security Agency. Although Microsoft eventually discovered and patched the exploit themselves, they criticized the NSA for not reporting it before hackers were able to capitalize on the vulnerability.

In recent years, ransomware malware has both taken off and tapered off. Yet while the instances of successful ransomware attacks may be decreasing, hackers are targeting more high-profile targets and causing greater damages. Now, ransomware as a service (RaaS) is a troubling trend that’s gained momentum in recent years. Offered on dark web marketplaces, RaaS provides a plug-and-play protocol in which professional hackers conduct ransomware attacks in exchange for a fee. While previous malware attacks required some degree of advanced technical skill, mercenary groups offering RaaS empower anyone with ill intent and money to spend.

The first high-profile double-extortion ransomware attack took place in 2019, when hackers infiltrated security staffing agency Allied Universal, simultaneously encrypting their data while threatening to release the stolen data online. This extra layer meant that even if Allied Universal had been able to decrypt their files, they’d still suffer a damaging data breach. While this attack was noteworthy, the 2021 Colonial Pipeline attack is more notorious for the severity of the implied threat. At the time the Colonial Pipeline was responsible for 45% of the eastern United States’ gasoline and jet fuel. The attack, which lasted for several days, impacted both the public and private sectors along the east coast, and prompted President Biden to declare a temporary state of emergency.

Although ransomware attacks may appear to be declining, highly targeted and effective attacks continue to present a chilling threat. In 2022, Costa Rica suffered a series of ransomware attacks, first crippling the ministry of finance and impacting even civilian import/export businesses. A following attack then took the nation’s healthcare system offline, directly affecting potentially every citizen in the country. As a result, Costa Rica made history as the first country to declare a national state of emergency in response to a cyberattack.