Computer Viruses - Timeline and Evolution
Submitted by TVolpe on Thu, 06/03/2010 - 12:22.
This is a brief compilation of information about the history of viruses over the years, to provide information on an often-confusing subject.
1949
- Theories for self-replicating programs are first developed.
1971
- The Creeper virus, an experimental self-replicating program, is written by Bob Thomas at BBN. Creeper infected DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'm the creeper, catch me if you can!" was displayed. The Reaper program was later created to delete Creeper.
1974
- The Wabbit virus, more a fork bomb than a virus, is written. The Wabbit virus made multiple copies of itself on a single computer (and was named "Wabbit" for the speed at which it did so) until it clogged the system, reducing system performance, before finally reaching a threshold and crashing the computer.
1974/1975
- ANIMAL is written by John Walker for the UNIVAC 1108. Animal asked a number of questions to the user in an attempt to guess the type of animal that the user was thinking of, while the related program PERVADE would create a copy of itself and ANIMAL in every directory to which the current user had access. It spread across the multi-user UNIVACs when users with overlapping permissions discovered the game, and to other computers when tapes were shared. The program was carefully written to avoid damage to existing file or directory structure, and to not copy itself if permissions did not exist or if damage could result. Its spread was therefore halted by an OS upgrade which changed the format of the file status tables that PERVADE used for safe copying. Though non-malicious, "Pervading Animal" represents the first Trojan "in the wild".
1980
- Jürgen Kraus wrote his master's thesis "Selbstreproduktion bei Programmen" (self-reproduction of programs).
1981
- A program called Elk Cloner, written for Apple II systems, is created by Richard Skrenta. Apple II was seen as particularly vulnerable due to the storage of its operating system on floppy disk. Elk Cloner's design, combined with public ignorance about what malware was and how to protect against it, led to Elk Cloner being responsible for the first large-scale computer virus outbreak in history.
- Apple Viruses 1, 2, and 3 are some of the first viruses “in the wild,” or in the public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.
1983
- The term 'virus' is coined by Frederick Cohen in describing self-replicating computer programs. In 1984 Cohen uses the phrase "computer virus" – as suggested by his teacher Leonard Adleman – to describe the operation of such programs in terms of "infection". He defines a 'virus' as "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself."
- November 10, 1983, at Lehigh University, Cohen demonstrates a virus-like program on a VAX11/750 system. The program was able to install itself to, or infect, other system objects.
1984
- Ken Thompson publishes "Reflections on Trusting Trust", a theoretical paper which describes how a virus can be inserted into a program's object code, when the virus itself cannot be found in the source code.
1986
- January: The Brain boot sector virus (aka Pakistani flu) is released. Brain is considered the first IBM PC compatible virus, and the program responsible for the first IBM PC compatible virus epidemic. The virus is also known as Lahore, Pakistani, or Pakistani Brain, as it was created in Lahore, Pakistan by 19-year-old Pakistani programmer Basit Farooq Alvi and his brother, Amjad Farooq Alvi.
- December 1986: Ralf Burger presented the Virdem model of programs at a meeting of the underground Chaos Computer Club in Germany. The Virdem model represented the first programs that could replicate themselves via addition of their code to executable DOS files in COM format.
1987
- Appearance of the Vienna virus, which was subsequently neutralized—the first time this had happened on the IBM platform.
- The Lehigh virus, one of the first file viruses, infects command.com files.
- Appearance of Lehigh virus, boot sector viruses such as Yale from USA, Stoned from New Zealand, Ping Pong from Italy, and appearance of first self-encrypting file virus, Cascade. Lehigh was stopped on campus before it spread to the wild, and has never been found elsewhere as a result. A subsequent infection of Cascade in the offices of IBM Belgium led to IBM responding with its own antivirus product development. Prior to this, antivirus solutions developed at IBM were intended for staff use only.
- October: The Jerusalem virus, part of the (at that time unknown) Suriv family, is detected in the city of Jerusalem. Jerusalem destroys all executable files on infected machines upon every occurrence of Friday the 13th (except Friday 13 November 1987 making its first trigger date May 13, 1988). Jerusalem caused a worldwide epidemic in 1988.
- November: The SCA virus, a boot sector virus for Amigas, appears, immediately creating a pandemic virus-writer storm. A short time later, SCA releases another, considerably more destructive virus, the Byte Bandit.
- December: Christmas Tree EXEC was the first widely disruptive replicating network program, which paralysed several international computer networks in December 1987.
1988
- June: The Festering Hate Apple ProDOS virus spreads from underground pirate BBS systems and starts infecting mainstream networks.
- November 2: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities.
1989
- October 1989: Ghostball, the first multipartite virus, is discovered by Friðrik Skúlason.
1990
- Mark Washburn, working on an analysis of the Vienna and Cascade viruses with Ralf Burger, develops the first family of polymorphic viruses: the Chameleon family. The Chameleon series debuted with the release of 1260.
- Symantec launches Norton AntiVirus, one of the first antivirus programs developed by a large company.
1991
- Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.
1992
- Michelangelo was expected to create a digital apocalypse on March 6, with millions of computers having their information wiped according to mass media hysteria surrounding the virus. Later assessments of the damage showed the aftermath to be minimal.
1993
- "Leandro & Kelly" and "Freddy Krueger" spread quickly due to popularity of BBS and shareware distribution.
- 1300 viruses are in existence, an increase of 420% from December of 1990.
- The Dark Avenger Mutation Engine (DAME) is created. It is a toolkit that turns ordinary viruses into polymorphic viruses. The Virus Creation Laboratory (VCL) is also made available. It is the first actual virus creation kit.
1995
- The first Macro virus, called "Concept," is created. It attacked Microsoft Word documents.
1996
- "Ply", a complicated DOS 16-bit polymorphic virus, appears with a built-in permutation engine.
- Baza, Laroux (a macro virus), and Staog viruses are the first to infect Windows 95 files, Excel, and Linux respectively.
1998
- June 2: The first version of the CIH virus appears.
- Currently harmless and yet to be found in the wild, StrangeBrew is the first virus to infect Java files. The virus modifies CLASS files to contain a copy of itself within the middle of the file's code and to begin execution from the virus section.
- The Chernobyl virus spreads quickly via .exe files. As the notoriety attached to its name would suggest, the virus is quite destructive, attacking not only files but also a certain chip within infected computers.
- Two California teenagers infiltrate and take control of more than 500 military, government, and private sector computer systems.
1999
- Jan 20: The Happy99 worm invisibly attached itself to emails. It displayed fireworks to hide the changes being made and wished the user a happy new year. It modified system files related to Outlook Express and Internet Explorer (IE) on Windows 95 and Windows 98.
- March 26: The Melissa worm is released, targeting Microsoft Word and Outlook-based systems, and creating considerable network traffic. The Melissa virus, W97M/Melissa, executes a macro in a document attached to an email, which forwards the document to 50 people in the user's Outlook address book. The virus also infects other Word documents and subsequently mails them out as attachments. Melissa spread faster than any previous virus, infecting an estimated 1 million PCs.
- June 6: The ExploreZip worm, which destroys Microsoft Office documents, is first detected.
- December 16: Sub7, or SubSeven, is the name of a popular backdoor program. It is mainly used for causing mischief, such as hiding the computer cursor, changing system settings or loading up pornographic websites. However, it can also be used for more serious criminal applications, such as stealing credit card details with a keystroke logger.
- Bubble Boy is the first worm that does not depend on the recipient opening an attachment in order for infection to occur. As soon as the user opens the email, Bubble Boy sets to work.
- Tristate is the first multi-program macro virus; it infects Word, Excel, and PowerPoint files.
2000
- May: The ILOVEYOU worm appears. As of 2004 this was the most costly virus to businesses, causing upwards of 5.5 to 10 billion dollars in damage. The backdoor trojan to the worm, Barok, was created by Filipino programmer Onel de Guzman; it is not known who created the attack vector or who (inadvertently?) unleashed it; de Guzman himself denies being behind the outbreak although he suggests he may have been duped by someone using his own Barok code as a payload.
- W97M.Resume.A, a new variation of the Melissa virus, is determined to be in the wild. The “resume” virus acts much like Melissa, using a Word macro to infect Outlook and spread itself.
- The “Stages” virus, disguised as a joke email about the stages of life, spreads across the Internet. Unlike most previous viruses, Stages is hidden in an attachment with a false “.txt” extension, making it easier to lure recipients into opening it. Until now, it has generally been safe to assume that text files are safe.
- “Distributed denial-of-service” attacks by hackers knock Yahoo, eBay, Amazon, and other high profile web sites offline for several hours.
2001
- February 11: The Anna Kournikova virus hits e-mail servers hard by sending e-mail to contacts in the Microsoft Outlook address book.[13] Its creator, a Dutchman known as OnTheFly, has been sentenced to 150 hours of community service. The “Anna Kournikova” virus, which mails itself to persons listed in the victim's Microsoft Outlook address book, worries analysts who believe the relatively harmless virus was written with a “tool kit” that would allow even the most inexperienced programmers to create viruses.
- May 8: The Sadmind worm spreads by exploiting holes in both Sun Solaris and Microsoft IIS.
- July: The Sircam worm is released, spreading through Microsoft systems via e-mail and unprotected network shares. Sircam spreads personal documents over the Internet through email. CodeRed attacks vulnerable webpages, and was expected to eventually reroute its attack to the White House homepage. It infected approximately 359,000 hosts in the first twelve hours.
- July 13: The Code Red worm attacking the Index Server ISAPI Extension in Microsoft Internet Information Services is released.
- August 4: A complete re-write of the Code Red worm, Code Red II begins aggressively spreading onto Microsoft systems, primarily in China.
- September 18: The Nimda worm is discovered and spreads through a variety of means including vulnerabilities in Microsoft Windows and backdoors left by Code Red II and Sadmind worm.
- October 26: The Klez worm is first identified.
- Shortly after the September 11th attacks, the Nimda virus infects hundreds of thousands of computers in the world. The virus is one of the most sophisticated to date with as many as five different methods of replicating and infecting systems. Worms increase in prevalence with Sircam, CodeRed, and BadTrans creating the most problems. BadTrans is designed to capture passwords and credit card information.
2002
- Beast is a Windows-based backdoor trojan horse, more commonly known in the underground cracker community as a RAT (Remote Administration Tool). It is capable of infecting almost all Windows OS versions, i.e. 95 through XP. Written in Delphi and released first by its author Tataye in 2002, its most current version was released October 3, 2004.
- August 30: Optix Pro is a configurable remote access tool or Trojan, similar to SubSeven or BO2K.
- Author of the Melissa virus, David L. Smith, is sentenced to 20 months in federal prison. The LFM-926 virus appears in early January, displaying the message “Loading.Flash.Movie” as it infects Shockwave Flash (.swf) files.
- Celebrity named viruses continue with the “Shakira,” “Britney Spears,” and “Jennifer Lopez” viruses emerging.
- The Klez worm, an example of the increasing trend of worms that spread through email, overwrites files (its payload fills files with zeroes), creates hidden copies of the originals, and attempts to disable common anti-virus products.
- The Bugbear worm also makes its first appearance in September. It is a complex worm with many methods of infecting systems.
2003
- April 2: Graybird is a Trojan also known as Backdoor.Graybird.
- June 13: ProRat is a Turkish-made Microsoft Windows based backdoor trojan horse, more commonly known as a RAT (Remote Administration Tool).
- August 12: The Blaster worm, aka the Lovesan worm, rapidly spreads by exploiting a vulnerability in system services present on Windows computers.
- August 18: The Welchia (Nachi) worm is discovered. The worm tries to remove the blaster worm and patch Windows.
- August 19: The Sobig worm (technically the Sobig.F worm) spreads rapidly through Microsoft systems via mail and network shares.
- October 24: The Sober worm is first seen on Microsoft systems and maintains its presence until 2005 with many new variants. The simultaneous attacks on network weakpoints by the Blaster and Sobig worms cause massive amounts of damage.
- January 24: The SQL Slammer worm, aka Sapphire worm, Helkern and other names, attacks vulnerabilities in Microsoft SQL Server and MSDE and causes widespread problems on the Internet. The relatively benign “Slammer” (Sapphire) worm becomes the fastest spreading worm to date, infecting 75,000 computers in approximately ten minutes, doubling its numbers every 8.5 seconds in its first minute of infection. The Sobig worm becomes one of the first to join the spam community. Infected computer systems have the potential to become spam relay points and spamming techniques are used to mass-mail copies of the worm to potential victims.
2004
- Late January: MyDoom emerges, and currently holds the record for the fastest-spreading mass mailer worm. MyDoom or Novarg, spreads through emails and file-sharing software faster than any previous virus or worm. MyDoom entices email recipients to open an attachment that allows hackers to access the hard drive of the infected computer. The intended goal is a “denial of service attack” on the SCO Group, a company that is suing various groups for using an open-source version of its Unix programming language. SCO offers a $250,000 reward to anyone giving information that leads to the arrest and conviction of the people who wrote the worm.
- March 19: The Witty worm is a record-breaking worm in many regards. It exploited holes in several Internet Security Systems (ISS) products. It was the fastest disclosure to worm, it was the first internet worm to carry a destructive payload and it spread rapidly using a pre-populated list of ground-zero hosts.
- May 1: The Sasser worm emerges by exploiting a vulnerability in LSASS and causes problems in networks, while removing MyDoom and Bagle variants, even interrupting business. An estimated one million computers running Windows are affected by the fast-spreading Sasser computer worm. Victims include businesses, such as British Airways, banks, and government offices, including Britain's Coast Guard. The worm does not cause irreparable harm to computers or data, but it does slow computers and cause some to quit or reboot without explanation. The Sasser worm is different than other viruses in that users do not have to open a file attachment to be affected by it. Instead, the worm seeks out computers with a security flaw and then sabotages them. An 18-year-old German high school student confessed to creating the worm. He's suspected of releasing another version of the virus.
- August 16: Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor Trojan Horse that infects Windows NT family systems (Windows 2000, XP, 2003).
- August 20: Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a Trojan Horse that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook.
- October 12, 2004: Bifrost, also known as Bifrose, is a backdoor trojan which can infect Windows 95 through Vista. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attack.
- December: Santy, the first known "webworm" is launched. It exploited a vulnerability in phpBB and used Google in order to find new targets. It infected around 40000 sites before Google filtered the search query used by the worm, preventing it from spreading.
2005
- October 13: The Samy XSS worm becomes the fastest spreading virus by some definitions as of 2006.
- Late 2005: The Zlob Trojan, also known as Trojan.Zlob, is a trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005.
- 2005: Bandook or Bandook Rat (Bandook Remote Administration Tool) is a backdoor trojan horse that infects the Windows family. It uses a server creator, a client and a server to take control over the remote computer. It uses process hijacking / Kernel Patching to bypass the firewall, and allow the server component to hijack processes and gain rights for accessing the Internet.
- March saw the world's first cell phone virus: Commwarrior-A. The virus probably originated in Russia, and it spread via text message. In the final analysis, Commwarrior-A only infected 60 phones, but it raised the specter of many more—and more effective—cell phone viruses.
2006
- January 20: The Nyxem worm was discovered. It spread by mass-mailing. Its payload, which activates on the third of every month, starting on February 3, attempts to disable security-related and file sharing software, and destroy files of certain types, such as Microsoft Office files.
- February 16: Discovery of the first-ever malware for Mac OS X, a low-threat trojan horse known as OSX/Leap-A or OSX/Oompa-A, is announced.
- Late September: Stration or Warezov worm first discovered.
2007
- January 17: Storm Worm is identified as a fast-spreading email spamming threat to Microsoft systems. It begins gathering infected computers into the Storm botnet. By around June 30 it had infected 1.7 million computers, and it had compromised between 1 and 10 million computers by September. Thought to have originated from Russia, it disguises itself as a news email about bogus news stories, asking the recipient to download an attachment which it claims is a film.
2008
- February 17: Mocmex is a trojan, which was found in a digital photo frame in February 2008. It was the first serious computer virus on a digital photo frame. The virus was traced back to a group in China.
- March 3: Torpig, also known as Sinowal and Mebroot, is a Trojan horse which affects Windows, turning off anti-virus applications. It allows others to access the computer, modifies data, steals confidential information (such as user passwords and other sensitive data) and installs more malware on the victim's computer.
- May 6: Rustock.C, a hitherto-rumoured spambot-type malware with advanced rootkit capabilities, was announced to have been detected on Microsoft systems and analyzed, having been in the wild and undetected since October 2007 at the very least.
- July 6: Bohmini.A is a configurable remote access tool or trojan that exploits security flaws in Adobe Flash 9.0.115 with Internet Explorer 7.0 and Firefox 2.0 under Windows XP SP2.
- July 31: The Koobface computer worm targets users of Facebook and Myspace.
- November 21: Computer worm Conficker infects anywhere from 9 to 15 million Microsoft server systems running everything from Windows 2000 to the Windows 7 Beta. The French Navy, UK Ministry of Defence (including Royal Navy warships and submarines), Sheffield Hospital network, German Bundeswehr and Norwegian Police were all affected. Microsoft sets a bounty of $250,000 USD for information leading to the capture of the worm's author(s). Five main variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively.
2009
- July 4: The July 2009 cyber attacks occur, and W32.Dozor emerges, attacking the United States and South Korea.
2010
- February 18: Microsoft announced that a BSoD problem on some Windows machines, which was triggered by a batch of Patch Tuesday updates, was caused by the Alureon Trojan.

