A Brief History Of Viral Time

From simple viruses that spread via floppy disk, to worms that hitch a ride on the Internet, to today's back-door Trojans and spyware, the past 20 years of malware have

July 5, 2006

17 Min Read
Network Computing logo

For about 20 years now we've been using the term computer viruses to describe self-replicating programs. Although such programs had previously been found on Apple computers, viruses entered the PC world in early 1986 with the Brain virus.

Created by two programmers named Basit and Amjad, Brain was a boot virus that ran when a computer was booted up with an infected floppy diskette in the A: drive. (Remember when floppy disks were actually floppy?) Once a machine was infected, it would infect all subsequent floppies put in the drive.

Brain, a.k.a. (C)Brain, was also the first stealth virus, meaning that the boot sectors of infected diskettes would appear uninfected to users. The Brain virus didn't spread very quickly, nor was it particularly harmful -- but it ushered in an era of increasingly destructive viruses, worms, and other malware.

Computer viruses have changed a great deal since then. It has generally been an evolutionary change: mostly small developments that, when looked at cumulatively, can be viewed as rather spectacular. In this story we'll look at overall trends in the history of PC viruses; also see the timeline below and to the left (requires Flash) for more information about specific virus events.

Virus Or Worm?

In this piece we use the term virus generically to mean any self-replicating software. Technically, though, a virus uses a computer's storage media -- hard disk, floppy disk, flash memory stick, etc. -- as its transfer medium, whereas a worm uses external resources, such as an Internet connection or a network server. Additionally, viruses usually need some form of user interaction to spread, while worms may spread with no user assistance.

The term malware refers to any kind of malicious software, including viruses, worms, Trojans, spyware, rootkits, and so on. We'll get to these other nasties later in the piece.

The Early Years

Once Brain showed the way, many derivative PC viruses followed in the late 1980s. With no built-in protection, Microsoft's DOS operating system made it easy. Before long, there were about 100 known computer viruses. (Today there are about 300,000, according to some estimates.)

Click on any year to see its major virus events, then mouse over an event on theright to read more about it.

The Lehigh virus, discovered at Lehigh University in 1987, was the first to attack an executable file, specifically COMMAND.COM. The Jerusalem virus (1987), which infected both .EXE and .COM files, was the first to trigger its payload (the subroutine within a virus or worm that actually does the damage) on a specific date -- Friday the 13th. Several other Friday the 13th viruses would follow. The Cascade virus (1988) was the first encrypted virus, which made it difficult to alter or remove.

The first worm to spread widely over the Internet was the Morris worm, released in 1988 by Robert T. Morris, then a graduate student at Cornell University and now an MIT professor. Morris claimed to have created the worm as an intellectual exercise to measure the size of the Internet; however, it spread farther than intended, and many machines were infected multiple times. Infected computers -- Unix machines rather than PCs -- slowed down so much that they became unusable.In the early 1990s, the computing world saw its first mass-generated computer viruses as virus creation libraries (VCLs) were uploaded to renegade BBSes known as VX Exchange Boards. Here, members of hacker clubs could download virus source code, personalize it, and release their own virus with little effort or true knowledge of programming. Fortunately, VCLs tended to create viruses -- such as Kinison, Donatello, Earthday, Genocide, and Venom -- that were too buggy to ever spread far or cause much concern.

A number of the VCL viruses were append-class viruses, appending their infective code to the target program. Some were companion-class viruses, leaving the target untouched but using the MS-DOS execute order so that the virus was run instead of the target program. Some VCL viruses had payloads that would attempt to erase the boot sector. Others overwrote target executables.

Viruses Get Smarter

One of the more interesting virus "enhancements," now dealt with exceedingly well, but initially not dealt with at all, was the self-mutating (also known as polymorphic) virus. Antivirus scanners look for small, recognizable snippets of known computer viruses, so self-mutating viruses try to change recognizable patterns to unrecognizable ones each time they replicate, thereby thwarting simplistic scanner software. Self-mutators based on DAME (Dark Avenger's Mutating Engine) and MtE (Mutating Engine -- also by Dark Avenger) were prevalent in the 1991-1992 timeframe.

To deal with this threat, the scanner authors had merely to remember that even small fragments of code reveal identifiable characteristics inherent in each virus. A new antivirus methodology made polymorphic viruses toothless and easily detected: the emulator program.

This program acts as if it's executing at least the initial part of a program -- usually the decryption portion of the virus -- but really intercepts the code and writes to a safe "sandbox" that exists only in memory. Thus, the decrypted virus can be identified without actually being executed.

And thus began what many antivirus researchers thought of as the "Spy Versus Spy" era. In essence, with each move forward by the virus writers, then countered by the antivirus community, viruses became ever more complex, and therefore more fragile and buggy. (It seems that finding beta testers for computer viruses before their release is rather difficult.) This, in turn, had the side effect of viruses doing unexpected and unintended things. Even with viruses, bugs are bugs.

In 1992, the first virus that caught the attention of the wider public hit the computing world -- the dreaded Michelangelo virus. Set to strike on March 6, the Renaissance painter's birthday, the virus was played up by the media as an urgent threat that would spread massively, erasing the hard drives of all in its path. It turned out to be fairly widespread, but far below most predictions. Some experts hold, however, that the media hoopla caused many organizations to scan for and isolate the virus before it could spread.

Regardless, Michelangelo did surmount the multiple-floppy-disk-format problem suffered by most viruses to this point. Early viruses could write only to diskettes of the same format -- 360K, 720K, and so on -- that the source virus started on. Multiple-format viruses were a new trick.

Virus Hoaxes

As awareness of PC viruses grew among the general public, pranksters began to prey upon users' concern by circulating e-mails warning of viruses that didn't exist. The most famous of these, the Good Times virus hoax, read in part, "There is a virus on America Online being sent by E-Mail. If you get anything called 'Good Times', DON'T read it or download it. It is a virus that will erase your hard drive." Naturally, the e-mail ended with the admonition, "Forward this to all your friends. It may help them a lot."

First seen in November 1994, the Good Times hoax and its variants circulated for years afterward as unwitting users sought to protect their friends from the nonexistent danger. A host of imitators began to spread as well. For a time in the mid-90s it seemed as if every other e-mail message was a false virus warning from a well-intentioned but clueless friend, making these messages nearly as bothersome as viruses themselves.

In response to the slew of virus hoaxes, the Bad Times parody hoax was created, with such outrageous claims of what the virus could do -- including deleting any data on disks within 20 feet of your computer, drinking all your beer, and leaving the toilet seat up -- that nobody could possibly believe it. Security vendors, however, do not appear to be amused. "Some users are still concerned by the message," warns Sophos, and Trend Micro adds, "It plays on the insatiable need of people to forward any warning they get via e-mail, without paying much attention to the actual content."

-- Valerie Potter

Enter The Internet

As floppy disks became close to extinct, so did viruses using floppies as a medium of transport; the Internet became the medium of choice. Internet access was becoming ubiquitous -- everyone was getting a modem.

Even relatively unsophisticated computer users had access to online playgrounds such as AOL, CompuServe, MSN, and GEnie, along with the e-mail and downloading hazards they presented. None of these services initially had any adequate virus-checking or scanning measures in place, so downloading software was dangerous.

Around 1995, macro viruses started being written to take advantage of programming languages inherent in applications as diverse as Lotus 1-2-3 and Microsoft Word. One of the most prevalent macro viruses was the simple Concept virus. It removed all macros in infected files and disabled some of Word's menus, but was otherwise not destructive. Concept was most prevalent in 1995-1997.

Even worse, many of these new viruses took advantage of e-mail/SMTP capabilities in Windows systems by mass-mailing infected files to recipients listed in the address books of popular e-mail programs such as Microsoft Outlook. A good history of macro viruses can be found in Dr. Alan Solomon's seminal paper "Introduction to Macro Viruses" -- a must-read for anyone interested in virus history.

As we leave the decade, don't forget that 1999 gave us the virus of the century: Melissa, a combination macro virus and worm. Among other payloads, Melissa inserted quotes from the animated television series The Simpsons in Word documents. But what was devastating was how Melissa spread: by forwarding the infected Word document as an e-mail attachment to 50 people in the computer's Outlook address book.

Melissa propagated more rapidly than any previous virus, infecting an estimated 1 million PCs. The antivirus world was initially not prepared to handle this kind of quick-spreading threat, but came up with solutions very rapidly. Melissa was a wakeup call -- malware wasn't done with computer users by a long shot.The current decade has seen increasingly sophisticated and fast-spreading worms, including ILOVEYOU (2000), which used the promise of a love letter to fuel its massive spread; Nimda (2001), notable for its sophisticated infection and replication techniques; Code Red (2001), which infected hundreds of thousands of Web pages; MyDoom (2004), the fastest-spreading worm to date; and Sasser (2004), which caused disruptions to satellite communications, airlines, financial services, and more across the globe.

One worm that had an unexpected positive effect was 2003's SQL Slammer (a.k.a. Sapphire). Finding security holes in computers running Microsoft's SQL Server or SQL Server Desktop Engine (MSDE), it infected a huge number of machines very rapidly -- 75,000 computers in 10 minutes -- causing massive slowdowns and server crashes across the Internet. Now for the good news: Because only non-updated systems were vulnerable to SQL Slammer, Microsoft reports, substantially more people are keeping their Windows systems up to date since this worm hit.

Today's Malware

The Spy Versus Spy game goes on: More sophisticated, armored and encrypted viruses breed more sophisticated scanners and antivirus apps to counter them. Not all viruses can be removed from infected programs -- sometimes the infection overwrites the original program, requiring reinstallation of the programs or even the whole operating system.

And today we have to deal with a lot more than just viruses and worms, including:

Trojans: Named after the Trojan Horse of Greek legend, programs that appear legitimate but actually perform some malicious activity, such as opening a back door to give a remote user control of the computer.Bots: Small programs on computers infected by Trojans that communicate with the controlling attacker, often searching out other networked machines with vulnerabilities. Vast networks of bot-infected machines are called botnets. Often the owners of these compromised computers -- sometimes called zombies -- are unaware that their machines are being controlled remotely and used in this manner.

Distributed Denial of Service (DDoS) attacks: Attacks in which thousands of machines (often in a botnet) flood a target machine or domain simultaneously in an attempt to bring it down. Microsoft.com, for example, is a frequent target of DDoS attacks.

Spyware: As its name suggests, software that spies on the user in some way, such as tracking Web-surfing habits or logging keystrokes as the user types a password.

Rootkits: Spyware or other malware programs that, when run, attempt to gain administrative-level access to the computer. In Unix-based systems, such access is usually restricted to those with "root" access -- hence the name rootkit.

Malicious Downloads: Seemingly innocent downloads that, when executed, turn out to be some type of malware. Unlike Trojans, which typically hide within a program for some time without the user's knowledge, malicious downloads are usually more immediate -- for example, a program that purports to defragment your hard disk but immediately reformats it instead.Drive-By Downloads: Spyware or other malware that requires no user interaction to install -- in other words, you might download such programs without realizing it, simply by visiting certain Web sites.

Phishing: Identity-theft schemes that use official-looking e-mails to lead users to official-looking Web sites that ask users to enter personal information.

And the list goes on. Word on the street is that organized crime is the source of much of this "nastyware," which takes away any charm virus writing may once have had. It's odd to wax nostalgic over the ethics of virus writing, but once it was done mostly for hacker pride -- unique ideas and elegance in design were the whole point. Now the field has reduced itself to causing destruction, stealing money and personal information, even extortion -- things no self-respecting hacker would stoop to.

Blame It On Spam

Although devious Web sites and file-sharing services are often the culprits these days, most malware is still delivered by unsolicited e-mail, also known as spam. Corporate users are generally fairly well protected by heavy-duty anti-spam measures put in place by their IT departments, and for home users, better e-mail and anti-spam scanners are but a click away. I like SpamPal myself.

Even the best anti-spam scanner won't filter out all the spam heading your way, though, so it pays to be on your guard. Your mother was right: Don't open e-mail from strangers!

What does the future hold for malware? It's not going away anytime soon. Next year -- and likely 10 years from now -- you will have to update and regularly run your scanners, anti-spyware, anti-virus, and anti-spam software. And don't forget to make sure your backups are current, something you should do regardless of what happens on the malware front. Hardware is never forever!

Ross M. Greenberg has been active on the anti-malware front since the late 1980s, when the Wizop of the CompuServe PC-based forums -- now a friend -- stated that there was no such thing as a computer virus. Ha! Greenberg was right, and the Wizop was wrong. NyahNyahNyah!

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights