National Research Council Canada
Dimensions

ARCHIVED - Science Flashback



Science Flashback

Probing the history of viruses, worms and Trojans

The computer virus wasn’t always a dangerous entity — many early incarnations were simply playful experiments. How did the virus evolve from its innocent beginnings into a tool for cyber criminals?

Spiders on a computer screen.

Since the dawn of computers, we have been dealing with malicious code in one form or another. Like their biological counterparts, computer viruses have evolved from their humble origins into newer, more complex forms. The study of malicious code is akin to studying our own fossil record; it’s useful to divide up the timeline into stages when specific characteristics emerged.

The age of discovery — 1949 to 1986

In 1949, the study of what would eventually become malicious code was kicked off by mathematician John von Neumann through a series of lectures on the concept of “complicated automata,” or self-replicating machines that could pass on programming to their offspring. Von Neumann was the first to formalize this concept, but he did not see the mutation of his idea that would result in self-replicating malicious code. Bell Labs ran with this idea in creating programs that battled each other to assume control of a computer in the “Darwin” game during the 1960s and the “Core Wars” game in the 1970s.

In the early 1970s, the program Creeper, created by American engineer Bob Thomas, lived up to its name by creeping around ARPANET, the core network that eventually became the Internet. Thomas’s Creeper was the first self-replicating program, and its construction and release were an experiment and proof of concept to von Neumann’s work. With the evolution of the self-replicating program came the creation of the first anti-virus program, Reaper, which searched out and deleted instances of Creeper.

The first Trojan horse

In legendary accounts of the Trojan War, King Priam of Troy allows an enormous wooden horse into his city, thinking it’s a gift. During the night, Greek warriors emerge from the horse and sack the city.

In the world of modern viruses, a “Trojan horse” uses the same technique. By masquerading as something benign, such as software, it gains entry to your system. Then it runs malicious code that can damage files and compromise security, even going so far as to give a hacker remote control of your computer.

Some nine years later the first “wild” virus, called Elk Cloner, was created by ninth-grade prankster Richard Skrenta. While Creeper was limited to a very specific network, Elk Cloner travelled from computer to computer on floppy disks and displayed a short poem about itself on every 50th boot:


Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!

It will stick to you like glue
It will modify ram too
Send in the Cloner!


Again, this virus was an experiment and proof of concept, and the payload was non-malicious. That is, if you consider bad doggerel poetry non-malicious.

The age of explosion — 1986 to 1995

Prior to this point, virus development was an experiment and the code simple. But between 1986 and 1995, not unlike the Cambrian explosion in Earth’s fossil record, almost all of the traits of the modern computer virus emerged. This is when the “malicious” was inserted into malicious code. Viruses like Brain targeted specific software, and code like Stoned leapt from computer to computer by writing itself onto any floppy disk it encountered. Viruses started exhibiting destructive behavior, deleting files and latching in lamprey-like fashion to the operating system. Modems and electronic bulletin board systems allowed viruses to move not only from computer to computer, but from city to city.

Timeline

1949: John von Neumann introduces the concept of self-replicating machines.
1971: Creeper, the first self-replicating program, is created by American engineer Bob Thomas.
1982: Elk Cloner, which displays a silly poem on every 50th boot, is unleashed by 9th-grader Richard Skrenta.
1986: The Brain virus, which targets specific software, puts the word “malicious” into malicious code.
1994: Melissa becomes the first “mass infector” virus, sending itself to all contacts in a victim’s address book.

Polymorphism emerged as a virus trait, with the viral code written so that it modified itself slightly after each infection in order to delay detection by the emerging anti-virus programs. Macro viruses, which use the ability of word processors and spreadsheets to run strings of user commands, were developed; this also included viruses that targeted the programming languages (Java and Adobe Flash) used by Web browsers to run enhanced content such as games.

This age also saw the emergence of the first virus construction kits, which are software packages that allow users to create their own malicious code with a few keystrokes. This development led to the spawning of numerous “script-kiddies”: users without the technical skill to write code or discover new exploits, but still capable of creating new viral threats.

Last but not least of the developments of this age was a new category called the Hoax virus: an email message warning of a highly destructive virus and carrying potentially harmful instructions for dealing with the non-existent threat.

The age of mass infectors — 1994 to 2010

With the Internet becoming established as a mechanism for the transfer of information, and more and more businesses connecting their own networks to it, it was only a matter of time before virus writers started taking advantage of it as a means to infect not just local users, but the whole world.

Leading the charge was Melissa, a simple macro virus that, when executed, sent itself to all contacts in the victim’s address book, while simultaneously infecting and distributing Word documents. Melissa was followed by I Love You, Nimda, Sapphire, Mydoom and Sasser — each one reaching further and faster than its predecessor. In 2004, an unpatched Windows system placed on the Internet would be infected within 20 minutes; these days it is down to four minutes.


The age of enterprise — today

And now here we are in 2012. Malicious code is in the hands of cyber criminals. No longer the bailiwick of people trying to prove how clever they are, viruses are now being used to generate illicit income. Botnets, which are networks consisting of millions of compromised computers, are being used to send out commercial spam or relay personal financial information to an interested third party, and fake anti-virus scams are generating hundreds of millions of dollars annually. With this focus on revenue, virus writers are now employing trained software engineers and security experts to create new infections that are tougher to identify, isolate and remove.

So what comes next? Where is the next evolution of malicious code going to emerge? Are you reading this on a smartphone or tablet…?


ISSN 1927-0275 = Dimensions (Ottawa. Online)