Mon, Apr
7 New Articles

The history of malware: A primer on the evolution of cyber threats

Security News
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Malware, a portmanteau of “malicious software,” refers to any software, code, or computer program intentionally designed to cause harm to a computer system or its users. Virtually every modern cyberattack involves some type of malware. These harmful programs can range in severity from highly destructive and costly (ransomware) to merely annoying, but otherwise innocuous (adware).

Every year, there are billions of malware attacks on businesses and individuals. Malware can infect any type of device or operating system including Windows, Mac, iPhone, and Android.

Cybercriminals develop and use malware to:

  • Hold devices, data, or enterprise networks hostage for large sums of money
  • Gain unauthorized access to sensitive data or digital assets
  • Steal login credentials, credit card numbers, intellectual property, personally identifiable information (PII) or other valuable information
  • Disrupt critical systems that businesses and government agencies rely on

While the words are often used interchangeably not all types of malware are necessarily viruses. Malware is the umbrella term describing numerous types of threats such as:

Viruses: A computer virus is defined as a malicious program that cannot replicate without human interaction, either through clicking a link, downloading an attachment, launching a specific application, or various other actions.

Worms: Essentially a self-replicating virus, worms don’t require human interaction to spread, tunneling deep into different computer systems and moving between devices.

Botnets: A network of infected computers under control of a single attacker known as the “bot-herder” working together in unison.

Ransomware: One of the most dangerous types of malware, ransomware attacks take control of critical computer systems or sensitive data, locking users out and requiring exorbitant ransoms in cryptocurrency like Bitcoin in exchange for regained access. Ransomware remains one of the most dangerous types of cyber threats today. 

Multi-extortion ransomware: As if ransomware attacks aren’t threatening enough, multi-extortion ransomware adds additional layers to either cause further damage or add extra pressure for victims to capitulate. In the case of double-extortion ransomware attacks, malware is used to not only encrypt the victim’s data but also exfiltrate sensitive files, such as customer information, which attackers then threaten to release publicly. Triple-extortion attacks go even further, with threats to disrupt critical systems or extend the destructive attack to a victim’s customers or contacts. 

Macro viruses: Macros are command series typically built into larger applications to quickly automate simple tasks. Macro viruses take advantage of programmatic macros by embedding malicious software into application files that will execute when the corresponding program is opened by the user.

Trojans: Named for the famous Trojan Horse, trojans disguise themselves as useful programs or hide within legitimate software to trick users into installing them.

Spyware: Common in digital espionage, spyware hides within an infected system to secretly gather sensitive information and transmit it back to an attacker.

Adware: Considered to be mostly harmless, adware is typically found bundled with free software and spams users with unwanted pop-ups or other ads. However, some adware might harvest personal data or redirect web browsers to malicious websites.

Rootkit: A type of malware package that allows hackers to gain privileged, administrator-level access to a computer’s operating system or other assets. 

Milestones in malware 

Due to the sheer volume and variety, a complete history of malware would be quite lengthy. Instead, here’s a look at a few infamous moments in the evolution of malware.

1966: Theoretical malware

As the very first modern computers were being built, pioneering mathematician and Manhattan Project contributor John von Neumann was developing the concept of a program that could reproduce and spread itself throughout a system. Published posthumously in 1966, his work, Theory of Self-Reproducing Automata, serves as the theoretical foundation for computer viruses.

1971: Creeper worm

Just five years after John von Neumann’s theoretical work was published, a programmer by the name of Bob Thomas created an experimental program called Creeper, designed to move between different computers on the ARPANET, a precursor to the modern Internet. His colleague Ray Tomlinson, considered to be the inventor of email, modified the Creeper program to not only move between computers, but to also copy itself from one to another. Thus the first computer worm was born.

Although Creeper is the first known example of a worm, it is not actually malware. As a proof of concept, Creeper wasn’t made with malicious intent and didn’t damage or disrupt the systems it infected, instead only displaying the whimsical message: “I’M THE CREEPER : CATCH ME IF YOU CAN.” Taking up his own challenge, in the following year Tomlinson also created Reaper, the first antivirus software designed to delete Creeper by similarly moving across the ARPANET.

1982: Elk Cloner virus

Developed by Rich Skrenta when he was just 15 years old, the Elk Cloner program was intended as a practical joke. As a member of his high school’s computer club, Skranta was known among his friends to alter the games and other software shared among club members—to the point that many members would refuse to accept a disk from the known prankster.

In an effort to alter the software of disks he couldn’t access directly, Skranta invented the first known virus for Apple computers. What we’d now call a boot sector virus, Elk Cloner spread by infecting the Apple DOS 3.3 operating system and once transferred from an infected floppy disk, would copy itself to the computer’s memory. When an uninfected disk was later inserted into the computer, Elk Cloner would copy itself to that disk, and quickly spread among most of Skranta’s friends. While deliberately malicious, Elk Cloner could inadvertently write over and erase some floppy disks. It also contained a poetic message that read:









1986: Brain virus

While the Creeper worm was able to move across computers on the ARPANET, prior to the widespread adoption of the Internet most malware was passed along over floppy disks like Elk Cloner. However, while the effects of Elk Cloner were contained to one small computer club, the Brain virus spread worldwide.

Created by Pakistani medical software distributors, and brothers, Amjad and Basit Farooq Alvi, Brain is considered to be the first virus for the IBM Personal Computer and was initially developed to prevent copyright infringement. The virus was intended to prevent users from using copied versions of their software. When installed, Brain would display a message prompting pirates to call the brothers to receive the vaccination. Underestimating just how widespread their piracy problem was, the Alvis received their first call from the United States, followed by many, many more from around the globe.

1988: Morris worm

The Morris worm is another malware precursor that was created not for malicious intent, but as a proof-of-concept. Unfortunately for the creator, MIT student Robert Morris, the worm proved to be much more effective than he had anticipated. At the time, only about 60,000 computers had access to the internet, mostly at universities and within the military. Designed to exploit a backdoor on Unix systems, and to stay hidden, the worm quickly spread, copying itself over and over again and infecting a full 10% of all networked computers.

Because the worm not only copied itself to other computers but also copied itself repeatedly on infected computers, it unintentionally ate up memory and brought multiple PCs to a grinding halt. As the world’s first widespread internet cyberattack, the incident caused damages that some estimates placed in the millions. For his part in it, Robert Morris was the first cybercriminal ever convicted of cyber fraud in the United States. 

1999: Melissa worm

While not as damaging as the Morris worm, about a decade later Melissa showed how fast malware can spread by email, infesting an estimated one million email accounts and at least 100,000 workplace computers. The fastest spreading worm for its time, it caused major overloads on Microsoft Outlook and Microsoft Exchange email servers resulting in slowdowns at more than 300 corporations and government agencies, including Microsoft, the Pentagon’s Computer Emergency Response Team, and roughly 250 additional organizations.

2000: ILOVEYOU virus 

Necessity being the mother of invention, when 24-year-old Philippines resident Onel de Guzman found himself unable to afford dialup internet service he built a macro virus worm that would steal other people’s passwords, making ILOVEYOU the first significant piece of outright malware. The attack is an early example of social engineering and phishing. De Guzman used psychology to prey on people’s curiosity and manipulate them into downloading malicious email attachments disguised as love letters. “I figured out that many people want a boyfriend, they want each other, they want love,” said de Guzman. 

Once infected, the worm did more than steal passwords, it also deleted files and caused millions in damages, even shutting down the United Kingdom’s Parliament’s computer system for a brief period. Although de Guzman was caught and arrested, all charges were dropped as he hadn’t actually broken any local laws.

2004: Mydoom worm

Similar to ILOVEYOU, the Mydoom worm also used email to self-replicate and infect systems around the world. Once taking root, Mydoom would hijack a victim’s computer to email out more copies of itself. Astonishingly effective, Mydoom spam once accounted for a full 25% of all emails sent worldwide, a record that’s never been broken, and ended up causing $35 billion in damages. Adjusted for inflation, it is still the most monetarily destructive piece of malware ever created.

Besides hijacking email programs to infect as many systems as possible, Mydoom also used infected computers to create a botnet and launch distributed denial-of-service (DDoS) attacks. Despite its impact, the cybercriminals behind Mydoom have never been caught or even identified. 

2007: Zeus virus

First identified in 2007, Zeus infected personal computers via phishing and drive-by-downloads and demonstrated the dangerous potential of a trojan-style virus that can deliver many different types of malicious software. In 2011, its source code and instruction manual leaked, providing valuable data for both cybersecurity professionals, as well as other hackers.

2013: CryptoLocker ransomware 

One of the first instances of ransomware, CryptoLocker is known for its rapid spread and powerful (for its time) asymmetric encryption capabilities. Distributed through rogue botnets captured by the Zeus virus, CryptoLocker systematically encrypts data on infected PCs. If the infected PC is a client in a local network, such as a library or office, any shared resources are targeted first.

In order to regain access to these encrypted resources, the makers of CryptoLocker requested a ransom of two bitcoins, which at the time were valued at roughly $715 USD. Luckily, in 2014 the Department of Justice, working with international agencies, managed to seize control of the malicious botnet and decrypt the hostage data free of charge. Unluckily, the CyrptoLocker program is also spread through basic phishing attacks as well and remains a persistent threat.

2014: Emotet trojan

Once called the “king of malware” by Arne Schoenbohm, head of the German Office for Information Security, the Emotet trojan is a prime example of what’s known as polymorphic malware making it difficult for information security specialists to ever fully eradicate. Polymorphic malware works by slightly altering its own code every time it reproduces, creating not an exact copy, but a variant that’s just as dangerous. In fact, it’s more dangerous because polymorphic trojans are harder for anti-malware programs to identify and block.

Like the Zeus trojan, Emotet persists as a modular program used to deliver other forms of malware and is often shared through traditional phishing attacks.

2016: Mirai botnet 

As computers continue to evolve, branching out from desktop, to laptops, to mobile devices, and a myriad of networked devices, so does malware. With the rise of the internet of things, smart IoT devices present a vast new wave of vulnerabilities. Created by college student Paras Jha, the Mirai botnet found and took over a massive number of mostly IoT-enabled CCTV cameras with weak security.

Initially designed to target gaming servers for DoS attacks, the Mirai botnet was even more powerful than Jha had anticipated. Setting its sights on a major DNS provider, it effectively cut off huge swathes of the United States’ eastern seaboard from the internet for nearly an entire day.

2017: Cyber espionage 

Although malware had already played a part in cyber warfare for many years, 2017 was a banner year for state-sponsored cyberattacks and virtual espionage, beginning with a relatively unremarkable ransomware called Petya. Although dangerous, the Petya ransomware spread through phishing and was not particularly infectious until it was modified into the NotPetya wiper worm, a program that looked like ransomware, but destroyed user data even if ransom payments were sent. That same year saw the WannaCry ransomware worm strike a number of high-profile targets in Europe, particularly in Britain’s National Health Service. 

NotPetya is believed to be tied to Russian intelligence, who may have modified the Petya virus to attack Ukraine, and WannaCry may be connected to similar adversarial sectors of the North Korean government. What do these two malware attacks have in common? Both were enabled by a Microsoft Windows exploit dubbed Eternalblue, which was first discovered by the National Security Agency. Although Microsoft eventually discovered and patched the exploit themselves, they criticized the NSA for not reporting it before hackers were able to capitalize on the vulnerability.

2019: Ransomware-as-a-Service (RaaS)

In recent years, ransomware malware has both taken off and tapered off. Yet while the instances of successful ransomware attacks may be decreasing, hackers are targeting more high-profile targets and causing greater damages. Now, Ransomware-as-a-Service is a troubling trend that’s gained momentum in recent years. Offered on dark web marketplaces, RaaS provides a plug-and-play protocol in which professional hackers conduct ransomware attacks in exchange for a fee. While previous malware attacks required some degree of advanced technical skill, mercenary groups offering RaaS empower anyone with ill intent and money to spend.

2021: A state of emergency

The first high-profile double-extortion ransomware attack took place in 2019, when hackers infiltrated security staffing agency Allied Universal, simultaneously encrypting their data while threatening to release the stolen data online. This extra layer meant that even if Allied Universal had been able to decrypt their files, they’d still suffer a damaging data breach. While this attack was noteworthy, the 2021 Colonial Pipeline attack is more notorious for the severity of the implied threat. At the time the Colonial Pipeline was responsible for 45% of the eastern United States’ gasoline and jet fuel. The attack, which lasted for several days, impacted both the public and private sectors along the east coast, and prompted President Biden to declare a temporary state of emergency.

2022: A national emergency

Although ransomware attacks may appear to be declining, highly targeted and effective attacks continue to present a chilling threat. In 2022, Costa Rica suffered a series of ransomware attacks, first crippling the ministry of finance and impacting even civilian import/export businesses. A following attack then took the nation’s healthcare system offline, directly affecting potentially every citizen in the country. As a result, Costa Rica made history as the first country to declare a national state of emergency in response to a cyberattack.

IBM is a leading global hybrid cloud and AI, and business services provider, helping clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs and gain the competitive edge in their industries. Nearly 3,000 government and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM's hybrid cloud platform and Red Hat OpenShift to affect their digital transformations quickly, efficiently, and securely. IBM's breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and business services deliver open and flexible options to our clients. All of this is backed by IBM's legendary commitment to trust, transparency, responsibility, inclusivity, and service.

For more information, visit: www.ibm.com.



Support MC Press Online

$0.00 Raised:

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: