Narrative histories of the early years by Dr. Alan Solomon and Robert M. Slade are available. Below is an expanded summary.
1981 - The First Virus In The Wild
As described in Robert Slade's history, the first virus in the wild actually predated the experimental work that defined current-day viruses. It was spread on Apple II floppy disks (which contained the operating system) and reputed to have spread from Texas A&M. [Side note: Thanks to a pointer from anti-virus pioneer Fridrik Skulason we know the virus was named Elk Cloner and displayed a little rhyme on the screen:
It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!
For more info on Elk Cloner see http://www.skrenta.com/cloner/]
1983 - The First Documented Experimental Virus
Fred Cohen's seminal paper Computer Viruses - Theory and Experiments from 1984 defines a computer virus and describes the experiments he and others performed to prove that the concept of a computer virus was viable. From the paper...
On November 3, 1983, the first virus was conceived of as an experiment to be presented at a weekly seminar on computer security. The concept was first introduced in this seminar by the author, and the name 'virus' was thought of by Len Adleman. After 8 hours of expert work on a heavily loaded VAX 11/750 system running Unix, the first virus was completed and ready for demonstration. Within a week, permission was obtained to perform experiments, and 5 experiments were performed. On November 10, the virus was demonstrated to the security seminar.
1986 - Brain, PC-Write Trojan, & Virdem
The common story is that two brothers from Pakistan analyzed the boot sector of a floppy disk and developed a method of infecting it with a virus dubbed "Brain" (this origin is generally, though not universally, accepted). Because it spread widely on the popular MS-DOS PC system, it is typically called the first computer virus, even though it was predated by Cohen's experiments and the Apple II virus. That same year the first PC-based Trojan was released in the form of the popular shareware program PC-Write. Some reports say Virdem was also found this year; it is often called the first file virus.
1987 - File Infectors, Lehigh, & Christmas Worm
The first file viruses started to appear. Most concentrated on COM files, COMMAND.COM in particular. The first of these to infect COMMAND.COM is typically reported to be the Lehigh virus. At this time other work was done to create the first EXE infector: Suriv-02 (Suriv = Virus backward). (This virus evolved into the Jerusalem virus.) A fast-spreading (500,000 replications per hour) worm hit IBM mainframes during this year: the IBM Christmas Worm.
1988 - MacMag, Scores, & Internet Worm
MacMag, a Hypercard stack virus on the Macintosh, is generally considered the first Macintosh virus, and the Scores virus was the source of the first major Macintosh outbreak. The Internet Worm (Robert Morris' creation in November) caused the first Internet crisis and shut down many computers. CERT was created to respond to such attacks.
1989 - AIDS Trojan
This Trojan is famous for holding data hostage. The Trojan was sent out under the guise of an AIDS information program. When run it encrypted the user's hard drive and demanded payment for the decryption key.
1990 - VX BBS & Little Black Book (AT&T Attack)
The first virus exchange (VX) BBS went online in Bulgaria. Here virus authors could trade code and exchange ideas. Also, in 1990, Mark Ludwig's book on virus writing (The Little Black Book of Computer Viruses) was published. While there is no proof, hackers are suspected of taking down the AT&T long-distance switching system.
1991 - Tequila
Tequila was the first polymorphic virus; it came out of Switzerland and changed itself in an attempt to avoid detection.
1992 - Michelangelo, DAME, & VCL
Michelangelo was the first media darling. A worldwide alert went out with claims of massive damage predicted. Actually, little happened. The same year the Dark Avenger Mutation Engine (DAME) became the first toolkit that could be used to turn any virus into a polymorphic virus. Also that year the Virus Creation Laboratory (VCL) became the first actual virus creation kit. It had pull-down menus and selectable payloads (though it's reported to not have worked very well).
1993 - Stealth_boot PMBS
Stealth_boot PMBS used a unique technique to operate. You caught it by booting from an infected floppy disk. Once installed, Stealth_boot placed itself in extended memory, switched the computer into protected mode, and then ran a virtual 8086 (V86) machine in which DOS and its programs executed. Basically, the virus existed between the operating system and the hardware.
1995 - Year of the Hacker
Hackers attacked Griffith Air Force Base, the Korean Atomic Research Institute, NASA, Goddard Space Flight Center, and the Jet Propulsion Laboratory. GE, IBM, Pipeline and other companies were all hit by the "Internet Liberation Front" on Thanksgiving.
1995 - Concept
The first macro virus to attack Word, Concept, is developed.
1996 - Boza, Laroux, & Staog
Boza is the first virus designed specifically for Windows 95 files. Laroux is the first Excel macro virus. And, Staog is the first Linux virus (written by the same group that wrote Boza).
1998 - Strange Brew & Back Orifice; JetDB
Strange Brew is the first Java virus. Back Orifice is the first Trojan designed to be a remote administration tool that allows others to take over a remote computer via the Internet. Access macro viruses start to appear (JetDB).
1999 - Melissa, Corner, Win95.SK, Tristate, Infis, & Bubbleboy
Melissa is the first combination Word macro virus and worm to use the Outlook and Outlook Express address book to send itself to others via E-mail. It arrived in March. Corner is the first virus to infect MS Project files. Win95.SK, in April 1999, is believed to be the first viral HLP file infector. Tristate is the first multi-program macro virus; it infects Word, Excel, and PowerPoint files. Infis installs itself as an NT driver and then takes over some undocumented functions. Bubbleboy is the first worm that would activate when a user simply opened an E-mail message in Microsoft Outlook (or previewed the message in Outlook Express). No attachment necessary. Bubbleboy was the proof of concept; Kak spread widely using this technique.
2000 - DDoS, Love Letter, Timofonica, Liberty (Palm), Stream, & Pirus
The first major distributed denial of service attacks shut down major sites such as Yahoo!, Amazon.com, and others. In May the Love Letter worm became the fastest-spreading worm (to that time), shutting down E-mail systems around the world. June 2000 saw the first attack against a telephone system. The Visual Basic Script worm Timofonica tries to send messages to Internet-enabled phones in the Spanish telephone network (later in 2000 another Trojan attacked the Japanese emergency phone system). August 2000 saw the first Trojan developed for the Palm PDA. Called Liberty and developed by Aaron Ardiri, the co-developer of the Palm Game Boy emulator Liberty, the Trojan was written as an uninstall program and was distributed to a few people to help foil those who would steal the actual software. When it was accidentally released to the wider public, Ardiri helped contain its spread. Stream became the first proof of concept NTFS Alternate Data Stream (ADS) virus in early September. As a proof of concept, Stream has not circulated in the wild (as of this writing), but as in all such cases a circulating virus based on the model is expected. Pirus is another proof of concept for malware written in the PHP scripting language. It attempts to add itself to HTML or PHP files. Pirus was discovered 9 Nov 2000.
2001 - Gnuman, Winux Windows/Linux Virus, LogoLogic-A Worm, AplS/Simpsons Worm, PeachyPDF-A, Nimda
Gnuman (Mandragore) showed up at the end of February. This worm cloaked itself from the Gnutella file-sharing system (the first to specifically attack a peer-to-peer communications system) and pretended to be an MP3 file to download. In March a proof of concept virus designed to infect both Windows and Linux (and cross between them) was released. Winux (or Lindose, depending on who you talk to) is buggy and reported to have come from the Czech Republic. On 9 April a proof of concept Logo worm was released which attacked the Logotron SuperLogo language. The LogoLogic-A worm spreads via mIRC chat and E-mail. May saw the first AppleScript worm. It uses Outlook Express or Entourage on the Macintosh to spread via E-mail to address book entries. In early August the PeachyPDF-A worm became the first to spread using Adobe's PDF software. Only the full version, not the free PDF reader, was capable of spreading the worm, so it did not go far. In September the Nimda worm demonstrated significant flexibility in its ability to spread and used several firsts. While not new in concept, a couple of worms created a fair amount of havoc during the year: Sircam (July), CodeRed (July & August), and BadTrans (November & December).
2002 - LFM-926, Donut, Sharp-A, SQLSpider, Benjamin, Perrun, Scalper
Early in January LFM-926 showed up as the first virus to infect Shockwave Flash (.SWF) files. It was named for the message it displays while it's infecting: "Loading.Flash.Movie...". It drops a Debug script that produces a .COM file which infects other .SWF files. Also in early January Donut showed up as the first worm directed at .NET services. In March, the first native .NET worm written in C#, Sharp-A was announced. Sharp-A was also unique in that it was one of the few malware programs reportedly written by a woman. Late May the Javascript worm SQLSpider was released. It was unique in that it attacked installations running Microsoft SQL Server (and programs that use SQL Server technology). Also in late May the Benjamin appeared. Benjamin is unique in that it uses the KaZaa peer-to-peer network to spread. Mid-June the press went wild over the proof-of-concept Perrun virus because a portion of the virus attached itself to JPEG image files. Despite the hype, JPEG files are still safe as you must have a stripper program running on your system in order to strip the virus file off the image file (see 2004 for another JPEG attack). On 28 June the Scalper worm was discovered attacking FreeBSD/Apache Web servers. The worm is designed to set up a flood net (stable of zombies which could be used to overwhelm one or more systems).
2003 - Sobig, Slammer, Lovgate, Fizzer, Blaster/Welchia/Mimail
Sobig, a worm that carried its own SMTP mail program and used Windows network shares to spread, started the year. Sobig variants continued to multiply throughout the year. Slammer, exploiting vulnerabilities in Microsoft's SQL 2000 servers, hit Super Bowl weekend. Its spreading technique worked so well that for some period of time all of South Korea was effectively cut off from the Internet. It received significant media coverage. The unique entry that February saw was Lovgate. This was unique as it was a combination of a Trojan and a worm; two pieces of malware that generally don't get combined. Starting in early May, Fizzer spread via the usual E-mail methods but also used the KaZaa peer-to-peer network to spread. While generally not unique types, August is (in)famous for a combination of Sobig.F, Blaster (also known as Lovsan and MSBlast), Welchia (or Nachi), and Mimail, all spreading rapidly through a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. 2003 also saw what appeared to be the use of worm-like techniques in the spreading of spam. Sobig dropped a component that could later be used by spammers to send mail through infected machines. The social engineering techniques used by virus/worm writers improved dramatically as well. Some of the malware this year was accompanied by very realistic graphics and links in an attempt to make you think the mail actually came from the likes of Microsoft or PayPal.
2004 - Trojan.Xombe, Randex, Bizex, Witty, MP3Concept, Sasser, Mac OS X, W64.Rugrat.3344, Symb/Cabir-A, JS/Scob-A, WCE/Duts-A, W32/Amus-A, WinCE/Brador-A, JPEG Weakness, SH/Renepo-A, Bofra/IFrame, Santy
Year 2004 started where 2003 left off, with social engineering taking the lead in propagation techniques. Trojan.Xombe was sent out to a wide audience. It posed as a message from Microsoft Windows Update asking you to run the attached revision to XP Service Pack 1. (This, and like messages that "phish" for personal information, are expected to take a lead role in 2004 -- and, yes, phish is the correct term for a message designed to "fish" for personal information; the technique is called phishing.) In February it was demonstrated that virus writers were starting to ply their craft for money. A German magazine managed to buy a list of infected IP addresses from a distributor of the virus Randex. These IP addresses were for sale to spammers who could use the infected machines as mail zombies. The end of February saw Bizex go after ICQ users through an HTML link that downloaded an infected SCM (Sound Compressed Sound Scheme) file. The weekend of 20/21 March introduced Witty, the first worm to attack security software directly (some Internet Security Systems' RealSecure, Proventia and BlackICE versions). The worm was malicious in that it erased portions of the hard drive while sending itself out. A Mac OS X scare in the form of MP3Concept was announced 8 April. Said to be a benign Trojan, MP3Concept turned out to be nothing more than a bad proof-of-concept that never made it into the wild. The end of April saw the Sasser worm, which is the first to effectively use the LSASS Windows vulnerability; a vulnerability that allowed the worm to spread via an open FTP port instead of through E-mail (even though Microsoft had already issued a patch for the vulnerability -- yet another example of people not paying attention to operating system security updates). Toward the end of May Apple issued critical patches to OS X when a vulnerability that could spread via E-mail and malformed Web pages was found.
The vulnerability would allow AppleScript scripts to run unchecked; even to the point of deleting the home directory. The proof-of-concept worm W64.Rugrat.3344 showed up at the end of May. This is claimed to be the first malware that specifically attacks 64-bit Windows files only (it ignores 32-bit and 16-bit files). It was created using IA64 (Intel Architecture) assembly code. In June Symb/Cabir-A appeared to infect Nokia Series 60 mobile phones. The worm is designed to spread to nearby Bluetooth-enabled devices. JS/Scob-A appeared in the last half of June. It was special in that it used Javascript to infect Microsoft's IIS Server HTML files through an unpatched vulnerability. Users visiting infected sites were then infected via a download from a Russian site (which was quickly closed down) using an unpatched vulnerability in the IE browser. Mid-July WCE/Duts-A showed up. This was another crude proof-of-concept virus relating to the PocketPC. The virus writer was apparently trying for attention, as this text is in the virus: "This is proof of concept code. Also, i wanted to make avers happy.The situation when Pocket PC antiviruses detect only EICAR file had to end ..." Early September saw W32/Amus-A show up. The only thing that qualified this beast to even be mentioned here was that it uses the Microsoft Speech engine in Windows to read out loud: "hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." where "Gule" is Turkish for "Bye" and "Hamsi" is a small fish found in the Black Sea. August saw WinCE/Brador-A, a backdoor for PocketPC devices. On 14 September that paragon of virus-free file types, the JPEG image, came under attack. To be accurate, the image file itself is not so much to blame as a Microsoft common .DLL file that processes the image file type and has a buffer overrun error that could allow someone to add malicious code to a JPEG image, which can then open holes in an attacked system.
Shortly after, some Trojan exploits started to appear. In mid-October SH/Renepo-A showed up on Macintosh OS X systems. This is a shell script worm that installs itself to /System/Library/StartupItems and other sites and can make files on the system vulnerable to further exploitation. Bofra/IFrame made history over the 20/21 November weekend by becoming the first malware to be placed into Internet ads. It is a MyDoom variant that made its way into AdSolution ad serving software. A hacker broke into the system and inserted the malware into served ads until it was noticed and shut down after about 12 hours. Just before Christmas the Santy worm showed up. The unique thing about this beast was that it used Google to find its victims. The worm used a phpBB vulnerability to deface vulnerable sites running that popular bulletin board software and queried Google to find the sites. The worm was of no danger to users of the sites; it just defaced the sites.
2005 - Bropia, Troj/BankAsh, Commwarrior, Chod, PSPBrick, DSTahen, MSIL/Idonus, Troj/Stinx-E
The end of January 2005 saw the Bropia worm, which targets MSN Messenger for spreading. A bit later the "F" version of this worm became popular because of the sexy.jpg file that spread with it. The 9th of February then saw Troj/BankAsh, the first Trojan to attack the new (still in beta) Microsoft AntiSpyware product. This Trojan also was reported to go after various British on-line banking services. The start of March saw distribution of another mobile phone worm: Commwarrior, which spread via MMS messaging. The end of March/start of April saw variants of Chod appear. This is a sophisticated worm that spreads via E-mail and the MSN Messaging client. Its messages are very close to what a real user would send and, for the first time, attempt to spoof the return address as being from an anti-virus company (Trend or Symantec, and Microsoft, although coming from Microsoft has been a social engineering ploy for some time now). 6 Oct brought the first Playstation Portable Trojan, PSPBrick. This malware does not spread by itself but comes disguised as a MOD for the PSP. When placed on the PSP the MOD erases a number of system files, which prevents the PSP from being restarted and basically turns it into a brick; thus the name. And, not to be outdone, on 12 Oct the Trojan DSTahen showed up, which basically does the same thing for the Nintendo DS system. Install the Trojan and you end up with a brick. 14 Oct saw MSIL/Idonus, which the maker wanted to be the first Vista virus; but because it uses .NET 2.0 and other systems that can be installed on earlier operating systems it wasn't, though it is unique nonetheless. On 10 November the Troj/Stinx-E Trojan horse appeared with a trick that hid itself beneath the Sony DRM software on systems with that software installed. The DRM software is designed to protect copyrighted audio but, in hiding itself, it provided an opportunity for malware to hide behind that software in the hope of avoiding detection.
Not something new but just to note that during the year Creative Labs shipped 3,700 Zen MP3 players carrying the Wullik-B virus.
2006 - OSX/Leap-A, OSX/Inqtana.A, Redbrowser.A, Icabdi.A, SubVirt, Bagoly, Yhoo32.explr, Stardust.A, Yamanner.A, W32.Chamb, OSX/Macarena, Grey Goo Attack, iAdware, JS/Quickspace.A
The first beast of 2006 that uses a previously unused attack vector appeared mid-February. OSX/Leap-A attacks the Macintosh OS X system instead of Windows. The worm spreads via the iChat instant messaging system, forwarding itself as a file called LATESTPICS.TGZ to contacts on the infected user's buddy list. The executable inside is disguised with a JPEG image icon to trick people into clicking on the executable file. The very next day (17 Feb) another new Mac worm appeared: OSX/Inqtana.A. This is a proof-of-concept worm that uses a Bluetooth OBEX Push transfer to move between machines. 28 Feb saw Redbrowser.A. While a Trojan, this appears to be the first J2ME (Java 2 Mobile Edition) malware and the first mobile malware that tries to steal money. Initial releases targeted only Russian users. On 7 March Icabdi.A became the first virus to infect a Microsoft InfoPath .XSN file. As usual with firsts, this was a proof-of-concept beast that is a Trojan dropper. In mid-March Microsoft, of all people, along with the University of Michigan developed the proof-of-concept SubVirt rootkit. SubVirt would live as a virtualization layer between the hardware and the "real" operating system and present its own operating system to the user; effectively taking over the computer. They developed the software to better understand how to attack their own software in order to better defend it [eWeek article]. On 22 April F-Secure announced a proof of concept virus called Bagoly that infects MATLAB m-file source files. The code is prepended to the start of the m-file. Around 19 May a unique Yahoo! IM malware called yhoo32.explr appeared. The unique thing this beast does is to install its own Web browser (called "Safety Browser") which has an icon that looks like IE. This browser takes people to sites that load the system with other malware. At the end of May a proof of concept macro virus called Stardust.A appeared.
The unique thing about this macro virus was that it was directed toward attacking StarOffice/OpenOffice documents instead of Word documents. This is the first known attack on this alternate office suite. On 12 June the Yamanner.A Javascript worm appeared as the first known exploit of the Yahoo! E-mail system. This was a zero-day exploit of the Yahoo! system, and the worm spread automatically if you simply opened an infected message using Internet Explorer. No attachment was necessary. On August 1st Symantec reported the appearance of W32.Chamb, a proof of concept infector of .CHM help files. 31 October saw the appearance of OSX/Macarena, the first infector of Macintosh OS X Mach-O files. Macarena was able to directly infect the program code and did not need to rely on a resource fork like Leap before it. Around 19 November a bunch of self-replicators appeared in Second Life, the multiplayer game. These were rings scripted with the Linden Scripting Language and, in general, called a Grey Goo attack. Late November saw the introduction of iAdware, the first spyware program for Mac OS X. It was proof-of-concept but indicates some attention is being given to the Macintosh platform. On 2 December there were reports of a Quicktime exploit affecting Myspace profiles. Called JS/Quickspace.A, the infected MOV file contains Javascript that will download a Javascript file which will modify your Myspace profile so that all who visit your Myspace profile will get infected as well. Of interest, but maybe not really historic, in November Spybot.ACYR showed up to exploit Symantec's Anti-Virus program. It used a hole discovered and patched some six months earlier but still managed to spread via careless users and other methods built into the malware.
The distribution of malware with products continued into 2006 when McDonald's in Japan gave out MP3 players containing the QQpass spyware Trojan and Apple sent out some video iPods with the RavMonE.exe virus on them. Google also distributed some E-mails to the Google Video Blog group containing W32/Kapser.A@mm, a mass mailing worm. Finally, on 29 December an unnamed proof-of-concept exploit was published against region tags in MMS SMIL, which are vulnerable to a buffer overflow that allows arbitrary code execution. The IPAQ 6315 and i-mate PDA2k are affected, and it's unknown if patches are available at the time of this writing.
2007 - Agent.BKY, iPod Linux Virus, TI.Tigraa.a, SB.Badbunny, WH/Vred.A, Zhelatin/Storm, IM-Worm:W32/Skipi.A, MSN Trojan
March 30th brought an animated cursor vulnerability which, two days later, was exploited by the Trojan downloader worm Agent.BKY. This beast infects HTML and other similar files and these, when viewed, download other malicious software. April 5th brought the announcement of a proof-of-concept (very buggy and unnamed) virus for the iPod; specifically for the iPod Linux operating system. On 29 May Viruslist.com posted the proof of concept TI.Tigraa.a memory resident 492 byte Trojan for the TI-89 graphing calculator line. It won't spread but introduces another device to malware. SB.Badbunny was reported out by Symantec on 7 June. The thing that makes this beast interesting is the fact that it spreads over multiple operating systems (including the Macintosh) using multiple languages (JavaScript on Windows, Ruby on the Mac, and Python on Linux) and OpenOffice macros while it attempts to spread via Instant Messaging. In the middle of June F-Secure announced WH/Vred.A, which is a proof-of-concept virus infecting WinHex scripts; the first to do so. While not new, the social engineering of the Zhelatin/Storm Trojan series was quite effective. As an example, in August the gang started sending messages indicating the receiver had applied to various sites and their temporary login name/password were included along with a link. At the link the well-designed page said a sign-in applet had to be downloaded. That applet contained the Trojan which then infected the machine. The messages were quite convincing to many. September saw the introduction of a Skype worm called IM-Worm:W32/Skipi.A. It spread via Skype's instant messaging and pointed people to what looked like a JPEG image but, instead, was a page with a malicious automatic download and just an image from a standard Windows screensaver. October saw a number of Trojan exploits of a PDF vulnerability.
While a patch was available for the vulnerability, many were affected because they did not update their PDF reading software and Microsoft delayed getting a Windows patch out. On November 18th a new MSN IM Trojan surfaced which was unique in its scan for VNC (Virtual Network Computing) instances. In December a Trojan that hijacks Google ads on Web pages was reported. One example would be Trojan.Qhost.WU. The Trojan is not on the Website but, instead, on your computer, and it intercepts requests for Google ads and serves ads from other sources where the Trojan writer can get the income. It's also possible the sites directed to will also contain malware to further infect your computer.