best antivirus


The history of viruses

The term "virus" was first used to describe a computer program in the science fiction short story "The Scarred Man" by Gregory Benford in 1970. In the story he mentioned the first virus-like software, which he had written in the FORTRAN language in 1969.

However, John von Neumann had suggested working examples of programs with a self-replicating mechanism in 1951.

In 1957 the journal Nature published a description of two-dimensional model structures capable of activation and capture. Based on the material in the article, F. G. Stahl programmed a model of creatures that were able to move and "feed" on nonzero words. When the number of words reached a certain value, the creature was able to multiply, and its "children" were also able to mutate. If a creature received no "food" for some time, it perished.

In 1961 Bell Telephone Laboratories released a video game called Darwin. Every player could create programs called organisms and load them into the computer's memory. One player's "organisms" deleted another player's, thus invading "new territory". The player whose organisms captured the whole computer memory or received the highest score became the winner.

The term "computer virus" was used in its modern meaning in the science fiction movie Westworld in 1973.

The definition of the term changed several times. For example, in 1975 in the ANIMAL program, "virus" was the name given to a variable responsible for spreading the program over the disk.

According to one of the earliest accounts, a virus called Creeper was detected in the ARPANET network in 1973. It was able to penetrate the network and transfer a copy of itself to a remote system, displaying a message about its presence. However, there is no accurate information about this incident.

According to another legend, the Rabbit software appeared in 1974. It copied itself and consumed computer resources, degrading system performance, which resulted in system failures. But Rabbit was a local event and could not be transmitted to other systems.

A video game called Pervading Animal was written specially for the Univac system. A user thought of an animal and the game was supposed to guess it by asking various questions. A self-learning feature was also available: if the game was not able to guess the animal, users could add new questions themselves. The new, changed version of the game was written over the old one and was copied to other directories to be available to other players. Some time later, copies of the game were stored in every directory on the disk. The engineers had not planned for this, so they released a new program version called Hunter. It was designed to replace all copies of the program with its own and then self-destruct.

The Virus 1,2,3 and Elk Cloner viruses for the Apple II, though they had similar functions, appeared independently of each other in 1981. Elk Cloner has every right to be called the first officially documented virus. It was placed in the installation directory of a floppy disk, and after penetrating a computer it rotated images, distorted text and displayed messages about its presence.

In 1983 F. Cohen demonstrated a virus program able to get into other objects. A year later he provided a scientific basis for the term "computer virus", defining it as "a program able to infect other programs implanting its copies in them and thus changing their source code".

In 1986 the first global epidemic, of the Brain virus, occurred. Like Elk Cloner, it infected the disk boot sector. The epidemic spread like wildfire and very soon reached the whole world, because users were not aware of it and had no antivirus software. Brain did not corrupt information; it only changed floppy disk labels. Nevertheless, it can be considered the first stealth virus. It replaced the infected boot sector with the original file.

R. Burger created a program that replicated itself by adding its own code to MS DOS executable files in COM format. In 1987 he examined a new virus called Vienna, which also infected MS DOS files. He published all his results in the book "Computer Viruses: A High Tech Disease", in which he tried to explain how and why viruses were created. Later, thousands of viruses were written based on the book.

The Lehigh virus appeared, infecting only the COMMAND.COM file. A number of other viruses appeared as well that infected only the COM format: Surviv-1 and Surviv-2. Surviv-3 was able to infect even EXE files. The Cascade virus is known as the first self-encrypting virus. The Yale, Stoned and PingPong boot viruses were also among them.

The same year, an epidemic of the Christmas Tree network virus occurred. It sent an image of a Christmas tree to all available addresses. A few days later it had practically paralyzed the whole network. The first antivirus software appeared as well, such as VACCINE and the SWEEP scanner.

The next epidemic took place in 1988. Surviv-3 (Jerusalem) started its attack on Friday, May 15. It deleted all files used by people on their computers. Numerous such incidents were happening all over the world.

New companies started developing antivirus software, which was usually amateur. These programs were simple scanners that searched for a unique code sequence peculiar to a virus. So-called immunizers were also written, which modified programs so that viruses treated them as already infected and did nothing. Of course, over time, as the number of viruses grew significantly, the immunizers lost their popularity because they could not handle the new viruses that were constantly being developed.

The first network worm appeared. It was called the Morris Worm. It exploited holes in the Unix security system (buffer overflow). Like Christmas Tree, it sent out multiple copies of itself and launched them, overloading all network resources. Initially the worm was written to secretly penetrate computers on the ARPANET network and stay there unnoticed. It also cracked passwords to gain access to the system. Because of some bugs in its code, the worm was detected and started replicating itself uncontrollably, infecting over 10 percent of all servers connected to the network.

In 1989 the Ghostball virus was detected, one of the first multipartite viruses. The Datacrime virus launched formatting of the hard drive's boot sector, causing mass panic in the USA. The WANK Worm replaced system messages with its own and changed the user's password to a random character set.

The DATACRIME viruses spread unbelievably quickly. At first they just copied themselves, and from October 12 they started destroying the file system. The first Trojan horse, called AIDS, appeared on floppy disks containing a virus. It penetrated the system, created its own files, changed system data, and after 90 OS reboots blocked access to any information stored on the hard drive. The virus displayed a message demanding that a check for 189 or 378 dollars be sent to the specified address. The same year a new virus called The Dark Angel was released. It was the first virus able to resist antivirus software, infecting new files while the antivirus scanned the hard drive.

In early 1990 a new class of polymorphic viruses appeared, the first of which was Chameleon. It was developed on the basis of earlier viruses, namely Vienna and Cascade. Its body was encrypted, with every infected file containing a different cipher key and code. A number of Bulgarian viruses were released, such as Murphy, Nomenclatura, etc. The first BBS allowed a user to download any virus they liked from the list in exchange for their own virus. Disk Killer, which spread via PC Today, wiped all files stored on the disk. Then the invisible viruses Frodo and Whale (at 9 KB, one of the largest viruses of that time) were released, with several levels of encryption and sophisticated camouflage schemes.

The next epidemic, of the polymorphic viruses Tequila and Amoeba, broke out in 1991, and Dir II used link technology to infect objects.

Since 1992, file-downloading viruses for the most popular operating system, MS DOS, have appeared because of the rapid development of the Internet. Network viruses started losing their popularity. The MtE polymorphic generator, which came with a detailed description, provided a basis for new viruses. An epidemic of Michelangelo (March6) took place. It was the first time antivirus software developers caused mass hysteria to draw users' attention to their programs and thus increase profits. VCL and PS-MPC were designed as virus constructors, giving anyone the ability to write their own virus in just a couple of mouse clicks. Malware capable of infecting Win.Vir_1_4 files was detected in Windows 3.x. Viruses started actively fighting antivirus software. Thus, the Peach virus wiped the Central Point Antivirus database.

Since 1993, brand new viruses have appeared in addition to the existing ones. They used rather unusual methods of infecting data, penetrating systems and camouflaging themselves. The PMBS virus seemed to be able to exist even in the protected processor mode (Intel 80386); the invisible Strange camouflaged itself in the system.

The problem of 1994 lay in the numerous viruses stored on extremely popular CDs. The mass media were panic-stricken over two complex polymorphic viruses (SMEG.Pathogen and SMEG.Queeg). The Shifter virus infected OBJ files, and SrcVir was one of the viruses infecting the source code of programs written in C and Pascal. OneHalf caused an epidemic in 1994. It penetrated the installation file and then encrypted data on the hard disk. When the files were accessed, it decrypted them and passed them on. Then a message appeared stating that half of the disk was encrypted. Deleting the virus caused data loss, because the system was not able to use the encrypted partitions of the disk. The virus also encrypted the disk's boot sector so that the operating system was not able to start. As a result, all information stored on the disk was unavailable.

In 1995 the first macro virus was detected. Such dangerous monsters as NightFall, Nostradamus and Nutcracker were also noticed. The rather unusual "hermaphrodite" RMNS infected data only when its two parts, female and male, met. The disk with the Windows 95 demo version contained the Form boot virus. Even the word processor MS Word had its own virus, called Concept, which spread all over the world.

The first virus for Windows 95, Boza, was released in January 1996. Later an epidemic of Tentacle (for Windows 3.x) broke out. This type of virus used to be hidden by the developers. OS2.AEP was the first virus able to successfully infect EXE files of OS/2. Macros written in Visual Basic were included not only in MS Word but in MS Excel as well, which led to the appearance of the Laroux virus for MS Excel. Another incident happened at Microsoft: the macro virus Wazzu was found in one of the Word documents. Later it appeared on the company's disks at an exhibition. On the whole, the year 1996 marked the era of viruses for 32-bit operating systems.

The first virus for Linux, Bliss, appeared in 1997. ShareFun marked a new level of development of macro viruses for MS Office 97. This virus was able to spread via email. The network worm Homer used the FTP protocol for the first time. Viruses started using Internet technologies more and more actively. An Internet worm family called Relay Chat appeared.

Apart from viruses, Trojan programs that steal various passwords, and applications for hidden administration (backdoors), started appearing. In early 1998 an invasion of DeTroie viruses not only infected Windows files but also passed information about infected computers to the developer. A new class of viruses for Excel called Paix appeared. It used not macros but formulas containing self-reproducing code. Later the first polymorphic viruses for Windows appeared. AccessiV, the first virus for MS Access, didn't cause considerable panic. The first multi-platform macro virus, called Cross, was able to infect both Word and Access applications, which led to the appearance of a new macro virus family that transplanted its code from one MS Office application into another (Tristate). The RedTeam virus infected Windows EXE files and spread via email.

CIH (Chernobyl) provoked the most destructive epidemic in history. It wiped the Flash BIOS, so users had to replace the memory board and sometimes even the motherboard. The virus also deleted information stored on hard disks. The BackOffice utility allowed remote administration of computers and networks. StrangeBrew infected Java exe files, showing that viruses were able to infect even web server applications. Rabbit infected VBS files, which prompted hackers to write the first HTML virus, called Internal. At the end of 1998 several viruses for MS PowerPoint (Attach, ShapeShift, etc.) were written.

1999 was rich in worm viruses. Happy99 (Ska) spread via Outlook. The Caligula macro virus scanned the system registry and, on finding PGP encryption keys, copied the database and sent it to the specified FTP server. SK became the first virus able to infect HLP files. Melissa was a symbiosis of an MS Word macro virus and an Internet worm. After infecting a system, it started sending copies of itself to every address it found, generating huge Internet traffic and crippling the whole email system. The Gala virus infected the CorelDRAW graphics program and other applications of the sort. A worm called ExploreZip masqueraded as Windows source files and wiped program texts and MS Office data. Infis could penetrate the system driver area and was invulnerable to any antivirus software. One more object infecting MS Project appeared. A new class of worms appeared that spread via email without attachments and infected a computer as soon as the letter was read (Bubbleboy, KakWorm). Babylonia performed remote updating, synchronizing with a server and receiving updated modules from it. Some months later Sonic and Hybris adopted this technology.

In early 2000, Windows 2000 and Visio suffered attacks by the Intra, Radiant and Unstable viruses. The script virus "I love you" became the most harmful in history, causing 10 billion dollars in damages. It wiped data from disks and spread invisibly to all addresses found in Outlook. This virus was even mentioned in Guinness World Records. Timofonica was called a cell phone virus because it sent messages to random telephone numbers. Star appeared in the summer and infected AutoCAD. The Dilber virus contained the code of five viruses at once, so it launched the infection procedures of its different components. The Jer worm got into a computer via a web site where it had been placed beforehand; the site was then promoted to attract more users. The first Trojan for PalmOS, called Liberty, wiped all files but didn't spread further. Unlike Liberty, Phage not only deleted EXE files but also placed its own. Stream hid its code in "NTFS additional streams", while Fable hid in PIF files (information files). Pirus is known to be the first virus written in the PHP language. To implant the Hybris virus, an electronic conference was used, through which it was able to update its modules.

In 2001 the first worm for RedHat Linux, called Ramen, appeared. It infected remote systems, spreading and causing a "buffer overflow" error. It also changed home pages on infected computers. The Mandragore worm propagated via P2P networks in a very interesting way: it masqueraded as a server and sent its own copy in reply to any request. The Lee (Kournikova) mail worm posed as real information about the tennis player and sent emails in her name. An epidemic of an extremely complex polymorphic virus called Magistr broke out. It infected network folders and EXE files. The Eurosol Trojan attacked WebMoney several times. The CodeRed epidemic led to thousands of infected computers running Windows 2000 all over the world. CodeRed didn't create any data on disks; it transmitted its own data via the network and launched itself. The worm was located in main memory. The absence of a firewall was the reason the virus spread so quickly. It also intercepted users' requests to the site and displayed its own message instead of the site content. Moreover, every month it attempted to attack the site of the White House. Soon afterwards analogous worms appeared, namely BlueCode, CodeGreen and SirCam. The latter spread classified confidential data, such as bank agreements and commercial information, via email. The Nimda worm propagated via the Internet using sites, its copies on open resources, and email.

The Myparty email virus hid behind a link to a site using the popular ".com" domain. Windows executable files have the same filename extension. More and more new viruses appeared (Tanatos, Lentin, Zircon and Benjamin). Malware called Klez became the leader among other viruses. Spida infected SQL servers. Scalper, a network worm attacking the FreeBSD system, spread like wildfire.

In February 2003 the Slammer network virus increased the load on the Internet by 25 percent, with some networks being paralyzed. Serious damage was inflicted by a worm called Lovesan, whose attack coincided with global blackouts in the largest US cities. Welchia was a worm that caused system failures but at the same time cured computers infected with Lovesan. The mail virus Sobig spammed computers with countless copies of itself and faked the sender's address to hide itself. Mimail intercepted personal data of E-gold users and sent it to specified email addresses.

In early 2004 a new class of worms appeared. One of its representatives, called Bagle, could create a proxy server with a Trojan and send spam. Mydoom decreased the performance of many companies' mail servers. Like Bagle, the worm installed a proxy server and sent spam. In addition, a backdoor Trojan was installed on infected computers, performing a DDoS attack. Doomjuice spread on computers infected by Mydoom. The global Sasser epidemic crippled thousands of computers all over the world, and several banks were closed. Rugrat became the first virus capable of infecting data on the 64-bit Windows OS. The rather unusual virus Cabir used a Bluetooth connection to infect smartphones on the Symbian platform. Duts used the same principle, though it infected Windows Mobile devices. It was followed by Brador, a backdoor Trojan for these devices.

The Zotob worm attacked some mass media outlets in 2005, thereby attracting much attention to itself. 2006 marked the appearance of the first virus for RFID tags. Nyxem was a worm that propagated by email. It activated on the third day of every month and crippled all programs responsible for security and file sharing. It also destroyed MS Office files.

The first worm for Mac OS X, called Leap, appeared in 2006. It infected files and spread copies of itself through networks. RedBrowser is known to be the first Trojan executing Java applications and sending SMS messages to paid services.

At the beginning of 2007, Storm created a whole network bearing the same name, covering over 10 million computers.

In summer 2008 the new GPCode encrypted users' information stored on the hard drive (.doc, .xls, .pdf, .txt, .cpp, .png, .jpg and other files) using a 1024-bit key. For the time being it is impossible to decrypt this information. To break this algorithm one would need a cluster of 15×10^6 computers working for 12 months.

Induc appeared one year later. It was able to infect Delphi work files. As a result, any program compiled in such an infected Delphi environment already contained the virus code.

Today the number and types of viruses are increasing dramatically. They are being developed in various directions and have a wide range of features.