Introduction:

I have, for as long as I can remember, had a keen interest in computer viruses and how they work. This has often sent me on a journey through many lines of code (to begin with it was mostly ASM), looking at how each virus found its attack surface and hit it. Today I have taken a step back and instead looked a bit at the history of computer viruses to see what we can learn from it.

The history of computer viruses is a gripping tale that spans several decades, reflecting the constant cat-and-mouse game between malicious actors and cybersecurity experts. From the early days of experimentation to the sophisticated threats we face today, this blog post delves into the fascinating evolution of computer viruses, examining the impact on society, infection statistics, and providing a glimpse into the code of some early viruses.

The Genesis of Computer Viruses

The concept of computer viruses emerged in the early 1970s, coinciding with the rise of personal computers. The term “computer virus” was first coined by computer scientist Fred Cohen in 1983. Initially, viruses were simple, self-replicating programs that aimed to disrupt computer systems, spread to other machines, and in some cases, display a message or image.

Early Infections and Impact on Society

The Creeper virus, developed in 1971, is considered one of the earliest computer viruses. It infected DEC PDP-10 computers running the TENEX operating system, displaying the message “I’m the creeper, catch me if you can!” as it replicated. While Creeper had a limited impact due to the isolated nature of the computer systems at the time, it laid the groundwork for future, more destructive viruses.

One of the early landmarks in the world of computer viruses was the emergence of the Brain virus in 1986. Created by two Pakistani brothers, Basit and Amjad Farooq Alvi, the Brain virus is widely regarded as the first PC virus to infect IBM-compatible personal computers.

The Brain virus, also known as the Lahore or Pakistani flu, spread through infected floppy disks, a popular means of data exchange during that era. Upon infection, the virus would display a message containing the contact information of its creators, indicating a more benign intent compared to later, more destructive viruses.

A hex editor view of the boot sector of a floppy that was infected by the Brain virus.

The Brain virus marked a shift in the perception of computer viruses from mere experiments to potential threats. Its relatively benign nature, displaying contact information rather than causing significant harm, served as a harbinger of the ethical debates surrounding computer security and hacking culture.

While the Brain virus did not cause widespread damage, it raised awareness about the vulnerability of personal computers to malicious code. Users who fell victim to the Brain virus experienced system slowdowns and, in some cases, data corruption. The relatively low impact of the Brain virus, however, contrasts sharply with the more destructive viruses that would follow in the years to come.

Morris Worm: Unleashing Chaos on the Internet

The Morris Worm, unleashed on November 2, 1988, by Robert Tappan Morris, a graduate student at Cornell University, is infamous for its unintended impact on the nascent Internet. Morris aimed to measure the size of the internet by creating a self-replicating program that would spread across connected computers. However, a coding error resulted in the worm spreading much more aggressively than intended.

A funny picture of an internet worm

The Morris Worm targeted Unix-based systems, exploiting vulnerabilities in common utilities such as Sendmail, Finger, and the rsh/rexec services. Once infected, a system would become a host for the worm, which then sought out and infected other vulnerable systems. The rapid and uncontrolled spread of the worm led to a significant degradation of system performance, causing widespread disruption.

An interesting paper on the Morris Worm can be found here: https://spaf.cerias.purdue.edu/tech-reps/823.pdf

The Morris Worm’s unintended consequences were profound. It infected an estimated 6,000 computers, which represented a significant portion of the Internet at the time. The worm’s relentless replication and consumption of system resources caused widespread network congestion and service disruptions.

The total cost of the Morris Worm incident, including the time and resources spent on containment and recovery, was estimated to be between $100,000 and $10 million. This event underscored the potential economic impact of malicious software and prompted a heightened awareness of the need for improved cybersecurity measures.

I Love You and the Awakening of Internet Viruses

The “I Love You” virus, also known as the Love Bug, made headlines in May 2000 as one of the most devastating and widespread malware attacks in the early days of the internet. Originating in the Philippines, the virus propagated through infected email attachments with the subject line “ILOVEYOU.” Once opened, the attachment contained a malicious script that overwrote files and sent copies of itself to the victim’s email contacts.

The Love Bug’s success was attributed to its clever use of social engineering, preying on users’ emotions with a seemingly harmless and intriguing subject line. The virus quickly spread globally, infecting millions of computers within hours and causing an estimated $5.5 to $8.7 billion in damages. Its impact was felt across businesses, government agencies, and individual users, highlighting the effectiveness of social engineering tactics in cyberattacks. To this day, you can still find remnants of the defenses against this virus in anti-spam/anti-virus software such as ClamAV and SpamAssassin.

Melissa Virus and Macro Malware

In March 1999, the Melissa virus emerged, demonstrating a new method of spreading malware by targeting Microsoft Word macros. The virus was distributed through infected Word documents attached to emails with enticing subject lines. Once opened, the document executed a macro that replicated the virus and sent itself to the first 50 contacts in the user’s Microsoft Outlook address book.

The Melissa virus quickly became one of the fastest-spreading viruses of its time, infecting thousands of systems and causing widespread disruptions. Its success paved the way for the evolution of macro malware, prompting increased awareness of the dangers associated with enabling macros in office documents.

Example of the Melissa virus email. Credit: heise.de

Microsoft has tried many things to prevent MS Office macros from being abused for malware, but has not yet succeeded. In 2023, they added support for writing macros in the Python language, and many computer security experts expect this to escalate the use of macros for malware once again.
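Both the Love Bug and Melissa arrived as email attachments with a lure in the subject line, and that is still how mail gateways catch their descendants. The following triage routine is an added example, not code from the original post or from ClamAV/SpamAssassin: it flags script attachments hiding behind a double extension, macro-capable Office attachments, and the known subject-line hooks. The “ILOVEYOU” subject is from the post; the Melissa subject prefix and the Love Bug attachment name are taken from the public record, not from this page, and the sample message is constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows will execute as scripts or programs when double-clicked.
SCRIPT_EXTS = {'.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.scr', '.pif', '.bat', '.cmd', '.exe'}
# Legacy and macro-enabled Office formats that can carry VBA macros (Melissa used .doc).
MACRO_EXTS = {'.doc', '.dot', '.xls', '.docm', '.xlsm'}
# Subject-line lures: the Love Bug's "ILOVEYOU" and Melissa's "Important Message From ..." prefix.
KNOWN_SUBJECTS = ('iloveyou', 'important message from')

def split_exts(name):
    """Return every extension of a filename, lower-cased, e.g. 'A.TXT.vbs' -> ['.txt', '.vbs']."""
    parts = name.lower().split('.')
    return ['.' + p for p in parts[1:]] if len(parts) > 1 else []

def triage(raw_bytes):
    """Return a list of human-readable findings for one RFC 5322 message (empty if clean)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = (msg['subject'] or '').strip().lower()
    if subject.startswith(KNOWN_SUBJECTS):
        findings.append(f"subject matches mass-mailer lure: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ''
        exts = split_exts(name)
        if not exts:
            continue
        if exts[-1] in SCRIPT_EXTS:
            tag = "script attachment"
            if len(exts) > 1:
                tag += " with double extension"   # 'LOVE-LETTER-FOR-YOU.TXT.vbs' looks like a .txt
            findings.append(f"{tag}: {name}")
        elif exts[-1] in MACRO_EXTS:
            findings.append(f"macro-capable Office attachment: {name}")
    return findings

def build_love_bug_sample():
    """Constructed message mimicking the Love Bug lure; the attachment body is inert placeholder text."""
    m = EmailMessage()
    m['From'] = 'friend@example.net'
    m['To'] = 'victim@example.org'
    m['Subject'] = 'ILOVEYOU'
    m.set_content('kindly check the attached LOVELETTER coming from me.')
    m.add_attachment(b'placeholder, not a script', maintype='application',
                     subtype='octet-stream', filename='LOVE-LETTER-FOR-YOU.TXT.vbs')
    return bytes(m)

def build_clean_sample():
    """Constructed benign message used as the negative control."""
    m = EmailMessage()
    m['From'] = 'colleague@example.net'
    m['To'] = 'victim@example.org'
    m['Subject'] = 'Meeting notes'
    m.set_content('Notes from today attached as plain text.')
    m.add_attachment('1. agenda\n2. actions\n', filename='notes.txt')
    return bytes(m)
```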

Code Red and the Rise of Internet-Wide Threats

In July 2001, the Code Red worm exploited a vulnerability in Microsoft Internet Information Services (IIS) servers, illustrating the potential for internet-wide threats. Code Red defaced websites with the message “HELLO! Welcome to http://www.worm.com! Hacked by Chinese!” and then proceeded to target other vulnerable servers.

All it took to infect the server was an overly long request like the one below:

GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0

Code Red’s ability to spread rapidly, combined with its defacement capabilities, showcased the power of worms to compromise internet infrastructure. The worm infected hundreds of thousands of servers worldwide and led to significant downtime and disruptions. This incident emphasized the importance of prompt software patching and the need for robust security practices to protect against emerging threats.

Even after Code Red, it still took several years before companies had finally patched all of the servers that were vulnerable to the flaw the worm exploited.
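The request above is easy to recognise in a web server log long after the fact, which is how many administrators first learned they had been hit. The scanner below is an added example, not code from the original post: it parses Common Log Format lines (constructed sample lines, not real traffic), picks out requests to the .ida/.idq indexing extension, and flags the traits visible in the request shown above: an oversized query string, a long run of identical filler characters, and repeated %u escapes. The length thresholds are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Common Log Format; the second one mirrors the request in the post.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:10:02:41 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.11 - - [19/Jul/2001:10:02:45 +0000] "GET /default.ida?{filler}%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 200 0
192.0.2.12 - - [19/Jul/2001:10:03:01 +0000] "GET /default.ida?lang=en HTTP/1.0" 404 312
""".format(filler="N" * 224)

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+$')

MAX_QUERY = 200          # assumed: no legitimate indexing query is this long
MIN_FILLER_RUN = 50      # assumed: a run of 50+ identical bytes is padding, not a search term

def classify_request(target):
    """Return a reason string if the request target looks like a Code Red probe, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(('.ida', '.idq')):
        return None                     # only the ISAPI indexing extension was affected
    query = parts.query
    reasons = []
    if len(query) > MAX_QUERY:
        reasons.append(f"query length {len(query)} > {MAX_QUERY}")
    if re.match(r'^(.)\1{%d,}' % (MIN_FILLER_RUN - 1), query):
        reasons.append("long run of identical filler characters")
    if re.search(r'(%u[0-9a-fA-F]{4}){3,}', query):
        reasons.append("repeated %u escapes in query")
    return "; ".join(reasons) if reasons else None

def scan_log(text):
    """Run classify_request over every parsable log line; return the suspicious ones."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue                    # skip lines that are not in CLF
        reason = classify_request(m.group('target'))
        if reason:
            hits.append({'ip': m.group('ip'), 'time': m.group('ts'),
                         'status': m.group('status'), 'reason': reason})
    return hits

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```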

SQL Slammer: A Rapid and Disruptive Worm

In January 2003, the SQL Slammer (also known as SQL Hell or Sapphire) worm exploited a vulnerability in Microsoft SQL Server, causing widespread internet outages within minutes of its release. The worm’s compact code allowed it to spread at an unprecedented rate, infecting over 75,000 servers in just a few hours. The map below shows the spread around the world just 30 minutes after the virus was first encountered.

SQL Slammer’s impact demonstrated once again the critical importance of promptly applying security patches, as the worm exploited a vulnerability for which a patch had been available for six months. The incident underscored the need for proactive security measures and highlighted the potential for rapid and disruptive internet-scale attacks.

Societal Costs and conclusion

Quantifying the exact cost of computer viruses on society is challenging, as it involves not only direct financial losses but also the indirect costs associated with system downtime, data loss, and the efforts to mitigate and prevent future infections. According to some estimates, the global cost of cybercrime reached $1 trillion in 2020, with viruses (in the form of malware/ransomware) playing a significant role in this economic impact.

In tracing the evolution of computer viruses from their modest beginnings to the present day, I have embarked on a journey that unveiled the relentless push and pull between cybersecurity innovations and the ingenuity of malicious actors. From the pioneering days of the Creeper virus and the Brain virus, which marked the dawn of computer viruses, to the unintended chaos caused by the Morris Worm and the socially engineered devastation of the “I Love You” virus, each chapter in this narrative underscores the ever-present threat that looms over our interconnected digital world.

The 1990s witnessed an escalation in both the sophistication and scale of cyber threats, with viruses like Melissa, Code Red, and SQL Slammer exploiting vulnerabilities in software and challenging the resilience of the emerging internet infrastructure. These incidents not only disrupted businesses and individuals but also catalyzed a paradigm shift in how society perceives and combats cyber threats.

As we transition into the 21st century, the threat landscape continues to evolve with the emergence of ransomware, advanced persistent threats (APTs), and sophisticated nation-state-sponsored attacks. The battle between cyber defenders and adversaries has become more complex, necessitating continuous innovation in cybersecurity practices, threat intelligence, and collaborative efforts across the global community.

The lessons learned from the history of computer viruses serve as a guiding light for contemporary cybersecurity strategies. We’ve witnessed the importance of proactive measures such as timely software patching, user education to thwart social engineering tactics, and the imperative of a collective, global response to combat the ever-adapting tactics of cybercriminals.

While the story of computer viruses has been marked by challenges and disruptions, it also reflects the resilience and adaptability of the cybersecurity community. From the early pioneers who grappled with the Creeper and Brain viruses to the modern defenders facing advanced and persistent threats, the pursuit of a secure digital environment remains a collective endeavor.

As we navigate the evolving landscape of cybersecurity, the lessons gleaned from the history of computer viruses serve as a foundation upon which we build our defenses, fostering a future where technology and security coexist harmoniously. The ongoing commitment to innovation, education, and collaboration will be the key to securing our digital world against the ever-present threat of malicious actors.