A Brief History of Malware

Malicious Software Has Been Around as Long as Computers

A malicious software (malware) program is any application that has a malicious intent. While most programs you install, or files you download, are completely free of viruses, some have hidden agendas that seek to destroy files, steal information from you, or even just annoy you.

This has been happening for a long time. The first computer virus was called Elk Cloner and was found on a Mac in 1982. January of 2011 saw the very first PC-based malware, named Brain, turn 25.

For reference, the first mass-marketed PC (the HP 9100A) came out in 1968.

Malware in the 1900s

In 1986, most viruses were found in universities and propagation was primarily due to infected floppy disks. Notable malware included Brain (1986), Lehigh, Stoned, Jerusalem (1987), the Morris worm (1988), and Michelangelo (1991).

By the mid-90s, businesses were equally impacted, which was due in large part to macro viruses. This meant that propagation had moved to the network.

Notable malware for this period includes DMV, the first proof of concept macro virus, in 1994. There was also Cap.A in 1997, which turned out to be the first high-risk macro virus, and CIH (aka Chernobyl) in 1998, the first virus to damage hardware.

By the latter part of the 90s, viruses had begun impacting home users as well, with email propagation ramping up. Notable malware in 1999 included Melissa, the first widespread email worm, and Kak, the first and one of the very few true email viruses.

21st Century Malware

At the start of the new millennium, internet and email worms were making headlines across the globe.

  • May 2000: Loveletter was the first high-profile profit-motivated malware
  • February 2001: The Anna Kournikova email worm
  • March 2001: The Magistr, like the CIH before it, also impacted hardware
  • July 2001: The Sircam email worm harvested files from the My Documents folder
  • August 2001: The CodeRed worm
  • September 2001: Nimda, a web, email, and network worm

As the decade progressed, malware almost exclusively became a profit-motivated tool. Throughout 2002 and 2003, web surfers were plagued by out-of-control popups and other JavaScript bombs.

FriendGreetings ushered in manually driven, socially engineered worms in October 2002, and SoBig began surreptitiously installing spam proxies on victims' computers. Phishing and other credit card scams also took off during this period, along with the notable internet worms Blaster and Slammer.

  • January 2004: An email worm war broke out between the authors of MyDoom, Bagle and Netsky. Ironically, this led to improved email scanning and higher adoption rates of email filtering, which eventually spelled a near demise of mass-spreading email worms.
  • November 2005: The discovery and disclosure of the now infamous Sony rootkit led to the eventual inclusion of rootkits in most modern day malware.
  • 2006: Pump & Dump and money mule job scams joined the growing numbers of Nigerian 419 scams, phishing, and lottery scams in 2006. Though not directly malware-related, such scams were a continuation of the theme of profit-motivated criminal activity launched via the internet.
  • 2007: Website compromises escalated in 2007 due in large part to the discovery and disclosure of MPack, a crimeware kit used to deliver exploits via the web. Compromises included the Miami Dolphins stadium site, Tom's Hardware, The Sun, MySpace, Bebo, Photobucket, and The India Times website.

    By the end of 2007, SQL injection attacks had begun to ramp up, netting victim sites such as the popular Cute Overload and IKEA websites.
  • January 2008: By now, web attackers were employing stolen FTP credentials and leveraging weak configurations to inject IFrames on tens of thousands of mom & pop style websites, the so-called long tail of the web.

    In June 2008, the Asprox botnet facilitated automated SQL injection attacks, claiming Walmart as one of its victims. Advanced persistent threats emerged during this same period as attackers began segregating victim computers and delivering custom configuration files to those of highest interest.
  • 2009: In early 2009, Gumblar, the first dual botnet, emerged. Gumblar not only dropped a backdoor on infected PCs and used it to steal FTP credentials, it used those credentials to hide a backdoor on compromised websites as well. This development was quickly adopted by other attackers.

    The result: today's website compromises no longer track back to a handful of malicious domain hosts. Instead, any of the thousands of compromised sites can interchangeably play the role of malware host.
  • 2010: Industrial computer systems were targets of the 2010 Stuxnet worm. This malicious tool targeted programmable logic controllers in order to control machinery on factory assembly lines. It was so damaging that it's thought to have been the cause of the destruction of several hundred of Iran's uranium enriching centrifuges.
  • 2011: A Microsoft-specific Trojan horse called ZeroAccess downloads malware on computers via botnets. It's mostly hidden from the OS using rootkits, and is propagated by bitcoin mining tools.

Malware Volume and Antivirus Vendor Revenues

The volume of malware is merely a by-product of distribution and purpose. This can best be seen by tracking the number of known samples against the era in which they occurred.

For example, during the late 80s most malicious programs were simple boot sector and file infectors spread via floppy disk. With limited distribution and less focused purpose, unique malware samples recorded in 1990 by AV-TEST numbered just 9,044.

As computer network adoption and expansion continued through the first half of the 90s, distribution of malware became easier, so volume increased. Just four years later, in 1994, AV-TEST reported a 300% increase, putting the unique malware samples at 28,613 (based on MD5).

As technologies standardized, certain types of malware were able to gain ground. Macro viruses that exploited Microsoft Office products not only achieved greater distribution via email, they also gained a distribution boost by the increased adoption of email. In 1999, AV-TEST recorded 98,428 unique malware samples, which was a 344% bump from five years prior.

As broadband internet adoption increased, worms became more viable. Distribution was further accelerated by increased use of the web and the adoption of so-called Web 2.0 technologies, which fostered a more favorable malware environment. In 2005, 333,425 unique malware samples were recorded by AV-TEST. That's 338% more than 1999.

Increased awareness of web-based exploit kits led to an explosion of web-delivered malware throughout the latter part of the millennium's first decade. In 2006, the year MPack was discovered, AV-TEST recorded 972,606 unique malware samples, which is 291% higher than just seven years before.

As automated SQL injection and other forms of mass website compromises increased distribution capabilities in 2007, malware volume made its most dramatic jump, with 5,490,960 unique samples recorded by AV-TEST in that year. That's a whopping 564% increase in just one year.

Since 2007, the number of unique malware samples has continued to grow exponentially, doubling or more each year. Currently, vendor estimates of new malware samples range from 30k to over 50k per day. Put another way, the current monthly volume of new malware samples is greater than the total volume of all malware from 2006 and previous years.

Antivirus/Security Revenue

During the "sneakernet" era in the late 80s and early 90s, antivirus vendor revenues were collectively less than $1B USD. By 2000, antivirus revenues had increased to around $1.5B.

  • 2001 - $1.8B
  • 2002 - $2.06B
  • 2003 - $2.7B
  • 2004 - $3.5B
  • 2005 - $7.4B
  • 2006 - $8.6B
  • 2007 - $11.3B
  • 2008 - $13.5B
  • 2009 - $14.8B
  • 2010 - $16.5B

While some may point to the increasing antivirus and security vendor revenues as "proof" that antivirus vendors profit from (and thus create) malware, the math itself does not bear out this conspiracy theory.

In 2007, for example, antivirus revenues grew by 131% but malware volumes increased 564% that year. Additionally, antivirus revenue increases are also the result of new companies and expanding technologies, like security appliances and cloud-based security developments.