A Brief History of Malware

Malicious software has been around as long as computers


A malicious software (malware) program is an application whose developer or distributor has malicious intent. While most programs and files you install or download are harmless, some are designed to further hidden agendas, such as destroying your files, stealing your information, or extorting a payment.

Attackers have long used a variety of methods to get malware onto as many computers as possible. The first virus known to spread in the wild, Elk Cloner, was found on Apple II systems in 1982. In 1986, the first PC-based malware, the Brain boot sector virus, was released.

Malware in the 1980s and 1990s

During the late 1980s, most malicious programs were simple boot sector and file infectors spread via floppy disk. As computer networks were adopted and expanded through the first half of the 1990s, malware distribution became easier and volume increased.

As technologies standardized, certain types of malware proliferated. Macro viruses, written in the macro language of Microsoft Office documents and spread as email attachments, gained a distribution boost from the increased adoption of email. By the mid-1990s, businesses were increasingly affected, due in large part to macro viruses, and propagation had become network-driven.

Distribution was further accelerated by the growth of internet use and of web-based services, which fostered a more favorable malware environment. By the late 1990s, viruses had begun to affect home users, with email propagation ramping up. Below is a sampling of specific viruses released during this period:

  • Brain (1986) was the first "stealth" virus, i.e. one that included means to hide its presence: it intercepted disk reads so that a clean copy of the boot sector was returned instead of the infected one.
  • Jerusalem was a DOS virus discovered in 1987.
  • The Morris Worm, released in 1988, was the first known to be distributed via the internet.
  • Michelangelo, discovered in 1991, was designed to infect DOS-based systems.
  • CIH (also known as Chernobyl) was a Microsoft Windows 9x virus released in 1998; its payload overwrote the flash BIOS and the start of the hard disk on affected machines.
  • Melissa was a Word macro virus discovered in 1999 that mailed itself to contacts in the victim's Outlook address book.

Malware in the 21st Century

An increase in the use of exploit kits (packaged tools that cybercriminals use to exploit browser and system vulnerabilities from a compromised or malicious web page) led to an explosion of malware delivered online during the 2000s. Automated SQL injection (a technique that abuses unsanitized input to run attacker-controlled queries against a web application's database) and other forms of mass website compromise increased distribution capabilities in 2007. Since then, the volume of malware has grown rapidly year over year.

At the start of the new millennium, internet and email worms made headlines across the globe:

  • ILOVEYOU attacked tens of millions of Windows-based computers in 2000.
  • The Anna Kournikova email worm, launched in 2001, caused problems in email servers around the world.
  • Sircam, which was active in 2001, spread itself through email on Windows-based systems.
  • The CodeRed worm spread in 2001 by exploiting a buffer overflow vulnerability in Microsoft's IIS web server.
  • Nimda, which also appeared in 2001, affected computers running various versions of Windows.

Throughout 2002 and 2003, internet users were plagued by out-of-control popups and other JavaScript bombs. Around this time, socially engineered worms and spam proxies began to appear. Phishing and other credit card scams also took off during this period, along with notable internet worms like Blaster (which exploited a Windows DCOM RPC vulnerability) and Slammer. Slammer, released in 2003, exploited a buffer overflow in Microsoft SQL Server for which a patch had been available for months; it caused a denial of service (DoS) on some internet hosts and slowed internet traffic overall. Below are some other notable malware incidents from this time:

  • 2004: An email worm war broke out between the authors of MyDoom, Bagle, and Netsky. Ironically, this feud led to improved email scanning and higher adoption rates of email filtering, which eventually nearly eliminated mass-spreading email worms.
  • 2005: The discovery and disclosure of the now-infamous Sony BMG copy-protection rootkit brought rootkit techniques to wide public attention, and hiding techniques of this kind subsequently became a common feature of malware.
  • 2006: Various financial scams, Nigerian 419 scams, phishing, and lottery scams were prevalent at this time. Though not directly malware-related, such scams continued the profit-motivated criminal activity made possible by the internet.
  • 2007: Website compromises escalated due in large part to the discovery and disclosure of MPack, a crimeware kit used to deliver exploits online. Compromises included the Miami Dolphins stadium site, Tom's Hardware, The Sun, MySpace, Bebo, Photobucket, and The India Times website. By the end of 2007, SQL injection attacks had begun to ramp up; victims included the popular Cute Overload and IKEA websites.
  • 2008: By now, attackers were employing stolen FTP credentials and leveraging weak configurations to inject IFrames on tens of thousands of smaller websites. In June 2008, the Asprox botnet facilitated automated SQL injection attacks, claiming Walmart as one of its victims.
  • 2009: In early 2009, Gumblar emerged, using stolen FTP credentials to inject malicious scripts into legitimate websites, which then served drive-by downloads to visitors running unpatched Windows software. Its methodology was quickly adopted by other attackers, leading to botnets that are harder to detect.

Malware Since 2010

In the last decade or so, attacks have taken advantage of new technologies, including cryptocurrency and the Internet of Things (IoT).

  • 2010: Industrial control systems were the target of the 2010 Stuxnet worm, which tampered with Siemens programmable logic controllers (PLCs). It was so damaging that it is thought to have caused the destruction of several hundred of Iran's uranium-enrichment centrifuges.
  • 2011: ZeroAccess, a Windows Trojan horse, used rootkit techniques to hide itself from the operating system and enrolled infected computers in a peer-to-peer botnet that downloaded further malware and was used for click fraud and Bitcoin mining.
  • 2012: As part of a worrying trend, Shamoon targeted computers in the energy sector, wiping the disks of tens of thousands of workstations at Saudi Aramco. Cited by the CrySyS Lab as "the most complex malware ever found," Flame was used for cyber espionage in the Middle East.
  • 2013: An early instance of modern ransomware, CryptoLocker was a Trojan horse that encrypted the files on a victim's computer and demanded a ransom, payable in Bitcoin or prepaid vouchers, for the decryption key. Gameover ZeuS, a peer-to-peer banking Trojan, used keystroke logging and browser injection to steal users' login details for online banking sites.
  • 2014: Regin, a modular espionage platform, was thought to have been developed in the U.S. and U.K. for espionage and mass surveillance purposes.
  • 2016: Locky ransomware infected several million computers in Europe, including over 5,000 computers per hour in Germany alone. Mirai built a botnet from IoT devices such as routers, IP cameras, and DVRs by logging in with factory-default credentials, and used it to launch highly disruptive distributed DoS (DDoS) attacks, including one against the DNS provider Dyn that took several prominent websites offline.
  • 2017: The global WannaCry ransomware attack, which spread using the EternalBlue exploit for a Windows SMBv1 vulnerability (patched in MS17-010 two months earlier), was halted when a security researcher found a "kill switch" in the code: the malware stopped spreading once it could reach an unregistered domain it checked on startup, and the researcher registered that domain. Weeks later, Petya (the NotPetya variant, a destructive wiper disguised as ransomware) was released, spreading with the same exploit combined with credential theft.
  • 2018: As alternative cryptocurrencies gained traction, Thanatos became the first ransomware to accept payments in Bitcoin Cash (Bitcoin itself had been the standard ransom currency since CryptoLocker).