A Brief History of Malware

The First 25 Years

In January 2011, Brain - the first PC-based malware - turned 25 years old. (It's worth noting that the first computer virus was actually a Mac virus, Elk Cloner, in 1982). Following is a brief history of the first 25 years of malware evolution.

In 1986, most viruses were found in universities and propagation was primarily via infected floppy disks. Notable malware included Brain (1986), Lehigh, Stoned, and Jerusalem (1987), the Morris worm (1988), and Michelangelo - the first headline grabber - in 1991.

By the mid-90s, businesses were equally impacted (in large part due to macro viruses) and propagation had moved to the network. Notable malware for the period included DMV - the first proof-of-concept macro virus - in 1994, Cap.A - the first high-risk macro virus - in 1997, and CIH (aka Chernobyl) - the first virus to damage hardware - in 1998.

By the latter part of the 90s, viruses had begun impacting home users as well and email propagation was ramping up. Notable malware included Melissa (the first widespread email worm) and Kak - the first and one of the very few true email viruses - both in 1999.

At the start of the new millennium, Internet and email worms were making headlines across the globe. Notables included Loveletter - the first high-profile profit-motivated malware (May 2000), the Anna Kournikova email worm (Feb 2001), the March 2001 Magistr (which, like CIH before it, also impacted hardware), the Sircam email worm in July 2001 which harvested files from the My Documents folder, the CodeRed Internet worm in August 2001, and Nimda - a Web, email and network worm - in September 2001.

As the decade progressed, malware became almost exclusively a profit-motivated tool. Throughout 2002 and 2003, Web surfers were plagued by out-of-control popups and other JavaScript bombs. FriendGreetings ushered in manually driven, socially engineered worms in October 2002, and SoBig began surreptitiously installing spam proxies on victim computers.

Phishing and other credit card scams also took off during the period. Other notable threats for the period included the Blaster and Slammer Internet worms.

In January 2004, an email worm war broke out between the authors of MyDoom, Bagle and Netsky. Ironically, this led to improved email scanning and higher adoption rates of email filtering, which eventually spelled a near demise of mass-spreading email worms.

The November 2005 discovery and disclosure of the now infamous Sony rootkit led to the eventual inclusion of rootkits in most modern day malware. Pump & Dump and money mule job scams joined the growing numbers of Nigerian 419 scams, phishing, and lottery scams in 2006. Though not directly malware-related, such scams were a continuation of the theme of profit-motivated criminal activity launched via the Internet.

Website compromises escalated in 2007 due in large part to the discovery and disclosure of MPack, a crimeware kit used to deliver exploits via the Web. Notable compromises included the Miami Dolphins stadium site, Tomshardware.com, TheSun, MySpace, Bebo, Photobucket and The India Times websites.

By the end of 2007, SQL injection attacks had begun to ramp up, netting victim sites such as the popular cuteoverload.com and Ikea websites.

By January 2008, Web attackers were employing stolen FTP credentials and leveraging weak configurations to inject iframes on tens of thousands of mom & pop style websites, the so-called long tail of the Web. In June 2008, the Asprox botnet facilitated automated SQL injection attacks, claiming walmart.com as one of its victims.

Advanced persistent threats emerged during this same period as attackers began segregating victim computers and delivering custom configuration files to those of highest interest. In early 2009, Gumblar - the first dual botnet - emerged. Gumblar not only dropped a backdoor on infected PCs and used it to steal FTP credentials, it used those credentials to hide a backdoor on compromised websites as well.

This development was quickly adopted by other Web attackers. The result: today's website compromises no longer track back to a handful of malicious domain hosts - instead any of the thousands of compromised sites can interchangeably play the role of malware host.

The volume of malware is merely a by-product of distribution and purpose. This can best be seen by tracking the number of known samples by the era in which they appeared. For example, during the late 80s most malware consisted of simple boot sector and file infectors spread via floppy disk. With limited distribution and less focused purpose, unique malware samples recorded in 1990 by AV-Test.org numbered just 9,044.

As computer network adoption and expansion continued through the first half of the 90s, distribution of malware became easier and malware volume increased. In 1994, AV-Test.org reported 28,613 unique malware samples (based on MD5).

As technologies standardized, certain types of malware were able to gain ground. Macro viruses, which exploited Microsoft Office products, achieved greater distribution via email and received a further boost from the increasing adoption of email itself. In 1999, AV-Test.org recorded 98,428 unique malware samples.

As broadband Internet adoption increased, Internet worms became more viable. Distribution was further accelerated by increased use of the Web and the adoption of so-called Web 2.0 technologies which fostered a more favorable malware environment. In 2005, AV-Test.org recorded 333,425 unique malware samples.

Increased awareness of Web-based exploit kits led to an explosion of Web-delivered malware throughout the latter part of the millennium's first decade.

In 2006, the year MPack was discovered, AV-Test.org recorded 972,606 unique malware samples. As automated SQL injection and other forms of mass website compromises increased distribution capabilities in 2007, malware volume made its most dramatic jump, with 5,490,960 unique samples recorded by AV-Test.org in that year.

Since 2007, the number of unique malware samples has continued to grow exponentially, doubling or more each year. Currently, vendor estimates of new malware samples range from 30k to over 50k per day. Put another way, the current monthly volume of new malware samples is greater than the total volume of all malware from 2006 and previous years.

Antivirus / Security Revenue

During the "sneakernet" era in the late 80s and early 90s, antivirus vendor revenues were collectively less than $1B USD. By 2000, antivirus revenues had increased to ~$1.5B.

While some may point to the increasing antivirus/security vendor revenues as "proof" that antivirus vendors profit from (and thus create) malware, the math itself does not bear out this conspiracy theory. In 2007, for example, antivirus revenues grew by 131% - but malware volumes increased 565% that year. Additionally, antivirus revenue increases are also the result of new companies entering the market and expanding technologies (for example, security appliances and cloud-based security developments).