
A Brief History of Computer Malware

Prezi Timeline by Ms. Lloyd

1949

John von Neumann's article on the "Theory of self-reproducing automata" is published. Because he understood that computer programs could become self-replicating, von Neumann is considered to be the theoretical "father" of computer virology.

1970

Backdoor

First considered in 1970, a backdoor in a log-in system is a hard-coded user/password combination which gives access to the system.

An example of this sort of backdoor was used in the 1983 film WarGames.

The creator of the "WOPR" computer system had included a password which gave him/the user full access to the system.

1974

The Rabbit (or Wabbit) virus is written.

Wabbit was a self-replicating program that made multiple copies of itself on a computer until it bogged down the system to such an extent that system performance was zero and the computer eventually crashed.

This virus was named rabbit/wabbit because of the speed at which it was able to replicate.

1981

Richard Skrenta in 2009

Elk Cloner

In 1981, high school student Richard Skrenta wrote a program called Elk Cloner for Apple II systems as a prank. The Apple II was vulnerable because its operating system was stored on a floppy disk. The virus's design, combined with public naiveté about malware, made it the first large-scale computer virus outbreak in history.

1984

The term "virus" is coined

Frederick Cohen defines a "virus" as "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself." In other words, a virus can self-replicate.

Cohen demonstrates a virus-like program at Lehigh University.

1986

Beware of the Brain!

Brain was the first widespread virus to infect IBM PCs. It was written by 19-year-old Pakistani Basit Farooq Alvi and his brother Amjad intending to track and punish anyone who illegally pirated the medical software they developed. Like Elk Cloner, Brain didn’t destroy any data. It just slowed down the computer of anyone who pirated Alvi's software.

Somewhat like today’s ransomware, it displayed a message encouraging the victim to contact the Alvi brothers for “vaccination,” or removal of the virus.

1987

The Christmas Tree Worm

Christmas Tree EXEC was the first widely disruptive computer worm. It paralyzed several international computer networks in December 1987.

Written by a student at the Clausthal University of Technology (in Germany), it drew a Christmas tree as text graphics, then sent itself to each entry in the recipient's email contacts file. In this way it spread onto the European Academic Research Network, BITNET, and IBM's worldwide VNET. On all of these systems it caused massive disruption.

How is a Worm Different From a Virus?

Viruses almost always corrupt or modify files on a targeted computer. They are malicious code or programs made to change the way a computer operates. People spread them from one computer to another through:

(1) infected removable media; (2) downloads from the Internet; or (3) e-mail attachments.

A worm is a standalone computer program that can propagate without human interference (not the same as replicate) in order to spread to other computers. Often, it uses a computer network to spread itself.

Worms cause at least some harm to the network--even if only by consuming bandwidth. Many worms are designed only to spread, and do not attempt to change the systems they pass through.

Flash forward

The Christmas Tree worm of 1987 worked just like the ILOVEYOU worm of 2000, though the latter ran on PCs rather than mainframes and was spread over a different network.

2005

Sony BMG Scandal

In 2005, Sony BMG published CDs with software created by an outside company. The software included a music player but also covertly installed a rootkit, which limited the user's ability to copy the CD and created unrelated vulnerabilities for the 22 million users.

A software engineer discovered the rootkit. The scandal raised public awareness of rootkits. Sony BMG was sued and paid hundreds of thousands of dollars as well as suffering damage to their brand image.

What is a Rootkit?

A rootkit is a group of tools that hackers use to mask an intrusion and get administrator-level access to a computer or a network. The intruder installs a rootkit on a computer (by exploiting a vulnerability or cracking a password), then the rootkit collects user IDs and passwords to other machines on the network or may do such things as:

• Monitor network traffic and keystrokes

• Create a back door into the system for the hacker to use

• Alter log files

• Attack other machines on the network

• Alter existing system tools to avoid detection.

2006

UBS Logic Bomb

In 2006, Roger Duronio, a system administrator for a big Swiss bank, was charged with using a logic bomb to damage the company's computer network. He intended to drive the company stock down due to damage caused by his logic bomb.

A logic bomb is a type of malware that executes its malicious code when a specific criterion (usually a certain date/time) is met.

Duronio was charged with securities fraud. He was convicted and sentenced to 8+ years in prison plus $3.1 million in fines to UBS.

2010

The Troj/Inov-Zip

This is a classic worm/Trojan horse that appeared in mid-2010. It was transmitted as a zip file attached to an email claiming that the zip file contained information such as an invoice, tax issue, or other urgent paperwork. (Notice the coercion tactics of fear, urgency and authority to get people to continue.)

When the recipient opened the attachment, it installed spyware on his/her machine that would disable the firewall and then try to gather information (including financial data) and take screenshots of the user's desktop.

How Do Trojan Horses Work?

2013

Cryptolocker Ransomware

Above is an image of the screen you would get if you were a victim of this ransomware.

One of the best-known examples of ransomware, Cryptolocker was discovered in 2013. Cryptolocker used asymmetric encryption to lock user files, then held them for ransom until money was paid to decrypt them.

2014

Gameover ZeuS Botnet

Gameover ZeuS is a virus that creates a peer-to-peer botnet.

It establishes encrypted communication between infected computers and a command & control computer. This allows the attacker to control the various infected computers.

What is a botnet?

A botnet is a logical computer network of "zombies" under the control of an attacker. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a combination of the words "robot" and "network".

2015

Rombertik

In 2015, Rombertik spyware came on the scene. It was designed to steal confidential information from targets using Internet Explorer, Firefox, or Chrome running on Windows computers. It was promoted via spam and phishing emails; once installed, it injected code into running processes of Internet Explorer, Firefox, and Chrome. The injected code intercepted web data before it was encrypted by the browser, and forwarded it to a remote server.

It could also overwrite the master boot record on the hard drive (making the machine unbootable) or begin encrypting files in the user's home directory.
