3874 entries. Last updated May 24, 2013.

Malware Timeline

1940 – 1950

Proof that a Program Could Reproduce Itself December 1949

Mathematician John von Neumann delivered lectures at the University of Illinois at Urbana-Champaign on The Theory of Self-Reproducing Automata. In these lectures von Neumann showed that in theory a program could reproduce itself. The lectures were completed and edited by A. W. Burks and published by the University of Illinois Press in 1966.

Years later one application of this plausibility result in computability theory was the development of what came to be known as malware.

1970 – 1980

The First Computer Virus 1971

The Creeper worm, an experimental self-replicating program written by Bob Thomas at BBN Technologies, Cambridge, Massachusetts (originally Bolt Beranek and Newman), is generally considered the first computer virus.

"Creeper infected DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'm the creeper, catch me if you can!" was displayed. The Reaper program was created to delete Creeper" (Wikipedia article on Creeper virus, accessed 01-18-2010).

The First Computer Worm 1978

Researchers at Xerox PARC wrote a computer worm program that searched out other computer hosts, copied itself to them, and self-destructed after a programmed interval.

1980 – 1990

The First Computer Virus Spread by Floppy Disk 1982

"A program called 'Elk Cloner' is credited with being the first computer virus to appear 'in the wild'—that is, outside the single computer or lab where it was created." Written by Rich Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk.

Coining the Term Computer Virus November 10, 1983

At Lehigh University, Bethlehem, Pennsylvania, Frederick Cohen demonstrated a virus-like program on a VAX-11/750 system. The program was able to install itself into, or infect, other system objects.

In 1984 Cohen used the phrase "computer virus" – as suggested by his teacher Leonard Adleman – to describe the operation of such programs in terms of "infection". He defined a 'virus' as "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself."

First PC Virus Epidemic January 1986

The Brain boot sector virus (aka Pakistani flu) was released. Brain is considered the first IBM PC compatible virus, and the program responsible for the first IBM PC compatible virus epidemic. Also known as Lahore, Pakistani, and Pakistani Brain, the virus was created in Lahore, Pakistan by 19-year-old Pakistani programmer Basit Farooq Alvi and his brother, Amjad Farooq Alvi.

The First Computer Worm to Attract Wide Attention November 2, 1988

The first computer worm to attract wide attention, the Morris worm or Internet worm, written by Robert Tappan Morris, a graduate student at Cornell, quickly infected a great number of computers on the Internet.

"It propagated through a number of bugs in BSD Unix and its derivatives. Morris himself was convicted under the US Computer Crime and Abuse Act and received three years probation, community service and a fine in excess of $10,000."

2005 – 2010

"Computer Criminal Number One" August 5, 2008

United States District Court, District of Massachusetts in Boston indicted Albert Gonzalez, a/k/a cumbajohny, a/k/a cj, a/k/a UIN 20167996, a/k/a UIN 476747, a/k/a soupnazi, a/k/a segvec, a/k/a klngchilli, a/k/a stanozololz, for masterminding a crime ring that used malware to steal and sell more than 170,000,000 credit card and ATM numbers from retail stores during 2005 to 2007.

"On August 28, 2009, his [Gonzalez's] attorney filed papers with the United States District Court for the District of Massachusetts in Boston indicating that he would plead guilty to all 19 charges in the U.S. v. Albert Gonzalez, 08-CR-10223, case (the TJ Maxx case). According to reports this plea bargain would "resolve" issues with the New York case of U.S. v. Yastremskiy, 08-CR-00160 in United States District Court for the Eastern District of New York (the Dave and Busters case).

"Gonzalez could serve a term of 15 years to 25 years. He would forfeit more than $1.65 million, a condominium in Miami, a blue 2006 BMW 330i automobile, IBM and Toshiba laptop computers, a Glock 27 firearm, a Nokia cell phone, a Tiffany diamond ring and three Rolex watches."

"His sentence would run concurrent with whatever comes out of the case in the United States District Court for the District of New Jersey (meaning that he would serve the longest of the sentences he receives)" (Wikipedia article on Albert Gonzalez, accessed 01-18-2010).

On March 26, 2010 U.S. District Court Judge Douglas P. Woodlock sentenced Gonzalez to twenty years in prison, with three twenty-year sentences running concurrently.

"The sentence imposed by U.S. District Court Judge Douglas P. Woodlock was for Gonzalez's role in a hacking ring that broke into computer networks of Heartland Payment Systems, which processed credit and debit card transactions for Visa and American Express, Hannaford Supermarkets and 7-Eleven. The sentence is actually 20 years and one day, owing to the need to deal with peculiarities in sentencing statutes, because Woodlock had to take into account that Gonzalez was on pretrial release for an unrelated crime when he took up with the international network of hackers responsible for the security breaches. He was at the time supposed to be serving as an informant for the U.S. Secret Service, but he double-crossed the agency, supplying a co-conspirator with information obtained as part of those investigations" (http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2010/03/26/urnidgns852573C400693880002576EF004839D0.DTL, accessed 03-27-2010).

2010 – 2011

Exploit Code for Attacks on Google Released on the Internet January 15, 2010

"Exploit code for the zero-day hole in Internet Explorer linked to the China-based attacks on Google and other companies has been released on the Internet, Microsoft and McAfee warned on Friday.

"Meanwhile, the German federal security agency issued a statement on Friday urging its citizens to use an alternative browser to IE until a patch arrives.

" 'We still only see limited targeted attacks affecting Internet Explorer 6,' Jerry Bryant, senior security program manager lead at the Microsoft Security Response Center, said in a statement. 'While newer versions of Internet Explorer are affected by this vulnerability, mitigations exist that make exploitation much more difficult.'

"McAfee researchers have seen references to the code on mailing lists and confirmed that it has been published on at least one Web site, the company's Chief Technology Officer George Kurtz wrote in his blog. 'The exploit code is the same code that McAfee Labs had been investigating and shared with Microsoft earlier this week,' he said.

" 'The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability,' Kurtz wrote. 'The now-public computer code may help cybercriminals craft attacks that use the vulnerability to compromise Windows systems. Popular penetration testing tools are already being updated to include this exploit.' Microsoft issued a warning on Thursday about the new hole and said it was working on a patch. The vulnerability affects IE 6, 7 and 8 on all the modern versions of Windows, including Windows 7, according to Microsoft's advisory. Microsoft said IE 6 was the browser version being used on the computers that were targeted in the attacks. Google disclosed the attacks targeting it and other U.S. companies on Tuesday and said the attacks originated in China. Human rights activists who use Gmail also were targeted, Google said.

"The company said it discovered the attacks in mid-December and while it did not specifically implicate the Chinese government, it says that as a result of the incidents, it may withdraw from doing business in China. Sources familiar with the attack code say the attacks are similar to previous attacks on U.S. corporations that were linked to the Chinese government or proxies operating for the government. Source code was stolen from some of the more than 30 Silicon Valley companies targeted in the attack, sources said. Adobe has confirmed that it was targeted by an attack, and sources have said Yahoo, Symantec, Juniper Networks, Northrop Grumman, and Dow Chemical also were targets.

"McAfee says references in the IE-related attack code it analyzed indicate that the attackers called the operation 'Aurora' and that the attack was extremely sophisticated" (http://news.cnet.com/8301-27080_3-10436083-245.html, accessed 01-16-2010).

The First Malware to Spy on and Subvert Industrial Systems June 2010

In June 2010 the Stuxnet computer worm, the first malware that spied on and subverted industrial systems, was discovered. Stuxnet was also the first malware to include a programmable logic controller (PLC) rootkit.

"The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices.

"Different variants of Stuxnet targeted five Iranian organizations, with the probable target widely suspected to be uranium enrichment infrastructure in Iran; Symantec noted in August 2010 that 60% of the infected computers worldwide were in Iran. Siemens stated on 29 November that the worm has not caused any damage to its customers, but the Iran nuclear program, which uses embargoed Siemens equipment procured secretly, has been damaged by Stuxnet. Kaspersky Lab concluded that the sophisticated attack could only have been conducted "with nation-state support". This was further supported by F-Secure's chief researcher Mikko Hyppönen, who commented in a Stuxnet FAQ, 'That's what it would look like, yes'. It has been speculated that Israel and the United States may have been involved. . . .

"Experts believe that Stuxnet required the largest and costliest development effort in malware history. Its many capabilities would have required a team of people to program, in-depth knowledge of industrial processes, and an interest in attacking industrial infrastructure. Eric Byres, who has years of experience maintaining and troubleshooting Siemens systems, told Wired that writing the code would have taken many man-months, if not years. Symantec estimates that the group developing Stuxnet would have consisted of anywhere from five to thirty people, and would have taken six months to prepare. The Guardian, the BBC and The New York Times all claimed that (unnamed) experts studying Stuxnet believe the complexity of the code indicates that only a nation-state would have the capabilities to produce it. The self-destruct and other safeguards within the code imply that a Western government was responsible, with lawyers evaluating the worm's ramifications. Software security expert Bruce Schneier condemned the 2010 news coverage of Stuxnet as hype, however, stating that it was almost entirely based on speculation. But after subsequent research, Schneier stated in 2012 that 'we can now conclusively link Stuxnet to the centrifuge structure at the Natanz nuclear enrichment lab in Iran' " (Wikipedia article on Stuxnet, accessed 05-30-2012).

2011 – 2013

Flame: A Virus that Collects Information May 28, 2012

On May 28, 2012 the MAHER Center of the Iranian National Computer Emergency Response Team (CERT), Kaspersky Lab headquartered in Moscow, and CrySyS Lab (Laboratory of Cryptography and System Security) of the Budapest University of Technology and Economics announced the discovery of the Flame malware, which attacked computers running the Microsoft Windows operating system. A virus that collected information, it was arguably the most complex malware ever found.

"According to estimates by Kaspersky, Flame has infected approximately 1,000 machines, with victims including governmental organizations, educational institutions and private individuals. As of May 2012, the countries most affected are Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt. . . .

"According to Kaspersky, Flame has been operating in the wild since at least February 2010. CrySyS reports that the file name of the main component had been observed as early as December 2007. However, its creation date cannot be determined directly, as the creation dates for the malware's modules are falsely set to dates as early as 1994. Computer experts consider it the cause of an attack in April 2012 that caused Iranian officials to disconnect their oil terminals from the Internet. At the time the Iranian Students News Agency referred to the malware that caused the attack as "Wiper", a name given to it by the malware's creator. However, Kaspersky Lab believes that Flame may be 'a separate infection entirely' from the Wiper malware. Due to the size and complexity of the program—described as "twenty times" more complicated than Stuxnet—the Lab stated that a full analysis could require as long as ten years. On 28 May, Iran's CERT announced that it had developed a detection program and a removal tool for Flame, and had been distributing these to 'select organizations' for several weeks" (Wikipedia article on Flame (malware), accessed 05-30-2012).