Brief History of Malware
Malware (malicious software) is any program written with malicious intent. Most of the programs you install and the files you download are harmless, but some carry hidden payloads that destroy files, steal information or simply harass you.
This has been going on for a long time. The first computer virus, Elk Cloner, was found on an Apple II in 1982. In January 2011 the first PC-based virus, Brain, turned 25. For reference, the first mass-marketed personal computer (the HP 9100A) appeared in 1968.
Malware in the 1980s and 1990s
In 1986, most viruses were found in universities and spread mainly through infected floppy disks. Notable malware of this era includes Brain (1986), Lehigh, Stoned and Jerusalem (1987), the Morris worm (1988) and Michelangelo (1991).
By the mid-1990s businesses were being hit as well, largely by macro viruses. Propagation had moved from the floppy disk to the network.
Notable malicious programs of this period include DMV (1994), the first proof of concept for macro viruses; Cap.A (1997), the first high-risk macro virus; and CIH, also known as Chernobyl (1998), the first virus to damage hardware, which it did by overwriting the flash BIOS.
In the latter part of the 1990s, with email use on the rise, viruses began to reach home users too. Notable malicious programs from 1999 include Melissa, the first widespread email worm, and Kak, the first and one of the few true email viruses (it ran when the message was merely viewed).
21st Century Malware
At the beginning of the new millennium, Internet and email worms were in the headlines around the world.
- May 2000: Loveletter (ILOVEYOU), the first high-profile malware with a financial motive; it harvested passwords from infected machines.
- February 2001: The Anna Kournikova email worm.
- March 2001: Magistr, which like CIH before it attacked hardware by attempting to overwrite the BIOS.
- July 2001: The Sircam email worm, which collected files from the My Documents folder and mailed them out.
- August 2001: The Code Red worm, which exploited a buffer overflow in Microsoft IIS.
- September 2001: Nimda, which spread by network shares, email and the web.
As the decade progressed, malware became almost exclusively a tool for profit. Throughout 2002 and 2003, Internet users were plagued by out-of-control pop-ups and other JavaScript bombs.
In October 2002, FriendGreetings ushered in manually driven, socially engineered worms (the victim is talked into installing them), and SoBig began installing hidden spam proxies on victims' computers. Phishing and other credit card scams also took off during this period, alongside the notable Internet worms Blaster and Slammer.
- January 2004: An email worm war broke out between the authors of MyDoom, Bagle and Netsky. Ironically, this led to better email scanning and higher adoption of email filtering, which eventually led to the near-total disappearance of mass-mailing email worms.
- November 2005: The discovery and disclosure of the now infamous Sony rootkit led to rootkit techniques being adopted by much of today's malware.
- 2006: Pump-and-dump stock scams and money mule job scams joined the growing ranks of Nigerian 419 scams, phishing and lottery scams. Although not directly related to malware, these scams continued the theme of for-profit criminal activity that had taken root on the Internet.
- 2007: Website compromises intensified in 2007, largely due to the discovery and disclosure of MPack, a crimeware kit used to deliver exploits through the web. Compromised sites included the Miami Dolphins stadium site, Tom's Hardware, The Sun, MySpace, Bebo, Photobucket and The India Times.
By the end of 2007, SQL injection attacks had begun to increase, claiming networks of victim sites such as the well-known Cute Overload and IKEA sites.
- January 2008: By now, web attackers were using stolen FTP credentials and taking advantage of weak configurations to inject IFrames into tens of thousands of small ("mom and pop") websites, the so-called long tail of the web.
- June 2008: The Asprox botnet automated SQL injection attacks, claiming Walmart as one of its victims. Advanced persistent threats emerged during this same period, as attackers began to segment victims' computers and deliver customized configuration files to those of greatest interest.
- 2009: Early in 2009, Gumblar emerged, the first dual botnet. Gumblar not only dropped a backdoor on infected PCs and used it to steal FTP credentials; it also used those credentials to plant a backdoor on compromised websites. Other attackers quickly adopted this approach. The result: today's website compromises no longer trace back to a handful of malicious hosting domains. Instead, any of thousands of compromised sites can interchangeably play the role of malware host.
- 2010: Industrial control systems were targeted by the Stuxnet worm. It attacked programmable logic controllers (PLCs), the devices that control industrial machinery, and was damaging enough that it is believed to have destroyed several hundred uranium enrichment centrifuges in Iran.
- 2011: ZeroAccess, a Windows Trojan, formed a botnet that downloaded additional malware onto infected computers. It hides from the operating system using rootkit techniques and was used to distribute Bitcoin-mining tools.
Malware Volume and Antivirus Vendor Revenue
Malware volume is simply a byproduct of distribution and purpose. This is best seen by tracking the number of known samples over time.
For example, in the late 1980s most malicious programs were simple boot sector and file infectors that propagated via floppy disk. With limited distribution and a less specific purpose, the unique malware samples recorded by AV-TEST in 1990 numbered only 9,044.
As computer networks were adopted and expanded during the first half of the 1990s, distributing malware became easier, and volume rose accordingly. Just four years later, in 1994, AV-TEST reported 28,613 unique samples (counted by MD5), more than triple the 1990 figure.
As technologies standardized, certain types of malware could gain ground. Macro viruses that exploited Microsoft Office products not only achieved wider distribution through email, they also gained momentum as email adoption grew. In 1999, AV-TEST recorded 98,428 unique malware samples, roughly 3.4 times the count of five years earlier.
As broadband Internet adoption increased, worms became more viable. Distribution accelerated further with the growth of the web and the adoption of so-called Web 2.0 technologies, which created a more favorable environment for malware. In 2005, AV-TEST recorded 333,425 unique malware samples, about 3.4 times the 1999 figure.
Growing use of web-based exploit kits led to an explosion of web-delivered malware in the latter part of the decade. In 2006, the year MPack was discovered, AV-TEST recorded 972,606 unique malware samples, nearly three times the 2005 figure.
As automated SQL injection and other mass website compromises expanded distribution capabilities in 2007, malware volume made its most dramatic jump: AV-TEST recorded 5,490,960 unique samples that year, more than five and a half times the 2006 total, in just one year.
Since 2007 the amount of unique malware has continued to grow exponentially, doubling or more every year. Current vendor estimates of new malware samples range from 30,000 to more than 50,000 per day. In other words, a single month of new samples now exceeds the total volume of all malware from 2006 and earlier combined.
Antivirus / Security Revenue
During the "sneakernet" era of the late 1980s and early 1990s, antivirus vendors' collective revenue was less than $1 billion USD. By 2000, antivirus revenue had grown to around $1.5 billion.
- 2001: $1.8B
- 2002: $2.06B
- 2003: $2.7B
- 2004: $3.5B
- 2005: $7.4B
- 2006: $8.6B
- 2007: $11.3B
- 2008: $13.5B
- 2009: $14.8B
- 2010: $16.5B
While some point to the rising revenue of antivirus and security vendors as "proof" that those vendors profit from (and therefore create) malware, the numbers themselves do not support this conspiracy theory.
In 2007, for example, antivirus revenue rose by about 31% (from $8.6B to $11.3B), while malware volume rose more than fivefold (from 972,606 to 5,490,960 unique samples). Moreover, antivirus revenue growth also reflects new companies entering the market and expanding product lines, such as security appliances and cloud-based security services.