Evolution Of Computer Viruses History Of Viruses

Part 1: 
Like any other field in computer science, viruses have evolved -a great deal indeed- 
over the years. In the series of press releases which start today, we will look at the
origins and evolution of malicious code since it first appeared up to the present.
Going back to the origin of viruses, it was in 1949 that Mathematician John Von Neumann
described self-replicating programs which could resemble computer viruses as they are 
known today. However, it was not until the 60s that we find the predecessor of current 
viruses. In that decade, a group of programmers developed a game called Core Wars, which
could reproduce every time it was run, and even saturate the memory of other players’ 
computers. The creators of this peculiar game also created the first antivirus, an 
application named Reeper, which could destroy copies created by Core Wars.However, it 
was only in 1983 that one of these programmers announced the existence of Core Wars, 
which was described the following year in a prestigious scientific magazine: this was 
actually the starting point of what we call computer viruses today.At that time, a still young
MS-DOS was starting to become the preeminent operating system worldwide. This was a 
system with great prospects, but still many deficiencies as well, which arose from 
software developments and the lack of many hardware elements known today. Even like 
this, this new operating system became the target of a virus in 1986: Brain, a malicious 
code created in Pakistan which infected boot sectors of disks so that their contents 
could not be accessed. That year also saw the birth of the first Trojan: an application 
called PC-Write.Shortly after, virus writers realized that infecting files could be 
even more harmful to systems. In 1987, a virus called Suriv-02 appeared, which infected 
COM files and opened the door to the infamous viruses Jerusalem or Viernes 13. However,
the worst was still to come: 1988 set the date when the “Morris worm” appeared, infecting 
6,000 computers.From that date up to 1995 the types of malicious codes that are known today 
started being developed: the first macro viruses appeared, polymorphic viruses … Some of 
these even triggered epidemics, such as MichaelAngelo. However, there was an event that 
changed the virus scenario worldwide: the massive use of the Internet and e-mail. Little by 
little, viruses started adapting to this new situation until the appearance, in 1999, of 
Melissa, the first malicious code to cause a worldwide epidemic, opening a new era for 
computer viruses.

Part 2: 
This second installment of ‘The evolution of viruses’ will look at how malicious code 
used to spread before use of the Internet and e-mail became as commonplace as it is today, 
and the main objectives of the creators of those earlier viruses.Until the worldwide web 
and e-mail were adopted as a standard means of communication the world over, the main 
mediums through which viruses spread were floppy disks, removable drives, CDs, etc.,
containing files that were already infected or with the virus code in an executable 
boot sector.When a virus entered a system it could go memory resident, infecting other 
files as they were opened, or it could start to reproduce immediately, also infecting 
other files on the system. The virus code could also be triggered by a certain event, 
for example when the system clock reached a certain date or time. In this case, the 
virus creator would calculate the time necessary for the virus to spread and then set 
a date –often with some particular significance- for the virus to activate. In this 
way, the virus would have an incubation period during which it didn’t visibly affect 
computers, but just spread from one system to another waiting for ‘D-day’ to launch 
its payload. This incubation period would be vital to the virus successfully infecting 
as many computers as possible.One classic example of a destructive virus that lay low 
before releasing its payload was CIH, also known as Chernobyl. The most damaging version 
of this malicious code activated on April 26, when it would try to overwrite the flash-BIOS,
the memory which includes the code needed to control PC devices. This virus, which first 
appeared in June 1998, had a serious impact for over two years and still continues to infect 
computers today.Because of the way in which they propagate, these viruses spread very slowly,
especially in comparison to the speed of today’s malicious code. Towards the end of the 
Eighties, for example, the Friday 13th (or Jerusalem) virus needed a long time to actually 
spread and continued to infect computers for some years. In contrast, experts reckon that in 
January 2003, SQLSlammer took just ten minutes to cause global communication problems across 
the Internet.Notoriety versus stealthFor the most part, in the past, the activation of a 
malicious code triggered a series of on screen messages or images, or caused sounds to be 
to catch the user’s attention. Such was the case with the Ping Pong virus, which displayed
a ball bouncing from one side of the screen to another. This kind of elaborate display was 
used by the creator of the virus to gain as much notoriety as possible. Nowadays however, 
the opposite is the norm, with virus authors trying to make malicious code as discreet as 
possible, infecting users’ systems without them noticing that anything is amiss.

Part 3: 
This third installment of ‘The evolution of viruses’ will look at how the Internet 
and e-mail changed the propagation techniques used by computer viruses.Internet and 
e-mail revolutionized communications. However, as expected, virus creators didn’t take 
long to realize that along with this new means of communication, an excellent way of 
spreading their creations far and wide had also dawned. Therefore, they quickly changed 
their aim from infecting a few computers while drawing as much attention to themselves 
as possible, to damaging as many computers as possible, as quickly as possible. 
This change in strategy resulted in the first global virus epidemic, which was caused 
by the Melissa worm.With the appearance of Melissa, the economic impact of a virus started
to become an issue. As a result, users -above all companies- started to become seriously
concerned about the consequences of viruses on the security of their computers. This is 
how users discovered antivirus programs, which started to be installed widely. However,
this also brought about a new challenge for virus writers, how to slip past this 
protection and how to persuade users to run infected files.The answer to which of these
virus strategies was the most effective came in the form of a new worm: Love Letter, 
which used a simple but effective ruse that could be considered an early type of social
engineering. This strategy involves inserting false messages that trick users into 
thinking that the message includes anything, except a virus. This worm’s bait was simple;
it led users to believe that they had received a love letter.This technique is still the 
most widely used. However, it is closely followed by another tactic that has been the 
center of attention lately: exploiting vulnerabilities in commonly used software. This 
strategy offers a range of possibilities depending on the security hole exploited. The 
first malicious code to use this method –and quite successfully- were the BubbleBoy and 
Kakworm worms. These worms exploited a vulnerability in Internet Explorer by inserting 
HTML code in the body of the e-mail message, which allowed them to run automatically, 
without needing the user to do a thing.Vulnerabilities allow many different types of 
actions to be carried out. For example, they allow viruses to be dropped on computers 
directly from the Internet -such as the Blaster worm-. In fact, the effects of the 
virus depend on the vulnerability that the virus author tries to exploit.

Part 4: 
In the early days of computers, there were relatively few PCs likely to contain
“sensitive” information, such as credit card numbers or other financial data, and 
these were generally limited to large companies that had already incorporated computers 
into working processes.In any event, information stored in computers was not likely 
to be compromised, unless the computer was connected to a network through which the 
information could be transmitted. Of course, there were exceptions to this and there 
were cases in which hackers perpetrated frauds using data stored in IT systems. 
However, this was achieved through typical hacking activities, with no viruses involved.
The advent of the Internet however caused virus creators to change their objectives, 
and, from that moment on, they tried to infect as many computers as possible in the 
shortest time. Also, the introduction of Internet services -like e-banking or online 
shopping- brought in another change. Some virus creators started writing malicious 
codes not to infect computers, but, to steal confidential data associated to those 
services. Evidently, to achieve this, they needed viruses that could infect many 
computers silently.Their malicious labor was finally rewarded with the appearance, 
in 1986, of a new breed of malicious code generically called “Trojan Horse”, or 
simply “Trojan”. This first Trojan was called PC-Write and tried to pass itself off 
as the shareware version of a text processor. When run, the Trojan displayed a 
functional text processor on screen. The problem was that, while the user wrote, 
PC-Write deleted and corrupted files on the computers’ hard disk.After PC-Write, 
this type of malicious code evolved very quickly to reach the stage of present-day 
Trojans. Today, many of the people who design Trojans to steal data cannot be 
considered virus writers but simply thieves who, instead of using blowtorches or 
dynamite have turned to viruses to commit their crimes. Ldpinch.W or the Bancos or 
Tolger families of Trojans are examples of this

Part 5: 
Even though none of them can be left aside, some particular fields of computer 
science have played a more determinant role than others with regard to the evolution 
of viruses. One of the most influential fields has been the development of programming 
languages.These languages are basically a means of communication with computers in 
order to tell them what to do. Even though each of them has its own specific development 
and formulation rules, computers in fact understand only one language called "machine 
code".Programming languages act as an interpreter between the programmer and the computer. 
Obviously, the more directly you can communicate with the computer, the better it will 
understand you, and more complex actions you can ask it to perform.According to this, 
programming languages can be divided into "low and high level" languages, depending on 
whether their syntax is more understandable for programmers or for computers. A "high 
level" language uses expressions that are easily understandable for most programmers, 
but not so much for computers. Visual Basic and C are good examples of this type of 
language.On the contrary, expressions used by "low level" languages are closer to 
machine code, but are very difficult to understand for someone who has not been involved 
in the programming process. One of the most powerful, most widely used examples of this 
type of language is "assembler".In order to explain the use of programming languages 
through virus history, it is necessary to refer to hardware evolution. It is not 
difficult to understand that an old 8-bit processor does not have the power of modern
64-bit processors, and this of course, has had an impact on the programming languages
used.In this and the next installments of this series, we will look at the different 
programming languages used by virus creators through computer history:- Virus antecessors:
Core WarsAs was already explained in the first chapter of this series, a group of programs
called Core Wars, developed by engineers at an important telecommunications company, are
considered the antecessors of current-day viruses. Computer science was still in the early
stages and programming languages had hardly developed. For this reason, authors of these
proto-viruses used a language that was almost equal to machine code to program 
them.Curiously enough, it seems that one of the Core Wars programmers was Robert Thomas 
Morris, whose son programmed -years later- the "Morris worm". This malicious code became 
extraordinarily famous since it managed to infect 6,000 computers, an impressive figure 
for 1988.- The new gurus of the 8-bits and the assembler language.The names Altair, IMSAI
and Apple in USA and Sinclair, Atari and Commodore in Europe, bring memories of times 
gone by, when a new generation of computer enthusiasts "fought" to establish their place
in the programming world. To be the best, programmers needed to have profound knowledge 
of machine code and assembler, as interpreters of high-level languages used too much run 
time. BASIC, for example, was a relatively easy to learn language which allowed users to 
develop programs simply and quickly. It had however, many limitations.This caused the 
appearance of two groups of programmers: those who used assembler and those who turned to
high-level languages (BASIC and PASCAL, mainly).Computer aficionados of the time enjoyed 
themselves more by programming useful software than malware. However, 1981 saw the birth of
what can be considered the first 8-bit virus. Its name was "Elk Cloner", and was 
programmed in machine code. This virus could infect Apple II systems and displayed a 
message when it infected a computer.

Part 6: 
Computer viruses evolve in much the same way as in other areas of IT. Two of the most
important factors in understanding how viruses have reached their current level are 
the development of programming languages and the appearance of increasingly powerful 
hardware.In 1981, almost at the same time as Elk Kloner (the first virus for 8-bit 
processors) made its appearance, a new operating system was growing in popularity. 
Its full name was Microsoft Disk Operating System, although computer buffs throughout 
the world would soon refer to it simply as DOS.DOS virusesThe development of MS DOS 
systems occurred in parallel to the appearance of new, more powerful hardware. Personal 
computers were gradually establishing themselves as tools that people could use in their 
everyday lives, and the result was that the number of PCs users grew substantially. 
Perhaps inevitably, more users also started creating viruses. Gradually, we witnessed 
the appearance of the first viruses and Trojans for DOS, written in assembler language 
and demonstrating a degree of skill on the part of their authors.Far less programmers 
know assembler language than are familiar with high-level languages that are far easier 
to learn. Malicious code written in Fortran, Basic, Cobol, C or Pascal soon began to 
appear. The last two languages, which are well established and very powerful, are the 
most widely used, particularly in their TurboC and Turbo Pascal versions. This ultimately 
led to the appearance of “virus families”: that is, viruses that are followed by a vast 
number of related viruses which are slightly modified forms of the original code.Other 
users took the less ‘artistic’ approach of creating destructive viruses that did not 
require any great knowledge of programming. As a result, batch processing file viruses 
or BAT viruses began to appear.Win16 virusesThe development of 16-bit processors led 
to a new era in computing. The first consequence was the birth of Windows, which, at 
the time, was just an application to make it easier to handle DOS using a graphic 
interface.The structure of Windows 3.xx files is rather difficult to understand, and 
the assembler language code is very complicated, as a result of which few programmers 
initially attempted to develop viruses for this platform. But this problem was soon 
solved thanks to the development of programming tools for high-level languages, above 
all Visual Basic. This application is so effective that many virus creators adopted 
it as their ‘daily working tool’. This meant that writing a virus had become a very 
straightforward task, and viruses soon appeared in their hundreds. This development 
was accompanied by the appearance of the first Trojans able to steal passwords. As a 
result, more than 500 variants of the AOL Trojan family -designed to steal personal 
information from infected computers- were identified.

Part 7: 
This seventh edition on the history of computer viruses will look at how the development
of Windows and Visual Basic has influenced the evolution of viruses, as with the 
development of these, worldwide epidemics also evolved such as the first one caused 
by Melissa in 1999.While Windows changed from being an application designed to make 
DOS easier to manage to a 32-bit platform and operating system in its own right, 
virus creators went back to using assembler as the main language for programming 
viruses.Versions 5 and 6 of Visual Basic (VB) were developed, making it the preferred 
tool, along with Borland Delphi (the Pascal development for the Windows environment), 
for Trojan and worm writers. Then, Visual C, a powerful environment developed in C for 
Windows, was adopted for creating viruses, Trojans and worms. This last type of malware 
gained unusual strength, taking over almost all other types of viruses. Even though the 
characteristics of worms have changed over time, they all have the same objective: to 
spread to as many computers as possible, as quickly as possible.With time, Visual Basic 
became extremely popular and Microsoft implemented part of the functionality of this 
language as an interpreter capable of running script files with a similar syntax.At 
the same time as the Win32 platform was implemented, the first script viruses also 
appeared: malware inside a simple text file. These demonstrated that not only 
executable files (.EXE and .COM files) could carry viruses. As already seen with 
BAT viruses, there are also other means of propagation, proving the saying "anything 
that can be executed directly or through a interpreter can contain malware." To be 
specific, the first viruses that infected the macros included in Microsoft Office 
emerged. As a result, Word, Excel, Access and PowerPoint become ways of spreading 
‘lethal weapons’, which destroyed information when the user simply opened a document.
Melissa and self-executing wormsThe powerful script interpreters in Microsoft Office 
allowed virus authors to arm their creations with the characteristics of worms. 
A clear example is Melissa, a Word macro virus with the characteristics of a worm that 
infects Word 97 and 2000 documents. This worm automatically sends itself out as an 
attachment to an e-mail message to the first 50 contacts in the Outlook address book 
on the affected computer. This technique, which has unfortunately become very popular 
nowadays, was first used in this virus which, in 1999, caused one of the largest 
epidemics in computer history in just a few days. In fact, companies like Microsoft, 
Intel or Lucent Technologies had to block their connections to the Internet due to the
actions of Melissa.The technique started by Melissa was developed in 1999 by viruses 
like VBS/Freelink, which unlike its predecessor sent itself out to all the contacts 
in the address book on the infected PC. This started a new wave of worms capable of 
sending themselves out to all the contacts in the Outlook address book on the infected 
computer. Of these, the worm that most stands out from the rest is VBS/LoveLetter, 
more commonly known as ‘I love You’, which emerged in May 2000 and caused an epidemic 
that caused damage estimated at 10,000 million euros. In order to get the user’s 
attention and help it to spread, this worm sent itself out in an e-mail message with 
the subject ‘ILOVEYOU’ and an attached file called ‘LOVE-LETTER-FOR-YOU.TXT.VBS’. 
When the user opened this attachment, the computer was infected.As well as Melissa, 
in 1999 another type of virus emerged that also marked a milestone in virus history. 
In November of that year, VBS/BubbleBoy appeared, a new type of Internet worm written 
in VB Script. VBS/BubbleBoy was automatically run without the user needing to click on 
an attached file, as it exploited a vulnerability in Internet Explorer 5 to automatically 
run when the message was opened or viewed. This worm was followed in 2000 by JS/Kak.
Worm, which spread by hiding behind Java Script in the auto-signature in Microsoft 
Outlook Express, allowing it to infect computers without the user needing to run an 
attached file. These were the first samples of a series of worms, which were joined 
later on by worms capable of attacking computers when the user is browsing the Internet.