
A History of Malware: Part One, 1949-1988

May 13, 2014 by Infosec Institute

These days, malware is an everyday concern, even among ordinary end users. An untold amount of money is lost every year worldwide due to malware, possibly in the hundreds of billions, but it's difficult to quantify accurately.

The causes of those losses range from lost hours of office productivity, to financial malware like the kind that hit Target, to hardware that needs to be replaced due to infected firmware.

What might amaze you is that malware has existed since at least 1971, and was theorized as early as 1949. For the record, Microsoft didn't exist until 1975.

And it all started so innocently...

"Self-Reproducing Automata"

John Von Neumann was a revolutionary Hungarian-born mathematician who immigrated to the United States in 1933.

In 1948, Von Neumann started to talk about "cellular automata," a complex mathematical model for elementary biological functions. By 1949, those ideas evolved into his series of lectures on "self-reproducing automata," given at the University of Illinois. Arthur W. Burks compiled those 1949 lectures into a paper that was first published in 1966. Von Neumann's theories were astoundingly ahead of his time. His "cellular automata" ideas applied to microbes, such as biological viruses. From there, partly based on his experience with ENIAC, he imagined "self-reproducing automata" that could be an entity of those brand new "computing machines."

"Anybody who looks at living organisms knows perfectly well that they can produce other organisms like themselves. This is their normal function, they wouldn't exist if they didn't do this... The other line of argument... arises from looking at artificial automata... Appealing to the organic, living world does not help us greatly, because we do not understand well enough about how natural organisms function. We will stick to automata which we know completely because we made them... It is possible in this domain to describe automata which can reproduce themselves."

"I'm the Creeper. Catch me if you can!"

Computers made by Digital Equipment Corporation played a crucial role in how computing evolved from the 1950s to the 1970s. MIT (the Massachusetts Institute of Technology) got their first PDP series computers in the 1950s. Timesharing programs had to be used so that MIT's very first computer science students and professors could experiment with them. Some of the earliest breakthroughs in computer programming started there, back when it was done with punch cards.

Elsewhere in Cambridge, Massachusetts, in 1971, Bob Thomas was a computer programmer. He worked on a timesharing program called TENEX, which ran on a PDP-10.

Thomas wanted to see if a self-replicating program could be written. His machine was connected to ARPAnet, the very first packet-switched network, which was the father of the Internet. His program was called Creeper.

In Thomas' words, he was disappointed because it "didn't install multiple instances of itself on several targets." But Creeper spread through ARPAnet, nonetheless. Affected machines would print at the command line, "I'm the Creeper. Catch me if you can!" So, the string displayed on ARPAnet-connected computers, even if it didn't reproduce. Many computer scientists consider Creeper to be the very first computer virus.

In fact, it wasn't long until the very first antivirus program was created, specifically to remove Creeper... It was called Reaper.

The First Worm

In 1975, science fiction writer John Brunner theorized computer worms in The Shockwave Rider.

In 1978, John Shoch and Jon Hupp worked at the Xerox Palo Alto Research Center. I couldn't verify whether or not they had read Brunner's novel. It's likely that they had, though, because they wrote what many consider to be the very first computer worm.

They wrote five different versions, all designed to improve computer efficiency by exploring a network to find underused processors. But a bug in their programs caused computers to crash. Oops!

Brain

In 1986 in Pakistan, Basit Farooq Alvi and his brother Amjad Farooq Alvi were computer programmers.

Some computer scientists consider their program, Brain, to be the very first computer virus, because Thomas' Creeper didn't self-replicate.

Brain was an innocent experiment and nothing more. It spread via 5 1/4-inch floppies only, targeting the boot sector in PC-DOS and IBM-DOS based machines. Like Shoch and Hupp with their worm, the Alvi brothers wrote different versions of Brain.

Brain was relatively benign, because it basically just contained the code to self-replicate and copyrighted messages such as these:

Welcome to the Dungeon

(c) 1986 Basit & Amjad (pvt) Ltd.

BRAIN COMPUTER SERVICES

730 NIZAB BLOCK ALLAMA IQBAL TOWN

LAHORE-PAKISTAN PHONE :430791,443248,280530.

Beware of this VIRUS....

Contact us for vaccination............ $#@%$@!!

Welcome to the Dungeon

(c) 1986 Brain & Amjads (pvt) Ltd.

VIRUS_SHOE RECORD v9.0

Dedicated to the dynamic memories

of millions of virus who are no longer with us today -

Thanks GOODNESS!! BEWARE OF THE er..VIRUS :This program is catching

program follows after these messeges..... $#@%$@!!

It seemed that the different versions of Brain really didn't get people's attention until 1988.

Morris' Worm

Robert Morris was a doctoral student at Cornell University. On November 2nd, 1988, his worm was released. As with Creeper versus Brain, some computer scientists consider Morris' program, rather than Shoch and Hupp's from a decade prior, to be the first worm.

But as with the other programs I've mentioned, the intent was experimental, not malicious. What was novel about Morris' worm is that it did spread through the modern Internet, as it existed in the late 1980s.

But as with Shoch and Hupp's worm, a bug in Morris' worm caused it to behave in a harmful way not intended by its creator.

Five days later, on November 7th, Bob Page of the University of Lowell wrote:

"Here's the scoop on the 'Internet Worm.' Actually it's not a virus - a virus is a piece of code that adds itself to other programs, including operating systems. It cannot run independently, but rather requires that its 'host' program be run to activate it. As such, it has a clear analog to biologic viruses -- those viruses are not considered live, but they invade host cells and take them over, making them produce new viruses.

A worm is a program that can run by itself and can propagate a fully working version of itself to other machines. As such, what was loosed on the Internet was clearly a worm."

Page was likely the first computer scientist to properly describe the difference between a worm and a virus.

Within 24 hours of the Internet debut of Morris' worm, it infected approximately 5,000 computers. The United States General Accounting Office estimated that between $100,000 and $10,000,000 worth of productivity was lost, due to computers being unable to access the Internet.

The earliest viruses and worms were simply experiments with unintended consequences. But by the 1990s, personal computing exploded. Soon, nearly all offices and a large percentage of households had PCs. That coincided with the first true malware, programs with actual malicious intent. That was concurrent with personal computers and the Internet becoming a part of the everyday lives of ordinary people. I'll explore that in my next article. Stay tuned!

References

Theory of Self-Reproducing Automata
John Von Neumann, compiled by Arthur W. Burks
University of Illinois Press

Time Magazine – John Von Neumann
http://content.time.com/time/magazine/article/0,9171,21839,00.html

Computer Viruses: From Theory to Applications
Eric Filiol
Springer

First Computer Virus, Creeper, Was No Bug
http://news.discovery.com/tech/first-computer-virus-creeper-was-no-bug-110316.htm

A short history of hacks, worms, and cyberterror
http://www.computerworld.com/s/article/9131924/A_short_history_of_hacks_worms_and_cyberterror

The Internet Worm... Don't Get Hooked!
http://www.newinternetsecurity.com/worm.html

The history of worm like programs
https://snowplow.org/tom/worm/history.html

About Brain
http://campaigns.f-secure.com/brain/virus.html

The History and Evolution of Computer Viruses: 1986-1991
http://privacy-pc.com/articles/the-history-and-the-evolution-of-computer-viruses-1986-1991.html

braininf.vir
http://www.textfiles.com/virus/braininf.vir

Going Viral: How Two Pakistani Brothers Created The First PC Virus
http://mentalfloss.com/article/12462/going-viral-how-two-pakistani-brothers-created-first-pc-virus

A Report on the Internet Worm – Bob Page
http://ftp.cerias.purdue.edu/pub/doc/morris_worm/worm.paper
