Unlucky 13: The Most Significant Computer Viruses Of The Last 40 Years

The Computer Virus Turns 40

A lot has changed in 40 years, since the first computer virus emerged in 1971 as a proof of concept on an early iteration of the Internet. From the sheer volume in the number of viruses, which grew from about 1,300 in 1990 to 200 million by 2010, to their intent, which evolved from jokes, nuisances and proofs of concept to monetization, spying and attacks; the proliferation of computer viruses over the last 40 years has been significant, to say the least.

The computer virus also sparked an industry unto itself, creating opportunities for solution providers and vendors to offer products and tools to thwart viruses and stop security threats dead in their tracks.

CRN caught up with Guillaume Lovet, the head of Fortinet's FortiGuard security research team, to discuss some of the most significant computer viruses of the last 40 years. Here are his insights.

Creeper

Making its debut in 1971, Creeper is considered the first real computer virus. It was released "in lab" by an employee of a company that was working on building Internet ancestor ARPANET. According to Lovet, Creeper looked for a machine on the network, transferred to it and displayed the message "I'm the creeper, catch me if you can!" Then the process starts over, hopping from system to system. Lovet said Creeper is significant in that it ties the roots of computer viruses to those of the Internet.

Elk Cloner

Eleven years after Creeper first crept, a 15-year-old created the first virus to spread outside of the lab in which it was created. Elk Cloner made its debut in 1982 and was a way for the creator to booby trap his friends' Apple II computer systems without physical access. According to Lovet, Elk Cloner spread via floppy disks and infected machines displayed a harmless poem dedicated to the virus' glory. Floppy disks, Lovet said, were a common medium with which to spread early viruses, as the Internet was not yet widespread. And the virus' ability to be spread outside of its lab of origin was a significant milestone in the 40-year history of computer viruses.

Jerusalem

Heralded as the first destructive virus, 1987's Jerusalem was first detected at the Hebrew University of Jerusalem and would delete every program that runs on an infected machine. Lovet said it's significant in that it was the first to destroy data, setting the stage for future viruses with more damaging destructive capabilities.

Michelangelo

Michelangelo may have been the first computer virus to be overblown by media hype. The 1992 virus was designed to awaken on Renaissance artist Michelangelo's birthday (March 6) and erase critical parts of infected computers' hard drives. Lovet noted that word of Michelangelo sparked a media frenzy with some experts predicting 5 million computers would be taken down by the data-destroying demon. But when March 6 dawned, only a few thousand data losses were reported.

Melissa

Named in honor of a Floridian exotic dancer, Melissa propagated via Microsoft Word documents and mailed itself to the Outlook contacts of the contaminated users. Melissa paralyzed some mailing systems on the Internet and netted its author 20 months in jail and a $5,000 fine for writing the malicious code.

Melissa is also a significant stepping stone in computer virus history, Lovet said, because a copycat created a variant of the Melissa virus that encrypted infected files and held them for ransom. Lovet said the encrypted files would be decrypted after the victim wired $100 to an off-shore account. The ransomware marked the first the beginning of profiting off of viruses, though the true monetization of malware was still a few years away.

I Love You

The virus community rang in the new millennium with the I Love You worm, which infected tens of millions of computers. Victims would receive an incoming e-mail with "I love you" in the subject line. The e-mail contained an attachment that, when opened, infected a user's machine and e-mailed itself to all of the contacts found on the victim's system. Lovet said the I Love You virus cost companies between $5 billion and $10 billion, most of which was cleaning up infected machines.

Code Red

In 2004 Code Red targeted Web servers and it would automatically spread by exploiting a vulnerability in Microsoft IIS servers. It took less than a week for more than 400,000 servers to be infected by Code Red. For infected companies, the home page of their hosted Web sites was replaced with "Hacked By Chinese!" Code Red was significant in that it had a feature designed to flood White House Web site traffic from the infected servers, marking it as the first large scale case of "hacktivism."

Sasser

Fortinet's Lovet said 2004's Sasser virus spread without anyone's help and exploited a vulnerability in Microsoft Windows. A bug in the worm's code also caused it to shut down infected systems every couple of minutes. Lovet said Sasser marked a turning point for viruses, in that it was the first time systems that don't normally have a function relating to the Internet were severely impacted. He said more than one million systems were infected, AFP's communication satellites were interrupted and Delta Airlines was forced to cancel flights. Additionally, the British coast guard had to use print maps and one hospital's emergency room had to redirect patients because its radiology department was taken out. The damage caused by Sasser was estimated at more than $18 billion.

And Microsoft wanted answers, offering a $250,000 bounty for Sasser's author, who turned out to be an 18-year-old German student who said he created the virus as a way to help his mother find a job in computer security. Lovet said Sasser was the first virus to really attract attention from the traditional press.

MyTob

MyTob was a mass-mailed worm that included its own SMTP engine to spread itself to other PCs after hijacking addresses from an infected system. It also included a backdoor component which let hackers send additional commands and/or files to the compromised computer to turn it into a spam-spewing zombie, or to load spyware for snapping up usernames and passwords. The MyTob virus marked the emergence of cybercrime in computer viruses. Appearing in 2005, MyTob combined features of a bot and a mass-mailer. Along with heralding the era of cybercrime MyTob also introduced the botnet. Since then, many botnets appeared to install spyware, diffuse spam, intercept bank credentials and more, making cybercrime a multi-billion dollar business, Lovet said.

Storm

The Storm botnet launched in 2007 and took what seemed like ages to get under control. Storm left a legacy as one of the most destructive bots in history, infecting millions of computers around the world in its wake. Affected computers are at the mercy of Trojans and keystroke loggers that can silently transmit passwords, bank account numbers and other valuable information from an unsuspecting user's computer into the hands of criminals. The Storm botent implemented a peer-to-peer architecture and was the first botnet with a decentralized command. Before Storm, botnets weren't nearly as far reaching and could be neutralized easily. At its height, Strom infected between 1 million and 50 million systems and accounted for 8 percent of all malware.

Koobface

With the advances of social networking platforms, it was only due time before they were exploited. Koobface, an anagram for Facebook, spread by pretending to be the infected user on social networks, prompting friends to download an update to their Flash player to view a video. Koobface, launched in 2008, marked the first botnet to recruit its Zombie computers across various social networks, including Facebook, MySpace, hi5, Bebo and more. Currently, it is estimated that at any time more than 500,000 Koobface zombies are online simultaneously.

Conficker

Conficker is both a worm and a super-resilient botnet, with defensive techniques that had not yet been found in viruses. In 2009, Conficker targeted the Microsoft Windows OS and used Windows flaws and Dictionary attacks on admin passwords to co-opt machines and link them to a computer that can be commanded remotely by the authors. Some networks were so saturated with Conficker that it caused planes to be grounded, including a number of French fighter planes. Some hospitals and military bases were also impacted and it's estimated that roughly 7 million systems were infected globally. Oddly enough, no Ukrainian IPs or machines were infected by Conficker, suggesting that the authors were not targeting their own country.

Stuxnet

To many, Stuxnet is considered the first shot fired in a cyber war that will soon emerge. Stuxnet exploited several critical Windows vulnerabilities, one of which guaranteed its execution when inserting an infected USB key into the target system. According to Lovet, only governments have the resources to design and implement a virus as complex as Stuxnet. When a system was infected, Stuxnet would spread into an internal network until it reached its target and leveraged a weak point to destroy the industrial system. With Stuxnet targeting nuclear plants, Lovet said the virus landscape is changing dramatically. Stuxnet first emerged on the public radar in September 2010 when researchers found traces of code on Siemens industrial software systems that operate Iran's Bushehr nuclear reactor.