By Michael Perna | February 12, 2016

Valentine’s day is just around the corner and it would not be fair to let the occasion pass us by without reflecting on the colorful, charming, amorous, sometimes exotic world of malware. In this blog we explore some of the milestone threats that have courted many a user over the years, proving only that there are, in fact, other (meaner) fish in the sea.

1971: The Creeper Virus

In 1949, the visionary mathematician John von Neumann conceived the idea of self-replicating automata, even before the existence of the modern computer. Little did he know, in 1971 Bob Thomas of BBN would create a self-replicating program capable of passing along code to its progeny, making von Neumann’s vision a reality (kind of). The computer virus was created as a simple proof of concept for the TENEX operating system. However, the nature of Creeper foreshadowed modern malware in many ways, most notably the fact that it did not simply self-replicate but rather “jumped” from system to system, uninstalling itself as it left one system and reinstalling itself on another. In 2015, FortiGuard Labs predicted the emergence of “Ghostware,” malware that covers its tracks as it infects and then exfiltrates data from a system. Ghostware has already been seen in the wild this year.

1988: The Morris Worm

The Internet, on November 2, 1988, was still a tight-knit group of academics and engineers. It was all very…collegial. And, in that spirit, Robert Morris of Cornell University let loose the eponymous “Morris” worm, one of the very first pieces of malware. For good measure, he launched the program on a computer at MIT. The purpose of the malware was simply to propagate itself endlessly from system to system; it had no malicious intent. Unfortunately, an error in its code did cause it to crash certain systems, eventually tagging Morris himself with the first conviction under the then-new Computer Fraud and Abuse Act. It is still debated how far the worm actually spread, but since basically everyone on the Internet at the time had heard of it, we can reasonably assume it was fairly widespread.

1989: AIDS (PC Cyborg Trojan)

Montreal, June 1989: the 5th International Conference on AIDS drew over 12,000 delegates on just the first day of the 5-day event. In addition to the historic “Montreal Manifesto” delivered at the conference, an inconspicuous biologist, Joseph Popp, handed out over 20,000 floppy disks labeled “AIDS Information – Introductory Diskette”. The floppies came with a small leaflet that explained,

If you install on a microcomputer…

Then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing these programs…

In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal action necessary to recover any outstanding debts payable to PC Cyborg corporation and to use program mechanisms to ensure termination of your use…

These program mechanisms will adversely affect other program applications…

You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life…

And your [PC] will stop functioning normally…

You are strictly prohibited from sharing with others…

The program on the floppies certainly knew how to commit, encrypting the files on a system’s C: drive. The Trojan would then ask users to send a $189 ransom to PC Cyborg Corporation in Panama to release the files. Once identified, Popp was arrested and charged with eleven counts of blackmail. AIDS is an early example of what we now call “ransomware”.

1991: Michelangelo

Early 1992, the press had much ado about the impending Michelangelo computer virus, discovered just one year earlier. The virus was just another boot sector virus, infecting a PC’s Master Boot Record. It would load itself onto your PC from an infected floppy, infect all future writable floppies you put into your machine, and would simply sit there…

until the 6th of March, its namesake’s birthday, when it would proceed to erase the first 17 sectors (heads zero to four) on your hard disk, possibly making space to paint its own Sistine ceiling.

2000: ILOVEYOU

An inconspicuous email, subject line “ILOVEYOU,” contained only a single attachment: LOVE-LETTER-FOR-YOU.txt. The attachment was actually a .vbs file, a Visual Basic Script file. By default, Windows operating systems of the time hid the “.vbs” file extension, making the attachment appear to be a benign text file. Unsuspecting victims of this phishing scheme would inadvertently run the script, which would automatically send an identical copy of the original email to every single entry in the machine’s Windows Address Book and overwrite a number of files in its wake. For a brief moment in time, ILOVEYOU took the world in its warm embrace, causing an estimated USD$5.5-8.7 billion in damages. Proving only that you “Can’t Buy Me Love.” Despite tracing the origin of the virus (within the first 24 hours of its release) to a programming duo in the Philippines, the pair walked away without charges due to the absence of any local law prohibiting malware authorship at the time.

2001: Anna Kournikova

“Here you have, ;0)” was the subject line, and attached was a file, “AnnaKournikova.jpg[.vbs]”. Proof that lightning can, in fact, strike the same place twice, the Visual Basic Script file would send an identical copy of the original email to a user’s entire address book. The Anna Kournikova virus was actually generated in just a few minutes using a widely available tool called “Visual Basic Worm Generator”. Before really knowing what he had created with the tool, Jan de Wit of the Netherlands let the virus loose. Taking advice from his parents, Jan turned himself in on February 14th, 2001.
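Both ILOVEYOU and Anna Kournikova relied on the same trick: a script extension tucked behind a document or image extension that Windows hid from the user. The following added example (not from the original post, and not Fortinet code) shows how a mail filter can flag that pattern: it models how a name renders when the last extension is hidden, then classifies attachments pulled out of a constructed sample message. The extension lists, the sample message and all function names are assumptions made for this illustration.

```python
import os
from email import message_from_string
from email.message import EmailMessage
from typing import Dict, List

# Script/executable extensions that should never arrive dressed up as a document.
# Constructed, deliberately short list for this example; real gateways use far longer ones.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr", ".bat", ".cmd"}

# Extensions a user would reasonably treat as harmless when shown on its own.
BENIGN_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".gif", ".png", ".pdf", ".doc"}


def displayed_name(filename: str) -> str:
    """Approximate how Explorer renders a name with 'hide extensions for known
    file types' enabled: the final extension is dropped, so
    'LOVE-LETTER-FOR-YOU.txt.vbs' is shown as 'LOVE-LETTER-FOR-YOU.txt'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename: str) -> Dict[str, object]:
    """Return what the user sees, what the file really is, and whether the
    real script extension hides behind a benign-looking one."""
    _, real_ext = os.path.splitext(filename)
    real_ext = real_ext.lower()
    shown = displayed_name(filename)
    _, shown_ext = os.path.splitext(shown)
    is_script = real_ext in SCRIPT_EXTENSIONS
    return {
        "filename": filename,
        "displayed_as": shown,
        "real_extension": real_ext,
        "is_script": is_script,
        # The double-extension disguise: a script that displays as a document/image.
        "disguised": is_script and shown_ext.lower() in BENIGN_EXTENSIONS,
    }


def attachment_names(raw_message: str) -> List[str]:
    """Walk a raw RFC 822 message and collect every part that carries a filename."""
    msg = message_from_string(raw_message)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def scan_message(raw_message: str) -> List[Dict[str, object]]:
    """Classify every attachment in a raw message."""
    return [classify_attachment(name) for name in attachment_names(raw_message)]


def build_sample_message() -> str:
    """Constructed sample mail mimicking the ILOVEYOU lure; the attachment
    bodies are placeholder bytes, not scripts."""
    msg = EmailMessage()
    msg["Subject"] = "ILOVEYOU"
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b"' placeholder bytes, not a real script",
                       maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.txt.vbs")
    msg.add_attachment(b"\xff\xd8\xff placeholder image bytes",
                       maintype="image", subtype="jpeg",
                       filename="holiday.jpg")
    return msg.as_string()


if __name__ == "__main__":
    for result in scan_message(build_sample_message()):
        verdict = "QUARANTINE" if result["disguised"] else "allow"
        print(f"{verdict:10} {result['filename']} (user sees: {result['displayed_as']})")
```

The check deliberately keys on the gap between what the user sees and what the file really is, rather than on `.vbs` alone: a bare `setup.exe` is still a script/executable worth policy attention, but it is not disguised, and the two cases usually get different handling at a gateway.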

2003: Slammer & Blaster

This would not be a Valentine’s Day themed post without another love letter virus. In 2003, the Blaster worm took advantage of an RPC bug in Microsoft Windows 2000 and XP. The worm loaded a malicious .exe file onto the system, which would signal the machine to DDoS every time the system was booted. The message, “I just want to say LOVE YOU SAN!” appeared in the code within the executable. Following this note was another:

“billy gates why do you make this possible ? Stop making money and fix your software!!”

How endearing…

Another variant of this malware called “SQL Slammer” emerged at the same time, taking advantage of the same vulnerability in Microsoft systems. The creator of SQL Slammer left no such love letter. How rude.

2008: Conficker

Also innocently known as the Kido Worm, Conficker took advantage of another RPC vulnerability on Microsoft systems to cause a buffer overflow and inject code. The malware used a number of advanced techniques to feed a growing botnet. Infected systems would phone home for periodic updates as the attackers squashed bugs in Conficker’s code. The final version of the malware even had the ability to block certain DNS lookups, disable a system’s auto-updater, and kill the processes of anti-malware programs. To say the least, Conficker was a little clingy.

2011: ZeroAccess

The ZeroAccess rootkit began infecting systems in 2011, ensnaring them in its botnet. It is estimated that ZeroAccess reached over 9 million systems in its tenure. The rootkit spread using a number of different attack strategies, including social engineering schemes, affiliate programs, and ad networks. Once a host was entangled in its web, the command and control network would take advantage of it to commit click fraud. Microsoft allegedly took down the botnet in 2013. However, some activity from apparent command and control systems was seen in early 2015.

2013: CryptoLocker

CryptoLocker started infecting systems in the latter half of 2013. The loving trojan had a thing for holding onto your stuff, even if you sent a friend to retrieve it. Using RSA public-key cryptography, CryptoLocker would encrypt certain types of files on your system and display a message asking you to send bitcoin or pre-paid cash vouchers by a certain deadline. In mid-2014, CryptoLocker stopped its rampage when the Gameover ZeuS botnet met its demise; the botnet was the primary way CryptoLocker was distributed. The vengeful trojan managed to extort over USD$3 million from victims.

2014: Moon Worm

Jumping from router to router, TheMoon worm used the Home Network Administration Protocol (HNAP) as a way to identify the model number of certain consumer home routers. It would then proceed to use a specifically tailored executable to bypass authentication and infect the device. Once a device was infected, the malware would scan open ports for more devices to latch onto.

2015: Moose

Not using any specific vulnerability, the Moose worm infects Linux-based routers with unfortunately simple login credentials. Once it has infected a router, Moose proceeds to commit social media fraud, hijacking Internet connections to view, like, and follow various accounts. Interestingly, there is no persistence on infected routers, so a simple reboot brings the device back without the malware.


We have seen a number of interesting viruses, worms, and botnets over the years, but what is next? Malicious actors have gotten pretty suave when it comes to making their way into our systems. With the proliferation of “headless” connected devices, commonly referred to as IoT, the savviest malware of the near future will likely make use of this exponentially growing attack surface. Everything everywhere is about to be connected in ways we never thought possible.

For more information on what might be coming in 2016, check out our report on the Evolving Threat Landscape.