The First Malicious Code
Interestingly, in 1985, the early Internet was brought to its knees on October 27 because of an accidentally-propagated status-message virus. This was not the first virus, however. As early as 1949, self-replicating programs were being developed, and in 1981, several viruses were infecting the Apple world.
Computer "worms" were first considered as a means of automating network management tasks. Experiments were performed at Xerox Palo Alto Research Center in 1982. The key problem noted was controlling the propagation of these programs. This became especially apparent to a young Robert Morris, a 23-year-old doctoral student at Cornell University. Morris unleashed a worm on the Internet, not realizing that he had drastically miscalculated the rate of propagation and the impact it would have on compromised systems. The worm spread at a phenomenal rate, must faster than originally intended. Morris realized his worm was spreading faster than he anticipated and tried to post removal instructions. Unfortunately, these instructions were not received because most administrators had removed themselves from the Internet.
The worm infected more than 6,000 machines across the country. The infection cost between $100,000 and $10 million due to lost access to the Internet at an infected host (according to the United States General Accounting Office). Morris was sentenced to three years of probation, 400 hours of community service, $10,050 in fines plus the cost of his supervision.
Much has changed since those early days. The first computer viruses were simple because the computing capability was so limited. Most early viruses would simply copy themselves to a new location, then progress from there. Eventually, as more computing power became available, more complex viruses were developed. This included the addition of code to be executed once the virus had replicated itself to a new disk or computer. The worm era really seemed to take off in the late 1990s. There was a sharp increase in the frequency and number of worms as well as the damage they caused. A very short list of the most memorable worms includes:
- Melissa in 1999
- Code Red, Nimda, and Ramen in 2001
- Slammer and Blaster in 2003
Along with the increasing number of worms, there is a disturbing trend—a reduced time between the discovery of vulnerability to the time of active propagating code. Code Red raised security community awareness in that it was able to infect more than 359,000 computers connected to the Internet in less than 14 hours. The cost of damages incurred by Code Red and its subsequent strains was estimated to be in excess of $2.6 billion! The rapid spread of Code Red led to the hypothesis of a faster spreading worm which came to be called a Warhol Worm. A Warhol Worm would be capable of infecting all vulnerable hosts on the Internet in approximately 15 minutes to an hour. The theory stated that this would be accomplished "by using optimized scanning routines, a hit list scanning for initial propagation, and permutation scanning for complete, self-coordinated coverage.”
Theory became reality on Friday, March 19, 2004, at approximately 8:45 p.m. Pacific Standard Time (PST). The Witty Worm began its spread, but this attack was unlike anything seen previously. It started in an organized manner, spreading from an initial “seed” of about 110 hosts, and reached its peak (supposedly infecting all vulnerable machines on the Internet) in about 45 minutes.