The history of malware,Trojans and worms (part 3)

Thursday, March 17th, 2016

Two weeks ago we explored lesser known malware, Trojans and worms, after 1985. This time around, we look at more recent threats, starting with zombies…

2003 Zombie, Phishing
The Sobig worm gave control of the PC to hackers, so that it became a “zombie,” which could be used to send spam. The Mimail worm posed as an email from Paypal, asking users to confirm credit card information.

2004 IRC bots
Malicious IRC (Internet Relay Chat) bots were developed. Trojans could place the bot on a computer, where it would connect to an IRC channel without the user’s knowledge and give control of the computer to hackers.

2005 Rootkits
Sony’s DRM copy protection system, included on music CDs, installed a “rootkit” on users’ PCs, hiding files so that they could not be duplicated. Hackers wrote Trojans to exploit this security weakness and installed a hidden “back door.”

2006 Share price scams
Spam mail hyping shares in small companies (“pump-and-dump” spam) became common.

2006 Ransomware
The Zippo and Archiveus Trojan horse programs, which encrypted users’ files and demanded payment in exchange for the password, were early examples of ransomware.

2006 First advanced persistent threat (APT) identified 
First coined by the U.S. Air Force in 2006 and functionally defined by Alexandria, Virginia security firm Mandiant in 2008 as a group of sophisticated, determined and coordinated attackers. APTs are equipped with both the capability and the intent to persistently and effectively target a specific entity. Recognized attack vectors include infected media, supply chain compromise and social engineering.

2008 Fake antivirus software
Scaremongering tactics encourage people to hand over credit card details for fake antivirus products like AntiVirus 2008.

2008 First iPhone malware
The US Computer Emergency Response Team (US-CERT) issues a warning that a fraudulent iPhone upgrade, “iPhone firmware 1.1.3 prep,” is making its way around the Internet and users should not be fooled into installing it. When a user installs the Trojan, other application components are altered. If the Trojan is uninstalled, the affected applications may also be removed.

2009 Conficker hits the headlines
Conficker, a worm that initially infects via unpatched machines, creates a media storm across the world.

2009 Polymorphic viruses rise again
Complex viruses return with a vengeance, including Scribble, a virus which mutates its appearance on each infection and used multiple vectors of attack.

2009 First Android malware
Android FakePlayerAndroid/FakePlayer.A is a Trojan that sends SMS messages to premium rate phone numbers. The Trojan penetrates Android-based smartphones disguised as an ordinary application. Users are prompted to install a small file of around 13 KB that has the standard Android extension .APK. But once the “app” is installed on the device, the Trojan bundled with it begins texting premium rate phone numbers (those that charge). The criminals are the ones operating these numbers, so they end up collecting charges to the victims’ accounts.

2010 Stuxnet
Discovered in June 2010 the Stuxnet worm initially spreads indiscriminately, but is later found to contain a highly specialized malware payload that is designed to target only Siemens supervisory control and data acquisition (SCADA) systems configured to control and monitor specific industrial processes. Stuxnet’s most prominent target is widely believed to be uranium enrichment infrastructure in Iran.

2012 First drive-by Android malware
The first Android drive-by malware is discovered, a Trojan called NotCompatible that poses as a system update but acts as a proxy redirect. The site checks the victim’s browser’s user-agent string to confirm that it is an Android visiting, then automatically installs the Trojan. A device infected with NotCompatible could potentially be used to gain access to normally protected information or systems, such as those maintained by enterprise or government.

2013 Ransomware is back
Ransomware emerges as one of the top malware threats. With some variants using advanced encryption that makes recovering locked files nearly impossible, ransomware replaces fake antivirus as malicious actors’ money-soliciting threat of choice.

Take note that information below is an extract from the Sophos Threatsaurus, compiled by Sophos, a security software and hardware company.

History of malware, Trojans and worms (Part 2)

Thursday, March 3rd, 2016

Last time we explored the more unknown viruses, Trojans and worms, up to 1985. Now we start off in 1986, where most histories do, with the first PC virus.

1986 The first virus for PCs
The first virus for IBM PCs, Brain, was allegedly written by two brothers in Pakistan, when they noticed that people were copying their software. The virus put a copy of itself and a copyright message on any floppy disk copies their customers made.

1987 The Christmas tree worm
This was an email Christmas card that included program code. If the user ran it, it drew a Christmas tree as promised, but also forwarded itself to everyone in the user’s address book. The traffic paralyzed the IBM worldwide network.

1988 The Internet Worm
Robert Morris, a 23-year-old student, released a worm on the US DARPA Internet. It spread to thousands of computers and, due to an error, kept re-infecting computers many times, causing them to crash.

1989 Trojan demands ransom
The AIDS Trojan horse came on a floppy disk that offered information about AIDS and HIV. The Trojan encrypted the computer’s hard disk and demanded payment in exchange for the password.

1991 The first polymorphic virus
Tequila was the first widespread polymorphic virus. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.

1992 The Michelangelo panic
The Michelangelo virus was designed to erase computer hard disks each year on March 6 (Michelangelo’s birthday). After two companies accidentally distributed infected disks and PCs, there was worldwide panic, but few computers were infected.

1994 The first email virus hoax
The first email hoax warned of a malicious virus that would erase an entire hard drive just by opening an email with the subject line “Good Times.”

1995 The first document virus
The first document or “macro” virus, Concept, appeared. It spread by exploiting the macros in Microsoft Word.

1998 The first virus to affect hardware
CIH or Chernobyl became the first virus to paralyze computer hardware. The virus attacked the BIOS, which is needed to boot up the computer.

1999 Email viruses
Melissa, a virus that forwards itself by email, spread worldwide. Bubbleboy, the first virus to infect a computer when email is viewed, appeared.

2000 Denial-of-service attacks
“Distributed denial-of-service” attacks by hackers put Yahoo!, eBay, Amazon and other high profile websites offline for several hours. Love Bug became the most successful email virus yet.

2000 Palm virus
The first virus appeared for the Palm operating system, although no users were infected.

2001 Viruses spread via websites or network shares
Malicious programs began to exploit vulnerabilities in software, so that they could spread without user intervention. Nimda infected users who simply browsed a website. Sircam used its own email program to spread, and also spread via network shares.

If this history timeline hasn’t satisfied your curiosity, the recently launched Malware Museum might peak your interest. 

Take note that information below is an extract from the Sophos Threatsaurus, compiled by Sophos, a security software and hardware company.

History of malware, Trojans and worms (Part 1)

Wednesday, February 17th, 2016

We’re always warning you against phishing, viruses and other nasty software which might harm your PC and data. For a change, let’s look at the history of these nasties. Where do they come from? How long have they been around for? Are they a recent phenomenon?

It seems not. Viruses have been doing the rounds for more than 50 years.

1949 Self-reproducing “cellular automata”
John von Neumann, the father of cybernetics, published a paper suggesting that a computer program could reproduce itself.

1959 Core Wars
H Douglas McIlroy, Victor Vysottsky, and Robert P Morris of Bell Labs developed a computer game called Core Wars, in which programs called organisms competed for computer processing time.

1960 “Rabbit” programs
Programmers began to write placeholders for mainframe computers. If no jobs were waiting, these programs added a copy of themselves to the end of the queue. They were nicknamed “rabbits” because they multiplied, using up system resources.

1971 The first worm
Bob Thomas, a developer working on ARPANET, a precursor to the Internet, wrote a program called Creeper that passed from computer to computer, displaying a message.

1975 Replicating code
A K Dewdney wrote Pervade as a sub-routine for a game run on computers using the UNIVAC 1100 system. When any user played the game, it silently copied the latest version of itself into every accessible directory, including shared directories, consequently spreading throughout the network.

1978 The Vampire worm
John Shoch and Jon Hupp at Xerox PARC began experimenting with worms designed to perform helpful tasks. The Vampire worm was idle during the day, but at night it assigned tasks to under-used computers.

1981 Apple virus
Joe Dellinger, a student at Texas A&M University, modified the operating system on Apple II diskettes so that it would behave as a virus. As the virus had unintended side-effects, it was never released, but further versions were written and allowed to spread.

1982 Apple virus with side effects
Rich Skrenta, a 15-year-old, wrote Elk Cloner for the Apple II operating system. Elk Cloner ran whenever a computer was started from an infected floppy disk, and would infect any other floppy put into the disk drive. It displayed a message every 50 times the computer was started.

1985 Mail Trojan
The EGABTR Trojan horse was distributed via mailboxes, posing as a program designed to improve graphics display. However, once run, it deleted all files on the hard disk and displayed a message.

Take note that information above is an extract from the Sophos Threatsaurus, compiled by Sophos, a security software and hardware company.

Vaccinate your pc

Friday, November 9th, 2012

Every year you have to go to your doctor to get an anti-flu injection. You have to get one every year because the influenza virus mutates and adapts every year into a new strain. Computer viruses are exactly the same!

Here are a few handy tips and hints to ensure the whole process is as painless as possible. But first things first –

  • Use an AntiVirus Software – It is very important that your computer has an antivirus software running on your machine. By having an antivirus program running, files and emails will be scanned as you use them, download them, or open them. If a virus is found in one of the items you are about to use, the antivirus program will stop you from being able to run that program and therefore infect yourself.

See this link for a listing of some online/stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software –  There is no point running an antivirus program if you do not make sure it has all the latest updates available to it. If you do not update the software, it will not know about any new viruses, trojans, worms, etc that have been released into the wild since you installed the program. Then if a new infection appears in your computer, the antivirus program will not know that it is bad, and not alert you when you run it and become infected. Therefore it is imperative that you update your Antivirus software at least once a week (Even more if you wish) so that you are protected from all the latest threats. If you are lucky then you will have an anti-virus product that will update itself automatically via the internet, but never blindly trust this. A large number of the more virulent viruses and trojans can deactivate your anti-virus software’s updating functions.
  • Install an Anti-Spyware Program – Just as you installed and use an antivirus program, it is essential these days to use a Spyware protection and removal program. These programs can be used to scan your computer for spyware, dialers, browser hijackers, and other programs that are malicious in nature. The 4 program that I recommend are SuperAnti-SpywareSpybot – Search and Destroy, andLavasoft’s Ad-Aware, and Windows Defender.A tutorial on using some of these programs can be found below:

Using Spybot – Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Commercial Spyware Removal/Protection Programs – If you feel more comfortable installing a commercial Spyware removal program then I recommend WebRoot’s Spysweeper or Lavasoft’s Ad-Aware Professional. Both are fair products and a worthy addition to the arsenal of software protecting your computer.

Spysweeper Product Information

  • Occasionally Run Online Virus Scans – Unfortunately not all antivirus programs are created equal. Each program may find infections that other antivirus programs do not and vice-versa. It is therefore recommended that you occasionally run some free online antivirus scanners to make sure that you are not infected with items that your particular antivirus program does not know how to find. Three online scanners that we recommend are:

Every once in a while, maybe once every 2 weeks, run one or both of these scanners to see if they find anything that may have been missed by your locally installed antivirus software. Believe me, you will not regret it!


For regular updates on the latest spam, malware and ransonware threats, please check or blog regularly.

Spyware infected mail – USPS Shipment e-mail

Thursday, May 17th, 2012

Since this morning (Thursday 17 May) a number of e-mails have been delivered into University accounts with a subject line of “USPS Shipment Info for 2351 3200 0122 9268 0611 3688”. The mail contains a cleverly disguised executable disguised as a web page or a document that when clicked or opened (the attachment) will modify the security settings in your Internet Explorer browser settings to allow criminals to gain access or control to your computer. If you get any mail with these sort of characteristics (often disguised as a USPS, UPS or international postal or courier services notification) please delete or quarantine the file. (Information supplied by David Wiles, Gerga)


© 2013-2017 Disclaimer: The views and opinions expressed in this page are strictly those of the page author(s) and content contributor(s). The contents of this page have not been reviewed or approved by Stellenbosch University.