From Elk Cloner to Peacomm: A quarter century of malware
A quarter century of malware. You’d think we would have had this problem licked by now, yeah? No, not even close. Self-replicating code was first theorized in 1949, the dawn of the computing age, and appeared in the wild around the early 1980s. The fundamental theories on computer viruses were worked out by Fred Cohen; you can read his original paper from the early 1980s online. The tension between usability and security is directly discussed in this seminal paper. From the paper’s ending: “To quickly summarize, absolute protection can be easily attained by absolute isolationism, but that is usually an unacceptable solution. Other forms of protection all seem to depend on the use of extremely complex and/or resource intensive analytical techniques, or imprecise solutions that tend to make systems less usable with time.” In fact, Cohen points out, because of the nature of a general purpose computer you can never fully protect against viruses.
No great surprise, people started to experiment with the ideas of self-replicating code and, in 1982, we saw Elk Cloner, an old Apple II computer virus. Things moved somewhat slowly for a while, shifting to the IBM PC when it became more prominent as a platform, and eventually to MS Windows. The timeline below isn’t comprehensive; it’s not designed to be. What it’s designed to show is the progress of a few major milestones: Elk Cloner, one of the first “in the wild” viruses, now 25 years old; the Morris Worm, one of the first major Internet worms; then the mass mailers Melissa and Loveletter; Code Red and Nimda, two Internet-disrupting Windows worms; then the continued presence of the mass mailer in Sober, MyDoom, Stration and now Peacomm. In short, what works continues to be used, and it works for many, many years.
Elk Cloner is almost cute in the way that it just teases you once you’re infected. Looking at the timeline above you can see a progression from “fun” and “proof of concept” to malice to making money with Stration and Peacomm.
Peacomm’s recent timeline tells the tale of an aggressive p2p spam bot. They went from EXE attachments to, more recently, postcard lures. They’ve been shifting tactics quite frequently lately, and they have also been launching a substantial number of DDoS events, including many aimed at researchers.
Peacomm is designed for the long haul; these guys are now sending that flood of PDF stock spam you’ve been seeing. Pushing penny stocks is the new fad; the latest round I bothered to look at was pushing HXPN, a penny stock hovering around 0.25 lately, down from a high of 1.65 in the past year. The US SEC likes to investigate this kind of thing, and people get arrested for this kind of crime.
The past 25 years have been a dizzying flurry of malicious activity, from fun and games while exploring the architecture of your computer to disrupting the Internet at large and possibly threatening the very nature of e-commerce. Who knows what the future holds …