15 infamous malware attacks: The first and the worst

By Josh Fruhlinger and John Leyden

Whether by dumb luck or ruthless skill, these malware attacks left their mark on the internet.

Viruses and other malware spreading for sinister or baffling reasons has been a staple of cyberpunk novels and real-life news stories alike for decades. And in truth, there have been computer viruses on the internet since before it was the internet.

Mikko Hyppönen, chief research officer at WithSecure, has been fighting malware and cybercrime since the 1990s. Computer viruses have evolved from a nuisance to a potential national security threat over that period.

“The major shift in malware outbreaks occurred around 2003-2004,” Hyppönen tells CSO. “Before that, most attacks were created by hobbyists for fun. Some of the self-replicating worms from that era had no purpose other than to spread as quickly and widely as possible. Since then, most malware has been developed by organized crime groups or governments, and attacks have become much more targeted.”

This article will take a look at some of the most important milestones in the evolution of malware: These entries each represent a novel idea, a lucky break that revealed a gaping security hole, or an attack that turned out to be particularly damaging — and sometimes all three.

  1. Creeper virus (1971)
  2. Brain virus (1986)
  3. Morris worm (1988)
  4. ILOVEYOU worm (2000)
  5. Mydoom worm (2004)
  6. Zeus trojan (2007)
  7. Stuxnet (2010)
  8. CryptoLocker ransomware (2013)
  9. Emotet trojan (2014)
  10. Mirai botnet (2016)
  11. Industroyer (2016)
  12. Petya ransomware/NotPetya wiper (2016/2017)
  13. WannaCry (2017)
  14. Clop ransomware (2019-present)
  15. Darkside (2021)

1. Creeper virus (1971)

Computer pioneer John von Neumann’s posthumous work Theory of Self-Reproducing Automata, which posited the idea of computer code that could reproduce and spread itself, was published in 1966. Five years later, the first known computer virus, called Creeper, was written by Bob Thomas. Written in PDP-10 assembly language, Creeper could reproduce itself and move from computer to computer across the nascent ARPANET.

Creeper did no harm to the systems it infected — Thomas developed it as a proof of concept, and its only effect was that it caused connected teletype machines to print a message that said “I’M THE CREEPER: CATCH ME IF YOU CAN.” We’re mentioning it here despite its benign nature because it was the first, and set the template for everything that followed. Shortly after Creeper’s release, Ray Tomlinson, best known for implementing the first email program, wrote a rival program called Reaper that spread from computer to computer eliminating Creeper’s code.

2. Brain virus (1986)

Creeper was designed to leap across computer networks, but for most of the 1970s and ’80s that infection vector was limited simply because most computers operated in isolation. What malware did spread from computer to computer did so via floppy disks. The earliest example is Elk Cloner, which was created by a 15-year-old as a prank and infected Apple II computers. But probably the most important of this generation of viruses was one that came to be known as Brain, and started spreading worldwide in 1986.

Brain was developed by computer programmers (and brothers) Amjad and Basit Farooq Alvi, who lived in Pakistan and had a business selling medical software. Because their programs were often pirated, they created a virus that could infect the boot sector of pirated disks. It was mostly harmless but included contact information for them and an offer to “disinfect” the software.

Whether they could actually “fix” the problem isn’t clear, but as they explained 25 years later, they soon started receiving phone calls from all over the world, and were shocked by how quickly and how far Brain had spread (and how mad the people who had illegally copied their software were at them, for some reason). Today Brain is widely regarded as the first IBM PC virus, so we’re including it on our list despite its benign nature, and the brothers still have the same address and phone number that they sent out 25 years ago.

3. Morris worm (1988)

1988 saw the advent of a piece of malware called Morris, which could claim a number of firsts. It was the first widespread computer worm, which meant it could reproduce itself without needing another program to piggyback on. It targeted multiple vulnerabilities to help it spread faster and further. While not designed to do harm, it was probably the first malware to do real substantive financial damage, more than earning its place on this list. It spread incredibly swiftly — within 24 hours of its release, it had infected 10% of all internet-connected computers — and created multiple copies of itself on each machine, causing many of them to grind to a halt. Estimates of the costs of the attack ranged into the millions.

The worm is named after its creator Robert Morris, who was a Cornell grad student at the time and meant it as a proof-of-concept and demonstration of widespread security flaws. Morris didn’t anticipate that it would spread so quickly or that its ability to infect individual computers multiple times would cause so much trouble, and he tried to help undo the damage, but it was too late. He ended up the unfortunate subject of another first: The first person convicted under the 1986 Computer Fraud and Abuse Act.

4. ILOVEYOU worm (2000)

Unlike the previous malware creators on this list, Onel de Guzman, who was 24 in 2000 and living in the Philippines, crafted his creation with straightforward criminal intent: he couldn’t afford dialup service, so he built a worm that would steal other people’s passwords so he could piggyback off of their accounts. But the malware so cleverly took advantage of a number of flaws in Windows 95 — especially the fact that Windows automatically hid the file extensions of email attachments so people didn’t realize they were launching executable files — that it spread like wildfire, and soon millions of infected computers were sending out copies of the worm and beaming passwords back to a Filipino email address. It also erased numerous files on target computers, causing millions of dollars in damage and briefly shutting down the UK Parliament’s computer system.

de Guzman was never charged with a crime, because nothing he did was illegal in the Philippines at the time, but he expressed regret in an interview 20 years later, saying he never intended the malware to spread as far as it did. He also ended up being something of a pioneer in social engineering: the worm got its name because it spread with emails with “ILOVEYOU” in the subject line. “I figured out that many people want a boyfriend, they want each other, they want love, so I called it that,” de Guzman said.

5. Mydoom worm (2004)

Mydoom may be 20 years old, but it still holds a number of records, including the fastest-spreading computer worm ever. The Mydoom worm infected computers via email, then took control of the victim computer to email out more copies of itself, and did it so efficiently that at its height it accounted for a quarter of all emails sent worldwide, a feat that’s never been surpassed. The infection ended up doing an estimated $50 billion in damages.

The creator and ultimate purpose of Mydoom remain mysteries today. In addition to mailing out copies of the worm, infected computers were also used as a botnet to launch DDoS attacks on the SCO Group (a company that aggressively tried to claim intellectual property rights over Linux) and Microsoft, which led many to suspect some rogue member of the open source community. But nothing specific has ever been proven. 

6. Zeus trojan (2007)

Zeus was first spotted in 2007, at the tail end of the Web 1.0 era, but it showed the way for the future of what malware could be. A Trojan that infects via phishing and drive-by downloads from infected websites, Zeus isn’t just one kind of attacker; instead, it acts as a vehicle for all sorts of malicious payloads. Its source code and operating manual leaked in 2011, which helped both security researchers and criminals who wanted to exploit its capabilities.

You’ll usually hear Zeus referred to as a “banking Trojan,” since that’s where its variants focus much of their energy. A 2014 variant, for instance, manages to interpose itself between a user and their banking website, intercepting passwords, keystrokes, and more. But Zeus goes beyond banks, with another variation slurping up Salesforce.com info.

7. Stuxnet (2010)

Stuxnet – the world’s first cyber-weapon – was a sophisticated worm that targeted industrial control systems. It was the first malware capable of causing physical damage to industrial equipment. Reports attribute the malware’s creation to a joint US and Israeli operation targeting industrial control systems used in Iran’s nuclear facilities at Natanz.

Stuxnet exploited multiple previously unknown Windows zero-day vulnerabilities to infect Windows systems before spreading across a network, scanning for programmable logic controllers (PLCs) managed through Siemens Step7 software.

The main target for the malware was covertly procured systems used by the Iranians to control high-speed uranium gas enrichment centrifuges. Once infected, these systems sped the centrifuges up and slowed them down outside of normal operating conditions, effectively thrashing delicate machinery. Stuxnet sent false feedback to the system’s controller to hide the damage it had caused.

The malware, which spread internationally beyond its intended target, starkly illustrated the vulnerability of critical infrastructure to cyber-attacks.

8. CryptoLocker ransomware (2013)

Zeus could also be used to create botnets of controlled computers held in reserve for some later sinister purpose. The controllers of one such botnet, called Gameover Zeus, infected their bots with CryptoLocker, one of the earliest prominent versions of what became known as ransomware. Ransomware encrypts many of the files on the victim’s machine and demands a payment in cryptocurrency in order to restore access.

CryptoLocker became famous for its rapid spread and its powerful asymmetric encryption that was (at the time) uniquely difficult to break. It also became famous due to something unusual in the malware world: a happy ending. In 2014, the US DoJ and peer agencies overseas managed to take control of the Gameover Zeus botnet, and restore the files of CryptoLocker victims free of charge. Unfortunately, CryptoLocker spread via good old-fashioned phishing as well, and variants are still around.

9. Emotet trojan (2014)

Emotet is another piece of malware whose functionality has shifted and changed over the years that it has remained active. In fact, Emotet is a prime example of what’s known as polymorphic malware, with its code changing slightly every time it’s accessed, the better to avoid recognition by endpoint security programs. Emotet is a Trojan that, like others on this list, primarily spreads via phishing (repeat after us: do not open unknown email attachments).

Emotet first appeared in 2014, but like Zeus, is now a modular program most often used to deliver other forms of malware, with TrickBot and Ryuk being two prominent examples. Emotet is so good at what it does that Arne Schoenbohm, head of the German Federal Office for Information Security, calls it the “king of malware.”

10. Mirai botnet (2016)

All the viruses and other malware we’ve been discussing so far have afflicted what we think of as “computers” — the PCs and laptops that we use for work and play. But in the 21st century, there are millions of devices with more computing power than anything that Creeper could have infected. These internet of things (IoT) devices are omnipresent, ignored, and often go unpatched for years.

The Mirai botnet was actually similar to some of the early malware we discussed because it exploited a previously unknown vulnerability and wreaked far more havoc than its creator intended. In this case, the malware found and took over IoT gadgets (mostly CCTV cameras) that hadn’t had their default passwords changed. Paras Jha, the college student who created the Mirai malware, intended to use the botnets he created for DoS attacks that would help settle scores in the obscure world of Minecraft server hosting, but instead he unleashed an attack that focused on a major DNS provider and cut off much of the US east coast from the internet for the better part of a day.

11. Industroyer (2016)

Industroyer is a sophisticated malware framework linked to attacks on Ukraine’s power grid. An attack using Industroyer resulted in a significant power outage affecting a fifth of Kyiv for about an hour in December 2016.

Previous malware variants, most notably Stuxnet, targeted industrial control systems, but Industroyer (or Crash Override) was the first to specifically target equipment associated with electrical distribution.

12. Petya ransomware/NotPetya wiper (2016/7)

The ransomware Trojan dubbed Petya started afflicting computers in 2016. Though it had a clever mechanism for locking down its victims’ data — it encrypts the master file table, which the OS uses to find files — it spread via conventional phishing scams and wasn’t considered particularly virulent.

It would probably be forgotten today if not for what happened the following year. A new self-reproducing worm variant emerged that used the NSA’s leaked EternalBlue and EternalRomance exploits to spread from computer to computer. Originally distributed via a backdoor in a popular Ukrainian accounting software package, the new version — dubbed NotPetya — quickly wreaked havoc across Europe. The worst part? Though NotPetya still looked like ransomware, it was a wiper designed wholly to ruin computers, as the address displayed where users could send their ransom was randomly generated and did no good. Researchers believe that Russian intelligence repurposed the more ordinary Petya malware to use as a cyberweapon against Ukraine — and so, in addition to the massive damage it caused, NotPetya earns its place on this list by illustrating the symbiotic relationship between state-sponsored and criminal hackers.

13. WannaCry (2017)

The notorious WannaCry ransomware worm affected more than 200,000 Windows computers across 150 countries when it was unleashed in May 2017. The spread of the malware resulted in substantial disruptions in critical services, including healthcare in general and the UK’s National Health Service in particular, before its spread was contained. Other victims included Telefonica in Spain, FedEx and Nissan.

WannaCry exploited a vulnerability in Microsoft’s SMBv1 network protocol using an exploit called EternalBlue, which was developed by the NSA and leaked by the hacking group Shadow Brokers. The malware spread without user interaction across systems that had not been patched against the then recently disclosed vulnerability, as well as end-of-life Windows XP machines.
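The defensive counterpart to the SMBv1 weakness described above is to confirm the protocol is off and remove it. The following is an added example, not code from the CSO article, for an elevated PowerShell session on Windows 10 or Server 2016 and later; the function names Get-Smb1Status and Disable-Smb1 are our own, while the cmdlets they call are Microsoft’s.

```powershell
# Added example (not from the article): audit and disable SMBv1, the protocol
# WannaCry's EternalBlue exploit targeted. Requires an elevated session.

function Get-Smb1Status {
    # Server-side switch: will this host still negotiate SMB1 with peers?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Optional-feature state on client SKUs; Server SKUs expose it as the
    # FS-SMB1 role feature instead, so the lookup may return nothing there.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ServerSmb1   = $server
        FeatureState = if ($feature) { $feature.State } else { 'NotApplicable' }
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. Stop the SMB server from speaking SMB1; takes effect immediately.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set EnableSMB1Protocol = false')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # 2. Remove the SMB1 components themselves so a stray GPO or installer
    #    cannot simply flip the setting back (completes after a reboot).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled' -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable optional feature SMB1Protocol')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

Get-Smb1Status          # before: ServerSmb1 True means the host is exposed
Disable-Smb1 -WhatIf    # drop -WhatIf to apply the change
Get-Smb1Status          # after: ServerSmb1 False, FeatureState Disabled
```

On Windows 7 and Server 2008 R2, which lack the SmbShare module, Microsoft’s documented equivalent is setting the SMB1 DWORD to 0 under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and rebooting; the end-of-life Windows XP hosts the article mentions have no such switch at all.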

UK security researcher Marcus Hutchins accidentally discovered a “kill switch” domain that stopped the malware spreading once he registered it.

US authorities blamed a named North Korean suspect for the attack in September 2018. North Korea denies any responsibility.

Although WannaCry caused massive disruption, its creators made little money, as little as $80,000 by some estimates, from their nefarious actions because of flaws in the malware’s design and implementation. These shortcomings included an inability to automatically verify payments or decrypt files even after payment.

14. Clop ransomware (2019)

Clop (sometimes written Cl0p) is another ransomware variant that emerged on the scene in 2019 and has grown steadily since, to the extent that it was dubbed one of the top malware threats of 2022. In addition to preventing victims from accessing their data, Clop allows the attacker to exfiltrate that data as well. McAfee has a breakdown of the technical details, including a review of ways it can bypass security software.

What makes Clop so interesting and dangerous, however, is not how it’s deployed, but by whom. It’s at the forefront of a trend called ransomware as a service, in which a professionalized group of hackers does all the work for whoever will pay them enough (or share in a percentage of the ransomware riches they extract from victims). The earlier entries in this list are from a day when the internet was for hobbyists and lone wolves; today, it seems even cybercrime is largely the province of governments and the professionals.

15. Darkside (2021)

The Darkside ransomware-as-a-service operation emerged in 2020, gaining infamy a year later with the attack on Colonial Pipeline in May 2021.

The attack led to fuel shortages across the southeastern United States. Colonial Pipeline agreed to pay the criminals who carried out the attack 75 bitcoin (around $4.4 million at the time) in return for a decryption key. Even after receiving the key it took several days to fully restore systems.