In January 2011, Brain - the first PC-based malware - turned 25 years old. (It's worth noting that the first computer virus was actually a Mac virus, Elk Cloner, in 1982). Following is a brief history of the first 25 years of malware evolution.
In 1986, most viruses were found in universities and propagation was primarily via infected floppy disks. Notable malware included Brain (1986), Lehigh, Stoned, and Jerusalem (1987), the Morris worm (1988), and Michelangelo - the first headline grabber - in 1991.
By the mid-90s, businesses were equally impacted (in large part due to macro viruses) and propagation had moved to the network. Notable malware for the period included DMV - the first proof-of-concept macro virus - in 1994, Cap.A - the first high-risk macro virus - in 1997, and CIH (aka Chernobyl) - the first virus to damage hardware - in 1998.
By the latter part of the 90s, viruses had begun impacting home users as well and email propagation was ramping up. Notable malware included Melissa (the first widespread email worm) and Kak - the first and one of the very few true email viruses - both in 1999.
At the start of the new millennium, Internet and email worms were making headlines across the globe. Notables included Loveletter - the first high-profile profit-motivated malware (May 2000), the Anna Kournikova email worm (Feb 2001), the March 2001 Magistr (which, like CIH before it, also impacted hardware), the Sircam email worm in July 2001 which harvested files from the My Documents folder, the CodeRed Internet worm in August 2001, and Nimda - a Web, email and network worm - in September 2001.
In January 2004, an email worm war broke out between the authors of MyDoom, Bagle and Netsky. Ironically, this led to improved email scanning and higher adoption rates of email filtering, which eventually spelled a near demise of mass-spreading email worms.
The November 2005 discovery and disclosure of the now infamous Sony rootkit led to the eventual inclusion of rootkits in most modern-day malware. Pump & Dump and money mule job scams joined the growing numbers of Nigerian 419 scams, phishing, and lottery scams in 2006. Though not directly malware-related, such scams were a continuation of the theme of profit-motivated criminal activity launched via the Internet.
Website compromises escalated in 2007 due in large part to the discovery and disclosure of MPack, a crimeware kit used to deliver exploits via the Web. Notable compromises included the Miami Dolphins stadium site, Tomshardware.com, TheSun, MySpace, Bebo, Photobucket and The India Times websites.
By the end of 2007, SQL injection attacks had begun to ramp up, netting victim sites such as the popular cuteoverload.com and Ikea websites. By January 2008, Web attackers were employing stolen FTP credentials and leveraging weak configurations to inject iframes on tens of thousands of mom-and-pop style websites, the so-called long tail of the Web. In June 2008, the Asprox botnet facilitated automated SQL injection attacks, claiming walmart.com as one of its victims.
Advanced persistent threats emerged during this same period as attackers began segregating victim computers and delivering custom configuration files to those of highest interest. In early 2009, Gumblar - the first dual botnet - emerged. Gumblar not only dropped a backdoor on infected PCs and used it to steal FTP credentials, it used those credentials to hide a backdoor on compromised websites as well. This development was quickly adopted by other Web attackers. The result: today's website compromises no longer track back to a handful of malicious domain hosts - instead any of the thousands of compromised sites can interchangeably play the role of malware host.