🔗 Link to the Room
📚 Study Notes
The Creeper Program
Early Malware Concepts
- The idea of malicious software goes back to 1949, when John von Neumann described self-replicating programs in lectures later published as "Theory of Self-Reproducing Automata".
- He also designed the von Neumann architecture, the stored-program model in which instructions and data share the same memory and the CPU fetches both from it.
- His work is considered the first theoretical description of a computer virus, but it stayed a concept until self-replicating programs such as Creeper were actually built decades later.
The Creeper Program (1971)
- Creeper was the first real computer virus/worm, created by Bob Thomas in 1971.
- It spread between computers using ARPANET.
- Written in PDP-10 Assembly and ran on TENEX.
- Creeper didn’t cause harm—it only displayed the message: “I’m the creeper, catch me if you can!”
- Because it caused no damage, it’s not considered true malware.
- The original version deleted old copies of itself before moving on, preventing accidental overload.
Later Changes
- Ray Tomlinson modified Creeper so it copied itself without deleting old versions.
- Only 23 computers were infected, with full permission, and it was mainly for testing.
- Creeper was named after a Scooby-Doo villain.
ARPANET
- ARPANET was an early computer network that allowed remote login and file transfers.
- It led to the Network Control Program, enabling computers to communicate over a network.
- It used packet switching, where data is split into packets, sent, and reassembled— a method still used today.
❓Who re-designed the Creeper Virus?
Ray Tomlinson
❓How is data transferred through a network?
Packet Switching
❓Who created the first concept of a virus?
John von Neumann
❓What text did the Creeper program print to the screen?
I'm the Creeper, catch me if you can!
❓What does ARPANET stand for?
Advanced Research Projects Agency Network
❓Which team created the network control program?
Network Working Group
❓What is the first virus commonly known as?
Creeper
REAPER
- Reaper was created shortly after Creeper by Ray Tomlinson, the same person who later modified Creeper.
- Reaper’s job was to find and remove Creeper from infected computers and because of this, Reaper is considered the first antivirus program.
- Reaper moved between computers in a way similar to Creeper, using ARPANET.
- It was connected to RSEXEC, a project designed by Bob Thomas to allow programs to move and run on other computers.
- Creeper was originally used to demonstrate this resource-sharing ability.
- In simple terms: Reaper would move to another computer, check if Creeper was there and delete it if found.
- Reaper was a simple program that kept track of which computers it had already visited.
- Ray Tomlinson said it could easily visit all machines unless the network was disconnected.
- Like any software, there was a risk of bugs, but it was intentionally kept basic.
- Some sources call Reaper a “nematode”, meaning malware that removes other malware.
- In practice, Reaper is best described as the first antivirus software.
❓Who created Reaper?
Ray Tomlinson
❓What type of malware may Reaper be known as?
Nematode
❓What was the first ever anti-virus program known as?
Reaper
❓What was Bob Thomas' main project to develop?
A resource-sharing capability.
❓Research: What does API stand for?
Application Programming Interface
WABBIT
- Wabbit, also called Rabbit, was written in 1974 and its name comes from Elmer Fudd’s pronunciation of “rabbit” in Looney Tunes.
- The name also reflects how fast it replicates, like rabbits reproducing.
- Wabbit was an early self-replicating malicious program and it replicated so quickly that it used up all system resources, causing the computer to slow down and eventually crash.
- Because it only spread within the same machine and not across networks, it is not a worm.
- Wabbit is often considered the first truly malicious program because it caused harm; Creeper is sometimes mentioned first, but it didn't damage systems.
- Wabbit was also important for education, showing how self-replicating programs could be abused.
- Wabbit runs an infinite loop that keeps creating new processes and copies of itself, which floods the CPU and operating system resources until the system becomes unusable and crashes.
- Today, this type of attack is known as a denial-of-service (DoS) attack.
- Specifically, Wabbit is an early example of a fork bomb: every copy spawns further copies, so the process count grows exponentially until the process table or memory is exhausted. The standard defence today is a per-user process limit (for example `ulimit -u` or a cgroup pids limit), which caps how far the replication can go.
❓What is a modern day fork bomb also known as?
Denial of service attack
❓Was Rabbit one of the first malicious programs? (Y/N)
Y
❓What did the name "Wabbit" derive from?
Looney Tunes Cartoons
ANIMAL
- In 1975, John Walker wrote ANIMAL, generally considered the first Trojan program.
- ANIMAL appeared as a game that asked users questions to guess an animal they were thinking of.
- While the user played the game, a hidden subroutine called PERVADE ran in the background.
- PERVADE copied ANIMAL and itself into every directory the user had permission to access.
- This copying happened without the user’s knowledge, which is why it’s considered a Trojan.
- The term Trojan comes from the Trojan Horse in Greek mythology: just as the horse looked harmless but hid soldiers inside, a Trojan program looks safe but has a hidden purpose.
- ANIMAL was not malicious; it was carefully designed to avoid damaging files or directory structures.
- It spread across UNIVAC systems when users with shared permissions ran the game.
- ANIMAL stopped spreading after an operating system upgrade, because the upgrade changed the file status tables that PERVADE relied on to copy itself safely.
- Without safe locations to copy itself to, the program automatically stopped.
- ANIMAL originally existed in 1974 as a harmless “20 Questions” game.
- The PERVADE subroutine was added in 1975.
- When a privileged user ran ANIMAL, it copied itself into system libraries, making it available to all users.
- The program also spread when users shared tapes between systems.
❓When was PERVADE added to ANIMAL?
1975
❓Did John think this was a good idea? (Y/N)
Y
❓What computers did the program spread across?
UNIVACs
❓What type of malware is ANIMAL also known as?
A Trojan
❓Who built the wooden horse?
The Greeks
Elk Cloner
- Elk Cloner was created in 1982 by Richard Skrenta, a 15-year-old high school student.
- It was one of the first viruses to spread “in the wild”, outside labs or research systems.
- It was originally made as a practical joke.
- Elk Cloner infected Apple II systems. It spread through floppy disks.
- The virus attached itself to the boot sector of disks, making it a boot sector virus.
- The virus was hidden inside a game - on the 50th time the game was launched, the virus activated.
- Instead of the game starting, a poem about Elk Cloner appeared on the screen:
  Elk Cloner: The program with a personality
  It will get on all your disks
  It will infiltrate your chips
  Yes, it’s Cloner!
  It will stick to you like glue
  It will modify RAM too
  Send in the Cloner!
- If a computer booted from an infected floppy disk, the virus loaded into memory then it infected any new floppy disks inserted into that computer.
- Elk Cloner marked infected disks with a signature byte so it wouldn’t reinfect them.
- Elk Cloner overwrote reserved tracks on Apple DOS disks and this caused accidental damage, making it true malware rather than just a harmless prank.
Boot Sector Viruses
- Boot sector viruses infect the part of the disk that starts the computer.
- They can spread even if the computer doesn’t fully boot.
- These viruses are rare today but still important to understand (mainly seen with floppy disks).
Background:
- Skrenta came up with the idea after people stopped letting him handle their floppy disks.
- He wanted a way to modify disks without physically touching them.
- Elk Cloner took about two weeks to write in assembly language.
- Later, Skrenta learned the virus had reached computers in the US Navy.
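The signature byte Elk Cloner wrote to infected disks is an early indicator of compromise, and the boot sector it patched is the thing an integrity check would catch. The scanner below is an added example, not Elk Cloner's code or anything from the room: the Apple DOS 3.3 disk geometry (35 tracks, 16 sectors, 256 bytes) is real, but the marker location, marker value, the "boot code" bytes and the in-memory disk image are all constructed for illustration. It checks the cheap IOC first and falls back to a hash of the boot sector, which catches a variant that stops writing the marker.

```python
"""Boot-sector IOC scan over an Apple II floppy image.

Added example, not Elk Cloner's code. The DOS 3.3 disk geometry is real; the
marker location, marker value and the 'boot code' bytes are assumptions chosen
for illustration, and the disk image is constructed in memory.
"""
import hashlib

TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256        # Apple DOS 3.3 floppy geometry
BOOT_TRACK, BOOT_SECTOR = 0, 0                     # first sector the ROM loads at boot
# Assumed marker: Elk Cloner flagged disks it had already infected with a signature
# byte; the location and value used here are NOT the real ones.
MARKER_TRACK, MARKER_SECTOR, MARKER_OFFSET, MARKER_VALUE = 2, 1, 0x0F, 0xA5
# Constructed stand-in for a clean DOS 3.3 boot sector (not real boot code).
CLEAN_BOOT = b"\x01\xa5\x27\xc9\x09\xd0\x18" + b"\x00" * (SECTOR_SIZE - 7)


def sector_start(track, sector):
    """Byte offset of a sector in a raw (.dsk style) image."""
    return (track * SECTORS + sector) * SECTOR_SIZE


def clean_image():
    """Blank disk with the constructed clean boot sector in place."""
    img = bytearray(TRACKS * SECTORS * SECTOR_SIZE)
    start = sector_start(BOOT_TRACK, BOOT_SECTOR)
    img[start:start + SECTOR_SIZE] = CLEAN_BOOT
    return img


def has_marker(img):
    """The IOC check: is the infection marker byte set?"""
    return img[sector_start(MARKER_TRACK, MARKER_SECTOR) + MARKER_OFFSET] == MARKER_VALUE


def boot_hash(img):
    """SHA-256 of the boot sector, compared against a known-good allow-list."""
    start = sector_start(BOOT_TRACK, BOOT_SECTOR)
    return hashlib.sha256(bytes(img[start:start + SECTOR_SIZE])).hexdigest()


def scan(img, known_good_boot_hashes):
    """Cheap IOC first, then integrity: a variant that stops writing the marker
    still has to change the boot sector, and the hash catches that."""
    if has_marker(img):
        return "marker"
    if boot_hash(img) not in known_good_boot_hashes:
        return "boot-modified"
    return "clean"


def infected_stand_in(img, write_marker=True):
    """Constructed infected disk: boot sector patched to jump elsewhere, marker optional.
    Returns a copy; the input image is left untouched."""
    out = bytearray(img)
    start = sector_start(BOOT_TRACK, BOOT_SECTOR)
    out[start + 7:start + 10] = b"\x4c\x00\x90"     # 6502 JMP $9000 into (pretend) virus code
    if write_marker:
        out[sector_start(MARKER_TRACK, MARKER_SECTOR) + MARKER_OFFSET] = MARKER_VALUE
    return out


if __name__ == "__main__":
    clean = clean_image()
    baseline = {boot_hash(clean)}
    for name, disk in [("clean", clean),
                       ("infected", infected_stand_in(clean)),
                       ("variant, no marker", infected_stand_in(clean, write_marker=False))]:
        print(f"{name:20} -> {scan(disk, baseline)}")
```

The same two-stage idea (a cheap, specific IOC backed by an integrity baseline) is how modern endpoint tooling treats mutex names or registry markers: useful for fast triage, never sufficient on their own, because the next variant simply changes them.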
Comparison with Modern Malware Concepts:
| Method | Elk Cloner | Modern Malware Concepts | Analysis |
|---|---|---|---|
| Propagation | Spread through floppy disks | USB drives, e-mail, network shares, exploit kits | Malware needs a delivery and spread mechanism: how does it propagate? |
| Persistence | Infected the boot sector so it loaded whenever the system started | Registry run keys, scheduled tasks, services, startup folders, bootkits/UEFI implants | Executes before or every time the system starts; which persistence technique is used? |
| Memory residency | Loaded into memory and infected new disks as they were inserted | Lives in memory, injects into processes, hooks system calls, spreads from a running session | Does this sample stay memory-resident? |
| Indicator of Compromise | Wrote a signature byte to mark infected disks | Mutex names, registry keys, unique file markers, config artifacts, C2 domains | Look for IOCs (Indicators of Compromise) to detect and track infections |
| Masquerading | Hidden inside a game | Cracked software, fake installers, Office documents, browser extensions, mobile apps | Masquerading or social-engineering delivery |
| Intent vs impact | Meant as a joke, but still caused real system damage | Classification depends on behaviour and impact, not creator intent | Matters for incident response, threat classification and legal definitions |
❓Which US Military regiment caught the virus?
US Navy
❓How many lines long is the Elk Cloner poem?
7
❓When was Elk Cloner written?
1982
❓Is a boot sector virus more or less common in modern technology?
less
❓How long did it take Richard to write the program?
2 Weeks
❓Which Operating System was affected?
Apple II
The Morris Internet Worm
- Created in 1988 by Robert Tappan Morris, then a Cornell graduate student, to show security flaws in academic networks.
- Spread via a Sendmail debug-mode bug, a buffer overflow in fingerd, the trust relationships behind rsh/rexec, and weak passwords.
- Its check for hosts already infected was deliberately unreliable (it reinfected anyway about one time in seven), hence machines ran many copies at once and suffered a denial of service similar in effect to a fork bomb.
- Infected ~6,000 computers (~10% of the internet) in days.
- Morris became the first felony conviction under the 1986 Computer Fraud and Abuse Act.
- Highlighted the dangers of weak passwords and poor network security.
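The "weak passwords" bullet is worth making concrete, because the worm's password stage was not brute force: it first tried guesses derived from the account itself (no password, the username, the username doubled or reversed, words from the full-name field) and only then a small built-in word list. The audit below is an added example, not the worm's code or anything from the room. The accounts, salts and word list are constructed, and salted SHA-256 is a stand-in for the DES `crypt(3)` hashes that 1988 `/etc/passwd` files held; the technique generalises to any offline check of a password store against account-derived guesses.

```python
"""Account-derived and dictionary password guessing of the kind the Morris worm ran.

Added example, not the worm's code. The accounts, salts and word list are
constructed for this illustration, and salted SHA-256 stands in for the DES
crypt(3) hashes that 1988 /etc/passwd files held.
"""
import hashlib


def hash_pw(salt, password):
    """Stand-in for crypt(3): salted SHA-256, hex-encoded."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def account_guesses(user, gecos):
    """Guesses derived from the account itself, the worm's first and cheapest stage:
    no password, the username, the username doubled and reversed, and each word of
    the GECOS (full name) field, each tried as written and lower-cased."""
    seen = set()
    raw = ["", user, user * 2, user[::-1], user.capitalize()] + gecos.replace(",", " ").split()
    for g in raw:
        for candidate in (g, g.lower()):
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def audit(accounts, wordlist):
    """accounts: iterable of (user, gecos, salt, hash). Returns {user: guessed_password}
    for every account whose password falls to the account-derived guesses or the word list."""
    found = {}
    for user, gecos, salt, stored in accounts:
        for guess in list(account_guesses(user, gecos)) + list(wordlist):
            if hash_pw(salt, guess) == stored:
                found[user] = guess
                break
    return found


# Constructed word list, loosely modelled on the worm's small built-in dictionary.
WORDLIST = ["aaa", "academia", "cornelius", "unicorn", "wombat", "password"]

# Constructed accounts; the hashes are computed here so the example is self-contained.
ACCOUNTS = [
    ("rtm",   "Robert Morris", "3f", hash_pw("3f", "rtm")),          # password == username
    ("alice", "Alice Liddell", "k9", hash_pw("k9", "Liddell")),      # surname from GECOS
    ("bob",   "Bob Builder",   "q2", hash_pw("q2", "wombat")),       # in the word list
    ("carol", "Carol Danvers", "x7", hash_pw("x7", "9xQ!v-Tr4ck")),  # survives both stages
]

if __name__ == "__main__":
    for user, guess in audit(ACCOUNTS, WORDLIST).items():
        print(f"{user}: guessable password {guess!r}")
```

Note the order: the account-derived stage is tried before the dictionary because it is both cheaper and, as the worm's success showed, surprisingly productive. The worm also read `/usr/dict/words` as a last stage; that is omitted here but slots in as a further word list.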
❓What commands were a very big way that allowed Morris to access the computers?
Berkeley r-commands
❓Who was one of the first people prosecuted for the computer misuse act?
Robert Tappan Morris
❓What type of attack is a "Fork Bomb"?
Denial of Service
❓When was this worm released?
1988
❓How many computers did it infect within 15 hours?
2000
❓What does rsh mean?
remote shell
❓Under which act was Morris arrested for?
1986 Computer Fraud and Abuse Act
Cascade
- One of the first viruses to encrypt its own body so that most of its bytes differed from one infected file to the next; the encryption was there to defeat byte-signature scanners, not to damage data.
- Mainly infected .COM executable files on DOS systems.
- Spread when an infected file was run.
- Tried to avoid IBM computers, but a bug caused it to infect them too, which led IBM to release its own antivirus.
- Infected files became larger (about +1704 bytes).
- Virus modified the first bytes of host files (a jump into the appended virus code).
- Payload activated between October and December; it made text fall down the screen and played sounds.
- Had many variants due to small code changes and mutations.
- Known for being stealthy and widely spread for its time.
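Why encryption helps a virus evade detection, and why it is not a complete answer, is easier to see in code. The model below is an added example, not Cascade's code or anything from the room: the decryptor stub bytes, the payload text and the padding are constructed stand-ins, and the only property borrowed from Cascade is that the XOR key is derived from the infected file's length (the +1704 byte growth from the notes is used as the virus size). It shows that a signature taken from the plaintext body never matches an infected file, while the decryptor loop, which must stay in plaintext to run, is itself a stable signature, and that a scanner can reproduce the decryption before matching.

```python
"""Model of a Cascade-style encrypted virus body versus a byte-signature scanner.

Added example, not Cascade's code. The stub bytes, payload text and key derivation
are constructed stand-ins; the one property modelled from Cascade is that the
decryption loop keyed its XOR on the infected file's length.
"""

VIRUS_LEN = 1704                                   # growth of an infected .COM per the notes
# Constructed stand-in for the decryptor loop that stays in plaintext on every infection.
DECRYPTOR_STUB = b"\xfa\x8b\xec\xe8\x00\x00\x5b\x81\xeb\x31\x01\x2e\xf6\x87\x2a\x01\xfe"
PAYLOAD = b"CASCADE-MODEL: letters fall down the screen"   # constructed, never executed
PAYLOAD_SIG = b"CASCADE-MODEL"                              # what a naive scanner would look for


def xor_bytes(data, key):
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def body_key(infected_len):
    """Key derived from the infected file's length, so every host yields a different
    ciphertext. A zero key would leave the body in plaintext, so it is nudged to 1."""
    return (infected_len & 0xFF) or 0x01


def build_sample(host_len):
    """Append the modelled virus to a constructed .COM host of host_len bytes."""
    if host_len < 5:
        raise ValueError("host must hold at least the 5-byte exit stub")
    host = b"\xb8\x00\x4c\xcd\x21" + b"\x00" * (host_len - 5)   # mov ax,4C00h ; int 21h ; pad
    body = PAYLOAD + b"\x00" * (VIRUS_LEN - len(DECRYPTOR_STUB) - len(PAYLOAD))
    key = body_key(host_len + VIRUS_LEN)
    return host + DECRYPTOR_STUB + xor_bytes(body, key)


def static_match(sample, signature):
    """Naive scanner: raw byte signature over the whole file."""
    return signature in sample


def emulated_match(sample, signature):
    """Find the plaintext stub, reproduce its decryption, then match the signature."""
    i = sample.find(DECRYPTOR_STUB)
    if i < 0:
        return False
    body = xor_bytes(sample[i + len(DECRYPTOR_STUB):], body_key(len(sample)))
    return signature in body


if __name__ == "__main__":
    for host_len in (1000, 1500):
        s = build_sample(host_len)
        print(f"host {host_len:5d} -> {len(s)} bytes, key {body_key(len(s)):#04x}, "
              f"plaintext sig: {static_match(s, PAYLOAD_SIG)}, "
              f"stub sig: {static_match(s, DECRYPTOR_STUB)}, "
              f"emulated: {emulated_match(s, PAYLOAD_SIG)}")
```

The two detection options shown here are exactly the ones antivirus engines took in response: match the decryptor loop, or emulate it and match the decrypted body. Polymorphic viruses later attacked the first option by varying the decryptor itself, which is why emulation became the more durable technique.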
❓What was the name of this virus?
Cascade
❓What file extensions would this virus infect?
.COM
❓How many variants of the virus were possibly found?
40
❓What operating system would the virus run on?
DOS
❓Which Operating System/Framework would Cascade try to avoid?
IBM
❓How many bytes would be added onto your file if it got infected?
1704
Early Malware History Cheat Sheet
| Name | Year | Creator | Type / Key Feature | Spread / Infection | Impact / Notes |
|---|---|---|---|---|---|
| Creeper | 1971 | Bob Thomas | First self-replicating program | ARPANET, moved between computers | Displayed message “I’m the creeper, catch me if you can!”; harmless, deleted old copies |
| Reaper | 1972 | Ray Tomlinson | First antivirus | Followed Creeper over ARPANET, deleted it | Tracked which computers it visited; prevented damage |
| Wabbit (Rabbit) | 1974 | Unknown | First harmful self-replicating malware | Only infected local machine | Infinite loop creating processes → crash (early fork bomb) |
| ANIMAL (Trojan) | 1975 | John Walker | Trojan (masqueraded as a game) | PERVADE subroutine copied it into every directory the user could write to (system libraries when run by a privileged user); tapes shared between UNIVAC sites | Not malicious; stopped after an OS upgrade changed the file status tables it relied on |
| Elk Cloner | 1982 | Richard Skrenta | Boot sector virus | Spread via Apple II floppy disks | Displayed poem; overwrote reserved tracks → malware; first “in the wild” virus |
| Morris Worm | 1988 | Robert Tappan Morris | Worm | Exploited Sendmail, rsh/rexec, weak passwords | Infected ~6,000 computers (~10% of internet); first felony under CFAA; caused denial of service |
| Cascade | 1987 | Unknown | DOS virus, among the first to encrypt its own body | Infected .COM files (+1704 bytes) | Text falls down the screen, emits sound; stealthy; many variants; tried to avoid IBM but a bug spread it there |