InfoWorld
SECURITY ADVISER 

Ever-evolving malware is getting nastier

New trends toward Web-site-based malware require alert, responsive monitoring and extra education


Malware evolves in trends. Yesterday’s boot virus is today’s Web server exploit program. Malware follows popularity, and it morphs to get past ubiquitous defenses. Understanding the growing trends in malware will help you plan better defenses.


A little history first: When I began fighting hackers and malware in the second half of the 1980s, Apple viruses ruled the land. I always laugh when I hear that malware can’t attack Apple PCs — for my first two years on the job, it was the only place I could find them. It’s not as if Apple’s OS X is impervious to malware today: more than 100 vulnerabilities were patched in OS X last year, and there are already over 100 this year.

When the IBM PC and DOS replaced Apple as the dominant personal computing platform, DOS boot and file viruses quickly took over. Interestingly, even though boot viruses accounted for less than 5 percent of virus types, they were responsible for more than 80 percent of the infections. There were two reasons for this. First, although there were many worldwide communication networks (FIDOnet, BBSes, and so on), they were nowhere near as popular as today’s Internet. Second, back in the day, most computer users copied each other’s pirated software by copying complete disks. Stacks of floppy disks gave boot viruses a sizable infection point.

March 1992 was the climax of boot virus awareness due to the Michelangelo virus scare. I remember the date vividly, because thanks to Michelangelo, I got into Newsweek magazine. Some people discount the Michelangelo virus as nothing but media hype, but millions of computers were infected. Even after weeks of headline warnings, hundreds of thousands of people had their computer hard drives reformatted on the day Michelangelo’s payload went off.

In 1995, macro viruses took off. Looking back, I wish macro viruses were all we had to worry about. 1999 and 2000 were the years of e-mail malware, such as Melissa and the ILOVEYOU incident. Remote-access Trojans, such as Back Orifice and NetBus, also appeared on the scene. Code Red and Nimda hit in 2001, followed by SQL Slammer and Blaster in 2003.

SQL Slammer set the bar for rapid infections by infecting nearly every vulnerable SQL server in about 10 minutes. Most people don’t remember that the vulnerability Slammer exploited had been patched six months earlier.

Up to this point, malicious infections were mostly easy to clean up: Remove the malware, replace any damaged files or data, and the damage was undone.

That all changed in 2003 with the release of worms (such as Sobig, Mydoom, Bagle, Netsky) built specifically to spread spam (as spam bots). Created because e-mail administrators were closing off all open e-mail relays, spam bots introduced professional criminals to malware in a big way. Within a few years, criminally motivated, money-stealing, identity-thieving bots made up 99 percent of all malware. Today, you don’t have to ask why you are getting infected — it's an easy answer. They are trying to take your money.

This brings us to the current state of malware. Google recently released a paper entitled "The Ghost in the Browser: Analysis of Web-based Malware." Researched for more than 12 months through May 2007 by a crack team of malware analysts, including Niels Provos of Honeyd fame, this is one of the best malware reporting papers I’ve ever read. It’s a quick read and should be studied by anyone who has to protect computers.

Roger A. Grimes is contributing editor of the InfoWorld Test Center. He also writes the Security Adviser blog and the Security Adviser column.