VIRUS
Attaches to a host file. Requires human action to spread. Parasitic.
WORM
Standalone. Self-propagating. Moves across networks autonomously. No host needed.
A virus needs you to open the door. A worm finds its own way in.
GENESIS
1971
Bob Thomas, a researcher at BBN Technologies, wanted to test an idea: could a program move itself from machine to machine across ARPANET? He wrote Creeper — a small program for the TENEX operating system running on DEC PDP-10 computers. It wasn't destructive. It didn't steal data. It simply displayed a message and hopped to the next node.
I'M THE CREEPER: CATCH ME IF YOU CAN!
The response was equally historic. Ray Tomlinson — the same engineer who invented email — wrote Reaper: a program that traveled ARPANET hunting Creeper instances and deleting them. The first worm. The first anti-worm. Both born in the same year.
THE NAME
1982
In 1975, John Brunner published The Shockwave Rider, a sci-fi novel featuring a "tapeworm" program that propagated through a computer network to expose government secrets. Seven years later, John Shoch and Jon Hupp at Xerox PARC borrowed the name for something real.
Their paper — "The 'Worm' Programs — Early Experience with a Distributed Computation" — described beneficial worms: programs that crawled idle Ethernet-connected Alto workstations at night, distributing computation across the network. One variant searched for idle machines. Another ran distributed diagnostics.
One night, a worm malfunctioned. It crashed every machine in the building. Shoch and Hupp had to physically walk from room to room, power-cycling workstations. The first lesson in what happens when self-replicating code loses control.
THE ACCIDENT
1988
On November 2, 1988, Robert Tappan Morris — a 23-year-old Cornell graduate student whose father happened to be the chief scientist at the NSA — released a program from an MIT computer to disguise its origin. He would later say he never intended to cause damage. The code disagreed.
ATTACK VECTORS
The fatal bug: Morris added a re-infection check — if a machine said "I'm already infected," the worm would move on. But to prevent administrators from faking the response, he coded it to re-infect anyway one in seven times. This ratio was catastrophic. Machines accumulated dozens of copies, grinding to a halt. Ten percent of the entire internet — roughly 6,000 of 60,000 connected hosts — went down.
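Why the one-in-seven rule was catastrophic, shown as an added simulation (not code from the original page and not worm code). Only the 1-in-7 ratio comes from the text; the host count, the round structure, the uniform random targeting and the name `simulate` are modelling assumptions.

```python
import random


def simulate(hosts=200, rounds=40, reinfect_one_in=7, seed=1988):
    """Abstract copy-count model of the re-infection rule; contains no worm code.

    Each round every running copy contacts one random host. A clean host
    gains one copy. An infected host answers "already infected" and the
    newcomer exits, except that one time in `reinfect_one_in` it stays anyway.
    reinfect_one_in=None models a program that always trusts the answer.
    Returns (infected_hosts, total_copies, max_copies_on_one_host).
    """
    rng = random.Random(seed)          # fixed seed so runs are repeatable
    copies = [0] * hosts
    copies[0] = 1                      # constructed start: one copy on one host
    for _ in range(rounds):
        arrivals = [0] * hosts
        for source, running in enumerate(copies):
            for _ in range(running):
                target = rng.randrange(hosts)
                if target == source:
                    continue
                if copies[target] + arrivals[target] == 0:
                    arrivals[target] += 1      # first infection of a clean host
                elif reinfect_one_in and rng.randrange(reinfect_one_in) == 0:
                    arrivals[target] += 1      # ignored the "already infected" reply
        copies = [c + a for c, a in zip(copies, arrivals)]
    infected = sum(1 for c in copies if c)
    return infected, sum(copies), max(copies)


if __name__ == "__main__":
    for label, ratio in (("always trust the reply", None), ("re-infect 1 in 7", 7)):
        infected, total, worst = simulate(reinfect_one_in=ratio)
        print(f"{label:24} hosts={infected:4} copies={total:6} worst host={worst}")
```

Once every host is infected, the trusting variant stops growing at one copy per host, while the 1-in-7 variant keeps adding about one seventh more copies every round, so the load on each machine grows without bound.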
Morris was the first person convicted under the Computer Fraud and Abuse Act. He was sentenced to three years' probation, 400 hours of community service, and a $10,050 fine. He went on to co-found Y Combinator and become a tenured professor at MIT. The incident led directly to the creation of CERT — the first computer emergency response team.
THE OUTBREAK
2000 — 2003
Onel de Guzman, a computer science student in Manila, released a VBScript worm disguised as a love letter. Subject line: "ILOVEYOU." Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs. Windows hid the .vbs extension by default. Millions clicked.
It overwrote image and music files, then mailed itself to every contact in Microsoft Outlook. Within ten days, 45 million machines were infected. Estimated damage: $5.5 — 8.7 billion. The Philippines had no cybercrime laws. De Guzman was never prosecuted.
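A mail-gateway style check for the hidden-extension trick described above, as an added example that is not part of the original page. The extension lists, the verdict names and the function `check_attachment` are illustrative assumptions, and the lists are not a complete inventory.

```python
import os

# Assumption: sample sets for illustration; a real policy would be broader.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat",
               ".cmd", ".scr", ".exe", ".com", ".pif", ".ps1"}
DECOY_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png",
              ".gif", ".mp3", ".xls", ".xlsx"}


def check_attachment(filename):
    """Return (verdict, reason) for one attachment filename.

    With "hide extensions for known file types" enabled, the user sees the
    name without its final extension. The check compares what is shown with
    what the operating system will actually run.
    """
    name = filename.strip().rstrip(". ")      # trailing dots and spaces are ignored on Windows
    stem, real_ext = os.path.splitext(name)
    real_ext = real_ext.lower()
    # Padding between the two extensions pushes the real one out of view.
    shown_ext = os.path.splitext(stem.rstrip())[1].lower()

    if real_ext in SCRIPT_EXTS and shown_ext in DECOY_EXTS:
        return "block", f"displayed as '{stem.rstrip()}' but runs as {real_ext}"
    if real_ext in SCRIPT_EXTS:
        return "quarantine", f"executable or script type {real_ext}"
    return "allow", "no executable extension"


if __name__ == "__main__":
    # Constructed sample names; the first is the attachment name quoted above.
    for sample in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "notes.txt      .vbs",
                   "setup.exe", "report.pdf", "archive.tar.gz"):
        print(f"{sample!r:34} -> {check_attachment(sample)}")
```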
Named after the Mountain Dew flavor the researchers were drinking when they discovered it. Code Red exploited a buffer overflow in Microsoft IIS, defacing websites with "Hacked by Chinese!" and launching a DDoS attack against the White House. The White House had to change its IP address. 359,000 hosts infected in under 14 hours.
The entire worm fit in a single UDP packet — 376 bytes. No payload. No files on disk. Pure memory-resident propagation exploiting a buffer overflow in Microsoft SQL Server 2000.
It doubled in size every 8.5 seconds. In three minutes it reached full scanning rate. In ten minutes: 75,000 hosts. Bank of America ATMs went dark. 911 services in Seattle failed. Continental Airlines grounded flights. It was the fastest-spreading worm in history — and it didn't even have a malicious payload. The congestion alone was the weapon.
THE WEAPON
2010
Every worm before Stuxnet was software attacking software. Stuxnet was software attacking the physical world. Discovered in June 2010 but likely deployed years earlier, it targeted one facility on Earth: the Natanz uranium enrichment plant in Iran.
UNPRECEDENTED SOPHISTICATION
It made the centrifuges oscillate between speeds that slowly destroyed them — too subtle for operators to notice, too precise to be accidental. Roughly 1,000 of Iran's 6,000 centrifuges were destroyed. The program was ~500KB, contained code to limit its own spread, and included a self-destruct date.
Widely attributed to the United States (NSA) and Israel (Unit 8200) under the codename "Olympic Games." Stuxnet proved that code could be a weapon of war. The line between software and munition disappeared.
THE RECKONING
2017
In April 2017, a group calling themselves the Shadow Brokers dumped a cache of NSA hacking tools onto the internet. Among them: EternalBlue, an exploit for a vulnerability in Windows SMBv1 that Microsoft had patched two months earlier. Most organizations hadn't updated.
WannaCry weaponized EternalBlue as a delivery mechanism for ransomware. It encrypted files and demanded $300–$600 in Bitcoin. In one day: 230,000 computers across 150 countries. The UK's National Health Service was crippled — hospitals turned away patients.
Marcus Hutchins, a 22-year-old security researcher known as MalwareTech, noticed the worm checked a specific unregistered domain before executing. He registered it for $10.69. The domain acted as a kill switch — WannaCry stopped spreading globally. Attributed to North Korea's Lazarus Group. Despite worldwide havoc, total ransom collected: ~$140,000.
Six weeks after WannaCry, something worse arrived. NotPetya also used EternalBlue, combined with Mimikatz for credential harvesting. But it entered through a supply chain attack: a poisoned update to M.E.Doc, Ukrainian tax accounting software used by virtually every business operating in Ukraine.
It looked like ransomware. It displayed a ransom note. But there was no way to decrypt. The encryption key was randomly generated and immediately discarded. NotPetya was a wiper disguised as ransomware — destruction masquerading as crime.
Attributed to Russia's GRU military intelligence, Sandworm unit. Targeted at Ukraine but escaped via multinational companies with Ukrainian offices. Total estimated damage: over $10 billion. The most destructive cyberattack in history.
[Chart: DOUBLING TIME. Time for the infected population to double. Lower is faster.]
THE ARC
In fifty years, self-replicating code evolved from a proof of concept on a government research network to a weapon capable of destroying billions of dollars in infrastructure. Each era escalated not just in technical sophistication but in intent. The code didn't change as much as the people writing it did.