Creeper: The First Worm
Hello Dear Reader, it is I, your humble admin Usagi. It’s been over two years since I started this silly blog, and I’ve not written a thing for it. So for the first real post, I thought we could go back to the beginning. Of malware. That’s what the site is about.
But prior to doing the research for this post I did not know the beginning of malware. The first piece of malware that entered my consciousness was the Michelangelo virus, which was given a tribute in the epic 1995 film Hackers, and will likely get its own post some day.
I discovered that many folks consider an early worm program called Creeper to be the first example of malware. I disagree with this assessment, and I’ll substantiate this over the course of this post. But it does demonstrate many of the capabilities we will eventually come to expect from malware. So it is not a waste of our time to examine it.
But before we get to all of that, let’s consider where, er when maybe, we are going. Creeper shows up in 1971, and it only runs on Digital Equipment Corporation (DEC) PDP-10 mainframe computers. Even more specifically, PDP-10s that are running the TENEX operating system from BBN Technologies.
There’s another software requirement to run Creeper, but we’ll get to that in a minute.
The PDP-10 that Creeper originated on was connected to the ARPAnet, a very early computer network collaboration between the Department of Defense and universities. Creeper would move itself from one mainframe to another and display the phrase “I’M THE CREEPER : CATCH ME IF YOU CAN” on the mainframe’s terminal. It is important to note that it did not copy itself to other machines: it connected to a computer over the network, sent its program code to that new machine, and removed itself from its original host.
Creeper was written by a programmer named Bob Thomas, and it was written as a proof of concept for a piece of software he was working on called RSEXEC.[1] Oddly enough, while researching this I discovered that Creeper itself is not all that interesting, except for the fact that it is considered to be the first of the first. Things that are interesting? TENEX and RSEXEC. So we’re going to talk about them in a moment.
But before we get to all of that, let’s talk about some details on Creeper that make it interesting from a malware perspective. First, it is a worm program. It spreads through network connectivity. The first version of it, written by Bob, doesn’t even persist.[1] It just moves. Later another programmer named Ray Tomlinson would craft a new version that did copy itself, so after his version of Creeper went across the ARPAnet to a new machine, there would then be two copies.[1] And of course if those two copies then sent their program code to other machines there would be four total copies. Ray was not a bad guy, and we’ll explain why later.
Unlike modern malware, which is mostly crafted by organized crime to do crime things, Creeper was non-malicious. It actually couldn’t be. In order to work it had to run within the confines of the resource sharing environment RSEXEC, which the PDP-10 operators would have to have installed on their machines.[1] Also, they were all participants in the initial proof of concept for a mobile program (no, not an app, a program that moves).
Which brings us to the first topic that isn’t exactly about the “malware”. The short, short history is that DEC produced the PDP-10s from 1966 to 1983. (One sold in 2024 for $126,000![2]) They were multiuser mainframe systems with timesharing operating systems that ran on a single CPU. Creeper would have been just one process among many running on the computer. The timesharing was all software based, just a part of the operating system’s scheduler[3].
Recently I was learning a little about how Windows structures its virtual memory, and finding out about TENEX’s implementation was what inspired a few nights of reading about TENEX outside of the context of Creeper. Now, I’ve known about virtual memory for a long time, but besides a part of one chapter in school once, I never really paid attention until I was reading about Windows’ page state and page protections. I wrongly assumed that virtual memory was a more recent solution for memory addressing. And when I say recent I mean perhaps the mid-1980s, when the personal computer really became a thing.
Virtual memory had been a thing since 1962. However, DEC didn’t feel it necessary to include it in the PDP-10. That’s where our creative friends at BBN come in. Implementing virtual memory wasn’t simply a software solution in this case. The BBN Pager, a mapping box, had to be installed between the main processor, a KA-10, and the memory bus[3]. The CPU also had to be altered: they added a system call and two new ways to access a calling memory context[3].
A thing I discovered while researching this part of the post was that by the time BBN was creating their virtual memory extension for the PDP-10, the standard of collecting bits into a standard size word (modern readers would call them bytes) had not been established as 8. The PDP-10 was a 36-bit machine. As such the memory pointers it used were 18 bits in size, unlike the 16 bits in a 32-bit machine, and those two extra bits allowed for quadruple the memory addressing: up to 256K from 64K. According to Wikipedia this is good for Lisp reasons, but I don’t know Lisp and learning it seems outside of the scope of this post.
Some more interesting “gee-whiz” information is that the KA-10 processor that Creeper ran on weighed almost a ton. Again, Wikipedia says it weighed 1,920 pounds. Now this wasn’t a silicon wafer like we probably think of a main processor. The main processor back then included a ton (literally) of mechanical infrastructure to maintain, including cooling and cabinet.
We could spend so much more time discovering the oddities of “ancient” computing within the PDP-10, but most of that is just interesting and doesn’t really contribute to a post about malware. So let’s move on to the operating environment of Creeper, RSEXEC.
RSEXEC stands for Resource Sharing Executive, and it was designed as a way for users of the ARPANET to find and use resources greater than those offered by their own computer system[4]. Initially it was intended to pool the resources and capabilities of all of the TENEX hosts on the ARPANET; they then extended it to provide this access to all hosts on the ARPANET[4]. Importantly, this allowed those without access to their own TENEX host to always have access to all capabilities of the TENEX ecosystem. If the administrators of one TENEX host locked down some portion of the system (the paper calls out access to FORTRAN, and not for security reasons like a modern reader might assume, but mostly due to storage constraints), users on the ARPANET would be able to run their FORTRAN programs on any of the other TENEX machines that did have FORTRAN enabled[4].
This resource sharing environment is what Creeper was written to demonstrate. So, it demonstrated the ability to craft a program on one computer, then send that program, and its data, to another computer for execution. In a malware context, this only demonstrates worm capabilities. But it does nothing malicious, and as such I don’t personally consider it malware. I did really enjoy reading about the community mindset of the Internet’s predecessor.
For instance, let’s go back to Ray Tomlinson. He wrote a new version of Creeper that did copy itself, which could, if left unchecked, spread exponentially. I feel like this could, maybe, be considered malicious. But he also knew you can’t just have programs running all over the network copying themselves. Even though at the time there was a grand total of 28 DEC PDP-10s running TENEX on the ARPAnet, it’s still a bad idea[1]. So he crafted Reaper, considered by many to be the first antivirus. Reaper would move through the ARPAnet and remove any copies of Creeper that it found. I still probably wouldn’t accuse even this version of Creeper of being malware itself, but rather crafted with the knowledge that its unchecked use could be wasteful.
I guess the most interesting component of this part of the story is that anti-malware software actually pre-dates software written maliciously.
1. Cunningham, Jordan Spencer. “Q&A with Ray Tomlinson on Creeper “Virus”” Nerdology, November 2014. https://nerdology.org/2014/11/qa-with-ray-tomlinson-on-creeper/
2. “DEC PDP-10 KA10 Mainframe Computer.” Christie’s, Paul G. Allen Collection — Firsts: A History of Computing. https://onlineonly.christies.com/s/firsts-history-computing-paul-g-allen-collection/dec-pdp-10-ka10-mainframe-computer-112/230050
3. Bobrow, Daniel G., et al. “TENEX, a Paged Time Sharing System for the PDP-10.” Bolt Beranek and Newman, August 1971. Via Defense Technical Information Center. https://archive.org/details/DTIC_AD0729261/mode/1up
4. Thomas, Robert H. “A Resource Sharing Executive for the ARPANET.” AFIPS ‘73: Proceedings of the National Computer Conference and Exposition, June 1973, pp. 155–163. https://dl.acm.org/doi/10.1145/1499586.1499636