In 1988 I watched the Morris worm work its way through our University computers and through the computers of most of the people I interacted with on a professional basis. The Morris worm used numerous vectors (see "The Internet Worm Program: An Analysis") and a few evasion techniques to work its way through roughly 10% of the Internet (incidentally, "decimate" refers to the killing of one-tenth of a group, so technically the Morris worm decimated the Internet).
About two years later I started playing with Robert Baldwin's SU-Kuang bundled with Dan Farmer's COPS security checker system. SU-Kuang, named after the Kuang Grade Mark Eleven penetration program in William Gibson's Neuromancer, showed how an attacker with an initial set of capabilities could, through the knowledge of the UNIX security model, acquire more and more capabilities until it could achieve some particular goal such as becoming root or having the right privileges to access or modify a certain file. I learned a lot about the UNIX security model (and how one could hack UNIX systems) from Kuang.
In 1996 a colleague, Dan Zerkle, extended the Kuang approach to an entire network (see "NetKuang - A Multi-Host Configuration Vulnerability Checker"). It was disturbingly effective. And there were a number of other systems designed to automatically find their way through systems (see our 2004 report "A Taxonomy for Comparing Attack-Graph Approaches").
In 2004 I gave a talk at the Naval Postgraduate School where I discussed how (free) computer chess games could beat the pants off most human players. Given that the muti-vector Morris worm and Kuang systems as well the original fuzz tool were developed 16 years earlier (1988 was an amazing year), I suspected "GNU-Chess of MalCode" would become the new adversaries, and they would, like their computer chess game counter parts, be more effective than almost all humans playing the game.
Well, it has been another 12 years since I predicted the "GNU-Chess of MalCode" (it is easier to predict the future than predict when the future will arrive), and with DARPA's Cyber Grand Challenge we are starting to see the beginning of such systems. The EFF was very concerned, and engadget laughed at EFF.
I believe the threat is real.
Interestingly, also in 2004 DARPA held its first self-driving car Grand Challenge. Not a single car finished. The best car only made it about 7 miles. Today cars by Google and Tesla have driven themselves millions of miles on America's roads and highways.
I have to wonder how sophisticated automated malware will be 12 years from now?