
Yet more re-purposed University work. At least this is vaguely interesting, to me at least.
In October 1989, The Economist published an article entitled 'This Morning's Computer Virus', detailing the 'Datacrime' or 'Columbus Day' virus[1]. Although it was by no means the first self-replicating program, that dubious honour belonging to 'Creeper', which spread across the ARPANET in 1971[2], the article was one of the first 'mainstream' acknowledgements of the danger posed by viral attacks. This article discusses several issues. In the first section I describe how the styles and attack vectors of viral programs have changed over time, and how the people and companies working in IT security have responded to those changes; towards the end I tender some possibilities for how viral software might be used, for means both fair and foul, in the future.
Firstly, it might be a good idea to get a clear definition of the term 'virus'. The Economist, when referring to the Datacrime virus, states:
"...like any other computer virus, is a small, maliciously designed piece of software whose purpose is to damage computers or stored data."
This is not strictly true. It is too specific about the purpose of the virus, while at the same time being too vague about how the virus achieves that purpose. The Princeton WordNet gives us a slightly more useful definition[3]:
"(n) virus, computer virus (a software program capable of reproducing itself and usually capable of causing great harm to files or other programs on the same computer) 'a true virus cannot spread to another computer without human assistance'"
This is a much better definition, although I must admit I take issue with that final quote. It's important to note that we're talking only about viruses here, not other forms of malware such as spyware or Trojans, which rely on the user explicitly running the malware program itself. Much like a biological virus, a computer virus can only function by infecting a 'host'. In order to replicate it needs to be able to execute code and write to the files it infects, which means that the host is commonly an executable file (or, for the early boot-sector viruses, the boot sector of a disk). Viruses are generally divided into two types, based on what they do when executed. A non-resident virus immediately searches for and infects other potential host files before handing control back to the host application, while a resident virus installs itself in memory, lets the host program continue as normal, and then infects further files in the background as the system opens or executes them.
As previously mentioned, the first viral attack ever recorded was made by Creeper in 1971. However, the first time the term 'virus' was applied to a self-replicating program in an academic setting was on November 10th, 1983, when Fred Cohen demonstrated a virus program on a VAX 11/750 at a seminar on computer security. This was the first concrete academic acknowledgement of the concept, and in his 1984 paper Cohen credited his supervisor, Len Adleman, with coining the phrase 'computer virus'.
Viral code has been written for many different systems; indeed I believe you would be hard pressed to find an operating system for which a virus of some kind has not been created. However, the world has moved on since the time of mainframes, and the most popular machines now are IBM-compatible PCs based on the x86 architecture. The first recorded virus to target the IBM PC was 'Brain', written by Basit Farooq Alvi and his brother Amjad in 1986. It infected the boot sector of floppy disks and changed the disk's volume label to ©Brain, but did nothing else. The brothers claim that the virus was merely an experiment to find out how many people were pirating their software in Pakistan, but other motives have been proposed, for instance that the virus was simply advertising for their store[4].
The Brain virus was just the start of a cavalcade of viral programs. The very next year, in 1987, the 'Vienna' virus appeared. Vienna is notable for being the first virus to be successfully neutralised: Bernd Fix was forwarded a copy by one of its suspected authors and was able to analyse and remove it, which can be seen, in some ways, as the genesis of the modern anti-virus profession. 1987 also saw 'Lehigh', the first virus to cause direct damage to data, and the Suriv family, the first viruses able to infect .exe files as well as the .com files that were the typical hosts of the time. Most interestingly, however, 1987 also saw the foreshadowing of modern polymorphic viruses with the 'Cascade' virus. Cascade was the first virus to encrypt its own body, so that the bulk of its code looked different in every infected file; only the short decryption routine at the front stayed constant, and that routine is what scanners learned to look for.
By 1988, several dozen anti-virus companies had sprung up around the world. Most were small, two- or three-man firms who released simple scanners that searched files for unique viral byte sequences, often very cheaply or even for free. There was also a preponderance of 'immunisers', which modified programs so that a virus would think it had already infected them. While effective for a while, these quickly fell by the wayside once the growing number of viruses made immunising each file against each virus infeasible. The first forum for discussion of anti-viral software and tactics was created in April 1988, but even then many computer experts did not believe that viruses, or even the concept, existed. Probably the most famous quote showing this is from Peter Norton, whose name is on Symantec's Norton Anti-Virus:
"This is an urban myth. It is like the history of the crocodiles in the sewers of New York. All world knows of them, but nobody has seen them."
In 1989, as the Economist article describes, the Datacrime virus hit and there was no longer any question that the viral threat was real. Datacrime was destructive: it overwrote cylinder zero of the hard drive, corrupting the FAT and so losing any data on the disk. However, the hysterical media reaction vastly overplayed its impact (a theme which would become common over the next few years). Distorted descriptions of the damage the virus caused and its rate of spread turned a dangerous virus into an almost mythical super-virus, claims which were simply not borne out in reality: the virus spread far less widely than it was made out to.
However, this media frenzy did spark the creation of several of the big players in today's anti-virus market. Eugene Kaspersky had his first encounter with a variant of the Cascade virus, which spurred him into dedicating his career to anti-viral research, while products such as F-Prot and ThunderBYTE were launched. Even IBM 'declassified' its internal anti-virus program and green-lit it for commercial release.
What followed was a classical evolutionary arms race between virus writers and anti-virus professionals. As anti-virus software became more adept at tracking down viruses, viruses exploited new infection vectors and new methods of avoiding detection. 'Stealth' viruses were developed, which intercept the anti-virus program's requests to the operating system and return 'clean' versions of infected files. 'Cavity' viruses hide in unused regions of executable files, so that the file's size and appearance do not change. With the development of the Internet, passing viruses over networks became much easier, and even newer attack vectors like cross-site scripting have become possibilities[5]. Anti-virus developers have, by necessity, evolved into large, high-tech response teams, locked away in bunkers beneath the earth and following the same tight security measures as might have been found in defence research a few years ago[6].
One of the latest generations of viral attacks is the polymorphic virus. Like a typical encrypted virus, a polymorphic virus infects a host file with an encrypted copy of itself, preceded by a small decryption routine that runs first and decodes the body. Unlike the standard encrypted virus, however, a polymorphic virus also rewrites the decryption routine itself on each infection, so that no fixed byte sequence is shared between any two infected files. This defeats detection by the signature of the decryption routine, which had previously been one of the most common methods.
Polymorphic viruses can still be detected by emulation (executing the decryption routine in a sandbox until the constant body appears, then scanning that) or by statistical analysis of the encrypted body, although neither method is always effective. Even more worrying, a newer generation of metamorphic viruses rewrites its entire code on each infection rather than encrypting a constant body, so that emulation uncovers nothing fixed to match against. As viruses become ever more individual, it is becoming harder and harder to detect them by unique signatures, and the reactive model of anti-viral software is becoming less and less effective. We need some way to better prevent viral infection in the first place, or at the very least a way of changing our detection methods to match the way the viruses themselves are evolving.
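To make the encrypted / polymorphic / emulation distinction concrete, here is a small Python model I have added to this post; it is not code from the original essay or from any real virus or scanner. The 'virus body' is a harmless marker string, the 'CPU' is a three-opcode interpreter, and the file layout, opcodes, keys and signatures are all constructed for the illustration. It shows a wildcard signature catching a Cascade-style fixed decryptor across keys, the same signature failing once the stub is regenerated per infection, and an emulator recovering the constant body either way.

```python
"""Added example (not from the original post): toy model of why signature
scanning copes with an encrypted virus but not a polymorphic one, and how
emulation recovers the constant body. All inputs are constructed here."""
import random
from typing import Optional, Sequence

# Constructed stand-in for the virus body, and the signature a scanner keeps for it.
BODY = b"HELLO-I-AM-THE-VIRUS-BODY-SEARCH-AND-INFECT"
BODY_SIG: tuple = tuple(b"VIRUS-BODY")      # plain-byte signature, no wildcards

# Toy instruction set for the decryptor stub placed in front of the body (invented).
OP_NOP = (0x90, 0x91, 0x92)  # three harmless filler opcodes
OP_SETKEY = 0xA0             # operand byte follows: the XOR key
OP_DECRYPT = 0xA1            # XOR everything after this opcode with the key, then stop

# Signature for the fixed (Cascade-style) stub: SETKEY <any key> DECRYPT.
# None is a wildcard byte, as real scanner signatures allow.
DECRYPTOR_SIG: tuple = (OP_SETKEY, None, OP_DECRYPT)

Pattern = Sequence[Optional[int]]

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def make_encrypted_file(body: bytes, key: int) -> bytes:
    """Encrypted virus: the body varies with the key, the stub layout never changes."""
    if not 1 <= key <= 0x7F:   # keys < 0x80 keep the ASCII body's ciphertext free of opcodes
        raise ValueError("key must be 1..127 in this toy model")
    return bytes([OP_SETKEY, key, OP_DECRYPT]) + xor_bytes(body, key)

def make_polymorphic_file(body: bytes, rng: random.Random) -> bytes:
    """Polymorphic virus: same body, but the stub is regenerated per infection
    with a fresh key and random filler, so no fixed byte pattern survives."""
    key = rng.randint(1, 0x7F)
    def filler() -> bytes:
        return bytes(rng.choice(OP_NOP) for _ in range(rng.randint(1, 3)))
    stub = filler() + bytes([OP_SETKEY, key]) + filler() + bytes([OP_DECRYPT])
    return stub + xor_bytes(body, key)

def polymorphic_sample(seed: int) -> bytes:
    """Deterministic variant for demonstrations and tests."""
    return make_polymorphic_file(BODY, random.Random(seed))

def scan_signature(data: bytes, pattern: Pattern) -> bool:
    """Static scan: does the byte pattern (None = wildcard) occur anywhere in data?"""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return True
    return False

def emulate(data: bytes, max_steps: int = 64) -> bytes:
    """Run the toy CPU over the file; return the decrypted body once DECRYPT
    executes, or b"" if the program ends, misbehaves or exhausts its step budget."""
    pc, key = 0, None
    for _ in range(max_steps):
        if pc >= len(data):
            return b""
        op = data[pc]
        if op in OP_NOP:
            pc += 1
        elif op == OP_SETKEY and pc + 1 < len(data):
            key, pc = data[pc + 1], pc + 2
        elif op == OP_DECRYPT and key is not None:
            return xor_bytes(data[pc + 1:], key)
        else:
            return b""          # not a program this CPU understands: treat as inert
    return b""                  # step budget guards against stubs that loop forever

def emulate_and_scan(data: bytes, pattern: Pattern = BODY_SIG) -> bool:
    """Emulation-based detection: execute the decryptor, then scan the plaintext."""
    return scan_signature(emulate(data), pattern)

if __name__ == "__main__":
    enc = make_encrypted_file(BODY, 0x5A)
    print("encrypted:   body sig", scan_signature(enc, BODY_SIG),
          "| stub sig", scan_signature(enc, DECRYPTOR_SIG),
          "| emulate+scan", emulate_and_scan(enc))
    for seed in (1, 2):
        poly = polymorphic_sample(seed)
        print(f"polymorphic (seed {seed}): stub sig", scan_signature(poly, DECRYPTOR_SIG),
              "| emulate+scan", emulate_and_scan(poly))
```

The step budget in the emulator is the part practitioners tend to forget: a real polymorphic decryptor can spin in junk loops for millions of iterations precisely to exhaust the scanner's emulation time, which is one reason the post says emulation is 'not always very effective'. Note also what this model cannot do: a metamorphic virus has no constant body for emulate() to uncover, so even a perfect emulator has nothing to hand to scan_signature().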
In other areas of computer science, evolutionary computing and genetic algorithms model the same processes of inheritance, mutation, cross-over and selection that biological evolution is theorised to use, often with striking results. Models using these evolutionary techniques have produced solutions that a human designer would have been unlikely to arrive at by step-by-step reasoning, yet which outperformed the hand-built implementations they were compared against. Artificial Life researchers have used these models to find highly effective path-finding algorithms and other solutions to global optimisation problems, so why not try something of the same kind within anti-virus software, to counteract the use of genetic evolution within the virus population?
Another concept, which dates right back to the Creeper virus mentioned earlier, is that of a 'friendly' virus. Shortly after Creeper was released onto the ARPANET, an anonymous author released 'Reaper', which was also a virus. Reaper's sole purpose, however, was to eliminate any copy of Creeper it came across. In this way it mimicked an immune-system response, seeking out and eliminating viral code. In 1991, Fred Cohen wrote a piece expanding on the possibilities for these friendly viruses[7], and several other researchers have since been interested in the same idea[8].
The problem is that received wisdom among security experts states that all viruses are bad by definition. Research into these possibilities tended to be quashed in the 1980s, and even today it is not easy to get funding in this area. But with computational capabilities rapidly expanding well beyond what a human mind can comprehend, especially in terms of interconnected networks, it may be necessary to take these concepts on board. The biological immune system has evolved over time specifically to combat the same sort of threats as we are currently seeing from viruses. It might be time to take a closer look at mimicking this type of system, and to see what impact it could have on the development of anti-viral programs.
Looking at blue-sky predictions for the future, we could easily envisage a system in which roving viral code roams networks, acting in much the same manner as white blood cells. Whether this is a real possibility or merely a flight of science-fiction fancy remains to be seen, but it can be stated with certainty that the arms race between virus writers and anti-viral professionals will continue unabated for a while yet.
[1] The Economist: This Morning's Computer Virus (October 1989)
[2] http://www.viruslist.com/en/viruses/encyclopedia?chapter=153310937 - History of Malware
[3] Princeton WordNet Search: http://wordnet.princeton.edu/perl/webwn?s=computer%20virus
[4] Robert Slade
[5] Wade Alcorn: The Cross-Site Scripting Virus (27th September 2005)
[6] The Register: 'Doomsday nerds' defend cyberspace (24th March 2005)
[7] Cohen, F. "Friendly Contagion: Harnessing the Subtle Power of Computer Viruses." The Sciences Sept/Oct (1991): 22–8.
[8] Sampson, Tony. "Dr Aycock's Bad Idea: Is the Good Use of Computer Viruses Still a Bad Idea?" M/C Journal 8.1 (2005). Accessed 9 Nov. 2007.