A Taste of Computer Security
© Amit Singh. All Rights Reserved. Written in June 2004
Virus in Latin means poison, while in Sanskrit, the word for poison is visa.
Computer viruses today hold an extremely significant, even if negatively so, position in computing.
In his 1972 science-fiction novel When HARLIE was One, writer David Gerrold wrote about computer viruses.
The VIRUS program was actually supposed to erase itself from the first computer after reprogramming a new one. Apparently, a mutation happened at some point — possibly due to garbling during transmission, which in turn may have been caused by a faulty phone line or a premature disconnection. The mutation caused copies of the VIRUS to start appearing without the self-erase order at the end.
Gerrold further wrote that for every VACCINE program one could create, somebody else could create another VIRUS program immune to it: "Any safeguard that can be set up by one programmer can be breached or sidestepped by another."
Another early appearance of a computer virus was in a comic book. Issue #158 of "The Uncanny X-Men" (June 1982, Marvel Comics) mentions a "VIRUS program":
Kitty Pryde: NO PROBLEM. WE SIMPLY DESIGN AN OPEN-ENDED VIRUS PROGRAM TO ERASE ANY AND ALL REFERENCES TO THE X-MEN AND PLUG IT INTO A CENTRAL FEDERAL DATA BANK. FROM THERE, IT'LL INFECT THE ENTIRE SYSTEM IN NO TIME.
Carol Danvers: THERE — THE VIRUS PROGRAM IS PRIMED AND READY TO GO. ONCE I'VE PUNCHED UP THE X-MEN DATA FILE ...
The First Microcomputer Virus (circa 1982)
Real-life computer viruses were in existence in the early 1980s, with perhaps the earliest one being Elk Cloner, written for DOS 3.3 on the Apple ][ (circa 1982). Cloner infected disks, and counted the number of times an infected disk had been used. Upon every 50th use, it would cause the screen to go blank, and the following poem would appear:
Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!
There were several other viruses for Apple platforms (including the Macintosh) in the 1980s, such as Festering Hate, Scores, and a peace-loving virus that conveyed a "UNIVERSAL MESSAGE OF PEACE" to "all Macintosh users around the world" on a specific date.
Formalizing Computer Virology
Fred Cohen pioneered the formal definition and study of computer viruses, and in fact his Ph.D. dissertation was titled Computer Viruses. On November 3, 1983, Cohen thought of creating a virus as an experiment to be presented at a weekly seminar on computer security. Cohen implemented the virus on a VAX 11/750 system running Unix, sought permission to perform his experiments, and demonstrated his work at the security seminar on November 10, 1983. The virus was seeded through a program called "vd" that displayed Unix file structures graphically, but executed viral code before performing its advertised function. "vd" was introduced as a new utility program on the system bulletin board. Note that in this sense, "vd" could be termed a Trojan horse.
Cohen defined a computer virus as a program that "infects" other programs by modifying them to include a (possibly evolved) copy of itself. The infection property allows a virus to spread through a computer system or network. In doing so, the virus abuses the authorizations of users executing the infected programs. Each infected program can act as a virus, thereby growing the infection.
The First PC Virus (circa 1986)
The first virus to actually spread (in the United States, and outside of a research or academic context) was the Brain virus for the PC, initially reported at the University of Delaware in January 1986. Brain was a boot-sector virus that only infected DOS-formatted 360 K floppy disks. Although the earliest known PC virus, Brain was sophisticated enough to have stealth capabilities: it intercepted INT 13 (the BIOS interrupt for calling diskette/disk-drive functions) so as to show the original boot sector if an attempt was made to read an infected boot sector. Brain was also a unique virus in that it carried the names and whereabouts of its alleged author(s):
Welcome to the Dungeon
(c) 1986 Basit & Amjad (pvt) Ltd.
BRAIN COMPUTER SERVICES
7360 Nizam Block Allama
Phone: 430791, 443248, 280530
Beware of this VIRUS
Contact us for vaccination
Consequently, Brain was also known as the Pakistani virus. According to certain accounts, Basit and Amjad, two brothers from Lahore, wrote the virus as a tool against software piracy. The current (at the time of this writing) About Page of www.brain.net.pk apparently claims the virus as an achievement that "... had shown Americans to be the world's biggest copyright violators ...".
There are numerous differing accounts of the Brain virus and its variants, the examination of which is beyond the scope of this discussion.
In a 1988 paper titled An Abstract Theory of Computer Viruses, Leonard Adleman (the "A" in RSA, and Fred Cohen's advisor) states that for every computer program, there is an infected form of that program. He describes a computer virus as a mapping from programs to (infected) programs, and further says that each infected program on each input ("input" being all accessible information such as the user's keyboard input, the system's clock, files) causes injury (doing something other than what was intended), infection (doing what was intended, but also infecting), or imitation (doing what was intended without injury or infection). More interestingly, Adleman developed a formal (mathematical) definition of a computer virus in the paper.
As for protection against viruses, Adleman considered several mechanisms: isolation, quarantining, disinfecting, certificates, and operating system modification.
Viruses want to remain hidden, at least until they have done enough of their intended work. In order to thwart detection, they use various techniques. Historically, a standard technique to detect a virus has been to check for its signature. A typical virus might attach itself at the same logical location in an executable. Moreover, its viral code might be the same in all instances. Thus, it is possible to detect such viruses by looking for known strings, unique code sequences, etc. in suspected code.
Virus writers have developed their own mechanisms for defeating virus detection software (often called virus scanners). Polymorphic viruses, that is, those that can exist in one of many possible forms, can make things hard for scanners. Let us look at one approach.
Since signature-based detection systems depend upon a known signature (for example, a checksum) that does not change (or changes predictably), a virus may ensure that it looks different to a scanner every so often. The virus could have most of its logic, the viral core, abstracted out, and stored encrypted. There is a small piece of loader code that is externally visible as containing executable code. The loader's job is to decrypt the viral core, and load it. The viral core could generate a new key every time it runs, so that it can be re-encrypted to make even the encrypted part look different every time. It may even jettison the loader code every time, only to replace it with a new, different looking loader. Such a "new" loader could be created by changing the code structure while preserving its semantics. Consider some examples of doing so:
- Randomize the order of variables and subroutines.
- When possible, alter the order of instructions in certain instruction sequences.
- If it is not possible to rearrange instructions without modifying the control flow/semantics, rearrange anyway but maintain semantics by restoring the old control flow by using branch/jump instructions.
- Insert instructions that have a null effect on semantics (such as NOOPs).
Then again, new approaches are also used by anti-virus software to deal with such smart and complicated viruses. If signature-matching is ruled out, heuristics could be applied on the structure of the code in question. The code jugglery described above would not be used by a normal program, so there is some hope in heuristics. This might give the scanner an opportunity to look at the decrypted viral core in memory, or to observe the virus's behavior otherwise.
Another approach is to test a suspected binary by executing it within a restricted, virtualized environment, such as a sandbox.
Still, viruses keep "improving". A virus may add even more complicated code structures, such as subroutines that perform useless calculations, but otherwise appear legitimate to an onlooker. Traditionally, virus scanners have also relied upon viral code in an infected program being at a deterministic location, such as at the beginning or at the end. There are viruses that distribute their code throughout the infected program, chaining instructions together.
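To make the detection side of the preceding discussion concrete, here is a toy scanner written for this page (added example, not code from the article or from any real anti-virus product). It combines the two classic signature checks (a whole-file checksum and a byte-pattern search that covers the entire file rather than only its beginning or end) with two of the structural heuristics the text alludes to: a small low-entropy stub followed by a high-entropy body, which is what a loader plus an encrypted core looks like on disk, and a long run of null-effect NOP padding. The signature bytes, hashes and sample "binaries" are all constructed here for the example and correspond to no real malware; the entropy and run-length thresholds are illustrative assumptions, not values from the page.

```python
"""Toy signature-plus-heuristic scanner (added example; constructed data only)."""
import hashlib
import math
import random
from collections import Counter
from typing import Dict, List

# Constructed signature database. The byte pattern is invented for this example
# and is not a real malware signature; a fixed-body virus would be matched this way.
KNOWN_PATTERNS: Dict[str, bytes] = {
    "toy-fixed-virus": bytes.fromhex("eb1f5e89760831c0"),
}
# Whole-file checksums of known-bad samples (filled in from constructed data below).
KNOWN_HASHES: Dict[str, str] = {}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for encrypted or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def longest_run(data: bytes, byte: int) -> int:
    """Length of the longest consecutive run of `byte` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


def signature_scan(data: bytes) -> List[str]:
    """Checksum and byte-pattern matching. Patterns are searched over the whole
    file because viral code need not sit at a fixed location."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    hits += [f"hash:{name}" for name, h in KNOWN_HASHES.items() if h == digest]
    hits += [f"pattern:{name}" for name, pat in KNOWN_PATTERNS.items() if pat in data]
    return hits


def heuristic_scan(data: bytes, stub_len: int = 64) -> List[str]:
    """Structural heuristics that an ordinary program rarely triggers.
    Thresholds (5.0 / 7.5 bits, 16-byte run) are illustrative assumptions."""
    findings = []
    stub, body = data[:stub_len], data[stub_len:]
    if body and shannon_entropy(stub) < 5.0 and shannon_entropy(body) > 7.5:
        findings.append("low-entropy stub followed by high-entropy body (possible encrypted core)")
    if longest_run(data, 0x90) >= 16:          # 0x90 is the x86 NOP opcode
        findings.append("long run of NOP padding")
    return findings


def classify(data: bytes) -> str:
    """'known' on a signature hit, 'suspicious' on a heuristic hit, else 'clean'."""
    if signature_scan(data):
        return "known"
    if heuristic_scan(data):
        return "suspicious"
    return "clean"


# --- Constructed samples (stand-ins for real files) -----------------------------
CLEAN = b"MZ" + (b"Hello, this is an ordinary program with boring, repetitive code. " * 40)

# Known fixed-body infection: the pattern is spliced into the middle of the file,
# so a scanner that only looks at the start or end would miss it.
INFECTED_FIXED = CLEAN[:1000] + KNOWN_PATTERNS["toy-fixed-virus"] + CLEAN[1000:]
KNOWN_HASHES["toy-fixed-virus"] = hashlib.sha256(INFECTED_FIXED).hexdigest()

# Polymorphic-looking layout: a 64-byte low-entropy stub (with NOP padding) followed
# by 4096 pseudo-random bytes standing in for an encrypted core. Seeded so it is
# reproducible; the bytes carry no signature, so only the heuristics can flag it.
_rng = random.Random(2004)
_encrypted_blob = bytes(_rng.getrandbits(8) for _ in range(4096))
POLY_LIKE = b"\x55\x89\xe5" + b"\x90" * 24 + b"\x00" * 37 + _encrypted_blob


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("fixed", INFECTED_FIXED),
                          ("fixed+1byte", INFECTED_FIXED + b"\x00"), ("poly", POLY_LIKE)]:
        print(f"{label:12s} -> {classify(sample):10s} "
              f"signatures={signature_scan(sample)} heuristics={heuristic_scan(sample)}")
```

Two details are worth noting. Appending a single byte to the known infected sample defeats the checksum but not the pattern search, which is exactly why checksum-style signatures are brittle against a virus that re-encrypts itself with a fresh key every time. The polymorphic-looking sample never matches a signature at all; it is caught only because its on-disk structure (tiny plain stub, large high-entropy body, NOP padding) is something a normal program does not exhibit, which is the hope the text places in heuristics.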