kernelthread.com

A Taste of Computer Security

© Amit Singh. All Rights Reserved. Written in June 2004


Viruses

Virus in Latin means poison, while in Sanskrit, the word for poison is visa.

Computer viruses today hold an extremely significant, even if negatively so, position in computing.

Looking Back

1972

In his 1972 science-fiction novel When HARLIE was One, writer David Gerrold wrote about computer viruses.

"Do you remember the VIRUS program?"

"Vaguely. Wasn't it some kind of computer disease or malfunction?"

"Disease is closer."

...

"You have a computer with an auto-dial phone link. You put the VIRUS program in it and it starts dialing phone numbers at random until it connects to another computer with an auto-dial. The VIRUS program then injects itself into the new computer.

...

"I'll just tell you that he also wrote a second program, only this one would cost you — it was called VACCINE."

— David Gerrold
When HARLIE Was One (1972, Ballantine Books, New York)

The VIRUS program was actually supposed to erase itself from the first computer after reprogramming a new one. Apparently, a mutation happened at some point — possibly due to garbling during transmission, which in turn may have been caused by a faulty phone line or a premature disconnection. The mutation caused copies of the VIRUS to start appearing without the self-erase order at the end.

Gerrold further wrote that for every VACCINE program one could create, somebody else could create another VIRUS program immune to it: "Any safeguard that can be set up by one programmer can be breached or sidestepped by another."

Actual viruses sometimes pay tribute to various things in interesting ways. The following text string alluding to Gerrold's novel appeared in the viral code in files infected by the "Aussie Dir" virus (discovered in January 1993): "Did David Gerrold have a harley when he was one?".

1982

Another early appearance of a computer virus was in a comic book. Issue #158 of "The Uncanny X-Men" (June 1982, Marvel Comics) mentions a "VIRUS program":

Kitty Pryde: NO PROBLEM. WE SIMPLY DESIGN AN OPEN-ENDED VIRUS PROGRAM TO ERASE ANY AND ALL REFERENCES TO THE X-MEN AND PLUG IT INTO A CENTRAL FEDERAL DATA BANK. FROM THERE, IT'LL INFECT THE ENTIRE SYSTEM IN NO TIME.

...

Carol Danvers: THERE — THE VIRUS PROGRAM IS PRIMED AND READY TO GO. ONCE I'VE PUNCHED UP THE X-MEN DATA FILE ...

The First Microcomputer Virus (circa 1982)

Real-life computer viruses were in existence in the early 1980s, with perhaps the earliest one being Elk Cloner, written for DOS 3.3 on the Apple ][ (circa 1982). Cloner infected disks, and counted the number of times an infected disk had been used. Upon every 50th use, it would cause the screen to go blank, and the following poem would appear:

Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!

There were several other viruses for Apple platforms (including the Macintosh) in the 1980s, such as Festering Hate, Scores, and a peace-loving virus that conveyed a "UNIVERSAL MESSAGE OF PEACE" to "all Macintosh users around the world" on a specific date.

Formalizing Computer Virology

Fred Cohen pioneered the formal definition and study of computer viruses, and in fact his Ph.D. dissertation was titled Computer Viruses. On November 3, 1983, Cohen thought of creating a virus as an experiment to be presented at a weekly seminar on computer security. Cohen implemented the virus on a VAX 11/750 system running Unix, sought permission to perform his experiments, and demonstrated his work at the security seminar on November 10, 1983. The virus was seeded through a program called "vd" that displayed Unix file structures graphically, but executed viral code before performing its advertised function. "vd" was introduced as a new utility program on the system bulletin board. Note that in this sense, "vd" could be termed a Trojan horse.

As we saw earlier, computer viruses had existed in science fiction, and in real-life, before Cohen's experiments. To recapitulate, the earliest viruses "in the wild" were written for the Apple ][, while the earliest academic viruses were written for Unix.

Cohen defined a computer virus as a program that "infects" other programs by modifying them to include a (possibly evolved) copy of itself. The infection property allows a virus to spread through a computer system or network. In doing so, the virus abuses the authorizations of users executing the infected programs. Each infected program can act as a virus, thereby growing the infection.

While the security implications of viruses were a matter of concern, Cohen suggested beneficial, non-evil viruses, such as a compression virus that would find "uninfected" (uncompressed) executables and compress them (so as to recover disk space), if the user so desired and permitted.

The First PC Virus (circa 1986)

The first virus to actually spread (in the United States, and outside of a research or academic context) was the Brain virus for the PC, initially reported at the University of Delaware in January 1986. Brain was a boot-sector virus that only infected DOS-formatted 360 K floppy disks. Although the earliest known PC virus, Brain was sophisticated enough to have stealth capabilities: it intercepted INT 13 (the BIOS interrupt for calling diskette/disk-drive functions) so as to show the original boot sector if an attempt was made to read an infected boot sector. Brain was also a unique virus in that it carried the names and whereabouts of its alleged author(s):

Welcome to the Dungeon
(c) 1986 Basit & Amjad (pvt) Ltd.
BRAIN COMPUTER SERVICES
7360 Nizam Block Allama Iqbal Town
Lahore, Pakistan
Phone: 430791, 443248, 280530
Beware of this VIRUS
Contact us for vaccination

Consequently, Brain was also known as the Pakistani virus. According to certain accounts, Basit and Amjad, two brothers from Lahore, wrote the virus as a tool against software piracy. The current (at the time of this writing) About Page of www.brain.net.pk apparently claims the virus as an achievement that "... had shown Americans to be the world's biggest copyright violators ...".

There are numerous differing accounts of the Brain virus and its variants, the examination of which is beyond the scope of this discussion.

Abstract Virology

In a 1988 paper titled An Abstract Theory of Computer Viruses, Leonard Adleman (the "A" in RSA, and Fred Cohen's advisor) states that for every computer program, there is an infected form of that program. He describes a computer virus as a mapping from programs to (infected) programs, and further says that each infected program on each input ("input" being all accessible information such as the user's keyboard input, the system's clock, files) causes injury (doing something other than what was intended), infection (doing what was intended, but also infecting), or imitation (doing what was intended without injury or infection). More interestingly, Adleman developed a formal (mathematical) definition of a computer virus in the paper.

As for protection against viruses, Adleman considered several mechanisms: isolation, quarantining, disinfecting, certificates, and operating system modification.

Detecting Viruses

On the detection of viruses, Cohen concluded that "a program that precisely discerns a virus from any other program by examining its appearance is infeasible". Chess and White have shown relatively recently, in 2000, that it is possible to have computer viruses which no algorithm can detect.

Viruses want to remain hidden, at least until they have done enough of their intended work. In order to thwart detection, they use various techniques. Historically, a standard technique to detect a virus has been to check for its signature. A typical virus might attach itself at the same logical location in an executable. Moreover, its viral code might be the same in all instances. Thus, it is possible to detect such viruses by looking for known strings, unique code sequences, etc. in suspected code.

Virus writers have developed their own mechanisms for defeating virus detection software (often called virus scanners). Polymorphic viruses, that is, those that can exist in one of many possible forms, can make things hard for scanners. Let us look at one approach.

Viral IQ

Since signature-based detection systems depend upon a known signature (for example, a checksum) that does not change (or changes predictably), a virus may ensure that it looks different to a scanner every so often. The virus could have most of its logic, the viral core, abstracted out, and stored encrypted. There is a small piece of loader code that is externally visible as containing executable code. The loader's job is to decrypt the viral core, and load it. The viral core could generate a new key every time it runs, so that it can be re-encrypted to make even the encrypted part look different every time. It may even jettison the loader code every time, only to replace it with a new, different looking loader. Such a "new" loader could be created by changing the code structure while preserving its semantics. Consider some examples of doing so:

Then again, new approaches are also used by anti-virus software to deal with such smart and complicated viruses. If signature-matching is ruled out, heuristics could be applied on the structure of the code in question. The code jugglery described above would not be used by a normal program, so there is some hope in heuristics. This might give the scanner an opportunity to look at the decrypted viral core in memory, or to observe the virus's behavior otherwise.

Another approach is to test a suspected binary by executing it within a restricted, virtualized environment, such as a sandbox.

Still, viruses keep "improving". A virus may add even more complicated code structures, such as subroutines that perform useless calculations, but otherwise appear legitimate to an onlooker. Traditionally, virus scanners have also relied upon viral code in an infected program being at a deterministic location, such as at the beginning or at the end. There are viruses that distribute their code throughout the infected program, chaining instructions together.

Don't Let Them Leave!

Twycross and Williamson of Hewlett-Packard Labs, U.K., have proposed an approach (Virus Throttling) for combating viruses and worms that involves preventing mobile malicious code from leaving a system, instead of trying to prevent it from entering. They monitor the network behavior of a virus, and only allow a certain number of outgoing connections in a given time interval. Connections that exceed the allowed rate are not dropped, but delayed.
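A simplified model of such a throttle, added here as an illustration (this is not code from Twycross and Williamson, nor from the original page): new outgoing connections beyond a per-window limit are queued and released later rather than refused, and a process whose connections would be delayed for a long time is reported as suspect. The window size, the limit, the alert threshold, and the two connection traces are assumed values constructed for the example.

```python
from collections import deque

class ConnectionThrottle:
    """Allow at most `limit` new outgoing connections in any window of
    `interval` seconds; requests beyond that are delayed, never dropped."""

    def __init__(self, limit=1, interval=1.0):
        self.limit = limit
        self.interval = interval
        self.released = deque()  # release times of recent connections

    def admit(self, requested_at):
        """Return the time at which the connection is allowed to leave."""
        # FIFO: never release before the request, nor before the previous one.
        release = max(requested_at, self.released[-1]) if self.released else requested_at
        while True:
            # forget releases that have fallen out of the window ending at `release`
            while self.released and self.released[0] <= release - self.interval:
                self.released.popleft()
            if len(self.released) < self.limit:
                break
            # window is full: wait until its oldest release expires
            release = self.released[0] + self.interval
        self.released.append(release)
        return release

def throttle_trace(requests, limit=1, interval=1.0):
    """requests: list of (time, destination). Returns (release_times, max_delay)."""
    throttle = ConnectionThrottle(limit, interval)
    released = [throttle.admit(t) for t, _dest in requests]
    delays = [r - t for (t, _dest), r in zip(requests, released)]
    return released, max(delays)

# Constructed traces (assumptions, not measurements): a user-driven process
# and a process that tries to reach twenty new hosts at the same instant.
BENIGN = [(0.0, "mail"), (2.5, "web1"), (3.1, "web2"), (7.0, "web3")]
BURST = [(0.0, f"host{i}") for i in range(20)]

def is_suspect(requests, alert_after=5.0, limit=1, interval=1.0):
    """Assumed policy: flag the process if throttling would delay any of its
    connections by more than `alert_after` seconds."""
    _released, max_delay = throttle_trace(requests, limit, interval)
    return max_delay > alert_after

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("burst", BURST)):
        released, worst = throttle_trace(trace)
        print(f"{name}: released at {released}, worst delay {worst:.1f}s, "
              f"suspect={is_suspect(trace)}")
```

The benign trace is delayed by under half a second once, while the burst is spread over nineteen seconds, which is what makes the two distinguishable without inspecting any code.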
