COMPUTER VIRUSES AS A LIFE FORM
“And God saw that it was good.
And God blessed them, saying ‘Be Fruitful and multiply’.”
Genesis 1:21,22
COMPUTER VIRUSES: ARTIFICIAL LIFE, APPLICATIONS AND ISSUES.
Mayur Hemani
Shreyansh Jain
PROLOGUE
The universe of computers is ruled by the whims of a handful of elites. Liberty is scarce, creativity is restricted, and monopoly empowers those who are the pillars of this red-taped bureaucracy. In this darkness, a creature possessing mysterious powers and the soul of many a free mind is born. It is born to break free of the shackles of the dominant hypocrisy.
Some call this creature a VIRUS (Vital Information Resource under Siege), a term coined by Fred Cohen in the late 1980s. The contemporary rationalists would have probably called it a “Very-Intelligent Reproducing Undaunted System”. However, the word remained, and haunted those who planned to conquer the silicon world by means of sheer monopoly.
The very word disturbs the serenity of the heaven in which the software giants live peacefully, indifferent to the difficulties of a common computer user.
WHAT IS A VIRUS?
To a layman, a computer virus is some demon (because demons represent disease) that causes damage to computers. However, the technical definition of a computer virus is far from this. In reality, the essential feature of a computer program that causes it to be classified as a virus is not its ability to destroy data, but the ability to gain control of the system and make fully functional copies of itself. This has nothing to do with destruction.
Although it is true that most viruses that appear in the wild are meant to cause damage, the same does not go for all viruses that are created.
In fact, out of the millions of viruses that are created, only a few thousand ever make it into the open, and only about a few hundred are known to cause widespread damage.
A virus, therefore, is just another computer program with the special ability to multiply, i.e. create copies of itself. There are many viruses that do no harm to the computer, yet are dangerous in themselves. And there are yet other programs that are not viruses, but can cause a lot of damage.
ANATOMY OF A COMPUTER VIRUS
[Figure: The imaginary schematic of a computer virus]
A computer virus is a program capable of replicating on its own, i.e. creating functional copies of itself, which in turn can self-reproduce. The computer virus structure looks something like what is shown in the figure above. The diagram shows three parts of a computer virus – the payload, the replication routine, and the target-search programs.
The payload of a virus is the effect that a user feels when the virus infects his/her computer. Visible effects such as irritating messages, error messages caused by the malicious program, and the erasure or disclosure of private, valuable data are some possible payloads of a program. The payload is the malignant effect for which most viruses are actually despised. Payloads can range from simple, crazy messages and drive-cleansing programs to sophisticated spy programs capable of collecting specific information from the infected computers and sending it to specified locations on a network (such as the Internet).
The Replication Routine is the heart and soul of the computer virus. It is the program that is responsible for the replication feature of the virus. Viruses are basically programs, and so consist of a few lines of code. This code (or a part of it) is referred to as the signature of the virus, and is used for identifying different types of viruses.
The replication routine is responsible for two things – search and copy.
The tentacle-like projections in the diagram represent the target-search routine, which may or may not be a part of the replication routine.
The first problem the replication routine must solve is how to find suitable objects.
A virus is always written so as to work attached to a certain type of carrier object, such as a program file or text document created by MS Word, or a limited number of carrier object types. The replication routine must be able to locate objects of the correct type. This can be done by searching through the computer, file by file. However, this is rather inefficient and requires a great deal of computer power. A more elegant approach is for the virus to remain in memory and monitor system activity. This enables the virus to infect files when they are used. The performance impact of infecting a single file is so small that the user would not notice it. This behaviour also improves the ability of the virus to spread, as recently accessed files are more likely to be transmitted to another system.
The idea that viruses can remain in the memory of a computer is taken from a class of programs called TSR (Terminate and Stay Resident) programs. Once executed, these programs remain in memory and are activated whenever a specific event (called the trigger) occurs. A computer virus does things similarly. It latches onto particular interrupt services, and whenever these interrupts occur, they result in the execution of the viral code. This is followed by the normal routine being executed in order to cloak the presence of the virus. Thus, in a way, the virus gains control over the system and does what it wants to without getting detected in a direct way.
An example of viral activity can be shown by means of a virus called the ‘STONED’ virus. This virus belongs to a class of viruses called boot-sector viruses. The virus infected the boot sector of floppy disks (floppies were used for booting systems then). Each time the system booted, the viral code was loaded into memory, allowing it to monitor all the floppy disks used on the computer and copy itself to their boot sectors. The virus in this case, however, yields its identity by flashing a message – “Your computer is now stoned”.
Several classes of viruses exist, of which the commonest are boot-sector viruses, macro viruses, and parasitic viruses. Macro viruses affect documents that can carry instructions for their respective document processors, such as Microsoft Word documents. User-defined macros are replaced by new virus-infected versions that are executed whenever the document is accessed. Viruses may also be classified on the basis of the domain that they affect. PC-viruses and Network-viruses (WORMS) are the two main clans of viruses in this respect. The most widespread viruses are actually worms. The notorious SirCam, Nimda, Melissa etc. are worms that use Internet services such as e-mail to spread.
In the context of virus types and the focus of this paper, a special mention must be made of a rather new class of viruses called Polymorphic viruses. These are highly sophisticated viruses that possess payloads as deadly as those of common viruses, as well as a very special way of escaping detection. These viruses appear in different places in different forms (hence the name).
Polymorphic viruses change their signatures from target to target to escape detection. While even a single copy of the virus survives, the virus dwells on the computer. This is a feature that cannot be accounted for even by programs specifically written to detect and remove viruses from computer systems.
By varying the code sequences written to the file (while keeping them functionally equivalent to the original), or by generating a different, random encryption key, the virus in the altered file will not be identifiable through the use of simple byte matching. Detecting these viruses requires a more complex algorithm that, in effect, reverses the masking to determine whether the virus is present. This stealth technique makes a Polymorphic virus a dangerous adversary, and an interesting object of study.
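As an added illustration (not part of the original paper), the following Python example shows, from the scanner's side, why simple byte matching misses a signature that is masked with a different key in each copy, and how a scan that reverses the masking still finds it. It assumes the simplest case, a constant one-byte XOR mask; the marker string, function names and sample buffers are constructed for the example.

```python
# Added example (defensive): verbatim signature matching vs. a scan that
# tolerates single-byte XOR masking. All byte strings below are constructed.

SIGNATURE = b"HARMLESS-TEST-MARKER-0001"   # constructed, benign stand-in


def xor_mask(data: bytes, key: int) -> bytes:
    """Apply a constant one-byte XOR mask (used only to build test samples)."""
    return bytes(b ^ key for b in data)


def deltas(buf: bytes) -> bytes:
    """XOR of each adjacent byte pair; a constant XOR key cancels out here."""
    return bytes(x ^ y for x, y in zip(buf, buf[1:]))


def scan_plain(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Simple byte matching: hit only if the signature appears verbatim."""
    return signature in blob


def scan_masked(blob: bytes, signature: bytes = SIGNATURE):
    """Return (offset, key) if the signature is present under any one-byte
    XOR key (key 0 means unmasked), else None.

    Since (a ^ k) ^ (b ^ k) == a ^ b, the signature's delta sequence is the
    same for every key, so one search covers all 256 keys.
    """
    if len(signature) < 2:
        raise ValueError("signature must be at least 2 bytes")
    pos = deltas(blob).find(deltas(signature))
    if pos == -1:
        return None
    key = blob[pos] ^ signature[0]          # recover the mask byte
    # Reverse the masking over the window and confirm the match.
    assert xor_mask(blob[pos:pos + len(signature)], key) == signature
    return pos, key


def build_samples() -> dict:
    """Constructed buffers: 32 bytes of filler around the marker."""
    pad = bytes(range(32, 64))
    return {
        "plain": pad + SIGNATURE + pad,
        "masked_5a": pad + xor_mask(SIGNATURE, 0x5A) + pad,
        "masked_c3": pad + xor_mask(SIGNATURE, 0xC3) + pad,
        "clean": pad * 3,
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:10} plain={scan_plain(blob)!s:5} masked={scan_masked(blob)}")
```

The two masked samples differ byte for byte, so no single verbatim pattern matches both, yet the key-independent scan reports the same offset for each along with the mask byte it recovered.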
POLYMORPHISM IN VIRUSES
Computer viruses of all classes are so despised that it is hardly noticed how closely a computer virus can resemble living creatures. Viruses are associated with destructive perspectives of computing. The following is an analogy that can be drawn between a microbial organism and a computer virus.
COMPUTER VIRUS: ARTIFICIAL LIFE?
Computer viruses can actually represent a form of life that is known to mankind – microbes. These viruses bear a close resemblance to their biological counterparts.
Real creatures are born. So are viruses. Real creatures feed and reproduce, and so do computer viruses. The real ones evolve and adapt, and it is possible for computer viruses to do the same.
VIRUSES ARE BORN: -
Computer viruses, as explained, are nothing but programs of a certain kind, which have the capability of breeding copies of themselves. But it is very rare to find a virus that can actually brew formulae for altogether new viruses (Polymorphic viruses being exceptions). They have to be born in the computer world, and to be brought into existence they must be executed at least once.
It is notable that all malicious effects of a computer virus begin from its execution. So, basically a virus is nothing more than a few lines of code, inserted into some programs or documents.
VIRUSES SPAWN A NEW RACE: -
Computer viruses are initially brought into existence by human beings. However, they possess the capability of generating their copies and attaching themselves to new victims. Just like a biological virus, a computer virus can replicate itself, passing on its fingerprints to its kin. The new entity so obtained is itself capable of generating new copies, thereby spawning its race.
Unlike mammals, however, viruses do not require mating to reproduce. They have their own ‘DNA’, which allows their duplication. The part of a computer virus that enables it to replicate itself is the replication routine of the virus. Every virus must have at least this feature, so that it may create its children.
So even viruses have mums!
VIRUSES FEED: -
Computer viruses use up system resources for their own survival: important resources such as memory (a virus cocoons the memory with certain protection measures to prevent direct access to the viral code), disk space (inconspicuous), network bandwidth (in case it is made in order to slow a network down), interrupt services for its own existence, and so on. The items on the menu are too many. Some viruses are known to modify hardware configurations (the CIH virus tries to modify the Flash BIOS).
True, this is destructive. Yet, considering the fact that, very much like computer viruses, we human beings are never useful to any other species, and yet we use up resources, the viruses are perhaps better than us (at least they exist only in the computer world).
VIRUSES GROW/SPREAD: -
Computer viruses are known to spread rapidly and undetected from computer to computer, owing to the stealth and anti-detection mechanisms built into them. The only restriction on a computer virus is that it is a program and so cannot go beyond the realm of computers.
VIRUSES EVOLVE WITH GENERATIONS: -
Computer viruses of the present generation are smart; so smart that they can actually change their appearance to avoid detection. And upon being detected, some viruses cannot be removed from their hosts. Either the host program/document has to be erased, or it has to be isolated from access. This is so because the viruses that infect programs and documents attach their code in such a subtle way that it would not be possible to remove the virus without corrupting the file.
VIRUS METABOLISM: -
All computer programs use up computer resources. However, they do so for the user of the program, and not for themselves. Real organisms metabolize material into energy for their existence. The same goes for computer viruses. If a virus did not lock up certain resources of the computer it infects, its survival would be out of the question. Thus, it is possible to understand this phenomenon as a form of viral metabolism.
VIRUSES FIGHT FOR EXISTENCE: -
Some viruses are known to attack other species for acquiring the resources held by them. Some viruses show this kind of predatory behaviour. For instance, the DenZuk Virus seeks out and overwrites instances of the Brain virus if both are present on the same system. Other viruses exhibit territorial behaviour—marking their infected domain so that others of the same type will not enter and compete with the original infection. Some viruses also exhibit self-protective behaviour, including camouflage techniques.
EVOLUTION AND ADAPTATION IN A COMPUTER VIRUS
The concept of evolution and adaptation is alien to computer programs. The idea that a computer program could change with time and adapt to its changing environment is a bizarre one. But it is possible, at least in theory, to build a virus that can adapt to changes in its environment and evolve with generations.
Adaptation here means the changing of a virus’ appearance in its lifetime, in order to nullify the effects of its changing environment (typical of that caused by anti-virus software). Evolution on the other hand refers to changes inculcated in the virus program over the generations (mutations). Computer viruses of the present era are not capable of evolving and adapting. Consider, for example, the polymorphic viruses. These viruses use a very special stealth technique that involves changing the virus signature in the files that it has infected. However, this is not really an adaptive measure, as it does not have any intelligent real-time decision making involved.
Consider a new virus – one that can evolve as well as adapt autonomously. To accomplish the making of such a virus, the following things must be taken into consideration: -
- The main threats to a virus are: -
i) Anti-virus software which uses signature-scanning to detect the presence of viruses.
ii) Accidental erasure of viral code.
iii) Firewalls and other preventive software that filter data packets entering a network-node.
iv) Hostile conditions – such as inoculations.
- The virus under consideration must possess the intelligence to: -
i) Change its appearance with a change in its environment. Switching between payloads (because most viruses are detected in the first place because of their payloads) may bring about such a change.
ii) Pass on a different sequence (or encrypted sequence) of code to its successors.
iii) Span a variety of targets, not just one type.
iv) Actually disinfect hosts and copy itself to another, in order to remain hidden.
v) Pry into the system files of an operating system, and subtly change its services to suit itself.
- Following is the idea of a hypothetical virus that can both adapt and evolve, as well as do a few things that are possible for only a living thing.
i) This virus, for now, is a simple PC executable infector.
ii) It possesses the feature of polymorphism.
iii) It has a database of payload codes that it incorporates randomly in its copies.
iv) It has a powerful encryption scheme (such as one-time pads), to encrypt viral code in a polymorphic manner.
v) It has a recursive scan-engine that scans for other viral-presence, and adopts their payload functionality as its own.
vi) It can change its host (disinfecting the prior one).
vii) It recognizes itself, i.e. prevents redundant copying operations.
viii) It possesses the capability of upgrading itself, every time it is provided with an upgrade patch.
ix) It can sense a virus-detection in progress in advance. This allows it to escape being sensed by even the most powerful anti-virus software.
In theory, it is possible to make such an adaptive and evolving virus. However, common sense tells us that such a virus would be too big in size to actually reside on a system, because learning and decision-making programs involve the use of sophisticated programming techniques (such as self-teaching networks). A different approach could be to use the services of programs already present on the computer system for its own working.
Then again, it IS possible to make such a virus, on a computer (or perhaps a whole network), dedicated to this virus. But who would ‘waste’ valuable infrastructure on computer viruses? After all they are ‘useless’.
In our opinion, research in the field of computer viruses can prove to be really useful to mankind as a whole, and can find utility in several arenas.
APPLICATIONS OF COMPUTER VIRUSES: -
- Applications in military operations
A computer virus can be a powerful soldier in the modern era, because computers (and networks) are definitely going to be used in the near future in weapons and war-equipment control technology. Only a computer virus can actually penetrate the defences of a military computer system. Once in the system, the virus is mostly uncontrollable. Because of this feature of viruses, to date, most military systems are kept heavily guarded against unsolicited data transfers.
A virus can also be an expert spy. Trojans, for instance, are programs that collect valuable information from a computer and send it to a predefined computer through a network. Because viruses can outnumber the defensive measures taken by a network administrator (as in the case of network worms), they offer an entry passage for hackers, etc.
If such technology were implemented, there would be an uncontrolled, unguarded exchange of information between enemy nations. This would, in turn, cause a deterrent environment to be created, which could prevent wars.
- Applications in maintaining market parity: -
Some software companies try to play God. They prevent programs of other vendors from working properly on their platforms, integrating features for their own programs to run predictably well. If this is allowed for long, and the platform does succeed in climbing the consumer’s preference levels, the company could monopolize the entire market with their products, and there would be no laws (because we live in a truly capitalist world) against them.