Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.

Szor also offers the most thorough and practical primer on virus analysis ever published, addressing everything from creating your own personal laboratory to automating the analysis process. This book's coverage includes:

Discovering how malicious code attacks on a variety of platforms
Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more
Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic
Mastering empirical methods for analyzing malicious code, and what to do with what you learn
Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines
Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more
Using worm blocking, host-based intrusion prevention, and network-level defense strategies
The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

Symantec Press Publisher: Linda McCarthy
Editor in Chief: Karen Gettman
Acquisitions Editor: Jessica Goldstein
Cover Designer: Alan Clements
Managing Editor: Gina Kanouse
Senior Project Editor: Kristy Hart
Copy Editor: Christal Andry
Indexers: Cheryl Lenser and Larry Sweazy
Compositor: Stickman Studio
Manufacturing Buyer: Dan Uhrig

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
(800) 382-3419
corpsales@pearsontechgroup.com

For sales outside the U.S., please contact:

International Sales
international@pearsoned.com

Visit us on the Web: www.awprofessional.com

Library of Congress Number: 2004114972

Copyright © 2005 Symantec Corporation

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc.
Rights and Contracts Department
One Lake Street
Upper Saddle River, NJ 07458

Text printed in the United States on recycled paper at Phoenix BookTech in Hagerstown, Maryland.

First printing, February, 2005
Dedication
to Natalia
About the Author
Peter Szor is a world renowned computer virus and security researcher. He has been actively conducting research on computer viruses for more than 15 years, and he focused on the subject of computer viruses and virus protection in his diploma work in 1991. Over the years, Peter has been fortunate to work with the best-known antivirus products, such as AVP, F-PROT, and Symantec Norton AntiVirus. Originally, he built his own antivirus program, Pasteur, from 1990 to 1995, in Hungary. Parallel to his interest in computer antivirus development, Peter also has years of experience in fault-tolerant and secured financial transaction systems development.

He was invited to join the Computer Antivirus Researchers Organization (CARO) in 1997. Peter is on the advisory board of Virus Bulletin Magazine and a founding member of the AntiVirus Emergency Discussion (AVED) network. He has been with Symantec for over five years as a chief researcher in Santa Monica, California.

Peter has authored over 70 articles and papers on the subject of computer viruses and security for magazines such as Virus Bulletin, Chip, Source, Windows NT Magazine, and Information Security Bulletin, among others. He is a frequent speaker at conferences, including Virus Bulletin, EICAR, ICSA, and RSA and has given invited talks at such security conferences as the USENIX Security Symposium. Peter is passionate about sharing his research results and educating others about computer viruses and security issues.
Who Should Read This Book
Over the last two decades, several publications appeared on the subject of computer viruses, but only a few have been written by professionals ("insiders") of computer virus research. Although many books exist that discuss the computer virus problem, they usually target a novice audience and are simply not too interesting for the technical professionals. There are only a few works that have no worries going into the technical details, necessary to understand, to effectively defend against computer viruses.

Part of the problem is that existing books have little, if any, information about the current complexity of computer viruses. For example, they lack serious technical information on fast-spreading computer worms that exploit vulnerabilities to invade target systems, or they do not discuss recent code evolution techniques such as code metamorphism. If you wanted to get all the information I have in this book, you would need to spend a lot of time reading articles and papers that are often hidden somewhere deep inside computer virus and security conference proceedings, and perhaps you would need to dig into malicious code for years to extract the relevant details.

I believe that this book is most useful for IT and security professionals who fight against computer viruses on a daily basis. Nowadays, system administrators as well as individual home users often need to deal with computer worms and other malicious programs on their networks. Unfortunately, security courses have very little training on computer virus protection, and the general public knows very little about how to analyze and defend their network from such attacks. To make things more difficult, computer virus analysis techniques have not been discussed in any existing works in sufficient length before.

I also think that, for anybody interested in information security, being aware of what the computer virus writers have "achieved" so far is an important thing to know.

For years, computer virus researchers used to be "file" or "infected object" oriented. To the contrary, security professionals were excited about suspicious events only on the network level. In addition, threats such as the CodeRed worm appeared to inject their code into the memory of vulnerable processes over the network, but did not "infect" objects on the disk. Today, it is important to understand all of these major perspectives, the file (storage), in-memory, and network views, and correlate the events using malicious code analysis techniques.

During the years, I have trained many computer virus and security analysts to effectively analyze and respond to malicious code threats. In this book, I have included information about anything that I ever had to deal with. For example, I have relevant examples of ancient threats, such as 8-bit viruses on the Commodore 64. You will see that techniques such as stealth technology appeared in the earliest computer viruses, and on a variety of platforms. Thus, you will be able to realize that current rootkits do not represent anything new! You will find sufficient coverage on 32-bit Windows worm threats with in-depth exploit discussions, as well as 64-bit viruses and "pocket monsters" on mobile devices. All along the way, my goal is to illustrate how old techniques "reincarnate" in new threats and demonstrate up-to-date attacks with just enough technical details.

I am sure that many of you are interested in joining the fight against malicious code, and perhaps, just like me, some of you will become inventors of defense techniques. All of you should, however, be aware of the pitfalls and the challenges of this field!

That is what this book is all about.

The easiest way to read this book is, well, to read it from chapter to chapter. However, some of the attack chapters have content that can be more relevant after understanding techniques presented in the defense chapters. If you feel that any of the chapters are not your taste, or are too difficult or lengthy, you can always jump to the next chapter. I am sure that everybody will find some parts of this book very difficult and other parts very simple, depending on individual experience.

I expect my readers to be familiar with technology and some level of programming. There are so many things discussed in this book that it is simply impossible to cover everything in sufficient length. However, you will know exactly what you might need to learn from elsewhere to be absolutely successful against malicious threats. To help you, I have created an extensive reference list for each chapter that leads you to the necessary background information.

Indeed, this book could easily have been over 1,000 pages. However, as you can tell, I am not Shakespeare. My knowledge of computer viruses is great, not my English. Most likely, you would have no benefit of my work if this were the other way around.
What I Do Not Cover
I do not cover Trojan horse programs or backdoors in great length. This book is primarily about self-replicating malicious code. There are plenty of great books available on regular malicious programs, but not on computer viruses.

I do not present any virus code in the book that you could directly use to build another virus. This book is not a "virus writing" class. My understanding, however, is that the bad guys already know about most of the techniques that I discuss in this book. So, the good guys need to learn more and start to think (but not act) like a real attacker to develop their defense!

Interestingly, many universities attempt to teach computer virus research courses by offering classes on writing viruses. Would it really help if a student could write a virus to infect millions of systems around the world? Will such students know more about how to develop defense better? Simply, the answer is no…

Instead, classes should focus on the analysis of existing malicious threats. There are so many threats out there waiting for somebody to understand them and do something against them.

Of course, the knowledge of computer viruses is like the "Force" in Star Wars. Depending on the user of the "Force," the knowledge can turn to good or evil. I cannot force you to stay away from the "Dark Side," but I urge you to do so.
First, I would like to thank my wife Natalia for encouraging my work for over 15 years! I also thank her for accepting the lost time on all the weekends that we could have spent together while I was working on this book.

I would like to thank everybody who made this book possible. This book grew out of a series of articles and papers on computer viruses, several of which I have co-authored with other researchers over the years. Therefore, I could never adequately thank Eric Chien, Peter Ferrie, Bruce McCorkendale, and Frederic Perriot for their excellent contributions to Chapter 7 and

A big thank you needs to go to the following people who encouraged me to write this book, educated me in the subject, and influenced my research over the years: Oliver Beke, Zoltan Hornak, Frans Veldman, Eugene Kaspersky, Istvan Farmosi, Jim Bates, Dr. Frederick Cohen, Fridrik Skulason, David Ferbrache, Dr. Klaus Brunnstein, Mikko Hypponen, Dr. Steve White, and Dr. Alan Solomon.

I owe a huge thanks to my technical reviewers: Dr. Vesselin Bontchev, Peter Ferrie, Nick FitzGerald, Halvar Flake, Mikko Hypponen, Dr. Jose Nazario, and Jason V. Miller. Your encouragements, criticisms, insights, and reviews of early handbook manuscripts were simply invaluable.

I need to thank Janos Kis and Zsolt Szoboszlay for providing me access to in-the-wild virus code for analysis, in the days when the BBS was the center of the computing universe. I also need to thank Gunter May for the greatest present that an east European kid could get: a C64.

A big thanks to everybody at Symantec, especially to Linda A. McCarthy and Vincent Weafer, who greatly encouraged me to write this book. I would also like to thank Nancy Conner and Chris Andry for their outstanding editorial work. Without their help, this project simply would never have finished. I also owe a huge thanks to Jessica Goldstein, Kristy Hart, and Christy Hackerd for helping me with the publishing process all the way.

A big thanks to all past and present members of the Computer Antivirus Researchers Organization (CARO), VFORUM, and the AntiVirus Emergency Discussion (AVED) List for all the exciting discussions on computer viruses and other malicious programs and defense systems.

I would like to thank everybody at Virus Bulletin for publishing my articles and papers internationally for almost a decade and for letting me use that material in this book.

Last but not least, I thank my teacher parents and grandparents for the extra "home education" in math, physics, music, and history.
Contact Information
If you find errors or have suggestions for clarification or material you would like to see in a future edition, I would love to hear from you. I am planning to introduce clarifications, possible corrections, and new information relevant to the content of this work on my Web site. While I think we have found most of the problems (especially in those paragraphs that were written late at night or between virus and security emergencies), I believe that no such work of this complexity and size can exist without some minor nits. Nonetheless, I made all the efforts to provide you with "trustworthy" information according to the best of my research knowledge.

Peter Szor,
Santa Monica, CA
pszor@acm.org
http://www.peterszor.com
Part I: STRATEGIES OF THE ATTACKER
Chapter 1 Introduction to the Games of Nature
Chapter 2 The Fascination of Malicious Code Analysis
Chapter 3 Malicious Code Environments
Chapter 4 Classification of Infection Strategies
Chapter 5 Classification of In-Memory Strategies
Chapter 6 Basic Self-Protection Strategies
Chapter 7 Advanced Code Evolution Techniques and Computer Virus Generator Kits
Chapter 8 Classification According to Payload
Chapter 9 Strategies of Computer Worms
Chapter 10 Exploits, Vulnerabilities, and Buffer Overflow Attacks
Chapter 1 Introduction to the Games of Nature
"To me art is a desire to communicate."
Endre Szasz

Computer virus research is a fascinating subject to many who are interested in nature, biology, or mathematics. Everyone who uses a computer will likely encounter some form of the increasingly common problem of computer viruses. In fact, some well-known computer virus researchers became interested in the field when, decades ago, their own systems were infected.

The title of Donald Knuth's book series[1], The Art of Computer Programming, suggests that anything we can explain to a computer is science, but that which we cannot currently explain to a computer is an art. Computer virus research is a rich, complex, multifaceted subject. It is about reverse engineering, developing detection, disinfection, and defense systems with optimized algorithms, so it naturally has scientific aspects; however, many of the analytical methods are an art of their own. This is why outsiders often find this relatively young field so hard to understand. Even after years of research and publications, many new analytical techniques are in the category of art and can only be learned at antivirus and security vendor companies or through the personal associations one must forge to succeed in this field.

This book attempts to provide an insider's view of this fascinating research. In the process, I hope to teach many facts that should interest both students of the art and information technology professionals. My goal is to provide an extended understanding of both the attackers and the systems built to defend against virulent, malicious programs.

Although there are many books about computer viruses, only a few have been written by people experienced enough in computer virus research to discuss the subject for a technically oriented audience.

The following sections discuss historical points in computation that are relevant to computer viruses and arrive at a practical definition of the term computer virus.
1.1 Early Models of Self-Replicating Structures
Humans create new models to represent our world from different perspectives. The idea of self-replicating systems that model self-replicating structures has been around since the Hungarian-American, Neumann János (John von Neumann), suggested it in 1948[2,3,4].

Von Neumann was a mathematician, an amazing thinker, and one of the greatest computer architects of all time. Today's computers are designed according to his original vision. Neumann's machines introduced memory for storing information and binary (versus analog) operations. According to von Neumann's brother Nicholas, "Johnny" was very impressed with Bach's "Art of the Fugue" because it was written for several voices, with the instrumentation unspecified. Nicholas von Neumann credits the Bach piece as a source for the idea of the stored-program computer[5].

In the traditional von Neumann machine, there was no basic difference between code and data. Code was differentiated from data only when the operating system transferred control and executed the information stored there.

To create a more secure computing system, we will find that system operations that better control the differentiation of data from code are essential. However, we also will see the weaknesses of such approaches.

Modern computers can simulate nature using a variety of modeling techniques. Many computer simulations of nature manifest themselves as games. Modern computer viruses are somewhat different from these traditional nature-simulation game systems, but students of computer virus research can appreciate the utility of such games for gaining an understanding of self-replicating structures.
1.1.1 John von Neumann: Theory of Self-Reproducing Automata
Replication is an essential part of life. John von Neumann was the first to provide a model to describe nature's self-reproduction with the idea of self-building automata.

In von Neumann's vision, there were three main components in a system:

A Universal Machine

A universal machine (Turing Machine) would read the memory tape and, using the information on the tape, it would be able to rebuild itself piece by piece using a universal constructor. The machine would not understand the process; it would simply follow the information (blueprint instructions) on the memory tape. The machine would only be able to select the next proper piece from the set of all the pieces by picking them one by one until the proper piece was found. When it was found, two proper pieces would be put together according to the instructions until the machine reproduced itself completely.

If the information that was necessary to rebuild another system could be found on the tape, then the automata was able to reproduce itself. The original automata would be rebuilt (Figure 1.1), and then the newly built automata was booted, which would start the same process.

Figure 1.1 The model of a self-building machine

A few years later, Stanislaw Ulam suggested to von Neumann to use the processes of cellular automation to describe this model. Instead of using "machine parts," states of cells were introduced. Because cells are operated in a robotic fashion according to rules ("code"), the cell is known as an automaton. The array of cells comprises the cellular automata (CA) computer architecture.

Von Neumann changed the original model using cells that had 29 different states in a two-dimensional, 5-cell environment. To create a self-reproducing structure, he used 200,000 cells. Neumann's model mathematically proved the possibility of self-reproducing structures: Regular non-living parts (molecules) could be combined to create self-reproducing structures (potentially living organisms).

In September 1948, von Neumann presented his vision of self-replicating automata systems. Only five years later, in 1953, Watson and Crick recognized that living organisms use the DNA molecule as a "tape" that provides the information for the reproduction system of living organisms.

Unfortunately, von Neumann could not see a proof of his work in his life, but his work was completed by Arthur Burks. Further work was accomplished by E.F. Codd in 1968. Codd simplified Neumann's model using cells that had eight states, 5-cell environments. Such simplification is the base for "self-replicating loops"[6] developed by artificial life researchers, such as Christopher G. Langton, in 1979. Such replication loops eliminate the complexity of universal machine from the system and focus on the needs of replication.

In 1980 at NASA/ASEE, Robert A. Freitas, Jr. and William B. Zachary[7] conducted research on a self-replicating, growing lunar factory. A lunar manufacturing facility (LMF) was researched, which used the theory of self-reproducing automata and existing automation technology to make a self-replicating, self-growing factory on the moon. Robert A. Freitas, Jr. and Ralph C. Merkle recently authored a book titled Kinematic Self-Replicating Machines. This book indicates a renewed scientific interest in the subject. A few years ago, Freitas introduced the term ecophagy, the theoretical consumption of the entire ecosystem by out of control, self-replicating nano-robots, and he proposed mitigation recommendations[8].

It is also interesting to note that the theme of self-replicating machines occurs repeatedly in works of science fiction, from movies such as Terminator to novels written by such authors as Neal Stephenson and William Gibson. And of course, there are many more examples from beyond the world of science fiction, as nanotech and microelectrical mechanical systems (MEMS) engineering have become real sciences.
1.1.2 Fredkin: Reproducing Structures
Several people attempted to simplify von Neumann's model. For instance, in 1961 Edward Fredkin used a specialized cellular automaton in which all the structures could reproduce themselves and replicate using simple patterns on a grid (see Figure 1.2 for a possible illustration). Fredkin's automata had the following rules[9]:

On the table, we use the same kind of tokens.
We either have a token or no token in each possible position.
Token generations will follow each other in a finite time frame.
The environment of each token will determine whether we will have a new token in the next generation.
The environment is represented by the squares above, below, to the left, and to the right of the token (using the 5-cell-based von Neumann environment).
The state of a square in the next generation will be empty when the token has an even number of tokens in its environment.
The state of a square in the next generation will be filled with a token if it has an odd number of tokens in its environment.
It is possible to change the number of states.

Figure 1.2 Generation 1, Generation 2, and… Generation 4

Using the rules described previously with this initial layout allows all structures to replicate. Although there are far more interesting layouts to explore, this example is the simplest possible model of self-reproducing cellular automata.
1.1.3 Conway: Game of Life
I n 1970, John Hor t on Conw ay10 cr eat ed one of t he m ost int er est ing cellular aut om at a syst em s.Just as t he pioneer von Neum ann did, Conw ay r esear ched t he int er act ion of sim ple elem ent sunder a com m on r ule and found t hat t his could lead t o sur pr isingly int er est ing st r uct ur es Conw aynam ed his gam e Life Life is based on t he follow ing r ules:
Ther e should be no init ial pat t er n for w hich t her e is a single pr oof t hat t he populat ion can
gr ow w it hout lim it
Ther e should be an init ial pat t er n t hat appar ent ly does gr ow w it hout lim it
Ther e should be sim ple init ial pat t er ns t hat w or k accor ding t o sim ple genet ic law : bir t h,sur vival, and deat h
Figur e 1.3 dem onst r at es a m oder n r epr esent at ion of t he or iginal Conw ay t able gam e w r it t en byEdw in Mar t in11
Figu r e 1 3 Edw in M a r t in ' s Ga m e of Life im ple m e n t a t ion on t h e M a c
u sin g " Sh oot e r " st a r t in g st r u ct u r e
Trang 17I t is especially int er est ing t o see t he com put er anim at ion as t he gam e develops w it h t he so- called
" Shoot er " st ar t ing st r uct ur e I n a few gener at ions, t w o shoot er posit ions t hat appear t o shoot t oeach ot her w ill develop on t he sides of t he t able, as show n in Figur e 1.4, and in doing so t heyappear t o pr oduce so- called glider s t hat " fly" aw ay ( see Figur e 1.5) t ow ar d t he low er - r ight cor ner
of t he t able This sequence cont inues endlessly, and new glider s ar e pr oduced
Figu r e 1 4 " Sh oot e r " in Ge n e r a t ion 3 5 5
Trang 18Figu r e 1 5 Th e glide r m ov e s a r ou n d w it h ou t ch a n gin g sh a pe
On a two-dimensional table, each cell has two potential states: S=1 if there is one token in the cell, or S=0 if there is no token. Each cell will live according to the rules governed by the cell's environment (see Figure 1.6).

Figure 1.6 The 9-cell-based Moore environment

The following characteristics/rules define Conway's game, Life:

Birth: If an empty cell has three (K=3) other filled cells in its environment, that particular cell will be filled in a new generation.

Survival: If a filled cell has two or three (K=2 or K=3) other filled cells in its environment, that particular cell will survive in the new generation.

Death: If a filled cell has only one or no other filled cells (K=1 or K=0) in its environment, that particular cell will die because of isolation. Further, if a cell has too many filled cells in its environment, four, five, six, seven, or eight (K=4, 5, 6, 7, or 8), that particular cell will also die in the next generation due to overpopulation.
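The three rules above, as an added example that is not code from the book: a small Game of Life on the nine-cell Moore environment of Figure 1.6, used to check that the glider of Figure 1.5 really does move without changing shape. The finite wrap-around grid and its 8x8 size are assumptions made here for the demo.

```python
# Conway's Life on the 9-cell Moore environment: birth at K=3, survival at
# K=2 or 3, death by isolation (K<2) or overpopulation (K>3).
# Added example, not code from the book. The grid is a finite torus (edges
# wrap around), an assumption made here so the example stays small.
from typing import FrozenSet, Tuple

Cell = Tuple[int, int]
Pattern = FrozenSet[Cell]

# The eight neighbour offsets of the Moore environment (Figure 1.6).
MOORE = [(dr, dc) for dr in (-1, 0, 1) for dc in (-1, 0, 1) if (dr, dc) != (0, 0)]


def moore_counts(live: Pattern, rows: int, cols: int) -> dict:
    """K (number of filled neighbours) for every cell that has at least one."""
    counts: dict = {}
    for r, c in live:
        for dr, dc in MOORE:
            n = ((r + dr) % rows, (c + dc) % cols)
            counts[n] = counts.get(n, 0) + 1
    return counts


def step(live: Pattern, rows: int, cols: int) -> Pattern:
    """One generation; cells absent from the returned set are dead (S=0)."""
    counts = moore_counts(live, rows, cols)
    survivors = {cell for cell in live if counts.get(cell, 0) in (2, 3)}
    births = {cell for cell, k in counts.items() if k == 3 and cell not in live}
    return frozenset(survivors | births)


def run(live: Pattern, rows: int, cols: int, generations: int) -> Pattern:
    for _ in range(generations):
        live = step(live, rows, cols)
    return live


def shift(pattern: Pattern, dr: int, dc: int, rows: int, cols: int) -> Pattern:
    return frozenset(((r + dr) % rows, (c + dc) % cols) for r, c in pattern)


def render(live: Pattern, rows: int, cols: int) -> str:
    return "\n".join(
        "".join("#" if (r, c) in live else "." for c in range(cols)) for r in range(rows)
    )


# Constructed starting structures: the glider of Figure 1.5 and a 2x2 block,
# the simplest still life (a pattern that never changes).
GLIDER: Pattern = frozenset({(0, 1), (1, 2), (2, 0), (2, 1), (2, 2)})
BLOCK: Pattern = frozenset({(1, 1), (1, 2), (2, 1), (2, 2)})


def glider_displacement(generations: int = 4, rows: int = 8, cols: int = 8):
    """(dr, dc) if the glider after N generations is a pure translation of itself, else None."""
    after = run(GLIDER, rows, cols, generations)
    for dr in range(rows):
        for dc in range(cols):
            if shift(GLIDER, dr, dc, rows, cols) == after:
                return (dr, dc)
    return None


if __name__ == "__main__":
    live = GLIDER
    for gen in range(5):
        print(f"generation {gen}\n{render(live, 8, 8)}\n")
        live = step(live, 8, 8)
    print("glider displacement after 4 generations:", glider_displacement())
```

Running the block prints five generations and reports that after four of them the glider is the same shape moved one row down and one column to the right, which is the "flies toward the lower-right corner" behaviour described above.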
Conway originally believed that there were no self-replicating structures in Life. He even offered $50 to anyone who could create a starting structure that would lead to self-replication. One such structure was quickly found using computers at the artificial intelligence group of the Massachusetts Institute of Technology (MIT).

MIT students found a structure that was later nicknamed a glider. When 13 gliders meet, they create a pulsing structure. Later, in the 100th generation, the pulsing structure suddenly "gives birth" to new gliders, which quickly "fly" away. After this point, in each 30th subsequent generation, there will be a new glider on the table that flies away. This sequence continues endlessly. This setup is very similar to the "Shooter" structure shown in Figures 1.3 and 1.4.

Games with Computers, written by Antal Csakany and Ferenc Vajda in 1980, contains examples of competitive games. The authors described a table game with rules similar to those of Life. The table game uses cabbage, rabbits, and foxes to demonstrate struggles in nature. An initial cell is filled with cabbage as food for the rabbits, which become food for the foxes according to predefined rules. Then the rules control and balance the population of rabbits and foxes.
It is interesting to think about computers, computer viruses, and antiviral programs in terms of this model. Without computers (in particular, an operating system or BIOS of some sort), computer viruses are unable to replicate. Computer viruses infect new computer systems, and as they replicate, the viruses can be thought of as prey for antivirus programs.

In some situations, computer viruses fight back. These are called retro viruses. In such a situation, the antiviral application can be thought to "die." When an antiviral program stops an instance of a virus, the virus can be thought to "die." In some cases, the PC will "die" immediately as the virus infects it.

For example, if the virus indiscriminately deletes key operating system files, the system will crash, and the virus can be said to have "killed" its host. If this process happens too quickly, the virus might kill the host before having the opportunity to replicate to other systems. When we imagine millions of computers as a table game of this form, it is fascinating to see how computer virus and antiviral population models parallel those of the cabbage, rabbits, and foxes simulation game.

Rules, side effects, mutations, replication techniques, and degrees of virulence dictate the balance of such programs in a never-ending fight. At the same time, a "co-evolution"[12] exists between computer viruses and antivirus programs. As antivirus systems have become more sophisticated, so have computer viruses. This tendency has continued over the more than 30-year history of computer viruses.

Using models along these lines, we can see how the virus population varies according to the number of computers compatible with them. When it comes to computer viruses and antiviral programs, multiple parallel games occur side by side. Viruses within an environment that consists of a large number of compatible computers will be more virulent; that is, they will spread more rapidly to many more computers. A large number of similar PCs with compatible operating systems create a homogeneous environment, fertile ground for virulence (sound familiar?). With smaller game boards representing a smaller number of compatible computers, we will obviously see smaller outbreaks, along with relatively small virus populations.

This sort of modeling clearly explains why we find major computer virus infections on operating systems such as Windows, which represents about 95% of the current PC population around us on a huge "grid." Of course, this is not to say that 5% of computer systems are not enough to cause a global epidemic of some sort.
Note

If you are fascinated by self-replicating, self-repairing, and evolving structures, visit the BioWall project, http://lslwww.epfl.ch/biowall/index.html
1.1.4 Core War: The Fighting Programs

Around 1966, Robert Morris, Sr., the future National Security Agency (NSA) chief scientist, decided to create a new game environment with two of his friends, Victor Vyssotsky and Dennis Ritchie, who coded the game and called it Darwin. (Morris, Jr. was the first infamous worm writer in the history of computer viruses. His mark on computer virus history will be discussed later in

Note

I use the term hacker in its original, positive sense. I also believe that all good virus researchers are hackers in the traditional sense. I consider myself a hacker, too, but fundamentally different from malicious hackers who break into other people's computers.

The game is called Core War because the objective of the game is to kill your opponent's programs by overwriting them. The original game is played between two assembly programs written in the Redcode language. The Redcode programs run in the core of a simulated (that is, "virtual") machine named Memory Array Redcode Simulator (MARS). The actual fight between the warrior programs was referred to as Core Wars.
The original instruction set of Redcode consists of 10 simple instructions that allow movement of information from one memory location to another, which provides great flexibility in creating tricky warrior programs. Dewdney wrote several "Computer Recreations" articles in Scientific American[13,14] that discussed Core War, beginning with the May 1984 article. Figure 1.7 is a screen shot of a Core War implementation called PMARSV, written by Albert Ma, Na'ndor Sieben, Stefan Strack, and Mintardjo Wangsaw. It is interesting to watch as the little warriors fight each other within the MARS environment.

Figure 1.7 Core Wars warrior programs (Dwarf and MICE) in battle

As programs fight in the annual tournaments, certain warriors might become the King of the Hill (KotH). These are the Redcode programs that outperform their competitors.

The warrior program named MICE won the first tournament. Its author, Chip Wendell, received a trophy that incorporated a core-memory board from an early CDC 6600 computer[14].
The simplest Redcode program consists of only one MOV instruction: MOV 0,1 (in the traditional syntax). This program is named IMP. It causes the contents at relative address 0 (namely, the MOV, or move, instruction itself) to be transferred to relative address 1, just one address ahead of itself. After the instruction is copied to the new location, control is given to that address, executing the instruction, which, in turn, makes a new copy of itself at a higher address, and so on. This happens naturally, as instructions are executed at successively higher addresses: the instruction counter is incremented after each executed instruction.

The basic core consisted of two warrior programs and 8,000 cells for instructions. Newer revisions of the game can run multiple warriors at the same time. Warrior programs are limited to a specific starting size, normally 100 instructions. Each program has a finite number of iterations; by default, this number is 80,000.

The original version of Redcode supported 10 instructions. Later revisions contain more. For example, the following 14 instructions are used in the 1994 revision, shown in Listing 1.1.

Listing 1.1 Core War Instructions in the 1994 Revision

    JMZ    jump if zero
    JMN    jump if not zero
    DJN    decrement, jump if not zero
    CMP    compare
    SLT    skip if less than
    SPL    split execution
Let's take a look at Dewdney's Dwarf tutorial (see Listing 1.2).

Listing 1.2 Dwarf Bombing Warrior Program

    ;name Dwarf
    ;author A. K. Dewdney
    ;version 94.1
    ;date April 29, 1993
    ;strategy Bombs every fourth instruction
    ORG 1            ; Indicates execution begins with the second
                     ; instruction (ORG is not actually loaded, and is
                     ; therefore not counted as an instruction)
    DAT.F  #0, #0    ; Pointer to target instruction
    ADD.AB #4, $-1   ; Increments pointer by 4.
    MOV.AB #0, @-2   ; Bombs target instruction
    JMP.A  $-2, #0   ; Loops back two instructions
Dwarf follows a so-called bombing strategy. The first few lines are comments indicating the name of the warrior program and its Redcode 1994 standard. Dwarf attempts to destroy its opponents by "dropping" DAT bombs into their operation paths. Because any warrior process that attempts to execute a DAT statement dies in the MARS, Dwarf will be a likely winner when it hits its opponents.

The MOV instruction is used to move information into MARS cells. (The IMP warrior explains this very clearly.) The general format of a Redcode command is of the form Opcode A, B. In the command MOV.AB #0, @-2, the A operand, #0, is immediate: the source is the MOV instruction itself, and the value it supplies is that instruction's own A field, 0. The .AB modifier says that the A field of the source is written into the B field of the destination. So where does B point to?

The B field, -2, refers to the DAT.F #0, #0 statement two cells back. Ordinarily, this would mean that the bomb would be put on top of this statement, but the @ symbol makes this an indirect pointer. In effect, the @ symbol says to use the contents of the location to which the B field points, here the DAT's own B field, as a new pointer (destination), counted from the DAT. Initially that B field holds 0, so the destination would be location 0, where the DAT.F instruction itself is placed.

The first instruction to execute before the MOV, however, is an ADD instruction. When this ADD.AB #4, $-1 is executed, the DAT's B field, the offset, is incremented by four each time: the first time, it is changed from 0 to 4, the next time from 4 to 8, and so on.

This is why, when the MOV command drops a bomb, it lands four lines (locations) above the DAT statement (see Listing 1.3), then eight, then twelve, and so on through the core.

Listing 1.3 Dwarf's Code When the First Bomb Is Dropped

Once the pointer has wrapped around the core, Dwarf begins to bomb over its own bombs, until the end of 80,000 cycles/iterations or until another warrior acts upon it. At any time, another warrior program might easily kill Dwarf because Dwarf stays at a constant location so that it can avoid hitting itself with friendly fire. But in doing so, it exposes itself to attackers.

One detail worth checking before relying on this listing: under the ICWS '94 modifier rules, MOV.AB transfers a single field, so what lands in the target cell is a 0 in its B field, and the target's opcode is left as it was. An empty core cell is already a DAT, so a bombed empty cell stays deadly, but a live enemy instruction that is hit has its B field corrupted rather than being replaced by a DAT. Dwarf variants that drop a complete DAT instruction use MOV.I with the DAT cell itself as the source.
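A minimal simulator covering the IMP and Dwarf listings above, added here as an example that is not part of the book and is not pMARS: it implements only the ICWS '94 pieces these two warriors need (DAT, MOV, ADD and JMP; the seven modifiers; the #, $ and @ addressing modes) and records where every MOV writes, so the "every fourth cell" bombing and the IMP's crawl can be checked, and a Dwarf-versus-IMP round played out. Core size, load addresses and the round-robin order in which warriors take turns are choices made here.

```python
# Minimal MARS for the IMP and Dwarf listings above: ICWS '94 opcodes DAT, MOV,
# ADD and JMP, modifiers .A .B .AB .BA .F .X .I, addressing modes # (immediate),
# $ (direct) and @ (B-indirect). Added example, not the book's code and not
# pMARS; core size, load addresses and warrior turn order are assumptions.
import re
from dataclasses import dataclass, replace


@dataclass
class Instr:
    op: str
    mod: str
    amode: str
    a: int
    bmode: str
    b: int


EMPTY = Instr("DAT", "F", "#", 0, "#", 0)  # every unused core cell is a DAT
LINE = re.compile(r"^(DAT|MOV|ADD|JMP)(?:\.(AB|BA|A|B|F|X|I))?\s+([#$@])?(-?\d+)\s*,\s*([#$@])?(-?\d+)$")
# (source field, destination field) pairs touched by each modifier
FIELDS = {"A": [("a", "a")], "B": [("b", "b")], "AB": [("a", "b")], "BA": [("b", "a")],
          "F": [("a", "a"), ("b", "b")], "X": [("a", "b"), ("b", "a")], "I": [("a", "a"), ("b", "b")]}


def parse(source):
    """Redcode text -> (instructions, ORG offset); ';' comments allowed, labels are not."""
    code, org = [], 0
    for raw in source.splitlines():
        line = raw.split(";", 1)[0].strip().upper()
        if line.startswith("ORG"):
            org = int(line.split()[1])
        elif line:
            m = LINE.match(line)
            if not m:
                raise ValueError("unsupported Redcode line: " + raw)
            op, mod, am, a, bm, b = m.groups()
            am, bm = am or "$", bm or "$"
            # ICWS '94 default modifiers, reduced to the opcodes supported here
            mod = mod or ("F" if op == "DAT" else "B" if op == "JMP" else
                          "AB" if am == "#" else "I" if op == "MOV" else "F")
            code.append(Instr(op, mod, am, int(a), bm, int(b)))
    return code, org


def resolve(core, pc, mode, value):
    """Absolute address that an operand of the cell at pc refers to."""
    n = len(core)
    if mode == "#":
        ptr = 0                                 # immediate: the instruction itself
    elif mode == "$":
        ptr = value                             # direct
    else:
        ptr = value + core[(pc + value) % n].b  # @: the pointed-to cell's B field is the pointer
    return (pc + ptr) % n


def execute(core, pc, moves):
    """Run the cell at pc; return the next pc, or None if the process died on a DAT."""
    n, ins = len(core), core[pc]
    sa = resolve(core, pc, ins.amode, ins.a)
    src = replace(core[sa])                     # '94: the source is read before B is evaluated
    da = resolve(core, pc, ins.bmode, ins.b)
    if ins.op == "DAT":
        return None
    if ins.op == "JMP":
        return sa
    if ins.op == "MOV" and ins.mod == "I":
        core[da] = src                          # whole-instruction copy (what the IMP does)
    else:
        for s, d in FIELDS[ins.mod]:            # field-wise MOV or ADD
            new = getattr(src, s) if ins.op == "MOV" else (getattr(core[da], d) + getattr(src, s)) % n
            setattr(core[da], d, new)
    if ins.op == "MOV":
        moves.append(da)                        # the "bomb log": where each MOV landed
    return (pc + 1) % n


class Warrior:
    def __init__(self, name, source):
        self.name, (self.code, self.org) = name, parse(source)
        self.pc, self.moves = 0, []


def battle(warriors, coresize, load_at, cycles):
    """Round-robin battle; returns (core, {name: cycle in which that warrior died})."""
    core = [replace(EMPTY) for _ in range(coresize)]
    for w, base in zip(warriors, load_at):
        for i, ins in enumerate(w.code):
            core[(base + i) % coresize] = replace(ins)
        w.pc, w.moves = (base + w.org) % coresize, []
    deaths = {}
    for cycle in range(1, cycles + 1):
        alive = [w for w in warriors if w.name not in deaths]
        if not alive or (len(warriors) > 1 and len(alive) == 1):
            break
        for w in alive:
            w.pc = execute(core, w.pc, w.moves)
            if w.pc is None:
                deaths[w.name] = cycle
    return core, deaths


IMP_SRC = "MOV 0, 1"
DWARF_SRC = "ORG 1\nDAT.F #0, #0\nADD.AB #4, $-1\nMOV.AB #0, @-2\nJMP.A $-2, #0"


def dwarf_vs_imp(coresize=40, cycles=200):
    """Dwarf loaded at cell 0 and IMP at cell 8; returns (Dwarf's bomb addresses, deaths)."""
    dwarf, imp = Warrior("Dwarf", DWARF_SRC), Warrior("Imp", IMP_SRC)
    _, deaths = battle([dwarf, imp], coresize, [0, 8], cycles)
    return dwarf.moves, deaths


if __name__ == "__main__":
    print(dwarf_vs_imp())
```

In the 40-cell demo core the Dwarf's bombs land at 4, 8, 12, ... and the IMP, advancing one cell per cycle, is caught on cycle 17: the bomb zeroes the B field of the cell the IMP is about to execute, turning its MOV 0,1 into MOV 0,0, so it stops crawling and on the next cycle walks into an empty DAT cell and dies.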
There are several common strategies in Core War, including scanning, replicating, bombing, IMP-spiral (those using the SPL instruction), and the interesting bomber variation named the vampire. Dewdney also pointed out that programs can even steal their enemy warrior's very soul by hijacking the warrior's execution flow. These are the so-called vampire warriors, which bomb JMP (jump) instructions into the core. By bombing with jumps, the enemy program's control can be hijacked to point to a new, predefined location where the hijacked warrior will typically execute useless code. Useless code will "burn" the cycles of the enemy warrior's execution threads, thus giving the vampire warrior an advantage.

Instead of writing computer viruses, I strongly recommend playing this harmless and interesting game. In fact, if worms fascinate you, a new version of Core War can be created to link battles in different networks and allow warrior programs to jump from one battle to another to fight new enemies on those machines. Evolving the game to be more networked allows for simulating worm-like warrior programs.
1.2 Genesis of Computer Viruses

Virus-like programs appeared on microcomputers in the 1980s. However, two frequently recounted precursors deserve mention here: Creeper from 1971-72 and John Walker's "infective" version of the popular ANIMAL game for UNIVAC[15] in 1975.

Creeper and its nemesis, Reaper, the first "antivirus" for networked TENEX running on PDP-10s at BBN, were born while their authors were doing the early development of what became "the Internet."

Even more interestingly, ANIMAL was created on a UNIVAC 1100/42 mainframe computer running under the Univac 1100 series operating system, Exec-8. In January of 1975, John Walker (later founder of Autodesk, Inc. and co-author of AutoCAD) created a general subroutine called PERVADE[16], which could be called by any program. When PERVADE was called by ANIMAL, it looked around for all accessible directories and made a copy of its caller program, ANIMAL in this case, to each directory to which the user had access. Programs used to be exchanged relatively slowly, on tapes, at the time, but still, within a month, ANIMAL appeared at a number of places.
The first viruses on microcomputers were written on the Apple II, circa 1982. Rich Skrenta[17], who was a ninth-grade student at the time in Pittsburgh, Pennsylvania, wrote "Elk Cloner." He did not think the program would work well, but he coded it nonetheless. His friends found the program quite entertaining, unlike his math teacher, whose computer became infected with it. Elk Cloner had a payload that displayed Skrenta's poem after every 50th use of the infected disk when reset was pressed (see Figure 1.8). On every 50th boot, Elk Cloner hooked the reset handler; thus, only pressing reset triggered the payload of the virus.

Figure 1.8 Elk Cloner activates.

Not surprisingly, the friendship of the two ended shortly after the incident. Skrenta also wrote computer games and many useful programs at the time, and he still finds it amazing that he is best known for the "stupidest hack" he ever coded.
In 1982, two researchers at Xerox PARC[18] performed other early studies with computer worms. At that time, the term computer virus was not used to describe these programs. In 1984, mathematician Dr. Frederick Cohen[19] introduced this term, thereby becoming the "father" of computer viruses with his early studies of them. Cohen introduced the term computer virus based on the recommendation of his advisor, Professor Leonard Adleman[20], who picked the name from science fiction novels.
1.3 Automated Replicating Code: The Theory and Definition of Computer Viruses

Cohen provided a formal mathematical model for computer viruses in 1984. This model used a Turing machine. In fact, Cohen's formal mathematical model for a computer virus is similar to von Neumann's self-replicating cellular automata model. We could say that, in the von Neumann sense, a computer virus is a self-reproducing cellular automaton. The mathematical model does not have much practical use for today's researcher. It is a rather general description of what a computer virus is. However, the mathematical model provides a significant theoretical foundation to the computer virus problem.

Here is Cohen's informal definition of a computer virus: "A virus is a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself."

This definition provides the important properties of a computer virus, such as the possibility of evolution (the capability to make a modified copy of the same code with mutations). However, it might also be a bit misleading if applied in its strictest sense.

This is, by no means, to criticize Cohen's groundbreaking model. It is difficult to provide a precise definition because there are so many different kinds of computer viruses nowadays. For instance, some forms of computer viruses, called companion viruses, do not necessarily modify the code of other programs. They do not strictly follow Cohen's definition because they do not need to include a copy of themselves within other programs. Instead, they make devious use of the program environment properties of the operating system by placing themselves, with the same name, ahead of their victim programs on the execution path. This can create a problem for behavior-blocking programs that attempt to block malicious actions of other programs, if the authors of such blockers strictly apply Cohen's informal definition. In other words, if such blocking programs are looking only for viruses that make unwanted changes to the code of another program, they will miss companion viruses.

Note

Cohen's mathematical formulation properly encompasses companion viruses; it is only the literal interpretation of the single-sentence human language definition that is problematic. A single-sentence linguistic definition of viruses is difficult to come up with.

Integrity checker programs also rely on the fact that one program's code remains unchanged over time. Such programs rely on a database (created at some initial point in time) assumed to represent a "clean" state of the programs on a machine. Integrity checker programs were Cohen's favorite defense method, and my own in the early '90s. However, it is easy to see that the integrity checker would be challenged by companion viruses unless the integrity checker also alerted the user about any new application on the system. Cohen's own system properly performed this. Unfortunately, the general public does not like to be bothered each time a new program is introduced on their systems, but Cohen's approach is definitely the safest technique to use.
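An integrity checker along the lines described above, added here as an example (it is not Cohen's program and not the author's Pasteur): it records a baseline of hashes for the executables on a search path, reports code that changed, and, to catch companion viruses, reports new executables, including any that now win name resolution for a baseline program. The DOS-style suffix order, the directory layout and the file contents are constructed assumptions for the demo.

```python
# Integrity checker of the kind the text describes: a baseline of hashes for the
# executables on a search path, then a check that reports modified code, missing
# files, new executables, and new executables that now win name resolution for a
# baseline program (a companion). Added example, not Cohen's or the author's
# code; the suffix order and the demo directory layout are assumptions made here.
import hashlib
import os
import tempfile

EXEC_SUFFIXES = (".com", ".exe", ".bat")  # the order in which a bare command name is tried


def digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(dirs):
    """Map every executable in the search directories to its SHA-256 (the 'clean' database)."""
    db = {}
    for d in dirs:
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if os.path.isfile(path) and name.lower().endswith(EXEC_SUFFIXES):
                db[path] = digest(path)
    return db


def resolve(command, dirs):
    """The file a bare command name runs: first directory, then first suffix, that exists."""
    for d in dirs:
        for suffix in EXEC_SUFFIXES:
            path = os.path.join(d, command + suffix)
            if os.path.isfile(path):
                return path
    return None


def check(baseline, dirs):
    """Compare the current state of the search path against the baseline database."""
    now = scan(dirs)
    report = {"modified": [], "missing": [], "new": [], "companion": []}
    for path, h in baseline.items():
        if path not in now:
            report["missing"].append(path)
        elif now[path] != h:
            report["modified"].append(path)
    report["new"] = sorted(p for p in now if p not in baseline)
    # A new file is a companion if typing a baseline program's name now runs the new file.
    for victim in baseline:
        command = os.path.splitext(os.path.basename(victim))[0]
        winner = resolve(command, dirs)
        if winner != victim and winner in report["new"]:
            report["companion"].append((winner, victim))
    return report


def write(path, data, mode="wb"):
    with open(path, mode) as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline, then one patched file, one plain new file, one companion."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir, apps_dir = os.path.join(root, "bin"), os.path.join(root, "apps")
        os.makedirs(bin_dir)
        os.makedirs(apps_dir)
        write(os.path.join(bin_dir, "tool.com"), b"\xB8\x00\x4C\xCD\x21")   # constructed stub
        write(os.path.join(apps_dir, "victim.exe"), b"MZ" + b"\0" * 30)    # constructed stub
        dirs = [bin_dir, apps_dir]
        baseline = scan(dirs)
        # "Attack": patch tool.com, drop an unrelated new program, and plant
        # victim.com where it is found before victim.exe on the search path.
        write(os.path.join(bin_dir, "tool.com"), b"\x90", "ab")
        write(os.path.join(apps_dir, "extra.exe"), b"MZ" + b"\0" * 30)
        write(os.path.join(bin_dir, "victim.com"), b"\xEB\xFE")
        report = check(baseline, dirs)
    base = os.path.basename
    return {"modified": [base(p) for p in report["modified"]],
            "missing": [base(p) for p in report["missing"]],
            "new": [base(p) for p in report["new"]],
            "companion": [(base(w), base(v)) for w, v in report["companion"]]}


if __name__ == "__main__":
    print(demo())
```

The companion check is a function of the search order, not of file contents: victim.exe is byte-for-byte unchanged and would pass a pure code-change check, yet the report flags victim.com because it is what now runs when the user types the victim's name.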
Dr. Cohen's definition does not differentiate between programs explicitly designed to copy themselves (the "real viruses," as we call them) and the programs that can copy themselves as a side effect of the fact that they are general-purpose copying programs (compilers and so on). Indeed, in the real world, behavior-blocking defense systems often alarm in such a situation. For instance, Norton Commander, the popular command shell, might be used to copy the commander's own code to another hard drive or network resource. This action might be confused with self-replicating code, especially if the folder in which the copy is made has a previous version of the program that we overwrite to upgrade it. Though such "false alarms" are easily dealt with, they will undoubtedly annoy end users.

Taking these points into consideration, a more accurate definition of a computer virus would be the following: "A computer virus is a program that recursively and explicitly copies a possibly evolved version of itself."

There is no need to specify how the copy is made, and there is no strict need to "infect" or otherwise modify another application or host program. However, most computer viruses do indeed modify another program's code to take control. Blocking such an action, then, considerably reduces the possibility for viruses to spread on the system.

As a result, there is always a host, an operating system, or another kind of execution environment, such as an interpreter, in which a particular sequence of symbols behaves as a computer virus and replicates itself recursively.

Computer viruses are self-automated programs that, against the user's wishes, make copies of themselves to spread themselves to new targets. Although particular computer viruses ask the user with prompts before they infect a machine, such as, "Do you want to infect another program? (Y/N?)," this does not make them non-viruses. Often, novice researchers in computer virus labs believe otherwise, and they actually argue that such programs are not viruses. Obviously, they are wrong!

When attempting to classify a particular program as a virus, we need to ask the important question of whether a program is able to replicate itself recursively and explicitly. A program cannot be considered a computer virus if it needs any help to make a copy of itself. This help might include modifying the environment of such a program (for example, manually changing bytes in memory or on a disk) or, heaven forbid, applying a hot fix to the intended virus code itself using a debugger! Instead, nonworking viruses should be classified as intended viruses.

The copy in question does not have to be an exact clone of the initial instance. Modern computer viruses, especially so-called metamorphic viruses (further discussed in Chapter 7, "Advanced Code Evolution Techniques and Computer Virus Generator Kits"), can rewrite their own code in such a way that the starting sequence of bytes responsible for the copy of such code will look completely different in subsequent generations but will perform the equivalent or similar functionality.
1. Donald E. Knuth, The Art of Computer Programming, 2nd Edition, Addison-Wesley, Reading, MA, 1973, 1968, ISBN: 0-201-03809-9 (Hardcover)

2. John von Neumann, "The General and Logical Theory of Automata," Hixon Symposium, 1948

3. John von Neumann, "Theory and Organization of Complicated Automata," Lectures at the University of Illinois, 1949

4. John von Neumann, "The Theory of Automata: Construction, Reproduction, Homogeneity," Unfinished manuscript, 1953

5. William Poundstone, Prisoner's Dilemma, Doubleday, New York, ISBN: 0-385-41580-X (Paperback), 1992

6. Eli Bachmutsky, "Self-Replication Loops in Cellular Space," http://necsi.org:16080/postdocs/sayama/sdrs/java

7. Robert A. Freitas, Jr. and William B. Zachary, "A Self-Replicating, Growing Lunar Factory," Fifth Princeton/AIAA Conference, May 1981

8. Robert A. Freitas, Jr., "Some Limits to Global Ecophagy by Biovorous Nanoreplicators, with Public Policy Recommendations," http://www.foresight.org/nanorev/ecophagy.html

9. György Marx, A Természet Játékai, Ifjúsági Lap és Könyvterjesztő Vállalat, Hungary, 1982,

13. A. K. Dewdney, The Armchair Universe: An Exploration of Computer Worlds, New York: W. H. Freeman (c) 1988, ISBN: 0-7167-1939-8 (Paperback)

14. A. K. Dewdney, The Magic Machine: A Handbook of Computer Sorcery, New York: W. H. Freeman (c) 1990, ISBN: 0-7167-2125-2 (Hardcover), 0-7167-2144-9 (Paperback)

15. John Walker, "ANIMAL," http://fourmilab.ch/documents/univac/animal.html

16. John Walker, "PERVADE," http://fourmillab.ch/documents/univac/pervade.html

17. Rich Skrenta, http://www.skrenta.com

18. John Shoch and Jon Hupp, "The Worm Programs: Early Experience with a Distributed Computation," ACM, Volume 25, 1982, pp. 172-180

19. Dr. Frederick B. Cohen, A Short Course on Computer Viruses, Wiley Professional Computing, New York, 2nd edition, 1994, ISBN: 0471007684 (Paperback)

20. Vesselin Vladimirov Bontchev, "Methodology of Computer Anti-Virus Research," University of Hamburg Dissertation, 1998
Chapter 2 The Fascination of Malicious Code Analysis

"The Lion looked at Alice wearily. 'Are you animal, or vegetable, or mineral?' he said, yawning at every other word."

Lewis Carroll (1832-1898), Through the Looking-Glass and What Alice Found There (1871)

For people who are interested in nature, it is difficult to find a subject more fascinating than computer viruses. Computer virus analysis can be extremely difficult for most people at first glance. However, the difficulty depends on the actual virus code in question. Binary forms of viruses, those compiled to object code, must be reverse-engineered to understand them in detail. This process can be challenging for an individual, but it provides a great deal of knowledge about computer systems.

My own interest in computer viruses began in September of 1990, when my new PC clone displayed a bizarre message, followed by two beeps. The message read

"Your PC is now Stoned!"

I had heard about computer viruses before, but this was my first experience with one of these incredible nuisances. Considering that my PC was two weeks old at the time, I was fascinated by how quickly I encountered a virus on it. I had introduced the Stoned boot virus with an infected diskette, which contained a copy of a popular game named Jbird. A friend had given me the game. Obviously, he did not know about the hidden "extras" stored on the diskette.

I did not have antivirus software at the time, of course, and because this incident happened on a Saturday, help was not readily available. The PC clone had cost me five months' worth of my summer salary, so you can imagine my disappointment!

I was worried that I was going to lose all the data on my system. I remembered an incident that had happened to a friend in 1988: His PC was infected with a virus, causing characters to fall randomly down his computer screen; after a while, he could not do anything with the machine. He had told me that he needed to format the drive and reinstall all the programs.

Later, we learned that a strain of the Cascade virus had infected his computer. Cascade could have been removed from his system without formatting the hard drive, but he did not know that at the time. Unfortunately, as a result, he lost all his data. Of course, I wanted to do the exact opposite on my machine: remove the virus without losing my data.

To find the Stoned virus, I first searched the files on the infected diskette for the text that was displayed on the screen. I was not lucky enough to find any files that contained it. If I had had more experience in hunting viruses at the time, I might have considered the possibility that the virus was encrypted in a file. But this virus was not encrypted, and my instinct about a non-file-system hiding place was heading in the right direction.

This gave me the idea that the virus was not stored in the files but instead was located somewhere else on the diskette. I had Peter Norton's book, Programmer's Guide to the IBM PC, on hand. Up to this point, I had only read a few pages of it, but luckily the book described how the boot sector of diskettes could be accessed using a standard DOS tool called DEBUG.

After some hesitation, I finally executed the DEBUG command for the first time to try to look into the boot sector of the diskette, which was inserted in drive A. The command was the following:

    DEBUG
    -L 100 0 0 1

This command instructs DEBUG to load the first sector (the boot sector) from drive A: to memory at offset 100 hexadecimal. When I used the dump (D) command of DEBUG to display the loaded sector's content, I saw the virus's message, as well as some other text.
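The same inspection done from a script instead of DEBUG, as an added example that is not part of the book: check the 0x55AA boot signature, list the printable strings in the 512 bytes (the way the text showed up in the D dump), and, when a known-clean sector is available, list which byte ranges changed. The two sectors are constructed here for the demo; they are not Stoned's code or a real DOS boot sector, and the offset of the planted message is arbitrary.

```python
# Looking at a raw boot sector the way the DEBUG session does, from a script:
# verify the 0x55AA boot signature, pull printable strings out of the 512 bytes
# (a message that lives in no file shows up here), and list the byte ranges that
# differ from a known-clean sector. Added example; both sectors are constructed
# for the demo and are neither Stoned's code nor a real DOS boot sector.
SECTOR_SIZE = 512


def clean_sector():
    """Constructed: DOS-style JMP SHORT/NOP prologue, an OEM name, zero body, boot signature."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xEB\x3C\x90"
    s[3:11] = b"MSDOS5.0"
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def infected_sector(message=b"Your PC is now Stoned!", at=0x180):
    """Constructed: the clean sector with a text message patched in (prologue and signature kept)."""
    s = bytearray(clean_sector())
    s[at:at + len(message)] = message
    return bytes(s)


def has_boot_signature(sector):
    return len(sector) == SECTOR_SIZE and sector[510:512] == b"\x55\xAA"


def printable_strings(data, min_len=8):
    """Runs of printable ASCII at least min_len long, with their offsets (what 'D' shows as text)."""
    found, start = [], None
    for i, byte in enumerate(data + b"\0"):          # the sentinel flushes a trailing run
        if 32 <= byte < 127:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    return found


def changed_ranges(clean, suspect):
    """Contiguous [start, end) byte ranges where two same-size sectors differ."""
    ranges, start = [], None
    for i in range(SECTOR_SIZE + 1):
        differs = i < SECTOR_SIZE and clean[i] != suspect[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            ranges.append((start, i))
            start = None
    return ranges


def triage(sector, clean=None, markers=(b"Stoned",)):
    """Summary a first look at a sector should produce: signature, strings, markers, and changes."""
    report = {"signature_ok": has_boot_signature(sector),
              "strings": printable_strings(sector),
              "markers": [m.decode("ascii") for m in markers if m in sector]}
    if clean is not None:
        report["changed"] = changed_ranges(clean, sector)
    return report


if __name__ == "__main__":
    for key, value in triage(infected_sector(), clean_sector()).items():
        print(f"{key}: {value}")
```

Without a clean copy to diff against, the strings list is what the author had to go on; with one, the changed ranges tell you exactly which bytes to disassemble first, which is the usual starting point for a boot-sector disinfection routine.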
The Nor t on book int r oduced m e t o a subst ant ial am ount of t he infor m at ion I needed t o begin Forexam ple, it pr ovided det ailed and super b descr ipt ions of t he boot pr ocess, disk st r uct ur es, andvar ious int er r upt s of t he DOS and basic input - out put syst em ( BI OS) r out ines
I spent a few days analyzing St oned on paper and com m ent ing ever y single Assem bly inst r uct ionunt il I under st ood ever yt hing I t t ook m e alm ost a full w eek t o absor b all t he infor m at ion, but ,sadly, m y com put er w as st ill infect ed w it h t he vir us
Aft er a few m or e days of w or k, I cr eat ed a det ect ion pr ogr am , t hen a disinfect ion pr ogr am for t hevir us, w hich I w r ot e in Tur bo Pascal The disinfect ion pr ogr am w as able t o r em ove t he vir us fr omall over : fr om t he syst em m em or y as w ell as fr om t he boot and Mast er boot sect or s in w hich t hevir us w as st or ed
A couple of days lat er , I visit ed t he univer sit y w it h m y vir us det ect or and found t hat t he vir us hadinfect ed m or e t han half of t he PC labs' m achines I w as am azed at how successfully t his sim plevir us code could invade m achines ar ound t he w or ld I could not fat hom how t he vir us had
t r aveled all t he w ay fr om New Zealand w her e, I lear ned lat er , it had been r eleased in ear ly 1988,
t o Hungar y t o infect m y syst em
The St oned vir us w as in t he w ild ( I BM r esear cher , Dave Chess, coined t he t er m in t he w ild t odescr ibe com put er vir uses t hat w er e encount er ed on pr oduct ion syst em s Not all vir uses ar e in
t he w ild The vir uses t hat only collect or s or r esear cher s have seen ar e nam ed zoo vir uses.)
People w elcom ed t he help, and I w as happy because I w ant ed t o assist t hem and lear n m or eabout vir us hunt ing I st ar t ed t o collect vir uses fr om fr iends and w r ot e disinfect ion pr ogr am s for
t hem Vir uses such as Cascade, Vacsina, Yankee_Doodle, Vienna, I nvader , Tequila, and
Dar k_Avenger w er e am ong t he fir st set t hat I analyzed in det ail, and I w r ot e det ect ion and
disinfect ion code for t hem one by one
Eventually, my work culminated in a diploma, and my antivirus program became a popular shareware in Hungary. I named my program Pasteur after the French microbiologist Louis Pasteur.
All my efforts and experiences opened up a career for me in antivirus research and development. This book is designed to share my knowledge of computer virus research.
2.1 Common Patterns of Virus Research
Computer virus analysis has some common patterns that can be learned easily, lending efficiency to the analysis process. There are several techniques that computer virus researchers use to reach their ultimate goal, which is to acquire a precise understanding of viral programs in a timely manner to provide appropriate prevention and to respond so that computer virus outbreaks can
This book will introduce these useful techniques to teach you how to deal with viral programs more efficiently. Along the way, you will learn how to analyze a computer virus more effectively and safely by using disassemblers, debuggers, emulators, virtual machines, file dumpers, goat files, dedicated virus replication machines and systems, virus test networks, decryption tools, unpackers, and many other useful tools. You can use this information to deal with computer virus problems more effectively on a daily basis.
You also will learn how computer viruses are classified and named, as well as a great deal about state-of-the-art computer virus tricks.
Computer virus source code is not discussed in this book. Discussions on this topic are unethical and in some countries, illegal[1]. More importantly, writing even a dozen viruses would not make you an expert on this subject.
Some virus writers[2] believe that they are experts because they created a single piece of code that replicates itself. This assumption could not be further from the truth. Although some virus writers might be very knowledgeable individuals, most of them are not experts on the subject of computer viruses. The masterminds who arguably at various times represented the state of the art in computer virus writing go (or went) by aliases such as Dark Avenger[3], Vecna, Jacky Qwerty, Murkry, Sandman, Quantum, Spanska, GriYo, Zombie, roy g biv, and Mental Driller.
2.2 Antivirus Defense Development
Initially, developing antivirus software programs was not difficult. In the late '80s and early '90s, many individuals were able to create some sort of antivirus program against a particular form of a computer virus.
Frederick Cohen proved that antivirus programs cannot solve the computer virus problem because there is no way to create a single program that can detect all future computer viruses in finite time. Regardless of this proven fact, antivirus programs have been quite successful in dealing with the problem for a while. At the same time, other solutions have been researched and developed, but computer antivirus programs are still the most widely used defenses against computer viruses at present, regardless of their many drawbacks, including the inability to contend with and solve the aforementioned problem.
Perhaps under the delusion that they are experts on computer viruses, some security analysts state that any sort of antivirus program is useless if it cannot find all the new viruses. However, the reality is that without antivirus programs, the Internet would be brought to a standstill because of the traffic undetected computer viruses would generate.
Often we do not completely understand how to protect ourselves against viruses, but neither do we know how to reduce the risk of becoming infected by them by adopting proper hygiene habits. Unfortunately, negligence is one of the biggest contributors to the spread of computer viruses. The sociological aspects of computer security appear to be more relevant than technology. Carelessly neglecting the most minimal level of computer maintenance, network security configuration, and failing to clean an infected computer opens up a Pandora's box that allows more problems to spread to other computers.
In the early phases of virus detection and removal, computer viruses were easily managed because very few viruses existed (there were fewer than 100 known strains in 1990). Computer virus researchers could spend weeks analyzing a single virus alone. To make life even easier, computer viruses spread slowly, compared to the rapid proliferation of today's viruses. For example, many successful boot viruses were 512 bytes long (the size of the boot sector on the IBM PC), and they often took a year or longer to travel from one country to another. Consider this: The spread time at which a computer virus traveled in the past compared to today's virus spread time is analogous to comparing the speed of message transfer in ancient times, when messengers walked or ran from city to city to deliver parcels, with today's instant message transfer, via e-mail, with or without attachments.
Finding a virus in the boot sector was easy for those who knew what a boot sector was; writing a program to recognize the infection was tricky. Manually disinfecting an infected system was a true challenge in and of itself, so creating a program that automatically removed viruses from computers was considered a tremendous achievement. Currently, the development of antivirus and security defense systems is deemed an art form, which lends itself to cultivating and developing a plethora of useful skills. However, natural curiosity, dedication, hard work, and the continuous desire to learn often supersede mere hobbyist curiosity and are thus essential to becoming a master of this artistic and creative vocation.
2.3 Terminology of Malicious Programs
The need to define a unified nomenclature for malicious programs is almost as old as computer viruses themselves[4]. Obviously, each classification has a common pitfall because classes will always appear to overlap, and classes often represent closely related subclasses of each other.
2.3.1 Viruses
As defined in Chapter 1, "Introduction to the Games of Nature," a computer virus is code[5] that recursively replicates a possibly evolved copy of itself. Viruses infect a host file or system area, or they simply modify a reference to such objects to take control and then multiply again to form new generations.
2.3.2 Worms
Worms are network viruses, primarily replicating on networks. Usually a worm will execute itself automatically on a remote machine without any extra help from a user. However, there are worms, such as mailer or mass-mailer worms, that will not always automatically execute themselves without the help of a user.
Worms are typically standalone applications without a host program. However, some worms, like W32/Nimda.A@mm, also spread as a file-infector virus and infect host programs, which is precisely why the easiest way to approach and contain worms is to consider them a special subclass of virus. If the primary vector of the virus is the network, it should be classified as a worm.
2.3.2.1 Mailers and Mass-Mailer Worms
Mailers and mass-mailer worms comprise a special class of computer worms, which send themselves in an e-mail. Mass-mailers, often referred to as "@mm" worms such as VBS/Loveletter.A@mm, send multiple e-mails including a copy of themselves once the virus is invoked.
Mailers will send themselves less frequently. For instance, a mailer such as W32/SKA.A@m (also known as the Happy99 worm) sends a copy of itself every time the user sends a new message.
2.3.2.2 Octopus
An octopus is a sophisticated kind of computer worm that exists as a set of programs on more than one computer on a network.
For example, head and tail copies are installed on individual computers that communicate with each other to perform a function. An octopus is not currently a common type of computer worm but will likely become more prevalent in the future. (Interestingly, the idea of the octopus comes from the science fiction novel Shockwave Rider by John Brunner. In the story, the main character, Nickie, is on the run and uses various identities. Nickie is a phone phreak, and he uses a "tapeworm," similar to an octopus, to erase his previous identities.)
2.3.2.3 Rabbits
A rabbit is a special computer worm that exists as a single copy of itself at any point in time as it "jumps around" on networked hosts. Other researchers use the term rabbit to describe crafty, malicious applications that usually run themselves recursively to fill memory with their own copies and to slow down processing time by consuming CPU time. Such malicious code uses too much memory and thus can cause serious side effects on a machine within other applications that are not prepared to work under low-memory conditions and that unexpectedly cease functioning.
2.3.3 Logic Bombs
A logic bomb is a programmed malfunction of a legitimate application. An application, for example, might delete itself from the disk after a couple of runs as a copy protection scheme; a programmer might want to include some extra code to perform a malicious action on certain systems when the application is used. These scenarios are realistic when dealing with large projects driven by limited code-reviews.
An example of a logic bomb can be found in the original version of the popular Mosquitos game on Nokia Series 60 phones. This game has a built-in function to send a message using the Short Message Service (SMS) to premium rate lines. The functionality was built into the first version of the game as a software distribution and piracy protection scheme, but it backfired[6]. When legitimate users complained to the software vendor, the routine was eliminated from the code of the game. The premium lines have been "disconnected" as well. However, the pirated versions of the game are still in circulation, which have the logic bomb inside and send regular SMS messages. The game used four premium SMS phone numbers such as 4636, 9222, 33333, and 87140, which corresponded to four countries. For example, the number 87140 corresponded to the UK. When the game used this number, it sent the text "king.001151183" as short message. In turn, the user of the game was charged a hefty £1.5 per message.
Often extra functionality is hidden as resources in the application and remains hidden. In fact, the way in which these functions are built into an application is similar to the way so-called Easter eggs are making headway into large projects. Programmers create Easter eggs to hide some extra credit pages for team members who have worked on a project.
Applications such as those in the Microsoft Office suite have many Easter eggs hidden within them, and other major software vendors have had similar credit pages embedded within their programs as well. Although Easter eggs are not malicious and do not threaten end users (even though they might consume extra space on the hard drive), logic bombs are always malicious.
malicious activities later.
For example, on UNIX-based systems, hackers often leave a modified version of "ps" (a tool to display a process list) to hide a particular process ID (PID), which can relate to another backdoor Trojan's process. Later on, it might be difficult to find such changes on a compromised system. These kinds of Trojans are often called user mode rootkits.
The attacker can easily manipulate the tool by modifying the source code of the original tool at a certain location. At first glance, this minor modification is extremely difficult to locate.
Probably the most famous Trojan horse is the AIDS TROJAN DISK[7] that was sent to about 7,000 research organizations on a diskette. When the Trojan was introduced on the system, it scrambled the name of all files (except a few) and filled the empty areas of the disk completely. The program offered a recovery solution in exchange for a bounty. Thus, malicious cryptography was born. The author of the Trojan horse was captured shortly after the incident. Dr. Joseph Popp, 39 at the time, a zoologist from Cleveland, Ohio, was prosecuted in the UK[8].
The filename scrambling function of AIDS TROJAN DISK was based on two substitution tables[9]. One was used to encrypt the filenames and another to encrypt the file extensions. At some point in the history of cryptography[10], such an algorithm was considered unbreakable[11]. However, it is easy to see that substitution ciphers can be easily attacked based on the use of statistical methods (the distribution of common words). In addition, if given enough time, the defender can disassemble the Trojan's code and pick the tables from its code.
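To make concrete why the two-table scheme just described gives the defender a way in, here is an added illustration written for this edition (constructed code, not the Trojan's and not from the book): a toy scrambler with two made-up substitution tables, known-plaintext recovery of those tables from the standard DOS system files every boot disk carries, and a count signature showing that a substitution preserves symbol frequencies. The tables, helper names and the disk listing are all constructed for the demonstration.

```python
# Toy two-table filename scrambler in the style of AIDS TROJAN DISK, added here
# as an illustration. The tables are constructed for the demo, NOT the Trojan's.
import string
from collections import Counter

# 8.3 filenames are case-insensitive, so a 37-symbol alphabet suffices here.
ALPHABET = string.ascii_uppercase + string.digits + "_"

def _perm(shift, step):
    """Constructed permutation of ALPHABET (37 is prime, so any step is a bijection)."""
    n = len(ALPHABET)
    return {ALPHABET[i]: ALPHABET[(shift + i * step) % n] for i in range(n)}

NAME_TABLE = _perm(7, 11)  # table for the name part
EXT_TABLE = _perm(3, 29)   # separate table for the extension

def scramble(filename):
    """Apply the two monoalphabetic tables; symbols outside ALPHABET pass through."""
    name, dot, ext = filename.upper().partition(".")
    out = "".join(NAME_TABLE.get(c, c) for c in name)
    return out + ("." + "".join(EXT_TABLE.get(c, c) for c in ext) if dot else "")

def recover_from_cribs(cribs):
    """Known-plaintext recovery from (scrambled, plaintext) pairs.

    Every DOS boot disk carries COMMAND.COM, AUTOEXEC.BAT and CONFIG.SYS, so a
    defender can line them up with their scrambled forms and read off table
    entries. Returns (name_map, ext_map) mapping scrambled symbol -> plain symbol.
    """
    name_map, ext_map = {}, {}
    for scrambled, plain in cribs:
        s_name, _, s_ext = scrambled.partition(".")
        p_name, _, p_ext = plain.upper().partition(".")
        for table, s, p in ((name_map, s_name, p_name), (ext_map, s_ext, p_ext)):
            for a, b in zip(s, p):
                if table.setdefault(a, b) != b:
                    raise ValueError(f"inconsistent crib for symbol {a!r}")
    return name_map, ext_map

def unscramble(filename, name_map, ext_map):
    """Invert the tables where known; '?' marks symbols no crib has covered yet."""
    name, dot, ext = filename.partition(".")
    out = "".join(name_map.get(c, "?") for c in name)
    return out + ("." + "".join(ext_map.get(c, "?") for c in ext) if dot else "")

def count_signature(filenames):
    """Sorted symbol counts of the name parts. A substitution only relabels which
    symbol carries which count, so scrambled and plain listings share this
    signature; that invariance is what frequency analysis exploits."""
    counts = Counter(c for f in filenames for c in f.partition(".")[0])
    return sorted(counts.values(), reverse=True)

# Constructed directory listing standing in for a victim's disk.
DISK_LISTING = ["COMMAND.COM", "AUTOEXEC.BAT", "CONFIG.SYS", "README.TXT",
                "REPORT.DOC", "BUDGET.WK1", "NOTES.TXT", "DATA.DBF"]

def demo():
    """Scramble the listing, then recover what three system-file cribs reveal."""
    scrambled = [scramble(f) for f in DISK_LISTING]
    name_map, ext_map = recover_from_cribs(list(zip(scrambled[:3], DISK_LISTING[:3])))
    return [unscramble(s, name_map, ext_map) for s in scrambled]

if __name__ == "__main__":
    for plain, recovered in zip(DISK_LISTING, demo()):
        print(f"{plain:13} -> {recovered}")
```

Three cribs already restore every symbol they share with the rest of the listing; the remaining "?" entries are exactly the table cells a defender would pull from the disassembled code, as the text notes.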
There are two kinds of Trojans:
One hundred percent Trojan code, which is easy to analyze
A careful modification of an original application with some extra functionality, some of which belong to backdoor or rootkit subclasses. This kind of Trojan is more common on open source systems because the attacker can easily insert backdoor functionality to existing code.
Note
The source code of Windows NT and Windows 2000 got into circulation in early 2004. It is expected that backdoor and rootkit programs will be created using these sources.
2.3.4.1 Backdoors (Trapdoors)
A backdoor is the malicious hacker's tool of choice that allows remote connections to systems. A typical backdoor opens a network port (UDP/TCP) on the host when it is executed. Then, the listening backdoor waits for a remote connection from the attacker and allows the attacker to connect to the system. This is the most common type of backdoor functionality, which is often mixed with other Trojan-like features.
Another kind of backdoor relates to a program design flaw. Some applications, such as the early implementation of SMTP (simple mail transfer protocol), allowed features to run a command (for example, for debugging purposes). The Morris Internet worm uses such a command to execute itself remotely, with the command placed as the recipient of the message on such vulnerable installations. Fortunately, this command was quickly removed once the Morris worm exploited it. However, there can be many applications, especially newer ones, that allow for similar insecure features.
2.3.4.2 Password-Stealing Trojans
Password-stealing Trojans are a special subclass of Trojans. This class of malicious program is used to capture and send a password to an attacker. As a result, an attacker can return to the vulnerable system and take whatever he or she wants. Password stealers are often combined with keyloggers to capture keystrokes when the password is typed at logon.
2.3.5 Germs
Germs are first-generation viruses in a form that the virus cannot generate through its usual infection processes. Usually, when the virus is compiled for the first time, it exists in a special form and normally does not have a host program attached to it. Germs will not have the usual marks that most viruses use in second-generation form to flag infected files to avoid reinfecting an already infected object.
A germ of an encrypted or polymorphic virus is usually not encrypted but is plain, readable code. Detecting germs might need to be done differently from detecting second-, and later-, generation infections.
2.3.6 Exploits
Exploit code is specific to a single vulnerability or set of vulnerabilities. Its goal is to run a program on a (possibly remote, networked) system automatically or provide some other form of more highly privileged access to the target system. Often, a single attacker builds exploit code and shares it with others. "White hat" hackers create a form of exploit code for penetration (or "pen") testing. Therefore, depending on the actual use of the exploit, the exploitation might be malicious in some cases but harmless in others; the severity of the threat depends on the intention of the attacker.
2.3.7 Downloaders
A downloader is yet another malicious program that installs a set of other items on a machine that is under attack. Usually, a downloader is sent in e-mail, and when it is executed (sometimes aided with the help of an exploit), it downloads malicious content from a Web site or other location and then extracts and runs its content.
aware of the charges. A common form of dialer is the so-called porn dialer.
Similar approaches exist on the World Wide Web using links to Web pages that connect to paid services.
2.3.9 Droppers
The original term refers to an "installer" for first-generation virus code. For example, boot viruses that first exist as compiled files in binary form are often installed in the boot sector of a floppy using a dropper. The dropper writes the germ code to the boot sector of the diskette. Then the virus can replicate on its own without ever generating the dropper form again.
When the virus regenerates the dropper form, the intermediate form is part of an infection cycle, which is not to be confused with a dedicated (or pure) dropper.
2.3.10 Injectors
Injectors are special kinds of droppers that usually install virus code in memory. An injector can be used to inject virus code in an active form on a disk interrupt handler. Then, the first time a user accesses a diskette, the virus begins to replicate itself normally.
A special kind of injector is the network injector. Attackers also can use legitimate utilities, such as NetCat (NC), to inject code into the network. Usually, a remote target is specified, and the datagram is sent to the machine that will be attacked using the injector. An attacker initially introduced the CodeRed worm using an injector; subsequently, the worm replicated as data on the network without ever hitting the disk again as a file.
Injectors are often used in a process called seeding. Seeding is a process that is used to inject virus code to several remote systems to cause an initial outbreak that is large enough to cause a quick epidemic. For example, there is supporting digital evidence that the W32/Witty worm[12] was seeded to several systems by its author.
2.3.11 Auto-Rooters
Auto-rooters are usually malicious hacker tools used to break into new machines remotely. Auto-rooters typically use a collection of exploits that they execute against a specified target to "gain root" on the machine. As a result, a malicious hacker (typically a so-called script-kiddie) gains administrative privileges to the remote machine.
2.3.12 Kits (Virus Generators)
Virus writers developed kits, such as the Virus Creation Laboratory (VCL) or PSMPC generators, to generate new computer viruses automatically, using a menu-based application. With such tools, even novice users were able to develop harmful computer viruses without too much background knowledge. Some virus generators exist to create DOS, macro, script, or even Win32 viruses and mass-mailing worms. As discussed in Chapter 7, "Advanced Code Evolution Techniques and Computer Virus Generator Kits," the so-called "Anna Kournikova" virus (technically VBS/VBSWG.J) was created by a Dutch teenager, Jan de Wit, from the VBSWG kit. Sadly, de Wit got lucky and the kit, infamous for churning out mainly broken, intended code, produced a working virus. De Wit was subsequently arrested, convicted, and sentenced for his role in this.
2.3.13 Spammer Programs
Vikings: Spam spam spam spam
Waitress: …spam spam spam egg and spam; spam spam spam spam spam baked beans