Professional Documents
Culture Documents
Viruses are a cause of much confusion and a target of considerable misinformation even from some
You could probably also say that the virus must do this without the permission or knowledge of the
user, but that's not a vital distinction for purposes of our discussion here. We are using a broad
An obvious example of an executable file would be a program (COM or EXE file) or an overlay or
library file used by an EXE file. Less obvious, but just as critical, would be the macro portion of what
you might generally consider to be a data file (e.g., a Microsoft Word document). It's important to
also realize that the system sectors on either a hard or floppy disk contain executable code that can
be infected--even those on a data disk. More recently, scripts written for Internet Web sites and/or
To attach might mean physically adding to the end of a file, inserting into the middle of a file, or
simply placing a pointer to a different location on the disk somewhere where the virus can find it.
Most viruses do their job by placing self-replicating code in other programs, so that when those
other programs are executed, even more programs are infected with the self-replicating code. This
self-replicating code, when triggered by some event, may do a potentially harmful act to your
computer.
Another way of looking at viruses is to consider them to be programs written to create copies of
themselves. These programs attach these copies onto host programs (infecting these programs).
When one of these hosts is executed, the virus code (which was attached to the host) executes, and
Similar to viruses, you can also find malicious code in Trojan Horses, worms, and logic bombs. Often
the characteristics of both a virus and a worm can be found in the same beast; confusing the issue
even further.
Note: The balance between viruses, worms, and Trojan Horses changes from time to time. In the
early days of such malware viruses tended to dominate. Various macro viruses/worms appeared
later as the dominate form and by around 2005 or so Trojan Horses started to be more prominent
Before looking at specific virus types you might also want to consider the following general
discussions:
Virus Behavior
Viruses need time to infect. Not all viruses attack, but all use system resources and often have
bugs.
Viruses come in a great many different forms, but they all potentially have two phases to their
Infection Phase
When the virus executes it has the potential to infect other programs. What's often not clearly
understood is precisely when it will infect the other programs. Some viruses infect other programs
each time they are executed; other viruses infect only upon a certain trigger. This trigger could be
anything; a day or time, an external event on your PC, a counter within the virus, etc. Virus writers
want their programs to spread as far as possible before anyone notices them.
It is a serious mistake to execute a program a few times - find nothing infected and presume there
are no viruses in the program. You can never be sure the virus simply hasn't yet triggered its
infection phase.
Many viruses go resident in the memory of your PC in the same or similar way as terminate and
stay resident (TSR) programs. (For those not old enough to remember TSRs, they were programs
that executed under DOS but stayed in memory instead of ending.) This means the virus can wait
for some external event before it infects additional programs. The virus may silently lurk in memory
waiting for you to access a diskette, copy a file, or execute a program, before it infects anything.
This makes viruses more difficult to analyze since it's hard to guess what trigger condition they use
On older systems, standard (640K) memory is not the only memory vulnerable to viruses. It is
possible to construct a virus which will locate itself in upper memory (the space between 640K and
1M) or in the High Memory Area (the small space between 1024K and 1088K). And, under Windows,
Resident viruses frequently take over portions of the system software on the PC to hide their
existence. This technique is called stealth. Polymorphic techniques also help viruses to infect yet
avoid detection.
Note that worms often take the opposite approach and spread as fast as possible. While this makes
their detection virtually certain, it also has the effect of bringing down networks and denying
Attack Phase
Many viruses do unpleasant things such as deleting files or changing random data on your disk,
simulating typos or merely slowing your PC down; some viruses do less harmful things such as
playing music or creating messages or animation on your screen. Just as the infection phase can be
triggered by some event, the attack phase also has its own trigger.
Does this mean a virus without an attack phase is benign? No. Many viruses have bugs in them and
these bugs often cause unintended negative side effects. In addition, even if the virus is perfect, it
still steals system resources. (Also, see the "good" virus discussion.)
Viruses often delay revealing their presence by launching their attack only after they have had
ample opportunity to spread. This means the attack could be delayed for days, weeks, months, or
The attack phase is optional, many viruses simply reproduce and have no trigger for an attack
phase. Does this mean that these are "good" viruses? No! Anything that writes itself to your disk
without your permission is stealing storage and CPU cycles. (Also see the "good" virus discussion.)
This is made worse since viruses that "just infect," with no attack phase, often damage the
programs or disks they infect. This is not an intentional act of the virus, but simply a result of the
An an example, one of the most common past viruses, Stoned, is not intentionally harmful.
Unfortunately, the author did not anticipate the use of anything other than 360K floppy disks. The
original virus tried to hide its own code in an area of 1.2MB diskettes that resulted in corruption of
the entire diskette (this bug was fixed in later versions of the virus).
Number of Viruses
margin). Estimates of exactly how many there are vary widely and the number is constantly
growing.
In 1990, estimates ranged from 200 to 500; then in 1991 estimates ranged from 600 to 1,000
different viruses. In late 1992, estimates were ranging from 1,000 to 2,300 viruses. In mid-1994,
the numbers vary from 4,500 to over 7,500 viruses. In 1996 the number climbed over 10,000.
1998 saw 20,000 and 2000 topped 50,000. It's easy to say there are more now. Indeed, in April
2008, the BBC reported that Symantec now claims "that the security firm's anti-virus programs
detect to 1,122,311" viruses and that "almost two thirds of all malicious code threats currently
The confusion exists partly because it's difficult to agree on how to count viruses. New viruses
frequently arise from someone taking an existing virus that does something like put a message out
on your screen saying: "Your PC is now stoned" and changing it to say something like "Donald Duck
is a lie!". Is this a new virus? Most experts say yes. But, this is a trivial change that can be done in
More confusion arises with some companies counting viruses+worms+Trojans as a unit and some
not.
Another problem comes from viruses that try to conceal themselves from scanners by mutating. In
other words, every time the virus infects another file, it will try to use a different version of itself.
One example, the Whale (an early, huge, clumsy 10,000 byte virus), creates 33 different versions
of itself when it infects files. At least one vendor counted this as 33 different viruses on their list.
Many of the large number of viruses known to exist have not been detected in the wild but probably
David M. Chess of IBM's High Integrity Computing Laboratory reported in the November 1991 Virus
Bulletin that "about 30 different viruses and variants account for nearly all of the actual infections
that we see in day-to-day operation." In late 2007, about 580 different viruses, worms, and Trojans
(and some of these are members of a single family) account for all the virus-related malware that
actually spread in the wild. To keep track visit the Wildlist , a list which reports virus sightings.
How can there be so few viruses active when some experts report such high numbers? This is
probably because most viruses are poorly written and cannot spread at all or cannot spread without
betraying their presence. Although the actual number of viruses will probably continue to be hotly
debated, what is clear is that the total number of viruses is increasing, although the active viruses
Summary
• Only a small percentage of this total number account for those viruses found in the wild,
What's in a name? When it comes to viruses it's a matter of identification to the general public. An
anti-virus program does not really need the name of a virus as it identifies it by its characteristics.
But, while giving a virus a name helps the public at large it also serves to confuse them since the
names given to a particular beast can differ from anti-virus maker to anti-virus maker.
How? Why? Much as they would like to, the virus writers do not get to name their beasts. Some
have tried by putting obvious text into the virus but most of the anti-virus companies tend to ignore
such text (mostly to spite the virus writers ). And, any virus writer that insists on a particular
name has to identify themselves in the process--something they usually don't want to do. So, the
anti-virus companies control the virus naming process. But, that leads to the naming problem.
Viruses come into various anti-virus companies around the world at various times and by various
means. Each company analyzes the virus and assigns a name to it for tracking purposes. While
there is cooperation between companies when new viruses are identified, that cooperation often
takes a back seat to getting a product update out the door so the anti-virus company's customers
are protected. This delay allows alternate names to enter the market. Over time these are often
standardized or, at least, cross-referenced in listings; but that does not help when the beast makes
This problem/confusion will continue. One practical and well documented example of how it affects a
real-world virus listing can be seen at the WildList site on the page...
http://www.wildlist.org/naming.htm
One attempt at bringing some order to the naming problem is Ian Whalley's VGrep [registration
required to view page]. VGrep attempts to collect all of the various virus names and then correlates
them into a single searchable list. While useful, there is, again, the lag time necessary to collect and
Another attempt is the database at VirusPool which "...tries to put information from all known
infections and antivirus creators into one place so you can compare names and results." I wish them
A new site to try to correlate malware names: CME - Common Malware Enumeration. CME
provides single, common identifiers to new virus threats to reduce public confusion during malware
outbreaks. CME is not an attempt to solve the challenges involved with naming schemes for viruses
and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing
Finally, some vendors have largely given up with naming specific malware and resorting to generic
names for the type of malware (e.g., Troj/Agent). The malware is being generated faster than the
naming system can reasonably keep up. Look for this to probably continue. Of course, this will then
mean changes to the specific methods of disinfection as you would no longer be able to download a
specific disinfector for a named beast. Time will tell how this develops.
Summary
• Virus naming is a function of the anti-virus companies. This results in different names for
new viruses.
• Different names can cause confusion for the public but not anti-virus software which looks
While serious if you have one, viruses are only one way
your data can be damaged. You must be prepared for all
threats; many of which are more likely to strike than
viruses.
It's important to keep viruses in perspective. There are many other threats to your programs and
data that are much more likely to harm you than viruses. A well known anti-virus researcher once
said that you have more to fear from a cup of coffee (which may spill) than from viruses. While the
growth in number of viruses, the introduction of the Microsoft Word macro viruses, VisualBasic
Script worms, and socially-engineered Trojans now puts this statement into question (even though
you can avoid these by just not clicking on them to open them!), it's still clear that there are many
dangerous occurrences of data corruption from causes other than from viruses.
So, does this mean that viruses are nothing to worry about? Emphatically, no! It just means that
it's foolish to spend much money and time on addressing the threat of viruses if you've done
nothing about the other more likely threats to your files. Because viruses and worms are
deliberately written to invade and possibly damage your PC, they are the most difficult threat to
guard against. It's pretty easy to understand the threat that disk failure represents and what to do
about it (although surprisingly few people even address this threat). The threat of viruses is really
no different; lost concentration or a zero-day attack can give you the same kind of problem a lost
hard drive can. There are no "cures" for the virus problem. One just has to take protective steps
with anti-virus software and use common sense when dealing with unknown files and Web links.
Summary
• While viruses are a serious threat, there are other, probably more serious, threats to your
data.
• If you have not taken precautions (e.g., regular backup) against general threats you have
By definition, viruses do not have to do something bad. An early (and current) virus researcher,
Fred Cohen, has argued that good computer viruses are a serious possibility. In fact, he has offered
a reward of $1,000 for the first clearly useful virus; but, he hasn't paid yet.
Most researchers, however, take the other side and argue that the use of self-replicating programs
are never necessary; the task that needs to be performed can just as easily be done without the
replication function.
Vesselin Bontchev has written a paper originally delivered at the 1994 EICAR conference, titled Are
"Good" Computer Viruses Still a Bad Idea?. The paper covers all aspects of the topic. As of this
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip
Lest you think others have not been thinking about this, here are some of the proposals (from the
above-referenced paper) for a good virus that have not worked out:
• The "Anti-Virus" Virus. Several people have had the idea to develop an "anti-virus" virus;
a virus which would be able to locate other (presumably malicious) computer viruses and
remove them.
• The "File Compressor" Virus. This is one of the oldest ideas for "beneficial" viruses. The
idea consists of creating a self-replicating program, which will compress the files it infects,
sector virus, which encrypts the disks it infects with a strong encryption algorithm (IDEA in
this particular case) and a user-supplied password to ensure the privacy of the user's data.
• The "Maintenance" Virus. The idea consists of a self-contained program, which spawns
copies of itself across the different machines in a network (thus acting more like a worm)
and performing some maintenance tasks on those machines (like deleting temporary files).
All of the above viruses fail one or more of the standard measures typically used to judge if a virus
• Technical Reasons
o Lack of Control. Once released, the person who has released a computer virus
between "good" and "bad" viruses will be much easier. Many people are relying on
o Resource Wasting. A computer virus eats up disk space, CPU time, and memory
themselves at runtime.
other people's data without their authorization. In many countries this is also
illegal.
o Copyright and Ownership Problems. In many cases, modifying a particular
program could mean that copyright, ownership, or at least technical support rights
activities and to claim that they are actually doing some kind of "research."
• Psychological Reasons
o Trust Problems. Users like to think that they have full control on what is
o Negative Common Meaning. For most people, the word "computer virus" is
Summary
• While frequently discussed, the general consensus is that there is no task that requires a
virus.
Back in the dim mists of time, most virus writers were people who just wanted to test the system
and push the envelope. They delighted in finding a way to insert their code into places where others
might not find it and held contests of sorts to see who could do what the fastest during various
conferences.
Another common reason for writing viruses was to "punish" users for some perceived infraction. The
Brain virus, for example, was said to have been written to punish users of illegal copies of software
(software pirates). Users could become legitimate by contacting Brain Computer Services for help.
The early virus writer Dark Avenger, in an interview with Sarah Gordon , put it this way:
The innocent users would be much less affected if they bought all the software they used (and from
an authorized dealer) and if they used it in the way they are allowed to by the license agreement. If
somebody instead of working plays pirated computer games all day long, then it's quite likely that
at some point they will get a virus. ... Besides, viruses would spread much less if the 'innocent
users' did not steal software, and if they worked a bit more at the workplace, instead of playing
games.
With the advent of virus writing kits more people entered into the picture. These were largely the
bored who had too much time on their hands and decided to spend it making and distributing
viruses just for the heck of it. Many of these people could not actually program one if they had to;
they just used the kits and put in different parameters and then sent whatever came out on their
way in the hope of getting their name ("handle" actually -- a person's true name on a virus caused
This sort of activity expanded as the virus and worm and Trojan world expanded and script worms
became common. Indeed, the term "script kiddie " was more or less coined during this time to
indicate someone who would just take an existing script worm, modify a small part of it, and then
As spyware and adware started to appear motives started to change. Money started to enter into
the picture.
First came botnets; networks of worms/viruses or Trojans designed to sit on a system and wait for a
central command to do something, maybe crash the system(s) they were installed on. Then, the
botnets evolved; or, at least, their purpose evolved. The botnet creators realized that they could
use the botnets to make the infected computers send out spam. Since spammers would pay to send
out spam money started to enter into the equation. The botnets were sending out messages based
on the infected users computers' stored address lists so the spammers had an automatic source of
valid E-mail addresses and a possible way to get through blacklists because they could put the
infected user's return address on the E-mail and the receiver might very well have that user
whitelisted. So, the spammer got what they wanted and the botnet creators started to get paid.
Once money came into the game, however, so did crime. Trojans were developed to quickly infect
users and then sent out in the spam so the new users would not only get spam but if they
responded they would be infected by the Trojan as well. Scripts and Windows/Internet Explorer
holes made this form of malware even easier to send to and infect others who might not have
updated their computer system recently. The use of social engineering to make these message
The malware sent evolved as well. Newer malware tended toward collecting information from
systems instead of crashing them or destroying data. This stolen data became even more valuable
to criminals than just the fact that spam was getting through. Identity theft based on the stolen
Some of this malware is designed to target specific banks in specific countries and is quite
professional looking. And, it's not limited to crimes of identity theft for banking purposes; some
malware targets the massively multiplayer on-line games. Why target games? Because once you
steal someone's credentials in such a game you can pretend to be that person and sell virtual items
to other players. The games have become so popular that virtual items are going for large prices (a
virtual space station went for $100,000 if you can believe that). Of course, the person doing the
buying is getting scammed and the person who's credentials have been stolen gets the blame. The
Rootkit installation to do the data collection is one of the newer threats and promises to increase
the revenue of the criminal groups behind some of the latest attacks.
Peer-to-peer networking is also a target as that allows massive data to be moved. Criminals need to
do that efficiently and anonymously and that's exactly what P2P networks do.
Summary
• The first malware came from people who basically wanted to push the envelope with the
system at hand.
• Later malware came from so-called script kiddies who took advantage of other people's
malware game.
• Eventually, criminal groups started to generate the malware in order to make more money
for their activities and can be expected to continue for the purpose of moving information.
Hardware Threats
Hardware problems are all too common. We all know that when a PC or disk gets old, it might start
acting erratically and damage some data before it totally dies. Unfortunately, hardware errors
frequently damage data on even young PCs and disks. Here are some examples.
Power Faults
Your PC is busy writing data to the disk and the lights go out! "Arghhhh!" Is everything OK? Maybe
so, maybe not; it's vital to know for sure if anything was damaged.
Other power problems of a similar nature would include brownouts, voltage spikes, and frequency
shifts. All can cause data problems, particularly if they occur when data is being written to disk
(data in memory generally does not get corrupted by power problems; it just gets erased if the
extraordinary drain on the power system. Frequently you will see a brownout during a heat
wave when more people than normal have air conditioners on full. Sometimes these power
shortages will be "rolling" across the area giving everyone a temporary brownout. Maybe
you'll get yours just as that important file is being written to disk.
• Voltage Spikes: Temporary voltage increases are fairly common. Large motors or circuit
breakers in industry can put them on the electrical line. Sudden losses (e.g., a driver hits a
power pole) can causes spikes as the circuits balance. An appliance in your home can cause
a spike, particularly with older wiring. Lightning can put large spikes on power lines. And,
the list goes on. In addition to current backups and integrity information for your software
and data files, including a hardware voltage spike protection device between the wall and
your computer hardware (don't forget the printer and monitor) can be very helpful.
• Frequency Shifts: While infrequent, if the line frequency varies from the normal 60 Hertz
(or 50 Hertz in some countries), the power supply on the computer can be affected and
this, in turn, can reflect back into the computer causing data loss.
Age
It's not magic; as computers age they tend to fail more often. Electronic components are stressed
over time as they heat up and cool down. Mechanical components simply wear out. Some of these
failures will be dramatic; something will just stop working. Some, however, can be slow and not
obvious. Regrettably, it's not a question of "if", but "when" in regard to equipment failure.
Incompatibilities
You can have hardware problems on a perfectly healthy PC if you have devices installed that do not
properly share interrupts. Sometimes problems are immediately obvious, other times they are
subtle and depend upon certain events to happen at just the wrong time, then suddenly strange
Solution: Make a really good backup before installing anything (hardware or software) so you can
revert the system back to a stable state should something crop up.
Finger Faults
These are an all too frequent cause of data corruption. This commonly happens when you are
intending to delete or replace one file but actually get another. By using wild cards, you may
experience a really "wild" time. "Hmmm I thought I deleted all the *.BAK files; but they're still here;
something was deleted; what was it? Or was I in the other directory?" Of course if you're a
programmer or if you use sophisticated tools like a sector editor, then your fingers can really get
Another finger fault problem arises with touchpads below the space bar on notebook computers. It's
very easy to brush the touchpad when you are typing away and suddenly find yourself entering
characters in a screen location very different from where you were before you touched the pad.
Solution: Be careful and look up now and again to make certain your cursor is where you want it.
Someone may accidentally or deliberately delete or change a file on your PC when you're not
around. If you don't keep your PC locked in a safe, then this is a risk. Who knows what was
changed or deleted? Wouldn't it be nice to know if anything changed over the weekend? Most of this
type of damage is done unintentionally by someone you probably know. This person didn't mean to
cause trouble; they simply didn't know what they were doing when they used your PC.
Solution: Never run the computer as an administrative user and have guest accounts available for
Typhoid Mary
One possible source for computer infections is the Customer Engineer (CE), or repairman. When a
CE comes for a service call, they will almost always run a diagnostic program from diskette. It's
very easy for these diskettes to become infected and spread the infection to your computer. Sales
representatives showing demonstrations via floppy disks are also possibly spreading viruses. Always
check your system after other people have placed their floppy disk into it. (Better yet, if you can,
check their disk with up-to-date anti-virus software before anything is run.)
Solution: Insist on testing their disk before use or make certain they've used an up-to-date anti-
Magnetic Zaps
Computer data is generally stored as a series of magnetic changes on disks. While hard disks are
generally safe from most magnetic threats because they are encased within the computer
compartment, floppy disks are highly vulnerable to magnets. The obvious threat would be to post a
floppy disk to the refrigerator with a magnet; but there are many other, more subtle, threats.
• Computer Monitor. Don't put floppy disks anywhere near the monitor; it generates a
magnetic field.
• Telephone. When ringing, telephones (particularly older phones with a bell) generate a
magnetic field.
• Bottom Desk Drawer. While the desk drawer does not generate a magnetic field, the
vacuum cleaner that the maintenance people slide under the desk to clean the floor does.
• Bottom Bookcase Shelf and File Cabinet Drawer. Same comment as the desk drawer
just above.
• Pets. Pet fur generates a strong electrostatic charge which, if discharged through a disk,
can affect files on the disk. Instead of "The dog ate my homework," today it could just as
easily be: "The cat sat on my homework." (I once had a student where this exact problem
happened; a cat sat on her floppy disk and static wiped out the data on the disk.)
Solution: Stay away from magnets or sources of static of all kinds when working with a computer.
Bottom line: There are tools to assist in recovery from disk problems, but how do you know all the
data is OK? These tools do not always recover good copies of the original files. Active action on your
part before disaster strikes is your best defense. It's best to have a good, current backup and, for
• There are many different kinds of hardware threats to your data. Some include:
o Power faults
o Age
o Equipment incompatibilities
o Typos
• Active action on your part can help you identify problems and, perhaps, head them off
early.
Back in the dim mists of time, most virus writers were people who just wanted to test the system
and push the envelope. They delighted in finding a way to insert their code into places where others
might not find it and held contests of sorts to see who could do what the fastest during various
conferences.
Another common reason for writing viruses was to "punish" users for some perceived infraction. The
Brain virus, for example, was said to have been written to punish users of illegal copies of software
(software pirates). Users could become legitimate by contacting Brain Computer Services for help.
The early virus writer Dark Avenger, in an interview with Sarah Gordon , put it this way:
The innocent users would be much less affected if they bought all the software they used (and from
an authorized dealer) and if they used it in the way they are allowed to by the license agreement. If
somebody instead of working plays pirated computer games all day long, then it's quite likely that
at some point they will get a virus. ... Besides, viruses would spread much less if the 'innocent
users' did not steal software, and if they worked a bit more at the workplace, instead of playing
games.
With the advent of virus writing kits more people entered into the picture. These were largely the
bored who had too much time on their hands and decided to spend it making and distributing
viruses just for the heck of it. Many of these people could not actually program one if they had to;
they just used the kits and put in different parameters and then sent whatever came out on their
way in the hope of getting their name ("handle" actually -- a person's true name on a virus caused
This sort of activity expanded as the virus and worm and Trojan world expanded and script worms
became common. Indeed, the term "script kiddie " was more or less coined during this time to
indicate someone who would just take an existing script worm, modify a small part of it, and then
As spyware and adware started to appear motives started to change. Money started to enter into
the picture.
First came botnets; networks of worms/viruses or Trojans designed to sit on a system and wait for a
central command to do something, maybe crash the system(s) they were installed on. Then, the
botnets evolved; or, at least, their purpose evolved. The botnet creators realized that they could
use the botnets to make the infected computers send out spam. Since spammers would pay to send
out spam money started to enter into the equation. The botnets were sending out messages based
on the infected users computers' stored address lists so the spammers had an automatic source of
valid E-mail addresses and a possible way to get through blacklists because they could put the
infected user's return address on the E-mail and the receiver might very well have that user
whitelisted. So, the spammer got what they wanted and the botnet creators started to get paid.
Once money came into the game, however, so did crime. Trojans were developed to quickly infect
users and then sent out in the spam so the new users would not only get spam but if they
responded they would be infected by the Trojan as well. Scripts and Windows/Internet Explorer
holes made this form of malware even easier to send to and infect others who might not have
updated their computer system recently. The use of social engineering to make these message
The malware sent evolved as well. Newer malware tended toward collecting information from
systems instead of crashing them or destroying data. This stolen data became even more valuable
to criminals than just the fact that spam was getting through. Identity theft based on the stolen
Some of this malware is designed to target specific banks in specific countries and is quite
professional looking. And, it's not limited to crimes of identity theft for banking purposes; some
malware targets the massively multiplayer on-line games. Why target games? Because once you
steal someone's credentials in such a game you can pretend to be that person and sell virtual items
to other players. The games have become so popular that virtual items are going for large prices (a
virtual space station went for $100,000 if you can believe that). Of course, the person doing the
buying is getting scammed and the person who's credentials have been stolen gets the blame. The
Rootkit installation to do the data collection is one of the newer threats and promises to increase
the revenue of the criminal groups behind some of the latest attacks.
Peer-to-peer networking is also a target as that allows massive data to be moved. Criminals need to
do that efficiently and anonymously and that's exactly what P2P networks do.
Summary
• The first malware came from people who basically wanted to push the envelope with the
system at hand.
• Later malware came from so-called script kiddies who took advantage of other people's
• Botnets were created and their potential to raise money brought other elements into the
malware game.
• Eventually, criminal groups started to generate the malware in order to make more money
for their activities and can be expected to continue for the purpose of moving information.
COMPUTER VIRUSES
Computers can do anything: from running spreadsheets, word processors, power stations to
music synthesizers and missile control systems. And because computers can do anything, they
can in particular run viruses and any other nasty software. Of course viruses aren’t the only way
computer systems can go wrong: you can have your computer stolen; you might simply have a
disc crash or some other hardware fault. None of these problems are predictable.
However, viruses are unique in their abilities. They can stop many computers at once: this
would be much more serious for a small company than ‘normal’ faults that affect only one PC at a
time. Thus, viruses rank with hazards like power cuts and fire in their effect and speed of action.
Worse than fire, you may find that you cannot take your work elsewhere, for if you did you
might simply take the virus infection with you and bring more systems down too! Secondly,
viruses can spread disinformation and bring disrepute to individuals or organisations: viruses
may send malicious email apparently on behalf of the person whose computer has been infected.
Normal information management precautions, such as taking backups, can be of considerable
help in avoiding and recovering after virus attacks. (But you may also have backed up your
viruses.)
Definition A computer virus is a piece of program code that attaches copies of itself to other
programs, incorporating itself into them so that the modified programs, while still possibly
performing their intended function, surreptitiously do other things. Programs so corrupted seek
others to which to attach the virus, and so the “infection” spreads. Successful viruses lie low until
they have thoroughly infiltrated the system, and only reveal their presence when they cause
damage. The effect of a virus is rarely traceable back to its originator, so viruses make attractive
weapons for vandals.
Computer viruses generally work by altering files that contain otherwise harmless programs.
This is infection. When an infected program is invoked, it seeks other programs stored in files to
which it has write permission, and infects them by modifying the files to include a copy of itself
(replication) and inserting an instruction to branch to that code at the old program’s starting point.
Then the virus starts up the original program so that the user is unaware of its intervention. (The
exact details vary from virus to virus.)
A virus can spread when information is shared: on a multi-user system with shared disk
facilities, or on a PC where users download programs from bulletin boards, or if they share
floppy disks or other exchangeable media. Email is an common vector, especially when powerful
email programs run arbitrary programs ‘to be helpful’ — but which turn out to be able to run
viruses.
If person A executes one of person B’s programs (or programs embedded in email, etc) that is
infected, A’s programs and files risk becoming infected, since programs that A invokes normally
have permission to alter A’s own files. Even when they never execute one another’s programs,
infection can spread from A to B through an intermediary. In practice, it is hard to guard against
infection in an environment that encourages program (data or email…) sharing. Even in an
isolated personal computer environment, viruses easily spread from one floppy disk to another
once having infiltrated the system.
Many applications interpret their data in some way as programs. Spreadsheets, email
programs, and word processors typically have “macro programs,” such as Visual Basic, to
provide extra functionality. Viruses can therefore infect even the data which is handled by such
applications. Viruses can be spread, then, by users sharing a word processor or spreadsheet file: it
is not necessary to share a ‘program’ as such.
Other Malicious Programs The term “virus” is a popular catch-all for other kinds of malicious
software. A logic bomb or time bomb is a destructive program activated by a certain combination of
circumstances, or on a certain date. A Trojan horse is any bug inserted into a computer program
1
that takes advantage of the trusted status of its host by surreptitiously performing unintended
functions. A worm is a distributed program that invades computers on a network. It consists of
several processes or “segments” that keep in touch through the network; when one is lost (e.g.,
by a server being rebooted), the others conspire to replace it on another server — they search for
an ‘idle’ server, load it with copies of themselves. Like viruses, worms spread by replication;
unlike them, they may run as independent processes rather than as part of a host program.
It is unproductive to be pedantic over the precise terms; the main distinction is that viruses
replicate themselves, and Trojan horses explicitly deceive users. Of course, viruses may include
Trojan components, and often do.
To escape detection, viruses normally reside in compiled programs rather than as readable
source code and thus do not survive recompilation or re-installation of a back-up. Viruses in
scripting languages (e.g., Visual Basic) use encryption for the same reason: to try to conceal their
purpose from casual readers, and indeed from virus detection programs. Just as worms are
destroyed by simultaneously rebooting all affected machines, viruses are eradicated by
simultaneously recompiling all affected programs. However, under special circumstances a bug
can survive recompilation: in a compiler that is written in the language it compiles (a common
bootstrapping practice), it is possible to implant a bug that re-inserts itself into the binary code
whenever the compiler is recompiled. Such a bug need never be visible in source form.
History and Examples In 1962 V. A. Vyssotsky, a researcher at Bell Telephone Laboratories
(New Jersey), devised a game called Darwin, played on an IBM 7090 computer. The object of the
game was survival, for “species” of programs to fight it out in an arena set up in the 7090’s
memory. Successful programs would be able to make more copies of themselves, and perhaps go
on to take over the entire arena. The idea was taken up ten years later (Aleph Null, 1972), and
converted to run on other computers. Within the somewhat arbitrary rules of the game, Doug
McIlroy invented what he called a virus: an unkillable organism that could still fight.
The idea, though, of a maliciously self-propagating computer program originated in Gerrold’s
1972 novel When Harlie Was One, in which a program called telephone numbers at random until it
found other computers into which it could spread. Worms were also presaged in science fiction,
by Brunner’s 1975 novel The Shockwave Rider. The first published report of a worm program, done
in 1982 by Shoch and Hupp as an experiment in distributed computing, included a quotation
from this book.
The idea of self-replication and viral ideas was explored by Douglas Hofstadter (1983), partly
taking up the ideas of Richard Dawkin’s memes: ideas that persist (like genes) because they
replicate (Dawkins, 1976). Hofstadter claimed the ideas of self-reproducing ideas could be traced
back to 1952. The Scientific American published Hofstadter’s articles, but was probably first to
popularise viruses in the computer sense with Dewdney’s series of articles on a game called
corewars (over the period 1984–87). Corewars is a game where players wrote attacking programs,
not unlike today’s viruses in theory, but the programs all ran within corewars rather than
running wild on a PC unrestricted.
The first actual virus program seems to have been created in 1983, as the result of a discussion
in a computer security seminar, and described at the AFIPS Computer Security Conference the
following year.
It is interesting that when Roberto Cerruti and Marco Morocutti read Dewdney’s corewars
articles they thought out how to write a virus for the Apple II computer, and considered
installing a disc at the biggest computer shop in Bresica (Italy) to cause an epidemic in their home
city. They thought that a ‘real’ epidemic had to be malignant, and that after 16 reproductive
cycles they would have the virus reinitialise (erase) discs. Having realised how devious their idea
was they decided not to do it, but instead told the world via Dewdney’s column in the Scientific
American.
Dewdney went on to consider spreading advertising copy by virus: the infected computer
could display irritating messages in commercial breaks! “It’s time you got DISC DOCTOR,
available at a store near you.” The idea of using virus-like mechanisms for information
dissemination was later pursued by Thimbleby and Witten (1990) in a system called Liveware.
In 1984 Ken Thompson, in his Turing Award Lecture, showed how a self-replicating bug can
infest a compiler or other language processor and become completely invisible — an idea
mentioned above.
Real virus attacks were not reported until a few years thereafter, and so far have been more in
the nature of electronic vandalism than serious subversion. One of the first occurred in late 1987
2
when, over a two-month period, a virus quietly insinuated itself into IBM-PC programs at a
Jerusalem university. It was noticed because it caused programs to grow longer (due to a bug, it
repeatedly reinfected files). Once discovered, it was analysed and an antidote devised. It was
designed to slow processors down on certain Fridays, and to erase all files on Friday, 13 May.
At about the same time, another PC virus invaded Lehigh University, and a much-publicised
“chain letter” Christmas message spread itself by self-replication, clogging the Bitnet network.
The latter was eradicated only by a massive network shutdown. Early 1988 saw a relatively
harmless Macintosh virus designed to distribute a “message of peace,” and a number of other
viruses appeared for this and other PCs. By that time talk about viruses had invaded the news
media.
At 9pm on 2 November 1988, a worm program was inserted into the Internet computer
network by Cornell graduate student Robert Morris, Jr. It exploited several security flaws in
systems running Unix to spread itself from system to system. Although discovered within hours,
it required a huge effort (estimated at 5,000 hours and $200,000) by programmers at affected sites
to counteract and eliminate it over a period of weeks. It was unmasked by a bug: under some
circumstances it replicated itself so fast that it seriously slowed down the infected host. On 21
January 1990, Morris was convicted and in May 1990 he was sentenced to three years probation
and fined $10,000. In addition, he was ordered to perform 400 hours of community service.
On 6 March 1992, the Michelangelo virus (so named because 6 March is Michelangelo’s
birthday), although widely heralded as a worldwide threat to computer systems, actually did
little damage.
Viruses now have no distinct identity, but (typically) “mutate” each time they copy
themselves to other files. This, combined with various cryptographic techinques, makes modern
viruses difficult to detect. Some viruses have “stealth” code, and behave differently when a user
attempts to detect them. False alarms have become an increasing problem, particularly with users
sending “chain email” warning about supposed virus problems; ironically, the panic may cause
more problems than the viruses it warns about!
Email has become a popular way to distribute viruses, because powerful commercial email
packages (e.g., Microsoft Outlook) are themselves programmable — and users often configure
email systems to ‘helpfully’ run programs automatically! If it doesn’t happen automatically, the
virus mail typically tricks the user into running its program, which then reads the user’s email
address list and mails out further copies of itself to the user’s contacts. Once installed, the payload
part of the virus may do nasty or innocuous things, depending on the whim of the virus writer,
such as deleting files on a specific date.
Viruses are not difficult to develop, and many ‘virus construction kits’ are readily available on
the internet. Many viruses are simple variants of others, indicating that virus writers are often
unimaginative — but no less dangerous for that.
Computer viruses and real viruses Despite their similarities, computer viruses do not behave
like biological viruses. For example, Koch’s Postulates (which apply to biological agents; cf.
Thimbleby, Anderson & Cairns, 1999) are irrelevant. Computer viruses are purely conceptual,
and indeed the equivalent of computer viruses for the human mind — as opposed to digital
computers — are called memes. Memes are potentially either good or bad, but for any supposedly
‘good’ computer virus there is always a far better way of achieving the same ends without using
a virus (and without the risk of giving a vandal a virus model to copy and subvert).
Computer viruses have stimulated the research field of “artificial life,” the study of what non-
carbon based life might be like, and of course mostly life as simulated on computer. In contrast to
viruses, which are destructive, artificial life has a positive outlook! See Thimbleby, Witten and
Pullinger (1995) for a review of the differences, which are beyond the scope of these notes.
Defences The obvious, but generally impractical, defence against viruses is never to use
anyone else’s software and never to connect with anyone else’s computer — assuming you could
guarantee that the computer never had an infection to start with. One can achieve this using
cryptographic techniques. Another defence is to implement a check in the operating system that
queries users whenever a program they have invoked attempts to write to disk. In practice,
however, this imposes an intolerable burden because users do not generally know what files their
software does legitimately. Given a particular virus, one can write an antibody program that
spreads itself in the same way, removing the original virus from infected programs, and
ultimately removing itself too. However, this approach cannot protect against viruses in general,
since it is not possible to tell whether a particular piece of code is a virus or not — worse, some
3
such antibodies have been ‘hijacked’ by virus writers and been turned to be destructive. There is
at least one example of a virus writer (belatedly) releasing anti viral software to detect his own
virus: Vaxene was an anonymous program to detect Scores infections (which it did not do very
well) but it claims to have been written by the Scores author.
Digital signatures can help prevent the corruption of files. Each file as it is written is sealed by
attaching an encrypted checksum. Also, before it is used, the checksum is decrypted and checked
against the file’s actual checksum. Such a scheme may engender unacceptable overhead,
however, in the logicistics of handling encryption keys. Moreover, it also assumes that the file is
not infected before it is signed, and that the checking system itself has not been compromised (e.g.,
by a Trojan horse).
A practical approach is to regularly (or continuously) run programs that recognise (enough)
viruses, and which try to eliminate virus infections before they do too much damage. Because
new viruses are being devised every day, it is important to keep detection programs up to date
(e.g., by regular subscription from a reputable company), and to minimise risky procedures (e.g.,
sharing information as infrequently as possible).
All approaches are trade-offs. The only real hope is eternal vigilance on the part of users, and,
above all, education of users to the possible consequences of their actions.
Theoretical problems The basic problem of detecting a virus (or Trojan) is that there are an
infinite number of ways of getting a computer to do anything. Consider printing the number 5.
You could ask the computer to print 5, or 4+1, or 3+2, or 100–95, or 10sin(π/6). Only the first few
of these alternatives is readily recognisable as printing 5; and, as the last example shows, you can
make recognition that the program prints 5 as difficult as you wish.
So, even supposing that there was exactly one sort of virus, there would still be an infinite
number of ways of doing the same nasty work — and most of those ways would be
unrecognisable. In fact, there are an infinite number of ways in which viruses might work, and
each of these ways can itself be expressed in an infinite number of ways. Actual viruses don’t
really take advantage of the infinite possibilities, and in fact it would not be possible to do so!
Advice Be very careful opening unsolicited email with attachments, especially if you are using
Microsoft Outlook or similar programmable products. Never download software from web sites
unless you have antivirus software to check it. Your organisation should have policies,
including the following points:
Have ʻfire drillsʼ
If your organisational rules permit it, run ‘fire drills’ where you simulate the impact of a virus
(or other computer problems).
Awareness
Just as you wouldn’t share food (goodness knows what diseases you might catch!) with
someone you don’t know very well, don’t share programs (files, emails…). Just as you wouldn’t
eat food you found lying on the ground, don’t run any old program that comes your way.
Disable all automatic programs, such as automatically running email attachments. And so on!
Remember: computer viruses work very much like real viruses.
Use more than one hardware platform
If you have the resources, one of the best protections against total disaster is to use several
different sorts of computer (for instance, PCs and Macintoshes). In many cases you will be able to
run compatible software on a range of equipment (if your software is so good then it should be
available on many machines). Very few viruses can migrate from one machine type to another,
though some viruses embedded in (for example) spreadsheet files may be able to if you are
running the same spreadsheet package on different systems.
4
A virus reproduces, usually without your permission or
knowledge. In general terms they have an infection phase
where they reproduce widely and an attack phase where
they do whatever damage they are programmed to do (if
any). There are a large number of virus types.
Viruses are a cause of much confusion and a target of considerable misinformation even from some
You could probably also say that the virus must do this without the permission or knowledge of the
user, but that's not a vital distinction for purposes of our discussion here. We are using a broad
An obvious example of an executable file would be a program (COM or EXE file) or an overlay or
library file used by an EXE file. Less obvious, but just as critical, would be the macro portion of what
you might generally consider to be a data file (e.g., a Microsoft Word document). It's important to
also realize that the system sectors on either a hard or floppy disk contain executable code that can
be infected--even those on a data disk. More recently, scripts written for Internet Web sites and/or
To attach might mean physically adding to the end of a file, inserting into the middle of a file, or
simply placing a pointer to a different location on the disk somewhere where the virus can find it.
Most viruses do their job by placing self-replicating code in other programs, so that when those
other programs are executed, even more programs are infected with the self-replicating code. This
self-replicating code, when triggered by some event, may do a potentially harmful act to your
computer.
Another way of looking at viruses is to consider them to be programs written to create copies of
themselves. These programs attach these copies onto host programs (infecting these programs).
When one of these hosts is executed, the virus code (which was attached to the host) executes, and
Similar to viruses, you can also find malicious code in Trojan Horses, worms, and logic bombs. Often
the characteristics of both a virus and a worm can be found in the same beast; confusing the issue
even further.
Note: The balance between viruses, worms, and Trojan Horses changes from time to time. In the
early days of such malware viruses tended to dominate. Various macro viruses/worms appeared
later as the dominate form and by around 2005 or so Trojan Horses started to be more prominent
Before looking at specific virus types you might also want to consider the following general
discussions:
Virus Behavior
Viruses need time to infect. Not all viruses attack, but all use system resources and often have
bugs.
Viruses come in a great many different forms, but they all potentially have two phases to their
Infection Phase
When the virus executes it has the potential to infect other programs. What's often not clearly
understood is precisely when it will infect the other programs. Some viruses infect other programs
each time they are executed; other viruses infect only upon a certain trigger. This trigger could be
anything; a day or time, an external event on your PC, a counter within the virus, etc. Virus writers
want their programs to spread as far as possible before anyone notices them.
It is a serious mistake to execute a program a few times - find nothing infected and presume there
are no viruses in the program. You can never be sure the virus simply hasn't yet triggered its
infection phase.
Many viruses go resident in the memory of your PC in the same or similar way as terminate and
stay resident (TSR) programs. (For those not old enough to remember TSRs, they were programs
that executed under DOS but stayed in memory instead of ending.) This means the virus can wait
for some external event before it infects additional programs. The virus may silently lurk in memory
waiting for you to access a diskette, copy a file, or execute a program, before it infects anything.
This makes viruses more difficult to analyze since it's hard to guess what trigger condition they use
On older systems, standard (640K) memory is not the only memory vulnerable to viruses. It is
possible to construct a virus which will locate itself in upper memory (the space between 640K and
1M) or in the High Memory Area (the small space between 1024K and 1088K). And, under Windows,
Resident viruses frequently take over portions of the system software on the PC to hide their
existence. This technique is called stealth. Polymorphic techniques also help viruses to infect yet
avoid detection.
Note that worms often take the opposite approach and spread as fast as possible. While this makes
their detection virtually certain, it also has the effect of bringing down networks and denying
Attack Phase
Many viruses do unpleasant things such as deleting files or changing random data on your disk,
simulating typos or merely slowing your PC down; some viruses do less harmful things such as
playing music or creating messages or animation on your screen. Just as the infection phase can be
triggered by some event, the attack phase also has its own trigger.
Does this mean a virus without an attack phase is benign? No. Many viruses have bugs in them and
these bugs often cause unintended negative side effects. In addition, even if the virus is perfect, it
still steals system resources. (Also, see the "good" virus discussion.)
Viruses often delay revealing their presence by launching their attack only after they have had
ample opportunity to spread. This means the attack could be delayed for days, weeks, months, or
The attack phase is optional, many viruses simply reproduce and have no trigger for an attack
phase. Does this mean that these are "good" viruses? No! Anything that writes itself to your disk
without your permission is stealing storage and CPU cycles. (Also see the "good" virus discussion.)
This is made worse since viruses that "just infect," with no attack phase, often damage the
programs or disks they infect. This is not an intentional act of the virus, but simply a result of the
An an example, one of the most common past viruses, Stoned, is not intentionally harmful.
Unfortunately, the author did not anticipate the use of anything other than 360K floppy disks. The
original virus tried to hide its own code in an area of 1.2MB diskettes that resulted in corruption of
the entire diskette (this bug was fixed in later versions of the virus).
Number of Viruses
margin). Estimates of exactly how many there are vary widely and the number is constantly
growing.
In 1990, estimates ranged from 200 to 500; then in 1991 estimates ranged from 600 to 1,000
different viruses. In late 1992, estimates were ranging from 1,000 to 2,300 viruses. In mid-1994,
the numbers vary from 4,500 to over 7,500 viruses. In 1996 the number climbed over 10,000.
1998 saw 20,000 and 2000 topped 50,000. It's easy to say there are more now. Indeed, in April
2008, the BBC reported that Symantec now claims "that the security firm's anti-virus programs
detect to 1,122,311" viruses and that "almost two thirds of all malicious code threats currently
The confusion exists partly because it's difficult to agree on how to count viruses. New viruses
frequently arise from someone taking an existing virus that does something like put a message out
on your screen saying: "Your PC is now stoned" and changing it to say something like "Donald Duck
is a lie!". Is this a new virus? Most experts say yes. But, this is a trivial change that can be done in
More confusion arises with some companies counting viruses+worms+Trojans as a unit and some
not.
Another problem comes from viruses that try to conceal themselves from scanners by mutating. In
other words, every time the virus infects another file, it will try to use a different version of itself.
One example, the Whale (an early, huge, clumsy 10,000 byte virus), creates 33 different versions
of itself when it infects files. At least one vendor counted this as 33 different viruses on their list.
Many of the large number of viruses known to exist have not been detected in the wild but probably
David M. Chess of IBM's High Integrity Computing Laboratory reported in the November 1991 Virus
Bulletin that "about 30 different viruses and variants account for nearly all of the actual infections
that we see in day-to-day operation." In late 2007, about 580 different viruses, worms, and Trojans
(and some of these are members of a single family) account for all the virus-related malware that
actually spread in the wild. To keep track visit the Wildlist , a list which reports virus sightings.
How can there be so few viruses active when some experts report such high numbers? This is
probably because most viruses are poorly written and cannot spread at all or cannot spread without
betraying their presence. Although the actual number of viruses will probably continue to be hotly
debated, what is clear is that the total number of viruses is increasing, although the active viruses
Summary
• Only a small percentage of this total number account for those viruses found in the wild,
What's in a name? When it comes to viruses it's a matter of identification to the general public. An
anti-virus program does not really need the name of a virus as it identifies it by its characteristics.
But, while giving a virus a name helps the public at large it also serves to confuse them since the
names given to a particular beast can differ from anti-virus maker to anti-virus maker.
How? Why? Much as they would like to, the virus writers do not get to name their beasts. Some
have tried by putting obvious text into the virus but most of the anti-virus companies tend to ignore
such text (mostly to spite the virus writers ). And, any virus writer that insists on a particular
name has to identify themselves in the process--something they usually don't want to do. So, the
anti-virus companies control the virus naming process. But, that leads to the naming problem.
Viruses come into various anti-virus companies around the world at various times and by various
means. Each company analyzes the virus and assigns a name to it for tracking purposes. While
there is cooperation between companies when new viruses are identified, that cooperation often
takes a back seat to getting a product update out the door so the anti-virus company's customers
are protected. This delay allows alternate names to enter the market. Over time these are often
standardized or, at least, cross-referenced in listings; but that does not help when the beast makes
This problem/confusion will continue. One practical and well documented example of how it affects a
real-world virus listing can be seen at the WildList site on the page...
http://www.wildlist.org/naming.htm
One attempt at bringing some order to the naming problem is Ian Whalley's VGrep [registration
required to view page]. VGrep attempts to collect all of the various virus names and then correlates
them into a single searchable list. While useful, there is, again, the lag time necessary to collect and
Another attempt is the database at VirusPool which "...tries to put information from all known
infections and antivirus creators into one place so you can compare names and results." I wish them
A new site to try to correlate malware names: CME - Common Malware Enumeration. CME
provides single, common identifiers to new virus threats to reduce public confusion during malware
outbreaks. CME is not an attempt to solve the challenges involved with naming schemes for viruses
and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing
Finally, some vendors have largely given up with naming specific malware and resorting to generic
names for the type of malware (e.g., Troj/Agent). The malware is being generated faster than the
naming system can reasonably keep up. Look for this to probably continue. Of course, this will then
mean changes to the specific methods of disinfection as you would no longer be able to download a
specific disinfector for a named beast. Time will tell how this develops.
Summary
• Virus naming is a function of the anti-virus companies. This results in different names for
new viruses.
• Different names can cause confusion for the public but not anti-virus software which looks
While serious if you have one, viruses are only one way
your data can be damaged. You must be prepared for all
threats; many of which are more likely to strike than
viruses.
It's important to keep viruses in perspective. There are many other threats to your programs and
data that are much more likely to harm you than viruses. A well known anti-virus researcher once
said that you have more to fear from a cup of coffee (which may spill) than from viruses. While the
growth in number of viruses, the introduction of the Microsoft Word macro viruses, VisualBasic
Script worms, and socially-engineered Trojans now puts this statement into question (even though
you can avoid these by just not clicking on them to open them!), it's still clear that there are many
dangerous occurrences of data corruption from causes other than from viruses.
So, does this mean that viruses are nothing to worry about? Emphatically, no! It just means that
it's foolish to spend much money and time on addressing the threat of viruses if you've done
nothing about the other more likely threats to your files. Because viruses and worms are
deliberately written to invade and possibly damage your PC, they are the most difficult threat to
guard against. It's pretty easy to understand the threat that disk failure represents and what to do
about it (although surprisingly few people even address this threat). The threat of viruses is really
no different; lost concentration or a zero-day attack can give you the same kind of problem a lost
hard drive can. There are no "cures" for the virus problem. One just has to take protective steps
with anti-virus software and use common sense when dealing with unknown files and Web links.
Summary
• While viruses are a serious threat, there are other, probably more serious, threats to your
data.
• If you have not taken precautions (e.g., regular backup) against general threats you have
By definition, viruses do not have to do something bad. An early (and current) virus researcher,
Fred Cohen, has argued that good computer viruses are a serious possibility. In fact, he has offered
a reward of $1,000 for the first clearly useful virus; but, he hasn't paid yet.
Most researchers, however, take the other side and argue that the use of self-replicating programs
are never necessary; the task that needs to be performed can just as easily be done without the
replication function.
Vesselin Bontchev has written a paper originally delivered at the 1994 EICAR conference, titled Are
"Good" Computer Viruses Still a Bad Idea?. The paper covers all aspects of the topic. As of this
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip
Lest you think others have not been thinking about this, here are some of the proposals (from the
above-referenced paper) for a good virus that have not worked out:
• The "Anti-Virus" Virus. Several people have had the idea to develop an "anti-virus" virus;
a virus which would be able to locate other (presumably malicious) computer viruses and
remove them.
• The "File Compressor" Virus. This is one of the oldest ideas for "beneficial" viruses. The
idea consists of creating a self-replicating program, which will compress the files it infects,
sector virus, which encrypts the disks it infects with a strong encryption algorithm (IDEA in
this particular case) and a user-supplied password to ensure the privacy of the user's data.
• The "Maintenance" Virus. The idea consists of a self-contained program, which spawns
copies of itself across the different machines in a network (thus acting more like a worm)
and performing some maintenance tasks on those machines (like deleting temporary files).
All of the above viruses fail one or more of the standard measures typically used to judge if a virus
• Technical Reasons
o Lack of Control. Once released, the person who has released a computer virus
between "good" and "bad" viruses will be much easier. Many people are relying on
o Resource Wasting. A computer virus eats up disk space, CPU time, and memory
themselves at runtime.
other people's data without their authorization. In many countries this is also
illegal.
o Copyright and Ownership Problems. In many cases, modifying a particular
program could mean that copyright, ownership, or at least technical support rights
activities and to claim that they are actually doing some kind of "research."
• Psychological Reasons
o Trust Problems. Users like to think that they have full control on what is
o Negative Common Meaning. For most people, the word "computer virus" is
Summary
• While frequently discussed, the general consensus is that there is no task that requires a
virus.
Back in the dim mists of time, most virus writers were people who just wanted to test the system
and push the envelope. They delighted in finding a way to insert their code into places where others
might not find it and held contests of sorts to see who could do what the fastest during various
conferences.
Another common reason for writing viruses was to "punish" users for some perceived infraction. The
Brain virus, for example, was said to have been written to punish users of illegal copies of software
(software pirates). Users could become legitimate by contacting Brain Computer Services for help.
The early virus writer Dark Avenger, in an interview with Sarah Gordon , put it this way:
The innocent users would be much less affected if they bought all the software they used (and from
an authorized dealer) and if they used it in the way they are allowed to by the license agreement. If
somebody instead of working plays pirated computer games all day long, then it's quite likely that
at some point they will get a virus. ... Besides, viruses would spread much less if the 'innocent
users' did not steal software, and if they worked a bit more at the workplace, instead of playing
games.
With the advent of virus writing kits more people entered into the picture. These were largely the
bored who had too much time on their hands and decided to spend it making and distributing
viruses just for the heck of it. Many of these people could not actually program one if they had to;
they just used the kits and put in different parameters and then sent whatever came out on their
way in the hope of getting their name ("handle" actually -- a person's true name on a virus caused
This sort of activity expanded as the virus and worm and Trojan world expanded and script worms
became common. Indeed, the term "script kiddie " was more or less coined during this time to
indicate someone who would just take an existing script worm, modify a small part of it, and then
As spyware and adware started to appear motives started to change. Money started to enter into
the picture.
First came botnets; networks of worms/viruses or Trojans designed to sit on a system and wait for a
central command to do something, maybe crash the system(s) they were installed on. Then, the
botnets evolved; or, at least, their purpose evolved. The botnet creators realized that they could
use the botnets to make the infected computers send out spam. Since spammers would pay to send
out spam money started to enter into the equation. The botnets were sending out messages based
on the infected users computers' stored address lists so the spammers had an automatic source of
valid E-mail addresses and a possible way to get through blacklists because they could put the
infected user's return address on the E-mail and the receiver might very well have that user
whitelisted. So, the spammer got what they wanted and the botnet creators started to get paid.
Once money came into the game, however, so did crime. Trojans were developed to quickly infect
users and then sent out in the spam so the new users would not only get spam but if they
responded they would be infected by the Trojan as well. Scripts and Windows/Internet Explorer
holes made this form of malware even easier to send to and infect others who might not have
updated their computer system recently. The use of social engineering to make these message
The malware sent evolved as well. Newer malware tended toward collecting information from
systems instead of crashing them or destroying data. This stolen data became even more valuable
to criminals than just the fact that spam was getting through. Identity theft based on the stolen
Some of this malware is designed to target specific banks in specific countries and is quite
professional looking. And, it's not limited to crimes of identity theft for banking purposes; some
malware targets the massively multiplayer on-line games. Why target games? Because once you
steal someone's credentials in such a game you can pretend to be that person and sell virtual items
to other players. The games have become so popular that virtual items are going for large prices (a
virtual space station went for $100,000 if you can believe that). Of course, the person doing the
buying is getting scammed and the person who's credentials have been stolen gets the blame. The
Rootkit installation to do the data collection is one of the newer threats and promises to increase
the revenue of the criminal groups behind some of the latest attacks.
Peer-to-peer networking is also a target as that allows massive data to be moved. Criminals need to
do that efficiently and anonymously and that's exactly what P2P networks do.
Summary
• The first malware came from people who basically wanted to push the envelope with the
system at hand.
• Later malware came from so-called script kiddies who took advantage of other people's
malware game.
• Eventually, criminal groups started to generate the malware in order to make more money
for their activities and can be expected to continue for the purpose of moving information.
Hardware Threats
Hardware problems are all too common. We all know that when a PC or disk gets old, it might start
acting erratically and damage some data before it totally dies. Unfortunately, hardware errors
frequently damage data on even young PCs and disks. Here are some examples.
Power Faults
Your PC is busy writing data to the disk and the lights go out! "Arghhhh!" Is everything OK? Maybe
so, maybe not; it's vital to know for sure if anything was damaged.
Other power problems of a similar nature would include brownouts, voltage spikes, and frequency
shifts. All can cause data problems, particularly if they occur when data is being written to disk
(data in memory generally does not get corrupted by power problems; it just gets erased if the
extraordinary drain on the power system. Frequently you will see a brownout during a heat
wave when more people than normal have air conditioners on full. Sometimes these power
shortages will be "rolling" across the area giving everyone a temporary brownout. Maybe
you'll get yours just as that important file is being written to disk.
• Voltage Spikes: Temporary voltage increases are fairly common. Large motors or circuit
breakers in industry can put them on the electrical line. Sudden losses (e.g., a driver hits a
power pole) can causes spikes as the circuits balance. An appliance in your home can cause
a spike, particularly with older wiring. Lightning can put large spikes on power lines. And,
the list goes on. In addition to current backups and integrity information for your software
and data files, including a hardware voltage spike protection device between the wall and
your computer hardware (don't forget the printer and monitor) can be very helpful.
• Frequency Shifts: While infrequent, if the line frequency varies from the normal 60 Hertz
(or 50 Hertz in some countries), the power supply on the computer can be affected and
this, in turn, can reflect back into the computer causing data loss.
Age
It's not magic; as computers age they tend to fail more often. Electronic components are stressed
over time as they heat up and cool down. Mechanical components simply wear out. Some of these
failures will be dramatic; something will just stop working. Some, however, can be slow and not
obvious. Regrettably, it's not a question of "if", but "when" in regard to equipment failure.
Incompatibilities
You can have hardware problems on a perfectly healthy PC if you have devices installed that do not
properly share interrupts. Sometimes problems are immediately obvious, other times they are
subtle and depend upon certain events to happen at just the wrong time, then suddenly strange
Solution: Make a really good backup before installing anything (hardware or software) so you can
revert the system back to a stable state should something crop up.
Finger Faults
These are an all too frequent cause of data corruption. This commonly happens when you are
intending to delete or replace one file but actually get another. By using wild cards, you may
experience a really "wild" time. "Hmmm I thought I deleted all the *.BAK files; but they're still here;
something was deleted; what was it? Or was I in the other directory?" Of course if you're a
programmer or if you use sophisticated tools like a sector editor, then your fingers can really get
Another finger fault problem arises with touchpads below the space bar on notebook computers. It's
very easy to brush the touchpad when you are typing away and suddenly find yourself entering
characters in a screen location very different from where you were before you touched the pad.
Solution: Be careful and look up now and again to make certain your cursor is where you want it.
Someone may accidentally or deliberately delete or change a file on your PC when you're not
around. If you don't keep your PC locked in a safe, then this is a risk. Who knows what was
changed or deleted? Wouldn't it be nice to know if anything changed over the weekend? Most of this
type of damage is done unintentionally by someone you probably know. This person didn't mean to
cause trouble; they simply didn't know what they were doing when they used your PC.
Solution: Never run the computer as an administrative user and have guest accounts available for
Typhoid Mary
One possible source for computer infections is the Customer Engineer (CE), or repairman. When a
CE comes for a service call, they will almost always run a diagnostic program from diskette. It's
very easy for these diskettes to become infected and spread the infection to your computer. Sales
representatives showing demonstrations via floppy disks are also possibly spreading viruses. Always
check your system after other people have placed their floppy disk into it. (Better yet, if you can,
check their disk with up-to-date anti-virus software before anything is run.)
Solution: Insist on testing their disk before use or make certain they've used an up-to-date anti-
Magnetic Zaps
Computer data is generally stored as a series of magnetic changes on disks. While hard disks are
generally safe from most magnetic threats because they are encased within the computer
compartment, floppy disks are highly vulnerable to magnets. The obvious threat would be to post a
floppy disk to the refrigerator with a magnet; but there are many other, more subtle, threats.
• Computer Monitor. Don't put floppy disks anywhere near the monitor; it generates a
magnetic field.
• Telephone. When ringing, telephones (particularly older phones with a bell) generate a
magnetic field.
• Bottom Desk Drawer. While the desk drawer does not generate a magnetic field, the
vacuum cleaner that the maintenance people slide under the desk to clean the floor does.
• Bottom Bookcase Shelf and File Cabinet Drawer. Same comment as the desk drawer
just above.
• Pets. Pet fur generates a strong electrostatic charge which, if discharged through a disk,
can affect files on the disk. Instead of "The dog ate my homework," today it could just as
easily be: "The cat sat on my homework." (I once had a student where this exact problem
happened; a cat sat on her floppy disk and static wiped out the data on the disk.)
Solution: Stay away from magnets or sources of static of all kinds when working with a computer.
Bottom line: There are tools to assist in recovery from disk problems, but how do you know all the
data is OK? These tools do not always recover good copies of the original files. Active action on your
part before disaster strikes is your best defense. It's best to have a good, current backup and, for
• There are many different kinds of hardware threats to your data. Some include:
o Power faults
o Age
o Equipment incompatibilities
o Typos
• Active action on your part can help you identify problems and, perhaps, head them off
early.
Back in the dim mists of time, most virus writers were people who just wanted to test the system
and push the envelope. They delighted in finding a way to insert their code into places where others
might not find it and held contests of sorts to see who could do what the fastest during various
conferences.
Another common reason for writing viruses was to "punish" users for some perceived infraction. The
Brain virus, for example, was said to have been written to punish users of illegal copies of software
(software pirates). Users could become legitimate by contacting Brain Computer Services for help.
The early virus writer Dark Avenger, in an interview with Sarah Gordon , put it this way:
The innocent users would be much less affected if they bought all the software they used (and from
an authorized dealer) and if they used it in the way they are allowed to by the license agreement. If
somebody instead of working plays pirated computer games all day long, then it's quite likely that
at some point they will get a virus. ... Besides, viruses would spread much less if the 'innocent
users' did not steal software, and if they worked a bit more at the workplace, instead of playing
games.
With the advent of virus writing kits more people entered into the picture. These were largely the
bored who had too much time on their hands and decided to spend it making and distributing
viruses just for the heck of it. Many of these people could not actually program one if they had to;
they just used the kits and put in different parameters and then sent whatever came out on their
way in the hope of getting their name ("handle" actually -- a person's true name on a virus caused
This sort of activity expanded as the virus and worm and Trojan world expanded and script worms
became common. Indeed, the term "script kiddie " was more or less coined during this time to
indicate someone who would just take an existing script worm, modify a small part of it, and then
As spyware and adware started to appear motives started to change. Money started to enter into
the picture.
First came botnets; networks of worms/viruses or Trojans designed to sit on a system and wait for a
central command to do something, maybe crash the system(s) they were installed on. Then, the
botnets evolved; or, at least, their purpose evolved. The botnet creators realized that they could
use the botnets to make the infected computers send out spam. Since spammers would pay to send
out spam money started to enter into the equation. The botnets were sending out messages based
on the infected users computers' stored address lists so the spammers had an automatic source of
valid E-mail addresses and a possible way to get through blacklists because they could put the
infected user's return address on the E-mail and the receiver might very well have that user
whitelisted. So, the spammer got what they wanted and the botnet creators started to get paid.
Once money came into the game, however, so did crime. Trojans were developed to quickly infect
users and then sent out in the spam so the new users would not only get spam but if they
responded they would be infected by the Trojan as well. Scripts and Windows/Internet Explorer
holes made this form of malware even easier to send to and infect others who might not have
updated their computer system recently. The use of social engineering to make these message
The malware sent evolved as well. Newer malware tended toward collecting information from
systems instead of crashing them or destroying data. This stolen data became even more valuable
to criminals than just the fact that spam was getting through. Identity theft based on the stolen
Some of this malware is designed to target specific banks in specific countries and is quite
professional looking. And, it's not limited to crimes of identity theft for banking purposes; some
malware targets the massively multiplayer on-line games. Why target games? Because once you
steal someone's credentials in such a game you can pretend to be that person and sell virtual items
to other players. The games have become so popular that virtual items are going for large prices (a
virtual space station went for $100,000 if you can believe that). Of course, the person doing the
buying is getting scammed and the person who's credentials have been stolen gets the blame. The
Rootkit installation to do the data collection is one of the newer threats and promises to increase
the revenue of the criminal groups behind some of the latest attacks.
Peer-to-peer networking is also a target as that allows massive data to be moved. Criminals need to
do that efficiently and anonymously and that's exactly what P2P networks do.
Summary
• The first malware came from people who basically wanted to push the envelope with the
system at hand.
• Later malware came from so-called script kiddies who took advantage of other people's
• Botnets were created and their potential to raise money brought other elements into the
malware game.
• Eventually, criminal groups started to generate the malware in order to make more money
for their activities and can be expected to continue for the purpose of moving information.