CNET

0

 
Decades after creation, viruses defy cure

By Robert Lemos
Staff Writer, CNET News.com
November 25, 2003, 4:00AM PT

Of all the accomplishments in the annals of technology, Fred Cohen's contribution is undeniably unique: He introduced the term "virus" to the lexicon of computers.

The University of New Haven professor used the phrase in a 1984 research paper, in which he described threats self-propagating programs pose and explored potential defenses against them. When he asked for funding from the National Science Foundation three years later to further explore countermeasures, the agency rebuffed him.

"They turned it down," said Cohen, who is also principal analyst for research firm Burton Group. "They said it wasn't of current interest."

Two decades later, countless companies and individuals are still paying for that mistake. The technology industry has yet to find a blanket solution to the ever-growing list of viruses and worms that constitute the greatest risk to computers on the Internet. Every year, companies lose billions of dollars when forced to halt work and deal with infectious digital diseases, such as Sobig and Slammer.

While much attention has been paid to the malicious online attackers who exploit technology's vulnerabilities, little has been documented about the origins of the virus. Its early iterations were not created by malcontent teenagers or antisocial geeks but by campus researchers, system administrators and a handful of old-school hackers who thought that the ability to reproduce their programs automatically was a neat trick.

The result is a tale of technical genius, academic naivete, bureaucratic arrogance and humans' penchant for tearing down institutions simply for the sake of doing so.

Sarah Gordon, senior research fellow at Symantec Security Response, caught her first computer virus more than a decade ago. She became so fascinated with the phenomenon that she spent several years studying the underground world of virus writers.

"The design of the Internet facilitates the distribution of information--all sorts of information; it's a double-edged sword," Gordon said in a recent e-mail interview. "Even if (viruses) are not designed to be intentionally malicious or dangerous, if they get outside of a controlled environment, there can be unexpected results."

That was precisely what happened with the fathers of the computer virus: The exponential doubling of viral code can greatly magnify minor errors and become the difference between a harmless prank and a devastating attack. Unlike the simple technologies behind isolated attacks on the Internet, the ability to propagate adds a level of complexity that often stymies the virus writers themselves. Although many programs quickly fizzle out, others have far outgrown the intentions of their authors.

Cohen had an inkling of much of the future when he first thought up the idea in November 1983 as a University of Southern California graduate student. During a weekly seminar on computer security, he conceived of a program that could infect other systems with copies of itself.

"All at once, a light bulb came on, and I said, 'Aha!'" Cohen recalled. "Within a few seconds, I knew how to write the program and that it would work."

His adviser at the time, Len Adleman--well known as a creator of public-key encryption and the "A" in a popular form of the security technology known as RSA (Rivest, Shamir & Adleman)--suggested that the programs were the digital analogy of viruses. The name stuck.

The birth of a concept
In a paper published the next year, he defined a virus as "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself." Cohen proved that such a virus could spread through any system that allows information to be shared, interpreted in a general manner and given away, despite the presence of security technologies.

To demonstrate its potential dangers, Cohen created a test program to see how quickly the virus could spread and undermine the security of a mainframe computer system. He implanted the program in a command that presents Unix file structures graphically, then conducted five attack runs.

The virus managed to "gain system rights"--essentially seizing control of the computer--within an average of half an hour. The shortest run took five minutes.

"It could spread with all the security technologies out there at the time," Cohen said. "The concept showed that the least trusted user is the weakest link, and the program can quickly spread up to the most trusted user."

Cohen's work provided a concrete definition of a virus and showed how other programs, such as worms, are a subset of that definition. But a few viruslike programs existed before his research, and many of its theoretical underpinnings were established by John von Neumann, one of the founding fathers of computer science.

Born in Hungary in 1903, von Neumann was responsible for seminal work in many branches of computer science, mathematics and physics, including logical analysis of a strategy called game theory and the newly born branch of quantum physics. Between 1948 and 1956, he extended much of the work of one of his peers, famed computer scientist Alan Turing.

Turing had come up with an idea for a universal computing system, a logical construct that could solve a wide variety of problems by using a processor and a tape to store programs and data. Computers still use the basic division of labor Turing identified: processors and storage.

Von Neumann expanded Turing's concept to the creation of a universal constructor, a system that could replicate itself. This self-reproducing automaton, as he called it, used tens of thousands of elements--each of which could be in any of 29 states--to create another automaton on an imaginary grid. The system was so complex that it took more than 40 years for even a limited version of it to be implemented in hardware.

Survival of the fittest program
Von Neumann's work later served as the foundation for a new branch of computer science known as cellular automata theory, and it inspired other researchers to create simpler computer "creatures" and the field of artificial life. His pioneering research also spurred three Bell Labs researchers to put his ideas into action in the early 1960s.

		Related story Twenty years of malware Seasoned campaigners from the antivirus industry weigh in

In August 1961, researcher Victor Vyssotsky invented a game, dubbed "Darwin," in which small programs competed with one another to dominate a digital landscape. His colleague Douglas McIlroy programmed much of the game, including the code that would run the simulation. The third researcher, Robert Morris Sr., created a lethal digital creature that evolved and passed along its successful attack to its progeny.

"It was clear that by tinkering the rules to introduce a bit of uncertainty into the game, we could have revived it after Morris' devastating entry, but we had other things to do," said McIlroy, now an adjunct professor in the computer science department at Dartmouth College. The game ran on an IBM 7090 system and was largely forgotten.

However, the researchers and their progeny were to have a profound impact on computers and the Internet.

Morris went to work for the National Security Agency. In November 1988, his son, Robert Jr., created the first worm to spread widely across the Internet. While "Darwin" didn't survive the evolution of its IBM 7090 computer system, the researchers' recreational activities led to the invention of a more popular game called "Core War," where players write battle programs in a language called Redcode and duke it out in a virtual-memory arena dubbed the Memory Array Redcode Simulator, or MARS. Many aficionados still play the game on the Internet.

But those digital creatures were all contained in artificial environments. It took a different game to help introduce viruses to computers and spread infections worldwide.

That game was "Animal," a program akin to "20 Questions," which became highly popular among mainframe computer operators in the 1970s. The game would ask a person to think of an animal and then ask questions for clues as to the type of creature it was. If the program guessed wrong, it would ask the player to provide a question and an answer that would differentiate the new animal.

John Walker, a UNIVAC (Universal Automatic Calculator) systems programmer for a large multinational firm, created his own version of the game in 1974, improving it so that erroneous information one player enters could eventually be corrected by another. The game was an immediate hit.

"I started getting calls from people at other UNIVAC installations asking for tapes of the game," he said.

From games to viruses
In the pre-Internet days, Walker found himself telling people to mail him a tape, onto which he would copy the program and return it. He quickly tired of the laborious process: "It was really annoying and got me thinking on how best to distribute the game. That's when I thought about making it self-reproducing."

In January 1975, Walker created another program, "Pervade," which would hitch a ride with a new version of "Animal." Any time someone played the "Animal" game, Pervade would also start running to check directories, duplicate itself in any directory that didn't already have a copy and overwrite any older versions.

Walker recalls reflecting on the implications of the program for a couple of months to ensure that he hadn't made any damaging errors. Then he released it.

Within a week, UNIVAC administrators at another corporate office started reporting that "Animal" had suddenly appeared on their system. Weeks later, other companies discovered the program on their systems as well.

"A few months later, a lot of people started talking about it, and that meant more people were asking for it," Walker said. "It propagated as much by word of mouth as by copying itself to new directories."

The Pervade program stopped working when UNIVAC released a new version of the operating system that changed its directory structure. But Walker insists that a modified copy of his program could have easily overcome its new security features.

"UNIVAC was putting forth all these security methods, and here was an example of a threat that all the defenses couldn't do anything about," he said in comments Cohen would echo a decade later. Walker went on to found Autodesk in the early 1980s, and he remains the largest individual stockholder in the company.

In a testament to the unpredictable nature of viruses, even Walker guessed wrong about how long his self-replicating creation would last. He recently talked to an administrator of a Unisys 2200 system, a descendent of the UNIVAC computers, who reported that the program still runs on his machine.

"It's still looking for file system tables that are 30 years out of date," Walker said.

The host in the machine
Viruses proliferated exponentially with the popularity of desktop computers. Not only did individual computers enlarge the pool of hosts a virus could infect, but they also yielded a new techno-savvy generation armed with the knowledge to create such programs.

		Special report Tracking Code Red Virulent worm casts doubt on Net protection

Rich Skrenta fit the bill to a tee: A Pittsburgh-area ninth-grader in 1982, he knew a lot about the Apple II and loved to use software to play practical jokes on his classmates. The then-teenager supplied his friends with Apple II programs to which he had added some custom "features," such as the machine's ability to shut down automatically after being used just a few times or to display a taunting message.

"After I had done this a number of times, no one would take games from me anymore," said Skrenta, now the president of his own, soon-to-be-launched search start-up, Topix.net. "And so, I was puzzling on how to get my tricks onto their disks."

That's when he got the idea to write a self-propagating program that would infect Apple II disks. Skrenta's idea for "cloner" programs--he didn't employ the term virus--would infect a popular command on the system disks used by the Apple II. The program he created, called Elk Cloner, counted how often a disk had been used and, on every fifth run, made the computer shut down or perform some other "trick." Every 50th time the computer started up, Elk Cloner would display a little poem.

		Special report Year of the worm Fast-spreading code is favorite weapon

Four years later, two Pakistani brothers, Amjad and Basit Farooq Alvi, created the first computer virus to infect IBM PCs. Known as the Brain virus, the brothers used the program as a piece of true viral marketing: Each copy caused a message to flash on the screen, advertising the brothers' company, Brain Computer Services of Lahore, Pakistan.

"Beware of this VIRUS...Contact us for vaccination," stated the message, which can be found on their Internet site today.

That was only the beginning. Although viruses and worms took more than a decade to emerge in significant numbers, they soared in subsequent years. By the end of 1990, about 200 viruses had been identified. Today, that number has jumped to more than 70,000. Although less than 1 percent of those viruses have compromised computers on the Internet, more than 80 percent of companies suffered a digital infection, according to the Computer Security Institute.

Symantec's Gordon said most virus creators--not unlike their predecessors--still don't understand the ability of the programs to spread throughout the Internet. "They tend to be curious--often articulate individuals with a variety of relationship and interaction styles," she said.

Cohen, however, said the scientific heavy lifting for today's Internet viruses was done in the 1980s. Everything else, he said, is just mechanics.

"Everything that we know now was known then," he said. "Everything we see now is just an engineering solution based on old science."