Are “Good” Computer Viruses Still a Bad Idea? 13782 Essay Example
Are “Good” Computer Viruses Still a Bad Idea? 13782 Essay Example

Are “Good” Computer Viruses Still a Bad Idea? 13782 Essay Example

Available Only on StudyHippo
  • Pages: 18 (4806 words)
  • Published: November 21, 2018
  • Type: Research Paper
View Entire Sample
Text preview

Are "Good" Computer Viruses Still a Bad Idea?

Vesselin Bontchev

Research Associate

Virus Test Center

University of Hamburg

Vogt-Koelln-Str. 30, 22527 Hamburg, Germany

[email protected] [Editor's note: Vesselin's

current email address is [email protected]]

During the past six years, computer viruses have caused unaccountable amount of

damage - mostly due to loss of time and resources. For most users, the term

"computer virus" is a synonym of the worst nightmares that can happen on their

system. Yet some well-known researchers keep insisting that it is possible to

use the replication mechanism of the viral programs for some useful and

beneficial purposes.

This paper is an attempt to summarize why exactly the general public appreciates

computer viruses as something inherently bad. It is also considering several of

>the proposed models of "beneficial" viruses and points out the problems in them.

A set of conditions is listed, which every virus that claims to be beneficial

must conform to. At last, a realistic model using replication techniques for

beneficial purposes is proposed and directions are given in which this technique

can be improved further.

The paper also demonstrates that the main reason for the conflict between those

supporting the idea of a "beneficial virus" and those opposing it, is that the

two sides are assuming a different definition of what a computer virus is.

1. What Is a Computer Virus?

The general public usually associates the term "computer virus" with a small,

nasty program, which aims to destroy the information on their machines. As usual,

the general public's understanding of the term is incorrect. There are many

kinds of destructive or otherwise malicious

View entire sample
Join StudyHippo to see entire essay

computer programs and computer

viruses are only one of them. Such programs include backdoors, logic bombs,

trojan horses and so on [Bontchev94]. Furthermore, many computer viruses are not

intentionally destructive - they simply display a message, play a tune, or even

do nothing noticeable at all. The important thing, however, is that even those

not intentionally destructive viruses are not harmless - they are causing a lot

of damage in the sense of time, money and resources spent to remove them -

because they are generally unwanted and the user wishes to get rid of them.

A much more precise and scientific definition of the term "computer virus" has

been proposed by Dr. Fred Cohen in his paper [Cohen84]. This definition is

mathematical - it defines the computer virus as a sequence of symbols on the

tape of a Turing Machine. The definition is rather difficult to express exactly

in a human language, but an approximate interpretation is that a computer virus

is a "program that is able to infect other programs by modifying them to include

a possibly evolved copy of itself".

Unfortunately, there are several problems with this definition. One of them is

that it does not mention the possibility of a virus to infect a program without

modifying it - by inserting itself in the execution path. Some typical examples

are the boot sector viruses and the companion viruses [Bontchev94]. However,

this is a flaw only of the human-language expression of the definition - the

mathematical expression defines the terms "program" and "modify" in a way that

clearly includes the kinds of viruses mentioned above.

A second problem with the above definition

is its lack of recursiveness. That is,

it does not specify that after infecting a program, a virus should be able to

replicate further, using the infected program as a host.

Another, much more serious problem with Dr. Cohen's definition is that it is too

broad to be useful for practical purposes. In fact, his definition classifies as

"computer viruses" even such cases as a compiler which is compiling its own

source, a file manager which is used to copy itself, and even the program

DISKCOPY when it is on diskette containing the operating system - because it can

be used to produce an exact copy of the programs on this diskette.

In order to understand the reason of the above problem, we should pay attention

to the goal for which Dr. Cohen's definition has been developed. His goal has

been to prove several interesting theorems about the computational aspects of

computer viruses [Cohen89]. In order to do this, he had to develop a

mathematical (formal) model of the computer virus. For this purpose, one needs a

mathematical model of the computer. One of the most commonly used models is the

Turing Machine (TM). Indeed, there are a few others (e.g., the Markoff chains,

the Post Machine, etc.), but they are not as convenient as the TM and all of

them are proven to be equivalent to it.

Unfortunately, in the environment of the TM model, we cannot speak about

"programs" which modify "other programs" - simply because a TM has only one,

single program - the contents of the tape of that TM. That's why Cohen's model

of a computer virus considers the history

of the states of the tape of the TM.

If a sequence of symbols on this tape appears at a later moment somewhere else

on the tape, then this sequence of symbols is said to be a computer virus for

this particular TM. It is important to note that a computer virus should be

always considered as related to some given computing environment - a particular

TM. It can be proven ([Cohen89]) that for any particular TM there exists a

sequences of symbols which is a virus for that particular TM.

Finally, the technical computer experts usually use definitions for the term

"computer virus", which are less precise than Dr. Cohen's model, while in the

same time being much more useful for practical reasons and still being much more

correct than the general public's vague understanding of the term. One of the

best such definitions is ([Seborg]):

"We define a computer 'virus' as a self-replicating program that can

'infect' other programs by modifying

them or their environment such that a call to an 'infected' program implies

a call to a possibly evolved, and in

most cases, functionally similar copy of the 'virus'."

The important thing to note is that a computer virus is a program that is able

to replicate by itself. The definition does not specify explicitly that it is a

malicious program. Also, a program that does not replicate is not a virus,

regardless of whether it is malicious or not. Therefore the maliciousness is

neither a necessary, nor a sufficient property for a program to be a computer

virus.

Nevertheless, in the past ten years a huge number of

intentionally or non

intentionally destructive computer viruses have caused an unaccountable amount

of damage - mostly due to loss of time, money, and resources to eradicate them -

because in all cases they have been unwanted. Some damage has also been caused

by a direct loss of valuable information due to an intentionally destructive

payload of some viruses, but this loss is relatively minor when compared to the

main one. Lastly, a third, indirect kind of damage is caused to the society -

many users are forced to spend money on buying and time on installing and using

several kinds of anti-virus protection.

Does all this mean that computer viruses can be only harmful? Intuitively,

computer viruses are just a kind of technology. As with any other kind of

technology, they are ethically neutral - they are neither "bad" nor "good" - it

is the purposes that people use them for that can be "bad" or "good". So far

they have been used mostly for bad purposes. It is therefore natural to ask the

question whether it is possible to use this kind of technology for good purposes.

Indeed, several people have asked this question - with Dr. Cohen being one of

the most active proponents of the idea [Cohen91]. Some less qualified people

have attempted even to implement the idea, but have failed miserably (see

section 3). It is natural to ask - why? Let's consider the reasons why the idea

of a "good" virus is usually rejected by the general public. In order to do this,

we shall consider why people think that a computer virus is always harmful and

cannot be used

for beneficial purposes.

2. Why Are Computer Viruses Perceived as Harmful?

About a year ago, we asked the participants of the electronic forum Virus-

L/comp.virus, which is dedicated to discussions about computer viruses, to list

all reasons they could think about why do they perceive the idea of a

"beneficial" virus as a bad one. What follows is a systematized and generalized

list of those reasons.

2.1. Technical Reasons

This section lists the arguments against the "beneficial virus" idea, which have

a technical character. They are usually the most objective ones.

2.1.1. Lack of Control

Once released, the person who has released a computer virus has no control on

how this virus will spread. It jumps from machine to machine, using the

unpredictable patterns of software sharing among the users. Clearly, it can

easily reach systems on which it is not wanted or on which it would be

incompatible with the environment and would cause unintentional damage. It is

not possible for the virus writer to predict on which systems the virus will run

and therefore it is impossible to test the virus on all those systems for

compatibility. Furthermore, during its spread, a computer virus could reach even

a system that had not existed when that virus has been created - and therefore

it had been impossible to test the virus for compatibility with this system.

The above is not always true - that is, it is possible to test the virus for

compatibility on a reasonably large number of systems that are supposed to run

it. However, it is the damaging potential of a program that is spreading out of

control which is

scaring the users.

2.1.2. Recognition Difficulty

Currently a lot of computer viruses already exist, which are either

intentionally destructive or otherwise harmful. There are a lot of anti-virus

programs designed to detect and stop them. All those harmful viruses are not

going to disappear overnight. Therefore, if one develops a class of beneficial

viruses and people actually begin to use them, then the anti-virus programs will

have to be able to make the difference between the "good" and the "bad" viruses

- in order to let the former in and keep the latter out.

Unfortunately, in general it is theoretically impossible even to distinguish

between a virus and a non-viral program ([Cohen89]). There is no reason to think

that distinguishing between "good" and "bad" viruses will be much easier. While

it might be possible to distinguish between them using virus-specific anti-virus

software (e.g., scanners), we should not forget that many people are relying on

generic anti-virus defenses, for instance based on integrity checking. Such

systems are designed to detect modifications, not specific viruses, and

therefore will be triggered by the "beneficial" virus too, thus causing an

unwanted alert. Experience shows that the cost of such false positives is the

same as of a real infection with a malicious virus - because the users waste a

lot of time and resources looking for a non-existing problem.

2.1.3. Resource Wasting

A computer virus would eat up disk space, CPU time, and memory resources during

its replication. A computer virus is a self-replicating resource eater. One

typical example is the Internet Worm, accidentally released by a Carnegie-Mellon

student. It was not designed to be intentionally destructive, but in

the process

of its replication, the multiple copies of it used so much resources, that they

practically brought down a large portion of the Internet.

Even when the computer virus uses a limited amount of resources, it is

considered as a bad thing by the owner of the machine on which the virus is

doing it, if it happens without authorization.

2.1.4. Bug Containment

A computer virus can easily escape the controlled environment and this makes it

very difficult to test such programs properly. And indeed - experience shows

that almost all computer viruses released so far suffer from significant bugs,

which would either prevent them from working in some environments, or even cause

unintentional damage in those environments.

Of course, any program can (and usually does) contain bugs. This is especially

true for the large and complex software systems. However, a computer virus is

not just a normal buggy program. It is a self-spreading buggy program, which is

out of control. Even if the author of the virus discovers the bug at a later

time, there is the almost untreatable problem of revoking all existing copies of

the virus and replacing them with fixed new versions.

2.1.5. Compatibility Problems

A computer virus that can attach itself to any of the user's programs would

disable the several programs on the market that perform a checksum on themselves

at runtime and refuse to run if modified. In a sense, the virus will perform a

denial-of-service attack and thus cause damage.

Another problem arises from some attempts to solve the "lack of control" problem

by creating a virus that asks for permission before infecting. Unfortunately,

this causes

an interruption of the task being currently executed until the user

provides the proper response. Besides of being annoying for the user, it could

be sometimes even dangerous. Consider the following example.

It is possible that a computer is used to control some kind of life-critical

equipment in a hospital. Suppose that such a computer gets infected by a

"beneficial" computer virus, which asks for permission before infecting any

particular program. Then it is perfectly possible that a situation arises, when

a particular program has to be executed for the first time after the virus has

appeared on the computer, and that this program has to urgently perform some

task which is critical for the life of a patient. If at that time the virus

interrupts the process with the request for permission to infect this program,

then the caused delay (especially if there is no operator around to authorize or

deny the request) could easily result in the death of the patient.

2.1.6. Effectiveness

It is argued that any task that could be performed by a "beneficial" virus could

also be performed by a non-replicating program. Since there are some risks

following from the capability of self-replication, it would be therefore much

better if a non-replicating program is used, instead of a computer virus.

2.2. Ethical and Legal Reasons

The following section lists the arguments against the "beneficial virus" idea,

which are of ethical or legal kind. Since neither ethics, nor the legal systems

are universal among the human society, it is likely that those arguments will

have different strength in the different countries. Nevertheless, they have to

be taken into account.

2.2.1. Unauthorized

Data Modification

It is usually considered unethical to modify other people's data without their

authorization. In many countries this is also illegal. Therefore, a virus which

performs such actions will be considered unethical and/or illegal, regardless of

any positive outcome it could bring to the infected machines. Sometimes this

problem is perceived by the users as "the virus writer claims to know better

than me what software should I run on my machine".

2.2.2. Copyright and Ownership Problems

In many cases, modifying a particular program could mean that copyright,

ownership, or at least technical support rights for this program are voided.

We have witnessed such an example at the VTC-Hamburg. One of the users who

called us for help with a computer virus was a sight-impaired lawyer, who was

using special Windows software to display the documents he was working on with a

large font on the screen - so that he could read them. His system was infected

by a relatively non-damaging virus. However, when the producer of the software

learned that the machine was infected, they refused any technical support to the

user, until the infection was removed and their software - installed from clean

originals.

2.2.3. Possible Misuse

An attacker could use a "good" virus as a means of transportation to penetrate a

system. For instance, a person with malicious intent could get a copy of a

"good" virus and modify it to include something malicious. Admittedly, an

attacker could trojanize any program, but a "good" virus will provide the

attacker with means to transport his malicious code to a virtually unlimited

population of computer systems. The potential to be easily modified

to carry

malicious code is one of the things that makes a virus "bad".

2.2.4. Responsibility

Declaring some viruses as "good" and "beneficial" would just provide an excuse

to the crowd of irresponsible virus writers to condone their activities and to

claim that they are actually doing some kind of "research". In fact, this is

already happening - the people mentioned above are often quoting Dr. Fred

Cohen's ideas for beneficial viruses as an excuse of what they are doing - often

without even bothering to understand what Dr. Cohen is talking about.

2.3. Psychological Reasons

The arguments listed in this section are of psychological kind. They are usually

a result of some kind of misunderstanding and should be considered an obstacle

that has to be "worked around".

2.3.1. Trust Problems

The users like to think that they have full control on what is happening in

their machine. The computer is a very sophisticated device. Most computer users

do not understand very well how it works and what is happening inside. The lack

of knowledge and uncertainty creates fear. Only the feeling that the reactions

of the machine will be always known, controlled, and predictable could help the

users to overcome this fear.

However, a computer virus steals the control of the computer from the user. The

virus activity ruins the trust that the user has in his/her machine, because it

causes the user to lose his/her belief that s/he can control this machine. This

may be a source of permanent frustrations.

2.3.2. Negative Common Meaning

For most people, the word "computer virus" is already loaded with negative

meaning. The media has already widely established

the belief that a computer

virus is a synonym for a malicious program. In fact, many people call "viruses"

many malicious programs that are unable to replicate - like trojan horses, or

even bugs in perfectly legitimate software. People will never accept a program

that is labelled as a computer virus, even if it claims to do something useful.

3. Some Bad Examples of "Beneficial" Viruses

Regardless of all the objections listed in the previous section, several people

have asked themselves the question whether a computer virus could be used for

something useful, instead of only for destructive purposes.

And several people have tried to positively answer this question. Some of them

have even implemented their ideas in practice and have been experimenting with

them in the real world - unfortunately, without success. In this section we

shall present some of the unsuccessful attempts to create a beneficial virus so

far, and explain why they have been unsuccessful.

3.1. The "Anti-Virus" Virus

Some computer viruses are designed to work not only in a "virgin" environment of

infectable programs, but also on systems that include anti-virus software and

even other computer viruses. In order to survive successfully in such

environments, those viruses contain mechanisms to disable and/or remove the said

anti-virus programs and "competitor" viruses. Examples for such viruses in the

IBM PC environment are Den_Zuko (removes the Brain virus and replaces it with

itself), Yankee_Doodle (the newer versions are able to locate the older ones and

"upgrade" the infected files by removing the older version of the virus and

replacing it with the newer one), Neuroquila (disables several anti-virus

programs), and several other viruses.

Several

people have had the idea to develop the above behaviour further and to

create an "anti-virus" virus - a virus which would be able to locate other

(presumably malicious) computer viruses and remove them. Such a self-replicating

anti-virus program would have the benefits to spread very fast and update itself

automatically.

Several viruses have been created as an implementation of the above idea. Some

of them locate a few known viruses and remove them from the infected files,

others attach themselves to the clean files and issue an error message if

another piece of code becomes attached after the virus (assuming that it has to

be an unwanted virus), and so on. However, all such pieces of "self-replicating

anti-virus software" have been rejected by the users, who have considered the

"anti-virus" viruses just as malicious and unwanted as any other real computer

virus. In order to understand why, it is enough to realize that the "anti-virus

viruses" matches several of the rules that state why a replicating program is

considered malicious and/or unwanted. Here is a list of them for this particular

idea.

First, this idea violates the Control condition. Once the "anti-virus" virus is

released, its author has no means to control it.

Second, it violates the Recognition condition. A virus that attaches itself to

executable files will definitely trigger the anti-virus programs based on

monitoring or integrity checking. There is no way for those programs to decide

whether they have been triggered by a "beneficial" virus or not.

Third, it violates the Resource Wasting condition. Adding an almost identical

piece of code to every executable file on the system is definitely a waste

- the

same purpose can be achieved with a single copy of the code and a single file,

containing the necessary data.

Fourth, it violates the Bug Containment condition. There is no easy way to

locate and update or remove all instances of the virus.

Fifth, it causes several compatibility problems, especially to the selfchecking

programs, thus violating the Compatibility condition.

Sixth, it is not as effective as a non-viral program, thus violating the

Effectiveness condition. A virus-specific anti-virus program has to carry

thousands of scan strings for the existing malicious viruses - it would be very

ineffective to attach a copy of it to every executable file. Even a generic

anti-virus (i.e., based on monitoring or integrity checking) would be more

effective if it exists only in one example and is executed under the control of

the user.

Seventh, such a virus modifies other people's programs without their

authorization, thus violating the Unauthorized Modification condition. In some

cases such viruses ask the user for permission before "protecting" a file by

infecting it. However, even in those cases they cause unwanted interruptions,

which, as we already demonstrated, in some situations can be fatal.

Eight, by modifying other programs such viruses violate the Copyright condition.

Ninth, at least with the current implementations of "anti-virus" viruses, it is

trivial to modify them to carry destructive code - thus violating the Misuse

condition.

Tenth, such viruses are already widely being used as examples by the virus

writers when they are trying to defend their irresponsible actions and to

disguise them as legitimate research - thus the idea violates the responsibility

condition too.

As we can see from the

above, the idea of a beneficial anti-virus virus is "bad"

according to almost any of the criteria listed by the users.

3.2. The "File Compressor" Virus

This is one of the oldest ideas for "beneficial" viruses. It is first mentioned

in Dr. Cohen's original work [Cohen84]. The idea consists of creating a self-

replicating program, which will compress the files it infects, before attaching

itself to them. Such a program is particularly easy to implement as a shell

script for Unix, but it is perfectly doable for the PC too. And it has already

been done - there is a family of MS-DOS viruses, called Cruncher, which appends

itself to the executable files, then compresses the infected file using Lempel-

Zev-Huffman compression, and then prepends a small decompressor which would

decompress the file in memory at runtime.

Regardless of the supposed benefits, this idea also fails the test of the

criteria listed in the previous section. Here is why.

First, the idea violates the Control condition. Once released, the author of the

virus has no means to controls its spread. In the particular implementation of

Cruncher, the virus writer has attempted to introduce some kind of control. The

virus asks the user for permission before installing itself in memory, causing

unwanted interruptions. It is also possible to tell the virus to install itself

without asking any questions - by the means of setting an environment variable.

However, there are no means to tell the virus not to install itself and not to

ask any questions - which should be the default action.

Second, the idea violates the Recognition condition. Several virus scanners

detect and recognize

Cruncher by name, the process of infecting an executable

triggers most monitoring programs, and the infected files are, of course,

modified, which triggers most integrity checkers.

Third, the idea violates the Resource condition. A copy of the decompressor is

present in every infected file, which is obviously unnecessary.

Fourth, the idea violates the Bug Containment condition. If bugs are found in

the virus, the author has no simple means to distribute the fix and to upgrade

all existing copies of the virus.

Fifth, the idea violates the Compatibility condition. There are many files which

stop working after being compressed. Examples include programs that perform a

self-check at runtime, self-modifying programs, programs with internal overlay

structure, Windows executables, and so on. Admitedly, those programs stop

working even after being compressed with a stand-alone (i.e., non-viral)

compression program. However, it is much more difficult to compress them by

accident when using such a program - quite unlike the case when the user is

running a compression virus.

Sixth, the idea violates the Effectiveness condition. It is perfectly possible

to use a stand-alone, non-viral program to compress the executable files and

prepend a short decompressor to them. This has the added advantage that the code

for the compressor does not have to reside in every compressed file, and thus we

don't have to worry about its size or speed - because it has to be executed only

once. True, the decompressor code still has to be present in each compressed

file and many programs will still refuse to work after being compressed. The

solution is to use not compression at a file level, but at a disk level.

And

indeed, compressed file systems are available for many operating environments

(DOS, Novell, OS/2, Unix) and they are much more effective than a file-level

compressor that spreads like a virus.

Seventh, the idea still violates the Copyright condition. It could be argued

that it doesn't violate the Data Modification condition, because the user is

asked to authorize the infection. We shall accept this, with the remark

mentioned above - that it still causes unwanted interruptions. It is also not

very trivial to modify the virus in order to make it malicious, so we'll assume

that the Misuse condition is not violated too - although no serious attempts are

made to ensure that the integrity of the virus has not been compromised.

Eighth, the idea violates the responsibility condition. This particular virus -

Cruncher - has been written by the same person who has released many other

viruses - far from "beneficial" ones - and Cruncher is clearly used as an

attempt to condone virus writing and to masquerade it as legitimate "research".

3.3. The "Disk Encryptor" Virus

This virus has been published by Mark Ludwig - author of two books and a

newsletter on virus writing, and of several real viruses, variants of many of

which are spreading in the real world, causing real damage.

The idea is to write a boot sector virus, which encrypts the disks it infects

with a strong encryption algorithm (IDEA in this particular case) and a user-

supplied password, thus ensuring the privacy of the user's data. Unfortunately,

this idea is just as flawed as the previous ones.

First, it violates the Control condition. True, the virus author has

attempted

to introduce some means of control. The virus is supposed to ask the user for

permission before installing itself in memory and before infecting a disk.

However, this still causes unwanted interruptions and reportedly in some cases

doesn't work properly - that is, the virus installs itself even if the user has

told it not to.

Second, it violates the Recognition condition. Several virus-specific scanners

recognize this virus either by name or as a variant of Stealth_Boot, which it

actually is. Due to the fact that it is a boot sector infector, it is unlikely

to trigger the monitoring programs. However, the modification that it causes to

the hard disk when infecting it, will trigger most integrity checkers. Those

that have the capability to automatically restore the boot sector, thus removing

any possibly present virus, will cause the encrypted disk to become inaccessible

and therefore cause serious damage.

Third, the idea violates the Compatibility condition. A boot sector virus that

is permanently resident in memory usually causes problems to Windows

Get an explanation on any task
Get unstuck with the help of our AI assistant in seconds
New