GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 No. 7, part 1
Introduction to Computer Viruses
____________________________________________________
It's Saturday morning. You boot up your Windows
98 computer and lo and behold, the graphics on the desktop are
a mirror image of what they should be. Congratulations,
you have a computer virus!
According to Virus Bulletin, the Oxfordshire,
England-based technical journal that tracks viruses, this new
virus flips any uncompressed bitmaps horizontally, but only on
Saturdays. This bulletin credits GriYo of the 29A virus-writing
group as the author of this 32-bit polymorphic Windows virus
now known as HPS (Hantavirus Pulmonary Syndrome).
Panda Software of Spain has announced that it has the antidote
to HPS. Meanwhile, other antivirus companies scramble to
code a cure for this Windows 98 desktop graphics virus.
So far HPS appears, like many viruses, to be harmless and
humorous. According to the book Computer Viruses
by Robert Slade (Springer, 1996), "The truth is that relatively
few viral programs perform any overt damage to a system."
However, no matter how harmless any virus may appear to be, people
worry that it might do something else, perhaps on some Friday
the 13th or maybe, who knows, on Jan. 1 in the year 2000. Even
if GriYo had the best of intentions, people worry that a mistake
buried somewhere in his HPS code might accidentally cause harm.
Let's face it. Turn a computer virus loose and
you can become mighty unpopular -- regardless of how harmless,
funny, or even beneficial you believe your virus might be. People
don't like to have programs running on their computers unless
they make the decision to put them there.
***************************************************
In this Guide you will learn:
Part One:
* What is a computer virus?
* Types of computer viruses
* Why study and create viruses?
* How to catch them
* How to fight them
*************************************************
One of the nice things about the recent escalation in
computer crime is that the media doesn't make such a big
fuss over viruses any more. Sure, they (viruses and the
media both) can be a pain. However, with all those antivirus
programs we can call upon for help, and with almost everyone
now understanding the importance of frequent backups, viruses
are no big deal, right?
"Computer viruses are no big deal." Famous
last words? Digital viruses may be the first stages of
artificial life. Think about it -- are we ready yet to
share the planet with artificial life? Will we find some
means of friendly coexistence, just as we have learned to safely
enjoy cheetahs, lions and wolves? Will viruses perhaps
even evolve into helpful life forms that will end poverty and
war, help us understand the meaning of life itself and even shed
light on the nature of God? Or will some computer virus
designer create code that evolves into something that destroys
the human race? Or ... maybe you readers will get fed up with
me hyping viruses and flame war me into hiding!
What is a Computer Virus?
In 1988 the Internet was shut down by the Morris
Worm, a self-replicating program coded by Robert Tappan
Morris of the Chaos Computer Club. It used sendmail and
finger exploits to break into and propagate from one Unix computer
to another. By the time it had infected some 10% of the
computers on the Internet, it was clogging essential Internet
communications lines as the worm shipped around ever more copies
of itself.
Yet many computer scientists say we shouldn't call
the Morris Worm a computer virus.
Before the first computer virus was ever coded, in 1984,
Dr. Fred Cohen wrote his doctoral thesis on the topic (published
in his book Computer Viruses, ASP Press, 1986).
As a result, Cohen is credited by many with being the first to
conceive of their existence. It is important to remember
-- Cohen is AGAINST computer viruses. He didn't invent them,
but was the first to prove they could be created, and to foresee
the damage they could cause. Purists hold by the definition
of virus that appeared in Cohen's doctoral thesis: a computer
virus is code that, when active, attaches itself to other programs.
However, long before Dr. Cohen detailed the characteristics
of viruses, mathematician John von Neumann proved that a Turing
machine (a mathematical construct representing a single-processor
computer) is capable of containing a universal constructor
which, if provided with a program containing its own description,
is able to reproduce itself. Von Neumann's universal
constructor proof covers not only Cohen's definition
of a computer virus, but also self-replicating programs such
as the Morris Worm.
Are these definitions making you dizzy? Me, too.
So I decided in this Guide to use the definition proposed by
virus researcher Dr. Mark Ludwig. He defines a computer
virus as "a program that reproduces." When executed,
it simply makes more copies of itself. Those copies may
later be executed to create still more copies, ad infinitum.
This definition is broad enough to include the Morris Worm.
******************************************************
Newbie note: To execute a program means to
make it run. As long as a program is merely a file, it
is doing nothing. However, when something is done to feed
the information of a file into the central processing unit of
a computer in such a way as to command it to do something, we
say the program has been executed.
****************************************************
Each virus program must consist of at least two parts.
It must contain a search routine which helps it find new files,
disks or host computers on which to replicate. It also
must have a routine that copies itself to these new computers
that its search routine discovers.
Many viruses also contain self-defense features that allow
them to hide from or even fight back against anti-virus programs.
Some also, like HPS, contain a harmless message or prank.
The Stoned virus carries the message "Your computer is now
stoned" along with an occasional plea to legalize marijuana.
Unfortunately, a few viruses do something harmful.
Often the harm is accidental, as few virus coders wish to harm
anyone. Robert Tappan Morris had no intention of crashing
the Internet with his Worm. Each individual worm was harmless.
The trouble came because they multiplied far faster than he had
expected.
Also, there are a few -- very few -- people who willfully
misuse their programming talents to unleash destructive viruses
on the world.
Types of Viruses
There are several major types of viruses.
* Boot sector infectors, which can live even on a blank DOS/Windows
disk by taking advantage of the little-known program which tells
your computer how to read the disk.
* Program file infectors (this includes MS Word document macro
viruses)
* Worms (such as the Morris Worm) which use other programs to
replicate but do not attach themselves to programs.
Currently the most common type of virus is the macro virus.
A recent example of a macro virus is WM/PolyPoster. This
virus will wait until you go online and post your infected document(s)
to alt.sex.stories and other popular Usenet news groups under
the title "Important Monica Lewinsky Info". For
more details, see http://www.datafellows.com/news/pr/eng/fsav/19980618.htm
and http://www.datafellows.com/v-descs/agent.htm
Why Study -- and Create -- Viruses?
The Giant Black Book of Computer Viruses
by Ludwig (American Eagle Press, 1995) argues: "Should we
not be a Socrates, who ... sought Truth and Wisdom ... the question
that really matters is not how computers can make us wealthy
or give us power over others, but how they might make us wise.
What can we learn about ourselves? about our world? and yes,
maybe even about God? Might we not understand life a little
better if we can create something similar, and study it, and
try to understand it?"
Some researchers seek to figure out new ways to defeat
antivirus programs because they believe it is the best way to
design them to stay one jump ahead of the tiny minority of virus
writers who release damaging code. Do you really want to
rely on a commercial antivirus program to be your only defense?
Yes, these programs can be really helpful. However, if
you are a serious hacker who downloads and tests lots of Windows
programs (almost all viruses attack Windows), you had better
be prepared to fight viruses that the antivirus companies have
never even heard of.
Other people research viruses because they could become
potent weapons in time of war. The story of a computer
virus being unleashed against Iraq during the Desert Storm War
is an April Fools' Day hoax that got out of hand. But
the day is coming when they will be used in wartime.
If you live in a country where the government is run by
a dictatorship or is occupied by an invader's troops, viruses
may be the guerrilla warrior's best friend.
Some virus designers want to create artificial life forms
that will, for good or evil, revolutionize history.
How to Catch Them
Have you ever gotten an email from a friend that reads
something like this?
Internet Virus !!!!Warning!!!!
Hello;
Please Broadcast this message.
Mails CCMAIL or E-MAIL name's JOINT THE CREW & PENPALS
GREETINGS
should destroy all datas on your hard disk when you open them.
These virus call CHEVAL TROYEN make infection on boot sector.
These can be autoduplicator.
You should destroy them, DO NOT OPEN THEM.....
After a week or so you are probably getting the
same message again and again, each time slightly mutated:
VIRUS WARNING !!!!!!
If you receive an email titled "JOIN THE CREW" DO NOT
open it. It will erase everything on your hard drive.
Forward this letter out to as many people as you can. This
is a new, very malicious virus and not many people know about
it. This information was announced yesterday morning from IBM;
please share it with everyone that might access the internet...
This "Join the Crew" virus warning is yet
another example of the kind of message that first warned of an
email virus entitled "Good Times." In 1994-5
that first emailed virus warning flashed across the Internet
with amazing speed and persistence. Soon people were getting
"Good Times" warnings every day. Even reputable sysadmins
broadcast the warning to all their users.
Good Times was a hoax. It is impossible to catch a virus
from merely reading email. You must run a program to catch
a virus.
True, there are macro viruses such as those that infest
Microsoft Word (MS Word) documents. They replicate when
you merely read a file in MS Word. However, macros are programs
which are executed when you read a text file -- but only when
you read it in MS Word. Unfortunately, this feature
of MS Word has the consequence that macro viruses are now the
most common of viruses.
However, email is structured so that macros cannot, absolutely
cannot, be embedded in it. If someone wants to email a
macro to you, it will always be in a file attached to email.
As long as you refuse to load email attachments into programs
that run macros such as MS Word, you are safe.
Some people have argued that phony email virus warnings
are in themselves computer viruses. They have a search
routine -- the plea to email them to everyone you know.
Their copy mechanism is you -- if you are dumb enough to command
your email program to send these warnings on to other people.
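The two-part anatomy described above (a search routine, which for a hoax is the plea to forward, and a copy mechanism, which is the reader) can be turned into a crude mail filter. The following Python is an added example, not part of the original Guide; the sample messages are constructed here in the style of the hoaxes quoted above, and the indicator weights and threshold are my own assumptions.

```python
import re

# Constructed sample messages (not real mail), in the style of the hoax
# warnings quoted in this Guide, plus one ordinary message for contrast.
JOIN_THE_CREW = """VIRUS WARNING !!!!!!
If you receive an email titled "JOIN THE CREW" DO NOT open it.
It will erase everything on your hard drive.
Forward this letter out to as many people as you can.
This information was announced yesterday morning from IBM."""

CHEVAL_TROYEN = """Internet Virus !!!!Warning!!!!
Please Broadcast this message.
Mails named JOIN THE CREW should destroy all datas on your hard disk.
You should destroy them, DO NOT OPEN THEM....."""

ORDINARY = """Attached are the notes from Tuesday's meeting.
Let me know if I missed anything."""

# Each indicator is tagged with the viral "part" it plays: the forwarding plea
# is the search routine; the scare claims are what push the human copy mechanism.
# Weights are assumptions for this example, not taken from any published filter.
INDICATORS = [
    (r"\b(forward|send|broadcast)\b.{0,40}\b(everyone|everybody|as many|all your|this (message|letter|warning))\b",
     "search: plea to forward", 3),
    (r"\b(erase|destroy|wipe)\b.{0,30}\b(hard (drive|disk)|datas?)\b", "scare: catastrophic payload", 2),
    (r"\bdo not open\b", "scare: open-and-die claim", 1),
    (r"\b(announced|confirmed)\b.{0,30}\b(ibm|microsoft|aol)\b", "false authority", 2),
    (r"!{3,}", "shouting", 1),
]


def score_hoax(text):
    """Return (total weight, list of (label, weight)) for the indicators present."""
    hits = [(label, weight) for pattern, label, weight in INDICATORS
            if re.search(pattern, text, re.IGNORECASE | re.DOTALL)]
    return sum(w for _, w in hits), hits


def is_chain_letter_hoax(text, threshold=5):
    """A warning only 'replicates' if it carries the plea to forward, so that
    indicator is mandatory; the scare score then has to clear the threshold."""
    score, hits = score_hoax(text)
    has_search_routine = any(label.startswith("search") for label, _ in hits)
    return has_search_routine and score >= threshold
```

Requiring the forwarding plea rather than just a high scare score is what keeps a genuine one-line "don't open attachments from strangers" reminder from being flagged.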
So how does a computer get infected by a computer virus?
You must always run a vulnerable program in association with
the virus code in order to catch one. In the case of the
Morris Worm, all you needed to do was hook up your computer as
an Internet host. The sendmail and finger daemons, which
run quietly in the background all the time, were the active programs
that spread the Worm. In the case of MS Word macros, the
act of reading an MS Word text file activates a macro which replicates
the virus. In the case of a boot sector virus, simply putting
a floppy disk into a drive and giving a command to see what is
on the disk propagates the virus.
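Boot sector infectors usually leave the disk's BIOS Parameter Block and boot signature intact and only redirect the initial jump, which is why purely structural checks pass while a baseline hash of a known-clean sector does not. The Python below is an added illustration, not code from the original Guide: the 512-byte DOS floppy boot sector is constructed here, and the "infection" is simulated by changing only three bytes.

```python
import hashlib
import struct


def build_clean_boot_sector():
    """Construct a plausible 512-byte DOS floppy boot sector (sample data, not a real disk)."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"    # JMP SHORT over the BPB to the boot code at 0x3E; NOP
    sector[3:11] = b"MSWIN4.1"       # OEM name
    # BIOS Parameter Block for a 1.44 MB floppy: bytes/sector, sectors/cluster,
    # reserved sectors, FAT copies, root entries, total sectors, media byte,
    # sectors/FAT, sectors/track, heads
    struct.pack_into("<HBHBHHBHHH", sector, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    sector[0x3E:0x43] = b"\xFA\x33\xC0\x8E\xD0"   # boot code start: cli; xor ax,ax; mov ss,ax
    sector[510:512] = b"\x55\xAA"    # boot signature the BIOS requires
    return bytes(sector)


def sanity_check(sector):
    """Structural checks a simple scanner might make; returns a list of problems found."""
    if len(sector) != 512:
        return ["sector is not 512 bytes"]
    problems = []
    if sector[0] not in (0xEB, 0xE9):
        problems.append("no jump instruction at offset 0")
    if sector[510:512] != b"\x55\xAA":
        problems.append("missing 0x55AA boot signature")
    bytes_per_sector = struct.unpack_from("<H", sector, 11)[0]
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        problems.append("implausible bytes-per-sector in BPB")
    return problems


def fingerprint(sector):
    """Baseline hash, recorded while the disk is known to be clean."""
    return hashlib.sha256(sector).hexdigest()


def matches_baseline(sector, known_hash):
    return fingerprint(sector) == known_hash


def simulate_infected_sector(clean):
    """Mimic what a typical boot sector infector leaves behind: BPB and signature
    intact, only the initial jump redirected so code stored elsewhere runs first.
    (Simulation only: three bytes are changed, no viral code is involved.)"""
    sector = bytearray(clean)
    sector[0:3] = b"\xEB\x7E\x90"    # jump to a different offset than the original boot code
    return bytes(sector)


if __name__ == "__main__":
    clean = build_clean_boot_sector()
    baseline = fingerprint(clean)
    suspect = simulate_infected_sector(clean)
    print("structural problems:", sanity_check(suspect))                 # [] -> looks fine
    print("matches clean baseline:", matches_baseline(suspect, baseline))  # False -> modified
```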
How to Fight Them
Maybe you are one of those people who greet each new
uninvited program with the shout "Get that !@#$@#$% virus
OUT of my COMPUTER!" If so, what is the best way to
avoid infection? Once infected, how do you get that !@#$@#$%
virus OUT?
There are a number of commercial antivirus programs that
automatically scan for viruses every day at a certain time, as
well as every time you start your computer. They also scan
every floppy disk for boot sector viruses every time you load
one in a disk drive and try to read it. I use Norton Antivirus
with good results; many others say McAfee works well.
Dr. Ludwig reports that all commercial antivirus software works
about equally poorly. Of course, he's always testing
them against the most amazing, exotic, tricky viruses in the
world, half of which he has written himself. So it's
understandable that he's not impressed.
I learned the hard way that a really bad way to get antivirus
software was from a floppy given to me by a friend. I tried
that once and caught a new virus from his floppy instead of getting
rid of an old one! That disk was infected with a boot sector
infector. So before I could even run my friend's
program, the instant my computer tried to read the directory
on the disk, it got infected. This new virus had the cute
side effect of disabling the antivirus program.
Because of this problem, commercial antivirus software
comes complete with instructions on how to bootstrap your computer
back to health. If you don't follow those instructions
exactly, you may end up like me, giving your computer a virus
instead of eradicating one.
Since, according to Ludwig, there are many viruses out
there for which there are no antivirus programs, this should
motivate us to try to avoid catching them in the first place.
What are some precautions even those of us who run commercial
antivirus programs should take? Here are my top recommendations.
1) Use the Unix operating system. There are few Unix viruses
or worms. I like to think that is because it is a superior
operating system. However, it may also be largely because
Windows computers are common and cheap and the kind of people
who code malicious viruses are so lame that they can't figure
out how to code for Unix systems. However, be warned --
the second part of this Guide includes the source code for a
Unix virus!
2) See that kewl warez d00dz site? Wouldn't it be nice
to get thousands of dollars worth of commercial software from
them for free? Watch out! The kind of guys who pirate
software might also be the kind of guys who get a chuckle out
of reformatting your hard drive by giving you viruses hidden
in their archives. Also, some people fight warez sites
by secretly booby-trapping them with viruses.
3) See that lovely haxor dOOdz site full of animated flames,
spinning skulls and creepy organ music? See all those programs
on that site that promise to empower you to mail bomb people,
crash their computers and break into the Pentagon? Now,
is it just possible that the kind of people who want to help
other people raise heck -- gosh -- could they also be the kind
of people who would slip a virus or two into those programs you
download?
4) See that email with an attached file? The sender
says it is a really kewl program. A new game, better than
Quake or Barbie Fashion Designer. Wait, why is a stranger
sending you a free game program? Maybe he's up to
no good. Or -- maybe it is an attached file sent to you
by a friend. Wait! How do you know that email is
really from your friend? Does it have his or her PGP signature?
Have you phoned your friend to ask whether he or she really sent
you that program? Don't run a new program unless you
are certain it comes from a trustworthy source.
5) Upgrade Microsoft Office (or Microsoft Word) to Office
97 (Word 97). This disables all the old macro viruses.
It also checks for macros in any new file you open. If
it finds them, it prompts you to decide whether you want to disable
these macros. Unfortunately, it is even easier to write
macro viruses for Office 97, which uses Visual Basic for its
macro language. So if you want to be really safe, simply
refuse to let any macros whatsoever run on this office suite.
Better yet, use some other office suite such as Corel.
Only Microsoft programs are vulnerable to macro viruses.
6) Disable Java on your Web browser. Haven't heard
about Java viruses yet? In part two of this Guide you will
get source code for a Java virus that infects Unix computers
that run the Bourne shell. Java can also transmit viruses
that will infect Windows computers.
7) Do or don't do all the other stuff I forgot to put
in this list. What this really means is, don't trust
me or anyone to be the last word on viruses. Good books
to study which include source code to viruses are It's
Alive by Dr. Fred Cohen (Wiley, New York, 1994) and The
Giant Black Book of Computer Viruses by Dr. Mark Ludwig
(American Eagle, Show Low AZ, 1998). You can also get lots
of information from the virus-l email list, a moderated, digested
mail forum. To subscribe to the email list, email listproc@lehigh.edu
with the message "subscribe virus-l". Archives are at ftp://ftp.cs.ucr.edu/pub/virus-l.
An archive of virus FAQs is at http://webworlds.co.uk/dharley/anti-virus/virFAQs.
For Mac viruses, email listproc@listproc.bgsu.edu a message containing
the line "subscribe mac-virus-announce YOUR FULL NAME".
More on viruses --->>