Chapter 2
DEFINITIONS AND TIMELINE
It would be nice to present a clever taxonomy of malicious software, one that
clearly shows how each type of malware relates to every other type. However,
a taxonomy would give the quaint and totally incorrect impression that there is
a scientific basis for the classification of malware.
In fact, there is no universally accepted definition of terms like "virus" and
"worm," much less an agreed-upon taxonomy, even though there have been occasional
attempts to impose mathematical formalisms onto malware. Instead
of trying to pin down these terms precisely, the common characteristics each
type of malware typically has are listed.
2.1 Malware Types
Malware can be roughly broken down into types according to the malware's
method of operation. Anti-"virus" software, despite its name, is able to detect
all of these types of malware.
There are three characteristics associated with these malware types.
1 Self-replicating malware actively attempts to propagate by creating new
copies, or instances, of itself. Malware may also be propagated passively,
by a user copying it accidentally, for example, but this isn't self-replication.
2 The population growth of malware describes the overall change in the number
of malware instances due to self-replication. Malware that doesn't self-replicate
will always have a zero population growth, but malware with a
zero population growth may self-replicate.
3 Parasitic malware requires some other executable code in order to exist.
"Executable" in this context should be taken very broadly to include anything
that can be executed, such as boot block code on a disk, binary code
in applications, and interpreted code. It also includes source code, like application
scripting languages, and code that may require compilation before
being executed.
2.1.1 Logic Bomb
Self-replicating: no
Population growth: zero
Parasitic: possibly
A logic bomb is code which consists of two parts:
1 A payload, which is an action to perform. The payload can be anything, but
has the connotation of having a malicious effect.
2 A trigger, a boolean condition that is evaluated and controls when the payload
is executed. The exact trigger condition is limited only by the imagination,
and could be based on local conditions like the date, the user logged
in, or the operating system version. Triggers could also be designed to be
set off remotely, or - like the "dead man's switch" on a train - be set off by
the absence of an event.
Logic bombs can be inserted into existing code, or could be standalone. A simple
parasitic example is shown below, with a payload that crashes the computer
using a particular date as a trigger.
legitimate code
if date is Friday the 13th:
    crash_computer()
legitimate code
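As an added example (not from the book), one way a defender can surface a date trigger like the one above: run the suspect routine under a simulated clock for every day in a window and report the dates on which its behaviour deviates from the norm. The routine process_records and its recorded "payload" marker are constructed stand-ins; the clock is injected as a parameter so the sweep is harmless and repeatable.

```python
from datetime import date, timedelta

def process_records(records, today):
    """Constructed stand-in for the chapter's parasitic logic bomb.
    The clock is injected as `today` so an audit can sweep the calendar;
    the destructive payload is replaced by a recorded marker."""
    effects = []
    effects.append(("tally", sum(records)))            # legitimate code
    if today.day == 13 and today.weekday() == 4:       # trigger: Friday the 13th
        effects.append(("payload", "crash_computer"))  # stand-in for the payload
    effects.append(("done", len(records)))             # legitimate code
    return effects

def sweep_dates(fn, records, start, days):
    """Run fn once per day over [start, start + days) and return, as ISO
    strings, the dates whose effects differ from the majority behaviour."""
    observed = {}
    for n in range(days):
        day = start + timedelta(days=n)
        observed[day] = tuple(fn(records, day))
    counts = {}
    for effects in observed.values():
        counts[effects] = counts.get(effects, 0) + 1
    baseline = max(counts, key=counts.get)   # what the code does on a normal day
    return [d.isoformat() for d in sorted(observed) if observed[d] != baseline]

def trigger_dates_in_year(year, fn=process_records, records=(1, 2, 3)):
    """Sweep one calendar year; leap years fall out of the date arithmetic."""
    start = date(year, 1, 1)
    days = (date(year + 1, 1, 1) - start).days
    return sweep_dates(fn, list(records), start, days)

if __name__ == "__main__":
    print(trigger_dates_in_year(2024))   # ['2024-09-13', '2024-12-13']
```

The same sweep works for any injected condition (user name, OS version), since it only compares observed effects against the majority case.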
Logic bombs can be concise and unobtrusive, especially in millions of lines
of source code, and the mere threat of a logic bomb could easily be used to
extort money from a company. In one case, a disgruntled employee rigged a
logic bomb on his employer's file server to trigger on a date after he was fired
from his job, causing files to be deleted with no possibility of recovery. He
was later sentenced to 41 months in prison. Another case alleges that an
employee installed a logic bomb on 1000 company computers, date-triggered
to remove all the files on those machines; the person allegedly tried to profit
from the downturn in the company's stock prices that occurred as a result of the
damage.
2.1.2 Trojan Horse
Self-replicating: no
Population growth: zero
Parasitic: yes
There was no love lost between the Greeks and the Trojans. The Greeks had
besieged the Trojans, holed up in the city of Troy, for ten years. They finally
took the city by using a clever ploy: the Greeks built an enormous wooden horse,
concealing soldiers inside, and tricked the Trojans into bringing the horse into
Troy. When night fell, the soldiers exited the horse and much unpleasantness
ensued.
In computing, a Trojan horse is a program which purports to do some benign
task, but secretly performs some additional malicious task. A classic example is
a password-grabbing login program which prints authentic-looking "username"
and "password" prompts, and waits for a user to type in the information. When
this happens, the password grabber stashes the information away for its creator,
then prints out an "invalid password" message before running the real login
program. The unsuspecting user thinks they made a typing mistake and reenters
the information, none the wiser.
Trojan horses have been known about since at least 1972, when they were
mentioned in a well-known report by Anderson, who credited the idea to D. J.
Edwards.
2.1.3 Back Door
Self-replicating: no
Population growth: zero
Parasitic: possibly
A back door is any mechanism which bypasses a normal security check. Programmers
sometimes create back doors for legitimate reasons, such as skipping
a time-consuming authentication process when debugging a network server.
As with logic bombs, back doors can be placed into legitimate code or be
standalone programs. The example back door below (the first if statement)
circumvents a login authentication process.
username = read_username()
password = read_password()
if username is "133t h4ck0r":
    return ALLOW_LOGIN
if username and password are valid:
    return ALLOW_LOGIN
else:
    return DENY_LOGIN
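As an added example (not the book's code), a review-time check that catches the hard-coded bypass above: pull every string literal out of the compiled login routine and try each one as a username with a random password that cannot be correct; any ALLOW_LOGIN is a bypass. The login functions, the credential store VALID_USERS and the helper names are constructed for this example.

```python
import hmac
import secrets
import types

ALLOW_LOGIN, DENY_LOGIN = "ALLOW_LOGIN", "DENY_LOGIN"

# Constructed credential store. Plaintext passwords keep the example short;
# a real store would hold salted password hashes.
VALID_USERS = {"alice": "correct horse", "bob": "battery staple"}

def credentials_valid(username, password):
    expected = VALID_USERS.get(username)
    # constant-time comparison; bytes so non-ASCII input cannot raise
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def login_with_back_door(username, password):
    """Python rendering of the chapter's pseudocode: one hard-coded
    username skips the password check entirely."""
    if username == "133t h4ck0r":
        return ALLOW_LOGIN
    if credentials_valid(username, password):
        return ALLOW_LOGIN
    return DENY_LOGIN

def login_clean(username, password):
    """The same routine with the bypass removed."""
    if credentials_valid(username, password):
        return ALLOW_LOGIN
    return DENY_LOGIN

def string_constants(fn):
    """Every string literal compiled into fn, taken from the bytecode's
    constant pool (nested code objects included), so no source is needed."""
    found, todo = set(), [fn.__code__]
    while todo:
        code = todo.pop()
        for const in code.co_consts:
            if isinstance(const, str):
                found.add(const)
            elif isinstance(const, types.CodeType):
                todo.append(const)
    return found

def find_bypasses(auth_fn):
    """Try each literal from auth_fn as a username with a random password
    that cannot be right; any ALLOW_LOGIN is a hard-coded bypass."""
    wrong_password = secrets.token_hex(16)
    return sorted(lit for lit in string_constants(auth_fn)
                  if auth_fn(lit, wrong_password) == ALLOW_LOGIN)

if __name__ == "__main__":
    print(find_bypasses(login_with_back_door))   # ['133t h4ck0r']
    print(find_bypasses(login_clean))            # []
```

The check only finds bypasses keyed on literals present in the routine itself; a bypass that reads its magic value from elsewhere needs the wider sweep of inputs described for logic bombs.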
One special kind of back door is a RAT, which stands for Remote Administration
Tool or Remote Access Trojan, depending on who's asked. These programs
allow a computer to be monitored and controlled remotely; users may deliberately
install these to access a work computer from home, or to allow help desk
staff to diagnose and fix a computer problem from afar. However, if malware
surreptitiously installs a RAT on a computer, then it opens up a back door into
that machine.
2.1.4 Virus
Self-replicating: yes
Population growth: positive
Parasitic: yes
A virus is malware that, when executed, tries to replicate itself into other executable
code; when it succeeds, the code is said to be infected. The infected
code, when run, can infect new code in turn. This self-replication into existing
executable code is the key defining characteristic of a virus.
When faced with more than one virus to describe, a rather silly problem
arises. There's no agreement on the plural form of "virus." The two leading
contenders are "viruses" and "virii;" the latter form is often used by virus writers
themselves, but it's rare to see this used in the security community, who prefer
"viruses."
If viruses sound like something straight out of science fiction, there's a reason
for that. They are. The early history of viruses is admittedly fairly murky, but
the first mention of a computer virus is in science fiction in the early 1970s,
with Gregory Benford's The Scarred Man in 1970, and David Gerrold's When
Harlie Was One in 1972. Both stories also mention a program which acts to
counter the virus, so this is the first mention of anti-virus software as well.
The earliest real academic research on viruses was done by Fred Cohen in
1983, with the "virus" name coined by Len Adleman. Cohen is sometimes
called the "father of computer viruses," but it turns out that there were viruses
written prior to his work. Rich Skrenta's Elk Cloner was circulating in 1982, and
Joe Dellinger's viruses were developed between 1981 and 1983; all of these were
for the Apple II platform. Some sources mention a 1980 glitch in Arpanet
as the first virus, but this was just a case of legitimate code acting badly; the
only thing being propagated was data in network packets. Gregory Benford's
viruses were not limited to his science fiction stories; he wrote and released non-malicious
viruses in 1969 at what is now the Lawrence Livermore National
Laboratory, as well as in the early Arpanet.
Some computer games have featured self-replicating programs attacking one
another in a controlled environment. Core War appeared in 1984, where programs
written in a simple assembly language called Redcode fought one another;
a combatant was assumed to be destroyed if its program counter pointed
to an invalid Redcode instruction. Programs in Core War existed only in a
virtual machine, but this was not the case for an earlier game, Darwin. Darwin
was played in 1961, where a program could hunt and destroy another combatant
in a non-virtual environment using a well-defined interface. In terms of
strategy, successful combatants in these games were hard-to-find, innovative,
and adaptive, qualities that can be used by computer viruses too.
Traditionally, viruses can propagate within a single computer, or may travel
from one computer to another using human-transported media, like a floppy
disk, CD-ROM, DVD-ROM, or USB flash drive. In other words, viruses don't
propagate via computer networks; networks are the domain of worms instead.
However, the label "virus" has been applied to malware that would traditionally
be considered a worm, and the term has been diluted in common usage to refer
to any sort of self-replicating malware.
Viruses can be caught in various stages of self-replication. A germ is the
original form of a virus, prior to any replication. A virus which fails to replicate
is called an intended. This may occur as a result of bugs in the virus, or
encountering an unexpected version of an operating system. A virus can be
dormant, where it is present but not yet infecting anything - for example, a
Windows virus can reside on a Unix-based file server and have no effect there,
but can be exported to Windows machines.
2.1.5 Worm
Self-replicating: yes
Population growth: positive
Parasitic: no
A worm shares several characteristics with a virus. The most important characteristic
is that worms are self-replicating too, but self-replication of a worm
is distinct in two ways. First, worms are stan