Malicious Code 101: Definitions and Background

Malicious code in general can be defined as "software which interferes with the normal operation of a computer system." Another general definition might be "software which executes without the express consent of the user."

Basic Definitions

The colorful names given to different types of malicious code reflect different approaches to malicious programming. Several years ago, a key member of IBM's anti-virus team, Alan Fedeli, provided working definitions for three types of malicious code:

  • Virus: a program which, when executed, can add itself to other programs, without permission, and in such a way that the infected program, when executed, can add itself to still other programs.
  • Worm: a program which copies itself into nodes in a network, without permission.
  • Trojan: a program which masquerades as a legitimate program, but does something other than what was intended (as in the deceptive wooden horse used by the Greek army to achieve the fall of Troy).

Note that while viruses and worms replicate themselves, Trojans do not. Viruses and worms both produce copies of themselves but worms do so without using host files as carriers. Also note that, despite the use of medical terminology to describe computer viruses, such as "infection" of "host" programs, these pieces of program code are not a biological life form of any kind (some scientists, notably Dr. Stephen Hawking, have postulated that viruses may constitute a life form, but this is a theoretical concept, and there is certainly no need to wear rubber gloves and a surgical mask when handling infected files).

A fourth category of malicious code, the logic bomb, has historically been associated with mainframe programs but can also appear in desktop and network applications. A logic bomb can be defined as dormant code, the activation of which is triggered by a pre-determined time or event. For example, a logic bomb might start erasing data files when the system clock reaches a certain date or when the application has been loaded X number of times. In practice, these various elements can be combined, so that a virus could gain access to a system via a Trojan, then plant a logic bomb, which triggers a worm.

Code Attack Types

Confusion about the different types of malicious code is widespread, due in part to the way the problem has matured from shop talk in data processing departments to general public consciousness. Here is how IBM's Al Fedeli put it: "Since the late 1980s, corporations have witnessed harmful code events, and have taken some precautions as a direct result. Key events include: the Internet Worm of 1989 which was written by Robert Tappan Morris, the Christmas EXEC Worms experienced by universities and corporations, the media attention to the Jerusalem or Friday the 13th virus in 1989, the AIDS Trojan Horse which was distributed to conference attendees in 1990, Internet break-ins described by Clifford Stoll in The Cuckoo's Egg, and the Michelangelo media hype in March, 1992. These events are a mix of PC viruses, network worms, and Trojan horses, which tend to blur the harmful code issue, making it hard for the layman to understand what is under attack, and what can and should be defended against."

What is under attack is the integrity of your data, the reliability of your systems, and the resources of your organization. The integrity of your data is threatened by aggressive viruses that attempt to format hard disks, Trojans that try to delete directory structures, and logic bombs that threaten to delete customer records unless money is paid to the programmer who wrote your order-taking application. The reliability of your systems is threatened by viruses that spread from machine to machine across a network, by Trojan horses that trap keystrokes to compromise passwords, and by worms that clog memory and storage facilities and slow down the system. The resources of your organization are threatened by the need to divert processing cycles and person-power to the task of watching out for, and cleaning up after, virus infections, Trojan attacks, and worm outbreaks. We will now look more closely at what can and should be defended against.

What is a Computer Virus?

Some of the first serious experiments with virus code were carried out in 1983 by Dr. Fred Cohen who originally used this definition of a virus: "a program that can infect other programs by modifying them to include a slightly altered copy of itself." A decade later, the following definition appears on the first page of Cohen's book, A Short Course on Computer Viruses, which many consider to be required reading for serious students of the subject:

"When we talk about computer viruses in the deepest sense, we are talking about sequences of symbols in the memory of a machine....What makes one of those sequences of symbols an element of a "viral set" is that when the other machine interprets that sequence of symbols, it causes some other element of that viral set to appear somewhere else in the system at a later point in time."

Viruses were described in more practical and less scientific terms in the booklet "How to Avoid Computer Viruses" produced by the National Computer Security Association (with help from 3M and Ziff-Davis) as a relatively small program that does certain things:

  • Gets onto a computer hard disk without being invited or announcing its arrival.
  • Lies in wait, later ambushing your computer when you do something innocent like turning on the computer or opening a software application.
  • Reproduces itself so it can secretly spread to other parts of the hard disk, to diskettes or to other computers.

Further light is shed by IBM's Al Fedeli who notes that "While viruses exhibit many other characteristic behaviors, such as causing pranks, changing or deleting files, displaying messages or screen effects, hiding from detection by changing or encrypting themselves, modifying programs and spreading are the necessary and sufficient conditions for a program to be considered a virus."

So how do viruses differ from worms and Trojans? In the document "Computer Virus Myths", shareware and virus experts Rob Rosenberger and Ross M. Greenberg state that "a computer virus falls in the realm of malicious programming techniques known as "Trojan horses." However, other experts would say that this stretches the definition of Trojan horse too far, since many viruses gain access to systems without directly misrepresenting themselves to the user as something beneficial. Indeed, boot sector viruses, which are still relatively common, are practically invisible.

Fedeli notes that Trojan horses tend to be single instances of harmful code, "such as a modified payroll system, or an unauthorized addition to software which is being distributed." A virus carries out its task of replication by altering files, usually program files, attaching itself to them and spreading from one to another, much like a biological virus attacks and spreads among cells. The files modified by the virus act as carriers for the virus, leading to the definition "a self-replicating file modification."

As to the distinction between viruses and worms, Fedeli observes that "Worms spread, as do viruses, but worms don't modify or attach themselves to other code. If they did, they would be viruses. This distinction between viruses and worms isn't appreciated, and the terms are frequently used synonymously. But notice that worms tend to get stamped out quickly, since they don't leave their residue in other programs, while viruses persist. Perhaps the distinction is more than semantics." The very act of modifying files means that the presence of a virus causes disruption to normal operation, in addition to which the virus program can be written to carry out a specific task, like playing a tune at a certain time every day.
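The practical consequence of this distinction is the integrity checker, a defense that looks for exactly the file modification a virus must make and that a worm, by definition, does not. The following is an added example, not code from the original article or from any product it mentions: it records SHA-256 digests of the program files under a directory while the system is known to be clean, and later reports anything modified, added, or missing. The extension list, the sample files, and the simulated appending infector are constructed for illustration.

```python
"""Program-file integrity checker (added example, not from the original
article).  Viruses must modify host programs to spread; worms do not.  A
baseline of file digests taken on a clean system therefore catches the
'self-replicating file modification' even when the virus itself is new
to the scanner.  Sample files, the extension list and the simulated
infector below are constructed for illustration."""
import hashlib
import json
import os
import tempfile

# DOS-era program extensions; an assumption for this example.
PROGRAM_EXTENSIONS = {".exe", ".com", ".sys", ".ovl"}


def digest(path):
    """SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each program file under root (relative path) to its digest."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in PROGRAM_EXTENSIONS:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = digest(full)
    return baseline


def verify(root, baseline):
    """Compare the current state with the baseline.

    Returns (modified, added, missing) as sorted lists of relative paths.
    """
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, added, missing


def simulate_appending_infector(path, body=b"<constructed virus body>"):
    """Stand-in for a file virus: it alters the host by appending to it."""
    with open(path, "ab") as f:
        f.write(body)


def demo():
    """Build a clean baseline, 'infect' one host and drop a new file, then verify."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("EDIT.COM", b"host program A"),
                           ("FORMAT.COM", b"host program B"),
                           ("README.TXT", b"not a program, not tracked")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        # The baseline must be kept where the virus cannot rewrite it
        # (write-once media or a clean diskette); serialising it stands in for that.
        saved = json.dumps(build_baseline(root))

        simulate_appending_infector(os.path.join(root, "EDIT.COM"))
        with open(os.path.join(root, "NEW.EXE"), "wb") as f:
            f.write(b"dropped by the infector")

        return verify(root, json.loads(saved))


if __name__ == "__main__":
    modified, added, missing = demo()
    print("modified:", modified, "added:", added, "missing:", missing)
```

Two caveats a practitioner would add. The checker only reports change; it cannot tell a legitimate upgrade from an infection, so someone must reconcile the report against known installs. And a resident stealth virus can intercept file reads and feed the checker the original bytes, so the comparison should be run after booting from clean, write-protected media, with the baseline itself stored off-line.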

In a mix of metaphors, such a virus task is referred to as a payload and the event that releases or invokes it is referred to as a trigger. Triggers may be dates or actions, such as booting up the machine. Some payloads are very nasty, such as corrupting the file allocation table (FAT) on a disk and thus rendering files inaccessible. Even though playing a tune may not seem like a particularly disruptive task, it is impossible (as argued under "What's the Problem?" below) to write a virus that can carry out such a task without interfering with the normal operation of the host system, if for no other reason than that the programmer cannot possibly predict conditions on all of the host computers to which the virus will spread. A lot of viruses attack operating system files, meaning that they have the potential to disrupt a wide range of users.

Other viruses attack a particular application. Consider the virus that attacks dBASE data files, stored with the DBF extension. The virus reverses the order of bytes in the file as it is written to disk. The virus reverses them back to normal when the file is retrieved, making the change transparent to the casual user. However, if the file is sent to an uninfected user, or if the virus is inadvertently removed from the host system, the data is left in a scrambled state.
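The dBASE case is worth modelling because it shows a failure mode of clean-up itself: remove the virus first and every data file it touched is left reversed. The following is an added example, not code from the original article; it follows the page's description (bytes reversed on write, restored on read) as a stand-in for whatever transform the real virus used, assumes every .DBF on the disk was written while the virus was resident, and uses constructed records rather than a real DBF file. It contrasts a naive clean-up with one that rescues the data first.

```python
"""Transparent data-file transform, in the style the article attributes to
the dBASE virus (added example, not from the original article).  The page
says the virus reverses byte order on write and restores it on read; this
model follows that description and assumes every .DBF on the disk was
written while the virus was resident.  It shows the failure mode (naive
disinfection strands the data) and the cleanup order that avoids it."""


def _is_dbf(name):
    return name.upper().endswith(".DBF")


class InfectedHost:
    """In-memory disk whose .DBF writes and reads pass through the 'virus'."""

    def __init__(self):
        self.disk = {}              # filename -> bytes as actually stored
        self.virus_resident = True

    def write(self, name, data):
        # While resident, the virus reverses .DBF bytes on the way to disk.
        self.disk[name] = data[::-1] if (self.virus_resident and _is_dbf(name)) else data

    def read(self, name):
        # ...and reverses them back on the way out, so the user sees nothing odd.
        raw = self.disk[name]
        return raw[::-1] if (self.virus_resident and _is_dbf(name)) else raw


def naive_cleanup(host):
    """Remove the virus and nothing else: the data on disk stays reversed."""
    host.virus_resident = False


def careful_cleanup(host):
    """Read every .DBF through the infected view first, remove the virus,
    then write the plaintext back, so the disk ends up holding real data."""
    plain = {name: host.read(name) for name in host.disk if _is_dbf(name)}
    host.virus_resident = False
    for name, data in plain.items():
        host.write(name, data)


# Constructed sample records; a real DBF has a header, which is irrelevant here.
RECORDS = {
    "CUSTOMER.DBF": b"CUST001 ACME CORP  1995-03-31 00012500",
    "ORDERS.DBF":   b"ORD0042 CUST001    1995-04-02 00000700",
    "NOTES.TXT":    b"plain text is not touched by this virus",
}


def scenario(cleanup):
    """Populate an infected host, apply a cleanup routine, and return what a
    clean system then reads for each file."""
    host = InfectedHost()
    for name, data in RECORDS.items():
        host.write(name, data)
    cleanup(host)
    return {name: host.read(name) for name in RECORDS}


if __name__ == "__main__":
    for label, fn in (("naive", naive_cleanup), ("careful", careful_cleanup)):
        print(label, scenario(fn)["CUSTOMER.DBF"])
```

The same reversed bytes are what an uninfected colleague sees if the file is copied to them, which is why a virus of this kind is often first noticed off the infected machine. The order in careful_cleanup is the point: recover data through the virus's own view while it is still resident, then remove it.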

Before moving on to Trojan horses, it is important to point out that although some people say there are tens of thousands of viruses to worry about, as of Spring 2000, only a few hundred were "in the wild". This term is reserved for viruses that have actually infected someone, somewhere. It is important to distinguish this small number of "in the wild" viruses from the much larger number of "in the zoo" viruses. We use this term to describe a virus that has never been seen in a real world situation (believe it or not, some people who write viruses send them to anti-virus researchers, which is one reason the population of the zoo far out-numbers that of the wild).

What is Trojan Code?

According to Rosenberger and Greenberg "Trojan horse is a generic term describing a set of computer instructions purposely hidden inside a program. Trojan horses tell programs to do things you don't expect them to do. The term comes from the legendary battle in which the ancient city of Troy received a large wooden horse to commemorate a fierce battle." This gift horse held enemy soldiers in its belly who thus gained entrance to the fortified city.

In computer terms, a seemingly legitimate program is loaded by the user, but at some point thereafter Trojan code goes to work, possibly capturing password keystrokes or erasing data. Such was the case with a Trojan that troubled Mac users in 1988. The so-called Sexy Ladies HyperCard stack dished up the promised pictures, but also erased data on the computer that loaded it. A more recent example appeared in 1995 when someone started distributing a file described as PKZIP 3.0, the long-awaited update of PKZIP version 2.04g, an excellent file archiving tool. Since the purpose of PKZIP is to compress and decompress files, version 2.04g was distributed as a self-extracting file: it had the EXE extension and was run as a program at the DOS prompt, for the simple reason that someone who does not yet have PKZIP has no way to unpack a compressed archive, so the tool had to unpack itself.

PKZIP 3.0 was also made available on bulletin boards as an executable file, but it was not a self-extracting archive. Instead it was a Trojan horse that attempted to execute the DELTREE and FORMAT commands. Although this particular Trojan was clumsily written, it did work and some people lost data, largely because the underlying idea was cleverly conceived: there had not been an update of PKZIP in several years; it was logical that the update would be an executable; and millions of people used PKZIP, many of them unlicensed shareware users.

Perhaps the most famous case of a Trojan horse was the "AIDS disk,'' distributed in 1989. This installed a hidden counter that was incremented by one each time the system started. After approximately 90 such starts, data on the hard disk was encrypted and a message displayed indicating that the only way to get the data back was to pay the licensing fee to PC Cyborg Corporation. The program was clearly an attempt to extort money from unsuspecting users (the program actually conducted an AIDS risk factor questionnaire, so that users might have considerable reason to be nervous about their data -- for more on the case, see below). So, while virus programs might sound very nasty, gaining undetected entrance to a computer system by hiding within a normal program, and then spreading to other programs within the new host, Trojan software may be no less malicious. However, instead of spreading secretly, Trojans depend upon being attractive or interesting to prospective users.

What is a Worm?

According to Rosenberger and Greenberg, a worm is similar to a Trojan horse, but there is no "gift" involved: "If the Trojans had left that wooden horse outside the city, they wouldn't have been attacked from inside the city. Worms, on the other hand, can bypass your defenses without having to deceive you into dropping your guard." The classic example is a program designed to spread itself by exploiting bugs in network software. In the context of malignant programs, worm is used figuratively.

A worm is a program that spreads parts of itself across many different computers connected into a network. The parts remain in touch with, or related to, each other, hence the name, by analogy with a segmented worm. Naturally, this has a disruptive effect on the host computers, eating up empty space in memory and storage and wasting valuable processing time. (This has no connection with the acronym WORM, standing for Write-Once Read-Many, a type of optical disk drive used for archiving data, and as such a defense against breaches of security, since what has been written to it cannot later be altered.)

The best-known example is the Internet worm, which consumed so much memory space and processor time that eventually several thousand computers ground to a halt (the Morris/Internet worm has been exhaustively analyzed). More destructive worms might erase files. But even without malicious intent, communications on the network are likely to be disrupted by any worm as it attempts to grow from one area to another. Most people agree that a worm is typified by independent growth rather than modification of existing programs.

The difference between a worm and a virus might be characterized by saying a virus reproduces, while a worm grows. You could even distinguish between a worm infestation and a virus infection. Worm programs have been more harshly described as "program code that destroys data held in memory or storage," the implication being that worms cannot operate without negatively affecting the computers that "host'' them. In recent years there have been several cases of worms that spread via email, notably the LoveLetter code of May 2000. Like viruses, worms can be left dormant within legitimate code to be triggered later by such events as a particular date or a certain number of uses of the host program. Malicious code that is triggered like this can also be described as a logic bomb.

What is a Logic Bomb?

One of the oldest forms of malicious programming is the creation of dormant code that is later activated or triggered by specific circumstances. Typical triggers are events such as a particular date or a certain number of system starts. Stories abound of disgruntled programmers planting logic bombs to get back at employers deemed to have been unfair. Several logic bombs have been planted in order to extort money ("pay up or the computer gets it''). This requires paying up or finding the malicious code and removing it. The latter option can be extremely costly when the system is a large mainframe computer.

What's the Problem?

While the terms virus and worm might sound playful, another term for such programs is harmful code, which acknowledges the fact that some people who write this type of code claim that their intentions are not malicious. In some cases this may be true, but it really makes no difference to the ethical or practical implications of releasing software that is designed to execute without the express consent of the user.

Ethically speaking, we must object to such software, even when it does not interfere with the normal operation of our systems, as an invasion of privacy. In other words, someone who writes a program that is designed to get onto your system, or use your system's resources, without your permission, is akin to someone walking into your garage and using your workbench without asking.

The practical objection to viruses and worms, Trojans and logic bombs, is that no programmer, however smart, can write code that will run benignly on every computer it encounters. For practical proof of this you probably don't need to look any further than the nearest desktop computer. We have all experienced the frustration of trying to add a new piece of hardware or software to a system only to find that it conflicts with something within the pre-existing configuration. We even learn to live with conflicts because we fear that resolving them would take too long or result in yet more problems. Consider the math behind the number of hardware permutations alone (with just 12 possible alternatives in 12 categories you get 8,916,100,448,256 possible different combinations).

The precise math may well be irrelevant to the practical bottom line: you cannot write benign code which can insert itself unannounced into every system without causing problems for at least some of those systems (consider how hard it is to keep Windows running properly, and that code comes from the world's largest software company, which invested millions of programmer hours and massive beta tests to try and get it right).

Furthermore, even when the code itself does no damage, most of the cost that viruses impose arises from the simple fact that contamination by them must be cleaned up. Unless you search through all the computers at your site (including servers, and maybe even removable media such as diskettes and backups), you can have no assurance that you have found all copies of a virus that may have actually infected only four or five PCs. And if even a single instance of the virus is missed, then other computers will most likely be re-infected and the whole clean-up process must start again.

Virtual Viruses & Virus Hoaxes

The climate of fear and doubt created by viruses has led to the existence of what might be called "virtual viruses." These viruses only exist in people's minds, as rumors. Yet they can still cause a lot of trouble. Consider the message people received early in 1995 via their Internet account. It warned of a "Good Times" virus, allegedly circulated in electronic mail on bulletin boards and commercial online services. The warning stated that simply reading the message in a mail reader would cause it to activate, wreaking various forms of havoc.

A good response to a message like this is to visit a reputable information source, such as the Datafellows hoax pages. These contain excellent advice and a list of all known hoax warnings. With respect to "Good Times," a report from the Purdue Computer Emergency Response Team (CERT) describes how this rumor had first appeared in December of the previous year. Since then nobody has actually reported any credible sighting of such a virus, but the warnings keep appearing, clogging up mail boxes and swamping help desks. Furthermore, as CERT noted, there is always a possibility that "someone is using this as a precursor to a real attack. That is, someone is repeatedly circulating the Good Times rumor to condition people to believing there is no danger, and will then circulate some damaging code under that name....if you ever get any mail labeled Good Times that is in some way executable (that is, a program or command file), do not run it!"

The CERT report also pointed out that "virus and Trojan horse code must be executed in some way to have an effect." That is, it must be run as a program, or passed as instructions to some interpreter program. Prior to Microsoft Outlook, it was generally the case that when e-mail arrived at a system and was read by the user, it was not "executed" by anything that could damage the system, let alone reproduce the code itself. The level of automation achieved by VBScript and HTML-enabled email means that hard and fast claims about what has to happen before an email virus is executed can no longer be made. As of the LoveLetter code in May of 2000, it was still generally true that the user had to do something (such as click on a file icon) to get infected, but this may not continue to be the rule.
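CERT's rule of thumb, that code must be executed to have an effect, translates directly into a triage question for incoming mail: would anything in this message be run or handed to an interpreter? The following is an added example, not code from the original article or from CERT; it classifies attachment names by the extension the operating system actually acts on, catches the double-extension trick (a name such as READ-ME.TXT.vbs displays as READ-ME.TXT when Windows hides known extensions, which is the trick the LoveLetter attachment relied on), and flags HTML bodies that carry script. The extension lists are an assumption chosen for a Windows/Outlook environment of the period, and the message it scans is constructed.

```python
"""Attachment triage for e-mail (added example, not from the original
article).  CERT's point is that code must be executed to have an effect;
this routine flags attachments that Windows would run or hand to a script
interpreter, including the double-extension trick where a name like
READ-ME.TXT.vbs displays as READ-ME.TXT once known extensions are hidden,
and HTML bodies carrying script.  The extension lists are an assumption
for a Windows/Outlook environment of the period; the message is
constructed."""
import email
from email import policy
from email.message import EmailMessage

# Run directly or by the Windows Scripting Host / shell; an assumption for this example.
EXECUTABLE = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".vbe",
              ".js", ".jse", ".wsh", ".wsf", ".hta", ".shs", ".lnk"}
# Office document types that can carry auto-run macros.
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".xlt"}
# Extensions a user reads as harmless when they are the visible half of a double extension.
LOOKS_HARMLESS = {".txt", ".jpg", ".gif", ".doc", ".htm", ".html"}


def classify_name(filename):
    """Return (verdict, reason) for an attachment name, judging by the LAST
    extension, which is the one the operating system acts on."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("unknown", "no extension")
    last = "." + parts[-1]
    if last in EXECUTABLE:
        reason = "executable extension " + last
        if len(parts) >= 3 and "." + parts[-2] in LOOKS_HARMLESS:
            reason += " hidden behind ." + parts[-2] + " (double extension)"
        return ("executable", reason)
    if last in MACRO_CAPABLE:
        return ("macro-capable", "document type that can carry auto-run macros")
    return ("data", "no interpreter will run " + last)


def scan_message(raw):
    """Parse a raw RFC 822 message and report attachments and active HTML."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict, reason = classify_name(name)
        attachments.append((name, verdict, reason))
    active_html = any(
        part.get_content_type() == "text/html" and "<script" in part.get_content().lower()
        for part in msg.walk()
    )
    return {"attachments": attachments, "active_html": active_html}


def build_sample():
    """Constructed message: a text body, an HTML alternative with script,
    and three attachments of differing risk."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "Good Times"
    m.set_content("Kindly check the attached letter.")
    m.add_alternative("<html><body><script>alert('hi')</script></body></html>",
                      subtype="html")
    m.add_attachment(b"MsgBox \"constructed script\"", maintype="application",
                     subtype="octet-stream", filename="READ-ME.TXT.vbs")
    m.add_attachment(b"constructed document", maintype="application",
                     subtype="msword", filename="report.doc")
    m.add_attachment("constructed text", subtype="plain", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    report = scan_message(build_sample())
    for name, verdict, reason in report["attachments"]:
        print(f"{name:20} {verdict:14} {reason}")
    print("active HTML body:", report["active_html"])
```

Note what the check does not do: it judges names and the presence of script, not intent, and it says nothing about the subject line. A message labeled "Good Times" with no executable content is a hoax; the same label on a .vbs attachment is exactly the case CERT warned about.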

 

Malicious Code Costs and Cases

Here are some cases of malicious code that indicate how costly it can be to a computer-using organization, and how long this has been a known and documented problem.

1993 Virus Cost Study

In late April 1993, the Hi virus was discovered at a heavily networked US division of Rockwell International (9 file servers, 630 client PCs, connected to 64 other sites around the world). The virus had entered the division on program disks from a legitimate European business partner. One day after the disks arrived, the Hi virus was found by technicians on file servers, PCs and floppy disks. Despite eradication efforts, the virus continued to infect the network throughout the entire month of May. Here are the costs of this incident, as provided by Rockwell's Micki Krause to the October 1993 issue of Virus Bulletin:

* 160 hours spent by internal PC and LAN support personnel to identify and contain the infections ($45.00 per hour = $7,200).

* An external consultant to assist Rockwell employees in the cleanup (200 hours @ $40 per = $8,000).

* One file server disconnected from the LAN to prevent the virus from propagating across the network. The server was used by 100 employees and was down for an entire day; at $45/hr for 8 hours, with users accessing the server for 25% of the normal workday on average, that is 100 x $45 x 8 x 0.25 = $9,000.

* While some anti-virus software was in use, Rockwell purchased additional software for both the servers and the client PCs for an additional $19,800.

* Total cost of the virus incident to Rockwell = $44,000.

National City Virus Case

As reported in the Ernst & Young Information Security Survey, a virus brought down National City's operations in 1997, spreading throughout the company's Novell NetWare environment to nearly all of the bank's 300 file servers and 10,000 client workstations across six cities in four states. The virus was introduced to the bank's network from eight newly purchased notebook PCs, despite the fact that the bank's IT administrators checked two of the notebooks before hooking all eight to the network. The virus got by them because it was too new for the company's antivirus software to detect.

As the virus spread, users started to call the IT department, reporting that they couldn't log on to their computers. This suggested a logon problem or a Novell NetWare problem, but when the bank found it wasn't either, but a virus, they shut down operations to contain it. The virus didn't wreak havoc on National City's corporate data, but because operations went down, the IT department had to mobilize application-development teams to build workarounds, so that people could get at vital information they needed for their work, which they would have gotten from the network. That meant relying on hard-copy printouts and re-establishing 3270 terminal connections. Two days later, with the help of IBM, National City eradicated the virus. But the attack left an indelible mark, not to mention $500,000 in costs. National City also hired a full-time virus administrator to make sure that all the systems are protected and that all antivirus software updates are done at least once a month.

Burleson Logic Bomb Case

In September 1985, Donald Burleson, a 40-year-old programmer at the Fort Worth-based insurance company USPA, was fired for allegedly being quarrelsome and difficult to work with. Two days later, approximately 168,000 vital records were erased from the company's computers. A logic bomb had gone off, wreaking havoc with the files that were the lifeblood of USPA. Burleson was caught after investigators went back through several years' worth of system files. They found that two years before he was fired Burleson had planted a logic bomb which lay dormant until it was triggered on the day of his dismissal. In 1988 he became the first person in America to be convicted of "harmful access to a computer.''

AIDS Trojan Horse

Known as the "AIDS disk,'' this was distributed in 1989. According to Virus Bulletin "some twenty thousand envelopes containing a 5.25 inch floppy disk were bulk mailed from London to computer users in the UK, Europe, Africa, Scandinavia, and Australia. The disks, which were DOS compatible, were marked "Aids Information Diskette Version 2.0" and encouraged the recipient to insert the disk and install its contents on the computer." When this was done, the program modified AUTOEXEC.BAT so that every time it was executed a hidden counter program incremented by one.

After approximately 90 executions, data on the hard disk was encrypted and a message displayed indicating that the only way to get the data back was to pay the licensing fee to PC Cyborg Corporation. As Virus Bulletin notes "a blue leaflet accompanied the diskette, on the reverse of which and in very small print, was the "License Agreement" which urged the user to send $189 or $378 to a post office box in Panama." The program was clearly an attempt to extort money from unsuspecting users (the program actually conducted an AIDS risk factor questionnaire, so that users might have considerable reason to be nervous about their data). The perpetrator of this scam was one Dr. Joseph Popp, who was identified when he began behaving strangely in Schiphol Airport, Amsterdam. An alert security guard who inspected Popp's luggage spotted a rubber stamp bearing the name PC Cyborg Corporation. After more strange behavior during detention in the UK, Popp was found to be unfit to stand trial, but was later convicted, in absentia, by Italian courts.


Unless otherwise stated © 2000 Spectria InfoSec