The Batman Approach Part I: Historical & Modern Malware/Antimalware

by Jordan Spencer Cunningham on

Blaster Virus Hex Dump

One of the modern world’s most dynamic and prolific concerns is that of computer and network security. Nearly since the dawn of computer technology, viruses and security flaws have plagued client and server machines alike as well as the networks that integrate them. No operating system is immune, though some appear to be more secure than others by nature. Often—but not always—users and administrators are partially to blame for security breaches. In all, these ever-present security flaws are combatted often in a reactionary way and always in a defensive manner, costing industries billions of dollars in damages and technical disaster cleanup every year, not to mention the billions in preventative maintenance. It would be worth the research, investment, and development for the IT departments of every industry spending millions of dollars on defensive security warfare to invest some of that time and money to take a new approach to computer security—that is, to offensively and automatically attack the attackers using tools fashioned after the very weapons attackers have used for decades. In other words, we need groups of people who have the knowledge, skills, and means to fight back against malware to fight fire with fire.

See The Batman Approach Part II: Current Malware Defenses & Their Downfalls

See The Batman Approach Part III: The Only Way Forward Against Malware

Historical Foundations of Malware and Antimalware

Theories about self-replicating “living” software for both malevolent and benevolent purposes made the rounds through technological circles as early as 1949 when John von Neumann explored these avenues in his Theory of Self-Reproducing Automata. A genius among genii, von Neumann’s theory in part predicted the future existence of computer viruses more than two decades prior to the first documented technical example, the benign Creeper that spread through ARPAnet-connected TENEX computers in 1971. Thus began a long war between viruses and computer users—virus makers and system administrators—that rages on stronger than ever despite advances in security and best practice standards and defaults.

ARPAnet, the predecessor to the internet, in 1977

Creeper is commonly accepted as the first known virus. Creeper was completely benign in comparison with today’s long list of viral vehemency. It was a time when computer networks were mostly in trusted hands and a virus was only something with which living beings could be infected: Creeper was developed more as an experiment than for anything else, simply demonstrating the ability for a program to self-replicate and move its way through a network. Creeper’s payload[1] was simply to print “I’M THE CREEPER : CATCH ME IF YOU CAN” on the affected computer’s printer and then “jump” to another node, not generally leaving behind a copy of itself. Again, it can only be called a virus (specifically a “worm”[2]) by technicality—its traits of replication are all it shares with some types of viruses called worms, but the motives behind it, its payload, and especially its method of transport were in no way similar to its more recent and malevolent descendants. For example, the way it transported itself from node to node did not take advantage of some system bug or insecurity but rather used an existing technology known as RSEXEC to “package itself and its data up and ship itself to another RSEXEC instance on another computer which would unpack and fire up the application on the other computer” (see this interview I had with Ray Tomlinson). Actual worms take advantage of programmer oversight, system bugs, and other unintentional system holes while Creeper did not. Also, the design of Creeper was agreed upon between the managers of the various TENEX machines on ARPAnet; Creeper was no surprise to anyone. Still, the creation and deployment of Creeper showed capabilities that had yet to be seen in the computer world; though its capabilities would hardly be used on the TENEX operating system later on, its legacy would endure.

Interestingly enough, the first technical computer virus also spurred the creation of the first technical friendly computer virus, or “helpful worm”. A helpful worm is a type of virus whose payload it is to do beneficial things for the system and the user instead of the kind of malevolent things most viruses do, such as corrupting data, stealing sensitive information, or one or several of a large number of other possible outcomes. In the case of Creeper, its antithesis was Reaper, created by Ray Tomlinson (creator of what would become modern email); Reaper’s entire purpose was to spread throughout computers running the TENEX operating system on ARPAnet (the predecessor to the internet) using the same RSEXEC technology Creeper had used and then remove Creeper from all of those machines; even though Creeper wasn’t created for malevolent purposes, its program would potentially continue jumping from node to node on ARPAnet indefinitely, and thus Reaper was born to remove it. History shows that this approach worked quite well: Reaper effectively eliminated Creeper from ARPAnet. This primeval example of virus elimination raises a question whose answer may be groundbreaking: if offensively attacking a virus with another virus worked at the dawn of virology, why can’t it be effective today?

 

The Danger Today

Virus threats have exploded since Creeper made the rounds on ARPAnet in 1971, especially since the widespread adoption of the internet in the late 1990s and early 2000s. In fact, the chance that your machine is infected with malware right now is a whopping 30%—higher or lower depending on what country you live in and what version of operating system you’re running. It is an ever-present and ever-growing threat that costs consumers over four billion dollars a year in remediation and causes vast arrays of untold problems anywhere from losing one’s family photos to losing control of vital government systems.

Computers running the Windows operating system are by far the group most targeted by virus makers—tens of thousands of known active Windows viruses exist along with all of their innumerable variants[3]. This is due to poor security implementation—especially in past versions of Windows—and a massive, monocultured, untrained userbase. In other words, the majority of Windows viruses don’t spread on their own—most of them spread due to a mixture of users’ poor choices and poor technical knowledge compounded by poor security implementation in the operating system itself.

These problems have led to more than just the frustrating single-user virus infection experience. In recent years there have been cases of compromised Windows machines allowing attackers to steal credit card and other personal information from large companies such as Target as well as numerous examples of large botnets. Botnets are vast networks of computers infected with viruses that give some amount of control of those computers to the owner of the botnet. Botnets are used for subversive purposes, especially to send billions of spam email messages each day, to perform DDoS[4] attacks, to steal money and personal information, and to spread more malware. Botnet wranglers or botnet herders (the term for the people in charge of a botnet) often rent out their botnets, making the illegal practice a very lucrative one. There are botnets that have reached up to an estimated 30 million infected computers, capable of untold naughtiness including nearly 100 billion spam messages per day. Botnets much smaller than this have easily taken down multiple web servers and a plethora of other services.

All of these facts compound upon one another to prove that the virus industry is alive and well, and it wastes billions of dollars and hundreds of thousands of man hours each year, not to mention the untold losses of irreplaceable data, identity information, and much more. It seems a worthy cause against which to fight. The questions, though, are these: Are our current tools doing enough? Using our current practices, will we have and keep the upper hand against malware in coming attacks?

  1. A payload, in terms of virology, is the defining and usually harmful action a virus takes after it successfully spreads to another node. It’s the entire reason the virus was created and was designed to spread maliciously. The action may be, for example, stealing sensitive information, corrupting data, installing a spam mail server, installing a Bitcoin miner, or one or several of a large number of other possible outcomes.
  2. Officially, a virus is a type of computer program that requires a vector to move from one machine to another—a file, for example—always requiring user interaction to replicate and deliver payload—executing that file, for example. In other words, it doesn’t replicate on its own. A worm, however, is a type of computer program that replicates on its own, moving from one node on a network to another without any user intervention. For the purpose of this report and to use the vernacular instead of the technical definition, the term “virus” will be used to denote all types of malware—viruses, worms, and trojans—unless otherwise specified.
  3. Some antivirus makers will cite virus numbers much higher—even up in the tens of millions. This is a scare tactic to get aloof computer users to purchase their products. To get away with quoting such a high number, they’re counting all of the innumerable variants of each virus; for example, if a wannabe hacker captures a virus and makes minor alterations to it, many antivirus companies count that as a new virus even though it is functionally and effectively the same virus. There are many viruses that are polymorphic, meaning that they are able to morph and change their encrypted code through each infection in order to better escape detection while still performing the exact same functions; many antivirus companies also count all of these morphlings as new viruses.
  4. DDoS attacks, or Distributed Denial of Service attacks, are basically done when any number of computers systematically attempt to overwhelm a server’s network and/or system capacities by utilizing normal communication with that server; the goal is to ultimately crowd out legitimate users of the service and even cause the server to crash.