The Batman Approach Part III: The Only Way Forward Against Malware

by Jordan Spencer Cunningham on

Batman's approach: illegal, yes-- but effective?Twenty years of the current defensive antivirus model described previously has proven to be insufficient in the battle against malware. Antivirus companies spend millions of dollars to lead the public to believe that this is the only way. The entire point of this series is to show that it is not the only way, and that we would be shooting ourselves in the foot, so to speak, to keep insisting that it is. Only relying on antivirus would be like only relying on only the body’s immune system for all types of diseases: without modern medicine, even the most mysophobic person would die by his or her sixties. It’s just not a smart idea, but many antivirus companies don’t want anyone believing that.

See The Batman Approach Part I: Historical & Modern Malware/Antimalware

See The Batman Approach Part II: Current Malware Defenses & Their Downfalls

Battling the Powers of Darkness

Thankfully various groups with the knowledge and the means have seen beyond antivirus companies’ limited (and profit-tainted) views. Microsoft, the FBI, and other lesser-known organizations have spearheaded efforts to actually fight back in the war against malware in an offensive way rather than to just sit and wait to defend one computer node at a time like we’ve been doing for decades. To formally coordinate efforts in gathering intelligence on and taking down various modes of cybercrime, Microsoft has formed its own sort of CSI division: the Microsoft Digital Crimes Unit, or DCU. The DCU has worked with the FBI and other organizations in various countries on various crime mitigation projects; to date they have been able to take down no fewer than seven botnets, freeing millions of computers from information-stealing and virus-spreading malware. In addition, Microsoft uses its monolithic legal prowess in attempts to pursue the creators of this malware and, through due process, remove the threat permanently. Several years before Microsoft formally organized its malware attack unit, the FBI used similar tactics to take down other botnets. Even some antivirus companies have joined the fight, though one might suspect it’s merely a PR move.

Their method? It certainly isn’t to wait for viruses to come to them. Using their tactics, technology, and legal procedures, they’re able to hack into these botnets and take control of the entire network, which sometimes reach into millions of computers. They are then able to issue self-destruct commands to the malware on each infected computer and effectively eliminate a great digital threat to computer security worldwide. This seems like a Bourne-ish approach to mitigating malware threats and cybercrime, and you would be right to assume so.

It’s a bold new direction in fighting viruses: the bullies of the digital age have until recently been largely unchallenged on their own playing field. Now we have the satisfaction of knowing several botnet masters (thus far) must have frantically tried to regain control over their networks and then were only able to curse as their list of available zombies1 altogether dissipated—a fine taste of the same frustration they caused countless others.

Is this bold new direction enough, though? Some people tend to think Microsoft et al are only trying to garner press and make themselves look good while actually holding their true malware-fighting potential. With profits to lose, many of the antivirus companies whose names are listed among the contributors of these projects might just be doing that. Regardless, why not go further? Why not give them a dose of their own medicine—fight fire with fire—and add another tool to the growing arsenal used to fight malware?


The Virophage Theory: The Batman Approach

To use an example from the natural world, scientists have discovered several viruses that impair the function of other particular viruses. These are what is known as “virophages”, or literally “virus eaters”. We have taken the term “virus” from the natural world and have applied it to computer technology because of the similarities we saw between the natural and technical worlds; if virophages work in the natural world, there is no reason the principle shouldn’t apply to its technological  counterpart.

There are questions as to just what a virophage would do, how it would do it, if the doing would be legal or even moral, who would do it, and if it would be successful. While there are some few prior examples of the virophage principle, the fact remains that they are few, and such a grand undertaking would require extensive testing and re-evaluating. However, the main idea is that the questions revolving around a virophage undertaking do not prove it is a poor idea; rather, the questions point to a virophage software being successful and a powerful offence if it is done correctly.

In essence, a virophage would use tactics traditionally associated only with malware in order to spread itself among different nodes. It would target known malware and would ideally be able to intelligently identify unknown malware using artificial intelligence and maybe heuristics, but that feature would probably not be very effective at least in our decade.

The virophage, once released into the wild, would “infect” computers, looking for malware, and would relay anonymous information, similar to the way antivirus does today, back to the creators of the virophages as to the rates of infections, where and when infections occur, and, if possible, how the infection likely occurred; this would aid in tracking down malware sources and eliminating them in the methods described in the prior session. Being in communication with central servers would also allow the virophage to be updated according to new intelligence.

The virophage would clean the computer of any known malware and thereafter display a message for the user letting him or her know that the computer had been infected by so much malware, that the malware had been cleaned, and how to avoid being infected again. The virophage would then “pick itself up” and move to another infected node, leaving behind no trace of its existence nor the existence of the former malware except for the message to the user.

The virophages would generally target machines infected with known malware, though it would be difficult to differentiate between an infected machine and a clean machine without getting into the system first; it wouldn’t be a bad idea to monitor network traffic by having a virophage emitter software running on volunteer routers, identify nodes sending and receiving traffic indicative of malware, and then direct virophages to attempt to infiltrate viruses found at that network address.

Virophage command and control—the central servers relaying instructions to virophages—would also be able to issue updates to the virophages as the virophages relay back information about the current trends of malware threats.

Batman InterrogationJust like real malware, virophages would absolutely have be developed, deployed, and managed by anonymous individuals, anonymous groups, or anonymous subsidiaries of well-endowed corporations (unless laws change in favor of them, which they likely never will); these would be the Batman and Robin—the Robin Hood and Little John—of the virus world. Their work would be extremely controversial, not to mention thoroughly illegal. It would be ideal for large, wealthy corporations that already manage aspects of what the virophage would affect to be involved in the development, testing, deployment, refinement, and organization: Microsoft, Apple, open source developers, internet service providers, and departments of government throughout the developed world. These organizations working together would be ideal candidates for the Consortium of Virophage Warfare, but it’s unlikely most of them would ever join.

Legal questions still remain even if these large and powerful organizations were to become involved– especially if they were to become involved, really. Privacy would be the main issue: is it moral to deploy a helpful worm that would end up performing unsolicited actions on millions of computers whose owners largely did not agree for the actions to be done in the first place? Perhaps one should take in stride the fact that these millions of computers also will have had malevolent software running on their machines, taking actions to which the owners certainly did not agree. Even with all of this in mind, it is likely that the legal barrier cannot be overcome, and thus only a Batman approach to the virophage theory would suffice: anonymous people with the knowledge, skills, and means must develop a technically illegal but overwhelmingly helpful virophage.

Also, battling viruses is a complicated thing. Many viruses can easily be removed, but the most pervasive kind of viruses that have caused the most damage in recent history often don’t go without a fight. They change bits of the operating system upon which they run to break the system in order to embed and protect themselves from detection and removal. Even if removal is successful, sometimes arduous cleanup is necessary to get the operating system working properly again.

There have been some few “helpful worms” (similar to the idea of a virophage) in the past, the most notorious of which is the Welchia Worm. The Welchia Worm was a helpful worm released upon the world at large with the intent to remove the Blaster Worm and then download and apply a patch that would keep the Blaster Worm from re-infecting the machine. The removal of Blaster seemed to work quite well, but Welchia was responsible for unintended, catastrophic consequences, mainly crippling corporate networks by forcing hundreds or thousands of machines to simultaneously download the same patch from the internet as well as sometimes breaking the customized setups of those network administrators who had not yet been able to adapt their setups to the new patch. In short, it was a disastrous attempt at virophagology and has since put a bitter taste for the idea in the mouths of those who remember it or who have studied it.

The truth is, though, that Welchia was just one virophage created at a time when infrastructure was not ready for it, neither was it created or executed very well at all. This doesn’t mean that the world and its network infrastructures and operating systems aren’t ready for virophages now, over a decade later, or that they won’t be in the future.

Welchia’s main problem was its forceful download of the Microsoft patch—that’s what mainly caused the worm to be just as awful as an actual virus– as well as the buffer overflow it caused on Windows 2003, similarly to Blaster. A true virophage should only ever eliminate the existing threat and never do more than alert the user to his or her machine’s vulnerability with instructions on how to remedy it. It should never try to fix those vulnerabilities itself, especially if the machine is on a domain managed by other IT people rather than just an individual’s computer often plagued by PEBKAC errors2. It would be easy to program a virophage to execute its payload differently if the machine was connected to a business or enterprise domain or a VPN so as to better suit those environments.

Even if a virophage were to create measurable amounts of traffic differentiation on certain networks, modern and emerging network technologies have rendered this problem moot as long as the virophage is designed well. In a world where the slowest group of connections on a network might be running wirelessly at 54Mbps while the backplanes are capable of—at minimum—40Gbps, it takes more than a misguided helpful worm to clog up the pipes.

Map of Worldwide IP Addresses in 2012Thus far the only thing on a large enough scale with positive outcome to compare with the Batman Approach was undertaken during a five-month period in 2012. An anonymous individual created a worm that infiltrated devices on the internet that were not password protected, set itself up as a port scanner, and then infiltrated more devices, creating a somewhat large botnet. He was able to eventually infiltrate around 420,000 of these devices. The main purpose of this project was to make a census of the internet– scan every single IP address in existence and collect the data (while respecting privacy of the device owners and their data). The project was wildly successful as one can see by reading the extremely interesting information found via the link above. The data made publicly available is invaluable for understanding more of how this manmade organism called the internet works. The anonymous creator of what was dubbed the Carna botnet also used his network to protect these half a million unsecured devices from other people with malicious intent: he discovered another botnet called Aidra performing malicious actions and helped to reduce its footprint by at least several tens of thousands of devices using impermanent and extremely minor modifications. This is an example of one of the many positive outcomes that widespread adoption of the Batman Approach would have.

The Carna botnet also was able to discover millions of additional insecure devices that anyone can access that have no business being directly connected to the internet such as security cameras, baby monitors, printers, city infrastructure computers, industrial controllers, physical door security systems, and plenty of routers. This goes to show how easily exploitable millions of devices and computers truly are– and how vulnerable the rest of the world becomes because of it, secured or not.

We also have to remember that virophagology is an historic idea successfully done near the epoch of our digital age. If it worked in a collaborative effort with Ray Tomlinson and Reaper rooting out Creeper—a Batman of his own technological frontier time—certainly it can work with the collaboration of others following the Batman approach to fight back against and root out malware worldwide.

Malware is more than prevalent in today’s world; it’s grown in plenitude, boldness, and criminality. The traditional methods of defensively fighting against it must also grow—antimalware and firewalls still have their place, but they aren’t enough anymore. We must fight back using more powerful and pervasive methods. Some organizations have already started doing this using their skillsets and legal and monetary prowess to target malware and malware makers. If these organizations will not also utilize the skills and methods already available to them to fight fire with fire—to give the malware makers a dose of their own medicine—then it is up to the anonymous individuals to take the Batman approach and create a new culture of virophagology. Virophages would be another most powerful tool in the arsenal against malware and cybercrime.

This could be you.

You are the hacker the internet deserves, but, until recently, you were not the hacker the internet needed. Now you are needed. Will you respond?


  1. “Zombie” is a term commonly given to computers infected with malware that enables a malevolent entity to control that machine in some fashion. Generally, zombies steal information, send spam, and/or spread more malware.
  2. PEBKAC = Problem Exists Between Keyboard and Chair. Also known as an ID: 10-T (idiot) error.