No Love for Computer Bugs By John Schwartz LIVERMORE, Calif. –– Anthony Carathimas, an intense, dark-haired college student, is writing his first computer virus. His eyes locked on his computer screen at Sandia National Laboratories' Livermore branch, he tentatively types a line: Cat virus >> /etc/profile When the program is complete and Carathimas launches it, that first line will instruct his computer to make a copy (cat) of the virus file he is creating and add it (>>) to another file (/etc/profile), which manages the user profiles of everyone with an account on that computer system. Carathimas writes two more lines and is done. Most viruses are short, but Carathimas's program is just three lines of code, shorter than the average newspaper paragraph. It does the job, however: It reproduces. That is the defining characteristic of a computer virus. Viruses can do more--delete files from a victim's hard drive and send themselves out to others via e-mail, for instance. But at the core, a virus is simply a program that makes copies of itself. The virus that Carathimas has written--the term of art is "malware," a combination of "malicious" and "software"--produces a message that appears on the screen: "This is the virus." The screen soon fills with the message, line after line, the virus replicating itself so fast that the computer eventually crashes. Bored with his quick success, Carathimas writes a new line of code that will render his creation more like the destructive viruses that make headlines: rm -rf /& This one is a killer. If a computer follows those instructions, it will delete every file on its hard drive. The "rm" is a standard housekeeping command used to delete files. The "r" in "rf" tells the computer to act recursively, working through every subdirectory; the "f" tells the machine to force the action--to refuse to take no for an answer when the computer attempts to protect the files. Fred Cohen glances over Carathimas's shoulder and sees the lethal instructions. "No damage, please," he tells Carathimas. Cohen, a rumpled, freewheeling Sandia researcher who is generally credited with first applying the term "virus" to describe reproducing computer programs back in 1983, supervises the 30 or so students in his 18-month-old College Cyber Defenders program as they try their hands at writing viruses. The idea is to show just how easily viruses can be made and how easily they can be blocked. But at Cohen's request, Carathimas deletes the line just as he might delete an ill-advised sentence from a school essay. How hard is it to write a virus? No harder than ordering dinner at a provincial French restaurant: The biggest hurdle is knowing enough of the language to make your wishes known. "Any idiot can write a virus--and lots of idiots have," said Steve White, a computer security researcher at International Business Machines Corp. That's why viruses are increasingly common--about 40,000 have been identified since 1984, most of them in the past few years. One of them, attached to the "love bug" e-mail message sent earlier this year, reached about 15 million Americans, according to the Pew Internet and American Life Project. Computers run because software tells them what to do, and malware is no different from the programs that enable people to write letters, create spreadsheets and view photos of their grandchildren. The first PCs were little more than boxes that buyers could use to write programs. Even when commercial software emerged, any pioneer who bought an Apple II or an early IBM PC with the MS-DOS operating system had to learn a bit of programming just to make the balky things work. The most direct way to talk to a computer is in what's known as machine language--the string of ones and zeroes in which a PC's microprocessor "thinks." Not many mere mortals can understand and type out the long strings of numbers that make up machine-language code, however, and so a virtual Babel of higher-level languages has been developed for writing programs. These languages allow programmers to write the "source code" of their programs in something approximating words--with a vocabulary and syntax that can be learned by anyone willing to crack open a book or take the right classes--by using a simple word-processing program. The coder then uses a helpful translating program, often called a "compiler" or "assembler," to get the program into "object code," which is the language the machine will understand. The New Breed While "virus" is the broad term for a program that replicates, a virus can operate in different ways. A "Trojan horse" emulates its Homeric namesake by pretending to be a program the user wants to launch--for example, an animated birthday card that arrives via e-mail--but which then does things the user doesn't want, such as deleting files in the background while the cartoon plays on screen. Members of the most notorious subset of viruses, the "worms," don't just duplicate themselves on a single machine or from disk to disk; they spread across computer networks. The love bug is an example of a worm. As viruses have evolved, the most striking aspect about them is how much faster they have become. Some of the earliest viruses for IBM PCs--in the days before the Windows operating system--targeted specific program files or the first software routines that a computer goes through when it is turned on, the "boot" sectors. Most of those viruses were written in a low-level programming code that was very close to machine language. Those earliest viruses copied themselves from file to file and spread via shared diskettes, a process that allowed them to spread gradually over months and years. The introduction of Microsoft Corp.'s Windows and its successors changed all that. Windows 95 automatically scans the boot sector for viruses, all but eliminating that threat. So the virus writers shifted their focus. The biggest crop of viruses today attack via "macros," the automated commands used in such programs as Microsoft Word and Excel. Macros are small programs that can be used to quickly format a document or insert a letterhead at the top of a note, and Microsoft has gone a long way to make them easy to write. Macros run automatically when users open their files and travel with documents when they are appended to e-mail messages. The arrival of macro viruses hastened the spread of viruses; they took mere weeks to get around as they hitchhiked on documents sent innocently from victim to victim, most often via e-mail. But the bugs still had to wait for someone to send the infected document in order to spread. The most recent viruses speed the process further by sending themselves out over e-mail without the victim's help. They can go global in hours. The love bug is typical of the new breed--it came to users masquerading as a mash e-note with an attachment, LOVE-LETTER-FOR-YOU.TXT.vbs. Clicking on that file launched the virus, which was written in the Visual Basic programming environment. Microsoft developed Visual Basic so users could create easy-to-write macros that would work across a range of Microsoft programs. The love bug's destructive payload scanned the user's hard disk and destroyed many types of files, including those that stored music and pictures. If the victim used Microsoft Outlook, the virus sent itself out to everyone in the victim's e-mail address book. Viruses generally infect only one type of file or computer subsystem. So writing a virus is much like writing any other program: It starts with choices. Just as an entrepreneur hoping to score big with a new program has to decide whether to design it to run on a Windows PC, a Macintosh, a computer running some variant of the Unix operating system or something else, a virus writer has to choose a platform. Virus makers tend to look for the largest possible population of machines to infect. That helps to explain the large number of viruses, notably the love bug, that run on the Microsoft Windows operating systems and, in particular, those computers running Microsoft's Office program suite. Like almost all viruses, the one Carathimas has written is very specific. It will run on Unix, the operating system he is using. He and his fellow students at Sandia National Laboratories don't need to overcome the security measures built into many computer operating systems the way that malicious outsiders do. But if they had to, they could do it the same way that "script kiddie" virus writers do--by grabbing ready-written chunks of code from Internet sites devoted to the craft of virus writing and putting them together like Lego blocks. Looking for Trouble At instructor Cohen's suggestion, Carathimas comes up with another line for his virus: (The line of code is not reproduced with complete accuracy here because it can trigger anti-virus alert programs, which could cause problems for anyone downloading this story.) Arnold has also written a winner. He has taken a different tack than Carathimas, creating a small program that causes its lines of code to be added to every file in the directory and prints out the word "foo," a catchall nonsense word programmers like to use. He wrote his seven-line program in Perl, a general-purpose computer language favored by many programmers. Arnold's computer will recognize this latest effort as a Perl program because, in the very first line, he has written a command that identifies it as such: #! /usr/bin/perl. Next to Arnold, Corbin Stewart has written a program almost as small that takes yet another approach: Its virus replicates by creating five new files. He has told the computer to name the files "trouble1," "trouble2," "trouble3," "trouble4" and "trouble5." He does this by naming the file to be created trouble$i; the "i" is a variable, or a blank, for the program to fill in with the values for i in 1 2 3 4 5 The program will keep creating the same five files over and over again, overwriting the previous versions. Stewart could have written the program to make plenty of "trouble"--trouble6, 7, 8 and beyond until all the disk storage space on the planet couldn't hold the proliferating garbage. But he doesn't want to crash his own PC. Even so, the furiously repeated creation of the same five files occupies the computer so thoroughly that Corbin has trouble getting the machine to stop. And at the back of the room, Erik Sechser has created a virus with a surprising flaw: When he runs the program, it deletes itself. "If only that could catch on," one of the students jokes. But code is not the only component of viruses. Those who write malware love to gloat and tend to personalize their work. They do this, generally, in "comment lines"--sections of the program that start with a special character, such as a quotation mark, that tells the computer to leave it alone without trying to run it as part of the program. Normally, software designers use comment lines to describe what the various parts of the program do. But for virus writers, comment lines afford an outlet for creativity and ego. Jimmy Kuo, director of anti-virus research for computer security company McAfee.com Corp., compares virus writing to graffiti--showy vandalism. "Why do virus writers write a virus in the first place?" he asked. "To get a message out--most of the time with their name." An early virus by an alleged co-author of the love bug, Michael Buen, a Philippine college student, offered commentary as well--including a threat to set off a truly destructive virus "if I don't get a stable job by the end of the month." Some of the comments Buen tucked in before the functioning lines of code were elegiac: 'The tragedy of life is not death, rather, it is what we allow to die within us while we live. 'Watch your thoughts, it becomes word 'Watch your words, it becomes actions 'Watch your actions, it becomes your habit 'Watch your habit, it becomes your character 'Watch your character, it becomes your Destiny Such commentary can come in handy in tracking viruses to their origin. So can similarities in programming style, comments made in online discussions and traceable records of Internet access, according to Richard M. Smith, a privacy advocate who also investigates virus incidents. "There are so many little traces you leave behind," said Smith, who helped catch the author of last year's "Melissa" virus by analyzing his online postings. Once an anti-virus company, police officer or member of a loose constellation of amateur virus hunters worldwide identifies a new virus, the next step is to come up with software "patches" that will block it. The methods for doing this vary, but at their simplest they involve scanning software as it comes into a computer for a "signature," lines from the virus that can be identified. Demonstrating to his class how simple it is to write an anti-virus program, Cohen sits down and hammers out in less than a minute a detector for the virus he wrote: It tells the machine to search (or, in the language he's using, "grep") for a phrase he wrote into the virus, "echo $0." The signature has to be truly distinctive, however, or the program will be constantly sounding false alarms as programs or files with similar lines are scanned. IBM researcher White compares the process to browsing the World Wide Web with a search engine. Someone hoping to track down a copy of "Hamlet," for example, might be tempted to type in the famous opening lines from the Dane's "To be or not to be" soliloquy. But those words, even in that order, appear about 20,000 times and in documents having nothing to do with Shakespeare. Instead, try searching for the line "That, swoopstake, you will draw both friend and foe," uttered by the King in Act 4, Scene 5, and only a handful of Web pages come up. IBM and Symantec Corp. have teamed up to develop a constantly evolving "digital immune system," to be released this summer, that will work automatically to identify possible viruses, find those distinctive signatures and send defenses out to clients' machines--all in less than an hour. Notes From the Underground The love bug infected an estimated 45 million computers in 20 countries and caused an estimated $8 billion in damage, including employee downtime. "That's nothing," White warned. "This could happen every day. This could happen every hour." To Cohen, one of the most alarming prospects is a virus that improves on early efforts at simulating evolution--in other words, a program that changes its own code as it goes along. That kind of program would be much harder to detect since it would offer no consistent signature for virus hunters. Still, Cohen said he was simply unimpressed with what he has seen from the amateur virus makers out there. "There are no . . .really clever viruses [actually infecting computers]--not yet, and may never be," he said. "There may be a limit to the amount of effort people are willing to put into doing malicious things." In online discussions of viruses, signs abound that things will get worse before they get better. "The almost exponential increase in the 'I wanna virus' posts in the last few weeks are incredible," wrote a virus buff who goes by the name PaX [SlaM]. "My own mailbox slowly but surely fills up with 'I wanna infect' type of mails on a daily basis." He was complaining, mind you; like many who study viruses, he has no patience for the "lamers" who just want to stir up trouble. The old hands in the virus community, those who have seen virus writers come and go, have no paucity of warnings for the newcomers who want to ply the craft. In a recent online discussion, PaX [SlaM] wrote: "not too many virus writers are enough of a retard to cause a global infection. your going to get the FBI etc crawling all over you until you get caught so what the hell is the point, Pride from a jail cell is stupid." What Is a Virus? Viruses are computer programs that make copies of themselves. Some delete files on the victim's computer, some spread via e-mail -- but they all replicate. The people who create them take advantage of the weaknesses in computer and network defenses. How Viruses Have Mutated Computer researchers were the first to play with viruses. As computer use grew, viruses did, too. Common early viruses of the 1980s attacked individual PCs, often infecting the "boot" sector -- the first software routines a computer runs when it starts up -- or program files. They spread slowly, via shared diskettes. Most viruses today pose as "macros," smallish, easy-to-write programs that are used extensively in Microsoft Word files and Ami Pro desktop-publishing documents and other files. The virus writers embed the rogue programs in the word-processing document or spreadsheet so that they run automatically when the document is opened. Programs such as the "love bug" are written in the same Microsoft Visual Basic programming environment used to build many macros, but the creator sends the program as an attachment to e-mail messages. Thanks to the global Internet, the new breed can spread across the planet in hours. The Washington Post Company
|
||