Hostile Code
Viruses continue to plague our computers. The first viruses were created in the early 1980s. Early viruses were handcrafted, and their creators had some degree of skill. Virus creation became much easier with the introduction of powerful virus-creation toolkits. This has led to a dramatic upswing in the number of viruses. This problem with viruses is not unique to any one vendor of computer software. Viruses affect a wide variety of systems, from mobile phones to mainframes.
For the last twenty years, the majority of anti-virus (AV) products have relied on explicit knowledge about every virus that exists in the world. That knowledge is codified within a signature. When a piece of AV software can match the bits in a file to a signature in its library, it blocks or deletes what it presumes to be a virus. This approach is effective close to 100% of the time when the AV software has a signature for the particular virus that happens to be attacking the computer. When it doesn’t, this approach doesn’t help. The value of an AV product therefore hinges on two things: the AV product vendor must identify new viruses and create signatures for them, and those signatures must reach the end user’s computer as quickly as possible. Most AV products are updated daily or weekly with new signatures, but this is a never-ending race between the virus writers and the AV product vendors. Even if you run AV software, your computer might become infected by a virus before a signature is installed. The dramatic changes in virus creation over the past quarter century contrast with the rather tepid evolution of AV products.
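The signature dependency described above can be shown with a short added example (not from the original text): a minimal byte-pattern scanner whose library is versioned, so the same file is missed before its signature ships and caught afterwards. The signature names, byte patterns and sample buffers are all constructed for illustration and match no real product or virus.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str       # label reported on a match
    pattern: str    # hex bytes; "??" stands for any single byte
    added_in: int   # library version that first shipped this signature

def compile_pattern(hex_pattern: str) -> re.Pattern:
    """Turn '48 4f ?? 54' into a bytes regex; '??' matches any one byte."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

# Constructed library: names and patterns are invented for this example.
LIBRARY = [
    Signature("Demo.Alpha", "48 4f 53 54 ?? 4c 45 2d 41", added_in=1),
    Signature("Demo.Beta", "42 45 54 41 2d ?? ?? 2d 58", added_in=2),
]

def scan(data: bytes, library_version: int) -> list[str]:
    """Return names of signatures present in the given library version
    whose pattern occurs anywhere in data."""
    hits = []
    for sig in LIBRARY:
        if sig.added_in > library_version:
            continue  # signature has not reached this machine yet
        if compile_pattern(sig.pattern).search(data):
            hits.append(sig.name)
    return hits

# Constructed, harmless sample buffers.
ALPHA_FILE = b"\x00header\x00HOSTILE-A payload"
BETA_FILE = b"junk BETA-07-X more junk"
CLEAN_FILE = b"plain text document"

if __name__ == "__main__":
    samples = (("alpha", ALPHA_FILE), ("beta", BETA_FILE), ("clean", CLEAN_FILE))
    for version in (1, 2):
        for label, blob in samples:
            result = scan(blob, version) or "no match"
            print(f"library v{version}  {label:5s} -> {result}")
```

With library version 1 the "beta" buffer passes unflagged; only the version 2 update detects it, which is the window of exposure the paragraph describes.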
Commercial AV products have typically been signature-based. Vendors have periodically brought products to market that use heuristics, such as analyzing behavior, to try to identify viruses. The idea is to remove the dependency on signatures by learning how viruses tend to act. But this technology can struggle with distinguishing between hostile and benign actions, and it can have an error rate of 50% or more. We certainly have fewer problems with computer viruses due to the degree of protection that AV software can provide. But we have only treated the symptoms. Viruses continue to be created at a very high rate. We haven’t solved the problem with existing technology, and millions of people continue to be affected. With no cure in sight, it seems that viruses will be with us for some time.
Specialists refer to self-propagating network viruses as worms. On November 2, 1988, Robert Morris, Jr., a student at Cornell University, released the first internet worm. Morris claimed that his intention was not to create damage, but to attempt to determine the size of the internet at the time. The worm had a bug that caused it to infect machines too quickly. The Morris Worm, as it became known, pre-dated a raft of damaging internet worms that took root on the internet and within enterprise networks from 2001 onward. There was no fundamental difference between the methodology or techniques used by those modern incarnations of worms and the original Morris Worm. (The Morris Worm targeted the most popular operating systems on the internet, just as subsequent worms have done.) A decade passed between the Morris Worm and those later incarnations.
Viruses, worms, adware, and other hostile code are now lumped together under the generic term malware, meaning software that no one wants around. We have gained more knowledge of malware, and the defensive technologies we can employ have become more robust. But modernity is little consolation if we continue to fall victim to the same problems.