Showing posts with label war. Show all posts

Tuesday, 3 April 2012

The good computer virus

Is it possible or even advisable to create a good computer virus?

Let's take Wikipedia's current definition of a computer virus: "a computer program that can replicate itself and spread from one computer to another."

There is no "malicious intent" in that definition, so it sounds like creating an automatic, self-distributing security program could work. Certainly Dr Cyrus Peikari thinks so.

I first heard Dr Peikari's argument in favour of creating good viruses, whose presence would strengthen a host's immune system, at the Defcon conference in 2001. He wrote a paper on the subject three years later.

One significant problem with this approach is that once a viral program starts spreading there is no telling how it might affect systems. The creator may not be able to maintain control of the virus either, which means that they could initiate a potentially catastrophic sequence of events.

Let's say that someone wrote a worm that sought out and destroyed a (fictional) malware threat called Hercules. And let's say that this malware exists not only on home PCs but also on some smart TVs, mobile phones, ATMs and prison door control systems.

Our imaginary Hercules-killing worm might spread between all of these systems and attempt to deactivate the threats that it finds. It might work with 100 per cent effectiveness, or not. When it fails, or even when it succeeds, it might have unexpected side-effects.

As our benevolent worm interacts with Windows XP PCs running no anti-virus software, it does exactly as was intended. However, in other cases, where security software is in place, its unexpected presence is noted and blocked. As we all know, anti-virus software is not without its faults, so maybe the worm makes some changes to the system before it is stopped.

We now have a damaged Windows XP PC.

The case becomes even more complex when you consider the other platforms in use (Android, Chromium OS, iOS, OS X, Linux etc.). The smart TVs might crash, mobile phones might be unaffected and hopefully any life-support systems or prison doors remain operational. But there is no guarantee.

There is also a legal issue. This worm, no matter how beneficial its intentions, and how effective its execution, is running on systems without authority. This falls foul of many laws, including the UK's Computer Misuse Act.

Some facts worth remembering, when thinking about well-intentioned viruses:
  1. One person's good intentions are not necessarily someone else's.
  2. The Morris Worm was allegedly written to discover the size of the internet, rather than to cause denial of service (DoS) problems. However, DoS it did.
  3. The Code Blue worm, when released in 2001, appeared to be designed to remove a prevalent threat at the time called the Code Red worm. It even patched infected systems to prevent re-infection. However, it reduced system stability (presumably unintentionally) and also launched DoS attacks (presumably intentionally).

In January 2012 Rik Ferguson wrote about a Japanese project to create a defensive virus. This supposed "cyberweapon" appears to have a benign, healing component. Let's hope that it works with the telly.

Friday, 23 March 2012

0-day a criminal or media obsession?

[0-day (ō dā) n. 1. A generally undisclosed security hole in software.]

1. Do criminals, spies and cyber-warriors want to know about zero day (0-day) vulnerabilities?

- Undoubtedly.

2. Do they spend vast amounts of time seeking them out and developing exploits?

- Doubtful.

Which of the two statements above is more exciting for a journalist to follow up on?

I'd say the first. The concept of shady organisations knowing something that no one else does, and then using that knowledge to perform movie-style techno-magic is intriguing.

The truth, depending on who you talk to and believe, is altogether more mundane.

Earlier this year, at the Kaspersky Threatpost Security Analyst Summit, I was talking to Greg Hoglund about targeted attacks. You might imagine that this type of attack would be at the cutting edge of malware. However, Greg said that, "a lot of what we see is not 0-day. The victims aren't patching."

[Photo caption: (left to right) Greg Hoglund, Simon Edwards, Paul Judge, Karthik Raman and Terry McCorkle]

This makes complete sense when you understand that criminals and others are having plenty of success using fairly well-known threats. Why run when you are not being chased?

Dancho Danchev has compiled a sound analysis of the situation in his article Seven myths about zero day vulnerabilities debunked.

[How many people have to know about an 0-day before it's not an 0-day any more?]

Wednesday, 14 March 2012

The dangers of hidden data

Whether it's nuclear war secrets or embarrassing photos you never thought would see the light of day, information has a way of finding its way into the wrong hands, time and time again.

In an article that covers weapons of mass destruction, nuclear submarines, formula one cars and personal photos, I examine why data is leaked and explore ways to avoid it.

The full feature is available in the latest edition of Kaspersky Labs' Secureview magazine, which is available for free to download.

There is also a bluffer's guide/Devil's Dictionary-style definition of mobile encryption in the Crib Notes page at the back of the magazine.

Secureview is usually distributed in PDF format but those fortunate enough to have attended the RSA Conference 2012 (USA) had the opportunity to pick up a printed copy from Kaspersky's stand.

Tuesday, 17 January 2012

Spam kills and saves lives

A spam message sent to the mobile phone of a would-be suicide bomber caused a premature explosion.

The accident happened on New Year's Eve in Moscow. The bomber, a woman believed to belong to a radical Islamist terror group, was killed but no one else was hurt.

According to a report in The Telegraph, "Islamist terrorists in Russia often use cheap unused mobile phones as detonators."

The newspaper quotes security sources, who claim that a spam message wishing recipients a happy new year triggered the detonator. This caused the suicide belt to explode while the wearer was still in a safe house, preparing for the attack.

For those in the targeted area of Red Square, their New Year was certainly improved by one simple spam message.


Thursday, 12 January 2012

25 years of computer viruses in pictures

F-Secure has produced a graphical summary that shows some of the most talked-about computer viruses.

You can view the entire 'infographic' or download a high-resolution version from F-Secure's blog.

To summarise, quickly, the history starts with Brain; runs through the likes of Melissa, Code Red and Love Letter (aka ILoveYou); and concludes with Stuxnet and Conficker.

Interestingly, the chart includes Sony's use of rootkit-like technology. This is not a virus, but it uses an approach also used by some malware. Additionally, many of the other threats are actually worms rather than viruses.

Friday, 25 November 2011

Stuxnet explained: video

Stuxnet is one of the most interesting pieces of malicious code found in the last few years.

It provides significant evidence that nation states are using computers to undermine each other.

The well-made video below explains what Stuxnet is (a weapon in code form), what it did and poses some questions about the future.

It suggests, incorrectly as far as I know, that the source code is available. Thus far it is not "open source", as claimed in the video.

This is one of many pieces of recent media that explores the concept of cyber war. It is a controversial area, largely because there is little proof. Stuxnet is tangible evidence, which is why security companies are so excited about it.

Cold war, cyber war or simply war?

Eugene Kaspersky has just written an interesting article that poses the view that this type of cyber war, in which malicious code is used as a form of weapon, is a series of acts of international aggression. He believes that it is tantamount to cyber terrorism.

Malicious code such as Stuxnet can do a few things but one of the most interesting characteristics is its capacity for sabotage. In the Cold War of the 1980s there were claims of sabotage, but rarely anything as direct as the tasks that Stuxnet is capable of carrying out.

One similar incident involved the Trans-Siberian pipeline back in 1982. The US is said to have planted a logic bomb that resulted in a massive explosion. Rather than introducing a virus from a network or USB key, the theory goes that US programmers planted the malicious code into a program that they knew would be stolen by the Russians.


Stuxnet: Anatomy of a Computer Virus from Patrick Clair on Vimeo.

Thursday, 24 November 2011

Computer virus theory on missile explosion

Did a computer virus cause the explosion of an Iranian ballistic missile, capable of carrying a nuclear warhead?

The story that is doing the rounds claims that on the 12th November 2011 a missile exploded in an Iranian army base. A number of Iranian officers and rocket experts were killed.

The Stuxnet worm is considered to be the culprit.

So far the facts seem rather vague, as the coverage of this event stems almost entirely from a report on one website, that being Debkafile. This site appears to be "unabashedly in the hawkish camp of Israeli politics" and uses unattributed sources extensively.

Taking this main report on its merits, let's see what the 'facts' are, versus the 'theory'. I'll assume that the following four details are accurate:

  1. Maj. Gen. Moghaddam presents a new type of warhead to experts.
  2. He runs a computer simulation on a system attached to the missile.
  3. The missile explodes, killing over one dozen people.
  4. The extent of the explosion means that there are no witnesses and little physical evidence.

The Debkafile report also notes the following:
  1. The missile exploded because the computer sent it an order to do so.
  2. Iranian intelligence have two theories:
    • Western or Israeli intelligence services planted a technician, who sent the signal ordering the missile to explode.
      [Note: I think the reporter meant that the technician programmed, rather than signalled, the computer.]
    • The computer was responsible, having been infected with the Stuxnet worm.
  3. Iranian intelligence considers the second theory (above) to be more plausible than the first.

To summarise, a missile has exploded in an apparent accident and there are no living witnesses. The computer involved is completely destroyed, as is the missile.

Somehow Debkafile is able to deduce that the computer sent the order to explode, despite no apparent evidence to support this. This is a significant problem with Debkafile's report. It contains no attributed facts, just statements of fact without any evidence.

Which of the following do you think is more likely?

  1. The missile exploded, accidentally.
  2. A spy programmed a computer to explode the missile.
  3. A computer virus programmed a computer to explode the missile.

It's coming to something when the idea of computer viruses exploding nuclear-capable missiles is more plausible than accidents or more mundane methods of sabotage.

Wednesday, 5 October 2011

Lottery funds WWII codebreaker base

Bletchley Park, wartime home of the Government Code and Cypher School, has received £4.6m from the Heritage Lottery Fund.

The site, which is not too far from where I live, has been decaying for some time but it receives no external funding. Earlier this year Google provided some cash when it bought some of Alan Turing's papers.

Bletchley Park is also home to The National Museum of Computing.

The gift shop sells all sorts of interesting things, but my favourite is the Enigma mug (see above), which is my regular drinking vessel of choice.

Monday, 9 November 2009

Mass US power hack possible

Cyber warfare is most certainly no longer the subject of blockbuster Hollywood movies. An ex-chief of US national intelligence has told CBS' 60 Minutes programme that not only is the country vulnerable to cyber warfare but that it is unprepared for an attack. Speculating on what an attacker might do, Retired Admiral Mike McConnell said:

"If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker." A couple of years ago this would have been a James Bond/Die Hard baddy-plan. Now the guy whose day job involved running the CIA and NSA is talking about hackers turning the lights out on the US.

The report also quoted President Obama as saying, "We know that cyber intruders have probed our electrical grid, and that in other countries cyber attacks have plunged entire cities into darkness." He is most likely referring to hacker attacks against Brazilian power supplies in 2005 and 2007. The report states, "Several prominent intelligence sources confirmed that there were a series of cyber attacks in Brazil: one north of Rio de Janeiro in January 2005 that affected three cities and tens of thousands of people, and another, much larger event beginning on Sept. 26, 2007."*

So when you're watching the inevitable action movies this Christmas, don't scoff at the evil hacker elements of the baddies' plans. They're probably realistic.


* UPDATE: Brazilian government officials have recently denied that the 2007 blackout was the result of hacker action. The cause was apparently "pollution in the chain of insulators due to deposits of soot", as claimed in a report by Brazil’s independent systems operator group (Spanish).