Virus Nightmare Scenarios

Sometimes virus writers draw inspiration from researchers' bad dreams

By Shane Coursen

"Nightmare sessions" are anything but scary to most antivirus researchers: In fact, they might be the most fun an antivirus researcher can have. The idea is to get together with other researcher-friends and discuss viruses and security exploits that do not yet exist. The nice part about it is at the end of the day, researchers aren't under the gun to find solutions within a few hours.

Nightmare sessions are usually closed to the general public -- naturally the last thing an antivirus researcher would want is for details from his or her theoretical nightmare to find their way to the general public. We know that somewhere there exists an individual who would be more than happy to try to convert the theory into reality.

And yet some of the worst possible nightmare theories have filtered out into the world, and some of the most destructive viruses seem to have been inspired by ideas virus researchers discussed in too public a manner.

In a nightmare session in the early nineties, virus researchers imagined a virus that would encrypt a victim's data, and hide the key in the loader program in the computer's Master Boot Record (MBR). Back then, a common manual fix to viruses was to rewrite the loader, which, in this particular nightmare, would cause the hapless victim to inadvertently destroy their only hope of salvaging their files.

It wasn't long after this nightmare session that the One_Half virus was spotted in the wild. It encrypted half the cylinders on a target's hard drive, and wrote the key into the loader.

Someone had taken a basic idea and developed it into a very dangerous reality. An otherwise innocuous virus type (most boot viruses at the time were benign) became something far from run-of-the-mill, and from that day on, it was no longer okay to manually rewrite the MBR to rid a computer of a virus.

THE THREE-YEAR RULE. The cycle has repeated again and again. Macro viruses were theorized in 1993, and in 1996, they came along. By then, VBS viruses were the stuff of nightmare sessions, and in 1999 someone made it real with VBS/Freelink. Then it was malicious ActiveX controls, which we're now beginning to see implemented, though not yet in the wild.

The trend of recent viruses to compromise data -- which is far worse than merely destroying it -- also follows this path. Code Red evolved from benign to sinister in less than a week. The first version simply took advantage of a known exploit; the second incarnation dropped a backdoor. While not directly damaging, the backdoor opened up computers to untold amounts of potential harm.

Possibly more damaging are the indirect results of such a large-scale outbreak. No longer are there necessarily tangible files that one may target for detection. Instead, huge amounts of data that cannot be considered a virus are bringing down routers. Instead of efficiently directing data to where it needs to go, we find only delays. To add insult to injury, those delays then cause further problems for time-critical operations. In basic terms, some of today's viruses have the ability to produce a snowball effect that is nearly impossible to predict.

SirCam and Nimda also seemed to be inspired by ideas virus fighters have discussed with one another in too public a manner. Overall, the average time between a nightmare session and a virus coming out in the real world is three years.

What's scary, and hopeful, about all this is that only a very few of our nightmare scenarios have become reality -- you wouldn't believe some of the ideas we've dreamed up. I asked Joe Wells, longtime antivirus researcher, why so few of the nightmares discussed in public have been implemented. Wells maintains that "virus writers usually do not have the same breadth of knowledge as an antivirus researcher." It is a very good point.

The average virus writer has not made a career of analyzing malicious code. Many have difficulties in making their creation function as a simple virus, let alone adorning it with revolutionary techniques.

However, it is not always in the best interest to divulge too much detail. What starts out as an honorable attempt to make software more secure might end up in disaster. All I can ask of those who believe in full disclosure is to be very aware of the composition of your audience.

Shane Coursen has worked in the field of antivirus research since 1992. He is currently CEO of WildList Organization International.