Computer Viruses – From Theory to Applications

ddThe purpose of this book is to propose a teaching approach to under-
stand what computer viruses1 really are and how they work. To do this,
three aspects are covered ranging from theoretical fundamentals, to prac-
tical applications and technical features; fully detailed, commented sourcecodes of viruses as well as inherent applications are proposed. So far, the
applications-oriented aspects have hardly ever been addressed through the
scarce existing literature devoted to computer viruses.

The obvious question that may come to the reader’s mind is: why did the
author write on a topic which is likely to offend some people? The motivation
is definitely not provocation; the original reason for writing this book comes
from the following facts. For roughly a decade, it turns out that antiviral
defense finds it more and more difficult to organize and quickly respond
to viral attacks which took place during the last four years (remember the
programs caused by the release of worms, such as Sapphire, Blaster or Sobig,
for example). There is a growing feeling among users – and not to say among
the general public – that worldwide attacks give antivirus developers too
short a notice. Current viruses are capable of spreading substantially faster
than antivirus companies can respond.

As a consequence, we can no longer afford to rely solely on antivirus
programs to protect against viruses and the knowledge in the virus field is
wholly in the hands of the antiviral community which is totally reluctant
to share it. Moreover, the problems associated with antiviral defense are
complex by nature, and technical books dedicated to viruses are scarce,
which does not make the job easy for people interested in this ever changing
field.

For all of these reasons, I think there is a clear need for a technical book
giving the reader knowledge of this subject. I hope that this book will go
some way to satisfying that need.

This book is mainly written for computer professionals (systems adminis-
trators, computer scientists, computer security experts) or people interested
in the virus field who wish to acquire a clear and independent knowledge
about viruses as well as incidently of the risks and possibilities they repre-
sent. The only audience the book is not for, is computer criminals, unfairly
referred as “computer geniuses” in the media who unscrupulously encourage
and glamorize them somehow. Computer criminals have no other ambition
than to cause as much damage as possible, which mostly is highly prejudi-
cial to everyone’s interests. In this situation, it is constructive to give some
essential keys that open the door to the virus world and to show how wrong
and dangerous it is to consider computer criminals as “geniuses”.

With a few exceptions, the vast majority of computer vandals and com-
puter copycats simply copy existing programs written by others and clearly
are not very well versed in computer virology. Their ignorance and silliness
just casts a shadow over a fascinating and worthwhile field. As said the fa-mous French writer, F. Rabelais in 1572, “science without conscience is the
soul’s perdition”.

The problem lies in the fact that users (including administrators) are
doomed, on the one part, to rely on antivirus software developed by profes-
sionals and, on the other part, to be subjected to viral programs written by
computer criminals. Computers were originally created to free all mankind.
The reality is quite different. There is no conceivable reason why some self-
proclaimed experts driven for commercial interests should restrict computer
knowledge. The latter should not be the exclusive domain of the antiviral
programs developers.

In this respect, one of the objectives of the book is to introduce the reader
to the basic techniques used in viral programs. Computer virology is indeed
simply a branch of artificial intelligence, itself a part of both mathematics
and computer science. Viruses are only simple programs, which incidentally
include specific features.

However uncomfortable that may be for certain people, it is easy to pre-
dict that viruses will play an important role in the future. The point of this
book is to provide enough knowledge on viruses so that the user becomes
self-sufficient especially when it comes to antiviral protection and can find
a suitable solution whenever his antiviral software fail to eradicate a virus.
Whether one likes it or not, computer virology teaching is gradually becom-
ing organized. At Calgary University, Canada, computer science students
have been offered a course in virus writing since 2003, which as might be
expected, has set off a wave of criticism within the antivirus community (the
reader will refer to [138,139,147–149] for details).

For all of the above-mentioned reasons, there is no option but to work
on raw material: source codes of viral programs. Knowledge can only gained
through code analysis. Here lies the difference between talking about viruses
and exploring them. Studying viruses surely will not make you a computer
vandal for all that, on the contrary. Every year, thousands of people are
studying chemistry. As far as I know, they rarely indulge in making chem-
ical weapons once they have received their Ph. D degree. Should we ban
chemistry courses to avoid potential but unlikely risks even though they do
exist and must be properly assessed? Would it not be a nonsense to give up
the benefits chemistry brings to mankind? The same point can be made for
computer virology.

There is another reason for speaking in favour of a technical analysis of
viruses. Unexpectedly, most of the antivirus publishers, are partly responsi-
ble for viruses. Because some of them chose a commercial policy enhancedby a fallacious marketing, because some of them are reluctant to disseminate
all relevant technical information, users are inclined to think that antivirus
software is a perfect protection, and that the only thing to do is to buy any-
one of them to get rid of a virus. Unfortunately, the reality is quite different
since most antiviral products have proved to be unreliable. In practice, it is
not a good thing to rely solely on commercial anti-virus programs for pro-
tection. It is essential that users get involved in viral defense so that they
may assess their needs as far as protection is concerned, and thus choose
appropriate solutions. This presupposes however, some adequate knowledge
as basic background.

The last reason for providing a clear presention of the viral source code,
is that it will enable to both explain and prove what is possible or not in
this field. Too many decision-makers tend to base their antiviral protection
policies on hazy and ill-defined concepts (not to say, fancy concepts). Only a
detailed analysis of the source codes will provide a clear view of the problems
thus easing the decision maker’s task.

In order that the book may be accessible to nonspecialists, prerequisite
knowledge for a good understanding of the described concepts are kept to
a minimum. The reader is assumed to have a good background in basic
mathematics, in programming, as well as basic fundamentals in operating
systems such as Linux and Unix. Our main purpose is to lay a heavy em-
phasis on what could be called “viral algorithmics” and to show that viral
techniques can be simply explained independently from either any language
or operating system.

For simplicity’s sake, the C programming language and pseudo code have
been used whenever it was pertinent and possible, mainly because most
computer professionnals are familiar with this language. In the same way,
I have chosen simple examples, and have geared the introduction toward
nonspecialists.

Some readers may regret that many aspects of computer virology have not
been deeply covered, like mutation engines, polymorphism, and advanced
stealth techniques. Others may object that no part of the book is devoted
to viruses or worms written in assembly language or in more “exotic” yet
important languages like Java, script languages like VBS or Javascript, Perl,
Postscript… Recall once again that, the book’s purpose is a general and ped-
agogical introduction based on simple and illustrative examples accessible,
to the vast majority of people. It is essential to understand algorithmics
fundamentals shared by both viruses and worms, before focusing on specific
features inherent to such or such language, technique, or operating system.