Security
There isn’t a month that goes by where I don’t hear about a new Windows bug or vulnerability. To say that Windows requires regular security updates is an understatement. To really understand the issues that face Windows, Linux, and Mac users, we need context. We have to understand the threats that computer users faced in the late 80’s and early 90’s and compare those to the threats of today.
In the early 90’s, I had no qualms about computer security. It wasn’t naivety either. You see, in the world of DOS, viruses only had a few ways to replicate: alter executable files or the boot sector. The original computer viruses were simple parasites. When you ran an infected file, the virus would stick around in memory and then insert a copy of itself into all of the other executable files you subsequently ran. The really tricky ones would implant themselves into the boot sector. Anti-virus scanners could easily detect these types of viruses by looking for a unique signature. That is, the anti-virus scanner could search for a subset of the viral machine code (the raw bytes representing the instructions of the virus) in executable files. It’s basically a “find” in all files command. Easy.
But the programmers in the virus scene were talented. They struck back with stealth technology. In DOS, any application can take full control of the system due to the single super-user paradigm (something that continues through the Windows XP era) and the unprotected kernel (which continues through the 32-bit Windows operating systems). Once a stealth virus was active in memory, it could do all sorts of tricks to prevent itself from being detected. For example, some stealth viruses disinfected a file each time it was opened by the anti-virus scanner and then re-infected it as the file was closed. Anti-virus scanners would have to move closer to the metal to address these challenges; the scanner just needed to be loaded into memory first. Although stealth technology represented an added challenge, viruses were still detectable based upon their individual signatures. While virus writers could create new variants by throwing in random data to throw off the search string, all it took was a virus signature update.
But the human mind is as clever as biology itself. If you had to name an untreatable but widespread virus, you’d probably think of HIV. Its secret is mutation. In the 90’s, the next major advance from the virus scene was polymorphism. Viruses were now written to be self-mutating: they encrypted themselves with a randomly generated key, giving over 4.2 billion (2^32) combinations. The Dark Avenger MtE (Mutation Engine) was the most infamous of these tools. The MtE, developed by a single programmer, appeared to make every signature-based virus scanner impotent.
But the anti-virus researchers were not going to concede to the virus scene. The cat-and-mouse game continued. The anti-virus scanning world was also home to some of the most sophisticated software engineers. Even though there were 4.2 billion combinations for the virus to encrypt itself, the revelation came with the recognition that the mutation process itself represented a fixed algorithm. While you still couldn’t detect the virus body itself, you could still detect the code that was used for decryption. This involved more complex algorithms than a simple signature search, but it worked, and even the formidable self-mutating engine was neutralized by the best anti-virus makers. This revelation made it possible to detect new mutation engines in the same way they had detected new non-polymorphic viruses. In essence, once a new polymorphic virus was released into the wild, researchers could confidently develop a detection strategy by fingerprinting the decryption algorithm.
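To make the contrast between the plain signature scan described earlier and the decryptor fingerprint described here concrete, the following is an added example, not code from the original post. Everything in it is constructed: the "virus body" is an arbitrary labelled byte string, the decryptor stub is a stand-in made of fixed bytes wrapped around a 4-byte XOR key, and `make_variant` only exists to generate test inputs for the two detectors. The plain signature stops matching as soon as the body is encrypted under a fresh key; a signature over the stub with the key position masked keeps matching, and pulling the key out of the stub (a cheap stand-in for emulating the decryptor) lets the ordinary body signature be re-applied to the recovered plaintext.

```python
import re
import secrets
from typing import Optional

# --- Constructed sample data (labelled byte strings, not real programs) ---
# Stand-in for the parasitic routine an early scanner would fingerprint.
VIRUS_BODY = bytes(range(0x40, 0x60)) + b"*.COM\x00*.EXE\x00"
# A constructed "clean" image that shares nothing with the body.
CLEAN_FILE = b"MZ" + bytes(0x80) + b"Hello from a benign program\r\n$"

# The plain signature: a fixed slice of the unencrypted body
# (the "find in all files" approach).
BODY_SIGNATURE = VIRUS_BODY[4:16]

# Constructed decryptor stub: fixed bytes around a 4-byte XOR key.  The key
# changes on every infection; the bytes around it do not.
STUB_PREFIX = b"\xe8\x00\x00\x5e\xb8"   # stand-in for "find own address; load key"
STUB_SUFFIX = b"\x31\x06\x46\xe2\xfa"   # stand-in for "xor [si],ax; inc si; loop"
KEY_LEN = 4


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (its own inverse, so it also decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(body: bytes, key: Optional[bytes] = None) -> bytes:
    """Model of what a mutation engine emits: fixed stub + freshly keyed body.

    Used only to produce inputs for the detectors below.
    """
    key = key or secrets.token_bytes(KEY_LEN)
    return STUB_PREFIX + key + STUB_SUFFIX + xor_with_key(body, key)


def signature_hits(data: bytes, signature: bytes) -> bool:
    """Classic signature scan: is the fixed byte string anywhere in the file?"""
    return signature in data


# Wildcard signature for the decryptor: the stub's constant bytes with the key
# position masked out.  re.DOTALL makes '.' match 0x0A as well.
DECRYPTOR_PATTERN = re.compile(
    re.escape(STUB_PREFIX) + b"." * KEY_LEN + re.escape(STUB_SUFFIX), re.DOTALL
)


def decryptor_hits(data: bytes) -> bool:
    """Fingerprint the decryption routine rather than the encrypted payload."""
    return DECRYPTOR_PATTERN.search(data) is not None


def recover_body(data: bytes) -> Optional[bytes]:
    """Stand-in for emulating the decryptor: read the key out of the stub,
    undo the XOR and return the plaintext body.  None if no stub is present."""
    m = DECRYPTOR_PATTERN.search(data)
    if m is None:
        return None
    key_start = m.start() + len(STUB_PREFIX)
    key = data[key_start:key_start + KEY_LEN]
    return xor_with_key(data[m.end():], key)


def classify(data: bytes) -> str:
    """Combine the checks into a verdict."""
    if signature_hits(data, BODY_SIGNATURE):
        return "known-virus"
    if decryptor_hits(data):
        body = recover_body(data)
        if body is not None and signature_hits(body, BODY_SIGNATURE):
            return "known-virus (polymorphic variant)"
        return "unknown-decryptor"
    return "clean"


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_FILE), ("plain", VIRUS_BODY),
                          ("variant", make_variant(VIRUS_BODY))]:
        print(f"{label:8s} body-sig={signature_hits(sample, BODY_SIGNATURE)!s:5s} "
              f"decryptor={decryptor_hits(sample)!s:5s} -> {classify(sample)}")
```

The "unknown-decryptor" verdict is the interesting one in practice: a stub fingerprint that fires without a recognised body means a known mutation engine wrapped around something new, which is exactly the lead a researcher would follow up on.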
As the virus scene got more sophisticated, anti-virus makers would also continue to improve their efforts. Research into heuristic scanning grew in favor; this was the ability to detect unknown viruses, ones that had not yet been discovered. With some degree of voodoo and an equal degree of algorithmic panache, anti-virus researchers began to think of ways viruses would work and developed complex algorithmic systems for detecting “unusual behavior.” To use a qualitative example, wouldn’t it be odd if an executable file contained code that searched for other executable files, used direct disk access, had weird garbage instructions (i.e. encrypted data or padded data to alter a viral signature), allocated memory in a weird way (i.e. stealth), and a suspicious jump construct (the program starts by skipping ahead several times or starts by running a routine to determine where the routine to be run is located)? The specific questions asked and the manner in which things were evaluated varied. Some heuristics were passive, while other early anti-virus scanners used simple virtual machines or code interpreters to execute the virus within protected space to look for abnormal activity, further enhancing the ability to detect stealth viruses.
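The qualitative checklist above can be turned into a small scoring scanner. The following is an added example (not code from the original post) that implements four of the traits named in the text as passive heuristics over a raw program image: entry point that begins with a jump (x86 `E9`/`EB`), wildcard strings used to find other programs, the `INT 13h` direct disk access opcode (`CD 13`), and a high-entropy region standing in for encrypted or garbage instructions. The weights, the threshold, and the three sample images are constructed assumptions; each trait is legitimate on its own (a disk utility uses `INT 13h`, an archive is high-entropy), which is why only the combination crosses the threshold.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple

# Constructed weights: no single trait is enough on its own, a combination is.
WEIGHTS: Dict[str, int] = {
    "entry_is_jump": 1,           # program starts by skipping over its own body
    "searches_for_programs": 2,   # wildcard masks used to find victims
    "direct_disk_access": 2,      # INT 13h: BIOS disk services, bypassing DOS
    "high_entropy_region": 2,     # encrypted or padded "garbage" instructions
}
SUSPICION_THRESHOLD = 5   # at least three traits must fire
ENTROPY_BITS = 7.0        # bits/byte; plain x86 code and text sit well below this
WINDOW = 512


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte for one chunk (0.0 for empty input)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def max_window_entropy(data: bytes, window: int = WINDOW, step: int = 256) -> float:
    """Highest entropy in any window, so a small encrypted region inside an
    otherwise ordinary file is still noticed."""
    if not data:
        return 0.0
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), step))


def extract_features(data: bytes) -> Dict[str, bool]:
    """Run each passive heuristic and report which ones fired."""
    upper = data.upper()   # only ASCII letters are affected
    return {
        # .COM images execute from their first byte; E9/EB are near/short JMP.
        "entry_is_jump": len(data) > 0 and data[0] in (0xE9, 0xEB),
        "searches_for_programs": b"*.COM" in upper or b"*.EXE" in upper,
        "direct_disk_access": b"\xcd\x13" in data,
        "high_entropy_region": max_window_entropy(data) >= ENTROPY_BITS,
    }


def heuristic_score(data: bytes) -> Tuple[int, List[str]]:
    """Weighted sum of fired heuristics plus the list of reasons."""
    score, reasons = 0, []
    for name, fired in extract_features(data).items():
        if fired:
            score += WEIGHTS[name]
            reasons.append(name)
    return score, reasons


def is_suspicious(data: bytes) -> bool:
    return heuristic_score(data)[0] >= SUSPICION_THRESHOLD


# --- Constructed samples (not real programs) ---
# A benign .COM-style "hello": mov ah,9 / mov dx,.. / int 21h / ret, then text.
BENIGN_HELLO = b"\xb4\x09\xba\x0a\x01\xcd\x21\xc3" + b"Hello$"
# Deterministic high-entropy filler standing in for an encrypted body.
RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
# An archive-like blob: high entropy and nothing else.
ARCHIVE_LIKE = b"PK" + RANDOMISH
# The full combination the text describes.
SUSPICIOUS_SAMPLE = (
    b"\xe9\x00\x04"      # jmp near: skip ahead to the real entry
    + bytes(32)          # padding
    + b"*.COM\x00"       # victim search mask
    + b"\xcd\x13"        # int 13h
    + RANDOMISH          # encrypted-looking body
)

if __name__ == "__main__":
    for label, sample in [("hello", BENIGN_HELLO), ("archive", ARCHIVE_LIKE),
                          ("suspect", SUSPICIOUS_SAMPLE)]:
        score, reasons = heuristic_score(sample)
        print(f"{label:8s} score={score} suspicious={is_suspicious(sample)} {reasons}")
```

The archive sample is the caveat in miniature: it fires the entropy heuristic and nothing else, so it stays under the threshold. Tuning those weights against real benign software was the "voodoo" half of the work, and a passive scanner like this is blind to behaviour that only shows up at run time, which is what the virtual-machine approach mentioned above addressed.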
The only way for a virus to truly cause damage and succeed was if the virus scene could outwit the researchers. The appeal of the cat-and-mouse chase should certainly be clear. It was a game where any creative mind could challenge some of the best computer scientists in the world. It wasn’t an issue of numbers. There’s no doubt that the anti-virus world had more resources, more experience, and the driving passion of moral superiority. However, even the elite group of anti-virus researchers failed to predict the next evolution of the virus scene: the macro virus.