A New Generation of Virus Hunters Enters Boot Camp

WASHINGTON POST

Anthony Carathimas, an intense, dark-haired college student, is writing his first computer virus. His eyes locked on his computer screen at Sandia National Laboratories’ Livermore branch, he tentatively types a line:

cat virus >> /etc/profile

When the program is complete and Carathimas launches it, that first line will instruct his computer to make a copy (cat) of the virus file he is creating and add it (>>) to another file (/etc/profile), which manages the user profiles of everyone with an account on that computer system.

Carathimas writes two more lines and is done. Most viruses are short, but Carathimas’ program is just three lines of code, shorter than the average newspaper paragraph.

It does the job, however: It reproduces.

That is the defining characteristic of a computer virus. Viruses can do more--delete files from a victim’s hard drive and send themselves out to others via e-mail, for instance. But at the core, a virus is simply a program that makes copies of itself.

The virus that Carathimas has written--the term of art is “malware,” a combination of “malicious” and “software”--produces a message that appears on the screen: “This is the virus.” The screen soon fills with the message, line after line, the virus replicating itself so fast that the computer eventually crashes.

Bored with his quick success, Carathimas writes a new line of code that will render his creation more like the destructive viruses that make headlines:

rm -rf /&

This one is a killer. If a computer follows those instructions, it will delete every file on its hard drive. The “rm” is a standard housekeeping command used to delete files. The “r” in “rf” tells the computer to act recursively, working through every subdirectory; the “f” tells the machine to force the action--to refuse to take no for an answer when the computer attempts to protect the files.
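Seen from the defender's side, both of the lines in the story leave a visible trace in a system-wide startup file: an append (>>) into /etc/profile and a recursive, forced rm aimed at the root of the filesystem. The following script is an added example, not code from the article or from Sandia's program; it scans the text of a startup file for exactly those two patterns. The sample /etc/profile contents and the list of startup files it watches are constructed for illustration.

```python
"""Added example (not from the article): scan a shell startup file such as
/etc/profile for lines that match the two behaviours the story describes,
a self-copying append into a startup file (the replication step) and a
recursive, forced rm aimed at the filesystem root (the destructive step).
"""
import re
import sys

# Constructed sample /etc/profile contents: legitimate lines followed by the
# kind of lines described in the article.
SAMPLE_PROFILE = """\
# /etc/profile: system-wide .profile file for the Bourne shell
export PATH="/usr/local/bin:/usr/bin:/bin"
umask 022
cat virus >> /etc/profile
rm -rf /&
"""

# Startup files that run for every interactive shell on the system (assumed
# list; extend it for the shells actually installed on a given host).
STARTUP_FILES = ("/etc/profile", "/etc/bashrc", "/etc/bash.bashrc", "/etc/zprofile")

# Replication: anything appended (>>) to one of the startup files above.
APPEND_TO_STARTUP = re.compile(
    r">>\s*(%s)(?![\w./-])" % "|".join(re.escape(f) for f in STARTUP_FILES)
)

# Destruction: rm with a recursive flag whose target is / , ~ or $HOME, followed
# by end of line or a shell separator (space, &, ;).
DESTRUCTIVE_RM = re.compile(r"\brm\s+-\w*[rR]\w*\s+(/|~|\$HOME)(?=\s|&|;|$)")


def scan_profile(text):
    """Return a list of (line_number, category, line) findings for the given
    startup-file contents. Blank lines and comments are ignored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if APPEND_TO_STARTUP.search(stripped):
            findings.append((lineno, "self-append-to-startup-file", stripped))
        if DESTRUCTIVE_RM.search(stripped):
            findings.append((lineno, "destructive-rm", stripped))
    return findings


def scan_file(path):
    """Read a startup file from disk and scan it; returns the same findings."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_profile(fh.read())


if __name__ == "__main__":
    # With no argument, scan the constructed sample; otherwise scan the path given.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_profile(SAMPLE_PROFILE)
    for lineno, category, line in results:
        print("line %d [%s]: %s" % (lineno, category, line))
    if not results:
        print("no suspicious lines found")
```

Run against the built-in sample it reports two findings, one per pattern; pointed at a real file (python3 scan.py /etc/profile) it reads that file instead. Pattern matching of this kind is a cheap first check; a file-integrity baseline (a stored hash of each startup file, compared on a schedule) catches appends whose content is not on any list.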

Fred Cohen glances over Carathimas’ shoulder and sees the lethal instructions. “No damage, please,” he tells Carathimas.

Cohen, a rumpled, freewheeling Sandia researcher who is generally credited with first applying the term “virus” to describe reproducing computer programs back in 1983, supervises the 30 or so students in his 18-month-old College Cyber Defenders program as they try their hands at writing viruses.

The idea is to show just how easily viruses can be made and how easily they can be blocked. But at Cohen’s request, Carathimas deletes the line just as he might delete an ill-advised sentence from a school essay.

How hard is it to write a virus? No harder than ordering dinner at a provincial French restaurant: The biggest hurdle is knowing enough of the language to make your wishes known.

“Any idiot can write a virus--and lots of idiots have,” said Steve White, a computer security researcher at International Business Machines Corp.

That’s why viruses are increasingly common. About 40,000 have been identified since 1984, most of them in the past few years. One of them, attached to the “love bug” e-mail message sent this year, reached about 15 million Americans, according to the Pew Internet and American Life Project.

Computers run because software tells them what to do, and malware is no different from the programs that enable people to write letters, create spreadsheets and view photos of their grandchildren.

While “virus” is the broad term for a program that replicates, a virus can operate in different ways. A “Trojan horse” emulates its Homeric namesake by pretending to be a program the user wants to launch--for example, an animated birthday card that arrives via e-mail--but which then does things the user doesn’t want, such as deleting files in the background while the cartoon plays on screen.

Members of the most notorious subset of viruses, the “worms,” don’t just duplicate themselves on a single machine or from disk to disk; they spread across computer networks. The love bug is an example of a worm.

As viruses have evolved, the most striking aspect about them is how much faster they have become. Some of the earliest viruses for IBM PCs, in the days before the Windows operating system, targeted specific program files or the first software routines that a computer goes through when it is turned on, the “boot” sectors.

The introduction of Microsoft Corp.’s Windows and its successors changed all that. Windows 95 automatically scans the boot sector for viruses, all but eliminating that threat. So the virus writers shifted their focus. The biggest crop of viruses today attacks via “macros,” the automated commands used in such programs as Microsoft Word and Excel.

Macros run automatically when users open their files and travel with documents when they are appended to e-mail messages. The arrival of macro viruses hastened the spread of viruses; they took mere weeks to get around as they hitchhiked on documents sent innocently from victim to victim, most often via e-mail. But the bugs still had to wait for someone to send the infected document in order to spread.

The most recent viruses speed the process further by sending themselves out over e-mail without the victim’s help. They can go global in hours. The love bug is typical of the new breed. It came to users masquerading as a mash e-note with an attachment, LOVE-LETTER-FOR-YOU.TXT.vbs.

Clicking on that file launched the virus, which was written in the Visual Basic programming environment. Microsoft developed Visual Basic so users could create easy-to-write macros that would work across a range of Microsoft programs. The love bug’s destructive payload scanned the user’s hard disk and destroyed many types of files, including those that stored music and pictures. If the victim used Microsoft Outlook, the virus sent itself out to everyone in the victim’s e-mail address book.

Virus makers tend to look for the largest possible population of machines to infect. That helps to explain the large number of viruses, notably the love bug, that run on the Microsoft Windows operating systems and, in particular, those computers running Microsoft’s Office program suite.

Like almost all viruses, the one Carathimas has written is very specific. It will run on Unix, the operating system he is using. He and his fellow students at Sandia National Laboratories don’t need to overcome the security measures built into many computer operating systems the way that malicious outsiders do.

But if they had to, they could do it the same way that “script kiddie” virus writers do--by grabbing ready-written chunks of code from Internet sites devoted to the craft of virus writing and putting them together like Lego blocks.

The love bug infected an estimated 45 million computers in 20 countries and caused an estimated $8 billion in damage, including employee downtime. “That’s nothing,” White warned. “This could happen every day. This could happen every hour.”

To Cohen, one of the most alarming prospects is a virus that improves on early efforts at simulating evolution; in other words, a program that changes its own code as it goes along. That kind of program would be much harder to detect since it would offer no consistent signature for virus hunters.

Still, Cohen said he was simply unimpressed with what he has seen from the amateur virus makers out there.

“There are no . . . really clever viruses [actually infecting computers]--not yet, and may never be,” he said. “There may be a limit to the amount of effort people are willing to put into doing malicious things.”
