When a doctor wants to create a vaccine against a virus, he usually begins by obtaining a live sample of it. The sample is studied to learn how the virus replicates and where it is weak, so that a vaccine can be developed that stops it from spreading.
This is fairly standard procedure in the world of computer viruses as well. When a new virus is discovered in the wild (a term meaning that the virus is actively spreading on the Internet at large), the antivirus vendors must first get a copy of the actual virus. They take it apart to determine how it works and how it replicates, so that they can develop a means of detecting and blocking the new threat with their antivirus software.
The process takes time, though. Depending on the impact of the threat, the virus may already have disabled a significant portion of the Internet before the antivirus vendors have developed the "vaccine". This was the case with the SQL Slammer worm in January 2003. It spread around the world in under an hour and generated enough traffic to saturate links and knock networks offline across much of the Internet. It was hours later before the antivirus vendors began to release updated signature files that detected the new threat.
In my opinion the entire model of developing a signature for each new threat and adding it to the database of known threats will eventually become too cumbersome anyway. Currently the weekly SuperDAT update from McAfee, which includes both the updated virus database and an updated detection engine, is about 5 MB in size. New viruses are discovered weekly and sometimes daily. Eventually this file may be 10 MB, 50 MB or 100 MB. Not only will it become too daunting for users to download each week, but it may significantly affect the performance of your computer if every file and network stream has to be checked against the whole database.
This method also means that the security experts and antivirus vendors are always one step behind the malicious code writers. It is a reactive model in which nothing is done proactively. The virus writer gets the first move, and if it is a good one it can cause major damage before the antivirus community can develop an effective response.
Most antivirus software performs heuristic scanning as well, which can detect some unknown threats. Heuristic scans attempt to detect virus or worm activity by comparing code and behaviour against patterns seen in past viruses and looking for anything anomalous or out of the ordinary. Heuristic scanning is far from perfect, though, and misses a lot of new viruses. And even heuristic scanning depends in part on what we already know about viruses and worms.

Somewhere out there, perhaps in many "somewheres" around the globe, there are programmers and developers actively pursuing the next mega-virus or super-worm: the next Nimda or SQL Slammer that can spread around the world and cripple the Internet.
These developers may look at past viruses to find out why they worked or why they didn't. They may use them as inspiration or as examples of what not to do. But they don't rely on them as their only source of information. They are also explorers and hackers in the true sense of the word. They dig and hunt for new flaws and vulnerabilities to exploit rather than simply relying on past virus-writing precedent.
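The difference between the signature model and heuristic scanning described above, as an added example that is not from the original article and is not how any vendor's engine (McAfee's included) actually works. A "signature" here is simply the SHA-256 hash of a sample the vendor has already seen, and the heuristics are generic traits that many past worms share (opening a network connection, copying itself, looping, and a packed high-entropy body). The three byte strings standing in for executables, the trait patterns, the weights and the threshold are all constructed for this example.

```python
import hashlib
import math
import re

# Constructed, harmless stand-ins for executables: a worm the vendor has already
# seen, a trivially modified variant of it, and a benign program. The run of
# bytes 0..255 imitates a packed (high-entropy) body. None of this is real code.
KNOWN_WORM = b"MZ" + bytes(range(256)) * 2 + b"CONNECT udp/1434; COPY self; SEND self; REPEAT"
VARIANT = KNOWN_WORM.replace(b"REPEAT", b"AGAIN")   # one keyword changed
BENIGN = b"MZ" + b"PRINT report; SAVE report.txt; EXIT"

# The "virus definition file": one exact hash per sample the vendor has analysed.
# This is the reactive part of the model; it can only name what it has seen.
SIGNATURES = {"Constructed.Worm.A": hashlib.sha256(KNOWN_WORM).hexdigest()}


def signature_scan(sample, sigs=SIGNATURES):
    """Return the signature name if the sample exactly matches a known one, else None."""
    digest = hashlib.sha256(sample).hexdigest()
    for name, sig in sigs.items():
        if sig == digest:
            return name
    return None


def shannon_entropy(data):
    """Bits per byte of the sample; packed or encrypted payloads score close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Generic behaviours shared by many past worms, each with a weight. They are not
# tied to any single sample, so they can fire on code nobody has seen before.
HEURISTICS = [
    (re.compile(rb"CONNECT \w+/\d+"), 2, "opens its own network connection"),
    (re.compile(rb"(COPY|SEND) self"), 3, "replicates itself"),
    (re.compile(rb"REPEAT|AGAIN|LOOP"), 1, "loops over the above"),
]


def heuristic_scan(sample, threshold=4):
    """Score generic virus-like traits; return (flagged, score, reasons)."""
    score, reasons = 0, []
    for pattern, weight, why in HEURISTICS:
        if pattern.search(sample):
            score += weight
            reasons.append(why)
    if shannon_entropy(sample) > 7.0:
        score += 2
        reasons.append("high-entropy (packed) body")
    return score >= threshold, score, reasons


def scan(sample):
    """Signatures first, heuristics only for what the signatures do not recognise."""
    sig = signature_scan(sample)
    if sig:
        return "KNOWN", [sig]
    flagged, _score, reasons = heuristic_scan(sample)
    return ("SUSPICIOUS" if flagged else "CLEAN"), reasons


if __name__ == "__main__":
    for label, sample in (("known", KNOWN_WORM), ("variant", VARIANT), ("benign", BENIGN)):
        print(label, scan(sample))
```

The known sample is named by its signature, but changing a single keyword is enough to make the hash miss, so the variant is caught only because its behaviour still looks like a worm. The weakness of the heuristic side is also visible: its patterns and weights still come from what we have already seen, which is the author's point about both models being reactive.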
We need the good guys to think like the bad guys. We need the whitehat security gurus to proactively discover new attack vectors and new vulnerabilities and to develop the vaccine before the virus is invented. Rather than waiting for the bad guys to make the first move, we need the antivirus community to think one step ahead, plot out what the next move might be, and block it.
There is a heated debate going on right now in the security community. The University of Calgary intends to offer a class this fall that will teach students about viruses and in which the students will actually write their own. The course will be offered only to fourth-year students, and the lab will be isolated from the outside world, with no removable media allowed to leave it, to reduce the risk of an accidental virus release to almost zero.
Many in the antivirus and security administration world vehemently oppose the strategy of teaching virus creation in order to teach virus defense. AVIEN (Anti-Virus Information Exchange Network) and AVIEWS (Anti-Virus Information and Early Warning System) have issued a joint statement encouraging the University to teach students “subject matter relating to the prevention, protection, and cure, rather than how to attack and destroy.”
The University of Calgary Department of Computer Science web site has a statement about this controversy which says “It is time for critics to take their heads out of the sand and work with us to start developing the next generation of computer professional who will be proactive in stopping computer viruses. The current approach of reacting to the viruses is simply not working.”
The statement goes on to detail different security measures that will be in place to ensure that students act responsibly and that viruses developed in the lab will not accidentally escape and spread on the Internet at large. Any such infections would be contained to the lab environment.
Robert Vibert of AVIEN is quoted in an ITBusiness.ca article as saying “there’s nothing stopping them from learning how to do it and write a slightly different virus at home. This is giving them skills that they can apply without copying anything out of the labs.”
The University of Calgary statement goes on to say “Let's be honest: any reasonably intelligent individual can get this information from the internet without having to spend four years at University. There are easier and cheaper ways for them to wreak havoc. It is naïve and dangerous to think that virus writers can be stopped without a better understanding of how they operate.”
I am a member of AVIEWS and I have the utmost respect for the knowledge and expertise of its members, but I have to agree with the philosophy of the University.
The experts in the field who insist that students can learn about viruses by dissecting existing viruses are still pushing the reactive model. Tomorrow's experts need to learn to think beyond that and develop better applications and operating systems that proactively block potential attack vectors, rather than waiting to be attacked and then responding.
Prohibition did not stop the consumption of alcohol. Gun laws do not stop the sale of guns. Demonizing and mystifying the creation of viruses won't stop them from being created. What happens instead is that the underground has information and resources that law-abiding security administrators won't even be aware of.
There is a whole industry of books and classes aimed at teaching network security by educating people about hacker tricks, tools and techniques. The idea is that by knowing exactly how hackers operate and the tools they use an administrator will be able to prepare a better defense and recognize when their network has been compromised. Why should virus security be different? Security through obscurity (see Security Through Obscurity article) is a failed model that offers no real security at all. Hiding how viruses are created from the mainstream won’t help to proactively defend against the next generation of threats.
It is through experimentation of this nature that brilliant new discoveries are made. If Thomas Edison had been told that he could learn all he needed to know about light by studying a candle, and that it was illegal for him to try to produce light himself, we wouldn't have light bulbs. If Albert Einstein had been told that he could learn all he needed to know about physics by studying those who came before him, we would not have the Theory of Relativity, and physics would still be where it was a century ago.
To progress and move forward you have to take what has already occurred as a foundation and move beyond it. In the case of great discoveries like the light bulb, the airplane and the telephone, it sometimes requires breaking the mold and experimenting with new solutions in spite of the currently accepted boundaries. If we didn't have people who think outside the box and look for new answers, we would still think the Earth is flat and that the Sun orbits the Earth.
Can you learn what you need to know about existing viruses in order to defend against them simply by reverse-engineering them and looking at how they work? Absolutely. But will you make a discovery that becomes a quantum leap in programming, one that stops the next generation of viruses, by dissecting the existing ones? Doubtful. In this virus / antivirus chess game the bad guys have always had the first move and the security experts are constantly reacting. I applaud the efforts of the University of Calgary to create a new breed of security experts who can take the initiative and make the first move for a change.