Argument For A 'Good' Virus
By MidNyte[UC]
April 1999

Introduction.

Vesselin Bontchev has (fairly) famously published an article stating that 'good' viruses are 'still a bad idea'. He failed to mention that this is just his opinion, and that he has no authority to decide this other than his own arrogance. I have decided to show how I think a good virus is possible, but I will not be insisting that this is a good virus, simply that Bontchev and his followers are wrong in the assumption that no virus could be 'good'. The scope of the original article in my opinion was not wide enough to cover all eventualities.

Background.

The conditions listed by Bontchev for defining whether or not a virus is beneficial are as follows. For a virus to be considered 'good', it must not compromise a single one of these.

-QUOTE-

1. Lack of Control.

Once released, the person who has released a computer virus has no control on how this virus will spread. It jumps from machine to machine, using the unpredictable patterns of software sharing among the users. Clearly, it can easily reach systems on which it is not wanted or on which it would be incompatible with the environment and would cause unintentional damage. It is not possible for the virus writer to predict on which systems the virus will run and therefore it is impossible to test the virus on all those systems for compatibility. Furthermore, during its spread, a computer virus could reach even a system that had not existed when that virus has been created - and therefore it had been impossible to test the virus for compatibility with this system.

The above is not always true - that is, it is possible to test the virus for compatibility on a reasonably large number of systems that are supposed to run it. However, it is the damaging potential of a program that is spreading out of control which is scaring the users.

2. Recognition Difficulty.

Currently a lot of computer viruses already exist, which are either intentionally destructive or otherwise harmful. There are a lot of anti- virus programs designed to detect and stop them. All those harmful viruses are not going to disappear overnight. Therefore, if one develops a class of beneficial viruses and people actually begin to use them, then the anti- virus programs will have to be able to make the difference between the "good" and the "bad" viruses - in order to let the former in and keep the latter out.

Unfortunately, in general it is theoretically impossible even to distinguish between a virus and a non-viral program ([Cohen89]). There is no reason to think that distinguishing between "good" and "bad" viruses will be much easier. While it might be possible to distinguish between them using virus-specific anti-virus software (e.g., scanners), we should not forget that many people are relying on generic anti-virus defences, for instance based on integrity checking. Such systems are designed to detect modifications, not specific viruses, and therefore will be triggered by the "beneficial" virus too, thus causing an unwanted alert. Experience shows that the cost of such false positives is the same as of a real infection with a malicious virus - because the users waste a lot of time and resources looking for a non-existing problem.

3. Resource Wasting.

A computer virus would eat up disk space, CPU time, and memory resources during its replication. A computer virus is a self-replicating resource eater. One typical example is the Internet Worm, accidentally released by a Carnegie-Mellon student. It was not designed to be intentionally destructive, but in the process of its replication, the multiple copies of it used so much resources, that they practically brought down a large portion of the Internet.

Even when the computer virus uses a limited amount of resources, it is considered as a bad thing by the owner of the machine on which the virus is doing it, if it happens without authorisation.

4. Bug Containment.

A computer virus can easily escape the controlled environment and this makes it very difficult to test such programs properly. And indeed - experience shows that almost all computer viruses released so far suffer from significant bugs, which would either prevent them from working in some environments, or even cause unintentional damage in those environments.

Of course, any program can (and usually does) contain bugs. This is especially true for the large and complex software systems. However, a computer virus is not just a normal buggy program. It is a self-spreading buggy program, which is out of control. Even if the author of the virus discovers the bug at a later time, there is the almost untreatable problem of revoking all existing copies of the virus and replacing them with fixed new versions.

5. Compatibility Problems.

A computer virus that can attach itself to any of the user's programs would disable the several programs on the market that perform a checksum on themselves at runtime and refuse to run if modified. In a sense, the virus will perform a denial-of-service attack and thus cause damage.

Another problem arises from some attempts to solve the "lack of control" problem by creating a virus that asks for permission before infecting. Unfortunately, this causes an interruption of the task being currently executed until the user provides the proper response. Besides of being annoying for the user, it could be sometimes even dangerous. Consider the following example.

It is possible that a computer is used to control some kind of life- critical equipment in a hospital. Suppose that such a computer gets infected by a "beneficial" computer virus, which asks for permission before infecting any particular program. Then it is perfectly possible that a situation arises, when a particular program has to be executed for the first time after the virus has appeared on the computer, and that this program has to urgently perform some task which is critical for the life of a patient. If at that time the virus interrupts the process with the request for permission to infect this program, then the caused delay (especially if there is no operator around to authorise or deny the request) could easily result in the death of the patient.

6. Effectiveness.

It is argued that any task that could be performed by a "beneficial" virus could also be performed by a non-replicating program. Since there are some risks following from the capability of self-replication, it would be therefore much better if a non-replicating program is used, instead of a computer virus.

(Ethical and Legal Reasons - The following arguments against the "beneficial virus" idea are of ethical or legal kind. Since neither ethics, nor the legal systems are universal among the human society, it is likely that those arguments will have different strength in the different countries. Nevertheless, they have to be taken into account.)

7. Unauthorised Data Modification.

It is usually considered unethical to modify other people's data without their authorisation. In many countries this is also illegal. Therefore, a virus which performs such actions will be considered unethical and/or illegal, regardless of any positive outcome it could bring to the infected machines. Sometimes this problem is perceived by the users as "the virus writer claims to know better than me what software should I run on my machine".

8. Copyright and Ownership Problems.

In many cases, modifying a particular program could mean that copyright, ownership, or at least technical support rights for this program are voided.

We have witnessed such an example at the VTC-Hamburg. One of the users who called us for help with a computer virus was a sight-impaired lawyer, who was using special Windows software to display the documents he was working on with a large font on the screen - so that he could read them. His system was infected by a relatively non-damaging virus. However, when the producer of the software learned that the machine was infected, they refused any technical support to the user, until the infection was removed and their software - installed from clean originals.

9. Possible Misuse.

An attacker could use a "good" virus as a means of transportation to penetrate a system. For instance, a person with malicious intent could get a copy of a "good" virus and modify it to include something malicious. Admittedly, an attacker could trojanise any program, but a "good" virus will provide the attacker with means to transport his malicious code to a virtually unlimited population of computer systems. The potential to be easily modified to carry malicious code is one of the things that makes a virus "bad".

10. Responsibility.

Declaring some viruses as "good" and "beneficial" would just provide an excuse to the crowd of irresponsible virus writers to condone their activities and to claim that they are actually doing some kind of "research". In fact, this is already happening - the people mentioned above are often quoting Dr. Fred Cohen's ideas for beneficial viruses as an excuse of what they are doing - often without even bothering to understand what Dr. Cohen is talking about.

(Psychological Reasons - These arguments are of psychological kind. They are usually a result of some kind of misunderstanding and should be considered an obstacle that has to be "worked around".)

11. Trust Problems.

The users like to think that they have full control on what is happening in their machine. The computer is a very sophisticated device. Most computer users do not understand very well how it works and what is happening inside. The lack of knowledge and uncertainty creates fear. Only the feeling that the reactions of the machine will be always known, controlled, and predictable could help the users to overcome this fear.

However, a computer virus steals the control of the computer from the user. The virus activity ruins the trust that the user has in his/her machine, because it causes the user to lose his/her belief that s/he can control this machine. This may be a source of permanent frustrations.

12. Negative Common Meaning.

For most people, the word "computer virus" is already loaded with negative meaning. The media has already widely established the belief that a computer virus is a synonym for a malicious program. In fact, many people call "viruses" many malicious programs that are unable to replicate - like trojan horses, or even bugs in perfectly legitimate software. People will never accept a program that is labelled as a computer virus, even if it claims to do something useful.

-UNQUOTE-

An Example Of A Good Virus.

It is my opinion that Bontchev misses a major point in all of this. This assumes that a virus is judged to be beneficial (or not) on one level. This is a glaring lack of scope. What if a virus is designed in such a way as to be a 'bad' virus working for a 'greater good'? Let me explain. Everyone agrees that freedom is a basic right that people should be born with and that oppression is 'bad', but what about criminals who are caught and imprisoned? They have their freedom taken for the greater good of every other person. If we were not open to this idea of a 'greater good' then we would think that locking someone in a room for years was appalling, but because we are saving many people from possible further crimes the act of taking away this person's freedom was 'good'. In fact most people would be appalled if this person was not imprisoned.

Can we apply this to a virus? I think we can. How about (as an example) a virus that is designed to test the defences/vulnerability of a network or system? Sure, the virus itself would compromise some (not all) of the conditions set out earlier, but then some of them would be invalid in this case due to being poorly chosen (ie, lack of foresight/scope). Something that is fundamentally 'bad' can sometimes be used for a 'good' purpose. Some vaccines for example contain a trace amount of exactly what they immunise against, giving the body time to create antibodies to combat a 'real' infection, thus ultimately being 'good'.

From here on in, I will refer to the proposed (theoretical) good virus as 'MGG' (MidNyte's Greater Good Virus), and will assume it to be running on a fairly large network of a fairly large company who have decided to use it. So how would MGG be beneficial? It would be used to subject the network to a 'controllable' virus to demonstrate weaknesses in the network, and to help develop defences against 'bad' viruses from the wild. It is effectively a utility of the so-called 'disaster-drill' type.

MGG would have the following features:

• Keeps a log of the last 100 names of programs it infected and serial numbers of the drive on which that program resides.
• On activation checks a specific file for instructions. This will be 'permission to infect' or 'disinfect now'. MGG will do as it is asked. If nothing is found in this file it will return control back to the host without taking any action.
• No payload.

Let's go through the points that Bontchev made in his article, and see how they apply to MGG.

1. Lack of Control.

-QUOTE-

"Once released, the person who has released a computer virus has no control on how this virus will spread."

-UNQUOTE-

True, but then that's what a 'real' virus would do, so that's what we want to MGG to do so we can learn from it. Also, we can stop the spreading of MGG dead by simply editing a file in a pre-specified place (ie, MGG could check for the command 'REM MGG-PERMISSION GRANTED' in the autoexec.bat file in the root of the C: drive. This would not affect the functioning of autoexec because of the REM). If found, MGG runs as normal. If not found, MGG does nothing. If MGG finds the line 'REM MGG-DISINFECT' it disinfects the host and does not re-infect. This line would make the virus spreadable only when MGG did have permission to spread, and this permmision is given or denied in an un-obtrusive way. This system also acts as a failsafe, in that if the autoexec.bat file was somehow deleted, the default behaviour of MGG is to do nothing.

2. Recognition Difficulty.

-QUOTE-

"If one develops a class of beneficial viruses and people actually begin to use them, then the anti-virus programs will have to be able to make the difference between the "good" and the "bad" viruses - in order to let the former in and keep the latter out."

-UNQUOTE-

This doesn't really come into it in this particular case. From the point of view of the anti-virus program, MGG *is* a bad virus and should be detected and reported as such. This will show the users how well their system of using the anti-virus software (ie, Once a day scanning/Once a week scanning/memory resident scanning etc) is working. Also, when using MGG to simulate an undetectable (new) virus, the anti-virus software would be switched off.

3. Resource Wasting.

-QUOTE-

"A computer virus would eat up disk space, CPU time, and memory resources during its replication. A computer virus is a self-replicating resource eater. Even when the computer virus uses a limited amount of resources, it is considered as a bad thing by the owner of the machine on which the virus is doing it, if it happens without authorisation"

-UNQUOTE-

So would a normal virus. MGG is simulating what would happen. MGG is 'bad' in this limited scope, but remember we are trying to look at the behaviour of a system under virus attack. Showing this flaw is 'good' in the wider scope. It will also show users exactly how much or little resources are wasted, and show administrators whether users actually notice the difference or not.

4. Bug Containment.

-QUOTE-

"Some viruses suffer from significant bugs, which would either prevent them from working in some environments, or even cause unintentional damage in those environments. A computer virus is not just a normal buggy program. It is a self-spreading buggy program, which is out of control. Even if the author of the virus discovers the bug at a later time, there is the almost untreatable problem of revoking all existing copies of the virus and replacing them with fixed new versions."

-UNQUOTE-

As long as MGG doesn't spread without the permission message, it is not out of control. At any time MGG can be halted by denying permission, which will prevent further spreading. The bugs can then be fixed. Furthermore, bugs are a lot less likely as MGG will be used by someone who knows what system MGG is designed for, as opposed to a normal virus travelling through random computer systems.

5. Compatibility Problems.

-QUOTE-

"A computer virus that can attach itself to any of the user's programs would disable the several programs on the market that perform a checksum on themselves at runtime and refuse to run if modified. In a sense, the virus will perform a denial-of-service attack and thus cause damage."

-UNQUOTE-

Again, so would a real virus. MGG is pointing out which programs would not work under such circumstances. For example, if it was an essential program that stopped working when infected, MGG would be demonstrating a serious flaw in a system which relied on that program. (Note: the other paragraphs of the original point 5 are dealt with separately. Please see below.)

6. Effectiveness.

-QUOTE-

"It is argued that any task that could be performed by a "beneficial" virus could also be performed by a non-replicating program. Since there are some risks following from the capability of self-replication, it would be therefore much better if a non-replicating program is used, instead of a computer virus."

-UNQUOTE-

In this case, no. A simulator would simulate what the virus did, and may make a mistake under some unfavourable conditions such as a split in the network. MGG is a real virus and so would act as one.

This is also an invalid argument, as any future task should not be automatically assumed to be possible by another means. If you don't know what the task is yet, you cannot possibly know whether it is possible by conventional means or not.

7. Unauthorised Data Modification.

-QUOTE-

"It is usually considered unethical to modify other people's data without their authorisation. In many countries this is also illegal. Therefore, a virus which performs such actions will be considered unethical and/or illegal, regardless of any positive outcome it could bring to the infected machines. Sometimes this problem is perceived by the users as 'the virus writer claims to know better than me what software should I run on my machine'".

-UNQUOTE-

If MGG doesn't have permission in the form of the autoexec.bat line, it won't infect. If the line is there, the person who put it there must assume responsibility for doing so.

8. Copyright and Ownership Problems.

-QUOTE-

"In many cases, modifying a particular program could mean that copyright, ownership, or at least technical support rights for this program are voided."

-UNQUOTE-

We have witnessed such an example at the VTC-Hamburg. One of the users who called us for help with a computer virus was a sight-impaired lawyer, who was using special Windows software to display the documents he was working on with a large font on the screen - so that he could read them. His system was infected by a relatively non-damaging virus. However, when the producer of the software learned that the machine was infected, they refused any technical support to the user, until the infection was removed and their software installed from clean originals."

The test's administrator would simply remove the permission message, and the next running of the program would remove MGG. As previously stated though, the administrator would accept responsibility when using MGG, just they would if using a conventional program to test a system.

9. Possible Misuse.

-QUOTE-

"An attacke could use a 'good' virus as a means of transportation to penetrate a system. For instance, a person with malicious intent could get a copy of a 'good' virus and modify it to include something malicious. Admittedly, an attacker could trojanise any program, but a 'good' virus will provide the attacker with means to transport his malicious code to a virtually unlimited population of computer systems. The potential to be easily modified to carry malicious code is one of the things that makes a virus 'bad'".

-UNQUOTE-

If MGG were to be used on a system, the administrator would have to validate it's integrity just as they would have to validate the integrity of any other program to be sure it wasn't trojanised.

10. Responsibility.

-QUOTE-

"Declaring some viruses as 'good' and 'beneficial' would just provide an excuse to the crowd of irresponsible virus writers to condone their activities and to claim that they are actually doing some kind of 'research'. In fact, this is already happening - the people mentioned above are often quoting Dr. Fred Cohen's ideas for beneficial viruses as an excuse of what they are doing - often without even bothering to understand what Dr. Cohen is talking about."

-UNQUOTE-

This is hearsay and irrelevant. It is possible, but everyone who made a virus along the lines of MGG would have to prove it to be 'good' before they were trusted. The excuses of irresponsible people do not make a difference to this virus being 'good' or 'bad'.

11. Trust Problems.

-QUOTE-

"The users like to think that they have full control on what is happening in their machine. The computer is a very sophisticated device. Most computer users do not understand very well how it works and what is happening inside. The lack of knowledge and uncertainty creates fear. Only the feeling that the reactions of the machine will be always known, controlled, and predictable could help the users to overcome this fear.

However, a computer virus steals the control of the computer from the user. The virus activity ruins the trust that the user has in his/her machine, because it causes the user to lose his/her belief that s/he can control this machine. This may be a source of permanent frustrations."

-UNQUOTE-

This could contribute to a viruses chances of spreading and/or being reported to an administrator who could do something to stop it. This should be a part of the test. On the other hand, if a user knew of the test with MGG, it may belay some of those fears. This is irrelevant however, as the administrator is free to not use it if they do not trust it, this does not change whether it's good or bad.

12. Negative Common Meaning.

-QUOTE-

"For most people, the word 'computer virus' is already loaded with negative meaning. The media has already widely established the belief that a computer virus is a synonym for a malicious program. In fact, many people call 'viruses' many malicious programs that are unable to replicate - like trojan horses, or even bugs in perfectly legitimate software. People will never accept a program that is labelled as a computer virus, even if it claims to do something useful."

-UNQUOTE-

This is also irrelevant to the issue. MGG is a virus. It is there for a specific purpose. It is designed to be a virus with a 'safety feature'. It will only be used in very specific circumstances from which it cannot escape without permission. It should be accepted as such. If it is not trusted, it will not be given permission to infect and therefore not used on a system.

Practical Use Of MGG.

Each copy of MGG will provide a list of the last 100 hosts of that particular 'family', and the serial number of the drive on which that host resides. This will provide an accurate path of how the virus spread and point out any jumps from disk to disk. This could be valuable information for stopping the spreading of a 'bad' virus. This information about virus spreading could not be reliably emulated as simply as just releasing MGG. For this purpose, in this scenario, using MGG has provided accurate and useful information without causing ill effects. It removes itself at the end of the test. It does nothing 'bad', but does some 'good' things. I fail to see how this could be classed as a 'bad' virus.

Jon Gorney, the Executive Vice President of the National City Corporation Bank (one of the largest banks in the American Midwest) had an encounter with a virus, as recounted in 'Bank Battles Virus', a paper that can be found in VDAT. He is quoted as saying 'it was the best experience we could have had.' The bank needed the help of IBM to eradicate the virus, which took three days. During this time, they never had the ability to 'switch off' the attack. MGG would have given all the benefits of the real attack (without the risk of major damage), plus a few more that a 'real' virus wouldn't provide such as the logging of the infected files.

A Few Notes To Everyone Reading.

The fact that the scope of the original statement was too limited has meant that this use of a virus was not anticipated. This means Bontchev's entire article is missing a vital point and must be re-evaluated. Please take the time to re-examine his article with the proposed use of MGG in mind and see who you think is right. Remember though that Bontchev is stating categorically that no virus can be 'good', and I am simply stating that it is possible under some circumstances, and the idea should not be discounted.

A Few Notes To People Who Back Bontchev's Claim.

Bontchev quotes (in point five):

-QUOTE-

"Another problem arises from some attempts to solve the 'lack of control' problem by creating a virus that asks for permission before infecting. Unfortunately, this causes an interruption of the task being currently executed until the user provides the proper response. Besides of being annoying for the user, it could be sometimes even dangerous. Consider the following example:

It is possible that a computer is used to control some kind of life- critical equipment in a hospital. Suppose that such a computer gets infected by a 'beneficial' computer virus, which asks for permission before infecting any particular program. Then it is perfectly possible that a situation arises, when a particular program has to be executed for the first time after the virus has appeared on the computer, and that this program has to urgently perform some task which is critical for the life of a patient. If at that time the virus interrupts the process with the request for permission to infect this program, then the caused delay (especially if there is no operator around to authorise or deny the request) could easily result in the death of the patient."

-UNQUOTE-

This statement is so absurd that I just have to comment. There is not a single hospital around that would connect such equipment to an open network, and even if there was, MGG does not ask permission, it checks to see if permission has been pre-arranged which is entirely different. Please, when evaluating something like this, be sure to disregard this kind of hearsay, after all, a court would dismiss that in a second. (And yes, I did actually ask a lawyer to verify what parts of Bontchev's claim were likely to be regarded as hearsay according to the law.) I know it's only an example, but if you can't think of a reasonable example then it follows that it's probably not a reasonable statement.

Conclusion.

Please remember that this is only my opinion. However, do not forget that Bontchev's opinion is only his opinion too, a fact that he neglected to mention through his arrogance. He is not a god, he does not lay down the law just because of his expertise in the field.... he merely voices his opinion. I have merely voiced mine and welcome any feedback on it.

Also, I have no plans to actually write MGG, as just this explanation of it's functioning sufficient to prove my point. MGG uses no features/techniques that couldn't be programmed easily in practice using techniques currently known. It is also possible to expand this virus to check a second line to get advanced instructions, such as what files to infect, how many to infect per run, whether or not to go memory resident etc. This means it can be expanded to be useful on a variety of systems, not just a small number.

- MidNyte [Ultimate Chaos Public Relations & Virus Research]

As always, I welcome ANY feedback, good or bad, as long as it is reasonable.

midnyte01@excite.com | www.ultimatechaos.org/midnyte | surf.to/midnyte