Since the late 1990s, outbreaks of malicious computer viruses and worms like LoveLetter have grown increasingly common and have caused billions of dollars in damage and lost productivity. Where do these invasive programs come from? How does the computer industry combat these threats? What are the legal implications of writing or distributing malicious computer software?
Invasive Software Overview
Invasive programs (i.e. viruses, worms, and Trojan horses) are constructed using the same basic computer logic that underlies traditional application programs such as games, word processors, or spreadsheets. Like other programs, invasive software must be written by people, and it must be intentionally designed and programmed to perform specific actions.
Invasive programs act without the computer user's knowledge or permission and may cause a variety of intentional and unintentional damage. Viruses, worms, and Trojan horses that cause intentional damage are said to deliver a "payload" when a certain "trigger" condition is met. Common payloads include sending files or passwords to the originator of the invasive software or deleting the user's files. Common triggers include a particular date, or the user's act of logging on to the Internet (at which point the user's password may be sent to the attacker). A count of some system event can also serve as a trigger; for example, the hard disk may be reformatted on the tenth system reset after infection, destroying all saved programs and data.
Although virtually all Trojan horses attempt to cause harm or steal information from a computer system, more than 70 percent of all computer viruses and worms are designed only to self-replicate. Although they are not intentionally malicious, such invasive programs are still quite dangerous, because they can cause system crashes, clog the Internet and e-mail systems, and generally compromise productivity.
Currently, all invasive software can be categorized into three broad categories: viruses, worms, and Trojan horses.
A virus is a computer program that is designed to replicate itself from one file to another (or one disk to another) on a single computer. Viruses spread quickly to many files within a computer, but typically spread slowly between computer systems because they require people to exchange infected files over a network, floppy disk, or in e-mail.
The Pakistani Brain virus, discovered in 1986, is widely regarded as the first virus for IBM PC-compatible computers. During the late 1990s, the number of known viruses skyrocketed to more than 50,000. Despite the thousands of strains, few viruses ever find their way out of research labs and onto end-user computers; based on industry statistics, fewer than 1,000 of the more than 50,000 known viruses are in circulation at any one time.
Viruses are often classified by the type of file or disk that they infect. The most common types are application viruses, which infect executable program files; macro viruses, which infect documents and spreadsheet files; and boot-sector viruses, which infect the boot record of a floppy or hard disk.
A typical file-infecting virus works as follows:
- The user runs infected program A.
- Program A executes the virus logic.
- The virus locates a new program, B, for infection.
- The virus checks whether program B is already infected. If it is, the virus goes back to step 3 to locate another program.
- If B is not infected, the virus inserts a copy of its logic into program B.
- The virus then runs program A's original logic (so the user does not suspect any malicious activities).
A worm is a computer program that spreads itself over a computer network from one computer to another. While viruses spread from file to file on a single computer, worms try to infect as many computers as possible over a network. Most worms of the late 1990s and early 2000s spread through e-mail, mailing copies of themselves from each infected machine; others, like the 1988 Internet worm described below, spread by connecting directly to vulnerable network services.
Usually, a worm infects (or causes its logic to run on) a target system only once. After infecting a computer, the worm attempts to spread to other computers on the network. Because a worm carries itself to the next computer rather than waiting for a person to exchange infected files, worms spread much more rapidly than viruses do. The infamous Melissa and LoveLetter threats are both categorized as computer worms.
The first computer worms were written at Xerox Palo Alto Research Center in 1982 to understand how self-replicating programs could be put to use inside a corporation. However, a bug in one worm's logic caused computers on the Xerox network to crash, and Xerox researchers had to build what was effectively the first "anti-virus" tool to remove the infections. In 1988 the famous Internet worm (the Morris worm) spread itself to roughly 10 percent of the fledgling Internet, about 6,000 computers.
Like viruses, computer worms can be written in virtually any computer language. While there have been few script-language viruses, a high percentage of computer worms have been written in scripting languages such as Visual Basic Script, because the mail and file-system facilities these languages expose make self-propagating software easy to write. The stereotypical e-mail worm works as follows:
- The user unknowingly runs a worm program.
- The worm accesses a "directory" source, such as an e-mail address list, to obtain a list of target computers on the network.
- The worm sends itself to each of the target computers.
- A user on the target computer unknowingly receives a copy of the worm in e-mail, unintentionally runs the worm e-mail attachment, and repeats the process.
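The four steps above, run as a simulation over a constructed in-memory address-book graph. This is an added example, not code from the original article: the hosts and their address books are invented, no mail is sent, and the `infect_once` switch models the "infects a target system only once" behaviour described earlier so that its effect on mail volume can be measured.

```python
# Added example (not from the original article): simulate the e-mail worm cycle
# over a constructed address-book graph. Hosts and address books are invented.

# Constructed address books: host -> addresses found on that host.
ADDRESS_BOOKS = {
    "alice": ["bob", "carol"],
    "bob": ["alice", "dave"],
    "carol": ["alice", "dave", "erin"],
    "dave": ["bob"],
    "erin": ["carol", "frank"],
    "frank": ["erin"],
    "grace": ["alice"],   # nobody lists grace, so the worm never reaches her
}


def simulate(address_books, patient_zero, infect_once=True, max_rounds=6):
    """Run the worm cycle round by round starting from `patient_zero`.

    Returns (sorted list of hosts that ran the worm, messages sent, rounds).
    With infect_once=True a host that has already run the worm ignores further
    copies (the behaviour the text describes). With infect_once=False every
    received copy runs again, which on a graph with cycles never terminates on
    its own; max_rounds caps it so the resulting mail storm can be measured.
    """
    ran = {patient_zero}        # hosts that have executed the worm (step 1)
    active = [patient_zero]     # hosts executing the worm this round
    messages = 0
    rounds = 0
    while active and rounds < max_rounds:
        rounds += 1
        next_active = []
        for host in active:
            for target in address_books.get(host, []):   # step 2: directory source
                messages += 1                            # step 3: mail a copy
                if infect_once and target in ran:
                    continue                             # already ran it; ignore copy
                ran.add(target)                          # step 4: recipient runs it
                next_active.append(target)
        active = next_active
    return sorted(ran), messages, rounds


if __name__ == "__main__":
    hosts, sent, rounds = simulate(ADDRESS_BOOKS, "alice")
    print(f"infect-once: {len(hosts)} hosts, {sent} messages, {rounds} rounds")
    _, storm, rounds = simulate(ADDRESS_BOOKS, "alice", infect_once=False)
    print(f"no infect-once check: {storm} messages in {rounds} rounds and still going")
```

On this seven-host graph the infect-once version saturates the reachable hosts in four rounds with eleven messages, while removing the check produces 127 messages in six rounds with no end in sight; that traffic, not any payload, is what makes a replicate-only worm costly.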
Trojan horses are programs disguised as normal computer programs that instead cause damage to the host computer when run. Most commonly, Trojan horses either steal information (such as passwords or files) from the computer or damage the contents of the computer (e.g., delete files).
With the increased popularity of the Internet, the latest generation of Trojan horses has been designed to exploit it. Some of these Internet-enabled Trojan horses can be used to remotely control infected computers or to record video and audio from the computer and send it to the attacker. In addition, hackers have used so-called "Zombie" Trojan horse programs to launch large-scale Denial of Service (DoS) attacks against popular Internet web sites.
Trojan horses are not classified as viruses or worms because they do not replicate themselves. However, like viruses and worms, Trojan horses can be written in virtually any language.
Various techniques exist for detecting invasive programs, but the primary mechanism used by most anti-virus software is "fingerprint scanning" (also called signature scanning). The anti-virus software maintains a database of thousands of fingerprints, short byte sequences characteristic of known invasive programs, not unlike a police fingerprint database. When scanning a computer, the anti-virus program searches each file for the patterns in its database. If a pattern matches, the program reports the infection and, where the strain's layout is known, can remove the inserted code and restore the file. Since new invasive programs appear daily, anti-virus vendors distribute fingerprint updates as often as once per day; a fingerprint database cannot, by its nature, detect a strain it has never seen.
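The virus cycle (steps 1 to 6 in the virus section above) and the fingerprint scan that is used to catch it, modelled together over constructed in-memory byte strings. This is an added example and not the article's own code: the sample "programs", the infection marker, the stand-in viral logic and the one-entry signature database are all invented, and nothing is written to disk. The "already infected?" test in step 4 and the scanner's search are the same operation, a substring search for a byte pattern, which is why a strain's own self-recognition marker often ends up as part of its signature.

```python
# Added example (not from the original article): a simulated appender virus on
# in-memory byte strings, plus a fingerprint scanner and repair routine for it.
import hashlib

# Constructed sample "programs": byte strings standing in for executables.
CLEAN = {
    "game.exe": b"MZ game: original logic",
    "calc.exe": b"MZ calc: original logic",
    "edit.exe": b"MZ edit: original logic",
}

# Invented constants for the simulated strain.
MARKER = b"XV!"                                   # what step 4 looks for
VIRAL_LOGIC = b"[copy me into the next program]"  # stand-in for replication code

# Invented signature database: a short byte sequence characteristic of the strain.
# Real databases likewise hold short patterns rather than whole-file hashes,
# because a whole-file hash changes with every host program the virus attaches to.
SIGNATURES = {"Sim.Appender": b"copy me into"}


def is_infected(program: bytes) -> bool:
    """Step 4: the virus recognises its own copies by the prepended marker."""
    return program.startswith(MARKER)


def infect(program: bytes) -> bytes:
    """Step 5: prepend the marker and append the viral logic.
    Already-infected programs are returned unchanged."""
    if is_infected(program):
        return program
    return MARKER + program + VIRAL_LOGIC


def run_cycle(files: dict, entry: str):
    """Steps 1-6 for one execution of `entry`: if it is infected, infect one
    not-yet-infected program and return its name (None when none is left).
    Step 6, running the host's original logic, is not modelled."""
    if not is_infected(files[entry]):
        return None
    for name, content in files.items():                   # step 3: find a candidate
        if name != entry and not is_infected(content):    # step 4: skip infected ones
            files[name] = infect(content)                  # step 5
            return name
    return None


def scan(files: dict) -> dict:
    """Fingerprint scan: return {file: strain} for every signature match."""
    hits = {}
    for name, content in files.items():
        for strain, pattern in SIGNATURES.items():
            if pattern in content:
                hits[name] = strain
    return hits


def repair(program: bytes) -> bytes:
    """Undo the simulated appender. Possible only because this strain's layout
    is known; an overwriting virus destroys the original bytes, and the file
    must then be restored from backup instead."""
    if is_infected(program) and program.endswith(VIRAL_LOGIC):
        return program[len(MARKER):-len(VIRAL_LOGIC)]
    return program


def fingerprint(content: bytes) -> str:
    """Whole-file hash, used here only to verify that a repair is exact."""
    return hashlib.sha256(content).hexdigest()


if __name__ == "__main__":
    files = dict(CLEAN)
    files["game.exe"] = infect(files["game.exe"])   # patient zero
    while run_cycle(files, "game.exe"):             # each run infects one more program
        pass
    print("scan:", scan(files))
    for name in files:
        files[name] = repair(files[name])
        assert fingerprint(files[name]) == fingerprint(CLEAN[name])
    print("scan after repair:", scan(files))
```

Running it shows all three programs flagged after two executions of the infected game, and a clean scan once each file is repaired; the hash check confirms the repair restored the original bytes exactly, which is the kind of verification worth insisting on before trusting an automated "repair".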
Legality of Writing Invasive Programs
Although writing malicious software is not illegal in the United States, willfully spreading such programs is considered a crime punishable by fine or imprisonment. In the United States, some virus authors have argued that writing computer viruses is analogous to exercising free speech. In contrast, some countries outside the United States have drafted computer crime laws that are far stricter than those in the United States. For instance, Germany has laws restricting the mass exchange of computer viruses for any reason, and Finland has recently made writing a computer virus an illegal act.
see also Privacy; Security; Viruses.