Date: Wed, 3 Mar 1993 23:04:03 +0100 (MET)
From: bontchev@INFORMATIK.UNI-HAMBURG.DE (Vesselin Bontchev)
Subject: File 4--comments on proposed virus writing contest (Bontchev)

Mark Ludwig's virus writing contest is yet another attempt to incite the creation of computer viruses that hides behind seemingly legitimate reasons. Just like his book and newsletter, which hide behind the right of US citizens to freedom of expression, the "legitimate" reasons of the contest fall apart if you look carefully at them. Let's consider some questions which naturally arise when reading a proposal like that.

What are the values/dangers of such contests?

In the beginning of the proposal, the author boasts that he needs the virus for the second volume of his book, which will discuss "the scientific applications of computer viruses, and their use in artificial life research". However, the contest is actually for writing the shortest possible non-overwriting MS-DOS COM file infector. What does this have in common with artificial life? What are the scientific applications of such a silly (but small) virus? And what does all this have to do with "research" in general? Actually, it is nothing more than a contest to hack the smallest program that performs given actions - nothing more. In fact, the author even addresses the potential participants of the contest as "hackers", not as researchers or scientists. And indeed, the goal of the contest has nothing to do with scientific research.

The result of this contest is easily predictable. A few hundred kids will write hundreds of smart, not so smart, and completely buggy viruses. One of them will win the $100 prize. The others will have to decide what to do with the viruses in their disposition that have not won the contest. In all probability, they will upload them to the nearest virus exchange BBS, where other irresponsible people will be able to download and spread them further. "K00l dudez, I've got one of the participants in Mark Ludwig's contest for you"... The winner of the contest will have his name, or more probably, his handle, mentioned in the book, which will stimulate his ego and incite hundreds of others to imitate him and to create more viruses.

Of course, all those viruses will end up in the hands of the anti-virus researchers, who will have to update their scanners to be able to recognize them, just in case some of them accidentally "escape". And, since most of those researchers don't work for free, the users of their anti-virus programs will have to pay for yet another update.

Who wins of all that? Mr. Mark Ludwig sells a new volume of his book, a few irresponsible kids get their ego teased, a few anti-virus researchers spend a few nights disassembling silly viruses, and all of you have to pay - pay for updates of your scanners, pay for the data and time lost in an outbreak of a silly and buggy virus, and so on. Indeed, what a service does Mr. Mark Ludwig to the society!

In fact, the outcome of the first volume of his book already proves that the above reasoning is correct. There are already at least 7 different variants of the silly Timid virus, published in the book...

How do we distinguish between "benign" and "malevolent" virus writers?

Some people like to speak about the possibility to develop "benign" and even "beneficial" viruses and about how much this kind of research will make our life easier. In fact, all that began with Dr. Fred Cohen and his papers on the subject. Dr. Cohen means something very particular, something that most people will never call a virus. Unfortunately, in his papers he tends to use formulae, instead of easily understandable language, so it is no wonder that many people misunderstand him.

I cannot decide whether Mr. Mark Ludwig has indeed misunderstood Dr. Cohen's ideas, or if he intentionally misuses the general misunderstanding of the subject, in order to masquerade his virus writing contest as something legitimate. However, the fact is that what he proposes has nothing to do with Dr. Cohen's ideas for beneficial viruses, will have absolutely no positive value, and will raise yet another wave of stupid viruses written across the world.

Actually, there is no such thing as a "benign" or even "non-destructive" virus, as Mr. Mark Ludwig seems to understand it. The virus that is proposed in his contest will infect real, executable programs. The author of the virus has absolutely no way to know how his virus will behave in some situations. In fact, it may turn out to be even highly destructive in some of these situations.

Just an example. One of the first versions of Microsoft Word (1.0, I think) used to checksum itself, and, if the checksum didn't match, displayed a message on the screen (something like "The tree of evil has bitter fruits; crime does not pay") and trashed the current disk. Obviously, if it becomes infected with the virus described in the contest, this destructive code will trigger - with sad consequences. Several other self-checking programs will not react that violently, but will simply refuse to run when infected. Thus, the virus will be guilty of denial of services - maybe lost time, money, business...

Even worse, the virus author is not able to predict the future, so he has no way to know how his virus will behave in situations that simply don't exist yet. Maybe it will turn out to be highly destructive - recall what the "benign" Stoned virus does with high-capacity floppies that were simply not available at the time it was written...

Is there any educational value in those contests?

Mr. Mark Ludwig claims to write his book for educational reasons. But what does he actually teach his readers? How to write viruses? Even if we leave alone the doubtful value of this knowledge, there are already a few books and many more electronic articles, circulating in the underground, that teach exactly that. Maybe he wants to teach his readers to write good assembly language programs? But his first book, at least, does not discuss good programming practices at all, and in fact contains many samples of sloppy and clumsy code. So, maybe he wants to teach his readers about the top technology employed by viruses to bypass the different security systems? Even this is not true - he does not address such modern concepts as armouring, polymorphism, slow viruses, fast infectors, multi-partite viruses, or even fully stealth file infectors... For instance, nowhere in the book is there a discussion of the different kinds of attacks that can be employed by viral programs to circumvent discretionary access controls, integrity-based systems, and so on. All we see is a bunch of silly MS-DOS viruses that barely work.

This raises yet another question - are the virus writers able to teach the security specialists something that the latter don't know already? Many virus writers sincerely believe that; for instance Mark Washburn has written his V2Px series of viruses, in order to "prove" that scanning is unreliable virus defense. However, it turns out that in all cases the security specialists have been aware of the problems for a long time. Even the concept of a computer virus and the difficulties connected with its detection and prevention were first invented by a security specialist - Dr. Fred Cohen, not by John Random Virus Writer... In all cases when the virus writers have come up with something new and original, the security specialists have thought about it for a long time, but have been ethical enough to only discuss it in closed circles, instead of implementing it and releasing it to damage other people's data...

At last, one could ask the question whether Mr. Ludwig's contest is legal. In the text he boasts of it as an "international" contest. However, this demonstrates an amazing ignorance of the local law in some countries. Participating in the contest and writing viruses for it may be illegal in some countries, as the recent arrests of the ARCV virus writing group in the UK have proven. Freedom of expression is a wonderful right, but Mr. Ludwig should be aware that the US constitution does not apply to the whole Universe and thus, some things allowed by it might be illegal in some other countries. Therefore, anybody who decides to participate in Mr. Ludwig's contest is strongly advised to consult a local lawyer. Of course, it would be much better to ponder a bit how unethical the whole thing is and to refuse to participate in the contest at all...

But maybe Mr. Ludwig is not that ignorant, after all. The text of the contest encourages the participants to use handles and other forms of anonymity. Maybe this is because Mr. Ludwig understands that those people might be held legally responsible in some countries for such activities? In this case, his contest is nothing more than an incitement to commit a crime (in those countries where virus writing is considered illegal). I wonder whether some of them have extradition treaties with the USA...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany