May 11, 2005
Evolving viruses
The May edition of Virus Bulletin has an interesting analysis of a virus called Zellome ("It's zell(d)ome the one you expect"). Zellome is unique in that it uses a genetic algorithm (GA) to generate decryptor routines for its polymorphic engine. Essentially, it generates a population of possible decryptors (arithmetic expressions), and mutates and combines them to find one that successfully decrypts the encoded data - which has been generated using a random quadratic function.
As the analysts point out, there are much easier ways to do the decryption, and the GA is time consuming (it can take as much as half a day to find a decryptor) and computationally intensive. Furthermore, the virus still contains an unobfuscated decryption loop, so it is easy to generate a signature for Zellome, and the polymorphism does nothing to affect this.
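To make the "much easier ways" remark concrete, here is an added toy model (not Zellome's actual format, which the article does not spell out): bytes are encoded with a random quadratic f(x) = (a*x^2 + b*x + c) mod 256, and the decryptor is recovered by evaluating f on all 256 inputs and inverting the table, with no genetic search at all. The coefficient constraint (a even, b odd) is the standard condition for such a quadratic to permute Z/2^k and is an assumption of this model.

```python
# Added example: byte-wise encoding with a random quadratic and its direct
# inversion. Models the idea described in the article; the real Zellome
# encoding scheme and operand width are assumptions here.
import random
from typing import Tuple

MOD = 256


def random_quadratic(rng: random.Random) -> Tuple[int, int, int]:
    """Pick coefficients for a quadratic that permutes the byte range.

    Over Z/2^k, a*x^2 + b*x + c is a bijection exactly when a is even and
    b is odd, so sample within that family to guarantee decryptability.
    """
    a = rng.randrange(0, MOD, 2)   # even
    b = rng.randrange(1, MOD, 2)   # odd
    c = rng.randrange(MOD)
    return a, b, c


def quad(x: int, coeffs: Tuple[int, int, int]) -> int:
    a, b, c = coeffs
    return (a * x * x + b * x + c) % MOD


def encode(data: bytes, coeffs: Tuple[int, int, int]) -> bytes:
    return bytes(quad(x, coeffs) for x in data)


def inverse_table(coeffs: Tuple[int, int, int]) -> bytes:
    """Build the inverse map with 256 evaluations of f.

    Raises ValueError if f is not a permutation, i.e. no decryptor exists
    for these coefficients and the encoded data cannot be recovered.
    """
    table = [None] * MOD
    for x in range(MOD):
        y = quad(x, coeffs)
        if table[y] is not None:
            raise ValueError(f"quadratic {coeffs} is not invertible on bytes")
        table[y] = x
    return bytes(table)


def decode(enc: bytes, coeffs: Tuple[int, int, int]) -> bytes:
    inv = inverse_table(coeffs)
    return bytes(inv[y] for y in enc)


def round_trip(data: bytes, seed: int) -> bool:
    """Encode with a seeded random quadratic and check exact recovery."""
    coeffs = random_quadratic(random.Random(seed))
    return decode(encode(data, coeffs), coeffs) == data
```

The table build is 256 evaluations, against the half-day GA search the analysts report, which is the gap the article is pointing at.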
Although Zellome may be a rather useless application of GAs, the idea of an evolving virus is an intriguing one. In fact, the analysts speculate that the author of Zellome may have had the intention of evolving more than just the decryptor, because a 10MB buffer is allocated for the decryptor, which is large enough to easily contain the complete code - around 1.5MB.
There is already an evolutionary process that happens with computer viruses, but humans are closely tied into the loop, at several levels. Humans generate the viruses initially, and other humans define the fitness functions by devising means of eliminating viruses. Mutation is also implemented by humans - a typical virus will have many variants, which are essentially mutations of the original virus.
The polymorphism that we see today is not quite full mutation, because it is only the superficial appearance of some parts of the virus code that change; the functionality of the code does not change, and there are always some non-changing sections for the decryptor. The key to a truly automated mutating virus is one that has the ability to mutate its functionality, just as virus writers often change the functionality when they write the next variant of a virus.
As virus writers develop ways of mutating functionality, so the evolutionary process is likely to become increasingly automated. It will no longer suffice for an antivirus vendor to develop a signature for a particular instance of a virus, because from one copy to the next, that signature will change - there will be no constant decryptor section to latch onto. This will require more automated response mechanisms that don't rely on detailed human analysis of the virus, because there will be too many variants to cope with. The consequence is that the automated response systems will provide an implicit fitness function for powering the evolutionary process.
We can imagine this ecosystem growing ever more complex and lifelike over time. One possible extension is using crossover: when a virus infects a new host, it scans for other viruses, and if it finds them, it uses parts of the other virus code to generate offspring. Of course, this idea could be taken much further - the virus could use bits of code from any program on the system, sort of like gene swapping in bacteria.
True mutation, crossover and gene-swapping could result in viruses that are completely autonomous, in that they survive without human intervention - in fact, even in the face of humans attempting to get rid of them. Currently, if virus writers stopped producing viruses, it wouldn't take very long for all the viruses out there to die out, because true virus novelty comes from the virus authors, not from an automated evolutionary process.
Truly autonomous viruses will really be alive, and it is fascinating to explore the consequences of this. Viruses will have to exist in a hostile world, where both human users and defense software are trying to eliminate them. Viruses will no doubt evolve to be adaptable, spread rapidly, and evade defenses.
But another bizarre consequence is that some viruses may evolve to be useful: just as our bodies have incorporated bacteria that once may have been parasitic (such as mitochondria), so computer systems may incorporate code from viruses that once were destructive. The key is that the selective pressure in these systems favors co-operation, so any virus that has useful functionality, or modifies existing programs in useful ways, will survive and prosper. For example, imagine a virus that evolves a new way of compressing code in order to transmit itself more efficiently - that compression algorithm would soon become extremely widespread.
Mutating viruses may not be all bad.
Comments
An interesting point is that a polymorphic or evolving virus/worm is only problematic if your defense strategy consists of signatures of the malware *structure*. If your detection method is based on behavior, then it is largely irrelevant how obfuscated it is on disk.
It is much harder for malware to obfuscate its actions than its structure.
Posted by: Matthew Williamson at May 13, 2005 02:46 PM
