I encountered an old acquaintance today. Tip of the hat to Peter Radatti for pointing me towards an article by John Breeden II that proposes a very familiar idea: the Good Virus. (One that also often pops up in the form of the Good Worm, such as the various hues of Code that were proposed as ways of mitigating the impact of the infamous Code Red.) 

Dr. Fred Cohen, who even now casts a long shadow over the anti-malware scene, suggested there "could be … useful applications of viruses" in his "Short Course on Computer Viruses" and "It's Alive!", while the even more influential Dr. Vesselin Bontchev covered more or less all the objections when he asked "Are 'Good' Viruses Still a Bad Idea?", though he made a strong case for automatic AV updating as a viral model. Pretty much how we do it nowadays, too. So is Mr. Breeden on the right track? Well let's look at his idea:

This as-yet unnamed program (I might call it White Knight) would be a self-replicating stealth virus that would only affect computers without virus protection.

Well, the idea of protecting users who aren't protecting themselves might have merit, though you could certainly argue that not having an AV program is not always the same thing as being unprotected (certainly I can see whitelisters, Linux fans and the like making such a claim). But why does it have to be a stealth virus? I guess Breeden is assuming that not having protection is an active decision, not a passive absence of action, which is no doubt true in some cases, but then presupposes White Knight's right to insist that all machines should be protected. Ethically, that is an interesting debate: since the owner of an unprotected but connected machine risks the well-being not only of his own system, but of others, there is an argument that he should be forced to protect his machine (with or without his knowledge). I don't say it's an unequivocally correct argument, but it's certainly a defensible position.

Legally, it's another matter. Of course, legislation to counter malicious action/software can vary immensely from country to country, and even from region to region within a single country. However, it's usual for such legislation to outlaw unauthorized access and/or unauthorized modification, so installation by stealth would, in many jurisdictions, fall at the first hurdle.

In fact, what's being proposed isn't actually full stealth, to use a venerable classification system. Whereas most malware stealth mechanisms are designed to hide from security programs, White Knight wouldn't be intended to hide from AV: Breeden actually suggests that AV companies could be given the code "so that they could protect against it." However, that doesn't meet the legal objection. And in fact, it could be said to compromise the effectiveness of the idea: just as recognizing the EICAR test file doesn't tell you that AV is fully functional, correctly configured and fully updated, nor would recognizing White Knight.

So what would White Knight do? Apparently, it would "protect the registry, the root directory and the memory from other viruses….[and]…common attacks like stack overflows." Well, that sounds like a good idea in principle, but I'm afraid it's very difficult to implement that sort of protection in such a way that it will work safely on any system. And while "standard heuristics-based" security software may indeed do some or or all of this, it usually does a great many other things. Such programs are designed, implemented and maintained by teams because it's too big a job for one guy to do in his spare time any more.

It's true that some of the biggest names in AV research did get into the field by writing their own software to begin with, but those days are gone: the problem is just too big now. And I don't think any of them tried to do it with self-replicating goodware: there are just too many practical problems.

And rather than reinvent the wheel here, I'll summarize some of Bontchev's objections to the "anti-virus virus", though I'll modify his terminology slightly to suit the specifics of this proposal:

  1. Once the virus is released, the author can't control it.
  2. Security software that doesn't use program-specific detection (a signature, if you like) won't be able to discriminate between the 'good' virus and 'real' viral malware.
  3. The third objection is specific to a parasitic virus, and may not be applicable in this case. Mr. Breeden doesn't really discuss his replication mechanism.
  4. In the event of problems with the code, there is no guaranteed method for locating/removing/fixing all instances of the virus. [I'd say, in fact, that this follows from objection 1.]
  5. It's liable to cause compatibility issues.
  6. Even if it functions purely generically, it can't function as effectively by stealth as it would under the control of the user. 
  7. It would be unauthorized. Yes, it's possible to ask permission to "come aboard" and make modifications (some malware has actually done this), but the initial request is unauthorized and potentially disruptive. And that, in any case, is not the stealth proposal in the Breeden article.
  8. Any modification of copyrighted programs is also a legal violation, quite distinct from the user's authorization.
  9. Potential for misuse by modification so as to carry a malicious payload.
  10. It adds weight to the claims of authors of real malware when they claim to be doing something beneficial. In an age of fake antivirus, this is even more pertinent than it was at the time the paper was written.

There's a lot more to the work of Cohen and Bontchev than this, and I recommend heartily that anyone with even a passing interest in the topic should check them out: it's astonishing how the principles they outlined still hold true in the very different threatscape of 2011.

As for White Knight, well, I hate to pour cold water on a well-intended suggestion, but a better name might be Red Queen. While the objections in Dr. Bontchev's paper are not all insurmountable, implementation would take an awful lot of running in order to stay in the same place.

ESET Senior Research Fellow

Author David Harley, ESET

You might also be interested in:

  • lyecdevf

    Indeed not having an AV does not mean one is not protected as long as he or she knows what they are doing.  I have such a set up right now on my windows 7.  I browse the net from a limited account and I am protected by comodo firewall as well as a firewall on the router.  I have also been thinking of installing deepfreez but at the moment that is on hold since I use only freeware programs on my computer and I have been thinking of keeping it that way.
    Your Red Queen would probablly infect my computer since I do not have an AV except the windows defender that already came with windows 7 and I some times use it.  Comodo firewall and windows defender I think do a good enough of a job and I believe more security applications would cause just a greater confusion at least for the average user. 
    I remember inspecting my sisters laptop after she came home from studiying abroad.  She had three AV's in whole.  She installed Mcfee since she installed flash player and did not unclick the Mcfee AV during instalation process.  The second was the windows defender and the third was the "main" AV which I told her to install it because I was afraid that she would not get her laptop infected with malware.  It looked to me such a mess that I removed Mcfee and the previous AV with a new version of NOD 32. :)
    So any way I do not believe that more security applications are the answer if people do not even know that they are on the computer or do not bother to use them.  People should learn to create a limited account on there windows machines and browse the net with those or windows should come with one of those by default just like you have so on linux. 
    P.S. Great article by the way.  The idea of a good virus is not bad I think but maybe it should try and do things that most AV's do not cover.

    • David Harley

      I certainly wouldn’t recommend multiple AVs, especially if they’re all running on-access at the same time. AV does add complexity and overhead, but still adds a significant layer of security in the context of how most people use their PCs, which is relatively insecurely in a very dangerous environment. Which doesn’t mean that AV is All You Need of course, or the only approach to security. I am a great believer in the principle of least privilege: it would be a good idea to do more to discourage people from running admin accounts by default.

      What sort of thing might a viral AV do better than conventional AV, would you say? (Leaving aside the question of whether the advantage would compensate for the lack of control.)

  • lyecdevf

    I was thinking about some thing that would monitor for odd ports and communication to determine if there was a rootkit, trojan,…on a computer.  The Red queen would collect the data and then automatically send out an e-mail to the ISP that the trojan, rootkit,… is connecting with the needed data for the ISP to act upon the infringing user. 
    P.S. A few years ago I did alert a couple of ISP's about possible hackers amongst there users.  Of course I was not informed about what kind of actions if any they took against them. 

Follow us

Copyright © 2015 ESET, All Rights Reserved.