[genesis of the virus] cohen and other pioneers

Robert Lemos, of CNET News.com, on November 25, 2003, had an interesting article on the genesis of the computer virus, which I found in researching Fred Cohen and abridge here:


"Of all the accomplishments in the annals of technology, Fred Cohen's contribution is undeniably unique: He introduced the term "virus" to the lexicon of computers.

The University of New Haven professor used the phrase in a 1984 research paper, in which he described threats self-propagating programs pose and explored potential defenses against them. When he asked for funding from the National Science Foundation three years later to further explore countermeasures, the agency rebuffed him.

Two decades later, countless companies and individuals are still paying for that mistake … Little has been documented about the origins of the virus. Its early iterations were not created by malcontent teenagers or antisocial geeks but by campus researchers, system administrators and a handful of old-school hackers who thought that the ability to reproduce their programs automatically was a neat trick.

The result is a tale of technical genius, academic naivete, bureaucratic arrogance and humans' penchant for tearing down institutions simply for the sake of doing so.

Sarah Gordon, senior research fellow at Symantec Security Response, says:

"Even if (viruses) are not designed to be intentionally malicious or dangerous, if they get outside of a controlled environment, there can be unexpected results."

That was precisely what happened with the fathers of the computer virus. Cohen had an inkling of much of the future when he first thought up the idea in November 1983 as a University of Southern California graduate student. During a weekly seminar on computer security, he conceived of a program that could infect other systems with copies of itself.

"All at once, a light bulb came on, and I said, 'Aha!'" Cohen recalled. "Within a few seconds, I knew how to write the program and that it would work."

His adviser at the time, Len Adleman--well known as a creator of public-key encryption and the "A" in a popular form of the security technology known as RSA (Rivest, Shamir & Adleman)--suggested that the programs were the digital analogy of viruses. The name stuck.

The birth of a concept

In a paper published the next year, he defined a virus as "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself." Cohen proved that such a virus could spread through any system that allows information to be shared, interpreted in a general manner and given away, despite the presence of security technologies.

To demonstrate its potential dangers, Cohen created a test program to see how quickly the virus could spread and undermine the security of a mainframe computer system. He implanted the program in a command that presents Unix file structures graphically, then conducted five attack runs.

The virus managed to "gain system rights"--essentially seizing control of the computer--within an average of half an hour. The shortest run took five minutes.

"It could spread with all the security technologies out there at the time," Cohen said. "The concept showed that the least trusted user is the weakest link, and the program can quickly spread up to the most trusted user."

Cohen's work provided a concrete definition of a virus and showed how other programs, such as worms, are a subset of that definition.

Von Neumann

But a few viruslike programs existed before his research, and many of its theoretical underpinnings were established by John von Neumann, one of the founding fathers of computer science.

Born in Hungary in 1903, von Neumann was responsible for seminal work in many branches of computer science, mathematics and physics, including logical analysis of a strategy called game theory and the newly born branch of quantum physics. Between 1948 and 1956, he extended much of the work of one of his peers, computer scientist Alan Turing.

Turing established many of the theoretical foundations of computers when he created the Universal Computer, a logical construct that could solve a wide variety of problems by using a processor and a tape to store programs and data. Computers still use the basic division of labor Turing identified: processors and storage.

Von Neumann expanded Turing's concept to the creation of a universal constructor, a system that could replicate itself. This self-reproducing automaton, as he called it, used tens of thousands of elements--each of which could be in any of 29 states--to create another automaton on an imaginary grid. The system was so complex that it took more than 40 years for even a limited version of it to be implemented in hardware.

Survival of the fittest program

In August 1961, researcher Victor Vyssotsky invented a game, dubbed "Darwin," in which small programs competed with one another to dominate a digital landscape. His colleague Douglas McIlroy programmed much of the game, including the code that would run the simulation. The third researcher, Robert Morris Sr., created a lethal digital creature that evolved and passed along its successful attack to its progeny.

"It was clear that by tinkering the rules to introduce a bit of uncertainty into the game, we could have revived it after Morris' devastating entry, but we had other things to do," said McIlroy, now an adjunct professor in the computer science department at Dartmouth College. The game ran on an IBM 7090 system and was largely forgotten, [running] in artificial environments. It took a different game to help introduce viruses to computers and spread infections worldwide.

The real thing

That game was "Animal," a program akin to "20 Questions," which became highly popular among mainframe computer operators in the 1970s. The game would ask a person to think of an animal and then ask questions for clues as to the type of creature it was. If the program guessed wrong, it would ask the player to provide a question and an answer that would differentiate the new animal.

John Walker, a UNIVAC (Universal Automatic Calculator) systems programmer for a large multinational firm, created his own version of the game in 1974, improving it so that erroneous information one player enters could eventually be corrected by another. The game was an immediate hit.

"It … got me thinking on how best to distribute the game. That's when I thought about making it self-reproducing."

In January 1975, Walker created another program, "Pervade," which would hitch a ride with a new version of "Animal." Any time someone played the "Animal" game, Pervade would also start running to check directories, duplicate itself in any directory that didn't already have a copy and overwrite any older versions.

Walker recalls reflecting on the implications of the program for a couple of months to ensure that he hadn't made any damaging errors. Then he released it.

Within a week, UNIVAC administrators at another corporate office started reporting that "Animal" had suddenly appeared on their system. Weeks later, other companies discovered the program on their systems as well.

"A few months later, a lot of people started talking about it, and that meant more people were asking for it," Walker said. "It propagated as much by word of mouth as by copying itself to new directories."

The Pervade program stopped working when UNIVAC released a new version of the operating system that changed its directory structure. But Walker insists that a modified copy of his program could have easily overcome its new security features.

"UNIVAC was putting forth all these security methods, and here was an example of a threat that all the defenses couldn't do anything about," he said in comments Cohen would echo a decade later.

Walker went on to found Autodesk in the early 1980s, and he remains the largest individual stockholder in the company.

The new generation

Rich Skrenta was a Pittsburgh-area ninth-grader in 1982, he knew a lot about the Apple II and loved to use software to play practical jokes on his classmates. The then-teenager supplied his friends with Apple II programs to which he had added some custom "features," such as the machine's ability to shut down automatically after being used just a few times or to display a taunting message.

"After I had done this a number of times, no one would take games from me anymore," said Skrenta, now the president of his own, soon-to-be-launched search start-up, Topix.net. "And so, I was puzzling on how to get my tricks onto their disks."

That's when he got the idea to write a self-propagating program that would infect Apple II disks. Skrenta's idea for "cloner" programs--he didn't employ the term virus--would infect a popular command on the system disks used by the Apple II. The program he created, called Elk Cloner, counted how often a disk had been used and, on every fifth run, made the computer shut down or perform some other "trick." Every 50th time the computer started up, Elk Cloner would display a little poem.

Four years later, two Pakistani brothers, Amjad and Basit Farooq Alvi, created the first computer virus to infect IBM PCs. Known as the Brain virus, the brothers used the program as a piece of true viral marketing: Each copy caused a message to flash on the screen, advertising the brothers' company, Brain Computer Services of Lahore, Pakistan.

By the end of 1990, about 200 viruses had been identified. Today, that number has jumped to more than 70,000. Although less than 1 percent of those viruses have compromised computers on the Internet, more than 80 percent of companies suffered a digital infection, according to the Computer Security Institute.

Symantec's Gordon said most virus creators--not unlike their predecessors--still don't understand the ability of the programs to spread throughout the Internet. "They tend to be curious--often articulate individuals with a variety of relationship and interaction styles," she said.

Cohen, however, said the scientific heavy lifting for today's Internet viruses was done in the 1980s. Everything else, he said, is just mechanics.

"Everything that we know now was known then," he said. "Everything we see now is just an engineering solution based on old science.""