The art of computer virus research and defense


THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE
By Peter Szor
Publisher: Addison Wesley Professional
Pub Date: February 03, 2005
ISBN: 0-321-30454-3
Pages: 744


Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defense techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organizations against malware. Peter Szor systematically covers everything you need to know, including virus behavior and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. Along the way, he provides extensive information on code metamorphism and other emerging techniques, so you can anticipate and prepare for future threats.

Szor also offers the most thorough and practical primer on virus analysis ever published, addressing everything from creating your own personal laboratory to automating the analysis process. This book's coverage includes

Discovering how malicious code attacks on a variety of platforms
Classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more
Identifying and responding to code obfuscation threats: encrypted, polymorphic, and metamorphic
Mastering empirical methods for analyzing malicious code, and what to do with what you learn
Reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines
Implementing technical defenses: scanning, code emulation, disinfection, inoculation, integrity checking, sandboxing, honeypots, behavior blocking, and much more
Using worm blocking, host-based intrusion prevention, and network-level defense strategies


Copyright
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.
The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.
Symantec Press Publisher: Linda McCarthy
Editor in Chief: Karen Gettman
Acquisitions Editor: Jessica Goldstein
Cover Designer: Alan Clements
Managing Editor: Gina Kanouse
Senior Project Editor: Kristy Hart
Copy Editor: Christal Andry
Indexers: Cheryl Lenser and Larry Sweazy
Compositor: Stickman Studio
Manufacturing Buyer: Dan Uhrig
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:
U.S. Corporate and Government Sales
(800) 382-3419
corpsales@pearsontechgroup.com
For sales outside the U.S., please contact:
International Sales
internat
Visit us on the Web: www.awprofessional.com
Library of Congress Number: 2004114972
Copyright © 2005 Symantec Corporation
All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:
Pearson Education, Inc.
Rights and Contracts Department
One Lake Street
Upper Saddle River, NJ 07458
Text printed in the United States on recycled paper at Phoenix BookTech in Hagerstown, Maryland.

First printing, February, 2005

Dedication
to Natalia


About the Author
Peter Szor is a world renowned computer virus and security researcher. He has been actively conducting research on computer viruses for more than 15 years, and he focused on the subject of computer viruses and virus protection in his diploma work in 1991. Over the years, Peter has been fortunate to work with the best-known antivirus products, such as AVP, F-PROT, and Symantec Norton AntiVirus. Originally, he built his own antivirus program, Pasteur, from 1990 to 1995, in Hungary. Parallel to his interest in computer antivirus development, Peter also has years of experience in fault-tolerant and secured financial transaction systems development.
He was invited to join the Computer Antivirus Researchers Organization (CARO) in 1997. Peter is on the advisory board of Virus Bulletin Magazine and a founding member of the AntiVirus Emergency Discussion (AVED) network. He has been with Symantec for over five years as a chief researcher in Santa Monica, California.
Peter has authored over 70 articles and papers on the subject of computer viruses and security for magazines such as Virus Bulletin, Chip, Source, Windows NT Magazine, and Information Security Bulletin, among others. He is a frequent speaker at conferences, including Virus Bulletin, EICAR, ICSA, and RSA and has given invited talks at such security conferences as the USENIX Security Symposium. Peter is passionate about sharing his research results and educating others about computer viruses and security issues.


Who Should Read This Book
Over the last two decades, several publications appeared on the subject of computer viruses, but only a few have been written by professionals ("insiders") of computer virus research. Although many books exist that discuss the computer virus problem, they usually target a novice audience and are simply not too interesting for the technical professionals. There are only a few works that have no worries going into the technical details, necessary to understand, to effectively defend against computer viruses.
Part of the problem is that existing books have little, if any, information about the current complexity of computer viruses. For example, they lack serious technical information on fast-spreading computer worms that exploit vulnerabilities to invade target systems, or they do not discuss recent code evolution techniques such as code metamorphism. If you wanted to get all the information I have in this book, you would need to spend a lot of time reading articles and papers that are often hidden somewhere deep inside computer virus and security conference proceedings, and perhaps you would need to dig into malicious code for years to extract the relevant details.
I believe that this book is most useful for IT and security professionals who fight against computer viruses on a daily basis. Nowadays, system administrators as well as individual home users often need to deal with computer worms and other malicious programs on their networks. Unfortunately, security courses have very little training on computer virus protection, and the general public knows very little about how to analyze and defend their network from such attacks. To make things more difficult, computer virus analysis techniques have not been discussed in any existing works in sufficient length before.
I also think that, for anybody interested in information security, being aware of what the computer virus writers have "achieved" so far is an important thing to know.
For years, computer virus researchers used to be "file" or "infected object" oriented. To the contrary, security professionals were excited about suspicious events only on the network level. In addition, threats such as CodeRed worm appeared to inject their code into the memory of vulnerable processes over the network, but did not "infect" objects on the disk. Today, it is important to understand all of these major perspectives (the file (storage), in-memory, and network views) and correlate the events using malicious code analysis techniques.
During the years, I have trained many computer virus and security analysts to effectively analyze and respond to malicious code threats. In this book, I have included information about anything that I ever had to deal with. For example, I have relevant examples of ancient threats, such as 8-bit viruses on the Commodore 64. You will see that techniques such as stealth technology appeared in the earliest computer viruses, and on a variety of platforms. Thus, you will be able to realize that current rootkits do not represent anything new! You will find sufficient coverage on 32-bit Windows worm threats with in-depth exploit discussions, as well as 64-bit viruses and "pocket monsters" on mobile devices. All along the way, my goal is to illustrate how old techniques "reincarnate" in new threats and demonstrate up-to-date attacks with just enough technical details.
I am sure that many of you are interested in joining the fight against malicious code, and perhaps, just like me, some of you will become inventors of defense techniques. All of you should, however, be aware of the pitfalls and the challenges of this field!
That is what this book is all about.


What I Cover
The purpose of this book is to demonstrate the current state of the art of computer virus and antivirus developments and to teach you the methodology of computer virus analysis and protection. I discuss infection techniques of computer viruses from all possible perspectives: file (on storage), in-memory, and network. I classify and tell you all about the dirty little tricks of computer viruses that bad guys developed over the last two decades and tell you what has been done to deal with complexities such as code polymorphism and exploits.
The easiest way to read this book is, well, to read it from chapter to chapter. However, some of the attack chapters have content that can be more relevant after understanding techniques presented in the defense chapters. If you feel that any of the chapters are not your taste, or are too difficult or lengthy, you can always jump to the next chapter. I am sure that everybody will find some parts of this book very difficult and other parts very simple, depending on individual experience.
I expect my readers to be familiar with technology and some level of programming. There are so many things discussed in this book that it is simply impossible to cover everything in sufficient length. However, you will know exactly what you might need to learn from elsewhere to be absolutely successful against malicious threats. To help you, I have created an extensive reference list for each chapter that leads you to the necessary background information.
Indeed, this book could easily have been over 1,000 pages. However, as you can tell, I am not Shakespeare. My knowledge of computer viruses is great, not my English. Most likely, you would have no benefit of my work if this were the other way around.


What I Do Not Cover
I do not cover Trojan horse programs or backdoors in great length. This book is primarily about self-replicating malicious code. There are plenty of great books available on regular malicious programs, but not on computer viruses.
I do not present any virus code in the book that you could directly use to build another virus. This book is not a "virus writing" class. My understanding, however, is that the bad guys already know about most of the techniques that I discuss in this book. So, the good guys need to learn more and start to think (but not act) like a real attacker to develop their defense!
Interestingly, many universities attempt to teach computer virus research courses by offering classes on writing viruses. Would it really help if a student could write a virus to infect millions of systems around the world? Will such students know more about how to develop defense better? Simply, the answer is no…
Instead, classes should focus on the analysis of existing malicious threats. There are so many threats out there waiting for somebody to understand them and do something against them.
Of course, the knowledge of computer viruses is like the "Force" in Star Wars. Depending on the user of the "Force," the knowledge can turn to good or evil. I cannot force you to stay away from the "Dark Side," but I urge you to do so.


Acknowledgments
First, I would like to thank my wife Natalia for encouraging my work for over 15 years! I also thank her for accepting the lost time on all the weekends that we could have spent together while I was working on this book.
I would like to thank everybody who made this book possible. This book grew out of a series of articles and papers on computer viruses, several of which I have co-authored with other researchers over the years. Therefore, I could never adequately thank Eric Chien, Peter Ferrie, Bruce McCorkendale, and Frederic Perriot for their excellent contributions to Chapter 7 and Chapter 10.
This book could not be written without the help of many friends, great antivirus researchers, and colleagues. First and foremost, I would like to thank Dr. Vesselin Bontchev for educating me in the terminology of malicious programs for many years while we worked together. Vesselin is famous ("infamous?") for his religious accuracy in the subject matter, and he greatly influenced and supported my research.
A big thank you needs to go to the following people who encouraged me to write this book, educated me in the subject, and influenced my research over the years: Oliver Beke, Zoltan Hornak, Frans Veldman, Eugene Kaspersky, Istvan Farmosi, Jim Bates, Dr. Frederick Cohen, Fridrik Skulason, David Ferbrache, Dr. Klaus Brunnstein, Mikko Hypponen, Dr. Steve White, and Dr. Alan Solomon.
I owe a huge thanks to my technical reviewers: Dr. Vesselin Bontchev, Peter Ferrie, Nick FitzGerald, Halvar Flake, Mikko Hypponen, Dr. Jose Nazario, and Jason V. Miller. Your encouragements, criticisms, insights, and reviews of early handbook manuscripts were simply invaluable.
I need to thank Janos Kis and Zsolt Szoboszlay for providing me access to in-the-wild virus code for analysis, in the days when the BBS was the center of the computing universe. I also need to thank Gunter May for the greatest present that an east European kid could get: a C64.
A big thanks to everybody at Symantec, especially to Linda A. McCarthy and Vincent Weafer, who greatly encouraged me to write this book. I would also like to thank Nancy Conner and Chris Andry for their outstanding editorial work. Without their help, this project simply would never have finished. I also owe a huge thanks to Jessica Goldstein, Kristy Hart, and Christy Hackerd for helping me with the publishing process all the way.
A big thanks to all past and present members of the Computer Antivirus Researchers Organization (CARO), VFORUM, and the AntiVirus Emergency Discussion (AVED) List for all the exciting discussions on computer viruses and other malicious programs and defense systems.
I would like to thank everybody at Virus Bulletin for publishing my articles and papers internationally for almost a decade and for letting me use that material in this book.
Last but not least, I thank my teacher parents and grandparents for the extra "home education" in math, physics, music, and history.


Contact Information
If you find errors or have suggestions for clarification or material you would like to see in a future edition, I would love to hear from you. I am planning to introduce clarifications, possible corrections, and new information relevant to the content of this work on my Web site. While I think we have found most of the problems (especially in those paragraphs that were written late at night or between virus and security emergencies), I believe that no such work of this complexity and size can exist without some minor nits. Nonetheless, I made all the efforts to provide you with "trustworthy" information according to the best of my research knowledge.
Peter Szor,
Santa Monica, CA
pszor@acm.org
http://www.peterszor.com


Part I: STRATEGIES OF THE ATTACKER
Chapter 1. Introduction to the Games of Nature
Chapter 2. The Fascination of Malicious Code Analysis
Chapter 3. Malicious Code Environments
Chapter 4. Classification of Infection Strategies
Chapter 5. Classification of In-Memory Strategies
Chapter 6. Basic Self-Protection Strategies
Chapter 7. Advanced Code Evolution Techniques and Computer Virus Generator Kits
Chapter 8. Classification According to Payload
Chapter 9. Strategies of Computer Worms
Chapter 10. Exploits, Vulnerabilities, and Buffer Overflow Attacks



Chapter 1. Introduction to the Games of Nature
"To me art is a desire to communicate."
Endre Szasz
Computer virus research is a fascinating subject to many who are interested in nature, biology, or mathematics. Everyone who uses a computer will likely encounter some form of the increasingly common problem of computer viruses. In fact, some well-known computer virus researchers became interested in the field when, decades ago, their own systems were infected.
The title of Donald Knuth's book series [1], The Art of Computer Programming, suggests that anything we can explain to a computer is science, but that which we cannot currently explain to a computer is an art. Computer virus research is a rich, complex, multifaceted subject. It is about reverse engineering, developing detection, disinfection, and defense systems with optimized algorithms, so it naturally has scientific aspects; however, many of the analytical methods are an art of their own. This is why outsiders often find this relatively young field so hard to understand. Even after years of research and publications, many new analytical techniques are in the category of art and can only be learned at antivirus and security vendor companies or through the personal associations one must forge to succeed in this field.
This book attempts to provide an insider's view of this fascinating research. In the process, I hope to teach many facts that should interest both students of the art and information technology professionals. My goal is to provide an extended understanding of both the attackers and the systems built to defend against virulent, malicious programs.
Although there are many books about computer viruses, only a few have been written by people experienced enough in computer virus research to discuss the subject for a technically oriented audience.
The following sections discuss historical points in computation that are relevant to computer viruses and arrive at a practical definition of the term computer virus.


1.1. Early Models of Self-Replicating Structures
Humans create new models to represent our world from different perspectives. The idea of self-replicating systems that model self-replicating structures has been around since the Hungarian-American, Neumann János (John von Neumann), suggested it in 1948 [2, 3, 4].

Von Neumann was a mathematician, an amazing thinker, and one of the greatest computer architects of all time. Today's computers are designed according to his original vision. Neumann's machines introduced memory for storing information and binary (versus analog) operations. According to von Neumann's brother Nicholas, "Johnny" was very impressed with Bach's "Art of the Fugue" because it was written for several voices, with the instrumentation unspecified. Nicholas von Neumann credits the Bach piece as a source for the idea of the stored-program computer [5].
In the traditional von Neumann machine, there was no basic difference between code and data. Code was differentiated from data only when the operating system transferred control and executed the information stored there.
To create a more secure computing system, we will find that system operations that better control the differentiation of data from code are essential. However, we also will see the weaknesses of such approaches.
Modern computers can simulate nature using a variety of modeling techniques. Many computer simulations of nature manifest themselves as games. Modern computer viruses are somewhat different from these traditional nature-simulation game systems, but students of computer virus research can appreciate the utility of such games for gaining an understanding of self-replicating structures.

1.1.1. John von Neumann: Theory of Self-Reproducing Automata
Replication is an essential part of life. John von Neumann was the first to provide a model to describe nature's self-reproduction with the idea of self-building automata.
In von Neumann's vision, there were three main components in a system:

1. A Universal Machine
2. A Universal Constructor
3. Information on a Tape

A universal machine (Turing Machine) would read the memory tape and, using the information on the tape, it would be able to rebuild itself piece by piece using a universal constructor. The machine would not understand the process; it would simply follow the information (blueprint instructions) on the memory tape. The machine would only be able to select the next proper piece from the set of all the pieces by picking them one by one until the proper piece was found. When it was found, two proper pieces would be put together according to the instructions until the machine reproduced itself completely.
If the information that was necessary to rebuild another system could be found on the tape, then the automata was able to reproduce itself. The original automata would be rebuilt (Figure 1.1), and then the newly built automata was booted, which would start the same process.

Figure 1.1. The model of a self-building machine.

A few years later, Stanislaw Ulam suggested to von Neumann to use the processes of cellular automation to describe this model. Instead of using "machine parts," states of cells were introduced. Because cells are operated in a robotic fashion according to rules ("code"), the cell is known as an automaton. The array of cells comprises the cellular automata (CA) computer architecture.
Von Neumann changed the original model using cells that had 29 different states in a two-dimensional, 5-cell environment. To create a self-reproducing structure, he used 200,000 cells. Neumann's model mathematically proved the possibility of self-reproducing structures: Regular non-living parts (molecules) could be combined to create self-reproducing structures (potentially living organisms).
In September 1948, von Neumann presented his vision of self-replicating automata systems. Only five years later, in 1953, Watson and Crick recognized that living organisms use the DNA molecule as a "tape" that provides the information for the reproduction system of living organisms.
Unfortunately, von Neumann could not see a proof of his work in his life, but his work was completed by Arthur Burks. Further work was accomplished by E.F. Codd in 1968. Codd simplified Neumann's model using cells that had eight states, 5-cell environments. Such simplification is the base for "self-replicating loops" [6] developed by artificial life researchers, such as Christopher G. Langton, in 1979. Such replication loops eliminate the complexity of universal machine from the system and focus on the needs of replication.
In 1980 at NASA/ASEE, Robert A. Freitas, Jr. and William B. Zachary [7] conducted research on a self-replicating, growing lunar factory. A lunar manufacturing facility (LMF) was researched, which used the theory of self-reproducing automata and existing automation technology to make a self-replicating, self-growing factory on the moon. Robert A. Freitas, Jr. and Ralph C. Merkle recently authored a book titled Kinematic Self-Replicating Machines. This book indicates a renewed scientific interest in the subject. A few years ago, Freitas introduced the term ecophagy, the theoretical consumption of the entire ecosystem by out of control, self-replicating nano-robots, and he proposed mitigation recommendations [8].
It is also interesting to note that the theme of self-replicating machines occurs repeatedly in works of science fiction, from movies such as Terminator to novels written by such authors as Neal Stephenson and William Gibson. And of course, there are many more examples from beyond the world of science fiction, as nanotech and microelectrical mechanical systems (MEMS) engineering have become real sciences.

1.1.2. Fredkin: Reproducing Structures
Several people attempted to simplify von Neumann's model. For instance, in 1961 Edward Fredkin used a specialized cellular automaton in which all the structures could reproduce themselves and replicate using simple patterns on a grid (see Figure 1.2 for a possible illustration). Fredkin's automata had the following rules [9]:
On the table, we use the same kind of tokens.
We either have a token or no token in each possible position.
Token generations will follow each other in a finite time frame.
The environment of each token will determine whether we will have a new token in the next generation.
The environment is represented by the squares above, below, to the left, and to the right of the token (using the 5-cell-based von Neumann environment).
The state of a square in the next generation will be empty when the token has an even number of tokens in its environment.
The state of a square in the next generation will be filled with a token if it has an odd number of tokens in its environment.
It is possible to change the number of states.

Figure 1.2. Generation 1, Generation 2, and…Generation 4.

Using the rules described previously with this initial layout allows all structures to replicate. Although there are far more interesting layouts to explore, this example is the simplest possible model of self-reproducing cellular automata.

1.1.3. Conway: Game of Life
In 1970, John Horton Conway [10] created one of the most interesting cellular automata systems. Just as the pioneer von Neumann did, Conway researched the interaction of simple elements under a common rule and found that this could lead to surprisingly interesting structures. Conway named his game Life. Life is based on the following rules:
There should be no initial pattern for which there is a single proof that the population can grow without limit.
There should be an initial pattern that apparently does grow without limit.
There should be simple initial patterns that work according to simple genetic law: birth, survival, and death.
Figure 1.3 demonstrates a modern representation of the original Conway table game written by Edwin Martin [11].

Figure 1.3. Edwin Martin's Game of Life implementation on the Mac using "Shooter" starting structure.

It is especially interesting to see the computer animation as the game develops with the so-called "Shooter" starting structure. In a few generations, two shooter positions that appear to shoot to each other will develop on the sides of the table, as shown in Figure 1.4, and in doing so they appear to produce so-called gliders that "fly" away (see Figure 1.5) toward the lower-right corner of the table. This sequence continues endlessly, and new gliders are produced.

Figure 1.4. "Shooter" in Generation 355.

Figure 1.5. The glider moves around without changing shape.

On a two-dimensional table, each cell has two potential states: S=1 if there is one token in the cell, or S=0 if there is no token. Each cell will live according to the rules governed by the cell's environment (see Figure 1.6).

Figure 1.6. The 9-cell-based Moore environment.

The following characteristics/rules define Conway's game, Life:
Birth: If an empty cell has three (K=3) other filled cells in its environment, that particular cell will be filled in a new generation.
Survival: If a filled cell has two or three (K=2 or K=3) other filled cells in its environment, that particular cell will survive in the new generation.
Death: If a filled cell has only one or no other filled cells (K=1 or K=0) in its environment, that particular cell will die because of isolation. Further, if a cell has too many filled cells in its environment, four, five, six, seven, or eight (K=4, 5, 6, 7, or 8), that particular cell will also die in the next generation due to overpopulation.
Conway originally believed that there were no self-replicating structures in Life. He even offered $50 to anyone who could create a starting structure that would lead to self-replication. One such structure was quickly found using computers at the artificial intelligence group of the Massachusetts Institute of Technology (MIT).
MIT students found a structure that was later nicknamed a glider. When 13 gliders meet, they create a pulsing structure. Later, in the 100th generation, the pulsing structure suddenly "gives birth" to new gliders, which quickly "fly" away. After this point, in each 30th subsequent generation, there will be a new glider on the table that flies away. This sequence continues endlessly. This setup is very similar to the "Shooter" structure shown in Figures 1.3 and 1.4.
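As an added example (not code from the book), the following simulator implements both automata described above on an unbounded table: Fredkin's parity rule from Section 1.1.2 and Conway's Life rules from this section. It checks the two behaviours the text describes, that every Fredkin pattern reappears as displaced copies of itself and that a Life glider "flies" diagonally without changing shape. The sample patterns, the function names and the 2^k replication check are my own assumptions, not the book's.

```python
from typing import Callable, Dict, FrozenSet, Iterable, Tuple

Cell = Tuple[int, int]          # (x, y) square on an unbounded table
Grid = FrozenSet[Cell]          # the set of filled squares (S=1); every other square is S=0
Rule = Callable[[bool, int], bool]

# The two environments the chapter describes: the 5-cell von Neumann environment
# (the four squares above, below, left and right of a token) and the 9-cell Moore
# environment (all eight surrounding squares).
VON_NEUMANN: Tuple[Cell, ...] = ((0, -1), (0, 1), (-1, 0), (1, 0))
MOORE: Tuple[Cell, ...] = tuple(
    (dx, dy) for dx in (-1, 0, 1) for dy in (-1, 0, 1) if (dx, dy) != (0, 0)
)


def fredkin_rule(filled: bool, k: int) -> bool:
    """Fredkin: a square is filled in the next generation iff its environment
    holds an odd number of tokens; its own current state does not matter."""
    return k % 2 == 1


def life_rule(filled: bool, k: int) -> bool:
    """Conway: birth on K=3, survival on K=2 or K=3, death (isolation or
    overpopulation) for every other K."""
    return k == 3 or (filled and k == 2)


def step(grid: Grid, environment: Iterable[Cell], rule: Rule) -> Grid:
    """Advance one generation.  Only squares that are filled, or that have at
    least one filled neighbour, can change, so the table can stay unbounded."""
    counts: Dict[Cell, int] = {}
    for x, y in grid:
        for dx, dy in environment:
            p = (x + dx, y + dy)
            counts[p] = counts.get(p, 0) + 1
    candidates = set(grid) | set(counts)
    return frozenset(p for p in candidates if rule(p in grid, counts.get(p, 0)))


def run(grid: Grid, environment: Iterable[Cell], rule: Rule, generations: int) -> Grid:
    for _ in range(generations):
        grid = step(grid, environment, rule)
    return grid


def translate(grid: Grid, dx: int, dy: int) -> Grid:
    return frozenset((x + dx, y + dy) for x, y in grid)


def fredkin_replicates(pattern: Grid, k: int) -> bool:
    """Replication property of Fredkin's automaton (an assumption checked here,
    not stated in the book): after 2**k generations a pattern no wider or taller
    than 2**k squares reappears as four exact copies, displaced 2**k squares up,
    down, left and right, with the original position empty.  Larger patterns
    overlap their own copies, and overlapping tokens cancel under the parity rule."""
    n = 2 ** k
    expected: Grid = frozenset()
    for dx, dy in VON_NEUMANN:
        expected |= translate(pattern, dx * n, dy * n)
    return run(pattern, VON_NEUMANN, fredkin_rule, n) == expected


def render(grid: Grid) -> str:
    """ASCII picture of the filled squares: 'X' for a token, '.' for none."""
    if not grid:
        return ""
    xs = [x for x, _ in grid]
    ys = [y for _, y in grid]
    return "\n".join(
        "".join("X" if (x, y) in grid else "." for x in range(min(xs), max(xs) + 1))
        for y in range(min(ys), max(ys) + 1)
    )


# Constructed sample structures (not taken from the book's figures).
L_PATTERN: Grid = frozenset({(0, 0), (1, 0), (0, 1)})               # a 3-token "L"
GLIDER: Grid = frozenset({(1, 0), (2, 1), (0, 2), (1, 2), (2, 2)})  # the Life glider


if __name__ == "__main__":
    g = L_PATTERN
    for gen in range(5):
        print(f"Fredkin generation {gen}:\n{render(g)}\n")
        g = step(g, VON_NEUMANN, fredkin_rule)
    print("four displaced copies after 4 generations:", fredkin_replicates(L_PATTERN, 2))
    print("Life glider after 4 generations:\n" + render(run(GLIDER, MOORE, life_rule, 4)))
```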
Games with Computers, written by Antal Csakany and Ferenc Vajda in 1980, contains examples of competitive games. The authors described a table game with rules similar to those of Life. The table game uses cabbage, rabbits, and foxes to demonstrate struggles in nature. An initial cell is filled with cabbage as food for the rabbits, which in turn become food for the foxes according to predefined rules. The rules then control and balance the populations of rabbits and foxes.
It is interesting to think about computers, computer viruses, and antiviral programs in terms of this model. Without computers (in particular, an operating system or BIOS of some sort), computer viruses are unable to replicate. Computer viruses infect new computer systems, and as they replicate, the viruses can be thought of as prey for antivirus programs.
In some situations, computer viruses fight back. These are called retro viruses. In such a situation, the antiviral application can be thought to "die." When an antiviral program stops an instance of a virus, the virus can be thought to "die." In some cases, the PC will "die" immediately as the virus infects it.
For example, if the virus indiscriminately deletes key operating system files, the system will crash, and the virus can be said to have "killed" its host. If this process happens too quickly, the virus might kill the host before having the opportunity to replicate to other systems. When we imagine millions of computers as a table game of this form, it is fascinating to see how computer virus and antiviral population models parallel those of the cabbage, rabbits, and foxes simulation game.


Rules, side effects, mutations, replication techniques, and degrees of virulence dictate the balance of such programs in a never-ending fight. At the same time, a "co-evolution" [12] exists between computer viruses and antivirus programs. As antivirus systems have become more sophisticated, so have computer viruses. This tendency has continued over the more than 30-year history of computer viruses.
Using models along these lines, we can see how the virus population varies according to the number of computers compatible with them. When it comes to computer viruses and antiviral programs, multiple parallel games occur side by side. Viruses within an environment that consists of a large number of compatible computers will be more virulent; that is, they will spread more rapidly to many more computers. A large number of similar PCs with compatible operating systems creates a homogeneous environment, fertile ground for virulence (sound familiar?).
With smaller game boards representing a smaller number of compatible computers, we will obviously see smaller outbreaks, along with relatively small virus populations.
This sort of modeling clearly explains why we find major computer virus infections on operating systems such as Windows, which represents about 95% of the current PC population around us on a huge "grid." Of course, this is not to say that 5% of computer systems are not enough to cause a global epidemic of some sort.

Note
If you are fascinated by self-replicating, self-repairing, and evolving structures, visit the BioWall project, http://lslwww.epfl.ch/biowall/index.html.

1.1.4. Core War: The Fighting Programs
Around 1966, Robert Morris, Sr., the future National Security Agency (NSA) chief scientist, decided to create a new game environment with two of his friends, Victor Vyssotsky and Dennis Ritchie, who coded the game and called it Darwin. (Morris, Jr. was the first infamous worm writer in the history of computer viruses. His mark on computer virus history will be discussed later in the book.)
The original version of Darwin was created for the PDP-1 (programmed data processing) at Bell Labs. Later, Darwin became Core War, a computer game that many programmers and mathematicians (as well as hackers) play to this day.

Note
I use the term hacker in its original, positive sense. I also believe that all good virus researchers are hackers in the traditional sense. I consider myself a hacker, too, but fundamentally different from malicious hackers who break into other people's computers.


The game is called Core War because the objective of the game is to kill your opponent's programs by overwriting them. The original game is played between two assembly programs written in the Redcode language. The Redcode programs run in the core of a simulated (that is, "virtual") machine named Memory Array Redcode Simulator (MARS). The actual fight between the warrior programs was referred to as Core Wars.
The original instruction set of Redcode consists of 10 simple instructions that allow movement of information from one memory location to another, which provides great flexibility in creating tricky warrior programs. Dewdney wrote several "Computer Recreations" articles in Scientific American [13, 14] that discussed Core War, beginning with the May 1984 article. Figure 1.7 is a screen shot of a Core War implementation called PMARSV, written by Albert Ma, Na'ndor Sieben, Stefan Strack, and Mintardjo Wangsaw. It is interesting to watch as the little warriors fight each other within the MARS environment.

Figure 1.7. Core Wars warrior programs (Dwarf and MICE) in battle.

As programs fight in the annual tournaments, certain warriors might become the King of the Hill (KotH). These are the Redcode programs that outperform their competitors.
The warrior program named MICE won the first tournament. Its author, Chip Wendell, received a trophy that incorporated a core-memory board from an early CDC 6600 computer [14].
The simplest Redcode program consists of only one MOV instruction: MOV 0,1 (in the traditional syntax). This program is named IMP. It causes the contents at relative address 0 (namely the MOV, or move, instruction itself) to be transferred to relative address 1, just one address ahead of itself. After the instruction is copied to the new location, control is given to that address, executing the instruction, which, in turn, makes a new copy of itself at a higher address, and so on. This happens naturally, as instructions are executed at successively higher addresses: the instruction counter is incremented after each executed instruction.
The basic core consisted of two warrior programs and 8,000 cells for instructions. Newer revisions of the game can run multiple warriors at the same time. Warrior programs are limited to a specific starting size, normally 100 instructions. Each program has a finite number of iterations; by default, this number is 80,000.
The original version of Redcode supported 10 instructions. Later revisions contain more. For example, the 14 instructions used in the 1994 revision are shown in Listing 1.1.

Listing 1.1. Core War Instructions in the 1994 Revision
DAT  A0   data
MOV  A0   move
ADD  A0   add
SUB  A0   subtract
MUL  A0   multiply
DIV  A0   divide
MOD  A0   modulo
JMP  A0   jump
JMZ  A0   jump if zero
JMN  A0   jump if not zero
DJN  A0   decrement, jump if not zero
CMP  A0   compare
SLT  A0   skip if less than
SPL  A0   split execution

Let's take a look at Dewdney's Dwarf tutorial (see Listing 1.2).

Listing 1.2. Dwarf Bombing Warrior Program
;name     Dwarf
;author   A. K. Dewdney
;version  94.1
;date     April 29, 1993
;strategy Bombs every fourth instruction.

        ORG     1        ; Indicates execution begins with the second
                         ; instruction (ORG is not actually loaded, and is
                         ; therefore not counted as an instruction).

        DAT.F   #0, #0   ; Pointer to target instruction.
        ADD.AB  #4, $-1  ; Increments pointer by 4.
        MOV.AB  #0, @-2  ; Bombs target instruction.
        JMP.A   $-2, #0  ; Loops back two instructions.

Dwarf follows a so-called bombing strategy. The first few lines are comments indicating the name of the warrior program and its Redcode 1994 standard. Dwarf attempts to destroy its opponents by "dropping" DAT bombs into their operation paths. Because any warrior process that attempts to execute a DAT statement dies in the MARS, Dwarf will be a likely winner when it hits its opponents.
The MOV instruction is used to move information into MARS cells. (The IMP warrior explains this very clearly.) The general format of a Redcode command is of the Opcode A, B form. Thus, the command MOV.AB #0, @-2 will point to the DAT statement in Dwarf's code as a source.
The A field points to the DAT statement, as each instruction has an equivalent size of 1, and at 0 we find DAT #0, #0. Thus, MOV will copy the DAT instruction to where B points. So where does B point to now?
The B field also points to the DAT.F #0, #0 statement. Ordinarily, this would mean that the bomb would be put on top of this statement, but the @ symbol makes this an indirect pointer. In effect, the @ symbol says to use the contents of the location to which the B field points as a new pointer (destination). In this case, the B field appears to point to a value of 0 (location 0, where the DAT.F instruction is placed).
The first instruction to execute before the MOV, however, is an ADD instruction. When this ADD #4, $-1 is executed, the DAT's offset field will be incremented by four each time it is executed: the first time, it will be changed from 0 to 4, the next time from 4 to 8, and so on.
This is why, when the MOV command copies a DAT bomb, it will land four lines (locations) above the DAT statement (see Listing 1.3).

Listing 1.3. Dwarf's Code When the First Bomb Is Dropped
0      DAT.F  #0, #8
1  ->  ADD.AB #4, $-1
2      MOV.AB #0, @-2   ; launcher
3      JMP.A  $-2, #0
4      DAT              ; Bomb 1
5      .
6      .
7      .
8      DAT              ; Bomb 2
9      .

The JMP.A $-2 instruction transfers control back relative to the current offset, that is, back to the ADD instruction, to run the Dwarf program "endlessly." Dwarf will continue to bomb into the core at every four locations until the pointers wrap around the core and return. (After the highest number possible for the DAT location has been reached, it will "wrap" back around past 0. For example, if the highest possible value were 10, 10+1 would be 0, and 10+4 would be 3.)
At that point, Dwarf begins to bomb over its own bombs, until the end of the 80,000 cycles/iterations or until another warrior acts upon it. At any time, another warrior program might easily kill Dwarf, because Dwarf stays at a constant location so that it can avoid hitting itself with friendly fire. But in doing so, it exposes itself to attackers.
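The operand rules walked through above (immediate #, direct $, indirect @) and the IMP description earlier can be checked by running them. The following is an added example, not code from the book or from pMARS: a minimal MARS for just the subset of Redcode '94 that Dwarf and IMP use, run in a constructed 20-cell core so that the wrap-around is visible after a few cycles. The list of addresses each MOV writes to shows Dwarf bombing every fourth cell, wrapping to its own location 0, and never touching its own ADD, MOV or JMP.

```python
from dataclasses import make_dataclass, replace

# One core cell: opcode, modifier, A-field mode and value, B-field mode and value.
Insn = make_dataclass("Insn", ["op", "mod", "am", "a", "bm", "b"])
EMPTY = ("DAT", "F", "#", 0, "#", 0)           # the '94 standard's empty cell

# Listing 1.2 (Dwarf, ORG 1) and IMP (MOV 0, 1 in '94 form) as operand tuples.
DWARF = [EMPTY, ("ADD", "AB", "#", 4, "$", -1),
         ("MOV", "AB", "#", 0, "@", -2), ("JMP", "A", "$", -2, "#", 0)]
IMP = [("MOV", "I", "$", 0, "$", 1)]

def resolve(core, pc, mode, value):
    """Turn an operand into an absolute core address (Redcode '94 rules)."""
    if mode == "#":                             # immediate: the instruction itself
        return pc
    addr = (pc + value) % len(core)             # '$' direct, relative to pc
    if mode == "@":                             # '@' indirect: add that cell's B-field
        addr = (addr + core[addr].b) % len(core)
    return addr

def step(core, pc, written):
    """Execute core[pc]; return the next pc, or None if the process died on a DAT."""
    insn = core[pc]
    src = core[resolve(core, pc, insn.am, insn.a)]
    dst = resolve(core, pc, insn.bm, insn.b)
    if insn.op == "DAT":
        return None
    if insn.op == "ADD" and insn.mod == "AB":   # B-field of dst += A-field of src
        core[dst].b = (core[dst].b + src.a) % len(core)
    elif insn.op == "MOV" and insn.mod == "AB": # A-field of src -> B-field of dst
        core[dst].b = src.a
        written.append(dst)
    elif insn.op == "MOV" and insn.mod == "I":  # whole instruction copied (IMP)
        core[dst] = replace(src)
        written.append(dst)
    elif insn.op == "JMP":                      # JMP.A: continue at the A operand
        return resolve(core, pc, insn.am, insn.a)
    return (pc + 1) % len(core)

def run(warrior, org, cycles, size=20):
    """Run one warrior alone from address 0 in a size-cell core; return (alive, written)."""
    core = [Insn(*EMPTY) for _ in range(size)]  # constructed: 20 cells so the wrap shows
    for i, fields in enumerate(warrior):
        core[i] = Insn(*fields)
    pc, written = org, []
    for _ in range(cycles):
        pc = step(core, pc, written)
        if pc is None:
            return False, written
    return True, written
```

run(DWARF, 1, 15) returns (True, [4, 8, 12, 16, 0]); with size=8000 the same 15 cycles write 4, 8, 12, 16, 20 instead, and run(IMP, 0, 5) shows IMP copying itself one cell ahead each cycle.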
There are several common strategies in Core War, including scanning, replicating, bombing, IMP-spiral (those using the SPL instruction), and the interesting bomber variation named the vampire.
Dewdney also pointed out that programs can even steal their enemy warrior's very soul by hijacking a warrior's execution flow. These are the so-called vampire warriors, which bomb JMP (JUMP) instructions into the core. By bombing with jumps, the enemy program's control can be hijacked to point to a new, predefined location where the hijacked warrior will typically execute useless code. Useless code will "burn" the cycles of the enemy warrior's execution threads, thus giving the vampire warrior an advantage.
Instead of writing computer viruses, I strongly recommend playing this harmless and interesting game. In fact, if worms fascinate you, a new version of Core War can be created to link battles in different networks and allow warrior programs to jump from one battle to another to fight new enemies on those machines. Evolving the game to be more networked allows for simulating worm-like warrior programs.



1.2. Genesis of Computer Viruses
Virus-like programs appeared on microcomputers in the 1980s. However, two frequently recounted precursors deserve mention here: Creeper from 1971-72 and John Walker's "infective" version of the popular ANIMAL game for UNIVAC [15] in 1975.
Creeper and its nemesis, Reaper, the first "antivirus" for networked TENEX running on PDP-10s at BBN, were born while BBN was doing the early development of what became "the Internet."
Even more interestingly, ANIMAL was created on a UNIVAC 1100/42 mainframe computer running under the Univac 1100 series operating system, Exec-8. In January of 1975, John Walker (later founder of Autodesk, Inc. and co-author of AutoCAD) created a general subroutine called PERVADE [16], which could be called by any program. When PERVADE was called by ANIMAL, it looked around for all accessible directories and made a copy of its caller program, ANIMAL in this case, to each directory to which the user had access. Programs used to be exchanged relatively slowly, on tapes at the time, but still, within a month, ANIMAL appeared at a number of places.
The first viruses on microcomputers were written on the Apple-II, circa 1982. Rich Skrenta [17], who was a ninth-grade student at the time in Pittsburgh, Pennsylvania, wrote "Elk Cloner." He did not think the program would work well, but he coded it nonetheless. His friends found the program quite entertaining, unlike his math teacher, whose computer became infected with it. Elk Cloner had a payload that displayed Skrenta's poem after every 50th use of the infected disk when reset was pressed (see Figure 1.8). On every 50th boot, Elk Cloner hooked the reset handler; thus, only pressing reset triggered the payload of the virus.

Figure 1.8. Elk Cloner activates.

Not surprisingly, the friendship of the two ended shortly after the incident. Skrenta also wrote computer games and many useful programs at the time, and he still finds it amazing that he is

