inadvertent computer virus

Given: Computer programs consist of changing memory (‘memory’ meaning RAM, disc, etc on your computer or any computer linked to your computer) values. Computer viruses are certain values for memory locations, which cause those memory values to be replicated elsewhere in memory. (correct me if wrong)
that said, is it possible for a computer virus to simply arise, on the systems we have today? that is, Windows, Unix, Mac OS X, Linux, etc.

like, suppose i pulled up a jpeg (uninfected by viruses, worms, etc). my OS reads the file and pops some pixel values into memory. how likely is it that the combination of values responsible for pixels in, say, row 17 would, upon loading into memory, cause itself to be replicated elsewhere in memory?

as in processing becoming a primordial soup.

unlikely, not bloody likely, damn near impossible?

anyone know if anyone has discussed this before (in Science fiction or peer-reviewed journal)?

thanks,

jb

I would say that it’s not impossible, but if it did happen, it would have to be the result of bugs in applications not addressing memory properly; when you load an image, a chunk of memory is allocated to contain it; if something went wrong with that process (like the program or operating system miscalculating the amount of space required), then some bytes could spill over; the same thing can happen in some applications if a variable exceeds the storage space that the programmer considered would be sufficient (in such cases a program can overwrite parts of itself, but only in memory, not on the disk).

It’s almost certain that such a scenario would either simply cause the program (and possibly the OS) to crash, or it would be in an unused part of the memory, or a part of the program that wasn’t going to be called that time and nothing at all would happen…

But there is just the very very tiniest chance that the spurious bytes would modify an active program in such a way as to cause it to do something valid but outside of its original design, there’s an even tinier chance that this would involve writing something to disk and an almost vanishingly small chance that what ended up written to disk would be a self-replicating program.

So yes, it’s possible but sooooooo unlikely.

Very good idea for a SF story though; so good in fact that I’d be surprised if it hasn’t already been done. It is analogous to biogenesis.

I agree that it’s very very unlikely, but then again, the number of computers and amount of RAM and disk space available has been growing exponentially - infinite monkeys and all that.

However, from what I’ve read about the history of the Tierra artificial evolution program, self-replicating pieces of code did unexpectedly arise, from other self-replicating pieces of code overwriting each other, creating “parasitic” chunks of code that were also self-replicating, provided they had a host to help them replicate. In other words, your scenario did exist, but only in an environment that was set up with a view to fostering this kind of evolutionary process (IIRC the environment was set up to create mutations).

More information about Tierra.

very, very, very, very unlikely…

Let us make a quick back-of-the-envelope calculation:

What is the smallest possible viable virus? In the Tierra scenario that jimm links to there is a 45 byte virus, but that is in a very specific environment. I believe that today with 32 bit CPUs, it would be very hard to write a virus shorter than 100 bytes.
But let us for the sake of the argument assume that it would be possible to write a viable virus 45 bytes long. All we need to find out is how many other combinations there could be of the same 45 bytes or 360 bits: 2^(45*8) = 2^360 = 2 * 10^108 which is 200 million freaking googols.

Even assuming that there are 1 billion PCs worldwide, all of them flipping bits in a 45 byte block at random 1 million times per second, it would still take 2 * 10^93 seconds, or 7 * 10^85 years to come up with what we originally supposed was the shortest possible virus. Any longer pattern would take exponentially longer.

Let me say that again:
very, very, very, very unlikely.

(unless of course I made some silly error above, in which case I’m sure someone will correct me soon…)

I’m waiting for a creationist driveby to the effect “See, it’s mathematically impossible that life on Earth could have arisen by chance”

Ooogh - what fun! A chance to write about viruses!

There are a lot of points to make - I am just skimming the surface with this brain-dump.

  1. Definition of a virus.

Self-replication comes into it - but it is not as easy as a ‘set of memory locations which can reproduce itself’. Polymorphic viruses, for instance, reproduce a bit string which is completely different - but which is the ‘same’ virus. And how about ‘hoax’ viruses, self-replicating and changing rumours and things of that kind? Nevertheless - I think we all understand what you mean. I just wanted to point out that there would be quite an argument as to what constituted a virus at the limit. See 2) below.

  2. Random creation and minimum size.

JPGs and other bit strings processed in computers are rarely random - they have characteristic structures, which are not like code. So a fragment of video memory or database innards would be very unlikely to happen to function as a virus if it were treated as code. Anything may happen at a boundary, of course, but this will usually occur on a byte junction, and modern systems tend to have large buffers, so you are more likely to get 2k sized chunks of…well… swap file is probably the most common thing to end up in memory. Much of this will be executable code, so the best chance of getting a new virus is if you are processing very similar code already.

As a point of interest, there was a short period in the 1990s when virus writers tried to write the smallest possible virus. Without looking up in detail I remember the ‘Tiny’ family of viruses, which were between 100-200 bytes. Mark Ludwig proposed a 7 byte memory-resident overwriter as part of a discussion about ‘artificial life’ arising - reference here:

http://www.arn.org/docs/newman/rn_artificiallife.htm

In fact, this reference covers a lot of what you might want to know.

  3. Mechanisms for creation

Last bit - honest!

Virus writers have developed a few techniques for ‘evolving’ or making new viruses. These have been uniformly unsuccessful in their aim of making virus detection impossible. Examples are the binary virus, and polymorphic techniques such as the Mutation Engine.

One unexpected effect from the creation of Macro viruses is ‘virus breeding’. This occurs when two macro viruses infect the same system - the virus macros both overwrite the central store (normal.dot?) and depending on the order in which they do so, a working virus made up of a combination of the two may be the result. (usually, the whole thing falls over).

All of the above is generally known. A last point is an issue which is not so well understood - that of ‘random’ bit changes in memory. I have never seen this happen, but I have had it reported to me by one professional virus researcher - Alan Solomon. You will appreciate that, to be sure that a bit has changed for no reason, you have to have an unusual set-up - a system where you are monitoring all aspects of the memory and processing, and where you can show that no intended change has occurred. You only find this sort of thing in a Virus Lab, and Alan told me one day that they had isolated an instance where a bit changed value for no obvious reason. He theorised that this may actually happen quite often - ionising cosmic rays or other particles may hit a chip, failing memory, or poor connections may all cause a bit to change. If you are running without parity this will not be noticed during normal running.

This explains some of the situations where the same virus is found with odd single bit changes in a non-critical area - what virus researchers often call variants. A good proportion of these are obviously intentionally modified to avoid detection, but some are pretty inexplicable.

end dump - need to work!
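Added example, not part of the original post: a small Python sketch of the monitoring idea described above, showing what a per-byte parity bit does and does not notice when a bit changes, and how comparing against a reference image pins down a single-bit variant. The 64-byte buffer, the flipped positions and all function names are constructed for illustration.

```python
import hashlib

def parity_bits(mem: bytes) -> bytes:
    """One even-parity bit per byte, as parity RAM keeps alongside the data."""
    return bytes(bin(b).count("1") & 1 for b in mem)

def parity_errors(mem: bytes, stored: bytes) -> list[int]:
    """Offsets whose current parity disagrees with the stored parity bit."""
    return [i for i, (b, p) in enumerate(zip(mem, stored))
            if (bin(b).count("1") & 1) != p]

def bit_diff(reference: bytes, sample: bytes) -> list[tuple[int, int]]:
    """(offset, bit index) of every bit that differs between two images."""
    if len(reference) != len(sample):
        raise ValueError("images must be the same length")
    return [(i, bit) for i, (a, b) in enumerate(zip(reference, sample))
            for bit in range(8) if (a ^ b) >> bit & 1]

def flip(mem: bytes, offset: int, bit: int) -> bytes:
    """Return a copy of mem with one bit inverted (simulated memory fault)."""
    out = bytearray(mem)
    out[offset] ^= 1 << bit
    return bytes(out)

# Constructed reference image and the integrity data recorded for it.
REFERENCE = bytes(range(64))
PARITY = parity_bits(REFERENCE)
DIGEST = hashlib.sha256(REFERENCE).hexdigest()

def report(mem: bytes) -> dict:
    """What each check says about the current memory contents."""
    return {
        "parity_errors": parity_errors(mem, PARITY),
        "digest_changed": hashlib.sha256(mem).hexdigest() != DIGEST,
        "bits_changed": bit_diff(REFERENCE, mem),
    }

single = flip(REFERENCE, 17, 3)   # one bit flipped: parity catches it
double = flip(single, 17, 5)      # two bits in the same byte: parity is blind

if __name__ == "__main__":
    for name, mem in (("clean", REFERENCE), ("single", single), ("double", double)):
        print(name, report(mem))
```

Parity flags the single flip at offset 17 but reports nothing for the double flip in the same byte; only the digest comparison and the bit-level diff show that change.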

Hm, I don’t think computer programs consist of changing memory values. Computer programs themselves do not change. As a matter of fact they should not, unless they are self-modifying, which includes some viruses.

interesting thought, jb.

it kinda reminds me of the “million monkeys typing on a million type-writers: what is the chance that they type a word or sentence in english” theory. i’m sure that has been discussed by scientists, so if you can dig up some info on that theory you might find parallels.

As was touched upon by Mangetout, while one may say that computer programs are sequences of bits, not every sequence of bits is a computer program. In order for that sequence to cause anything at all to happen, it has to be interpreted as instructions to the processor. The exact same sequence of bits will cause absolutely nothing to happen if it is treated simply as data.

So simply the presence of what may be a virus in memory is not enough to say that that system is infected, that virus code must also be executed. That was the point of all the talk about overflowing buffers and stuff.

I don’t mean to step on your toes, Mangetout, but I thought that that was a useful clarification of what you were saying.

My take on this is, unlike evolution, programs will not mutate into viruses. For that to happen, a whole sequence of bytes at the right location must somehow “mutate” to precisely a set of values that a) are a set of valid instructions b) function as a virus when taken as a whole.

An important thing is data stored in a computer do not “mutate.” Consider RAM for example. You can view dynamic RAM used in computers today as a huge grid of tiny capacitors. Suppose a fully charged capacitor has the value of “1” and a discharged one has the value of “0.”

Somehow a capacitor must be charged or discharged to change the value of a byte. This is just the beginning of it however. Not all values are valid instructions. The changes must also be in a suitable region. Not the entirety of main memory is used; large parts of it can be unused. This is especially true of secondary storage (HDD etc.).

There exists a very small chance that this can happen, but this chance is no bigger than a cell spontaneously coming into being.

Hmm. Would a decent metaphor be that the odds of a virus arising spontaneously are akin to a cell mutating into a cancer cell in a mammal?

No, no, no. A cancer mutation is quite likely. That’s a case where we already have something capable of doing everything that the cancer cell does, it just has controls in place to prevent it. If the controls break down, you get cancer.

For a virus to spontaneously arise, you need to first get things writing to a place that they shouldn’t be writing to. This will never be allowed on a well-designed operating system, but most OSs will allow it occasionally. Then, those misplaced bits need to be in a place that will cause them to be run. Then, the sequence of bits must be at least (using Popup’s conservative estimate) 45 bytes long or so, which is rather unlikely, and (and this is the key part), that sequence of bits must be the exact right sequence of bits to make a virus, and it’d be an understatement to say that the odds against that are astronomical.

By the way, I’ve seen spontaneous memory change, myself. It occurred in a program I wrote myself, so I know exactly what should have been able to cause it, and none of that was present. It was at most one byte that was changed, though, and all it did was zero it. Of course, a sequence of all zeros is not a viable virus.

One of the dire warnings that comes with some programming languages is not to exceed bounds; some languages will catch an attempt to write to the 11th position of a 10 position array, others will simply not bother checking (for speed of execution and on the assumption that you know what you are about) and push the bytes into memory in the place where the 11th position would be if there was one; this can result in parts of a loaded program or data being overwritten unexpectedly which can cause odd things to happen. But as I said before, it would be very unlikely indeed that a sequence of such events could accidentally construct something useful.

There are also languages which are deliberately self-modifying but they aren’t mainstream.