The Virus Wars

Guided by an inspired analogy with the human immune system, IBM scientists have developed the next generation of defenses against computer bugs.


IN December of 1987 an electronic message named "CHRISTMA EXEC" arrived at IBM's flagship Thomas J. Watson Research Laboratory, in Yorktown Heights, New York. Steve R. White, a theoretical physicist, was working on an unrelated computer-security problem when the communiqué first unfolded on a colleague's screen, slowly tapping out keyboard characters in the shape of a pine tree and then signing off with the salutation "Merry Christmas."


Any enchantment, though, turned to worry as the visitor accessed the colleague's electronic address book and sent a copy of itself -- ostensibly from the colleague -- to the 1,500 or so entries in the database. A magician doing a disappearing act, CHRISTMA EXEC then erased itself. People were stunned. Loudspeakers blared a warning not to run the rogue program, but it was too late. The holiday message was a Scroogelike virus that replicated itself hundreds of thousands of times, clogging up the company's internal E-mail system for nearly a day. Long before all the damage reports were in, however, White had dropped what he was doing to concentrate on the invader. "You realize as soon as this happens that it's something bad," he recalls. "I said, 'That's it, I'm not working today. I'm going to watch this happen, because this is a seminal event in history.'"

This was an early battle in the Virus Wars, a struggle between good and evil that affects a million computer users every year and threatens to intensify in the age of Internet communications and commerce, when viruses can be passed rapidly around the globe. With huge bets placed on the future of E-business, and with virtually every virus aimed at IBM computers and compatibles (such machines running Microsoft's DOS and Windows operating systems today account for some 90 percent of all personal computers), few companies take the threat as seriously as IBM does. In 1987 perhaps three digital viruses existed. Today, every day, six to ten PC viruses stream into the Anti-Virus Center at IBM's Hawthorne Laboratory, an extension of the Watson lab a few miles down the road from its parent. So far the IBM group has battled about 20,000 separate invaders.

And that's not even the half of it. Until recently the enemy at least seemed contained: once IBM's investigators or their counterparts in a few other organizations turn their attention to a virus, it typically takes less than twenty-four hours to decipher the code and divine a cure. But with millions of people swapping files and conducting Internet business around the clock, once-sluggish mutant codes can go global in well under a day.

On a recent visit to the Hawthorne Lab, White took me to a two-room suite a couple of floors above the Anti-Virus Center. Here, sealed off from the outside world by computer firewalls and other defenses against hackers, resides a prototype of what IBM thinks might be the savior of the Net. It's called the Digital Immune System. The idea is to create digital white blood cells -- much as human beings develop antibodies to biological agents -- that will be permanently available on line. In theory, automatic virus-scouting programs will transmit suspect codes directly to the immune center, where they will be analyzed and debugged and the cure beamed back before mere mortals even know there's a problem. "If the Internet is going to survive," White says, "we're going to need an automated response on this rapid time scale."

A COMPUTER virus is a bit of software code that gets into a machine -- typically through a disk or an electronic message -- and co-opts its host's resources, making copies of itself and ordering up aberrant behavior ranging from posting an innocuous message to wiping out hard drives. Although the theory behind viruses goes back at least to the 1970s, they did not emerge in the "wild" until the late 1980s. They speedily became an everyday menace. Annual sales of anti-virus software are expected to surpass $1 billion next year.

Nearly as soon as viruses came into existence, myths emerged about virus writers. In TV shows and movies they are brilliant iconoclasts who run circles around hapless corporations. No such romanticism affects IBM's twenty-five-person anti-virus team, however. Viral codes are rife with bugs -- and none of their writers would land a job with IBM. "The writers might think that they're showing off their programming prowess," says Jeffrey O. Kephart, an instrumental figure in IBM's anti-virus fight. "But in most cases they're displaying their ineptitude to the world." Though few good studies of virus writers exist, the available evidence indicates that they're almost always male, usually in their teens or early twenties, and have an attitude. A pair of file cabinets inside the Anti-Virus Center hold boxes of diskettes bearing copies of every virus the lab has tackled. A few samples from this morgue illustrate the point.

One is Wazzu, which in its heyday, in 1997, infected Microsoft Word files by randomly shuffling words and inserting its name into text, as in "Now is wazzu the country to come to the aid of your time." Form, another demon, caused keyboards to make an annoying clicking sound on the twenty-fourth of each month. Inside his errant code, where only debuggers would see it, Form's creator left this message: "Virus sends greetings to everyone who's reading this text. Form doesn't destroy data! don't panic. F---ings go to corinne."

These creations may seem like harmless pranks, but anti-virus researchers warn that there's no such thing as a benign virus. Take Wazzu. "You might think it's a funny virus unless you're writing the Israeli-Palestinian peace treaty," White says. Even Form is far from harmless, since a virus's very presence means that a computer's standard operations have been disrupted, increasing the risk of crashes and tainted files. And without naming names, White tells horror stories of corporate mergers in which one company infected another because viruses got into the spreadsheets they exchanged.

Which explains why IBM opened the Anti-Virus Center in early 1989, barely a year after CHRISTMA EXEC hit. Working initially with IBM corporate customers, and later expanding into the consumer sector with its IBM AntiVirus software package, the center's team has not only assembled a collection of viruses but also classified each according to what it attacks -- files, the operating system, and so forth -- and tracked its incidence rate. Setting the stage for the coming showdown in cyberspace, White identifies five epochs in the war against viruses.

(1982-1988). The real Cambrian Period saw an explosion of multicellular invertebrate life. Viruses are not quite the same but close enough. By the mid-1980s the personal computer had evolved from an oddity into a productive tool -- and long-theorized viruses became a reality. Toward the end of the period CHRISTMA EXEC arrived at IBM.

(1988-1992). Invertebrates were joined by great beasts. Some were file infectors, so named because they infected individual files, or applications. An early arrival was the Jerusalem virus, which on every Friday the thirteenth put black rectangles on screens and erased any files executed that day. A programming error allowed the virus to invade files multiple times, adding 1,813 bytes of data with every re-infection: programs infected repeatedly would no longer fit in memory.

Around the same time, boot infectors arose. They were activated when users started up, or "booted," their computers with a floppy diskette. From 1990 to 1992 the Stoned virus was the world's most prevalent. The only consequence of the virus was that one out of every eight times a user booted up from a floppy disk, it flashed the message "Your PC is now Stoned!"

(1992-1995). File infectors were the first casualty. Their decline coincided with Microsoft's segue out of DOS and the growing popularity of its Windows 3.1 operating system, which wouldn't work with infected files. Thus the file infectors' environment was made unlivable, just as asteroids or comets striking Earth may have made it unlivable for the dinosaurs.

Boot infectors, however, co-existed perfectly with Windows. Early in 1992 viruses were elevated to national prominence by the discovery of Michelangelo, set to be activated on March 6 -- the artist's birthday. The widely publicized virus -- even Nightline did a segment on it -- raised the specter of computer Armageddon, because it promised to erase hard disks on a specific day. Lines ran around the block outside some stores selling anti-virus software.

Michelangelo proved largely a dud. Anxious scanning of disks for signs of the virus turned up scores of other boot infectors -- but these viruses mounted a comeback that lasted nearly three years. Then Windows 95 had its debut. Thanks to a design quirk, it refused to spread boot viruses -- making the environment uninhabitable for these agents, much as Windows 3.1 had for the file infectors. Boot infectors, too, went the way of the dinosaurs.

(1995-1999). A new predator evolved: the macro virus. Far more nimble than the file- and boot-osaurs, it hid inside "macros," the little programs inside Microsoft Word documents and Excel spreadsheets that busy themselves with formatting and other subtasks. These viruses, including Wazzu and contemporaries dubbed Npad and Paix, thrived with the widespread sharing of files by way of E-mail -- where such exchanges take place far more readily than they do through disks. For the first time, the tools of executives were affected. A CEO might dash off an electronic memo to all employees and contaminate every computer in the company.

The first macro virus, Concept, arrived just as boot infectors suffered their mortal blow, late in 1995. Its one overt act was to put up a message box containing the number 1. A message in the macro code, at the spot that could have included instructions for more-damaging action, read, "This should be enough to show the concept."

The period 1996 through 1998 was a brief golden time for anti-virus forces. Even the stealthiest new beasts rarely lasted longer than twelve months. The telling factor seemed to be anti-virus software, as IBM and others grew increasingly adept at putting out timely updates, and people seemed more willing to use them.

(1999-?). But then the Internet blossomed. As long as viruses replicated chiefly through disk exchanges, it could take a year for one to spread around the world. That left plenty of time to install anti-virus updates. In the age of E-mail and macro viruses, infections could become global in a month -- still a reasonable amount of time to fortify defenses. But now viruses can travel worldwide in twenty-four hours. "The compression of the time scales from a year to a month to a day changes everything," White says. "Basically, the way the anti-virus industry is trying to solve the problem right now just breaks down."

IN 1990, when the Anti-Virus Center was only a year old, White discussed the need to automate virus hunting with Jeffrey Kephart, who was then a newly arrived expert in nonlinear dynamics. This concern ultimately persuaded Kephart to join the Virus Wars.

"Patterns and connections have always thrilled me," Kephart told me recently. "For the past decade or so I've had lots of fun exploring analogies between large, decentralized computer systems and things like ecosystems, biological systems, and economies." Almost as soon as White started talking to him on that day nine years ago, the analogy bells started ringing for Kephart. He began musing about how human beings ward off biological bugs by building up antibodies, and wondering whether a similar system could be contrived to fight digital viruses -- especially ones that had yet to be seen.

The first step was to understand viruses better. The lab began compiling its elaborate database of attacks on IBM's corporate customers. Armed with the location and date of each incident, the number of infected PCs, and the type of virus involved, researchers employed techniques from mathematical epidemiology to figure out how viruses replicated and spread. In addition to watching for alterations in key parts of memory and other hallmarks of virus activity, most scanning programs today roam hard drives or disks looking for specific pieces of known viral code. These codes typically run a few dozen bytes in length. Drawing on pattern-matching techniques from computational biology, the IBM group was eventually able to spot known viruses from snippets as small as three to five bytes -- speeding up detection. Identifying unknown agents was tougher. But the fact that a single signature often characterizes whole virus "families" proved crucial: since these set code patterns are directly linked to function, a wide variety of viruses could be recognized -- and cured -- even though they had never been seen before.

In the end, it took nine patents and seven years for what came to be called the Digital Immune System to materialize in the two-room suite at Hawthorne. The inner sanctum holds a series of computers and components stacked floor to ceiling. In the outer room, equipped with a large sofa, a kickboxing bag, and more computers, a small research group monitors the system and labors to perfect it.

The basic concept is that anti-virus clients will be networked directly to the prototype's central computer. Monitoring programs on clients' PCs will beam a copy of any suspicious program to the system's analysis engine, which will make a quick guess as to what kind of virus might be arriving. From there the sample will be passed to what the team describes as a series of digital petri dishes -- a separate collection of computers fitted with decoy, or "goat," programs that simulate the kinds of environments viruses like to invade. Goats can be run in different languages, and since certain dates -- Friday the 13th, for example -- might trigger certain viruses, it's even possible to rapidly simulate all the days of the year, and also different hours of each day. Because the starting condition of each goat is known, the system can track the exact path of any infection, determine the invader's traits, develop rules for removing the virus -- and, with luck, undo any damage it has done. The immune system will then copy the virus and test its assumptions to make sure its cure works. The resulting "antibodies" will be transmitted back to the infected client and to any other machines on the network, and will become a permanent part of their memories. Eventually every customer will receive a copy through regular updates.
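The goat-and-antibody workflow just described, together with the short family signatures mentioned earlier, as a toy model in Python (an added example, not code from IBM's Digital Immune System); the goat contents, the fixed payload body and the hypothetical appending behaviour are all constructed for the demonstration:

```python
# Added example, not IBM's code. Each goat is a decoy file with known starting
# bytes, so whatever it gains after exposure to a suspect sample is attributable
# to that sample. Hypothetical appender: adds a 2-byte host length, then a fixed body.
GOATS = {                                      # known starting conditions
    "goat_a.com": b"MZ\x90\x00GOAT-A: hello world\x00",
    "goat_b.com": b"MZ\x90\x00GOAT-B: print report\x00",
    "goat_c.com": b"MZ\x90\x00GOAT-C: calc totals\x00\x00\x00",
}
BODY = b"\xeb\x10\x90\x90[constructed-demo-body]\xc3"   # fixed part of the payload
INFECTED = {                                   # constructed post-exposure images
    name: data + len(data).to_bytes(2, "little") + BODY for name, data in GOATS.items()
}

def added_region(baseline: bytes, sample: bytes):
    """Bytes a goat gained; None if it is untouched or was not simply extended."""
    if sample == baseline or not sample.startswith(baseline):
        return None
    return sample[len(baseline):]

def common_signature(regions: list, min_len: int = 3):
    """Longest byte string shared by every added region: a few bytes suffice for a family."""
    first = min(regions, key=len)
    for size in range(len(first), min_len - 1, -1):
        for i in range(len(first) - size + 1):
            candidate = first[i:i + size]
            if all(candidate in r for r in regions):
                return candidate
    return None

def derive_antibody(goats: dict, infected: dict):
    """Signature plus removal rule (bytes to strip), derived only from goat diffs."""
    regions = [added_region(goats[n], infected[n]) for n in goats]
    if any(r is None for r in regions):
        raise ValueError("a goat was not infected in the expected way")
    sizes = {len(r) for r in regions}
    signature = common_signature(regions)
    if len(sizes) != 1 or signature is None:
        raise ValueError("growth varies or no shared signature: no safe cure rule")
    return signature, sizes.pop()

def scan(data: bytes, signature: bytes) -> bool:
    return signature in data

def cure(data: bytes, signature: bytes, strip: int) -> bytes:
    """Apply the removal rule only to files the signature flags."""
    return data[:-strip] if scan(data, signature) else data

def verify_cure(goats: dict, infected: dict, signature: bytes, strip: int) -> bool:
    """The article's 'test its assumptions' step: the rule must restore every goat exactly."""
    return all(cure(infected[n], signature, strip) == goats[n] for n in goats)
```

Because the three goats differ only in the host-length field, the longest shared string is the null high byte of that field plus the fixed body, and the removal rule is rejected outright if the goats had grown by different amounts.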

IBM publicly demonstrated the Digital Immune System in October of 1997, at the International Virus Bulletin Conference, a gathering of the world's top virus fighters and their customers, held that year in San Francisco. Kephart and a few colleagues brought a virus-plagued PC onstage, and the delighted audience watched as errant code was transmitted to Hawthorne, a cure derived, and the solution beamed back -- in just over three minutes. Since then, field trials have been scheduled, with a commercial rollout planned for later this year. Last year the company announced a deal to give Symantec Corporation, the California-based maker of the market-leading Norton AntiVirus, rights to its anti-virus work -- thereby fusing Norton's strong market position with IBM's technology.

Without an immune-system-like defense, White says, viruses threaten to "stop the forward progress of computing." But that's not to say he thinks the days of the computer virus are numbered. Even as the Digital Immune System was being readied for field trials, a renegade program for automating macro-virus production was circulating in the virus-writing community. It also appears that today's rapid-fire file exchanges, which often involve passing data among various applications, can cause viruses to mutate and take on properties more damaging than even their creators intended.

In short, just as there is no end to the human battle against biological bugs, the campaign against their digital counterparts endures. White says, "This is going to be a problem that stays with humanity as long as we use computers."


Robert Buderi is a former technology editor at Business Week and the author of (1996).


Illustration by Giacomo Marchesi

The Atlantic Monthly; April 1999; The Virus Wars; Volume 283, No. 4; pages 32 - 37.