Fog Creek Software
Discussion Board
Why no really destructive virus?

There are reports on the various tech news sites about yet another Outlook attachment virus going around. Not really interesting in itself, but it made me wonder why no one has written a really destructive variation on the Outlook attachment virus yet.

By really destructive I mean a virus with behaviour like:
1. Attempt to propagate using the usual methods.
2. Wait an hour or so.
3. Delete all the files on the computer.

My low opinion of human nature, and in particular the people who release viruses, suggests that such a thing would have been written long ago. Yet it hasn't. Why not?

And as an aside, I take some shameful joy in imagining MS PR trying to handle the fallout from such a virus.

Bill Tomlinson
Friday, June 06, 2003

I have always wondered the same thing. Spreading the virus is the challenging part, so why not add some simple code to "format c:"? Maybe virus writers ARE in it for the glory, not the destruction..?

runtime
Friday, June 06, 2003

Just like Ebola, viruses that have a high mortality rate don't spread very far.

On the contrary, the AIDS causing virus spreads all over the place, because it keeps the host healthy for years.

Not that they think or anything...

--
ee

eclectic_echidna
Friday, June 06, 2003

A "successful" virus is one that manages to reproduce a lot. That's not possible if you kill your host soon after infection. Everything's a tradeoff. If your virus kills the PC after a few hours, people will learn _very quickly_ that they've been infected, and they'll tell their friends, and the Antivirus companies will come up with a cure _very quickly_. If the virus waits for days before killing the PC, then in general anyone with antivirus software will catch it before it acts. Intuitively, I feel that the _less_ damage a virus does, the _greater_ its chance of reproducing successfully.

It might be instructive to consider the ramifications of a biological microbe that killed its hosts a few hours after infection. I suspect that it wouldn't spread very far.

Adrian Gilby
Friday, June 06, 2003

I remember the readme.exe virus slowly replacing every file on our server we touched with a copy of itself until the server filled up and we were forced to reboot. That's when it got "root" access and started to really get nasty.

Maybe it wasn't as bad as a format c: but it was pretty damn close.

www.MarkTAW.com
Friday, June 06, 2003

Why do people continue to use Outlook, especially corporations who should know better by now?

T. Norman
Friday, June 06, 2003

Our company just switched from Outlook to Lotus Notes, and everyone agrees it's much worse than Outlook was. In Notes, appointment reminders don't work reliably, if someone forwarded a business card to you, you cannot insert it into your address book, menu commands are not where you expect them, and in general the UI is so slow (you forgot what you were doing while you are waiting for a view to open after you clicked on something).

I think Outlook is used as it is very convenient for the user, not necessarily more secure or technically sophisticated on the back end.

dat
Friday, June 06, 2003

"Our company just switched from Outlook to Lotus Notes, and everyone agrees it's much worse than Outlook was. "

What led your company to switch to what is apparently a much worse product?

Thomas
Friday, June 06, 2003

I used Lotus Notes. Now I use Outlook. Outlook is not bad.

What is really terrible and stupid about Outlook is that it installs the feature that I suspect that very few people really use BY DEFAULT.

That feature is "automation" of email.

The really annoying thing about this problem is that it is so easy to fix: don't install the automation stuff by default.

If the user really wants it, have them install it from another CD. Thus, no viruses (at least, viruses at a much smaller rate).

The fix for this is SO OBVIOUS, that I suspect that MS really wants viruses to happen.

njkayaker
Friday, June 06, 2003

Adrian and ee both made the point about "keeping the host alive so the virus can spread more". But I'm not so sure about this, particularly in regards to Outlook attachment viruses.

The pathology of Outlook attachment viruses is that they spread very quickly throughout a company or not at all. Once the virus has sent a copy of itself to everyone in the infected host's address book, quietly waiting a week and then sending again isn't likely to make any difference. Those people dumb enough to open an attachment did so on the first attempt; and those that didn't aren't likely to on the second attempt.

And you could still combine both destruction and delayed propagation if you wanted to. Just program the virus so that half the time it wipes the computer clean and the other half it waits around and tries to propagate.

Bill Tomlinson
Friday, June 06, 2003

I think it was mainly the fact that the parent company is using it, and that, in the future, other (company-specific) databases than just email/calendar/contacts can be integrated. (Maybe that flexibility is what makes it slow?) Maybe also the security of Notes is better, I don't know.

dat
Friday, June 06, 2003

There was an article about this in Tech Review. The author seems to think that some worms are proof of concepts. They use well known exploits for proof of concept and then discover their own exploits.

Unknown exploit + "Destructive" payload = Bad Times

Dude
Friday, June 06, 2003

I have thought about this question also. I believe the reason traces back to the nature of the virus writer. Is the writer really intending to cause mass destruction? I don't think so; I think it's a weak attempt to gain a few seconds of anonymous self-gratifying fame.

moses whitecotton
Friday, June 06, 2003

This reminds me of a great idea for a virus payload that I read somewhere a while ago (but I can't remember where).

So the virus propagates in the usual fashion. An Outlook attachment virus would be a good choice.

But after propagating, the virus searches the computer for excel files. In each spreadsheet, it replaces one, just one, "7" with a "2". Then it removes all trace of itself, just so you can never be entirely sure if the computer was compromised.

Just think of the subtle mayhem this would cause the business world.

Bill Tomlinson
Friday, June 06, 2003

The trouble with Outlook is that you don't even have to open any attachments.  Merely viewing the mail in the preview pane is enough to have malicious code executed.

T. Norman
Friday, June 06, 2003

I honestly believe that the reason that we don't see more destructive viruses is because many of them are written by the anti-virus software companies.  It is in their best interests to constantly have viruses in the news, even when those viruses don't do a whole lot of anything other than spread.  This probably helps people feel like the anti-virus software works since they never lose any data.

Anonymous
Friday, June 06, 2003

Now if it could only replace a 2 with a 700 in a database... at a bank... where I have 2,000.00 in a checking account.

www.MarkTAW.com
Friday, June 06, 2003

The CIH or Chernobyl virus wiped out approximately one third of all the hard drives in Saudi Arabia in one day (26.04.1999) and in many other cases is also reported to have trashed the BIOS where that could have been updated.

And that was when the internet in Saudi had only been in operation a few weeks, and there was scarcely anybody connected.

With the internet the virus would have got caught well before its payload could have become effective.

There are some fairly nasty viruses around, but often their nastiness doesn't come into effect because of sloppy programming. In order to format somebody's C drive one hour after you have sent a load of email to everybody you need to get the guy to click on the attachment, and for that you need good social engineering.

So you need 1) social engineering skills + 2) decent code writing capabilities + 3) a grudge + 4) a load of luck

Many viruses are produced for a reason. The spate of Viagra and other spam you have been getting lately is because for the last few months worms have been taking over millions of machines to allow for free mailing. The Win32 Magistr virus was almost certainly produced by somebody who was hoping to destroy or subvert judicial records in a Spanish speaking country - or at the very least tapiwa's Spanish brother!

Stephen Jones
Friday, June 06, 2003

Bill, I don't think I made my point very well. Consider a company infected with a virus that either does nothing after an infection, or waits a while and then trashes the hard drive -- each option having 50% probability. As soon as the first hard-drive-trashing occurs, everyone will be told not to touch their email, contingency plans will be activated to remove new viruses, anti-virus software will be purchased and installed if it wasn't already, etc. The virus can no longer exist within the company. Yes, it's a bit of a simplification, but the general point stands I think.

Adrian Gilby
Friday, June 06, 2003

Adrian,

I worked at a huge multinational corporation.

How do you tell every employee to not check their e-mail, except via e-mail?

www.MarkTAW.com
Friday, June 06, 2003

A big company usually runs its own mailserver....so just switch it off :)

FullNameRequired
Friday, June 06, 2003

Who profits from viruses? Antivirus editors! Reminds me of the kid breaking glasses and a minute later Chaplin offering his services to replace them :-)

dd
Saturday, June 07, 2003

Of course, Antivirus editors need to have your computer bootable in order to install their "cleaner". IMHO, that's why viruses are usually soft.

dd
Saturday, June 07, 2003

I just got a virus in my mailbox, apparently through a music mailing list I'm on. It was formatted as if it had to do with music - the subject was "re: rehearsal" or something.

In any case, I looked up the attachment, which was "John Doe Resume.doc.scr" where John Doe was the name of the hapless guy who sent it out, or supposedly sent it out.

I looked up "resume.doc.scr" and it turns out it's the bugbear virus.

Therefore, I propose that someone should create a virus named after every D&D character class and monster. They can then battle it out over the Internet as the ultimate battle between good and evil.

Or as a variation, maybe a LOTR virus. A Gandalf Virus will take out a Balrog virus, and save the Frodo virus in the process....

mwa ha ha ha ha, my plan for world domination one CPU at a time is finally coming together.

Then we can destroy the white house with a "laser beam" and demand.... One Million Dollars!

www.MarkTAW.com
Saturday, June 07, 2003
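The "John Doe Resume.doc.scr" attachment above is the classic double-extension trick: a document-looking inner extension with an executable outer one, often padded with spaces so the real extension scrolls out of view. A mail gateway can flag that pattern by looking only at the final extension. The check below is an added example, not the board's or any product's code; the extension lists are my own assumptions and should be tuned for a real deployment.

```python
import re

# Assumed list of extensions Windows runs on double-click (not from the thread).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}
# Assumed list of extensions users expect to be harmless documents or media.
DOCUMENT_EXTS = {"doc", "xls", "pdf", "txt", "rtf", "jpg", "gif", "mp3"}


def classify_attachment(filename):
    """Return (verdict, reason) for an attachment file name.

    verdict is 'block' or 'allow'. Only the *last* extension decides what the
    OS executes, so that is the one examined; the one before it is used to
    explain whether the name was dressed up as a document.
    """
    name = filename.strip().lower()
    # Runs of spaces before the real extension are a disguise, not part of it.
    name = re.sub(r"\s+", " ", name)
    parts = name.split(".")
    if len(parts) < 2:
        return "allow", "no extension"
    exts = [p.strip() for p in parts[1:]]
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            return "block", f"document-looking .{exts[-2]} hides executable .{final}"
        return "block", f"executable attachment .{final}"
    return "allow", f".{final}"


if __name__ == "__main__":
    # Constructed sample names; the first is the one quoted in the thread.
    for sample in ["John Doe Resume.doc.scr", "rehearsal.mp3",
                   "report.pdf                     .exe", "notes"]:
        print(f"{sample!r:45s} -> {classify_attachment(sample)}")
```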

What has always surprised me is that email viruses that go through the inbox looking for addresses always go and use the same 10 or 12 reply lines.  I would have thought that if they replied to the email in the inbox, they would probably get read.  Or just confirm to the spammers that the address was 'live'...

Nice
Tuesday, June 10, 2003

I generally think of users as idiots when they start complaining about "email virus". Does nobody realize that there is _no such thing_ as an email virus? We should start calling them "Outlook exploits", because they affect exclusively this hell spawn of a mail user agent.

In case any reader suspects that I hate Outlook, well, it's true, but for another cause.

Leonardo Herrera
Tuesday, June 10, 2003