РусскийEnglishУкраїнськаDeutschEspañolFrançaisItalianoPolski

VX Heavens

Library Collection Sources Engines Constructors Simulators Utilities Links Donate Forum

Movement of Viruses

Sung Yang
September 1999

[Back to index] [Comments (0)]

Computer virus (computer organism) movement may be one of the most important phenomena of computer viruses, but there was almost no study and no interest on this issue. So this subject is very much unknown, and especially about the self-movement. Computer viruses or worms move in two different ways, self-activated and nonself-activated means. In other words, internal and external cause. Normally virus movement refer to self-movement instead of nonself-movement. Most viruses move by nonself-activated means (nonself-movement).

Nonself-movement is subdivided into delivery and duplication. Delivery is a means of nonself-movement, and doesn't involve growth of virus in number as a result of the movement but (physical) delivery of storage media such as ROMs and disks. An early example of delivery is the trojan hose AIDS information that was mailed to many medical researchers under name of Cyborg Corporation in 1989. The one, a consultant in Virginia, who sent out the AIDS information disk containing the trojan horse over mail was arrested a year after the incident. The trojan horse has no ability to move itself, thus, it has no self-movement capability. Mostly the program was moved by delivery of disks. It shows that how the nonself-activated means of movement can effectively penetrate aimed destinations. Another example of delivery occurred in 1988 December. In Montreal, a virus called MacMag was planted into two computers according to the MacMag publisher. On a day of March of the following year 350,000 computers around the globe showed a message written by the publisher of MacMag magazine, and immediately eliminated themselves from the computers. In order to display a message on 350,000 Macintosh computers, the virus had to move to become far more in number; from 2 Macintoshes in Montreal, they spread to hundreds thousands of Macintoshes around world, within 3 months. The virus mostly moved by delivery.

Duplication is another nonself movement, including emailing, downloading, uploading, etc. Since popular use of the Internet, many viruses spread over emails and downloading. For example, on July 24th, 1994, Usenet users unknowingly began to download a virus known as Kaos4, which was posted as an attachment on Usenet news group alt.binaries.pictures.erotica. Also viruses known as macro viruses (in today 1998) are mostly spread by duplication.

The common self-movement is wandering, which is random and nondirected movement, which have no specifically defined destination. All viruses (In the time of this writing 1998) have wandering property, however, ability of the self-movement is very weak, most of the time, they even could not escape out of a computer by themselves. However, worms like program, Christmas Card, and Internet Worm exhibited very powerful movement of wandering though it was not considered sophisticated. Cruise is a kind of self-movement known since 1996, is the directed movement from a source to a defined destination. Hunt is a newly known self-movement, is chasing-like movement.

HUNT

Hunt is chasing-like movements, is distinguished from cruise. Cruise movement stops upon arriving at the (static) destination, but hunt movements only stop upon arriving at the vertex where target is found. Hunt has a set of dynamic destinations. Hunt movements begin toward hypothetical destination where the target is believed to be found. If the target is not found in the hypothetical destination, then the hypothetical destination is adjusted to a new vertex. In this way, hunt movement is capable of finding either static or moving target.

A series of movements is hunt if and only if:

1. There is a hypothetical (or dynamic) destination. (destination may be changed during movements.),
2. Movements stop upon arriving at the vertex where the unique and specifically defined target is found,
3. Trip from source to destination is intentional, and
4. The number of movements is finite. (assumed that the target is reachable).

Hunt is defined by h=(G, N, v_s, v_d, o>) where

G is a graph, comprising a finite set of vertices V,

D Í V is a finite set of destinations,

T Í V is a finite set of vertices where a target is found,

N is a finite set of natural numbers,

v_t Î T is a vertex where the target is currently found,

v_s Î V is the source vertex,

v_d Î V is the current destination vertex, and

o:N ® V is an ordering function that determines the path of cruise. o(0) = v_s,, o(n) = v_t.

MOVEMENT AND MODELS

Computer viruses have traditionally been defined in TM (Turing Machine) or a finite automaton while virus movement requires more than the computational models (a finite automaton or TM) to describe. The computational models may describe certain properties of viruses, however, the model can not sufficiently describe virus movement because the movement involves something that occurs out of the model such as delivery of storage media, which may result movement of a virus. In this reason, virus movement has been out of sight and appears to be an odd within the traditional view of computer viruses.

Limited movement of viruses had been explained based upon an epidemiological model, originally devised for biological ones. Virus movement, however, is not as simple as spreading of the infectious biological agents. A virus can have cruise property, which allows a computer virus to travel from a source to a destination instead of spreading (wandering) while infectious biological agents do not have cruise property and are tend to spread in all directions. So epidemiological models are also insufficient to explain virus movement.