VX Heaven


Future Viruses and Operating System Development




"The best prophet of the future is the past."


Since the beginning of documented time, man has been trying to simplify things. This process requires abstract thinking: coming up with new ideas outside the norms.


This process has carried humanity far beyond its roots of basic needs and survival. Living in a world based on technology, though, new problems have arisen, and they seem to appear faster than our ability to solve and correct them. Has modern society created a problem with no solution? A world striving to perfect a system that should instead be torn down...


The new millennium. 2001. Space odyssey my ass. Nonetheless, it's been an interesting year for the modern world...

Encryption, networking, theft, espionage, destruction, demonstration, protest. These are just a few of the topics I will explore here. I will attempt to touch on what has been happening over the past few years and cover where I feel the trend will take us. The anti-virus industry and the consumer are covered as well. I have also included several of my viral ideas which I will never actually get around to implementing. For all you programmers out there, this is an open invitation to do so yourself.

This paper is not meant to be viewed as a complete guide. It's just a simple presentation of my personal ideas as theory, and should not be taken as anything more or less.

A Brief Past

The 80's. The turning point for computing. This is the decade personal computers were creeping into the homes of America: the Commodore 64, Tandy machines with Tandy DOS, IBM with their PC-DOS, the Apple I and the Apple IIe. The list goes on and on. In the early days of home computing there was much more variety. Nothing had really dominated the market the way it does today.

This was also the decade the first computer viruses were found in the wild. The technology was simple: basic MBR/boot sector infection. Once the idea was in the minds of computer users around the world, programmers became interested. The computer virus advanced from sector infection to infection of various file types and even directory infection. Different schemes for spreading, stealth, encryption and other self-modifying code were implemented. The virus and anti-virus communities grew together. The virus programmers were, and still are, always a step ahead.

Various DOS distributions did what they thought was the right thing. IBM and MS-DOS started including versions of their own anti-virus software. A good step, but in the wrong direction. A way to boost a new industry? Whenever developers create software for an operating system, it increases the user base. I really hope this didn't play a part... and it's far too late to ever know.

Why not start enforcing a set of rules on the DOS OS? It was obvious that a read-only attribute was not enough. The system allowed any piece of code to take complete control. It seems like it was doomed from the start. Why continue development keeping the same base? It was totally possible to change the kernel to restrict what goes on. They didn't have to change the file format. They didn't have to change the interrupt system. Only the way the kernel executed software. Why give complete control to something that really doesn't need it? Even more interesting, why not fix a problem that everyone knew would continue to affect the future?

I could rant for 300 KB about the history of viruses... but I won't. That would be way too much effort and a huge waste of time. If you want your history, go get it. The information is freely available via the internet. Read up. Be aware of where you're coming from.

The Present Virus Trend

Times are strange. The Microsoft OS based virus writing movement is in a major change for the first time since the start of the game. Over the past five years we have seen a shift in the trend of 16-bit and 32-bit virus production. People who are new to the scene are usually releasing Win32 PE infectors instead of DOS COM appenders as their first virus. What was once saved as a "later learning" item has now become standard in the field. Microsoft has been working DOS out, and virus writers have been working Win32 in.

This 32-bit platform has opened up a whole new world of opportunity. Not only did it increase the number of executable formats one could infect, it also unlocked more power. Thirty-two-bit applications have allowed more effective encryption, trapping of other applications, effective TCP/IP packet building, and so on. The OS is much more robust. As an expected result (expected by everyone except Microsoft), the virus technology is much more advanced.

Just look at a WildList from February 1997 and then take a glance at the August 2001 edition. The first thing you should notice is the frequency of OS-specific code. In February 1997, two years after the release of Windows 95, about 95 percent of the viruses "reported" to be in the wild are DOS based viruses. Of the 239 viruses on the list, 28 are Microsoft Office based, and a few others are Win16 NE infectors. Notice that Dir_II.A is still on this list, a virus that cannot spread on machines running anything above MS-DOS 4.*. Now go to August 2001. Of the 208 viruses "reported" to be in the wild, about 15 are DOS based viruses. That is a drastic change in a matter of 5 years when compared to the change between 1995 and 1997. Not to mention the sharp rise in the number of viruses that are software dependent. As stated before, the count jumps from 28 in the wild in 1997 to about 155 in 2001. So the technology has been around for a few years. It just takes a little while for it to be widely implemented.

The present virus trend is really based around what other virus writers are doing. Just like a bad fashion. A new idea is implemented. If it gets enough attention, either from the media or from other programmers, it will be used again. This is not really a bad thing, but it does not give rise to originality. The main problem with this in the virus world is that most programmers don't write code that even puts a spin on the old idea. It's just written in a different coding style and released again.

The Present OS Trend

Microsoft Windows based operating systems. When I say Windows based I mean everything from 95 to NT to Win2k. Think generic for a while.

Enterprise computing is the strong point of the current market. This has led, of course, to a need for enterprise software. The business world has been backed by mainframe computing and different flavors of Unix-like operating systems. The Windows NT family has been pushing IIS for a while, but Microsoft has always been lacking in enterprise software. Over the past few years there has been strong development of other services targeted at business, not desktop, computing on the Windows platform. I feel the future is bleak for variety in the business world. Windows has had a stronghold on the desktop market for a while now. Trading in stability and functionality for ease of use turned out to be a great marketing scheme. I hope that Windows doesn't take hold of the server market as well. That is not the direction I want to go in with this paper though, so I'll just leave that topic alone.

Linux on the desktop has gained momentum. Every day we see some useful advance. There are also, finally, major backers of Linux. Look around the subway in New York City. IBM has ads plastered everywhere for their "peace, love, and linux" campaign. Not to mention its price. Big business is starting to look at Linux as a free solution for their once expensive-to-replace servers. We are also seeing FreeBSD and other major players in the Unix and server OS world slowly become more geared toward desktop use. There have also been twists on that rule, like Macintosh using a BSD-like kernel as the base for their latest OS release. I wish I could say I knew where all this was headed, for better or for worse. We will have to wait and see what the next move is.

The buzzword has changed from "internet" to "multimedia" in the new millennium. From web content, to video on demand, to old technologies being widely implemented such as voice over IP. Eye and ear candy. Everything is GUI and everything makes a stupid bling noise when you click on it. Mention "real time" and it's all over. I think it's a shame that it's so difficult to get people to develop for operating systems other than Windows. Think about what could have happened with BeOS with a better marketing campaign and contracted software development. Think about what could happen if it was shipped by any major PC manufacturer. Everyone blames Microsoft, including me, because it's easy. I'm not saying they played well, or even fair, with others. I am saying it's a worldwide problem. It's up to software developers. It's up to home and business users. It's up to the people who are shipping their latest PC deal without any choice of OS. Rome could only last for so long...

All in all, it's a safe bet to say that Windows will continue to be the industry standard for desktop computing over the next several years. The current change only seems to be in what people are doing with their "desktop" computers. With the availability of broadband growing, people are using their home computers to offer network services to the internet. Mainly in the form of web servers, but many home computers are also offering things like SMTP, NFS, and other hard disk and file sharing services. This has changed the way the internet functions. It has changed the way networking functions. It has changed the way viruses function.

Current Virus Technology

Now we have seen what has changed in the virus and operating system world. We have also reviewed the software that's currently being run on these systems. Let's now look at the virus techniques that are currently being implemented. I will try to keep this generic and not stray too much into which technologies have been implemented in which file format or software package. This will be brief and will only cover a few of the basics.

Encryption and polymorphism. Household terms in the virus writing world. No virus seems to be complete without them. The MtE changed the way anti-virus software had to perform: from simple scan strings to the world of heuristics and emulation. Protection from prying eyes. I feel the use of strong cryptography is the future. People like Spanska took a step when IDEA was implemented in viral code. However, this has not become standard practice. The only real problem is where to hide the key. It doesn't matter if it's RSA or an 8-bit XOR loop. Both algorithms become equal when there is a pointer directly to the key. There are several ways to obscure this, but all in all, it's a trivial task to decrypt viruses for that reason. This is why other self-modifying code techniques are so important.

Polymorphism is a perfect example. Let's say your engine writes a decryptor of a different style and size for each of several algorithms it can choose from. Let's also say that it retrieves its keys from different places on disk. That alone creates a whole new world of problems for those who want to decrypt your code. Again, this will only delay someone who understands anything about current Microsoft based operating systems. There is still nothing keeping someone from taking a snapshot of the decrypted virus code from memory. Another massive weak point. Even if the virus only decrypts instructions a step before they are executed, they can still be copied. That's not to say this isn't a good idea. It's been done in the past and has proved very effective. A great way to make it difficult to examine a program, even after its discovery.

Anti-debugging, anti-heuristics, anti-emulation, fooling with the stack, attacking common disassemblers, and other such protection techniques will also only delay the process of effective detection. These are all viable techniques, but they don't seem to be implemented as much as they should be. It's basic protection. I feel that stability and effective protection are the keys to a long life in the wild. Propagating is almost a secondary issue.

I have failed to mention stealth methods for a good reason. Almost all of the well-known stealth technology was for the MS-DOS operating system. These techniques no longer work under Windows. The new device driver and API system has taken that priority away. I'm not saying there are no ways to stealth things under Windows anymore, just that it's not practical. It's the same as master boot record and boot sector infection. The medium these viruses used to spread is no longer in widespread use. Think of the last time you gave a file to someone on a floppy disk. Even better, think about the last time you tried to boot off a DOS based floppy, or left one in your machine. I feel that boot sector infection has almost become just another way of sustaining the existence of an already discovered infection.

Network enabled viruses have become a standard issue item. What was once reserved strictly for worm code has now been implemented as a basic component in viruses. I'm sure I speak for all of us when I say if I see one more virus exploiting Outlook in the media I'm going to vomit. This is a logical step though. Nobody can deny that. The growth of home networking proves the point. Long gone are the days when people needed to pass files through physical means. Why wait when you don't have to? Why send text through the post office? It takes weeks for a response. Sending text and other forms of media electronically can be done over TCP/IP in a matter of seconds. Not to mention that it's much more cost efficient.

Back to the subject, it's not just MS Outlook that's being exploited. IRC clients have also been popular to exploit. mIRC and PIRCH are the main targets. There are many viruses that are aware of network drives and other remote devices. Another common attack has been to infect web content. Java class files, HTML, and other web elements have been infected. The latest media blast was centered around the Code Red worm. This piece of code used a buffer overflow in Microsoft's IIS to infect servers. The threat of network enabled viruses grows every year and is only going to become a bigger problem. One of the more interesting things I've seen happen is the advent of what has been dubbed "espionage enabled" viruses. I first saw this in a macro virus from Opic that stole secret PGP keyrings and uploaded them to a web server. Similar practice has been used to steal Unix passwd files, Windows PWL files, and other such wanted material.

The current virus glut is made up of hybrids of the past, using old techniques with cutting edge ideas. There are a handful of thinkers at the forefront of the game: new infection routines bundled with new ways of obscurity. However, most viruses are just recycled material from years ago.

The Future OS

The future of operating systems has always been built around user demands. Most commercial developers are not interested in the good of mankind or computing. Programming is a paycheck. It does not really matter how well the product is coded. It's just a matter of meeting user needs. To sell. To keep the boss happy, the stocks high, and the people buying. Once a user base is established the goals are limited. All that is needed is to keep them interested in buying upgrades and to market to new users. It's a lot easier said than done, but that's all that really matters: getting new clients and keeping the ones you already have. It does not matter if you create a whole new set of problems when consumers feel like they don't have another option. This is not only an issue with operating systems, but with the software that runs on them as well. If the same commonly used multimedia, word processing, and database systems were offered on non-Windows systems, things would change. I don't think it would be an immediate change. Over time though, people would understand that learning operating systems based on the Linux kernel is just as easy as learning to use Windows based operating systems. It's hard for people to let go of something they are comfortable with to use a product they know little about and for which they cannot get the software packages they know.

I feel that most operating systems are going to lean closer to integrating the common forms of digital media. This ranges from basic audio and video to things like voice recognition software. Windows has been working on this for years. Apple has continued to use this as the majority of their marketing scheme. The integration of various multimedia packages in Linux distributions plays a huge factor. I feel that Linux is going to be a major player in the change of the market. As more development is done to meet basic user needs, the draw to the operating system will grow. Cost alone is enough to hold me as a believer. Success will be determined by meeting the home user's needs. As long as strong kernel development is taking place, a larger range of hardware support is added, and developers continue to write applications for the platform, things can only grow. Once there is a large enough base of free equivalents to popular products, the market will open up. Nobody enjoys paying for something they can have for free.

The open source movement will grow to become the largest resource of software. There will always be people around who are interested in programming as a hobby. Most of those people in the open source community have no desire to make money off their work. Development can happen at a much faster rate when the code is made public and there are thousands of people worldwide looking at your problems. Others can pick up on something you have overlooked. It's not even a matter of being outsmarted. It's just the result of having a different perspective. Look at all the hands that dig into the FreeBSD project. From my experience, this is the most stable and best optimized kernel in the open source software community. This feat was not achieved by holding tight to one's ideas. If only such effort went into software to run on these free platforms...

Windows must start over and change the way software is executed. It's obvious that the file permissions are not working out. Microsoft felt that viruses would not survive in the Win32 environment. This is a problem that is not going away through simple obscurities. It will take a total rework of the system base to change anything, even if this means they have to release an operating system that is not backwards compatible with their existing products. They do not seem to have a problem doing this with software packages. The system could be released in parallel with whatever technology is currently on the market. Push it as "the future of computing" or some other gravely bold statement. Give users the option. People might not grab it at first. It will take years of software development to really push the platform. It's not an impossible task. You can move mountains.

Eventually there is going to be more effort put into kernel protection. The Linux kernel patch from the Openwall project is a perfect example. It implements such features as a non-executable user stack, and it will not allow shared memory segments that are not in use by a process. This solves two major problems in the Linux world. Both would require a total reconstruction to implement on the Windows platform. I think it's sad that Microsoft left the brain of their OS bare. There is no end to what you can do to kernel32.dll after the system boots. Yet again, it would not be such a large issue if the platform restricted what the software running under it could do.

Local and network security will finally be looked on as a critical function of a system's performance. This is a field that was hardly touched by Microsoft until the NT series was released. At least then basic user rights could begin to be enforced, something the mainframe and Unix systems have been doing for decades. People are now using computers for one other major reason besides multimedia: communication. In any situation where people are connected, there are going to be problems, be it physically or through distributed environments. Most major systems are built to be connected to the internet. Everything can talk to everything. I feel this is great, but without proper security, it's just going to add to the problem. Any system that is built with these two things in mind will do well.

Processor architecture is soon to change. Once the IA-64 chips are really pushed, they will take over the home computing market. The 64-bit memory addressing will open up new doors for speed and calculations per clock cycle. The actual chip speed in megahertz will mean less than it does now. This also gives major software developers a chance to start over. New processor, new platform, and new software. Build again from the ground up. What if man had continued trying to perfect the horse drawn buggy instead of working on developing the internal combustion engine? I truly hope Microsoft sees how important and how big of a chance this really is. When your software powers 90 percent of the world's computers, it's only ethical to start looking out for the best interest of the user. Something that they have ignored for well over a decade.

The Future Virus

This is the real motivation for this paper. The part I find to be most interesting. Using the base I have just set, I will go into detail about where I feel things should go. Some of it can and will be implemented in the not so far future. The rest we will just have to wait and see. All in all, I have two main goals for this chapter. First, I hope to open up writers to new programming techniques. Second, I hope to set in people's minds that this is a problem that's only going to get bigger. Until the populace takes action and rights years' worth of wrongs, these problems are not going away. To those who think they are in control, hold on. It's going to be a wild ride.

Let's start with what is hot in the media right now: viruses and worms being used to exploit network services. This is a trend that I feel will continue for years to come. I'm actually surprised this has not already become a widespread practice. It just makes sense. Millions of people connected together. It's too easy. The internet has given virus writers one large petri dish. The internet has replaced physical media, the original exchange that gave rise to widespread viral infection. This comes back to Darwin, evolution, and survival. Nature will find a way. It's proved itself over and over, and now it's going to flex in the meta world. This can lead us down many different paths.

The world is run on information exchange. The biggest activity of the United States Secret Service is intelligence gathering. Viruses and worms that collect information. Why isn't (or is it?) this being used by governments? I'm sure getting a file onto a remote computer is a million times easier than recruiting a mole. Not to mention the safety factor. It would keep an agent out of risk, and let's face it, computer crimes are hard to track. People make mistakes, people make computers, computers make mistakes. Using various forms of disinformation, it's trivial to point the finger at someone else. One can easily create a front and use it to exploit any given target. We all know the United States government is pretty lax when it comes to network security. Most other nations are equally poor. It's only logical that this sort of attack will take place. Welcome to the age of the digital spy.

The espionage enabled virus. Covert data theft. We now live in a world where the computer virus can easily implement other functions. In the past it's been pretty bland. We have seen various forms of graphics and sound, simple messages, and destructive activity as the norm for virus payloads. I hope this is a trend of the past. Networking now opens the door to so much more material. Viruses that target the credit card databases of any given Windows based online shopping package. All the little dot coms being run from home IIS servers off cable modems are perfect targets for such activity. Next you must consider all the other software packages that can be exploited in such a fashion. Data of all flavors can be harvested. Don't forget the other things many home users have on their machines. I like the idea of viruses that steal dial-up access information. If you can get the login, password, and at least who the provider is, you're fine. Finding DNS servers, phone numbers, and such is usually public information. A lot of smaller dial-up providers still offer Unix shells with the package, which is an added bonus.

This practice isn't limited to public affairs. What about viral code in the workplace? One can write code that will only infect machines on a local network. This way you could perform tasks in a controlled environment. Collect the wanted information and send it to a remote source. One could avoid detection by such means as setting a date to scan available drives and remove your viral code. This won't help much with the backups, but most businesses back up once a week or so. A week is a very large window to get what you need and clean up your tracks.

The foundation of civilization is communication. Our day to day life can be thrown upside down by even minor data flow disruptions. Think about how much you are bothered when your cell phone drops a call or your ISP goes down for routine maintenance. These are not very critical examples, but they are situations most of us have encountered. Let's say you have a widespread virus. Most of the machines infected will be home users. Most of those users access the internet. Most of those users will never have a clue if their PC is attacking various networks via denial of service attacks. This technique has been used in the past on targets ranging from child pornography sites to the White House. Programmers can now use code as a form of protest. I'm sure that it will only get negative results like more media hype for kiddies and crackers, and maybe jail time for the programmer. We have all seen the harm done by webpage defacing for "political" reasons. I can never see denial of service attacks resulting in anything positive. I must say that this is something that will be implemented more. There is no way around it. I'm not so fond of this topic so I'm going to say, nuff said.

I would like now to touch on the idea of plug-ins for viruses. We can thank Vecna for this (and many other) technique. Start with a simple virus shell. Basic code for effective spreading, evasion, and networking. No big deal. Implement module support. Now stop laughing and shaking your head. Imagine how things would have been if CIH had some sort of module support. The virus checking various servers for updates to perform all sorts of tasks. Each client could not only receive updates for payloads, but for performance, bug fixes, alternate contact information, and so on. This would be very interesting if the project was open source and invited others to write their own modules. Why not document what your engine can do, and release simple examples to get programmers' attention? Set a standard protocol for virus modules. It could get quite messy.

Every year a programmer infects a file format that has long been overlooked. Various Microsoft Office documents, data files, and other such media are exploited. I can't help but wonder how far this can go. An idea I have always wanted to implement is to infect several files with different parts of a virus. Infect an executable file with just enough code to copy the virus body from a different file into memory and execute it. Store the virus body in a media file that is never scanned by default with most anti-virus products. The standard JPEG file format is usually overlooked because it's not an executable file. It's a perfect target to hold such code. You can leave the JPEG header alone and tack megs worth of information onto the end. I have never seen this practice affect the way any program views the picture. It's much easier to tweak PE files to scan as clean when they do not contain actual viral code.
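A defender-side check for the JPEG trick described above, added here as an example that is not part of the original essay: it walks the JPEG segment structure to the End Of Image marker and reports how many bytes follow it, which is exactly the part of the file that a scanner treating it as "just a picture" never looks at. The sample JPEG and the appended bytes are constructed inline and contain no real image or malware data.

```python
"""Report data appended after a JPEG's End Of Image (EOI) marker.

Added example, not code from the essay. Viewers stop at the EOI marker (FF D9),
so anything after it is invisible in the picture but still present in the file.
Walking the segment structure (rather than searching for the last FF D9) avoids
being fooled by an FF D9 pair that sits inside a segment payload or scan data.
"""
import struct

SOI = b"\xff\xd8"
EOI = 0xD9
SOS = 0xDA
# Markers that carry no length field: SOI, EOI, TEM and the restart markers RST0-7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def find_eoi(data: bytes) -> int:
    """Return the offset just past the EOI marker, or -1 if the file is not a
    well-formed JPEG (no SOI, truncated segment, or no EOI reached)."""
    if not data.startswith(SOI):
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1                      # expected a marker here
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker, skip it
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1                      # truncated length field
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                 # length includes its own two bytes
        if marker == SOS:
            # Entropy-coded scan data follows the SOS header. It has no length
            # field; it ends at the next marker that is neither a stuffed
            # 0xFF 0x00 nor a restart marker RSTn.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return -1


def trailing_bytes(data: bytes) -> int:
    """Number of bytes after EOI, or -1 when no valid EOI was found."""
    end = find_eoi(data)
    return -1 if end < 0 else len(data) - end


def build_minimal_jpeg(scan: bytes) -> bytes:
    """Constructed test fixture (not a real picture): SOI, a JFIF APP0 segment,
    an SOS header, the given scan bytes, and EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return SOI + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    clean = build_minimal_jpeg(b"\x12\x34\xff\x00\x56")
    # Constructed "appended" payload: an MZ signature followed by filler bytes.
    tampered = clean + b"MZ" + b"\x90" * 100
    print("clean JPEG trailing bytes:", trailing_bytes(clean))        # 0
    print("tampered JPEG trailing bytes:", trailing_bytes(tampered))  # 102
```

A non-zero result is not proof of infection (some cameras and editors append metadata too), but it is the cheap triage signal a file scanner should raise before deciding a picture is "clean".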

There has also been greater virus activity on various Unix and free "Unix-like" platforms. Much more on the latter. There have been several papers published on infecting the ELF format. Better documentation of the Linux interrupt system has also been made available. This I find very interesting. Not just because it's new, but because it's taken this long for people to catch on that Linux is not perfect either. Although it can still be exploited, the difference is that the default environment does not allow it. Simple things like limiting what an executable file can do, and restricting what can take place in memory, have curbed this so it will never become a major problem. It will most likely always continue to be an issue, but I cannot see Unix viruses propagating in the wild.

On another note, I see a problem with network enabled hardware. It's bad enough that people leave devices like printers and routers with their default settings or no password at all. This has not been a problem as far as viruses go, but times are changing. Video game consoles are being shipped with hard drives and Pentium processors. With the advent of networked games on these devices, it's just a matter of time before they're exploited. The Xbox is based on x86, has a hard disk, RAM, and built-in network support. After Kritz was spread on a Dreamcast CD, I can't help but wonder when the console itself is going to be the host.

I think that the future virus will be molded around networks. Virus code will use more of the resources that have been available for years. Programmers will continue to exploit things that have been ignored. The future virus will be shaped by user ignorance. It will take advantage of a generation of point and clickers. Evolution. Growth. Survival.


A piece of art to show a flaw. An exploit of the problems of its host. The industry complains about viruses with the argument that "if kids wouldn't code them, then it wouldn't be a problem". This is only half true. The problem would still exist. Why? Because it's interesting. There will always be people who want to look into the matter, to figure out just how it works, and to implement the idea themselves. Once such an exploit is known, it's not going away on its own. When such problems are found in the security industry, something is done about it. People don't just say "hey, we found a root exploit in (fill-in-the-blank), but we will just ignore it and hope nobody uses it". So why have Microsoft and other operating system vendors allowed such problems to continue?

I feel that virus programmers will always look for new problems to exploit. New places to hide. New ways of giving operating systems that have chosen to ignore security the finger. The technology that has evolved with viruses is advancing at an alarming rate. Until something drastic is done, this will be an issue that continues to grow.

Such practices of data collection, disruption, and disinformation can be used in so many different ways and for so many motivations. The possibilities are frightening.

Things have changed. The desktop operating system has changed. The networks have changed. Business has changed. Right now things could go in any direction. The future is not yet written. It is up to us to say what happens next... To write the next chapter.

The power is in our hands.


Feel free to contact me.

