O'Reilly logo

Malicious Mobile Code by Roger A. Grimes

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Malicious Code-Writing Subculture

The television idea of an isolated hacker sitting alone in a room, surrounded by Cheetos™ and empty Dr. Pepper™ cans in front of the midnight glow of a computer screen is a bit outdated. Well, at least the isolated part. Hackers today are more often adolescents and young adults with an entire cyber support system. They hang out in Internet chat rooms, newsgroups, and mailing lists, ingesting anything they can learn about their computer interests. They are out to learn everything they can about stretching their own abilities and their computer’s abilities, while only a few individuals mean real harm. Twenty years ago it might have been hard for a hacker to name a dozen people who shared their same interest. Today, there are thousands of online resources, and the hacker can name a dozen people in his school who like to hack.

Inside the Malicious Hacker’s Mind

Why do people write malicious programs? Richard Skrenta was a ninth grader when he wrote the first PC virus, Cloner, in 1981. Now, a CEO for an impressive Internet company, his virus-writing days have been over for nearly 20 years. I asked him what motivated him to write a computer virus? Here’s what he said:

I had played a trick on a classmate by altering a disk with a hot new pirated game to self destruct after a few boots. I gave him the disk, which he eagerly accepted, and he got to play [it] a few times before my booby trap sprung and the game erased itself. I enjoyed the success of this trick, but clearly it couldn’t be repeated, since he would be wary of my gifts from that point.

It then occurred to me that I could load something into a booted Apple II in the school, which would hide in the background, and then alter the next disk that was put in and used. The point was to get my booby trap onto a disk that a classmate wouldn’t let me handle. Even though I couldn’t handle his disk, I could leave behind code that could get its “hands” on it.

At this point I made the jump that if the booby trap was the infection code itself, it could be self-propagating. The tricked classmate would be unwittingly brought into service infecting others with the self-propagating booby trap. There was no telling how far it could go.

The idea was a rush, and I was intensely curious to see if it would actually work. So I coded it up and gave it a good start by infecting as many people as I could. I gave infected disks to others from my high school. A friend and I also made a trip to the “Apple Pitts,” a local user group in Pittsburgh (mostly a software piracy group). I’d say “Can I look through your disks?”, boot a Cloner disk, and then catalog each of the victim’s disks, to infect them.

I infected many disks at this hub of piracy, so it’s not a surprise that Cloner got out and around as much as it did. It even made it back to my high school math’s teacher’s system, and he was quite angry, believing that I had directly infected him, although I hadn’t.

I specifically did not want to cause damage, although the code caused a variety of annoying tricks every five boots or so. I didn’t consider Cloner to be especially virulent. You had to boot with the infected disk; simply running a program or copying data off the disk would not bring the virus into the running computer. And many people started their systems from a copy-protected “Master Boot Disk,” so those folks were safe. As it turned out, however, Cloner managed to get around pretty well, and due to interactions with future versions of Apple’s DOS code, it could cause data loss in some cases.

I asked him how a ninth grader learned enough about assembly language programming and computer booting to write a virus. Here’s his reply:

I got my Apple II in the seventh grade and quickly taught myself Basic. The Apple II was a great system for learning programming, and had built-in tools to poke around in 6502 machine code. I had a book that was a “map” of the Apple II monitor ROM, showing all the entry points for the various DOS operations. I used a disk sector editor and located some unused space on the disk to insert my code.

Typical Virus Writer

No doubt about it, Skrenta was a bright ninth grader. What is it that makes an obviously intelligent individual write a software program designed to sneak into other people’s systems? The subject has been fully explored in dozens of popular computer and psychology books. Antivirus expert Sara Gordon has written extensively on the subject of virus writers. She has several research papers available on the Internet, including some at Virus Bulletin (http://www.virusbtn.com) about the subject. For many malicious hackers it is a rite of passage, a stage of maturity that is explored when learning about all the incredible things a computer can do. Most eventually outgrow their rogue program-writing hobby and start doing something that advances themselves and society for the greater good. It’s nothing more than a phase of maturity and learning for a certain segment of our society.

Mike Ellison, a former virus writer, eventually decided to publicly come clean about his past in a cathartic paper presented at a San Francisco antivirus conference. He included several confessions that back up the typical malicious code writer stereotype. He wrote, “I...was rebellious and antiestablishment...viruses had a dark, forbidden allure which at that age is hard to resist...I wrote viruses for the knowledge, the challenge, and admittedly, the fame.” He started writing computer viruses at the age of 14 and by the time he was 20 he wanted to work in the professional sector, but it was tough for him to overcome the stigma of having been a known virus writer.

The most talented hackers, the ones not simply duplicating someone else’s work or ideas, write malicious mobile programs just to show it can be done. There are lots of malicious programs coded to show a newly found system weakness without implementing any type of intentional damage. The Caligula MS Word macro virus attempts to steal a PGP™ user’s private encryption key by FTPing it to a hacker’s web site. Virus writers and antivirus researchers, alike, understood that this was done just to prove a point. Unfortunately, many of these “demonstrations” end up incorporated into someone else’s widespread and malicious program.

Protesting with Malicious Code

Today, using malicious code or hacking as an organized protest tool is commonplace. Hundreds of viruses contain damage routines designed to go off on a particular day celebrating a political event, holiday, or even someone’s birthday. The Bloody! virus goes off on June 4 announcing that the Chinese Tiananmen Square massacre of June 4, 1989 will not be forgotten. It is now normal for government- run web sites to be hacked in protest. During World Trade Organization (WTO) talks in December 1999, there was a week of organized protests against the WTO’s perceived lack of environmental consideration. Not all the protests were in person. The WTO reported that their web site was probed nearly 700 times during the same week, with over 50 serious hack attempts. The ongoing Middle East conflict prompted the FBI to send out an advisory (NIPC Assessment 00-057) about the increase in cyber attacks on both Palestinian- and Israeli-related web sites.

Other online protests try to change corporate policy. eToys, an online toy seller, was suing an artistic web site, etoy.com, for trademark infringement, even though etoy.com had been on the Internet for years before eToys.com. An organized online protest was started and thousands of hackers around the world began to hack eToys.com throughout the 1999 Christmas season. Although eToys.com stated that the online hacks only disrupted about 10 percent of their services, eToys.com eventually withdrew their lawsuit and even paid the court costs of the defendants. None of the hackers were ever charged with a crime.

Malicious Mobile Code for the Social Good?

Some computer enthusiasts believe that malicious mobile code can be used for the greater good. When used in this context they are often called agents or bots . Agents can be coded to do mundane administrative tasks like file cleanup, file searching, or even cleaning up other viruses. And I think that is fine as long as they run where they are with permission. Most malicious mobile code hides. A great example of the blurred lines that sometimes exist is that of the Distributed.net Bymer worm. Distributed.net™ is an organization (http://www.distributed.net) dedicated to cracking an encryption puzzle through the use of distributed computing. Participants run a small program on their PC, which downloads a small piece of the puzzle (same concept as SETI@home ™ would later use). The computer’s extra processing power is used to computationally solve the smaller puzzle piece and upload results back to Distributed.net. The Bymer worm was written to roam the Internet looking for Windows PCs that share hard drives without a password, which can be common on PCs with broadband connections. When the worm finds a host PC, it enters the PC and copies and executes files to participate in the Distributed.net program. The exploited PC’s extra computing cycles are then used to solve the puzzle. The results are then uploaded to Distributed.net to give the worm writer computational credit.

Some would say this worm isn’t malicious. I disagree. At the very least it unknowingly uses computer resources it doesn’t have permission to use. It will slow down the host PC to some degree as it borrows and monitors CPU cycles. It opens up the PC to further exploits by programs with more harmful intent. And lastly, it can make the PC unstable by modifying aspects of the system without bug testing. Apparently, I’m not alone with my feelings. Distributed.net has disallowed the worm writer’s computational work and banished him for life.

Hacker Clubs, Newsletters, and Contests

Malicious hackers wouldn’t nearly be the threat they are today without a subculture support system. They have their own web site, newsletters, contests, and leaders, with their own dialect. The typical hacker joins a hacking club as a “newbie” or a “wannabe.” He often has very little understanding of how to hack, or what it really entails. She usually has mastered (really, she only thinks she’s mastered) her home computer’s operating system and applications. There is an alpha-male mentality to the hacking subculture. A newbie often invites the wrath of his more knowledgeable brethren by asking questions like “How do I hack?” or “What is the best tool for hacking?” If he’s lucky, a hacker within the club will tell him what to start reading and where to learn. They usually read the hacking technical documents in the online library, and do a lot of listening and experimenting.

Eventually, the newbie learns enough to start writing and doing her own exploits. They usually practice on their own computers, working out the bugs, and then start playing with friends. Only if they’ve been successful to this point do they start looking to exploit strangers’ systems. A newbie gets promoted when he writes something original and uploads it to the club. The fastest way to become a leader is to write something malicious that does something no one else has done before. Once they have done that, they have arrived.

The brightest and most experienced write the programs. The less creative spread the code. This also helps legally protect the malicious code writer. The author can successfully claim that he didn’t intentionally write the obviously destructive code to actually hurt anyone, and the spreader can claim to be clueless that the program was destructive. This has worked time and time again in the legal system, and was used as the defense in the recent Melissa virus case. Fortunately for us, the court systems didn’t buy the Melissa virus author’s defense and he was found guilty.

Bulletin boards and Internet sites dedicated to viruses are referred to as VX sites. VX stands for Virus Exchange, but in practice stands for any type of malicious mobile code. VX sites have dozens of programming and virus-writing tutorials dedicated to writing destructive code. They contain dozens of different virus-writing newsletters, interviews with successful malicious code hackers, essays, tutorials (Cross Infection Tutorial for Office 97, Part I and II, for example), construction kits, encryption engines, and a list of VX clubs. Some even contain a hypertext database containing everything significant that has been written about viruses by hackers, surrounded by an easy-to-use table of contents.

Of course, VX sites usually contain thousands of malicious files, detailed source code, and even contests. One contest, called the Spammies, offered a can of the mixed meat product for whoever could write the most successful destructive program. While it obviously wasn’t a huge monetary award, the winner would win the respect of all his fellow hackers. Different virus-writing groups often war with each other to see who can generate the most creative bug. This competitive spirit introduces more and more malicious programs to the unsuspecting public. The following excerpt was taken from a virus club’s newsletter index:

0101  --  Introduction 
0102  --  Credits 
0201  --  Lesson 3 The Memory Resident Virus Primer 
0202  --  Quiz #3
0203  --  Challenge 3
0204  --  Back To The Basics by SPo0ky 
0205  --  An effort to help the naked virus. Encryption: Part 2 By: Sea4 
0206  --  *** AVOIDING DETECTION **** By Arsonic[Codebreakers] 
0207  --  Virus "Add-Ons" Tutorial by Opic [Codebreakers,1998] 
0301  --  Fact virus [Source] 
0302  --  Zombie.747 Disassembly by Darkman/29A 
0303  --  EMS.411 Virus Dissassembly by Vecna/29A 
0401  --  Interview with RaiD from SLAM by Opic 
0502  --  In the News
0503  --  Greetings & Gripes 
0504  --  Final Notes
Files included:
Name                datestamp         size
CB-MCB exe          03/06/98 17:00     51531
WART COM            03/18/98 09:11    112
Wart asm            03/18/98 09:10   786
EMS411 asm          01/23/98 13:45   7113
MarkedX asm         03/19/98 07:51    4184
Zombie747 asm       01/23/98 13:51    12811
fact asm            01/23/98 13:53    1450
TASM EXE            10/29/90 02:01    105651
TLINK EXE           10/29/90 02:01    53510
EMS411 EXE          03/19/98 07:41    929
FACT COM            03/17/98 13:22    55
MARKEDX COM         03/19/98 07:51    355
ZOMBI747 COM        10/06/96 00:01    767

As you can see it contains a selection of virus tutorials, defense mechanisms, personality spotlights, source code, and actual viruses. Luckily, antivirus researchers have their own similar newsletters, research papers, and web sites. Two outstanding sources of advanced antivirus information are http://www.peterszor.com and http://www.f-prot.com/~bontchev/ .

Malicious Code Tutorial Books

As you might have already guessed, in most countries, it is not illegal to write destructive code, only to intentionally cause others harm with it. There are several books in publication that tutor budding programmers in the intimacies of writing destructive code. Each malicious code example includes the warning that this particular bug is only for educational purposes and shouldn’t be used to harm anyone. That always makes antivirus types laugh. And if the reader is too anxious to retype in code examples, she can usually just run the virus off the accompanying CD-ROM.


This book includes many example excerpts of malicious mobile code. They are included only to explain a particular concept or to familiarize the reader with a particular malicious code statement. All examples have been purposefully modified so they will not work or cause harm if compiled.

How Does Malicious Code Spread?

There are many ways to spread malicious code, but here is the most popular scenario: the author writes the rogue program and posts it to a VX site. A spreader downloads the program and sends it to a legitimate, unsuspecting site. It can be sent as a Trojan file or emailed as an attachment to an email list group. The unsuspecting users execute the file, which can then infect other files or take control of their systems. The users email the malicious code to another friend or acquaintance and continue the cycle. With malicious Internet content, an unsuspecting user surfs across a malicious web page, and her browser downloads the malicious code. The code can start taking action right away, or go into a sleep mode waiting for a preprogrammed event. There have been lots of viruses spread from commercial software companies. They didn’t know they were infected, and they end up sending out hundreds to thousands of copies before they find out. Microsoft shipped Concept , the first widespread macro virus, on their 1995 CD-ROM entitled, “Windows 95 Software Compatibility Test.” This was right before any of us thought macro viruses would be a viable threat.

The history of malicious mobile code has shown us that it will spread as fast as technology will let it. The bigger lesson to commit to memory is that viruses, worms, and Trojans have been around longer than most of us have been using computers, and probably will be around when we hit our last keystroke. The best any of us can hope to do is to close known holes and avenues for infection, while preparing for the next round of attacks. Although I want to leave this lesson on a positive note, no malicious code bug has ever caused more than a week of major problems. Nothing has been developed, or probably will be developed, that will cause long-lasting significant problems.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required