Computer viruses as a paradigm for infectious diseases T. Wassenaar and M.J. Blaser* Molecular Microbiology and Genomics Consultants Zotzenheim, Germany.

Computer viruses as a paradigm for infectious diseases

T. Wassenaar and M.J. Blaser*Molecular Microbiology and Genomics Consultants

Zotzenheim, Germany

*School of Medicine, New York University NY

Introduction

Viral diseases will be compared to computer viruses.

To see their similarities, infectious diseases are viewed in an abstract manner.

Basic principles of infectious diseases can so be illustrated and explained by day-to-day computer experiences.

This can lead to a better understanding of underlying principles of infections, and to better treatment of both biological and cyberspace infections.

What is a virus?

A virus is a living organism, containing DNA or RNA

It parasitizes on a host

It can only replicate when inside a host

It follows the biological laws of mutation and selection

What is a virus?

A computer virus is a program

It parasitizes on an operating system

It can only replicate through an operating system

It follows laws of mutation and selection

You have new mail

What is what?

Computer viruses are man-made programs that perform harmful operations (destroy data, files, software) and can reproduce and spread new copies. Specialists' definitions:

WORM = a self-replicating program that spreads copies between computers in a network (internet!) with little or no user interactionVIRUS = a harmful program that plants itself in a program it can modify, and spreads to files within a computer or (with user interaction) between computersTROJAN HORSE = a program in disguise (game, tool) that makes a computer available to non-authorized users. Non-replicative.

In view of the biological infectivity of worms, computer worms should have been called viruses, as they are in common languag

The life cycle of a virus

A virus enters the host through an opening after passively being breathed in, swallowed, or via direct contact.

A virus has to have the correct host and tissue specificity to gain a foothold in a host.

A virus replicates at the cost of the host. Damage in the form of disease causes pain, suffering, and sometimes death.

Transfer to a next host is required for offspring replicates. The host will (unknowingly) secrete virus particles by coughing, sneezing, fecal shedding.

Entry

Foothold

Replication& Damage

Transfer to next host

The life cycle of a virus

A virus enters the system passively, through an activity of the operator (inserting an infected disk, opening an infected mail attachment).

A virus has to be compatible with the system to gain a foothold.

A virus replicates at the cost of computer speed. Damage causes loss or inaccessibility of files, and sometimes loss of the complete hard disk.

Transfer to the next computer can occur automatically when computers are interconnected, or requires human activity such as sharing of diskettes.

Entry

Foothold

Replication& Damage

Transfer to next host

You have new mail

Response of the host

Viruses have evolved with their hosts. The host responds to viral infections with defense strategies, which the virus tries to evade. The host response and the viral answer to this evolve together. The result may look like a 'planned' strategy but is the result of mutation and selection.

Response of the host

Animals have evolved immune systems that largely protect against a broad range of pathogens. It comprises of two mechanisms:

•Innate immunity: recognition of stereotypic patterns associated with microbes•adaptive immunity: involves learning from exposures and improved responses with recall.

The response targets on destruction of the virus. This has costs and risks. Since host response and virus evolve together, a host response can not make a virus extinct.

Response of the host

Computer users protect their computers with anti-virus programs, which scan files and discs for known viruses.

This largely resembles the innate immunity of animals. Adaptive immunity which learns from exposure is under development. In part it is already operational against polymorphic viruses.

The response targets on destruction of the virus. This has costs and risks. Since host response and virus evolve together, anti-virus programs can not make a virus extinct.

You have new mail

Did you know?

An Email without an attachment until recently could not be a virus, and could not do harm. Virus attachments that were not opened until recently could not cause harm. Hardware is never damaged by viruses (although hard disks can become inaccessible).

A Hoax is an Email that warns against a non-existing virus. Hoaxes are a nuisance because they take up resources but, until recently, they were harmless. You should always check if a message is a hoax before forwarding it.

Response of the virus

Viruses escape host defenses by accumulative mutations and selection of the best survivors. Repeat of this process over time has resulted in many serotypes.

In cyberspace, successful viruses are rapidly copied by malicious programmers who change sufficient parameters to make the anti-viral screens ineffective. Viruses can now change their subject and attachment name automatically during replication. The anti-viral programs recognize these polymorphic viruses.

Hygiene

Good hygiene practice can prevent the spread of (viral) infections.

Disinfection and sterilization are routine measures in a hospital.

Regular virus checks with update anti-viral programs should be just as routinely applied by every computer user.

A used needle is just as suspicious as an unexpected attachment with a non-professional name or an unknown extension. Both should be discarded immediately.

Our body can heal, but our hard disc can be replaced. Regular backups will limit the damage in the event of a virus attack.

Immunity has costs

Immunity uses resources and energy and thus is costly for the host.

Similarly, computer-virus awareness is costly in terms of time and resources:

•making back-ups •routine screening of attachments and discs •requesting confirmation from sender before opening an attachment

Immunity has risks

When immunity runs out of control, immune diseases result in self-damage

•allergic reactions are immune responses against harmless agents

•auto-immunity degrades 'self' instead of pathogens

Allergic reactions

Anti-virus programs may respond to .exe programs that are not viruses. Compare this to an allergic reaction to a harmless particle (hay fever).

•The user must know when to abide the request to inactivate anti-virus programs when downloading from internet

•Allergies are an inavoidable consequence of immunity

Hoaxes and Auto-immunity

Hoaxes are usually harmless, but a new generation has similarity to immune disorders:

•A hoax may warn for an unseen virus, infecting a particular file which you will find on your computer. Deleting this file in response, you delete part of your system and cause harm to it. Compare this to auto-immunity

•A virus hidden in a 'patch' to repair identified security leaks--a classical example of self-destruction

•Severe automutilation due to hoaxes/patches is a new threat

Similarities

A toxin becomes harmful above a toxic dose. Toxins can not multiply but have to be produced. Compare a Denial-of-Service attack (DoS): a harmless operation (attempt to enter a website) becomes harmful above a critical amount. DoS can not replicate but have to be sent by a programmer.

Biological viruses can be socially transmitted, i.e. spread through (passive) social contacts, or sexually transmitted. Computer viruses (not worms) are like an STD since they require human activity for transmission. Worms are similar to socially transmitted infections.

Spam (unwanted but harmless emails) resemble opportunistic pathogens that can injure the host only under specific conditions--spam can hinder downloading mail through an expensive modem connection

Evolutionary speaking, STD's probably predate socially transmitted diseases. In the virtual world, viruses also predate worms

More similarities Host specificity limits the spread of biological

viruses. Different operating systems (PC, Mac, UNIX) are

barriers for further transmission (and often barriers to damage as well) and in that way show host-specificity as biological viruses do.

The young and elderly are most vunerable, in vivo and in silico

An open wound is a portal of entry for infectious organisms.

An unprotected internet connection (or poorly protected Email programs such as MS Outlook) can do the same to your computer.

How virulence evolves

Pathogens do not re-invent the wheel but 'steal' virulence genes. These genes often spread through bacterial populations as 'pathogenicity islands'

Combinations of successful properties can lead to new successes.

The same is true in cyberspace. For instance, 'ILOVEYOU' and 'Melissa' are a combination of a Trojan Horse and a worm. The Trojan Horse helps the Worm to spread. The latest fasion: a virus producing spam

Virulence must be dosed

Reuse of formerly proven effective (and infective) information is frequently seen in computer viruses. However, virulence must be properly dosed to be successful.

An example:

Code Red + SirCam Nimda (W32/Nimda.A-mm)

Nimda sends itself by e-mail, as SirCam does, and also scans for, and infects Web servers, as Code Red does. It combines the strongest properties of both.

Nimda

Nimda • spreads without an Email attachment, by clicking on the subject line of an

infected Email (e.g. to delete it) or by visiting a website of an infected server

• spreads extremely fast

A weak point was the uncommon subject line of the Email, such as "xboot" or "desktopsamplesdesktopsamples" or "samples" (a better script nowadays 'steals' a name of recently opened files for subject line)

So why didn't see the world a cyberspace disaster after it was launched (exactly 1 week after the terrorist attack in the US)?

Because it is 'too' virulent

Nimda

"This worm was so fast moving, so potentially dangerous, that people saw it right away and responded."

Antiviral companies quickly released alerts advising systems administrators to scan all incoming email for the "readme.exe" which blocked the virus from spreading rapidly only hours after the release. By the end of day 1 it's spread had slowed down.

Compare this with the rapid and deadly, but always small outbreaks, of hemorrhagic fevers (Ebola): an outbreak is so rapidly recognized that measures can be taken quickly.

History1981 first Apple virus spreads through Texas A&M via pirated computer games

1983 definition of a computer virus (Fred Cohen)

1988 first major outbreaks (all Macs)

1990 Symantec launches Norton AntiVirus

1991 first polymorphic virus

1994 first hoax

1995 Word viruses predominate

1996ff Windows viruses predominate

1999 Melissa, first mass-mailing worm. (Author sentenced 20 months (2002))

1999 first virus activated by opening email rather than attachment

You need an immune system for a hoax (auto-immunity) to workThe effect of monoculture

History1981 first Apple virus spreads through Texas A&M via pirated computer games

1983 definition of a computer virus (Fred Cohen)

1988 first major outbreaks (all macs)

1990 Symantec launches Norton AntiVirus

1991 first polymorphic virus

1994 first hoax

1995 Word viruses predominate

1996ff Window viruses predominate

1999 Melissa, first mass-mailing worm. (Author sentenced 20 months (2002)

1999 first virus activated by opening email rather than attachment

History (contd.)2000 Lovebug. Stage = first virus with attachment disguised with .txt suffix. DoS become en vogue

2001 Nimda SirCam Code Red

2002 Klez Bugbear

2003 first virus-generated spam

2004 MyDoom

Viruses become extinct when their hosts (OS) do

Lovebug. Estimated costs: $ 5-15 billion

MyDoom Estimated costs: $ 40 billion

Conclusions

Computer viruses are a human invention.

Nevertheless does their evolution follow routes similar to biological diseases

•relatively harmless ancestors gradually or step-wise evolve into virulent 'pathogens'•simultaneously enforced defense mechanisms of the host evolve•successful strategies are reused and combined•this in turn solicits new virus 'variants' and 'strains'

Eventually an equilibrium will result in which the cost of infection is limited to an acceptable level by the host.

Comparing cyberspace "microbes" with their biological counterparts is beneficial to the combat of both.