Monday, December 04, 2006

old viruses never die

the wildlist is often seen as the definitive reference for what viruses are in the wild, so much so in fact that a special form of 'in the wild' (ItW) has become synonymous with 'in the wild according to the wildlist'...

not long ago, however, i heard an interesting and fairly reasonable criticism of the wildlist that brought it back down to earth... that criticism was something along the lines of there being a reporting bias in the wildlist, where some viruses, though active in the wild, aren't reported on the wildlist because anti-virus products remove them without incident when they're encountered... when you consider the fairly finite list of trusted people who report to the wildlist, and the fact that there's really no reason to draw the attention of any of them to a virus that any trained monkey (armed with an anti-virus product) can get rid of, it's easy to see how many viruses could go unreported on the wildlist...

this means that the lifespan of a virus cannot really be measured by how long it stays on the wildlist... this in turn means that a virus that is on the wildlist for two years did not necessarily last longer than a virus that only stayed on the list for one year...

my favourite example of a long-lived virus is stoned.empire.monkey; it was on the wildlist for over 10 years, and few viruses can boast such longevity... one of the reasons it stayed on the list so long is that monkey was not as simple to remove as other viruses (especially other boot sector viruses) in its day - the generic advice involving fdisk had unintended consequences (loss of access to your data) where monkey was concerned, because monkey moved and encrypted the original uninfected MBR... this meant that monkey-infected computers were much more likely to be brought to the attention of a wildlist reporter somewhere...
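the point about fdisk is that a generic "rewrite the MBR" fix is only safe if the sector you are about to overwrite still holds a usable partition table... the following is an added example (not code from the original post, and not a monkey-specific tool) that sanity-checks a 512-byte MBR before anyone applies such generic advice; the sample sectors are constructed test data, not real disk images...

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = 0xAA55       # stored little-endian as 55 AA at offset 510
PART_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code
ENTRY_FMT = "<B3xB3xII"      # status, CHS start (skip), type, CHS end (skip), LBA start, sector count


def parse_partition_table(sector: bytes):
    """Return the four MBR partition entries as dicts (status, type, start LBA, size)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        boot, ptype, start, size = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        entries.append({"boot": boot, "type": ptype, "start": start, "size": size})
    return entries


def mbr_looks_sane(sector: bytes) -> bool:
    """True only if the sector carries a plausible partition table worth preserving.

    A sector that fails here is exactly the case where blindly rewriting the
    MBR boot code would leave you without a usable table, i.e. without your data.
    """
    if struct.unpack_from("<H", sector, 510)[0] != MBR_SIGNATURE:
        return False
    entries = parse_partition_table(sector)
    used = [e for e in entries if e["type"] != 0]
    if not used:
        return False                       # empty table: nothing here describes your data
    for e in entries:
        if e["boot"] not in (0x00, 0x80):  # only 'inactive' and 'active' are legal status bytes
            return False
        if e["type"] != 0 and (e["start"] == 0 or e["size"] == 0):
            return False                   # a real partition cannot start at the MBR or be empty
    ranges = sorted((e["start"], e["start"] + e["size"]) for e in used)
    return all(s2 >= e1 for (_, e1), (s2, _) in zip(ranges, ranges[1:]))  # no overlaps


def build_sector(entries, signature=MBR_SIGNATURE) -> bytes:
    """Construct a sample MBR from (status, type, start, size) tuples (constructed test data)."""
    sector = bytearray(SECTOR_SIZE)
    for i, fields in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i, *fields)
    struct.pack_into("<H", sector, 510, signature)
    return bytes(sector)


CLEAN_MBR = build_sector([(0x80, 0x06, 63, 2_000_000)])   # one active FAT16 partition
GARBLED_MBR = build_sector([(0x37, 0x06, 0, 0)])          # table no longer describes any partition
```

a sector that fails the check should be imaged and inspected rather than overwritten, which is the lesson monkey taught the hard way...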

however, monkey disappeared from the wildlist sometime in late 2003, presumably because the environments in which it could thrive were gone (boot sector infectors generally can't spread in the 32-bit windows environment that was introduced some 8 years prior to monkey's disappearance from the wildlist)... in spite of anti-virus products being able to detect and remove monkey for almost, if not, the entire time it was on the wildlist, av programs did not seem to be able to drive it into extinction any more than the fox could drive the rabbit to extinction in the classical predator-prey models found in high school biology textbooks... instead, loss of habitat seems to have had the biggest effect in killing off not just monkey but the entire class of boot sector infectors...

it's entirely likely that monkey is not alone in this respect... if detection and removal couldn't drive monkey to extinction, why should they drive any other virus to extinction?... given the reporting bias of the wildlist suggested earlier, it's quite likely that many viruses still go about happily infecting unprotected computers and being easily zapped when they encounter av, so that there's no report of their activity - that they continue spreading just under the radar until the environment in which they operate is gone, and for most virus classes that kind of loss of habitat hasn't actually happened yet...

in fact, it's debatable whether there's even been complete loss of habitat for boot sector infectors like monkey... just last night this blog was visited by someone doing a google search on the keywords 'stoned.empire.monkey.a removal' (i hope they found killmonk, the dedicated monkey removal tool)... my guess is that, since boot sector viruses are considered extinct, nobody bothers with the safe hex steps that mitigate the risk of boot sector infection (i.e. changing the boot sequence for the computer so the machine doesn't boot from a floppy left in the drive), so old floppy disks are re-introducing the virus to active machines, and/or maybe (just maybe) some of the machines out there are still running dos...

1 comment:

Anonymous said...

Ya, may be true,
I think due to newer viruses hitting the market no one cares about the old ones :) because they are outdated/expired