How Computer Viruses Really Work: Israel's Viral Historian Explains

Computer scientist Ran Levi, author of ‘Battle of Wits: The History of Malicious Computer Viruses,’ talks artificial intelligence, geeks and Viagra.

Ayelett Shani
Send in e-mailSend in e-mail
Ayelett Shani

How did it start, this whole computer virus thing? Somebody just sat down and said: “Now I’m going to write a program that destroys other computers?”

It wasn’t on purpose. People wrote programs, ran into a certain problem, searched for solutions and said: “Wait a minute, if my program could replicate itself, that would solve my problem.” They didn’t think of it as a virus, but that’s precisely the definition of a virus.

It’s interesting to think about it in biological terms. In evolutionary terms.

Biologically speaking, we’re talking about an entity that undergoes a certain degree of evolution, like its counterparts in the natural world. However, this is not random evolution, because every writer of a virus upgrades and improves upon previous ideas, so it’s a deliberate, human-directed evolution. But the same principles of natural selection operate here quite well. A good and effective virus will survive in nature. There are viruses that emerged 10 years ago and are still present on the Internet and are being passed from computer to computer. A poor-quality virus will not be copied or disseminated, and will die.

This can teach us something about hypothetical scenarios, as happened with the massively popular computer game World of Warcraft.

This is a classic example of an analogy between an epidemic in the computer world and one in the real world. You’ve got a computer game with millions of users. Each user has a character in the virtual world, and together they’re playing a fantasy game. In 2006, there was a bug in the game; one of the spells became corrupted and went viral. Anyone who came under the spell infected others, and as in the real world, it began to spread among millions of users.

It was crazy. You could see masses of dead bodies, like in the Black Plague.

Dead bodies lying around, cities emptying out, just like the Black Plague. Some users decided to run away, some tried to help and to cast spells that would help. And others, out of curiosity, entered the tainted areas, and when they came out they infected many others.

And this incident served as a basis for scientific research.

Yes. An Israeli researcher at Ben-Gurion University realized that one could study how plagues spread in laboratory conditions. He actually studied this virus, and published an article about it, and it essentially marked the start of a new field of medical research.

I want to understand something: What motivates these people who write computer viruses?

Basically, it breaks down into two categories. You have the geeks, for whom it’s an intellectual challenge. These people were very dominant until the early 2000s. They basically started the whole virus scene, and mainly did it for the challenge. Since that time, as the Internet has gained momentum, new players have entered the arena.

And that’s where the big turning point occurred in the history of viruses.

Money entered the equation. The economy began to play a role. Criminal elements realized that you could use viruses to make money. They took over this field, and now they are the dominant power. They buy viruses from the geeks who write them.

For a lot of money. And then the geeks’ motivation changed, too.

Yes, a lot of money − $40,000-$50,000 for a good virus, in fact.

And how does someone make money from a virus?

Usually, it works like this: You look for a company that’s not too big, a few dozen employees, because these are the sorts of companies that don’t have a serious information security system. You find out who the account manager is and you send him an email with an inquiry and a price quote.

The email comes with a PDF attachment that contains the malicious program you bought for $50,000. He opens the PDF and then the virus starts to install things and bide its time behind-the-scenes in the computer. That’s all at the beginning. Nothing else happens; the virus is just waiting. The computer looks and acts exactly the same. A week goes by and the account manager, as part of his job, goes into the bank’s website.

And now the virus suddenly wakes up.

Exactly. As soon as the virus recognizes that he’s going into the bank’s site, it launches what you could call a decoy site: a virtual site that pops up as a buffer between the account manager and the actual bank website. And it looks just like it.

The manager thinks he’s in the bank website, but he’s not.

Right. He goes about using the site. He enters his user name and password, and the virus takes the user name and password, and relays them to the criminal, who bought the virus for $50,000. Now he has access to the company’s bank account. He has lots of possibilities open to him. He could go into the account management program and register a fictitious employee on the company’s payroll.

When salaries are transferred to all the employees, a salary also goes to the fictitious employee − to the attacker’s bank account. It could end up totaling hundreds of thousands of dollars, but the sum is deliberately not all that high, so as not to arouse the suspicion of the bankers handling the transfer.

It’s usually discovered a day or two later, but by then it’s too late. Another way to make money is from spam. That’s a very profitable business.

People actually make money from sending those emails that say “Enlarge your penis!” or advertising a pack of Viagra for $2.99?

Not only are there buyers for this stuff – and it’s quite a thriving business on its own – but there’s a whole behind-the-scenes economy here that’s developed, in which these fake pharmacies fill the orders for customers.

Really? I order Viagra and I’ll actually receive Viagra?

You’ll receive Viagra – or something like it. Experience shows that for the most part, criminals have a clear economic interest in supplying you with a product that you’ll be pleased with.

They have quite the service mentality. What is the real return on all this spam?

The accepted statistic is something like 1 per 1,000. You send out a million emails and you make a lot of money. There’s a very interesting theory that pretty much explains why most of the headlines of these emails are so unbelievable. If it says “Get a Rolex watch for $5” − 999 out of 1,000 people will say: “Who would sell a Rolex watch for $5? Maybe I’ll ask about it, but this must be wrong.” That becomes a burden for the criminal, on the spammer: He doesn’t want to have to deal with 1,000 people who realize it’s a bluff. He wants that one person who truly believes he’s buying a Rolex for $5.

Natural selection, just in reverse. What about law enforcement? The law says that somebody who edits or writes a virus can face three years in prison. And five years for spreading a virus.

There’s no way to enforce the law. It’s software that spreads independently most of the time. Only a few dozen people are apprehended all over the world each year.

If the technology is so quick and effective, couldn’t it be used for good things? Is there such a thing as a good virus?

That’s an idea that’s been entertained nearly from the first time anyone thought about a virus. But it’s a very bad idea in the real world. A virus is something you set free in the world and then you have no control over it.

You mean, it’s like a monkey with a razor in its hand.

Exactly. Just imagine that you released a good virus but then infected a computer in a hospital that’s connected to a respirator, and now this computer shuts down the respirator.

Let’s talk about viruses for smartphones. Just today Symantec issued a warning about a smartphone virus. I understand that this field is still in its infancy, relatively speaking. How do you explain that?

We only began using smartphones six years ago. True, that is quite a long time in the world of technology, but [computer] viruses as a whole have only been around for 30 years, so they are still in a process of getting more advanced. Now, a large portion of the phones in use today are iPhones, and Apple’s philosophy is not to let any software into the phone if it has not been approved first. And this has been extremely effective in blocking viruses. I don’t know of any virus capable of entering an iPhone or iPad that hasn’t been unblocked. For now, even though the antivirus companies are very eager for us to buy their antivirus products for telephones, if I’m a criminal it doesn’t really pay for me, because the vast majority of people still use their PC to do their banking transactions, and the PC is a very convenient target.

Even though the information stored on iPhones includes bank and HMO-related apps, for example, it’s not the same as dealing with a commercial entity.

Right. So for now there isn’t much motivation. But this is gradually changing. There’s the verification of identification if you want to enter a certain account; sometimes you receive a text message and reply with a number to get in. This is what the virus wants to catch, as part of its attempt to penetrate your bank account. The other thing that’s become more popular is the use of social networks, which provide an excellent platform for the spread of malicious software.

The so-called likejacking.

Yes. It’s a technique where they try to convince you to click “like” on something where the actual aim is just to spread the malicious software or link to your friends.

Now we’re exploring something deeper − the way viruses exploit our psychology.

Absolutely. One of the most successful viruses ever was written in 2003. It was a fairly simple virus called I Love You. The trick was that the subject line of the email that spread it was I Love You. That was enough.

A very simple psychological trick was enough to cause a lot of people to stop and wonder: “Hmmm, who loves me? Who sent me a love letter?” When they opened it, the virus spread itself to their entire contact list.

How sad. Everybody just wants to be loved a little.

What’s sad is how well it succeeded. These simple techniques of social engineering are the most effective.

How is artificial intelligence connected with viruses?

Virus writers are very interested in artificial intelligence. Since you can’t have full control of your virus at any given moment, you want to give it the maximum autonomous capability.

A classic example in recent years is something called the Storm Worm, which in a dynamic and completely independent way was able to identify if an investigator from academia or the police or an antivirus company was trying to penetrate the network created by it. And then it would attack right back and try to bring down the network from which the attempt came in order to scare you, to warn you against messing with it.

That’s an example of a rather minimal use of artificial intelligence: to enhance the software’s self-defense abilities. It was also really the first time that people were afraid to try to decipher a virus, to get into it and see how it works, because it endangered their entire network.

And let’s say I’m surfing some porn website and suddenly this chat message pops up and it’s somebody’s saying: “Hi there darling, I’m tall and handsome, let’s talk.”

“That’s relatively cutting edge. We’ve already seen a case of a virus that spreads via instant messaging and social networks. It tries to start a chat with you and to extract personal information. So it might disguise itself as a person speaking − not a particularly smart one even, since artificial intelligence is still somewhat limited, but it doesn’t need to convince you that it’s Einstein. It just has to convince you into thinking it’s a real human long enough to get you to trust it, and to give it the information it’s looking for.

The chats on these sites aren’t usually discussions of string theory.

There was one very famous case in which a well-known artificial intelligence researcher fell into this sort of trap.

What’s the limit here? What is this all going to look like 10 years from now?

It’s hard to know, but virus writers have a clear motivation to insert as many artificial intelligence tricks as possible into the software they write.

This ties in to your argument that, essentially, the only barrier against viruses right now is the user.

Yes. The antivirus programs today are sophisticated enough to prevent most malicious software from penetrating your computer without some interaction involving the user. You have to give it permission to do something. But if the human being is a link in the chain, he’s also the weak link in the chain, and virus writers are getting better and better and exploiting human psychology to their benefit.

Let’s talk about the most sophisticated virus there is: Stuxnet.

Stuxnet is a malware program created by a state, not by criminals or amateurs, as a weapon of war. It wasn’t the first, but it was certainly a breakthrough in terms of its sophistication, and it gave us a glimpse − a very unsettling one − into the destructive potential of such programs in the hands of someone willing to invest a lot of time and money to develop them.

Stuxnet was introduced into the computers of Iran’s nuclear program in order to destroy centrifuges used for uranium enrichment.

Whoever created it knew exactly what he was looking for, to the level of a single chip in the computers that control the centrifuges. An enormous financial investment was involved, and a great deal of intelligence information was needed. The implication is clear: Vital infrastructure systems such as water, banking, energy and so on are much more vulnerable than anyone expected, because the Iranians were certainly doing their utmost to guard their nuclear facilities. It wasn’t even connected to the Internet, and that didn’t help them at all.

In the next war between two countries with advanced capabilities, vital infrastructures are going to incur damage, even if no actual shells are fired. This is especially worrisome for Western nations, since we are extremely dependent upon our computer infrastructure. As soon as governments get involved in this, viruses start to become weapons.

Ran Levi.Credit: Gali Eytan



Automatic approval of subscriber comments.
From $1 for the first month

Already signed up? LOG IN


Charles Lindbergh addressing an America First Committee rally on October 3, 1941.

Ken Burns’ Brilliant ‘The U.S. and the Holocaust’ Has Only One Problem

The projected rise in sea level on a beach in Haifa over the next 30 years.

Facing Rapid Rise in Sea Levels, Israel Could Lose Large Parts of Its Coastline by 2050

Tal Dilian.

As Israel Reins in Its Cyberarms Industry, an Ex-intel Officer Is Building a New Empire

Queen Elizabeth II, King Charles III and a British synagogue.

How the Queen’s Death Changes British Jewry’s Most Distinctive Prayer

Newly appointed Israeli ambassador to Chile, Gil Artzyeli, poses for a group picture alongside Rabbi Yonatan Szewkis, Chilean deputy Helia Molina and Gerardo Gorodischer, during a religious ceremony in a synagogue in Vina del Mar, Chile last week.

Chile Community Leaders 'Horrified' by Treatment of Israeli Envoy

Queen Elizabeth attends a ceremony at Windsor Castle, in June 2021.

Over 120 Countries, but Never Israel: Queen Elizabeth II's Unofficial Boycott