Presentation on theme: "Computer viruses as a paradigm for infectious diseases T. Wassenaar and M.J. Blaser* Molecular Microbiology and Genomics Consultants Zotzenheim, Germany."— Presentation transcript:
Computer viruses as a paradigm for infectious diseases T. Wassenaar and M.J. Blaser* Molecular Microbiology and Genomics Consultants Zotzenheim, Germany *School of Medicine, New York University NY
Introduction Viral diseases will be compared to computer viruses. To see their similarities, infectious diseases are viewed in an abstract manner. Basic principles of infectious diseases can so be illustrated and explained by day-to-day computer experiences. This can lead to a better understanding of underlying principles of infections, and to better treatment of both biological and cyberspace infections.
What is a virus? m A virus is a living organism, containing DNA or RNA m It parasitizes on a host m It can only replicate when inside a host m It follows the biological laws of mutation and selection
What is a virus? m A computer virus is a program m It parasitizes on an operating system m It can only replicate through an operating system m It follows laws of mutation and selection You have new mail
What is what? Computer viruses are man-made programs that perform harmful operations (destroy data, files, software) and can reproduce and spread new copies. Specialists' definitions: WORM = a self-replicating program that spreads copies between computers in a network (internet!) with little or no user interaction VIRUS = a harmful program that plants itself in a program it can modify, and spreads to files within a computer or (with user interaction) between computers TROJAN HORSE = a program in disguise (game, tool) that makes a computer available to non-authorized users. Non-replicative. In view of the biological infectivity of worms, computer worms should have been called viruses, as they are in common languag
The life cycle of a virus A virus enters the host through an opening after passively being breathed in, swallowed, or via direct contact. A virus has to have the correct host and tissue specificity to gain a foothold in a host. A virus replicates at the cost of the host. Damage in the form of disease causes pain, suffering, and sometimes death. Transfer to a next host is required for offspring replicates. The host will (unknowingly) secrete virus particles by coughing, sneezing, fecal shedding. Entry Foothold Replication & Damage Transfer to next host
The life cycle of a virus A virus enters the system passively, through an activity of the operator (inserting an infected disk, opening an infected mail attachment). A virus has to be compatible with the system to gain a foothold. A virus replicates at the cost of computer speed. Damage causes loss or inaccessibility of files, and sometimes loss of the complete hard disk. Transfer to the next computer can occur automatically when computers are interconnected, or requires human activity such as sharing of diskettes. Entry Foothold Replication & Damage Transfer to next host You have new mail
Response of the host Viruses have evolved with their hosts. The host responds to viral infections with defense strategies, which the virus tries to evade. The host response and the viral answer to this evolve together. The result may look like a 'planned' strategy but is the result of mutation and selection.
Response of the host Animals have evolved immune systems that largely protect against a broad range of pathogens. It comprises of two mechanisms: Innate immunity: recognition of stereotypic patterns associated with microbes adaptive immunity: involves learning from exposures and improved responses with recall. The response targets on destruction of the virus. This has costs and risks. Since host response and virus evolve together, a host response can not make a virus extinct.
Response of the host Computer users protect their computers with anti-virus programs, which scan files and discs for known viruses. This largely resembles the innate immunity of animals. Adaptive immunity which learns from exposure is under development. In part it is already operational against polymorphic viruses. The response targets on destruction of the virus. This has costs and risks. Since host response and virus evolve together, anti-virus programs can not make a virus extinct. You have new mail
Did you know? An Email without an attachment until recently could not be a virus, and could not do harm. Virus attachments that were not opened until recently could not cause harm. Hardware is never damaged by viruses (although hard disks can become inaccessible). A Hoax is an Email that warns against a non-existing virus. Hoaxes are a nuisance because they take up resources but, until recently, they were harmless. You should always check if a message is a hoax before forwarding it.
Response of the virus Viruses escape host defenses by accumulative mutations and selection of the best survivors. Repeat of this process over time has resulted in many serotypes. In cyberspace, successful viruses are rapidly copied by malicious programmers who change sufficient parameters to make the anti-viral screens ineffective. Viruses can now change their subject and attachment name automatically during replication. The anti-viral programs recognize these polymorphic viruses.
Hygiene Good hygiene practice can prevent the spread of (viral) infections. m Disinfection and sterilization are routine measures in a hospital. m Regular virus checks with update anti-viral programs should be just as routinely applied by every computer user. m A used needle is just as suspicious as an unexpected attachment with a non-professional name or an unknown extension. Both should be discarded immediately. m Our body can heal, but our hard disc can be replaced. Regular backups will limit the damage in the event of a virus attack.
Immunity has costs Immunity uses resources and energy and thus is costly for the host. Similarly, computer-virus awareness is costly in terms of time and resources: making back-ups routine screening of attachments and discs requesting confirmation from sender before opening an attachment
Immunity has risks When immunity runs out of control, immune diseases result in self-damage allergic reactions are immune responses against harmless agents auto-immunity degrades 'self' instead of pathogens
Allergic reactions Anti-virus programs may respond to.exe programs that are not viruses. Compare this to an allergic reaction to a harmless particle (hay fever). The user must know when to abide the request to inactivate anti-virus programs when downloading from internet Allergies are an inavoidable consequence of immunity
Hoaxes and Auto-immunity Hoaxes are usually harmless, but a new generation has similarity to immune disorders: A hoax may warn for an unseen virus, infecting a particular file which you will find on your computer. Deleting this file in response, you delete part of your system and cause harm to it. Compare this to auto- immunity A virus hidden in a 'patch' to repair identified security leaks--a classical example of self-destruction Severe automutilation due to hoaxes/patches is a new threat
Similarities A toxin becomes harmful above a toxic dose. Toxins can not multiply but have to be produced. Compare a Denial-of-Service attack (DoS): a harmless operation (attempt to enter a website) becomes harmful above a critical amount. DoS can not replicate but have to be sent by a programmer. Biological viruses can be socially transmitted, i.e. spread through (passive) social contacts, or sexually transmitted. Computer viruses (not worms) are like an STD since they require human activity for transmission. Worms are similar to socially transmitted infections. Spam (unwanted but harmless emails) resemble opportunistic pathogens that can injure the host only under specific conditions-- spam can hinder downloading mail through an expensive modem connection Evolutionary speaking, STD's probably predate socially transmitted diseases. In the virtual world, viruses also predate worms
More similarities m Host specificity limits the spread of biological viruses. m Different operating systems (PC, Mac, UNIX) are barriers for further transmission (and often barriers to damage as well) and in that way show host- specificity as biological viruses do. m The young and elderly are most vunerable, in vivo and in silico m An open wound is a portal of entry for infectious organisms. m An unprotected internet connection (or poorly protected Email programs such as MS Outlook) can do the same to your computer.
How virulence evolves Pathogens do not re-invent the wheel but 'steal' virulence genes. These genes often spread through bacterial populations as 'pathogenicity islands' Combinations of successful properties can lead to new successes. The same is true in cyberspace. For instance, 'ILOVEYOU' and 'Melissa' are a combination of a Trojan Horse and a worm. The Trojan Horse helps the Worm to spread. The latest fasion: a virus producing spam
Virulence must be dosed Reuse of formerly proven effective (and infective) information is frequently seen in computer viruses. However, virulence must be properly dosed to be successful. An example: Code Red + SirCam Nimda (W32/Nimda.A-mm) Nimda sends itself by e-mail, as SirCam does, and also scans for, and infects Web servers, as Code Red does. It combines the strongest properties of both.
Nimda spreads without an Email attachment, by clicking on the subject line of an infected Email (e.g. to delete it) or by visiting a website of an infected server spreads extremely fast A weak point was the uncommon subject line of the Email, such as "xboot" or "desktopsamplesdesktopsamples" or "samples" (a better script nowadays 'steals' a name of recently opened files for subject line) So why didn't see the world a cyberspace disaster after it was launched (exactly 1 week after the terrorist attack in the US)? Because it is 'too' virulent
Nimda "This worm was so fast moving, so potentially dangerous, that people saw it right away and responded." Antiviral companies quickly released alerts advising systems administrators to scan all incoming email for the "readme.exe" which blocked the virus from spreading rapidly only hours after the release. By the end of day 1 it's spread had slowed down. Compare this with the rapid and deadly, but always small outbreaks, of hemorrhagic fevers (Ebola): an outbreak is so rapidly recognized that measures can be taken quickly.
History 1981 first Apple virus spreads through Texas A&M via pirated computer games 1983 definition of a computer virus (Fred Cohen) 1988 first major outbreaks (all Macs) 1990 Symantec launches Norton AntiVirus 1991 first polymorphic virus 1994 first hoax 1995 Word viruses predominate 1996 ff Windows viruses predominate 1999 Melissa, first mass-mailing worm. (Author sentenced 20 months (2002)) 1999 first virus activated by opening email rather than attachment You need an immune system for a hoax (auto-immunity) to work The effect of monoculture
History 1981 first Apple virus spreads through Texas A&M via pirated computer games 1983 definition of a computer virus (Fred Cohen) 1988 first major outbreaks (all macs) 1990 Symantec launches Norton AntiVirus 1991 first polymorphic virus 1994 first hoax 1995 Word viruses predominate 1996 ff Window viruses predominate 1999 Melissa, first mass-mailing worm. (Author sentenced 20 months (2002) 1999 first virus activated by opening email rather than attachment
History (contd.) 2000 Lovebug. Stage = first virus with attachment disguised with.txt suffix. DoS become en vogue 2001 Nimda SirCam Code Red 2002 Klez Bugbear 2003 first virus-generated spam 2004 MyDoom Viruses become extinct when their hosts (OS) do Lovebug. Estimated costs: $ 5-15 billion MyDoom Estimated costs: $ 40 billion
Conclusions Computer viruses are a human invention. Nevertheless does their evolution follow routes similar to biological diseases relatively harmless ancestors gradually or step-wise evolve into virulent 'pathogens' simultaneously enforced defense mechanisms of the host evolve successful strategies are reused and combined this in turn solicits new virus 'variants' and 'strains' Eventually an equilibrium will result in which the cost of infection is limited to an acceptable level by the host. Comparing cyberspace "microbes" with their biological counterparts is beneficial to the combat of both.