Are "Good" Computer Viruses Still a Bad Idea?


Vesselin Bontchev
Research Associate
Virus Test Center
University of Hamburg
Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
[email protected] [Editor\'s note: Vesselin\'s
current email address is [email protected]]

During the past six years, computer viruses have caused unaccountable amount of
damage - mostly due to loss of time and resources. For most users, the term
"computer virus" is a synonym of the worst nightmares that can happen on their
system. Yet some well-known researchers keep insisting that it is possible to
use the replication mechanism of the viral programs for some useful and
beneficial purposes.

This paper is an attempt to summarize why exactly the general public appreciates
computer viruses as something inherently bad. It is also considering several of
the proposed models of "beneficial" viruses and points out the problems in them.
A set of conditions is listed, which every virus that claims to be beneficial
must conform to. At last, a realistic model using replication techniques for
beneficial purposes is proposed and directions are given in which this technique
can be improved further.

The paper also demonstrates that the main reason for the conflict between those
supporting the idea of a "beneficial virus" and those opposing it, is that the
two sides are assuming a different definition of what a computer virus is.

1. What Is a Computer Virus?

The general public usually associates the term "computer virus" with a small,
nasty program, which aims to destroy the information on their machines. As usual,
the general public\'s understanding of the term is incorrect. There are many
kinds of destructive or otherwise malicious computer programs and computer
viruses are only one of them. Such programs include backdoors, logic bombs,
trojan horses and so on [Bontchev94]. Furthermore, many computer viruses are not
intentionally destructive - they simply display a message, play a tune, or even
do nothing noticeable at all. The important thing, however, is that even those
not intentionally destructive viruses are not harmless - they are causing a lot
of damage in the sense of time, money and resources spent to remove them -
because they are generally unwanted and the user wishes to get rid of them.

A much more precise and scientific definition of the term "computer virus" has
been proposed by Dr. Fred Cohen in his paper [Cohen84]. This definition is
mathematical - it defines the computer virus as a sequence of symbols on the
tape of a Turing Machine. The definition is rather difficult to express exactly
in a human language, but an approximate interpretation is that a computer virus
is a "program that is able to infect other programs by modifying them to include
a possibly evolved copy of itself".

Unfortunately, there are several problems with this definition. One of them is
that it does not mention the possibility of a virus to infect a program without
modifying it - by inserting itself in the execution path. Some typical examples
are the boot sector viruses and the companion viruses [Bontchev94]. However,
this is a flaw only of the human-language expression of the definition - the
mathematical expression defines the terms "program" and "modify" in a way that
clearly includes the kinds of viruses mentioned above.

A second problem with the above definition is its lack of recursiveness. That is,
it does not specify that after infecting a program, a virus should be able to
replicate further, using the infected program as a host.

Another, much more serious problem with Dr. Cohen\'s definition is that it is too
broad to be useful for practical purposes. In fact, his definition classifies as
"computer viruses" even such cases as a compiler which is compiling its own
source, a file manager which is used to copy itself, and even the program
DISKCOPY when it is on diskette containing the operating system - because it can
be used to produce an exact copy of the programs on this diskette.

In order to understand the reason of the above problem, we should pay attention
to the goal for which Dr. Cohen\'s definition has been developed. His goal has
been to prove several interesting theorems about the computational aspects of
computer viruses [Cohen89]. In order to do this, he had to develop a
mathematical (formal) model of the computer virus. For this purpose, one needs a
mathematical model of the computer. One of the most commonly used models is the
Turing Machine (TM). Indeed, there are a few others (e.g., the Markoff chains,
the Post Machine, etc.), but they are not as convenient as the TM and all of
them are proven to