Milestone: Software Evolution In The Wild?

By Schofield in Technology
Sat May 11, 2002 at 07:10:08 PM EST
Tags: Software (all tags)

A significant milestone in computer history may have occurred. One virus has infected another virus, says an article by Will Knight of NewScientist.com. The story states that this this infection happened in the wild. It's very possible we have just seen the spontaneous evolution of computer code.

comments (24)
The article states, in part:

"Anti-virus software makers say some versions of the widespread computer virus Klez.h hide a mutation of a very destructive virus first seen in 1998 and known as Chernobyl or CIH. The Chernobyl virus variant automatically infects files and programs files on computers running Microsoft Windows.

"'Klez is just another Windows program,' says Graham Cluley of the UK anti-virus firm Sophos. '[CIH] just infects the executable file, whereupon Klez then forwards itself around in a double infected state.'"

The CIH virus has become a parasite on Klez.h, using Klez.h's superior mobility to travel further. It seems to be the exact analog of the burrs which, hoping to fall somewhere fertile, insert themselves into my socks when I walk through a field.

It's important not to overstate the importance of this event. We're not going to see a "Terminator - like" world anytime in the forseeable future. Still, this mutatation will be seen later as a milestone -- the first time this kind of evolution has taken place in the wild. (Virii "mutate" all the time -- when virus-writers create new varients. And there are virii that are programmed to change themselves in pre-set ways. But this is the first time to my knowledge that a true mutation has happened spontaneously, in the wild.)

It's also important to note the effect of this mutation on computer security. If you have anti-virus software and you update it regularly, you don't have anything to worry about. If you don't have anti-virus software, you are more likely to get CIH than you were before, and CIH is much more damaging than the widely-traveled but fairly innocuous Klez.h. Still, any system with no up-to-date virus protection is wide open anyway, so I'm not sure what the net effect is.

* A Disclaimer: I'm not an artificial-life expert of any kind. I'm just an interested layman.


Milestone: Software Evolution In The Wild? | 30 comments (20 topical, 10 editorial, 0 hidden)
Not a mutation. (4.80 / 5) (#3)
by xriso on Fri May 10, 2002 at 08:01:50 PM EST

Chernobyl sounds like an executable infector, and Klez sounds like a system infector. It is interesting, but not too suprising, that this happened.

To me, the biological analogy is more like a boat accidentally bringing foreign organisms into some remote island, thus disturbing the ecosystem. However, the organisms also had parasites in them which also infected the ecosystem. I don't think anybody would call this a mutation of either the organism or the parasite.

Klez saddens me however. IIRC, it is a 120k program. What ever happened to the days of 1k infectors? 120k seems to be the appropriate size of an Application! Indeed, the .exe extension would seem to indicate this. At least, CIH thought so. :-)
Yes... (4.00 / 1) (#7)
by fluffy grue on Fri May 10, 2002 at 11:40:37 PM EST

And it's really goddamned annoying how many copies of Klez I've received (I seem to get 8-10 a day; fortunately I read my email from a shell account on a fat pipe but I feel sorry for anyone who has to download all their mail over dialup).

What's really weird is that every single one has been sent to the same email address, and it's an address I haven't used in years (but which I still receive mail from, but it goes to my probable-spam folder).
8-10 a day? (none / 0) (#30)
by rusty on Tue May 14, 2002 at 12:29:54 AM EST

You lucky bastard. When will this one end? It's really annoying. Not least because they're so damn big, and don't display anything on netscape mail. It's gotten so when the downloading of a message goes on for more than about 3/10 of a second, I automatically hit delete.

Not the real rusty
Not a Mutation II (5.00 / 2) (#13)
by calle555 on Sat May 11, 2002 at 01:48:32 AM EST

I agree with xriso and other posters that this is not a mutation, but the combination itself puts evolutionary pressure on the parasite to be nice to its host and not hamper the hosts ability to reproduce.

In rare cases the parasite may even improve the host's chances of survival compared to hosts without the parasite. Combinations like that have proven to be very powerful. Examples of symbiotic relationships that may have parasitic origins include viruses in parasitic wasps, mycorrhizae, chloroplasts and mitochondria.

When CIH-infected Klez worms become better at reproducing than non-infected ones we should watch out ...

Now this gives me ideas... (4.00 / 3) (#4)
by ksandstr on Fri May 10, 2002 at 08:02:19 PM EST

So it turns out that when there are two major ways for a virus and/or a worm to spread themselves, one would start using the other as a spring-board for its own distribution. Hardly surprising, but interesting in any case -- how long until we see an IIS worm/piggyback/e-mail worm hybrid, man-made or otherwise?

This idea by itself makes me kind of glad that my operating system of choice doesn't allow system binaries to be modified by just anyone, and that my MUA of choice isn't integrated with a One True Scripting Facility.

Actually this isn't the first evolution moment (4.60 / 5) (#6)
by khallow on Fri May 10, 2002 at 09:43:06 PM EST

I think they first discovered an unexpected interaction some time in the early 90's. I don't recall the full story, but here's the technical details I remember. The two viruses would infect the same executable. One would prepend itself to the file, then the second would prepend some jump command to code it appended to the same file. Finally, the original virus would come back, "detect" the file wasn't infected (the beginning having been modified), and reinfect again. This was now a stable infection since each virus looks at different places to determine whether the file was infected (front or back).

Stating the obvious since 1969.

I also remember macro virii doing that. (3.33 / 3) (#25)
by static on Sun May 12, 2002 at 01:30:44 AM EST

When I looked after anti-virus software acquisition, I recall two macro virii colliding to create a new variant. Removing them wasn't hard as at the time, macro virii removal was in its early stages, so it had to be done manually anyway. Wade, who, just for the fussy, was taught many years ago that the plural of "virus" is "virii".

[ Parent ]
I am not getting the point. (3.50 / 4) (#9)
by blakdogg on Sat May 11, 2002 at 12:36:44 AM EST

Klez.h is benign Windows virus, which apparently consists of an executable file. CIH is an older file sector ? virus that infects executable file. Why is it news that CIH would infect Klez.h ? And why would any one think that this infection counts as a mutation ? If the scanner can pick up a CIH infection on explorer.exe it would/should be able to do the same for the Klez.h executable. And how does AI enter into the equation ?
Woe be onto the United Nations, there nothing but a front.
Move along folks, nothing to see here (4.22 / 9) (#10)
by jabber on Sat May 11, 2002 at 12:40:15 AM EST

Klez isn't a virus, it's a worm. From the artificial life metaphor perspective, it's just another animal. Rats have fleas, fleas have intestinal microbial parasites, which have viruses.. It's not a quantum leap of any sort. It's simply a virus infecting a program like any other.

When a bug SPONTANEOUSLY jumps platforms, or ON ITS OWN mutates to just disable anti-virus software, then we'll have a quantum leap.

This is nothing more than a coincidence. Hmmm... Unless it happens again, soon, and with increasing frequency. Then I'll worry. :)

[TINK5C] |"Is K5 my kapusta intellectual teddy bear?"| "Yes"

nothing mutates on its own (4.50 / 2) (#28)
by kubalaa on Mon May 13, 2002 at 12:47:05 PM EST

This is the perfect example to demystify biological evolution. In biology, interesting things don't spontaneously happen on their own either. Rather, it is exactly this sort of thing; a component developed for one task is accidentally combined with something else and happens to do something completely new.

This spontaneous combination wasn't intended by either program -- any more than your genes intended to make you -- but it happened and it happens to be more effective than either virus on its own. Evolution doesn't happen in quantum leaps, but we do have here an exciting warning of things to come.

[ Parent ]

Why this is so special. (5.00 / 4) (#12)
by Farq Q. Fenderson on Sat May 11, 2002 at 01:15:57 AM EST

This isn't a mutation, it's not evolution of bodies, but perhaps it is the creation of an ecosystem. This is the first (observed) occurance of something so cooperative between two such bodies of code.

Now, given that Klez happens to be good at running around the net, it seems to be the perfect vessel for lesser apt, but more specialized bodies of code to perpetuate. Older viruses aren't much in circulation, probably because an infected program would become noticed as a culprit and then be wiped or disinfected, once the infection was detected.

A worm, however, is special in that it spreads on its own. It doesn't reside on your harddrive so much as it is a phenomenon that occurs across the net. You can't isolate it to your harddrive, and you can't rid yourself of it simply by removing it because it will probably come to you again. You can protect yourself from it, however, but that's not important to my argument.

I have to wonder, though, which kind of virus would be able to best take advantage of the phenomenon. A destructive virus might destroy all of the participating hosts and wipe itself out. A moderately destructive one might manage to stay alive longer. The more I think about it, though, the more I believe that, provided the virus doesn't wreak havoc immediately, any degree of damage can be done and, aside from drawing more attention to itself, it is in little danger of causing its own extinction.

Just when I was considering getting back into writing redcode.

farq will not be coming back

Internet- organism/ecosystem (3.66 / 3) (#16)
by pedrobeltrao on Sat May 11, 2002 at 09:41:23 AM EST

It doesn't look like much, but maybe it hints at the potential. I've always looked at the internet has the next step in our evolution ... something like the sum of humankind (BORG anyone). Internet, or whatever we will call it, may one day be something like an organism ... (and there we go again into the matrix paradigm).
The future is here. It's just not evenly distributed yet." William Gibson
Stephen Wolfram's new book (2.00 / 1) (#19)
by medham on Sat May 11, 2002 at 06:23:27 PM EST

Will prove that we are living in a simulation and that the singularity occured at some time in the unknowable past, I believe.

If Wolfram's book doesn't prove this, then I for one will find it a good deal less interesting.

The real 'medham' has userid 6831.

Question? (none / 0) (#21)
by LukeyBoy on Sat May 11, 2002 at 07:48:17 PM EST

I'm intererested - which book specifically? A New Kind of Science?

[ Parent ]
That's the one (none / 0) (#22)
by medham on Sat May 11, 2002 at 07:50:07 PM EST

Let me know if you want to hear about transhumanist ethics. Or the use and abuse of history.

The real 'medham' has userid 6831.
[ Parent ]

Definately (none / 0) (#23)
by LukeyBoy on Sat May 11, 2002 at 07:55:20 PM EST

Fire me an e-mail if you like.

[ Parent ]
I won't do that (5.00 / 1) (#24)
by medham on Sat May 11, 2002 at 09:04:13 PM EST

But I'll tell you the worst thing that's ever happened to me.

I used to live on Pemberton Place with Jessup and the three helots. We drank tranquilizers until early in the evening, often opening Shade Gates. One day a fly was nosily dying in a cobweb. I went over to look at it, AND I REALIZED RIGHT THEN THAT WE WERE THE FLY!

The real 'medham' has userid 6831.
[ Parent ]

I'm 350 pages into it... (none / 0) (#27)
by KnightStalker on Mon May 13, 2002 at 12:38:16 PM EST

...and it doesn't seem to prove that so far. All it seems to say is that cellular automata and other simple programs can often provide a good approximation of nature. Of course, the first 300 pages pretty much boiled down to "look at these cool cellular automata." And I found a couple nifty ways to produce Sierpinski curves that I didn't know about before. Maybe the proof that we're living in a simulation will come later on. I hope so. I'll post a review when I'm done if I really really feel like it.

Yeah, I know the book won't be "released" until tomorrow. That's the great thing about working at a bookstore. :-)

[ Parent ]

For the last freakin' time.. (3.75 / 8) (#20)
by kitten on Sat May 11, 2002 at 07:47:50 PM EST

I'm usually not pedantic about this sort of thing, but for chrissake: The word is "viruses", not "virii".
mirrorshades radio - darkwave, synthpop, industrial, futurepop.
"In The Wild?" (4.25 / 4) (#29)
by Lagged2Death on Mon May 13, 2002 at 01:38:02 PM EST

The article seems to assume that the klez/CIH combo just happened by coincidence - that some poor slob got his PC infected with both, and shazam, a new virus is born. But is there any evidence for this?

There's no reason it couldn't have happened that way, of course, but it could, on the other hand, have been a deliberate act by someone not clever enough to write their own virus.

And now that it's all over the geek press, we may be in store for a slew of imitators.

Starfish automatically creates colorful abstract art for your PC desktop!

