Wednesday, December 8, 2010

The Perfect Virus principle #14: Stealth

As indicated in my post of Monday, 11/22/2010, I am extrapolating Jeff Walker's Principles for the Perfect Application into a discussion of The Perfect Virus. Since Jeff's monograph on the subject did not anticipate stealth or suicide mechanisms, any errors or lapses into stupidity are solely my additions and should not reflect poorly on what I consider to be the biggest single contribution to software application design since the invention of computers. And Jeff, thanks for giving me permission to do surgery on your baby.
THE PRINCIPLE OF STEALTH: The Perfect Virus is invisible before, during, and even after it pulls the proverbial trigger to deliver its payload. The destructive aspects of the payload will closely enough resemble a fully formed virus that postmortem forensics will be fooled into thinking that the still-virulent payload was indeed the virus, but the real delivery system will either seed itself invisibly or outright destroy itself to avoid detection and analysis. For those of you who have done your homework and watched the DVD movie Zombieland, this is "Zombie Killer Rule #2: Doubletap." When you shoot a zombie, do it at least twice if you know what's good for you. Ditto for systems your virus is infecting.

Characteristics and methodology of how The Perfect Virus achieves Stealth depend upon adherence to the preceding 13 principles, as well as to the remaining 8 as follows:

  1. I will paraphrase Stephen Wolfram's assertion in his book A NEW KIND OF SCIENCE that modern mathematics is unequipped to even consider the more interesting problems, instead relegating itself to the rather pedestrian tasks of normalizing equations for manual solution. Similarly, The Perfect Virus will completely elude the signature-recognition processes employed by anti-virus companies like Symantec and McAfee, or the concept of "whitelisting" promoted by the new wave of venture-funded companies with the stated mission of putting corporations and governments at ease. These companies can't begin to solve the "interesting" problems, because The Perfect Virus presents itself as a Native (principle #9) and trusted application.
  2. Because The Perfect Virus presents itself as Native (principle #9) and with unsurpassable Performance (principle #4), its nominal use of machine clock cycles makes it virtually undetectable, even during periods of geometric spawning discussed in Feral Fertility (principle #2). This also demonstrates "Zombie Killer Rule #1: Cardio" wherein fat slow humans are overtaken by Zombies first. It also demonstrates "Zombie Killer Rule #7: Travel Light."
  3. Also owing to Feral Fertility (principle #2) and Black Box Portability (principle #7), The Perfect Virus can sense the availability of non-species/non-computer technologies such as USB devices, wireless networks, Bluetooth systems, etc. to jump from Internet-connected systems to isolated and supposedly protected systems (a la Stuxnet to Iranian nuclear centrifuges). And because it exhibits Self Awareness (principle #3), it can use Mutation Control (principle #6) to customize itself on the fly for the most hostile environments. This demonstrates "Zombie Killer Rule #18: Limber Up."
  4. The Perfect Virus can "hide in plain sight" just as Bill Murray did in the unstated but implied "Zombie Killer" rule by…yep…making the other Zombies think he was one of them. An illustrative but by no means the only way to hide in plain sight is illustrated in the following scenario: (a) seed your virus in a photo image (such as a screen saver or .jpg/.gif/.eps file) that will be decoded and acted upon by (b) drop-through code secreted in trusted software or operating systems that have been compromised by your (c) breaking in to the source-code management systems of major software suppliers such as Adobe (king of the hill for a Swiss Cheese source management system), Apple, Cisco, IBM, Lenovo, Microsoft, Oracle, etc. Hiding in plain sight demonstrates "Zombie Killer Rule #3: Beware of Bathrooms" because if you look for a hiding place, the zombies will search those hiding places.
  5. As a further elaboration on point 4c preceding, there is no way even the smartest source-code examination or machine-code decompilation can spot a multiple-level drop-through scenario, where three or more conditions must be met before invoking expected/trusted behavior in badly startling and unexpected/untrustworthy ways. So it is with due respect that I must cast a suspicious eye on the Chinese company Huawei and that anybody in the UK, and BT in particular, would risk using them, no matter what assurances (including source code) might be provided. Sorry guys, but the way Chinese hackers are hammering my little Linux "honey pot" system, that's a lot of risk any Huawei customer is assuming. The only mitigating circumstance is that China and Huawei may be acting like the old mob protection goons, who show up on the doorstep selling "fire insurance" to a Brooklyn merchant; if the merchant doesn't buy the fire insurance, he's most certainly going to have a fire.
  6. The Perfect Virus will make its first order of business, upon penetration of a system, to look for DNA fragments of previous virus killings and/or suicides and/or aborted mutations, in compliance with Feral Fertility (principle #2) and Mutation Control (principle #6). This also demonstrates "Zombie Killer Rule #31: Check the Back Seat." Any sign of a hardened system, The Perfect Virus will get the word out to the ultimate dashboard controller spoken of in Prosumption (principle #11). This, of course, is analogous to "Zombie Killer Rule #22: When in Doubt, Know Your Way Out."
  7. If The Perfect Virus needs some serious computing power and if the system is connected to the Internet, you can be in compliance with the Performance directive (principle #4) by offloading MIPS to either your own server farm, a captive Mathematica server, or to the Wolfram|Alpha computational asset.
  8. The Perfect Virus cannot be stopped by anything there ever was or anything there ever will be (Openness, principle #8).
  9. Because it appears to be a Native Implementation (principle #9) with No Common Denominator (principle #10) in that it uses unique features that may only be available in one system on the earth (the one in which it resides), The Perfect Virus is exceptionally Stealthy.
  10. The Implicit Sophistication (principle #12) of requiring no IT support further enhances the feature of Stealth.
In summary, The Perfect Virus will always execute a so-called "Zero Day" exploit, and never a signature one. It can't be blocked by Whitelisting because it Seamlessly Migrated (principle #5) with trusted applications. Admittedly, this Stealth discussion gives just a few illustrative examples. And with respect, I've taken some pretty direct shots at conventional wisdom that accounts for billions of dollars in revenue to companies like Symantec, McAfee, and Huawei, not to mention the global aspirations of China. If I've mistakenly, short-sightedly or stupidly taken a position, please write it off to the fact that I'm a mathematician/novelist thinking out loud. Let me know about such egregious lapses and I'll publicly correct them in this blog. My cyber privateer idea, which started out as a plot element in my novel, has now taken on a life of its own as I use this blog for "displacement activity" between writing and other of life's adventures.

Not to mention that I am still well and truly irritated at China's cyber militancy toward my little Linux box, and more convinced than ever that existing US law enforcement couldn't do anything even if they wanted to (see today's Computerworld story that our highly motivated government can't even shut down Wikileaks).

Implementation suggestions for THE MORGAN DOCTRINE are most welcome. What are the "Got'chas!"? What questions would some future Cyber Privateering Czar have to answer about this in a Senate confirmation hearing?