CPSC 527 or: How I Learned to Start Worrying and Write a Virus

Just over a decade ago my university started to offer a controversial course known as “CPSC 527 Computer Viruses and Malware”. Or as I refer to it: the Virus course.

The virus course has a reputation which proceeds it. I first heard of it in second year. Word was that there existed a course held in a locked and isolated lab. No internet and no electronics allowed. Only fourth year students could enrol and an essay was required.

So fast forward to late third year when I and a friend have set our minds on this mythical course. Said friend managed to uncover the controversy dating back to 2003 over the  introduction of our viruses course.

Most of the resulting articles and press releases can still be found through a quick search. Most notable were two press releases from the Anti-Virus Manufacturers: Sophos and F-Prot. Both give an insight into why the course was not received well by all:

I just wanted to make sure that you are aware of the effects that participation in the course may have on the students’ future career. Most anti-virus companies (including ours) have a policy against hiring former virus writers for anti-virus work. What this means is that in the event that the students actually learn something useful in the course, they will most likely not be able to obtain employment in the anti-virus industry due to their participation in the course, and thus not be able to contribute to actually solving the virus problem.– Fridrik Skulason of F-Prot

Sadly it seems the university is developing courses according to what it believes will be most attractive to potential students rather than focusing on skills that will be useful to them in the security industry. One wonders if the University will be held legally and financially responsible if any of the viruses written on their course break out and infect innocent computer users. — Graham Cluley of Sophos

What struck me is the assumption both responses hold: it is Anti-Virus companies which bring relief from viruses.

I disagree. Security, and thus relief from viruses, instead derives from your ecosystem and your operating system. Which gets to my interest in the course:

  1. Have fun
  2. Becoming a better systems programmer

I have no interest in becoming a researcher for the Anti-Virus industry. Instead I want to create systems which will minimize vulnerabilities and reduce any ground a virus can win in finding a vulnerability. Meanwhile all Anti-Virus software can do is slow down your computer, take your money, and tell you it is time to reinstall Windows

Now Mr. Cluley and Mr. Skulason do raise a good question: why should you create a new virus? To answer that let us look back to 2007 during my tenure at the local McDonalds. In our flashback I am a new employee and my boss has taken time out of her day to instruct me on proper method for cleaning dishes. You see the drive through is right across from the washing station and thus it is the task of order takers to clean dishes while waiting for cars. Now I wasn’t a patient lad and protested against a practical demonstration. I asked her if she could instead just tell me how to wash dishes. To this she said:

You’ll only learn something once you’ve done it. — My boss circa 2007

Which is thus the core reason why CPSC 527 must be about writing new viruses. Similar themed courses at other universities may teach virues the way Mr. Cluley and Mr. Skulason wish them to be taught: by dissecting existing viruses. Granted Mr. Cluley is correct, this approach would better serve students going into the Anti-Virus industry. Dissecting existing viruses is the major task when writing an Anti-Virus scanner.  Thus prospective job applicants to Sophos or F-Prot would be well served by practicing their new job while in school.

Except I have no interest in the Anti-Virus industry. Instead I want to learn to think like a virus writer. I want to look over a system’s design and notice “Hey, I can abuse that!”. Not for the purpose of abuse, but to bake security into what I create.

To that end I can say CPSC 527 was a fantastic course: I wrote a virus, an exploit for a buffer overflow vulnerability, and for the final assignment a virus scanner for the other 10 group’s viruses.

All virus work was done in the virus lab: a locked lab with no internet access on machines which required a second student to vouch for your identity before you could login. The machines themselves were linux boxes running FreeBSD in a locked down virtual machine. Even if a malicious student did brings the virsues out of the lab there would be no targets to infect!

The virsues we wrote were not complex or modern. My current value to the Russian Mafia is still about zero dollars.

With that said my virus did win the prize for best virus, which in this course means it was the worst and most annoying virus.

What my virus did was launch a rootkit into kernel space. This rootkit would then sit and count how many files a thread opened. Once the thread has opened N files it got marked as an anti-virus. Then instead of killing the undesirable scanner, we would deny all write requests. Thus a scanner would work for the files in /bin but any warnings of virsues in /sbin or /usr/bin would be silenced. The net effect was to make programmers think their scanner was broken!

The rootkit was so effective even I got caught by it! My scanner would find the infected files in /bin but not the ones I knew were in /usr/bin.

Beyond pride, writing the rootkit was enjoyable, fulfilling that goal. Spying on the scanners required hooking BSD’s system calls and stuffing data into unused fields of the thread’s task struct. I even booby trapped the system calls table: any attempt at unloading my rootkit would leave non-NULL yet invalid pointers in the system call table. Thus any calls to open or write to files would crash the kernel.

Towards the intangible goal of improving my systems programming I am now quite paranoid. My programs now enjoy user input escaping far beyond anything reasonable. I found myself escaping even the input I got from the kernel! The kernel being the program which runs my program and already controls the entire computer.

As for systems design, my fervour for mobile and Firefox OS has only increased. We need to replace the Win32 ecosystem with an ecosystem that can be sandboxed and we need to do it without throwing user freedom to the dogs. To that end the web is perfect. Web browsers have undergone years of security stress testing in the most hostile environments imaginable. The web represents an ecosystem developed from the begining to be sandboxed, it is not even possible to self modify binaries!

In general we need more programmers to take courses like 527. University students no longer write virsues for fun or to prove a point. Instead we have rogue governments attacking their own people. The risk in teaching students virus writing is now far outweighed by the benefits. We need programmers who will make security a priority. At Microsoft I learned that “UAC is not a security boundry“. What this means is that any vulnerability allowing bypassing of UAC will not get patched. They’ve resorted to this useless stance because there are already many unpatched vulnerabilities. The net effect is users are running under admin accounts which feel like regular non-all-powerful accounts.

So if you have a chance: please enrol in CPSC 527, or a similar course if your university offers one. If enough people take courses like these maybe the next UAC will not happen.

14 thoughts on “CPSC 527 or: How I Learned to Start Worrying and Write a Virus

  1. Jacob

    In the seccond-to-last paragraph, you wrote “courses like 537.” Is this a typo?
    Other than that, a facinating read.

    Reply
  2. DIrk

    I really liked this, it’s re-piqued my interest and I think I’m going to finish reading a book that’s been sitting on the shelf for a bit 🙂

    Reply
    1. danieru Post author

      Yup, U of C. Or University of Calgary which I realize I’ve yet to write once in the post.

      Reply
      1. Chris

        Well thank you for the insight. As a third year cpsc student at u of c whose still somewhat on the fence as to what they’d like to specialize in, this was a great read.

        Reply
    1. danieru Post author

      Assembly two was okay but useful. We’ve redone it to use raspberry pi’s so it should be *much* more fun. The virus course is awesome but next year we’ll only be running the adware and spamware courses instead, still taught by Dr. Aycock so it should be good. 457, databases, was ok since I made an existing todo list item into my group’s project. If you have friends good at programming then you should consider taking it with them.

      I’m taking the games course, 585, right this week. It is intense at 8 hours per day for 5 days but if you should try it. I’m also taking 411, compilers, and I expect it do be good. Next year it might be taught by Dr. Aycock which should be work but fun.

      Hope that helps.

      Reply
      1. Chris

        I found assembly to be boring but yes, useful. I took 457 with Dr. Locasto (a lot of work, but amazing. Just missed out on the rasp pi’s). I think I’ll most likely take the spyware and adware courses next fall, unless I fall in love with human computer interaction this winter. Did you enjoy 453? I’m kinda on the fence about whether or not to take it. I’ve heard 585 is pretty awesome. Although I had the same prof last semester for programming paradigms and although I did well, I found the prof pretty awful. Although its probably less of an issue since 585 is a lot more self directed.

        Reply
        1. danieru Post author

          I heard Dr. Locasto was harsher this semester with the 457 assignments than my semester, congrats on taking it with him.

          The professor does not do much in 585, it is all the instructors and our TA. I was meh over my section of 453 but I hear a better professor is teaching it now so you might like it better.

          Reply
          1. Chris

            People complained a lot but it wasn’t too bad as long as you started early (specifically on one part of the assignment where you had to do some modification of the system call table, not unlike what the virus you wrote does, except we were allowed to modify the kernel) it took quite a bit of time and a lot of research, but it was totally doable. Thanks for the insight. It’s always nice talking to other students about courses. Can’t really get that sort of information out of a course outline.

          2. danieru Post author

            I think I remember some friends working on that assignment. It sounded like tons of drudge work!

Leave a Reply to danieru Cancel reply

Your email address will not be published.