TR-666: A pact with the Devil

Today, Tuesday 6/6/6, Mike Bond and George Danezis published our department’s 666-th technical report titled “A pact with the Devil”. In this devious research paper, they explore the risks of a whole new generation of malware that exploits not only computer users’ inexperience to propagate, but also their greed, malice and short-sightedness.

For immediate release

For many years now, anti-virus software vendors and users have seemed to form a united front when combating electronic malware. But will this remain so? Are viruses restricted to merely propagate through automated exploits of software bugs and users’ credulity? Mike Bond and George Danezis, until recently computer-security researchers at the University of Cambridge Computer Laboratory, dust off their black hats and explore more sophisticated, or some may say more evil, propagation strategies that viruses and other e-pests may already be using. (Through a fitting coincidence, their report “A pact with the Devil” was published today, on 6 June 2006, and was assigned the Computer Laboratory’s technical report serial number UCAM-CL-TR-666.)

Bond and Danezis predict that tomorrow’s computer viruses will seek the help of users to survive and propagate, by enticing them with benefits. Such viruses take advantage of the fact that they already reside on some computers, to allow newly infected users access to pirate content, such as music or video, or the ability to violate other users’s privacy, such as being able to read their emails or confidential documents. Users will be faced with incentives to install the virus if, in their eyes, the benefits outweigh the drawbacks and risks. Once installed, a virus can entrench itself by providing disincentives to the user against removing it: threats to reveal personal information, or just the fact that the user has actively benefited from the virus, might be sufficient. “The ‘Satan Virus’ turns the user into an ally, and pursues its nefarious activities, such as spamming or attacking third party systems, through a calm symbiosis with the user – who has little to gain, and a lot to lose, if it is removed”, says Bond.

How far away into the future are these sinister e-creatures? Bond and Danezis argue that a lot of software today, bundled with adware and spyware functions, already contains traits of the Satan Virus. A user has to put up with dis-utility to reap the benefits. Similarly, peer-to-peer systems are based on a model where the user gives part of her resources to the “network”, to get some benefit in return. It is only a small, but significant, conceptual leap to extend already deployed strategies to also include electronic bribery and blackmail. The Satan Virus “would not simply infect a user’s machine, but would truly aim to infect the user’s mind”, says Danezis.

About Markus Kuhn

I'm a Senior Lecturer at the Department of Computer Science and Technology, working on hardware and signal-processing aspects of computer security.

5 thoughts on “TR-666: A pact with the Devil

  1. Pingback: POSIWID
  2. A fairly robust defence against these viruses should come from entrapment.

    Alice, or Bob, or the coporate security division, or other ‘friendly’ malware, might run a sting program that offers fake (or in the case of third-party malware, real) access to a victim’s files but cuts the access and reports the offence immediately.

    The attractiveness of a pact with the devil is the idea that otherwise unobtainable rewards really are available in the short term, which in turn requires trust — there is no literary genre of people selling their souls to politicians or used-car salesmen.
    More prosaically, police sting operations are quite effective at discouraging prostitution or low-level drug trafficking in a targeted areas.

    A few well-publicised cases of people being fired after being tricked into looking for porn on co-workers computers could do a world of good.

    “Conscience is the little voice that tells you someone might be watching”

  3. I’m a little disappointed that such unscientific panic-making comes from the celebrated Markus Kuhn of Cambridge University.

  4. Thomas, yes I agree that entrapment can be a powerful tool in fighting and manipulating certain sorts of behavior. However there are ethical considerations for entrapment, and the circumstances that it is used in real life law enforcement, I would argue, are quite limited.

    Sting operations to discourage prostitution have some particular characteristics: they are performed in targeted areas which do not affect the whole population, or bring the whole population into unnecessary temptation. Furthermore there may be rules about exactly how much provocation is fair.

    Thus if malware can use a propogation channel which it is unethical to perform entrapment via, then it is free of direct interference. What we are left with is not defence by entrapment, but defence by education (George and I describe a specific example of this in the paper… “viral prophets”).

    As an example ethical dilemma for fighting viruses by entrapment: suppose a 10 year old child types the word “porn” into a search engine on a school computer. It may be very well for the school IT system to return a scalding message (or just an educational one).

    But now suppose the 10 year old is sent an email saying “Here, wouldn’t you like to see pictures of people with no clothes on”, with a link. To appeal to the child’s natural curiosity in this way, and then to hit them with a scalding (even educational) message seems to me a bit out of line.

    I think the same problem comes of fighting Satan Viruses using entrapment. Entrapment as a technique is so close to the mark that it’s practically sinking to their level to employ it.

    Timwi. Firstly I believe the criticism should be directed at myself and Dr. Danezis and not to the messenger, who simply posted our press release. Secondly, if you study the paper in detail, in particular the conclusions, you will see that we do not advocate panic. Thirdly, I’m not sure it is fair to describe a paper which is to appear in due course in a peer reviewed publication (NSPW) as unscientific.

    Mike Bond.

Leave a Reply

Your email address will not be published. Required fields are marked *