The expiry date of viruses

April 19, 2004

One of the most infamous computer viruses of all time was the Friday 13 virus. The reason it was given this name is very simple: this is the date when it deleted all the files with an .EXE extension from affected computers.

There are many other viruses that, like this one, are named after a significant date, such as April 1st, Christmas, July 14 or July 13th. Similarly, there are others that, although their names do not refer to it, activate on a specific date, such as Michelangelo (March 6) or CIH/Chernobyl (April 26). The reason virus authors program their creations to activate at a specific time is easy to understand.

A few years ago, when the Internet was still under development and only available to the privileged few, the only means of spreading a virus was via floppy disks. This is obviously a very slow means of transmission, too slow when compared with the propagation rate of today's viruses. To give you an idea, the Friday 13 virus, which appeared at the end of the 80s, took an extremely long time to spread and continued infecting computers for several years. In comparison, in January 2003, the SQLSlammer virus took, according to certain sources, just ten minutes to spread worldwide and wreak havoc across the Internet.

So, when virus authors set out to create malicious code, they calculated the time it needed to spread and then programmed it to activate on a significant date or a date that they simply liked. This gave the virus an 'incubation period' in which it would not infect computers, but try to spread as widely as possible until its D-day arrived.

Today's viruses do not need an incubation period to spread. In fact, antivirus companies update their signature files every day (unfortunately, some update less frequently) and use systems for detecting new viruses within a few hours after they emerge, so viruses are limited to infecting unprotected computers or computers on which the antivirus protection has not been updated. Therefore, the quicker a virus spreads, the more effective it will be.

In spite of this, some viruses that have appeared recently also include a date in their code, but unlike older malicious code that activates on this date, they do quite the opposite: they stop spreading. Virus writers know that they have an excellent tool for rapidly circulating their malicious creations, and therefore they do not need to wait to carry out their damaging actions.

In most cases, the date set for the virus activity to stop is relatively soon after it has been released; a week at the most. However, there are exceptions like the V variant of the Bagle worm, whose author hopes that the virus will stay active until January 1, 2005.

The reason for programming an activation date in the viruses created years back is obvious, but why do today's viruses have expiry dates, not trigger dates? The most straightforward answer is: to leave room for other hackers to infect the Internet with other malicious code. If several viruses were spreading and infecting a large number of computers at the same time, it would be very difficult for virus authors to assess the consequences of their actions.

Even though some virus writers use their code to exchange insults and threaten one another, this conspiracy brings them even closer together, allowing them to take it in turns to infect users' computers, in a competition to see who can do the most damage to the information stored on computers.

It is almost as if every virus creator has an allotted time slot for spreading their code, just like planes taking off from airports. If the effects are not carried out during this time, they will be eliminated from the virus contest. Users and administrators can ensure that viruses are quickly eliminated by adopting effective security policies that prevent malicious code from spreading. It is up to us to make sure that these competitions are lost before they start.
