According to a report in the Japan Times, the Japanese Defense Ministry is considering creating “its first ever computer virus… as a defense measure against cyber attacks.”
Sources in the know have apparently told reporters that the Defense Ministry is considering getting private companies to develop the malware by next March. The aim? To “break into a computer system, hoping such a computer virus could work as a deterrent against cyber attacks.”
The malware, a ministry source told the Japan Times, would not be used for pre-emptive attacks but instead used for defensive purposes.
When I read the report, I was unsatisfied by the lack of detail. I wanted to know more. And I had questions… lots of questions.
Perhaps the first and biggest question though is this: do they really mean a “virus”? The general public still throws around the word “virus” a lot, but perhaps doesn’t know precisely what it means.
A virus is a piece of executable code that can replicate itself, perhaps by injecting itself into other computer programs or an area of your computer which stores code that gets executed.
And the surprising truth today is that most of the malware we see isn’t actually viral at all. Much of the malicious code analyzed by security labs takes the form of a Trojan horse (a program which does something malicious you weren’t anticipating, perhaps posing as a harmless program) which doesn’t have an in-built mechanism for spreading.
So, an attacker might spam out a Trojan horse to their intended target, attached to an email which expertly socially-engineers a recipient into clicking on the file.
Alternatively, an unsuspecting user might be duped into clicking on a link to a dangerous website, which silently installs a Trojan onto their PC and opens a backdoor through which hackers can spy upon their victim or steal information and resources.
Viruses have, from time to time, proven very successful – in the past, they have infected swathes of files, and large numbers of computers, rapidly spinning out of control.
But this uncontrolled spreading can in itself be a virus’s downfall. Malware doesn’t want to draw attention to itself, because if it’s noticed it might more easily be countered.
But that isn’t the only reason why writing a virus as a defence measure may not be the smartest idea ever.
For instance, if you let loose a self-replicating piece of code to fight your enemies – what are you going to do when it inevitably requires a bug fix? All programs, including malware, can contain unintended bugs which might have negative consequences. If Japan’s defensive virus needs an urgent bug fix when it’s out in the field, would you release another virus to try and catch up with it to apply the patch?
Remember – you cannot guarantee that the system the virus is running on has access to the internet to download an update from there.
And what happens if the bug in the virus means that it misidentifies its intended target and instead runs on an innocent computer? What if the virus accidentally finds itself on the computer of a Japanese business or – just imagine! – a Japanese military system? Can there be confidence that it won’t cause any harm? Even a “good” virus uses system resources such as disk space, memory, and CPU. On a critical system, such a virus could cause unexpected side effects.
Maybe the boffins in Japan are thinking that a virus could be used for a “good” purpose, such as applying patches to vulnerable computers, servers, and IoT devices that have been hijacked by cybercriminals or an enemy state. They may be imagining a “good virus” that can hop from PC to PC, mopping up infections as it goes.
But again, what do you do when it goes wrong? Could such a virus leave computers in a worse state than they were in the first place? Might a virus spreading to combat a cyber attack prove to be incompatible with some operating systems or – a potentially bigger headache – unable to coexist harmoniously alongside future OS updates?
The truth is that when you release a virus you are taking a big gamble, and it doesn’t just affect you but everyone else in its path.
I suspect that the Japanese don’t need to develop viral code to fight a malware infection. Anything which can be done by viral code can be done “with fewer headaches” by non-replicating software.
If you want to learn more about the pitfalls of using viruses to fight viruses I can recommend reading a lengthy paper written by veteran anti-virus researcher Vesselin Bontchev entitled “Are ‘Good’ Computer Viruses Still A Bad Idea?”
Although written in the early 1990s, Bontchev’s paper is still valid today and gives many explanations about the potential pitfalls of using malware to fight malware. Things may have changed a lot in the world of cybersecurity in the last 25 years, but the fact that so-called “good” malware can have unintended negative consequences doesn’t seem likely to go away.