Slashdot Mirror
Simple Virus For Teaching?
ed1023 writes "Currently I am teaching a 101 class on computers. It is more of a 'demystifying the black box' type of class. The current topic is computer viruses; I am looking for a virus with which I can infect the lab computers (only connected to local network, no outside network connection) that would be easy for the students to remove by hand. Can the Slashdot community point me in any directions? Is there an executable out there that would work, or do I try to write one myself, or is there one that is written that I can compile myself?"
http://en.wikipedia.org/wiki/EICAR_test_file
I don't even know if I'm joking.
You missed a requirement: easy for the students to remove by hand
Stoned is a classic and a pleasure to disassemble. It fits in a boot sector (512 bytes) and it's not particularly malicious, but it has all the elements that a virus needs. I don't know if it would still work on a modern computer, though: Some old viruses used funky instructions that became obsolete (like "POP CS"), and this one seems to have issues working on large-capacity disks.
It sounds instructive, but you will probably get fired for lacking good judgement.
There are plenty of stories where teachers do similar things that end up getting them fired. Teaching students how to write viruses, faking a classroom kidnapping, how to plan a terrorist attack, etc.
Teaching your students how to write a virus is a classic case of bad judgement. Your superiors will tell you "What were you thinking?" and you will get let go.
Teach them verbally how viruses are created, but don't assign anything as homework.
The plural of virus is viruses. Just like the plural of abacus is abacuses, not abacai. Viri (or even worse, virii) annoys the hell out of me.
What do you expect a student to learn from being told "there is a virus on this machine, remove it by hand"?
If they are in the "demystifying the black box" phase, they have no idea what you're talking about.
Teach them that viruses are just programs like Word or Excel, except with a specific malicious purpose. Give them an overview of how a machine or user might be tricked into running malicious software. Teach them about how malicious software might propagate. Use historical examples. Talk about privileges.
Virus is a slang term that brings up all kinds of scare reactions in ordinary people. They immediately assume that machines are vulnerable to bacteria floating around on the wind, or something similar. You need to de-emphasize the term "virus". It's just software. Then teach them that 99% of all malicious software runs on Windows, and that it's a reflection of the number of vulnerabilities in Windows code and market share.
Write a simple program that copies itself to the Windows folder and starts itself at boot. The program should show an alert box saying "HACKED BY PROFESSOR HANDSOME!!!!" if it sees it is being run from the Windows folder. Put it on a USB key with an autorun.ini, tell them you have placed a virus you wrote on there, and let them sort it out. Just be sure you're on an XP machine and that autorun is enabled.
Better yet, email the .exe to the entire class. Call it CS101-Example.exe, and use the harmless infection to talk about social engineering. Then take them through the 'infection' process, and show them how to remove the file by hand.
It's Windows, so it's easy... just create a CD or USB drive with two files:
autorun.inf :
[autorun]
open=installpopup.bat
installpopup.bat : /k echo "Hi I am a virus"
cmd.exe
copy installpopup.bat "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
Bonus is that it has plenty of legitimate uses for system automation for your little script kiddies as well.
The interrupts and NOPs interfered greatly with the network cards, causing the whole thing to come crashing down when more than a couple of the computers were running at a time. It took at least a couple of days for the sysadmin to sort it out.
RIP George, thanks for introducing me to the Internet and I'm sorry that you didn't get to stick around for Linux and /. I should have taken your Minix class when I had the chance.
Bleh!
Note to tool462, stop using windows.
Well, if you want to get all prissy about the Latin, then it's incorrect to use the word to describe a single unit of the substance, in the way it's not correct to call a single water molecule "a water". Id est, since a viral program is itself a cell in the viral infection of many computers, there's no term for it other than "viral program" and no term for several of them other than "viral programs". The "virus" would be some arbitrarily bounded subset of the population of said viral programs infecting machines, which could devolve to a single program infecting a single machine, but would still not be the correct term for that program or, indeed, for the viral infection being suffered by that machine. It could correctly refer to the running program and its data (which in most computers includes its instructions) and the progress of its states, but I'm pretty sure nobody much thinks of it that clearly when using the word "virus". Nor is it correct to use "a virus" to refer to a type of virus (exempli gratia Stuxnet, Sasser, Hopper, et cetera) but only to an instance of that type of virus as it is spreading, or, again, some arbitrary subset thereof, wherein it has its physical expression and aggregate, fluid form.
As for whether it annoys you for people to use a latinate word that is both convenient and apt despite its not being precisely Latin, well, tough titty, because apparently the Latin version of it is a mispronunciation of the Proto-Indo-European word for the same gooey mess, so insisting on going only as far back as Latin for the value of correctness of form is false cognitive closure, and that gives everyone else cause to be annoyed at you.
if UAC is enabled, Explorer is not running with privileges that can write to the All Users profile.
For that matter, this will fail on any system where the profile directory isn't in "C:\Documents and Settings", which includes any non-English OS.
Use
copy installpopup.bat "%userprofile%\Start Menu\Programs\Startup" instead
Windows IT guys can be clueless. In a previous job, IT insisted on shutting down my machine and take it away for cleaning because I saved the EICAR test string in cygwin so I could test my Unix boxes' clamav with it. There was no convincing them that the string "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" wasn't a virus.
Not even my creds as the author of the world's first heuristic AV scanner, nor my certifications were believed, because Symantec Antivirus claimed it was a virus, so it had to be.
That ITs internal HP printers LCD panels suddenly started displaying "INSERT COIN" had nothing to do with this, I swear.
Yeah but the odds of running into BO in real life is slim to none, so if you are gonna teach them about bugs, why not something useful? I'd suggest one of the Rogue AV or security tool variants. Those infections are as common as dirt, being in the PC fixit biz I should know, and removal involves all the classics...F8 boot into safe mode, deleting the reg keys, then running a nice CD or USB key scanner (I'd of course recommend CD, as it is cheap and easy). Hell you can have them make their own AV Rescue Disc which then they can take home with them, and is a nice tool to have.
So I guess the real question is if this is gonna be a BS class, where you teach them something that the odds are virtually zipola of running into IRL, or give them a nice overview of how to DIY fixit work? Because while the Security Tool variants freak out the users they are actually pretty damned easy to kill once you know what you are looking for, and pretty much any bug short of a rootkit follows the SOP bugs like Security Tool use. IMHO it would be a good all around lesson, and as long as the machines aren't on the net not a threat. As a bonus you would give them an up close and personal glimpse at how scareware works, which sadly is becoming QUITE popular for malware writers. by knowing the signs and being able to spot the phonies they can actually help their less clueless relatives and be safer themselves.
ACs don't waste your time replying, your posts are never seen by me.
+5, Informative?...REALLY?!?...
OK, let's start with a handily recent post on the Language Log about Latin plurals (the post is about "syllabus", but "virus/viruses/*viri/**virii" show up in the comments).
Now, onward...
Well, if you want to get all prissy about the Latin, then it's incorrect to use the word to describe a single unit of the substance, in the way it's not correct to call a single water molecule "a water".
Actually (and ignoring the somewhat startling categorisation of computer virus as "substance"), not in the same way at all. You can't call a single molecule of water "a water" because "water" is a mass noun in English, and those don't (i) take indefinite articles, and (ii) don't pluralize nicely (inter alia). It's possible that this portion of your argument comes from here, which points out that in Latin, "virus" ("poison") was a mass noun. Of course, in English, "virus" is very clearly a count noun in English, since it can be (and overwhelmingly is) used with an indefinite article.
Id est, since a viral program is itself a cell in the viral infection of many computers, there's no term for it other than "viral program" and no term for several of them other than "viral programs".
You appear in the preceding to be claiming that the word "virus" doesn't exist in English (or perhaps simply that is has no referent) a claim some information security researchers (and doctors!) might take issue with (cue lambasting for the stranded preposition in 3...2..1).
That being said, this raises an interesting point about...something. Maybe the type/token distinction? When someone says "I wrote a virus", we take him (or her, I suppose) to be making a claim about an implementation of some specific algorithm in some specific language, but not to any particular token of it.
The "virus" would be some arbitrarily bounded subset of the population of said viral programs infecting machines, [...]
I don't understand the grounds on which you're making this claim.
[...] which could devolve to a single program infecting a single machine, but would still not be the correct term for that program or, indeed, for the viral infection being suffered by that machine. It could correctly refer to the running program and its data (which in most computers includes its instructions) and the progress of its states,
OK, so the "running program, and its data" counts pretty much as a "single token of the substance" at hand, in my book. So now it sounds like you're contradicting your opening claim.
but I'm pretty sure nobody much thinks of it that clearly when using the word "virus".
As I just mentioned, you seem to be contradicting yourself (although I may just be misreading you), so you'll forgive if I take claims of clear thinking only quasi-seriously.
Nor is it correct to use "a virus" to refer to a type of virus (exempli gratia Stuxnet, Sasser, Hopper, et cetera) [...]
Why is this 'incorrect'? "I wrote a virus. I'm calling it Johnny5." Seems like a perfectly good use of "a virus" to me.
[...] but only to an instance of that type of virus as it is spreading, [...]
Again, isn't this in contradiction to how you started this comment?
or, again, some arbitrary subset thereof, wherein it has its physical expression and aggregate, fluid form.
Aside from the impossibility of "some arbitrary subset" of an instance (I'll assume that was just a typo/thinko), now you're just engaged in verbal wankery. I mean, I suppose you might choose to model the spread of contagion in a network of computers as the flow of a kind of flu
Research is what I'm doing when I don't know what I'm doing. -- Wernher von Braun
Yes, because he wants to make sure the "fake" virus he uses for the removal exercise doesn't contain some hidden, actually damaging, payload.
Someone has already suggested the EICAR test file, which is ideal. It pops up a message box, and is easy to remove. He can add links the various windows startup files, the registry, he can go old school and call it from a batch file, and he's safe in the knowledge that he's in no danger of hosing his systems.
Nowhere in the stub did he say he was going to teach the kids about actually writing the virus they were to remove. Reading comprehension fail.
Finally had enough. Come see us over at https://soylentnews.org/
This was both annoying as hell (plenty of syntax errors), and difficult to positively blame on mischief as:
The TSR was called <shift-space>.com and so a cursory perusal of the autoexec.bat would not reveal its presence, as shift-space just looks like a normal space (... but can be the name of a command)
IT spend an entire day trying to re-install Turbo Pascal, and the problem still persisted... (because it was in an independent TSR, not in the Turbo Pascal app itself)
Then, the next day, re-install of the entire system.
Another fun TSR one was the annoying keyboard beep. The TSR had a timetable of the classes build in, so that the keyboard click would be very short and almost unnoticable at the beginning of the class, and then gradually grew longer and longer during the class (first a faint click, than a more obvious click, and by the end of the hour an annoying beeeeeeeeeep). Fun thing is, as it was gradual, nobody really noticed when/how it started, but eventually that background noise was "just there"...
A, those were the days of highschool pranks...
On any tech forum, including slashdot, you have wannabe haxx0rz who ask "how to write teh virus???" They never get a serious answer, obviously.
The OP (ed1023) thinks he can trick slashdot readers with some social engineering into thinking they're really helping someone this time by telling him "how to write teh virus???". Who knows, maybe he will succeed. Maybe he will write teh virus.
Not computer related, but similar.
A friend of mine carried a pager years ago. I wrote a script to send a message to his pager every morning at 3am, saying "Low Battery".
Do you or your partner snore? - Visit www.snoring.com.au