CERBERUS and Infected Program Reconstruction
Entries in ISEF '94 and ISEF '96, respectively.
Time frame: Spring 1994, Spring 1996
Remember the times when MS-DOS was still the operating system for PCs and the main
means of transferring files from one computer to another was floppy disks? Back in that era,
I managed to get my hands on "Computer Virusology," an extremely rare book by N. N. Bezrukov.
I was in the 8th grade, I had learned C and MS-DOS programming a couple of years earlier
and got very excited about the subject.

One of the major claims made in the book was that it was impossible to invent a universal
anti-virus cure. I wanted to disprove that by creating one.

My first attempt was a program called CERBERUS (named after the multi-headed guardian dog from Greek mythology), which basically
was a selective backup-based virus detector (it backed up just the chunks of executables that
were most in danger of being modified by a computer virus). With that project, I entered the local
Science Fair (Flint Area Science Fair, from here on referred to as FASF) and got Second Place.
As the 2nd place winner, my project was entered into the International Science Fair (ISEF), which in 1996
took place in Birmingham, Alabama. Our trip was paid for by General Motors and the local
science/education funds, and besides the 1st place winner (Jason Warda, a football player who
designed a brace to be worn by football players to prevent spine injury) and me, there were also
a number of student observers who were sent along with us to see how the ISEF was conducted.

The only thing that I can say about that trip to Alabama is that it was one of the most fun trips
I have had in my life, and I have got the photos to prove it. Unfortunately, due to the incriminating nature
of these photos, I cannot publish them on the web. As far as the project went, it earned
an honorable mention, but did not place.

The loss at ISEF '94 really changed my whole attitude towards the project. I was shown
my project's weaknesses and I had seen the stiff competition. So I decided to put a lot of thought and
work into my next entry into the science fair, and be more scientific about it. First,
I formed something of a hypothesis: "When all of the ways for a given operating system which allow
a virus to infect a program without corrupting it are known, then it is possible to create a universal anti-virus
program." My reasoning was that for a computer virus to become the cause of an epidemic,
it has to hide its presence/effects long enough to replicate itself and
spread itself. If the virus's harmful actions are immediately obvious, or
if it becomes obvious that the infected program is corrupted soon after the
infection, then some action will immediately be taken to isolate
the infected computer from others and the virus is not going to get very
far from the origin computer. So to proliferate, the virus has to insert itself into a program in such
a way as to allow it to function normally. And if there are limited ways of doing that for an
operating system, which was the case for MS-DOS, then it is possible to create a universal cure.

Then I researched the literature. As I came to find
out, most of the MS-DOS viruses followed a limited number of patterns for
infecting a program precisely because the OS limited their choices for
stealthy infection.

I then came up with an algorithm called Infected Program Reconstruction, which counteracted
most of these patterns. After backing up tiny digests composed of chunks of the
contents of your computer's executables onto a floppy disk, it was possible
to use these digests not only to detect and purge viruses from your
programs and hard drives, but also in some cases to vaccinate the infected programs to guarantee that
the same virus would not infect them again. And it was all possible without
any prior knowledge about particular computer viruses. I wrote a program called PC-Phage which implemented the algorithm.
It booted from a floppy containing both a "clean" copy of the operating system and the backed-up
chunks of executables from the hard drives. I then obtained 24 of the most advanced computer viruses available
at the time (including Mother Fish, Frodo, Michelangelo, Anthrax etc.),
infected my computer and ran PC-Phage, recording the results
of my experiments. The results
were very appealing. My program had a 100% detection rate, a 95% cleaning rate (it couldn't clean
a Windows virus which I included in my test set just to see what would happen), and a 62% vaccination rate
(some of the viruses used methods to check whether a program was already infected
that excluded the possibility of vaccination).
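
As an added illustration (this is not PC-Phage's code, which the page does not include), here is a Python sketch of the digest-based detect-and-reconstruct idea: the digest keeps only the chunk most likely to be modified (here the fixed 28-byte MZ header), the original file length and a hash of the whole file; reconstruction puts the saved header back, truncates to the original length and verifies against the hash, refusing when the body itself was overwritten. The header layout, the sample program and the tampered test image are constructed assumptions for the demo.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

MZ_HEADER_LEN = 28  # fixed part of the MS-DOS MZ header; initial IP:CS sits at offsets 20-23


@dataclass(frozen=True)
class Digest:
    """Selective backup of one executable: header chunk, original length, whole-file hash."""
    size: int
    header: bytes
    sha256: str


def make_digest(image: bytes) -> Digest:
    return Digest(len(image), image[:MZ_HEADER_LEN], hashlib.sha256(image).hexdigest())


def is_modified(image: bytes, digest: Digest) -> bool:
    """Detection needs no virus signature: any deviation from the recorded digest counts."""
    return len(image) != digest.size or hashlib.sha256(image).hexdigest() != digest.sha256


def reconstruct(image: bytes, digest: Digest) -> Optional[bytes]:
    """Restore the saved header and drop everything beyond the original length.

    Returns the rebuilt image only if it hashes to the original. None means the body
    itself was damaged, so this digest cannot repair it (the 'could not clean' case).
    """
    if len(image) < digest.size:
        return None
    candidate = digest.header + image[MZ_HEADER_LEN:digest.size]
    return candidate if hashlib.sha256(candidate).hexdigest() == digest.sha256 else None


def build_sample_program() -> bytes:
    """Constructed MZ-style image: 28-byte header plus a body that only terminates (int 21h, AH=4Ch)."""
    header = b"MZ" + struct.pack("<13H", 4, 1, 0, 2, 0, 0xFFFF, 0, 0x100, 0, 0, 0, 0x1C, 0)
    return header + b"\xb4\x4c\xcd\x21"


def tampered_copy(image: bytes) -> bytes:
    """Constructed test input: initial-IP field changed and filler bytes appended, the shape of
    modification the digest is meant to undo. This is a byte edit on a buffer, nothing more."""
    new_ip = struct.pack("<H", len(image) - MZ_HEADER_LEN)
    return image[:20] + new_ip + image[22:] + b"\x90" * 16
```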

With that project, I won 2nd place at FASF and at the State Science Fair in Detroit, and I also placed 2nd
in the 47th International Science and Engineering Fair in Tucson, Arizona.

Currently, I think that computer viruses are no longer a major issue simply because nowadays
it takes a very short time to report a virus to an anti-virus company and receive a cure
from them over the Internet. It is true that the Internet is a much larger and much more
accessible breeding ground for new viruses, and I keep seeing new kinds of viruses out there,
some explicitly tailored to be spread over the Internet. However, in most cases the cure
is available for download within a matter of days, and not months as it used to be.