2013-07-01
Abstract
‘A series of new factors ... are placing unprecedented evolutionary pressure on the virus/anti virus/operating system triad.' Catalin Cosoi, Bitdefender.
Copyright © 2013 Virus Bulletin
‘For an evolutionary system, continuing development is needed just in order to maintain its fitness relative to the systems it is co-evolving with.’ - L. van Valen (1973)
This oft-quoted phrase is the canonical formulation of the Red Queen theory. When faced with evolving competitors, it says, a species must change at the same pace just to remain within its niche.
This sounds like a recipe for increasing fitness for all participants in the race. Until, that is, you realize that (this being the Looking Glass world, after all) all runners do not have to run in a particular direction – it’s quite possible to develop (or over-develop) characteristics that help deal with a particular competitor yet which have a net negative survival value. Species can evolve themselves out of existence altogether, racing to an evolutionary dead end.
To complicate matters, the virus vs. anti-virus arms race is in fact a three-way match. We can think of the virus as purely parasitic, the anti-virus as a mutualistic symbiont, and the OS as the host organism.
The three compete for system resources – processing power, memory, bandwidth and data – using two main strategies. They try to wipe out competition outright and make better use of existing resources. Of course, there is intra phylum competition as well – various flavours of anti-virus, innumerable strains of viruses, and an increasing, but still comparatively small, variety of operating systems.
Of the three, only viruses and anti-virus programs are locked in a predator-prey arms race. And both are obligate guests – neither can function in the absence of a host OS. Meanwhile, operating systems can do just fine on their own, at least as long as they remain fit for purpose.
The ecological equilibrium is established around a position where operating systems (and their designers and users) find it cheaper, in evolutionary terms, to deal with the resource consumption of both virus and anti virus than to develop better defences of their own. Indeed, overly secure operating systems tend to stray from the equilibrium point by making poor use of resources, while insecure systems lose control of resources altogether, again preventing users from doing useful work.
The anti-virus maintains its niche by being more efficient at fighting threats than its host could ever hope to be without actually losing fitness. The virus uses stealth to hide from its predator and improvements in resource efficiency to avoid smothering its host.
Evolutionary biology also teaches that such equilibria tend to be long-lived, with the actor species random-walking inside their respective phenotypic ranges of variation – for instance, a predator species’ fangs might get longer, then shorter, then longer again.
A well-supported theory, however, holds that such dynamic equilibria are punctuated by short periods of massive evolutionary change, quickly reaching a new equilibrium as new species replace the old.
We may be on the cusp of such a change right now. A series of new factors – migration of software services to the cloud, increasing use of encryption for software authentication, and security and hardware virtualization technologies, to name but a few – are placing unprecedented evolutionary pressure on the virus/anti virus/operating system triad.
The Obad trojan provides a clear-cut example of such co-evolution. This piece of Android malware made use of a previously unknown bug in the operating system to make itself impossible to remove from infected systems. Naturally, as anti-virus software on Android only has the same permissions as other user programs, almost all anti-virus programs were incapable of removing it. Then, of course, anti virus makers found a work-around and Android OS was patched. The story is ongoing, and it remains to be seen what tricks the next iteration of Obad will come up with.
