CODE RED: THE RUBICON CONSPIRACY
Cloaked Worms and Viruses
They’re Not Just for Computers
By Michael Edward
While I was doing some research on computer viruses and worms for a security program I’m developing, something hit me: What if there was a parallel between these computer virus-worms with newly discovered biological viruses found in humans and animals?
In my preliminary research, I began to see various patterns, such as computer virus-worms being discovered or released right before major world events. That was when I decided it would also be important to research the names of these virus-worms.
Although the technical meanings are different, many times a worm is improperly called a virus and vice versa, so it’s important to understand what both computer & biological virus-worms are.
Computer viruses began in the early 1980’s and continued to rampantly spread through the 1990’s. In computer terminology, a virus is a piece of program code that copies itself. It then spreads by attaching itself to a computer host, both altering and damaging the targeted host in the process (just as a biological virus reproduces and damages host cells in the process). The infected host is almost always a computer operating system (i.e., Windows), which then infects the applications it transfers to other computers. Viruses use the host's resources and are deliberately destructive (i.e., erasing files or re-formatting hard drives) or they will allow others to access the machine without authorization.
The name ‘virus’ came from a mid-1970s science fiction novel written by David Gerrold, When H.A.R.L.I.E. was One. The book describes a “fictional” computer program called VIRUS that worked just like a biological virus. It was countered by a “fictional” computer program called ANTIBODY.
The destructive effect of viruses is their uncontrolled self-reproduction, which then overwhelms the computer resources through the host program. Nearly every virus consists of a locator (sometimes called a finder) and a replicator. The locator is responsible for finding new and uninfected files. Every time the virus locator discovers a “normal” file, it calls for the replicator to infect that file.
Most viruses contain some sort of bomb that goes off when a certain condition has been met. A bomb is found at the beginning of the virus program code. It might, for example, erase all files on the computer at a certain date, such as on any friday that happens to be at the 13th day in any month.
To avoid detection from antivirus-software, the newest viruses now en-crypt their code before injecting it. In turn, they must also de-crypt their code before running or executing it. In order to do that, such viruses have a decryption engine at the beginning of their program script and an encryption engine located within their replicator.
While not being able to detect the actual encrypted virus code, most anti-virus software programs can now detect the decryption engine located in the front of the virus program code. To avoid this detection, the latest viruses now mutate their decryption engines for each new copy they propogate. In order to enable this polymorphic code, the virus has to have a mutating engine located somewhere in its encrypted script.
Currently, such a polymorphic virus is nearly impossible to detect, but heuristic analysis anti-virus software seems to be somewhat effective in discovering these mutated viruses.
1981 --- A program called Elk Cloner is credited with being the first computer virus to appear "in the wild" outside the computer or lab where it was created.
1986 --- The Brain Virus emerges. In November, the first SCA Virus appears.
Computer ‘worms’ began to spread rampantly after Y2K even though the first worm appeared outside the lab in 1988 . A computer worm is a self-replicating computer program that is also self-contained. Unlike a virus, a worm does not need to be a part of another program in order to propagate itself.
The name 'worm' was taken from yet another mid-1970’s science fiction novel, The Shockwave Rider, written by John Brunner. The actual name used by Brunner was ‘tapeworm’.
A worm almost always installs a “backdoor” in the computer it infects. These backdoors cloak or hide the actual origin of the worm’s origination. More importantly is that these backdoors are exploited by other worms. The newer worms spread by using the backdoor opened by the previously installed worm.
1988 --- The Morris worm (named after its author) infected machines connected to the Internet becoming the first worm to spread “in the wild.”
2001 --- In July 2001, the Code Red worm was released and specifically targeted the White House website. The Sircam worm was also released during that summer.
2003 --- On January 24, 2003, the (SQL) Slammer worm caused widespread problems on the Internet. In late August 2003, two major worms named the Sobig worm and the Blaster worm began to attack millions of computers.
2004 --- The MyDoom worm emerged in late January, 2004 and now holds the record for the fastest replicating Internet worm. While it was designed to attack certain websites, it’s main purpose is to enable remote control of the PC’s it infects.
Now that we know what computer virus-worms do, let’s take a quick look at biological viruses before comparing the two:
A virus is a small particle which can infect other biological organisms. Viruses are parasites that can only reproduce by invading and taking over other cells, called hosts. This is because they lack the ability to self-replicate. A virus infects both multi-celled and single cell organisms. Viruses carry a small amount of either DNA (which guide the operations) or RNA (through which DNA instructions are expressed).
A virus hijacks its host's cell to create more virus particles. They have a specific host range, usually specific to one species.
Examples of diseases caused by viruses include the common cold, smallpox, AIDS, and even cold sores caused by herpes simplex. Antibiotics are useless against viruses.
A biological worm, such as a tapeworm, is a self-reproducing organism that survives by absorbing nutrients from its host. There are about 15,000 modern species known.
Prions are an example of a micro-biological worm. As a self-reproducing protein structure, they infect and thrive off of biological hosts. It is now commonly accepted that they are responsible for a number of previously known diseases including Scrapie (a disease of sheep), Chronic Wasting Disease in Elk, and Mad Cow Disease (bovine spongiform encephalopathy). These diseases affect the structure of brain tissue and are both fatal and untreatable.
Now that parallels between computer and biological virus-worms are so obvious, let’s take a closer look at the computer virus-worm names and dates in association with world events that took place after the computer virus releases.
Elk Cloner Computer Virus / Chronic Wasting Disease in Elk
The 1982 computer Elk Cloner Virus preceeds the Elk biological Chronic Wasting Disease infection discovery by 2 years, which also spreads to infect deer:
In 1982, Elk Cloner was the first computer virus to be released "in the wild" outside of the (computer) lab.
Chronic Wasting Disease (CWD) affects deer and elk, causing damage to portions of the brain. The disease is fatal.
From 1984-1986, Chronic Wasting Disease (CWD) - caused by an unknown Prion - is first detected in free ranging Deer and Elk in contiguous portions of northeastern Colorado and southeastern Wyoming.
In 1997, CWD is found in South Dakota Elk. In 2001, CWD is found in free ranging deer in areas of Nebraska and also in two wild mule deer in Saskatchewan, Canada.
As of Oct. 11, 2002, a total of 32 Wisconsin white-tailed deer were tested positive for CWD.
Brain & SCA Computer Virus / Prion Infections in Humans & Animals
The 1986 computer Brain Virus emerged right before the SCA Virus. After that, numerous human and animal brain infections and diseases run rampant:
Creutzfeldt-Jakob disease (CJD): Occurs in people and typically strikes late in life. The fatal brain disorder causes a rapid, progressive dementia and associated neuromuscular disturbances. The disease affects both men and women of diverse ethnic backgrounds usually between the ages of 50 to 75 years. CJD has increased rapidly since 1987 to more than 50,000 known cases reported in 2000. Clusters of CJD have flared up in various areas of the United States: Pennsylvania in 1993, Florida in 1994, Oregon and Texas in 1996, and New York in 1999-2000.
Mad Cow Disease (BSE): Affects the brain and spinal cord of cattle. The disease is ultimately fatal for cattle within weeks to months of its onset. Like CWD, it is associated with Prions.
Variant-CJD: A newly recognized form of Creutzfeldt-Jakob disease scientists believe to be the human version of Mad Cow Disease. In contrast to typical cases of CJD, this variant form has affected mainly young patients, and has a relatively long duration of illness as compared to classical CJD.
Spinocerebellar Ataxia (SCA) is a brain disease in humans. In this genetic and sporadic disease, people lose their balance and coordination due to cerebral (brain) deterioration. Since 1987, there has been a sharp increase of the various sporadic (non-genetic) variants worldwide. The cause of the non-genetic SCA variants is not yet known.
Code Red - Sircam - Klez Worms / 911 and the Rubicon Conspiracy
In July 2001, the computer Code Red Worm was discovered. In August 2001, the made-for-television movie Code Red: The Rubicon Conspiracy is aired. On September 11, the World Trade Center towers are destroyed.
The Code Red Worm is classified as a ‘media virus’; a computer virus which catches the attention of the media, but is blown out of proportion as to its actual significance. This worm targeted the White House website.
Code Red: The Rubicon Conspiracy, a television movie by the UPN Network, is aired on August 9, 2001. In this movie, Lt. Peter Doyle is forced to come out of retirement to help a top secret US project which has gone very wrong.
Rubicon: A limit, when passed or exceeded, that results in an irrevocable commitment. The phrase ‘to cross the Rubicon’ signifies a decisive step by which one is committed to a hazardous enterprise from which there is no retreat.
The Rubicon River was the ancient boundary between Italy and Gaul; Caesar's crossing it with his army in 49 BC was an act of war.
The Sircam Worm: SIR CAM (acronyms) = Serious Incident Report Commercial Air Movement. This is a probable reference to the WTC 911 disaster purportedly caused by the two commercial airliners.
The Klez Worm: KL EZ (acronyms) = Karhunen-Loeve (transform) Empire Zone (New York), another probable reference to the World Trade Center.
SoBig - Slammer - Blaster / Terms of Military Engagement
On January 24, 2003, the (SQL) Slammer Worm caused widespread problems on the Internet. Also in early 2003, two major worms named the Sobig worm and the Blaster worm, along with their numerous variations, attacked millions of computers throughout the entire year culminating their combined computer destructive force in the summer.
The Slammer worm probably refers to shutting the door on Iraq with military force, while Sobig may refer to the largest conventional bomb in the U.S. Arsenal revealed in March 2003, called the Massive Ordnance Air Blast, which was nicknamed the Mother of All Bombs. Blaster may refer to the MOAB as well as “Bunker Buster” bombs which destroyed underground fortifications in Baghdad.
The MyDoom Worm / A Warning for 2004?
Since its recent appearance in late January 2004, the MyDoom Worm has multiplied faster than any previous virus or worm. Interestingly, the game Doom III takes place on Mars and is scheduled for release sometime during 2004. According to the game authors, one of the main goals of the Final Doom game is to terrify people (terrorism).
Is all this just a coincidence? The names, dates, and events just fit together too well. I feel that whoever is behind these computer viruses and worms has taken the time to warn us all of what is unfolding in the big picture. With that in mind, the current MyDoom scenario is unsettling, but expected.
I personally believe that a certain group, Faction 2, has taken great lengths to let us know what’s going on in advance. What we are all faced with now is the most important question of our time: What do we do about it?