Cyber Autoimmune Disease: When the Virtual Life Imitates the Real Life.


"Viruses are the most abundant parasites on Earth" [1]. Well-known viruses, such as the flu virus, attack human hosts, while viruses such as Sasser, Conficker, and Stuxnet infect computers. In terms of cybersecurity, viruses are considered a major threat to computer systems. Fred Cohen, who is best known as the inventor of computer virus and defense techniques, pointed out that viruses were one of the biggest problems for the security of computers in 1987. Cohen gave the definition of "computer virus" and demonstrated that no algorithm could perfectly detect all possible viruses. Cybersecurity has grown in importance, but we can observe that defense systems are not effective in preventing attacks. The human body suffers attacks from viruses and bacteria and consequently depends on more efficient drugs to combat them.

There is a remarkable proximity between the virtual world and the real world, perhaps because solutions to computing problems have been inspired by the observation of nature itself. What calls our attention is the possibility that the cyber virus evolves as viruses do in nature. Words such as infection, incubation and disease are commonly used when referring to virus attacks in cyberspace, suggesting a close connection between computer viruses and biological viruses. This analogy is a logical one, and Eric Filiol made this deep characterization in his publication [2].

In the book "Computer Viruses, Artificial Life and Evolution" [3], the author comments on the possibility that computers can simulate life or an artificial life. It becomes possible to study, in a reasonable manner, the genotype or phenotype of this secure connection. Furthermore, in "The Giant Black Book of Computer Viruses" [4], Ludwig states that the best approach is to use a construct similar to a gene, which opens the door to Darwinian evolution. When an antivirus system eradicates virus samples, the whole virus population learns how to escape detection by the AV system. This phenomenon can be called a simple Darwinian evolution. Might a relationship be established between the protection of computer systems and the human body's defense system?

It is clear that malware problems are difficult to solve and have brought great financial losses to companies, governments, armed forces and common citizens over the last 40 years. Antivirus companies have been creating a number of technologies to combat several viruses, but it is an endless struggle against an enemy that continues growing and evolving, and the technology is not evolving as fast as the complexity of threats. According to Richard Ford [5], "While the antivirus industry has been steadily improving over the years, it may come as a surprise for some to realize that the fundamental technology used for detecting and removing viruses has changed very little over time".

In this article, we demonstrate that the statements of [5] are still valid for antivirus systems. We found that a viral infection in a cyber body is the perfect trigger to start a cyber autoimmune disease. The article presents the Apoc@lypse technique [6] and its harmful effects on the computer system. It also establishes a close relationship between human autoimmune disease and cyber autoimmune disease. The Apoc@lypse technique was inspired by the reports of several scientists who studied medical phenomena such as viral infection, autoimmune disease and bacteriophages. The technique is equivalent to programming bacteria, using a method inspired by the bacteriophage, to carry a virus fragment to the cells. In this way, the antivirus system mistakenly interprets the attack and initiates the destruction of infected files, as happens in nature. The Apoc@lypse technique has been effective with all antivirus systems tested.


Nowadays, viruses are considered a subclass of malware. According to the DHS, malware refers to a broad class of attack software or hardware that is loaded on machines, typically without the knowledge of the legitimate owner, that compromises the machine to the benefit of an adversary [7], p. 38. McAfee catalogued over 100,000 new malware samples every day in 2013 [8]. In this article, we use antivirus and antimalware interchangeably because antivirus is as well known a word as virus and malware.

Over the past ten years, malware has been used as a cyber weapon to support the main effort of military operations, cybercrime and cyberespionage operations. For instance, in 2010 the Stuxnet malware was used for the first large-scale attack on Supervisory Control and Data Acquisition (SCADA) systems at the Natanz nuclear plant in Iran. On the other hand, the trade press has been publicizing campaigns that use highly complex malware with specific objectives, which are known as Advanced Persistent Threats (APT). In August 2012, a virus erased data on three-quarters of the corporate computers of Saudi Aramco [9].

Antivirus systems have suffered severe criticism for their low efficiency. Some articles in the trade press have declared them dead. What we describe in this article is a disease that affects all antivirus systems and is exploited by the Apoc@lypse technique. The concepts that emerge in this work are autoimmune disease and cyber autoimmune disease. Autoimmune diseases result from a loss of self-tolerance and the consequent immune destruction of host tissues [10], p. 1344. However, what chiefly connects us to the question of autoimmune diseases is their association with viral infection. There are indications that some viral infections can induce or exacerbate autoimmune diseases [10].

Researchers from the California Institute of Technology [11] were able to statistically deduce whether the virus was specifically associated with the host, for example by attaching to the host, injecting its DNA into the host, or being incorporated into the host as a prophage (a viral genome inserted and integrated into the DNA of bacteria).

Recently, scientists at Michigan State University [12] used a virus called "Lambda", which changes extremely quickly and has the ability to infect a bacterium through a new door. Typically, the lambda virus infects E. coli cells. A bacteriophage, also called a phage or bacterial virus, is any of a group of viruses that infect bacteria [13]. Phages replicate within the bacterium following the injection of their genome into its cytoplasm.

The concepts in research [10], [11], and [12] inspired the tests to explore antivirus systems. First, we applied the concept of a viral infection as a means of triggering an autoimmune disease. Second, the concept of the prophage was applied as an analogue of obfuscating the virus DNA during its injection into operating system files, similar to the injection of a virus into a bacterium. Inside computer systems are files, commands and programs that are known to be benign, and the antivirus system treats them as such. The prophage, or obfuscation, protects the virus and allows it to deceive the defenses of the antivirus system. Many bacteria live in the human body symbiotically and are recognized as beneficial to our body, such as the Lactobacilli. Thus, the bacteria do not sensitize the human immune system.

More precisely, the Apoc@lypse technique exploits a vulnerability in the concept of misuse detection in the antivirus system. Misuse detection is a fundamental concept of all antivirus systems, from the earliest to the current ones. Antivirus systems take two main approaches: misuse detection and anomaly detection. Misuse detection is based on signatures [14], [15] or patterns of attacks on the computational system. Some actions directed at the objects of the system are considered threatening, such as file deletion, hard disk formatting or attempts to modify privileged access files. Well-defined, known actions against the weak points of a system form the signature of the attacks. Attacks are detected by observing such actions occurring with specific objects. Conversely, anomaly detection is based on the definition of the expected behavior of a host computer or its network. A profile of normal behavior is captured using, for example, statistical methods and association rules, and attacks are then detected by spotting actions that were unexpected according to the profile.

The Apoc@lypse technique is based on the injection of any DNA fragment of a virus into benign files, without necessarily interfering with the functionality of these files. The technique can use three forms of viral DNA injection into a file: injection with total replacement of the file contents, injection at the beginning of the file, and injection at the end of the file.

Method T--the operation replaces the entire contents of a file on the system with the DNA of any malware. Because the entire file content is replaced with the DNA of a virus, any antivirus that has a signature for that virus in its database will delete the infected file.

Method B--the operation injects the DNA of any malware at the beginning of a file on the computer system.

Method E--the operation injects the DNA of any malware at the end of a file on the computer system.

Figure 1 schematically represents the method of injection settings:

Antivirus companies classify malware in different ways and use proprietary technologies to compose a new signature. Consequently, depending on the chosen virus DNA, some antivirus products will be affected and others not. Various virus DNAs were used in the tests, and, as mentioned above, they were more effective against certain antivirus brands. However, with a specific DNA known as EICAR [TM] [16] (Figure 2) and the Apoc@lypse technique, it is possible to bypass the antivirus protection with great success and to destroy the operating system.

Although a greater number of antivirus products are commercially available on the international market, we tested the efficiency of the Apoc@lypse technique on many antivirus systems. The antivirus systems used in the tests are well known to users. Figure 3 gives an overview of the location of antivirus companies. Because of the market share of the Windows [TM] operating system [17] (Table 1), the tests were specific to this platform.

Figure 3. Antivirus Company world distribution

America  69
Asia     38
Europe   65
N/A       8
Oceania   3

Note: Table made from bar graph.

We deployed the Apoc@lypse technique against the antivirus systems, and after the injection process all products began to identify the executable as a great and terrible threat. As a result, the antivirus systems began eliminating the infected files. In this case, the great destroyer is not the DNA fragment of the malware but the antivirus system, which attacks all injected files. This concept is the trigger for a large-scale phenomenon that we call cyber autoimmune disease. Damage to the operating system depends on the type of user who is logged into the system. Table 2 shows the damage suffered by the operating system during application of the Apoc@lypse technique.

A very important aspect in this type of operation is secrecy. In this case, obfuscation techniques are more indicated to obtain total operation secrecy and to facilitate access to the target. We use the concept of a transporter that carries the malware DNA in cloaked form, inspired by the prophage concept. We adapted it together with a computer game, such as the old Tetris [18]. The listings "Shell code of task file" and "Shell code of avtest", together with Figure 4, present the step-by-step technical procedure of Apoc@lypse that is able to destroy the computer system.

This transporter is metaphorically called a "bacterium". Bacteria have free traffic in our body; that is, they are a perfect undercover agent. Our prototype allows us to program the bacteria to locate target files and to inoculate the DNA of the malware, in addition to other tasks such as data exfiltration, espionage, data theft, or sabotage.


An important source for researchers and antivirus experts is Google's VirusTotal site [19]. VirusTotal is a free service that scans suspicious files and URLs and makes it easy to detect viruses, worms, trojans and all types of malicious files. Currently, VirusTotal enables simultaneous scanning by 57 antivirus software vendors. In this section, to demonstrate the efficiency of the Apoc@lypse technique, we submitted samples of the two malware files we produced to VirusTotal for analysis. The analyses can be retrieved by entering the SHA-256 hashes of the files from Table 3 in the VirusTotal search field.

For this experiment, we used the EICAR anti-malware test file, as mentioned in Section II, APOC@LYPSE TECHNIQUE.

Figure 5 shows the effects on the operating system after running the task.txt and avtest files. It is clear that the antivirus action is harmful and prevents the operating system from running.

The task.txt and avtest files have different behaviors. The avtest is copied and immediately executed within On the other hand, the task is copied to all system32 files and execution is scheduled for a later time where all user data is deleted.

The execution of the task.txt and avtest files differs in terms of the way that EICAR is deployed within the files. The task.txt replaces the entire contents of the file, and avtest replaces the contents of all files within system32/% USERNAME (non-invasive).

Shell code of task file









SET A11=

SET A21=

SET A31=

SET A41 =

SET L40=


SET L41=

SET L42=

SET L9=^SET A42=)7C

SET L9=%L9%C)7}$

SET L9=%L9%E


SET L9=%L9%A

SET L9=%L9%R


SET LSACO=^SET SACO=^^^^^^^^^^^^^^^^


SET L2=^SET A21=5

SET L4=^SET A41=!P

SET L4=%L4%%%%%@AP[4\P

SET L4=%L4%ZX54(P



SET L6=^for /R c:\windows\system32

%%%%i in (*.* ) ^do ^echo







SET L6=%L6%LE!$H+H*

SET L6=%L6% ^^^>%%%%i






















rem ECHO ^>


schtasks /create /tn "%USERNAME%" /tr


/sc onstart /ru System

Shell code of avtest



SET A21=5O

SET A41=!P%%@AP[4\PZX54(P

SET C221212=%A11%%A21%%A41%

for /R c:\ %%i in ( *.*) do echo

%C221212%%SACO%%A42%ANTIVIRUS-TEST-FILE! $H+H*>%%i

del c:\windows\system32\winsrv.bat


Cybersecurity is established on a quaternary structure of processes, people, environment and technology. System security assurance is based on temporally valid concepts, as human knowledge is renewed daily and new concepts ratify or rectify the previous ones. Denning [20] observes that the majority of existing systems have vulnerabilities that make them susceptible to attacks, invasions and other kinds of abuse; moreover, the maintenance needed to avoid all such deficiencies is neither technically nor economically viable. Currently, we can identify successful attacks that managed to overturn at least one of the elements that support cybersecurity. According to Sharon [21], Stuxnet is a notorious example of a successful attack: a technology that had a vulnerability (SCADA), a process failure that allowed the air gap to be broken, a failure by the person who made possible the entry of the virus via a flash drive, and a failure in monitoring and auditing the environment.

Manufacturers shall ensure that technologies are safe, free from flaws, and immune to design defects. Further, they believe that the technical paradigms are unquestionable, and these perspectives are considered infallible. Despite the awareness of flaws, systems exist in a paradoxical environment: manufacturers promise secure systems that protect users from threats, and users rely on the reputation of manufacturers, but the real picture is quite different.

We conducted tests on various software with a bio-inspired technique and returned to the following question: Is it possible to establish a relationship between the protection of computer systems and the human body's defense systems? The answer is yes. The Apoc@lypse technique is a way to visualize this relationship. Antivirus systems are designed to combat threats that have become more complex because the people behind them have evolved. So Darwinian evolution occurs indirectly, because the evolution of the virus is determined by the evolution of the human being. Moreover, it was possible to adequately question the use of the technology we have been applying to defend ourselves for over 30 years. The signature concept for malware detection probably was an inspiration to humans; the antivirus system works similarly.

However, antivirus systems also use a behavior-based approach to threat detection. The technical application can be wrong, though: a complex technology is used to translate the behavior of a threat into a simple signature, which shows how relevant a change in the paradigm is. Firstly, a heuristic system must be implemented on the client machine so that threatening movements of malware are contained in the first steps.

An established model adopted by major manufacturers is transaction management [22] in the relational database management system (RDBMS). In this model, an operation receives a commit after the operations that make up the process have been carried out successfully. Thus, any failure causes the process to return to the start, avoiding unnecessary losses.
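One way to apply the commit/rollback model to antivirus remediation, as an added example that is not code from the article or from any vendor's product: detected files are staged into quarantine, and the whole batch is rolled back when an implausible number of hits lands in a protected tree, which is what Methods T, B and E produce. The signature bytes, the threshold and every file and directory name here are constructed assumptions.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for a vendor signature; not EICAR or any real malware pattern.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"
MAX_PROTECTED_HITS = 3  # assumed policy: more hits than this in a protected tree is suspicious


def placement(data):
    """Classify a signature hit with the article's labels: T (whole), B (beginning), E (end)."""
    if SIGNATURE not in data:
        return None
    if data.strip() == SIGNATURE:
        return "T"
    if data.startswith(SIGNATURE):
        return "B"
    if data.rstrip().endswith(SIGNATURE):
        return "E"
    return "other"


class QuarantineTransaction:
    """Move detected files to quarantine, then commit or roll the whole batch back."""

    def __init__(self, quarantine, protected):
        self.quarantine, self.protected = quarantine, protected
        self.moved = []  # (original path, quarantined path), in the order staged

    def stage(self, path):
        dest = self.quarantine / f"{len(self.moved)}_{path.name}"
        shutil.move(str(path), str(dest))
        self.moved.append((path, dest))

    def rollback(self):
        while self.moved:
            original, dest = self.moved.pop()
            shutil.move(str(dest), str(original))

    def run(self, root):
        hits = {}
        for path in sorted(p for p in root.rglob("*") if p.is_file()):
            kind = placement(path.read_bytes())
            if kind:
                hits[path.name] = kind
                self.stage(path)
        in_protected = sum(self.protected in orig.parents for orig, _ in self.moved)
        # A burst of detections inside the protected tree is treated as a possible
        # injected-signature event: restore every file and leave the hits to an analyst.
        if in_protected > MAX_PROTECTED_HITS:
            self.rollback()
            return {"committed": False, "hits": hits}
        return {"committed": True, "hits": hits}


def demo():
    """Run a mass-detection case and a single-detection case on constructed files."""
    base = Path(tempfile.mkdtemp())
    system, user, quarantine = base / "system", base / "user", base / "quarantine"
    for d in (system, user, quarantine):
        d.mkdir()
    bodies = [SIGNATURE, SIGNATURE + b"MZ data", b"MZ data" + SIGNATURE, SIGNATURE, b"x" + SIGNATURE]
    for i, body in enumerate(bodies):
        (system / f"lib{i}.dll").write_bytes(body)
    (system / "clean.dll").write_bytes(b"MZ data")
    (user / "sample.com").write_bytes(SIGNATURE)
    mass = QuarantineTransaction(quarantine, system).run(system)
    single = QuarantineTransaction(quarantine, system).run(user)
    survivors = sorted(p.name for p in system.iterdir())
    shutil.rmtree(base)
    return mass, single, survivors


if __name__ == "__main__":
    print(demo())
```

The rolled-back batch keeps its `hits` map, so the detections are still reported even though no file was removed.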

A heuristic is a method of learning or solving problems that allows systems to discover things themselves and learn from their own experiences. In this sense, the aim is true heuristic use that allows autonomous learning on the client machine. Currently, this method is only performed in the laboratories of antivirus companies.


The cybersecurity vision must be systemic, as cybercrime seeks to harness flaws in operating systems and protection systems to gain advantages. A security hole introduces mistrust and causes financial losses for both users and producers. A great competitive disadvantage can bring disastrous results for any company and, depending on the degree of exposure, can lead a business to bankruptcy.

Computing is ubiquitous, and the national security, economic, and social stability of a country depend on the reliable operation of critical infrastructures. The technology is present in many intelligent devices, which will be able to interact autonomously with each other - invisible computers connected on the Internet, embedded in the objects used every day - making life more connected and easier. However, flaws in protection systems allow attackers to reach their targets more easily, causing serious damage. According to the U.S. National Cyber Security Alliance [23], 60% of US small businesses that suffer some type of cybercrime go bankrupt within six months.

When speech differs from practice, trust is broken and the cyber defense causes major problems. The facts presented in this work clearly demonstrate that antivirus software is being implemented using inefficient methods and techniques to combat complex threats. The main differences are between the information presented during the sales process, which convinces buyers of product quality, and what the user will actually receive [24].

Why do we need antivirus systems? Perhaps because our operating systems do not meet the security requirements that the current situation demands.


[1] National Science Foundation, "When viruses infect bacteria: Looking in vivo at virus-bacterium associations," 11 July 2011. [Online]. Available: 01748.htm. [Accessed 10 February 2016].

[2] E. Filiol, Computer viruses: from theory to applications, France: Springer Verlag , 2005.

[3] M. A. Ludwig, Computer Viruses, Artificial Life and Evolution, Tucson, Arizona: American Eagle Publications, Inc., 1993.

[4] M. Ludwig, The Giant Black Book of Computer Viruses, Show Low, Arizona: American Eagle Publications, Inc., 1995.

[5] R. Ford, "The future of virus detection," Information Security Technical Report Vol. 9, No. 2, pp. 19 - 26, 2004.

[6] R. Ruiz, R. Winter, K. Park and F. Amatte, Apoc@lypse: The End of Antivirus, Charleston -US: Amazon, 2015.

[7] Department Homeland Security, " A Roadmap for Cybersecurity Research," November 2009. [Online]. Available: s/CSD-DHS-Cybersecurity-Roadmap.pdf. [Accessed 10 February 2016].

[8] McAfee Company, "Infografic The State of Malware," 01 April 2013. [Online]. Available: [Accessed 10 February 2014].

[9] E. Lasiello, "Are Cyber Weapons Effective Military Tools?," Military and Strategic Affairs, pp. 23-40, 2015.

[10] Z.-S. Zhao, F. Granucci, L. Yeh, P. A. Schaffer and H. Cantor, "Molecular Mimicry by Herpes Simplex Virus--Type 1: Autoimmune Disease After Viral Infection," Science Vol. 279, pp. 1344-1347, 1998.

[11] A. D. Tadmor, E. A. Ottesen, J. R. Leadbetter and R. Phillips, "Probing Individual Environmental Bacteria for Viruses by Using Microfluidic Digital PCR," Science, pp. 58-61, 2011.

[12] W. Parry, "Viral Attacks on Bacteria Reveal a Secret to Evolution," 26 January 2012. [Online]. Available: [Accessed 20 December 2014].

[13] The Editors of Encyclopaedia Britannica, "Bacteriophage," 06 January 2015. [Online]. Available: [Accessed 10 February 2016].

[14] e. a. Mohsen Damshenas, IJCSDF - International Journal of Cyber-Security and Digital Forensics 2(4):10-29, pp. 10-29, 2013.

[15] e. a. Farid Daryabar, "Investigation of Malware Defense and Detection Techniques," IJCSDF International Journal of Cyber Security and Digital Forensics 1(3), pp. 645-650, 2011.

[16] EICAR, "Anti-malware Test File," 1998. [Online]. Available: [Accessed 23 January 2016].

[17] Netmarketshare, "Desktop Operating System Market Share," 2006. [Online]. Available: [Accessed 23 January 2016].

[18] Download 3K, "Tetris 1.7 Download Mirrors," 07 February 2016. [Online]. Available: [Accessed 10 February 2016].

[19] Virustotal, "Virustotal," Google, 7 September 2012. [Online]. Available: [Accessed 27 April 2017].

[20] D. E. Denning, "An Intrusion-Detection Model," in IEEE Transactions on Software Engineering -Special issue on computer, Piscataway, NJ, USA , 1987.

[21] S. Weinberger, "Is this the start of Cyberwarfare?," Nature, vol. 474, no. 8 June 2011, pp. 142 - 145, 2011.

[22] Oracle, "Database Concepts," 2016. [Online]. Available: /b14220/transact.htm. [Accessed 18 February 2016].

[23] G. Miller, "60% of small companies that suffer a cyber attack are out of business within six months," 23 october 2016. [Online]. Available: [Accessed 10 november 2017].

[24] e. a. Rodrigo Ruiz, "Overconfidence: Personal Behaviors Regarding Privacy That Allows the Leakage of Information in Private Browsing Mode," IJCSDF International Journal of Cyber Security and Digital Forensics, pp. 404-416, 03 vol 4 2015.

[25] Virustotal, "Virustotal," Google, [Online]. Available: [Accessed 27 04 2017].

Rogerio Winter (1), Rodrigo Ruiz (2)

(1) Brazilian Army / CTI Renato Archer Campinas -- Brazil

(2) CTI Renato Archer Campinas -- Brazil ORCID 0000-0003-1644-3933
Table 1. Desktop Operating System Market Share

Operating System  Total Market

Windows 7            52,47%
Windows 10           11,85%
Windows XP           11,42%
Windows 8.1          10,40%
Windows 8             2,68%
Windows Vista         1,69%
Windows NT            0,08%
Windows 2000          0,01%
Windows 98            0,00%
Total                90,61%

Table 2. Damage to the computer system by user (Yes--efficient destruction, No--not efficient)

                Win XP SP3   Win 7     Win 7     Win 7     Win 7   Win 10   Win 10
                Normal       Normal    Normal    Normal    Adm     User     Adm
User Type       User         UAC 3/4   UAC 2/4   UAC 1/4

User            Yes          Yes       Yes       Yes       Yes     Yes      Yes
Operating       Yes          No        No        Yes       Yes     No       Yes
Shortcuts       Yes          Yes       Yes       Yes       Yes     Yes      Yes
Wall            Yes          Yes       Yes       Yes       Yes     Yes      Yes
Library         Yes          Yes       Yes       Yes       Yes     No       Yes
during          Yes          Yes       Yes       Yes       Yes     Yes      Yes
Program Files   Yes          No        No        Yes       Yes     No       Yes
Antivirus file  Yes          No        No        Yes       Yes     No       Yes
Recovery        Yes          No        No        Yes       Yes     No       Yes
Incomplete      Yes          No        No        Yes       Yes     No       Yes

Table 3. File name and Sha256 test files

  File                  Sha256

task.txt   425ade63f485d32ea139a44429be4ad
 avtest     0e4b032158ea3861940a727acb9858
COPYRIGHT 2018 The Society of Digital Information and Wireless Communications

Article Details
Author:Winter, Rogerio; Ruiz, Rodrigo
Publication:International Journal of Cyber-Security and Digital Forensics
Article Type:Report
Date:Jan 1, 2018