Though by night I fight malware alongside the rest of the Malwarebytes research team, by day I work as a doctoral student in Immunobiology at Yale University, where I study the development of the immune system in your bone marrow. This grants me a unique perspective, as I’ve studied both the evolution of malware over the past decade, and the evolution of the microscopic organisms that make us sick.
“Computer virus” has become the catch-all term that people use to describe all types of malicious software—Trojans, ransomware, adware—you name it. When grandma asks for help with her computer, the phrase “I think there’s a virus” likely rings familiar. A similar pattern also emerges when people describe biological infections; we often begrudgingly conclude, “I caught a virus,” as we lay painstakingly on the couch waiting for the fever to break.
Studying these two similarly-named phenomena in parallel had led me to the inevitable question: Are these two types of infections so different? Are there parallels we can draw and learn from between computer security and the human immune system?
Computer viruses vs. biological viruses
I often like to compare digital polymorphic file-infector viruses (such as Virut and Sality, both commonly found throughout the past decade) and biological retroviruses such as HIV. File-infector viruses add malicious data to your computer’s files. We unknowingly spread the viral code to other files by launching our favorite programs and sharing infected files with others.
HIV works in an astonishingly similar way. When humans contract HIV, the virus infects a type of cell in the immune system called a T cell. Not only is it an evolutionary snub that our own immune systems get hijacked by this virus, resulting in AIDS, but the virus literally becomes part of us, inserting its viral code into our own DNA. Even if the virus is destroyed with treatments such as HAART, the treatment is not permanent, since infected cells will produce new copies of the virus. This is why HIV patients must continue to receive treatment for their entire lives—humans do not have the luxury of being able to Format C:.
How to clean up/treat the virus
In the case of a computer virus, or malware, one of the easiest ways to treat an infection is to run a scan with a remediation product (like Malwarebytes). When Malwarebytes does a scan, it takes an incredibly close look at every single file. Is it digitally signed by a known malware author or trying to spoof a digital signature from Google? Does it contain references to known malware websites, perhaps a botnet command and control server? When it finds these indicators, it quarantines the malicious files and prevents them from causing any further damage to your computer.
When we catch a biological virus, our bodies do a similar type of interrogation, trying to find pieces of microbes that look out of place.
We have two major branches of the immune system: first, the innate immune system is far older in evolutionary terms. It acts very quickly to mount broad anti-microbial responses. We have sentinel cells that constantly survey all points of entry, from your respiratory tract to your gut. We have evolved methods of quickly detecting and eliminating various bacteria.
The second branch, the adaptive immune system, evolved more recently (roughly 450 million years ago) and is much slower to act. Yet, it can respond to a nearly unlimited number of specific threats, and perhaps most importantly, it remembers what it has targeted in the past. This memory is why we generally do not get chickenpox multiple times, and how vaccines protect us for decades on end.
The best parallel to this second type of immunity in computer security software is found in newer technologies that utilize machine-learning algorithms to recognize malware based on file-structure or behavioral peculiarities. These technologies constantly improve upon themselves, just as evolution has improved upon previous iterations of organisms since the genesis of life itself.
Protecting against malware and the flu
Fighting malware and fighting off real-life infections share the same quintessential goal: how can one distinguish the harmless from the harmful? Put another way, both our software-based and biological-based defenses must be able to tell the difference between themselves (e.g., Windows system files, your own brain cells) and things that are foreign (e.g., Trojan files, influenza virus). Failure in this process results in false positives.
Software false positives, or identifying something as malicious that is not, can have varying results, from mildly annoying (reinstalling software) to terminal (corrupting Windows itself). Similarly, false positives in our own bodies, when our immune systems erroneously attack themselves, can result in debilitating allergic responses and even autoimmune diseases such as multiple sclerosis or Type 1 diabetes.
Doctors often recite Benjamin Franklin’s quote “an ounce of prevention is worth a pound of cure.” This adage holds true for our computers and ourselves. The damage that viruses wreak on people can be irrecoverable. President Franklin Roosevelt became paralyzed due to poliovirus infection. But the development of potent polio vaccines by Jonas Salk and Albert Sabin compounded with efforts by the Bill and Melinda Gates Foundation half a century later have resulted in the near global eradication of poliovirus.
For our computers’ safety, a similar level of protection is essential, as many of the aforementioned types of malware cause irreparable damage to operating systems, resulting in reformatting the hard drive to fully remove all traces of the infection. Instead we suggest another approach: layers of technology aimed at stopping various types of malware in various stages of attack.
Just as you would use different strategies to promote your own health and prevent disease—from eating healthy to getting active to taking medications to regulate various conditions—using layers of technology increases your chances of preventing damaging infection or theft of sensitive data. From blocking the execution of malicious software, to blocking the mechanisms by which malicious code can exploit vulnerabilities in outdated software, to anticipating the mechanisms that ransomware authors use to seize control of your computer, a layered approach to protection will always be the best method to keep your computer safe.
Thus, the methods that programs such as Malwarebytes for Windows utilize to protect your computer from malicious threats bear a striking resemblance to the mechanisms that have evolved to protect our bodies from bacterial and viral infections. Similarly, the malicious programs that criminal syndicates employ to steal money and identities from unsuspecting people are themselves similar in scope and cowardice to the infection methods that microorganisms have evolved to utilize.
There is much we could learn from how our immune systems work in order to conceptually and practically advance how we protect our computers from the threats of tomorrow.