Yes

A virus is not a virus because it's doing bad things per-se, but because of how it is installed / replicates to other systems. Any computer virus can be modified in such a way where the actions it performs is to block other viruses from being installed or modified on the system. In fact, a virus could be used to simply install anti-virus software on the computers it infects.

Another way the virus could achieve protection is by simply revoking root / administrator permissions from any other programs or users except itself, effectively stopping any further software from being installed on the system.

You could design a piece of software that works this way in PRINCIPLE, but in practice it would have some pretty significant limitations.

The primary problem is that antivirus software relies very heavily on being able to propagate defensive information on new threats and security flaws to the defended machines more rapidly than a threat can infect them. Most security flaws and viruses require some kind of social engineering component to get a human to do something, so that human rate of engagement can slow a virus' spread enough to allow time for the antivirus to analyse the new threat, develop a defense, and distribute it to all protected machines.

Therefore in order to provide a successful defense, your your antivirus-virus (henceforth referred to as AVV), needs to be able to communicate with all instances of itself wherever they are to share information. You can't rely on each instance of AVV learning just from what it's exposed to on that machine. You need EVERY instance of AVV sharing information, and that's a very tricky thing.

In order to successfully propagate, AVV needs to stay small. Huge pieces of code like a standard antivirus application are just too huge to infect machines successfully. This means your antivirus functionality can't rely on definitions per se, because that requires a massive database of known threats. Therefore each instance can't maintain its own local information storage either. Your database of learned behavior therefore needs to be distributed across all the instances of AVV throughout.

You ALSO need a way for the instances of AVV to be able to understand the differences in environments in the machines they've infected and understand which other instances are sharing those environments so they can preferentially share information. E.g. AVV that infects Apple devices has different threats to defend against than those on Android devices, or Windows 10 versus Windows 8, or servers in older powerplants running on NT 4.0 or something gothic like that.

On top of all that, AVV is ALSO going to need to be able to at least partially disable any actual antivirus software that's ALREADY on the machine it's infecting. Having two sets of code trying to protect the same machine at the same time causes LOTS of problems. You may never have had to deal with the fallout from someone trying to use Norton and McAfee at the same time on the same computer, but I have, and it's not pretty.

The real problem is this though: In order to do ANY of that stuff, AVV needs to use up a significant chunk of the processing power and bandwidth on every machine it's installed on. This is, by and large, exactly what ALL viruses do and so, from the point of view of the user, your AVV is going to be as much of a problem as many of the more malicious viruses it's defending against. Sure, AVV is using those CPU cycles and gigabits of bandwidth to stop threats instead of sending Russian porno spam everywhere, but the result on the infected machine is often the same.

Yes.

A worm (which is a type of virus) spreads by exploiting a vulnerability replicating itself, but if that worm is also patching that vulnerability as it goes along, it isn't technically malicious (it can still have deleterious effects though, such as tying up bandwidth, etc...).

For example, in Linux, there have been worms which self-replicate and patch the vulnerability they exploit, preventing more nefarious worms from acting on the vulnerability, which would make them a kind of "white-hat" virus.

What makes a program a "virus" or "antivirus" depends on what its ultimate impacts on a system are. A virus spreads and damages infrastructure, an antivirus prevents this. Under a strict definition though, a virus is technically any self-replicating program. It is thus possible to have a self-replicating antivirus which provides immunity to a specific exploit (as in the self-replicating patch-worm example).

The short answer is yes.

A virus can do whatever it is programmed to do. If you want it to install itself as an anti-virus you can absolutely do that. If you want it to attempt to "infect" other hosts to act as an anti-virus you can use the usual exploits.

But why though? if your Anti-Virus Virus is so good at its job that you want to black-hat it to everyone, why wouldn't you make it an open source download instead. Why would you intentionally trigger already installed anti-malware trying to protect them? What do you gain?

Overall, it is possible. I just fail to see it being worth it.

That has already happened.

The "2012 Internet Census" (known professionally as the Carna botnet) was a virus that infected ~400,000 consumer network hardware devices (like routers or modems) by using default passwords. The author of it eventually gained control over a meaningful percentage of devices in the world, and was able to see internet traffic patterns in realtime from billions of devices (at the time, only ~4 billion devices could be visible on the internet, due to technical limitations).

While doing this, the author says:

We noticed at this time that one of the machines already had an unknown binary in the /tmp directory that looked suspicious. A simple strings command used on that binary revealed contents like synflood, ackflood, etc., the usual abuse stuff one would find in malicious botnet binaries. We quickly discovered that this was a bot called Aidra, published only a few days before.

The Aidra botnet was a botnet created by an Italian hacker, who sold time on it for DDoS attacks (the kind of thing that takes down websites). Aidra is a classic case of a virus, in the sense that you're thinking. It infects devices, and uses them to do bad things.

The author of Carna goes on to say:

Since Aidra was clearly made for malicious actions and we could actually see their Internet scale deployment at that moment, we decided to let our bot [...do some technical things...]. This step was required to block Aidra from exploiting these machines for malicious activity.

Resulting in...

Within one day our binary was deployed to around one hundred thousand devices - enough for our research purposes. We believe Aidra gained a litte[sic] more than half of that amount. The weeks after our initial deployment we were able to build binaries for a few more platforms. We also probed telnet every 24 hours on every IP address. Since many devices restart every few days and needed to be reinstalled again, over time we gained machines that Aidra lost

This means, in a nutshell, that the author of the Carna botnet observed the malicious Aidra virus spreading, and decided to choke it out using his own botnet. A virus fighting a virus. Carna won, and Aidra had little impact on the world.

Yes it's already happened

See Welchia Virus

The Welchia virus downloads itself via the same vulnerability that the Blaster virus used. It then deleted the Blaster virus if found and then installed the patch closing the hole down before spreading to new systems and finally deleting itself.

An antivirus virus.

Real computer worms that close vulnerabilities

There are historical examples of self-spreading network viruses ("worms") that follow the pattern of:

1. exploit a particular vulnerability;


2. "fix" that vulnerability so that it's not exploitable anymore;


3. (optionally) remove other popular malware that uses the same vulnerability and it's likely to be there.

One example like this is Welchia which is considered to be mostly benign (though with "side effects") as it removed the Blaster worm which was popular at the time and installed Microsoft patches; there are also other examples of "anti-worms".

In addition, there are commercial botnet systems that are designed to close down vulnerabilities and clean up the system of other malware (presumably owned/controlled by competitors) so they do remove some bad things (and protect from future infections) so as to have full access to the system resources for their malware. If I recall correctly, some variants of Mirai were doing this, but it's certainly not unique or novel nor that unusual.

The Computer Science term "Virus" was so named because it acts similarly to computers as real virus act with biological life (virus are not technically a life form, but close in most respects). Specifically both viruses inject a host (coumputer/host cell) with a malicious code (binary code/DNA) that hijacks the the output (what ever the computer does/ Cell's DNA reading Ribosomes, usually to make more viruses and kill the cell).

How they are treated is different as biological viruses can be difficult to create a cure for as opposed to using preventative measures (the common cold and HIV are both virus, and finding a cure for both is equally elusive for the same reasons. Most virus you can get are one time deals and your white blood cells can learn to recongize them as viruses and stop them. The problem is that certain virus are prone to frequent mutation, with both the Common Cold and HIV being very prone to this. Cold symptoms are frequent, but that strain that gave it to you will never happen again. HIV not only mutates making targeting DNA with an anti-virus difficult, but they specifically target the white blood cells, which means the strain immunity can't be learned... cause you're dead."

Antivirus's denote a specific cure for virus instance that targets a specific DNA code and are like their computer virus. Antiviral agents are still used for more persistent viruses and are still very specific treatment for things like aids which your body can't learn to fight. Most lesser viruses are dealt with by viracides, which are agents that will target the virus before it can inject the DNA code (the point where stopping a virus is pointless) and but not affect the immune system's ability to handle them. Think of Viruses as the Facehugger from Alien... You can fight it before it hugs your face, but fighting it afterwards isn't gonna help the guy who got hugged get healthier.

Computer Anti-viruses are like Antibiotics, which fight bacterial disease, not viral diseas. In this case, the bacteria is always harmful but if you get your innoculation/patch before you are infected, your body can train to handle the infection. A bacterial infection might come later, but the immune system can identify it. In a computer anti-virus, the software is looking for a specific code sequence in a place where the virus will affect the computer (usually in the executable code and in memory storage) and will be able to identify, and target for deletion any file that matches specific code. But that's only gonna catch viruses that it's been patched. You might be able to patch after infection, but the goal is to stop it getting to that point... and some infections target the kernel (the very important bits of software that make any OS function so it's like the brain or heart of your computer code... messing with it is gonna result in death more often then not) so you really want to prevent.

I'm not entirely sure about the specific coining, but given that biological anti-viruses became more important after the AIDS epidemic, which is around the time computer viruses started to appear, it's kind of a chicken and egg as to which came first, though a biological anti-virus was first used in the 1960s, I'm not sure if it was called that as such. Biological Anti-virus are still harder to develop for treatment then computer counterparts and are tailored to one specific virus and in some cases one strain of a virus. Software can and is frequently patched and can contain a large library of various unrelated viruses to look out for (viracide in biological sense).

Given the nature of how a computer virus works, it's hard to develop a learning anti-virus software because by it's very nature, that is a string of code and can be accessed by a virus written by someone who knows how that code works, effectively having a digital HIV. This is difficult with present antivirus software because it's already taught that the code is bad and to stop it, while a learning antivirus would not initially see it as an infection... and couldn't until it was already too sick to fight.

Even in video games where the system seems like it's adapting to the player's input, it's still not learning. Most games like this "cheat" by having the options available and weighted based on likelyhood of use and by the player and how to generate a counter. One infamous "learning" game is Pokemon, specifically the "Batter Tower" style endgame which will generate a series of teams to battle. As the player moves on the in the sequence, the computer is able to weight it's moves and choose a conbinations from the library that will best counter the move's viability... but it's also relying on the player being locked into the same combinations while it is not (usually three Pokemon with four moves per Pokemon, with at least one of those Pokemon revealed on the first turn). The trick is to hold off swapping your Pokemon out for as long as possible and even then, holding off on as many of each moves you can get. The best case scenario is that if you reveal one new Pokemon and one new move in each battle, it will take the computer 12 battles to know your team's capability... and since the nature of the game means you do have to switch and use multiple attacks could mean the computer is starting to build counter teams... And if you last longer, it's just going for the most broken combos that will give any team a rough day... and then illegal combos (either you can't use that Pokemon as a condition of the Battle Tower rules OR you can, but that Pokemon cannot naturally learn that move (or at least at this point) or the stats are always top tier for that pokemon (the 99 percentile Ratatta). It's not smart, it's just records and cheats by changing the team you can face while you can't. The civilizatiion series long ago openly admited that the difficulty settings adjust the innate benefits and penalties of the player vs. the computer, with players getting more benefits at easier settings over computer penalties settings with those diminishing towards zero as the medium difficulty is approached and reversing as the higher difficulty approaches. And they aren't alone, as "easy" mode will always give natural pluses to player stats. Hard is only hard because the computer has better numbers while you have, at best, no penalties and the computer is only playing better because it's getting the benefits of these stats, not because it's targeting you differently. It's targeting you the same as if the easy mode was on... but now your numbers suck and it's are better.).

Even if you aren't familiar with these games, one of the most popular card games in the world, Blackjack, can use a weighted system to gage the weight of your hand vs. the dealer. Since most games are multi-player vs. dealer (you win by beating the dealer's hand irrespective of your hand vs. another non-dealer player). While many casinos will draw from a deck that is four to 8 standard 52 card decks to discourage card counting, but optimal play does not matter to the deck size but the hand. You could have a deck of one million standard decks and the strategy will still work. Optimal play relies on knowing the hard value of your hand (the total of all cards in your hand, (aces high, all suits are 10) the soft value of your hand (Aces low) and the face up value of the dealer's cards. There may be a few other rules (splitting, doubling down, and surrender options) depending on the rules of the game, but the optimal strategy can be boiled down to three tables that can fit onto a standard 8x11 inch sheet of paper, and can be further reduced to memory, especially if you remember that about one third of all cards in play, regardless of total number of decks, will be worth 10 points (10, Jack, Queen, King). Because Ace can be worth one or 11 to the player's advantage it is impossible to get over 21 points and under 3 points in the opening hand, but the closer you are, the the advantage will change. This method is an optimal loss amount you will likely win with most, but not all, hands if played in this manner. This is sub-optimal for the house because they lose more (and since money bets are involved, they usually make the least possible amount of money off of you. Casinos in most jurisdictions do have to pay out a certain percentage of of what a game takes in (but not to the same person. Slot machines can be programmed to specifically pay out 80% of the cash taken in, but you might run out of cash before it pays out. With the money they stand to make, Casinos can afford to higher some pretty brainy math nerds to ensure their games are optimal to player loss, or as they say in Vegas "The House always wins".). Like the Pokemon example, it isn't learning or rigged against you, it just has the advantages that will see lose money over extended play. Computers cannot learn (as of what we have in near future) and the computation power of a human brain is by and away more capable of adaptive responses then even super-computers. Computers will use other tricks though, including speed and better memory recall to seem like they learn, but they still are prone to error (read about Watson, who one Jeopardy by a combination of faster then human buzzer pressing and access to the web... he still famously gave some pretty wrong answers but it was because he wasn't parsing idioms. Specifically the question of "Its largest airport was named for a World War II hero; its second largest, for a World War II battle" and a category of "U.S. Cities" was a difficult parsing for Watson who gave the answer "What is Toronto?" The answer was deemed correct because there are several cities with the name Toronto, U.S. but the one with the airports named for a war hero and battle from world war II is Toronto, Canada, which the two humans were quickly able to elimiate because they eliminated Toronto Canada as not falling in the U.S. Watson had some issues with that (The likely reason is that the United States of America is a nation on the continent of North America both of which use the denonym of "American" to describe things in those geographies in English (this is very much disliked in Latin America, as they are Americans too... even in South America) the city of Toronto, Canada is an American City with an American League Baseball team and two airports that also have these specific conditions. Watson was likely confused by U.S. English Denonym being identical to the denonym of two contintnets on which the U.S.A is also an American nation. A human might be confused by this, but understands the confusion is related to the word holding two distinct meanings that can only be discerned by context ("Texas and Canada are American States but Canada is not an American State" and be factually true because both instances of "American states" are not identical. Both are American States (as in sovereign states on the continent of North America) but Canada is not a United States of America (Texas was an independent sovereign state at one point in history... but at that point, Canada was still British colonial territory and not a state.). The statement is true, but is written to look logically false without knowing the context is shifting.