That has already happened.

The "2012 Internet Census" (known professionally as the Carna botnet) was a virus that infected ~400,000 consumer network hardware devices (like routers or modems) by using default passwords. The author of it eventually gained control over a meaningful percentage of devices in the world, and was able to see internet traffic patterns in realtime from billions of devices (at the time, only ~4 billion devices could be visible on the internet, due to technical limitations).

While doing this, the author says:

We noticed at this time that one of the machines already had an unknown binary in the /tmp directory that looked suspicious. A simple strings command used on that binary revealed contents like synflood, ackflood, etc., the usual abuse stuff one would find in malicious botnet binaries. We quickly discovered that this was a bot called Aidra, published only a few days before.

The Aidra botnet was a botnet created by an Italian hacker, who sold time on it for DDoS attacks (the kind of thing that takes down websites). Aidra is a classic case of a virus, in the sense that you're thinking. It infects devices, and uses them to do bad things.

The author of Carna goes on to say:

Since Aidra was clearly made for malicious actions and we could actually see their Internet scale deployment at that moment, we decided to let our bot [...do some technical things...]. This step was required to block Aidra from exploiting these machines for malicious activity.

Resulting in...

Within one day our binary was deployed to around one hundred thousand devices - enough for our research purposes. We believe Aidra gained a litte[sic] more than half of that amount. The weeks after our initial deployment we were able to build binaries for a few more platforms. We also probed telnet every 24 hours on every IP address. Since many devices restart every few days and needed to be reinstalled again, over time we gained machines that Aidra lost

This means, in a nutshell, that the author of the Carna botnet observed the malicious Aidra virus spreading, and decided to choke it out using his own botnet. A virus fighting a virus. Carna won, and Aidra had little impact on the world.

Yes it's already happened

See Welchia Virus

The Welchia virus downloads itself via the same vulnerability that the Blaster virus used. It then deleted the Blaster virus if found and then installed the patch closing the hole down before spreading to new systems and finally deleting itself.

An antivirus virus.

Yes

A virus is not a virus because it's doing bad things per-se, but because of how it is installed / replicates to other systems. Any computer virus can be modified in such a way where the actions it performs is to block other viruses from being installed or modified on the system. In fact, a virus could be used to simply install anti-virus software on the computers it infects.

Another way the virus could achieve protection is by simply revoking root / administrator permissions from any other programs or users except itself, effectively stopping any further software from being installed on the system.

Real computer worms that close vulnerabilities

There are historical examples of self-spreading network viruses ("worms") that follow the pattern of:

1. exploit a particular vulnerability;


2. "fix" that vulnerability so that it's not exploitable anymore;


3. (optionally) remove other popular malware that uses the same vulnerability and it's likely to be there.

One example like this is Welchia which is considered to be mostly benign (though with "side effects") as it removed the Blaster worm which was popular at the time and installed Microsoft patches; there are also other examples of "anti-worms".

In addition, there are commercial botnet systems that are designed to close down vulnerabilities and clean up the system of other malware (presumably owned/controlled by competitors) so they do remove some bad things (and protect from future infections) so as to have full access to the system resources for their malware. If I recall correctly, some variants of Mirai were doing this, but it's certainly not unique or novel nor that unusual.

You could design a piece of software that works this way in PRINCIPLE, but in practice it would have some pretty significant limitations.

The primary problem is that antivirus software relies very heavily on being able to propagate defensive information on new threats and security flaws to the defended machines more rapidly than a threat can infect them. Most security flaws and viruses require some kind of social engineering component to get a human to do something, so that human rate of engagement can slow a virus' spread enough to allow time for the antivirus to analyse the new threat, develop a defense, and distribute it to all protected machines.

Therefore in order to provide a successful defense, your your antivirus-virus (henceforth referred to as AVV), needs to be able to communicate with all instances of itself wherever they are to share information. You can't rely on each instance of AVV learning just from what it's exposed to on that machine. You need EVERY instance of AVV sharing information, and that's a very tricky thing.

In order to successfully propagate, AVV needs to stay small. Huge pieces of code like a standard antivirus application are just too huge to infect machines successfully. This means your antivirus functionality can't rely on definitions per se, because that requires a massive database of known threats. Therefore each instance can't maintain its own local information storage either. Your database of learned behavior therefore needs to be distributed across all the instances of AVV throughout.

You ALSO need a way for the instances of AVV to be able to understand the differences in environments in the machines they've infected and understand which other instances are sharing those environments so they can preferentially share information. E.g. AVV that infects Apple devices has different threats to defend against than those on Android devices, or Windows 10 versus Windows 8, or servers in older powerplants running on NT 4.0 or something gothic like that.

On top of all that, AVV is ALSO going to need to be able to at least partially disable any actual antivirus software that's ALREADY on the machine it's infecting. Having two sets of code trying to protect the same machine at the same time causes LOTS of problems. You may never have had to deal with the fallout from someone trying to use Norton and McAfee at the same time on the same computer, but I have, and it's not pretty.

The real problem is this though: In order to do ANY of that stuff, AVV needs to use up a significant chunk of the processing power and bandwidth on every machine it's installed on. This is, by and large, exactly what ALL viruses do and so, from the point of view of the user, your AVV is going to be as much of a problem as many of the more malicious viruses it's defending against. Sure, AVV is using those CPU cycles and gigabits of bandwidth to stop threats instead of sending Russian porno spam everywhere, but the result on the infected machine is often the same.

Yes.

A worm (which is a type of virus) spreads by exploiting a vulnerability replicating itself, but if that worm is also patching that vulnerability as it goes along, it isn't technically malicious (it can still have deleterious effects though, such as tying up bandwidth, etc...).

For example, in Linux, there have been worms which self-replicate and patch the vulnerability they exploit, preventing more nefarious worms from acting on the vulnerability, which would make them a kind of "white-hat" virus.

What makes a program a "virus" or "antivirus" depends on what its ultimate impacts on a system are. A virus spreads and damages infrastructure, an antivirus prevents this. Under a strict definition though, a virus is technically any self-replicating program. It is thus possible to have a self-replicating antivirus which provides immunity to a specific exploit (as in the self-replicating patch-worm example).

The first ever antivirus software (Reaper) was a virus! It was written in 1971 to catch the first ever worm, Creeper. The only way to fully eradicate Creeper was by installing Reaper on all connected PDP-10 mainframes. This was done by having Reaper automatically replicate itself on other machines.

The short answer is yes.

A virus can do whatever it is programmed to do. If you want it to install itself as an anti-virus you can absolutely do that. If you want it to attempt to "infect" other hosts to act as an anti-virus you can use the usual exploits.

But why though? if your Anti-Virus Virus is so good at its job that you want to black-hat it to everyone, why wouldn't you make it an open source download instead. Why would you intentionally trigger already installed anti-malware trying to protect them? What do you gain?

Overall, it is possible. I just fail to see it being worth it.

as @eigenvalue mentioned. Stuxnet was one of a kind virus, which was able to target specific windows machines. These specific machines were targeted because these machines were the machines of the Iranian scientists who were at the time working on Nuclear Reactor.

The special thing about this virus was that it was spread in the wild and if the machine was not who it was looking for it would just sit there idle. From all the machines in the world it was able to figure out which machine it had to be activated on.

In industries and nuclear plants special computers are used called PLC's which are programmed via ladder diagram. Its kind of a drag and drop builder used to program. The virus actually infected the scientist's machine which was connected to the PLC and then changed the ladder diagram and increase the spinning speed of nuclear reactors. Increasing the speed caused resonance which destroyed these reactors, and the virus achieved the desired goal.

Knowing that, I have a follow-up question: Can a virus be made for a
system in a way that acts like an anti-virus? In other words, this
virus would infect computers and instead of causing damage, it would
protect the computer from other viruses?

Yes, once a program gets in it can do pretty much whatever it wants.

If the answer is yes it is possible, could this virus be sophisticated
enough to automatically update its virus definitions? Perhaps an
advanced deep learning algorithm allows this?

Yes, and its not even hard. The AI deep learning part is a bit harder, but still doable.

A lot of viruses spreading is due to users not updating their systems.

Just upload a list of software the computer contains and its version, and download and install the new versions. That and running windows update, apt-get update, zypper dup, or etc for your OS offers a lot of native protection if its ever even used.

After that implementing a firewall for the user, or re-configuring windows firewall would raise the bar even higher.

automatically sandbox know weak programs like web browsers and mail clients.

Download a list of bad IP's and bad behaviors ever day, and doing a black list would offer even more protection.

So the hacker uses a CDN (content distribution network), so you have a main distribution point from a website hosted on a cdn, and that pretty much all you need.

So the program would have a built-in list of IP or website address, and a preset list of files to download.

Said program would wget http://www.goodvirus.com/files.txt
wget http://www.goodvirus.com/blacklists.txt

The files.txt would contain a list of files and versions to download.

If the version is newer than what you have it download the new version.

Your biggest problem and where the AI comes in is problems like specter, melt down, and etc are way hard to detect. Also mitigate has issues, After a few weeks the security will have a patch you can just download and install reboot and your safe.

You have to ask yourself how far this virus is going to go.

An AI which detects, and implements its own solution is going to have to be way smarter. It will takes years to develop and prefect.

However, automated tools from companies already exist, google has sysbotz which throws things at the linux kernel until it breaks. Then said bot compiles a report, and sends it off to the kernel devs for them to fix. More and more of these automated testing platforms are being created and deployed.

More and more smarter testing routines are being developed and tested all the time.

The bigger problem is the difference between program and virus comes down to user consent. Sure your program forcefully propagates every where, but at the end of the day if your program does nothing bad people will willingly allow or install your virus on their computers. Then it's no longer a virus, but a program.

Stuxnet has the code to remove itself after the given date in the future.

A long time ago (2007), someone with a very acute case of the oedipal complex decided that the real problem with IT security was the weak link, i.e.: users. Which was probably the inspiration for this Dilbert strip (source):

So he created a program called Disk Knight that replicated over networks, and it completely disabled USB drives. No more infections from obnoxious relatives plugging their virus-ridden usb drives on your machine to send their work to your printer! YAY!

Only the dude became such a persona non grata that the internet gave him a damnatio memoriae punishment. The only thing left over of the whole story are passing mentions on Microsoft and Norton's pages about the functions of Disk Knight, and how its behavior was unacceptable. Other than that, mentions and mentions in forums on how to remove it, usually in languages other than English.

So you see, if you can write a program to defend the machines of the layspeople, you can protect them from viruses. But if you are not an expert and you don't know what you're doing, you may cause more harm than good. The proper way is still to make yourself a known force against malwares so as to build trust, and in that way you can cooperate with the community in the fight against evil. Fail to do so, and no matter how good your motives, you'll go down in history as a villain.