COMPUTER VIRUSES: A RATIONAL VIEW

by: Raymond M. Glath
President
RG Software Systems, Inc.
2300 Computer Ave.
Suite I-51
Willow Grove, PA 19090
(215) 659-5300

April 14, 1988

WHAT ARE COMPUTER VIRUSES?

(a.k.a. Trojan Horses, Worms, Time Bombs, Sabotage)

Any software that has been developed specifically for the purpose
of interfering with a computer's normal operations.

(The term is used in this paper in that broad sense, covering
Trojan horses, worms and time bombs as well. Strictly speaking, a
virus is the self-replicating kind, code that copies itself into
other programs or onto other disks; the later sections on
spreading and triggers have that kind chiefly in mind.)

WHAT DO THEY DO?

There are two major categories of viruses.

Destructive viruses, that cause:

    Massive destruction...
    e.g., a low-level format of the disk(s), after which no program
    or data on the disk is recoverable.

    Partial destruction...
    e.g., erasure or modification of a portion of a disk.

    Selective destruction...
    e.g., erasure or modification of specific files or file groups.

    Random havoc... The most insidious form of all.
    e.g., randomly changing data on disk or in RAM while normal
    applications are running, or changing keystroke values or data
    from other input/output devices. The result is an inordinate
    amount of time spent discovering and repairing the problem, and
    damage that may never be known about.

Non-Destructive viruses, intended to draw attention to the author
or to harass the end user.

    Annoyances...
    e.g., displaying a message, changing display colors, or changing
    keystroke values such as reversing the effect of the Shift key.

WHAT IS THE IMPACT OF A VIRUS ATTACK BEYOND THE OBVIOUS?

Lost productivity time !!!

In addition to the time and skills required to reconstruct damaged
data files, viruses can waste a lot of time in many other ways.

With either type of virus, the person subjected to the attack, as
well as many support personnel from the attacked site and from
various suppliers, will sacrifice many hours of otherwise
productive time on:

    Determining the cause of the attack.
    Removing the virus code from the system.
    Recovering lost data.
    The detective work required to locate the original source of
    the virus code.

Then there's the management time required to determine how this
will be prevented in the future.

WHO DEVELOPS VIRUSES?

Whatever the author's specific motivation, he will most probably
want to see some form of publicity resulting from his handiwork,
anywhere from a "Gotcha" message appearing on the computer's
screen after the attack to major press coverage of that particular
virus' spread and wake of damage.

Some of the reasons for someone to spend their time developing a
virus program are:

    A practical joke.
    A personal vendetta against a company or another person,
    e.g., a disgruntled employee.
    The computer-literate political terrorist.
    Someone trying to gain publicity for some cause or product.
    The bored, un-noticed "genius" who wants attention.
    The mentally disturbed sociopath.

IS THE THREAT REAL?

Yes; however, thus far the destructive ones have primarily been in
the academic environment. Several attacks have been documented by
the press, and, from first-hand experience, I can attest to the
fact that those reported do exist. We have seen some of them and
successfully tested our Disk Watcher product against them.

Reputable individuals have reported additional viruses to us, but
these have not reached the scale of distribution achieved by the
now infamous "Lehigh," "Brain," "Israeli," and "Macintosh"
viruses.

We do expect the situation to worsen due to the attention it's
received. Taking simple lessons from history, a new phenomenon,
once given attention, will be replicated by individuals who
otherwise have no opportunity for personal attention.

Now that there are products for defense from viruses, the virus
writers have been given a challenge; and for those people who have
always wanted to anonymously strike out at someone but didn't know
of a method to do so, the coverage has provided a "How To" guide.

HOW DOES A VIRUS GET INTO YOUR COMPUTER SYSTEM?

A virus may be introduced into a system by an unsuspecting user
who has been duped by the virus creator (covert entry), or it may
be introduced directly by the creator (overt entry).

Examples of covert entry of a virus into a computer system:

    A "carrier" program, such as a "pirate" copy of a commercial
    package that has been tampered with, is used by the
    unsuspecting user and thus introduces the virus code into the
    system.

    Other carriers could be programs from Bulletin Boards that
    have been either tampered with or specifically designed as
    viruses but disguised as useful programs. There has even been a
    destructive virus disguised as a "virus protection" program on
    a BBS.

    The user unknowingly acquires an "infected" disk and uses it to
    boot the system. The virus, hidden in the boot sector or system
    files, then installs itself in system RAM or in other system
    files in order to reproduce and, later, attack.

Examples of overt entry into a computer system:

    An individual bent on harassing the user or sabotaging the
    computer system modifies an existing program on that computer,
    or copies a virus program onto someone's disk during their
    absence from their work station.

HOW DOES A VIRUS SPREAD?

A virus may reproduce itself by delaying its attack until it has
made copies of itself onto other disks (active reproduction), or
it may depend entirely on unsuspecting users to make copies of it
and pass them around (passive reproduction). It may also use a
combination of these methods.

WHAT TRIGGERS THE VIRUS ATTACK?

Attacks begin upon the occurrence of a certain event, such as:

    On a certain date.
    At a certain time of day.
    When a certain job is run.
    After "cloning" itself n times.
    When a certain combination of keystrokes occurs.
    When the computer is restarted.

One way or another, the virus code must put itself into a position
to be started either when the computer is turned on or when a
specific program is run. Until the trigger event occurs the code
is present but does nothing visible, which is how it can spread
for a long time before anyone notices it.

HOW DOES ONE DISTINGUISH A VIRUS FROM A "BUG" IN A PROGRAM OR A
HARDWARE MALFUNCTION?

This can be a tough one. With the publicity surrounding viruses,
many people are ready to believe that any strange occurrence while
computing may have been caused by a virus, when it could simply be
an operational error, a hardware component failure, or a software
"bug."

While most commercial software developers test their products
exhaustively, there is always the possibility that some
combination of hardware, mix of installed TSR's, user actions, or
slight incompatibilities with "compatible" or "clone" machines or
components can cause a problem to surface.

We need to remember some key points here:

1. Examine the probability that you have actually encountered a
   virus.

2. Don't just assume that you've been attacked by a virus and
   abandon your normal troubleshooting techniques or those
   recommended by the product manufacturers.

3. When in doubt, contact your supplier or the manufacturer for
   tech support.

4. Having an effective "Virus Protection" system installed may
   help you determine the cause of the problem.

HOW CAN YOU AVOID COMING IN CONTACT WITH VIRUSES?

1. Know and be comfortable with the source of your software
   acquisitions.

   If you use a BBS (Bulletin Board), verify that the BBS is
   reputable and that it has satisfactory procedures in place to
   check out its software, as well as provisions to prevent that
   software from being modified.

   Do not use illegitimate copies of software.

   Be sure that the developer of the software you're using is a
   professional. Note that many "Shareware" products are
   professionally produced. You needn't stop using them. Just be
   sure that you have a legitimate copy of the program if you
   choose to use these products.

   Don't accept free software that looks too good to be true.

2. Install a professional virus protection package on your
   computer that will alert you to any strange goings on.

3. Provide physical security for your computers,
   e.g., locked rooms, locks on the computers, etc.

4. If you're unsure of a disk or a specific program, run it in an
   isolated environment where it will not be able to do any
   damage.

   e.g., run the program on a "diskette only" computer, and keep a
   write-protect tab on your "System Disk." The tab is honored by
   the drive hardware, not by software, so nothing the suspect
   program does can write to that diskette.

   Run the program with "Virus Protection" software installed.

5. Establish and maintain a sound Back-Up policy.

   DO NOT USE ONLY ONE SET OF BACK-UP DISKS THAT ARE CONTINUOUSLY
   WRITTEN OVER. A virus is usually present for some time before
   it is noticed; with a single set, the only clean copy of the
   system may already have been overwritten by an infected one.

   Use at least three complete sets of back-up disks that are
   rotated in a regular cycle.

DO YOU NEED SOME FORM OF PROTECTION FROM VIRUSES?

It couldn't hurt !!! You do lock the door to your home when you go
out, right?

Plan in advance the methods you'll use to ward off virus attacks.
It's a far more effective use of management time to establish
preventative measures in a calm environment than to make panic
decisions after a virus attack has occurred.

IS THERE ANY SOLUTION AVAILABLE THAT'S ABSOLUTELY FOOLPROOF?

No !!!

Any security system can be broken by someone dedicated and
knowledgeable enough to put forth the effort to break it.

WHAT LEVEL OF PROTECTION DO YOU NEED?

This of course depends on many factors, such as:

1. The sensitivity of the data on your PC's.
2. The number of personnel having access to your PC's.
3. The security awareness of computing personnel.
4. The skill levels of computing personnel.
5. Attitudes, ethics, and morale of computing personnel.

A key point of consideration is the threshold for the amount of
security you can use versus its impact on normal productivity.

Human nature must also be considered. If you were to install 10
locks on your front door and it cost you 5 minutes each time you
enter your home, I'll bet that the first time it's raining... and
you have 3 bags of groceries... you'll go back to using the one
lock you always used.

HOW CAN A SOFTWARE PRODUCT PROTECT AGAINST VIRUSES?

There are several approaches that have been developed.

One form is an "inoculation" or "signature" process, whereby the
key files on a disk are marked in a special way and periodically
checked to see if the files have been changed. Depending on the
way in which this is implemented, this method can actually
interfere with programs that have built-in integrity checks: a
program that verifies its own image when it starts will see the
inoculation mark as tampering. The check also reports an
infection only after the fact, at the next scan.

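As an added illustration of the "signature" approach just described (this is example code written for this edition, not RG Software's code and not how Disk Watcher works), the following Python script keeps the baseline in a separate record instead of marking the files themselves, which sidesteps the conflict with self-checking programs. The file names, byte patterns and directory layout are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Files worth baselining on a DOS-era system disk: executables and start-up files.
KEY_SUFFIXES = (".com", ".exe", ".sys", ".bat")


def file_digest(path):
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=KEY_SUFFIXES):
    """Record the length and digest of every key file under root.
    The files are only read, never marked, so programs that verify their
    own image are left alone. Paths are stored relative to root so the
    record can live on a different (write-protected) disk."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": file_digest(p)}
    return baseline


def check_baseline(root, baseline, suffixes=KEY_SUFFIXES):
    """Compare the disk now against a stored baseline. Digests are compared,
    not just lengths: code written over existing bytes leaves the length
    unchanged, and a length-only check would report nothing."""
    current = build_baseline(root, suffixes)
    common = baseline.keys() & current.keys()
    modified = sorted(r for r in common if baseline[r]["sha256"] != current[r]["sha256"])
    return {
        "modified": modified,
        "modified_same_size": sorted(
            r for r in modified if baseline[r]["size"] == current[r]["size"]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo():
    """Constructed scenario: a small 'system disk' is baselined, then altered
    in three ways that mimic what the text describes. All file names and
    byte patterns are made up for the demonstration."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "COMMAND.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21" * 40)
        (root / "AUTOEXEC.BAT").write_bytes(b"@ECHO OFF\r\nPROMPT $P$G\r\n")
        (root / "README.TXT").write_bytes(b"not a key file; ignored")
        (root / "UTIL").mkdir()
        (root / "UTIL" / "EDIT.EXE").write_bytes(b"MZ" + b"\x90" * 200)

        # The record is plain data; in practice it would be written to a
        # write-protected diskette, which the JSON round trip stands in for.
        stored = json.loads(json.dumps(build_baseline(root)))

        # 1. Appending infection: the executable grows.
        with (root / "UTIL" / "EDIT.EXE").open("ab") as f:
            f.write(b"\xeb\xfe" * 64)
        # 2. Overwriting infection: same length, different bytes.
        data = bytearray((root / "COMMAND.COM").read_bytes())
        data[10:14] = b"\xcd\x13\xcd\x13"
        (root / "COMMAND.COM").write_bytes(bytes(data))
        # 3. A new executable dropped onto the disk.
        (root / "UTIL" / "HELPER.COM").write_bytes(b"\xc3")

        return check_baseline(root, stored)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:20s} {names}")
```

The baseline record has to be kept where the virus cannot reach it (a write-protected diskette, in 1988 terms), and the checker should be started from a clean, write-protected boot: a virus already resident in memory when the scan runs can answer the reads with the original bytes. As the demo shows, comparing digests rather than lengths catches an infection that overwrites bytes in place, which a length-only check would miss; a change is still only discovered at the next scan, after the fact.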
Another method is to "write protect" specific key areas of the
disk so that no software is permitted to change the data in those
places. Unlike a diskette's write-protect tab, this protection is
enforced by a resident program, so it holds only against code that
goes through that program rather than straight to the disk.

We at RG Software Systems, Inc. believe that preventative measures
are the most effective. The Disk Watcher system provides multiple
lines of defense: a "Batch" type program automatically checks all
active disk drives for the presence of certain hidden virus
characteristics when the computer is started, and a TSR (Terminate
and Stay Resident) program monitors ongoing disk activity
throughout all processing. The "Batch" program can also be run on
demand at any time to check the disk in a specific drive.

The TSR program, in addition to its other "Disaster Prevention"
features, contains a series of proprietary algorithms that detect
the behavior characteristics of a myriad of virus programs, and
yet produce minimal overhead in processing time and "false alarm"
reports. Disk Watcher is uniquely able to tell the difference
between legitimate I/O activity and the I/O activity of a virus
program.

When an action occurs that is indicative of a virus attempting to
reproduce itself, alter another program, set itself up to be
automatically run the next time the system is started, or perform
a massively damaging act, Disk Watcher will automatically "pop
up." The user will then have several options, one of which is to
immediately stop the computer before any damage can be done.
Detection occurs BEFORE the action takes place.

Other options allow the user to tell Disk Watcher to continue the
application program and to remember that this program is
permitted to perform the action that triggered the "pop up."

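The behavior-monitoring approach described above, as an added example: this is illustrative code written for this edition, not Disk Watcher's code and not its proprietary algorithms. It models the four kinds of action the text names (a write into another executable, a change to a start-up file, a direct write to the boot sector or partition table, a low-level format), decides before the request is carried out, and remembers the user's "this program is permitted" choices so the same legitimate action does not keep interrupting. Program names, paths and the event stream are constructed.

```python
from dataclasses import dataclass, field

# What the text calls "alter another program": writes into executable images.
EXECUTABLE_SUFFIXES = (".com", ".exe", ".sys", ".ovl")
# Files a program must touch to "set itself up to be automatically run".
STARTUP_FILES = {"autoexec.bat", "config.sys", "command.com", "io.sys", "msdos.sys"}
# Direct sector writes (not ordinary DOS file I/O) that no application needs.
DISK_STRUCTURES = {"BOOT_SECTOR", "PARTITION_TABLE"}


@dataclass(frozen=True)
class IoEvent:
    program: str   # the program making the request, e.g. "GAME.COM"
    op: str        # "read", "write" or "format"
    target: str    # a file path, a drive letter, or a disk structure name


def classify(ev):
    """Map a request to one of the suspicious categories, or None for ordinary
    I/O. Called before the request is carried out, so the caller can refuse it."""
    if ev.op == "format" or (ev.op == "write" and ev.target in DISK_STRUCTURES):
        return "massive_damage"
    if ev.op != "write":
        return None
    name = ev.target.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in STARTUP_FILES:
        return "autorun_setup"
    if name.endswith(EXECUTABLE_SUFFIXES) and name != ev.program.lower():
        return "alters_program"   # a program rewriting itself is left alone here
    return None


@dataclass
class Monitor:
    permitted: set = field(default_factory=set)  # (program, category) pairs the user approved
    log: list = field(default_factory=list)      # halted requests, kept for post-mortem use

    def permit(self, program, category):
        """The user's 'continue, and remember this program may do that' choice."""
        self.permitted.add((program.lower(), category))

    def decide(self, ev):
        """'allow' passes the request through; 'halt' stops it before it happens."""
        category = classify(ev)
        if category is None or (ev.program.lower(), category) in self.permitted:
            return "allow"
        self.log.append((ev.program, category, ev.target))
        return "halt"


def demo():
    """Constructed event stream (names and paths are made up) showing true
    detections, a false alarm, and how the allow-list resolves the latter."""
    mon = Monitor()
    decisions = []

    def step(ev):
        decisions.append(mon.decide(ev))

    step(IoEvent("EDIT.EXE", "write", "C:\\DOCS\\LETTER.TXT"))   # ordinary data file: allow
    step(IoEvent("GAME.COM", "write", "C:\\UTIL\\EDIT.EXE"))     # writing into another program: halt
    step(IoEvent("GAME.COM", "write", "C:\\AUTOEXEC.BAT"))       # arranging to run at start-up: halt
    step(IoEvent("FORMAT.COM", "format", "A:"))                  # drastic but legitimate: halts first time
    mon.permit("FORMAT.COM", "massive_damage")                   # user chooses "continue and remember"
    step(IoEvent("FORMAT.COM", "format", "A:"))                  # now allowed
    step(IoEvent("INSTALL.EXE", "write", "C:\\NEW\\APP.EXE"))    # an installer: false alarm, halt
    mon.permit("INSTALL.EXE", "alters_program")
    step(IoEvent("INSTALL.EXE", "write", "C:\\NEW\\APP.EXE"))    # allowed after the user's decision
    return decisions, list(mon.log)


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    for entry in log:
        print("halted:", entry)
```

The allow-list is keyed by program name, and that is the weak point of this design: once INSTALL.EXE has been permitted to write executables, an infected copy of INSTALL.EXE inherits that permission. Every "remember this program" decision trades a little coverage for fewer interruptions, which is the balance items 3 and 4 of the considerations at the end of this paper ask you to examine.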
Some very important features of Disk Watcher are:

    Whenever the user selects the "Stop the Computer" option, the
    application screen image and the Disk Watcher screen image are
    sent to the system printer before the machine is stopped, so
    that an effective analysis of the problem may be done.

    Disk Watcher performs an integrity check on itself whenever it
    runs.

The "Destructive" viruses that produce "Selective" file
destruction or "Random Havoc" are the most difficult to defend
against, because the individual actions they take look like
ordinary file I/O. The best measure is to prevent them from
getting into the system in the first place.

WHICH VIRUS PROTECTION PACKAGE IS RIGHT FOR YOU?

Since the first reports of virus attacks appeared in the press, a
number of "Virus Prevention" products have quickly appeared on the
market, produced by companies wishing to take advantage of a
unique market opportunity. This is to be expected. RG Software
Systems, Inc. is one of them with our Disk Watcher product.

It should be pointed out, however, that as of this writing only a
little over 2 months have passed since the first major stories
appeared.

Those companies that have had to build a product from scratch
during this limited amount of time have had to design the
defensive system, write the program code, write the user's manual,
design the packaging, "Alpha" test, "Beta" test, and bring their
product through manufacturing to market. A monumental task in a
miraculously short period of time.

Companies that have had products on the market that include virus
protection, or products that were enhanced to include virus
protection, such as Disk Watcher, have had extra time and field
experience for the stabilization of their products.

As a professional in this industry, I sincerely hope that the
quickly developed products are stable in their released form.

The evaluation points listed below are usually applied as a
standard for all types of software products:

    *Price
    *Performance
    *Ease of Use
    *Ease of Learning
    *Ease of Installation
    *Documentation
    *Copy Protection
    *Support

A "Virus Protection" package, like a security system for your
home, requires close scrutiny. You want the system to do the job
unobtrusively, and yet be effective.

TWELVE SPECIAL CONSIDERATIONS FOR VIRUS PROTECTION PACKAGES:

1. Amount of impact the package may have on your computer's
   performance.

   If the package is "RAM Resident," does it noticeably slow down
   your machine's operations? If so, with what type of operation?
   Are program start-ups slowed? Are database operations slowed?

2. Level of dependency on operator intervention.

   Does the package require the operator to perform certain tasks
   on a regular basis in order for it to be effective? (Such as
   only checking for virus conditions on command.)

   Does the package require much time to install and keep
   operational? e.g., each time any new software is installed on
   the system, must the protection package be used?

3. Impact on productivity... Annoyance level.

   Does the package periodically stop processing and/or require
   the operator to take some action? If so, does the package have
   any capability to learn its environment and stop its
   interference?

4. False alarms.

   How does the package handle situations that appear to be
   viruses but are legitimate actions made by legitimate programs?

   Are there situations where legitimate jobs will have to be
   re-run or the system re-booted because of the protection
   package? How frequently will this occur?

   How much additional end-user support will the package require?

5. The probability that the package will remain in use.

   Will there be any interference or usage requirements that will
   discourage the user from keeping the package active? (It won't
   be effective if they quickly desire to de-install it and
   perhaps only pretend they are using it when management is
   present.)

6. Level of effectiveness it provides in combatting viruses.

   Will it be effective against viruses produced by someone with
   an experience level of:

       Level 1 - "Typical End User"? (Basic knowledge of using
                 applications and DOS commands.)
       Level 2 - "Power User"? (Knowledge of the DOS command
                 processor, hardware functions, BASIC programming,
                 etc.)
       Level 3 - "Applications Programmer"? (Knowledge of
                 programming languages and DOS service calls.)
       Level 4 - "Systems Engineer"? (Knowledge of DOS and
                 hardware internal functions.)
       Level 5 - "Computer Science Professor who develops viruses
                 for research purposes"?

   Which types of intrusion will it be effective against?

       "Covert Entry"?
       "Overt Entry"?

   Does it detect a virus attempting to spread or "clone" itself?

   Does it detect a virus attempting to place itself into a
   position to be automatically run?

   If a virus gets into the computer, which types of virus damage
   will it detect?

       "Massive Destruction"
       "Partial Destruction"
       "Selective Destruction"
       "Random Havoc Destruction"
       "Annoyance"

   Does the software detect a virus before or after it has
   infected a program or made its attack?

   Does the publisher claim total protection from all viruses?
   (A claim of total protection is a warning sign; no system is
   foolproof, as discussed earlier in this paper.)

7. Does the software provide any assistance for "post mortem"
   analysis of suspected problems?

   e.g., if a virus symptom is detected and the computer is
   brought to a halt, is there any supporting information for
   analyzing the problem other than the operator's recall of
   events?

8. Impact on your machine's resources.

   How much RAM is used?
   Is any special hardware required?

9. Is the product compatible with:

   Your hardware configuration.
   Your operating system version.
   Your network.
   Other software that you use, especially TSR's.

10. Can the package be used by current computing personnel without
    substantial training?

    What type of computing experience is required to install the
    package?

11. Background of the publisher.

    References... Who is using this or other products from this
    publisher? How is this company perceived by its customers? The
    press?

    How long has the publisher been in business?

    Was the product Beta Tested?... By valid, well-known
    organizations or by friends of the company's owner?

    Was the product tested against any known viruses?
    Successfully?

    What about on-going support? In what form? At what cost?

    Does the company plan to upgrade its product periodically?

    What is the upgrade policy? Expected costs?

12. Does the package provide any other useful benefits to the user
    besides virus protection?