Date: Sun, 17 Mar 91 12:24 EST
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: DPMA Talk - "A NEW STRATEGY FOR COMPUTER VIRUSES"

A NEW STRATEGY FOR COMPUTER VIRUSES

William H. Murray
Deloitte & Touche
Wilton, Connecticut

PREFACE

This presentation was prepared for and delivered to the
"DPMA 4th Annual Virus and Security Conference" on March 14,
1991.

ABSTRACT

This presentation argues that it is time for a new strategy
for dealing with computer viruses. It reviews the present
strategy and suggests that it was adopted before we knew
whether or not viruses would be successful. It points out
that this strategy is essentially "clinical." That is, it
treats the symptoms of the virus without directly dealing
with its growth and spread.

It presents evidence that at least two computer viruses,
Jerusalem B and Stoned, are epidemic, that more copies are
being created than are being killed. It argues that simply
the growth of the viruses, without regard to their symptoms,
is a problem.

It argues that it is now time for an epidemiological
approach to viruses. A keystone of such an approach will be
the massive and pervasive use of vaccine programs. These
programs are characterized by being resident, automatic,
getting control early, and acting to resist the very
execution of the virus program.

The presentation notes that there is significant resistance
to such a strategy and, specifically, to the use of such
programs. It addresses many of the arguments used to
justify this resistance. It concludes that we will
ultimately be forced to such a strategy, but that, given the
growth of the viruses and the resistance to the strategy, we
will not likely act on a timely basis.

STRATEGY

It is time for a new strategy for dealing with computer
viruses. The present strategy recommended by computer
manufacturers, the National Institute of Standards and
Technology (NIST), this author, and others is to:

* Practice good computer hygiene

* Keep clean copies of programs and data

* Scan new programs, and all programs periodically

* Watch for symptoms

* Purge when necessary

* Restore programs and data from clean copies as required

Because many of us believed that talking about viruses could
only make the problem worse, there was also a "silence"
component in the strategy.

This strategy was developed more than three years ago. At
that time, the potential for success of computer viruses was
still unknown. The concern was for the potential for damage
to individual users and systems and, to a lesser extent, to
the health of the institution.

Today there is no longer any doubt as to the success of
computer viruses. There are more than four hundred viruses
that have been identified and cataloged. Twenty-five of
these are classified as "common." That is, they are so
widespread as to be considered both successful and out of
control. Another sixty-six are classified as "rare." What
this really means is they are young, and their success is
not yet demonstrated. However, there are a sufficient
number of viruses in this class and copies of each of them
that the future success of some of them is certain.

One common virus, Jerusalem B, is estimated to have a
hundred thousand copies. Since it is known to date from
November 87, its rate of growth suggests that there may well
be sixteen million copies by November 91 [TIPP].

Most large institutions have now seen one or more viruses.
Many now report several infections a month. In some,
infection is now so routine that they no longer bother to
report. Given this success, it seems certain that all
organizations will suffer from infection. It is no longer a
question of whether or not, but only of when and how often.

While the concern remains damage to user systems and data,
this is no longer appropriate. The concern should be the
epidemic growth, damage to the community, and potential
damage to necessary trust.

Dealing with viruses is now a cost of doing business. You
must pay. The only questions are whether you pay early or
late, with disruption or without.

Since viruses have demonstrated such rapid growth, they must
be removed. If they are not removed, ultimately they will
saturate the space. The requirement to remove them is
independent of the symptoms that they manifest. That is,
even if they did nothing other than make copies of
themselves, you would still have to remove them. Thus,
replication, all by itself, is a problem. [Some viruses are
self-limiting.]

In other words, while the symptoms of the virus may be
problematic, mere replication is THE problem. Therefore,
the strategy must be aimed at preventing replication and
spread, not simply at limiting and repairing damage. In the
face of the epidemic growth, the old strategy is the
equivalent of trying to deal with smallpox by washing your
hands and treating sores and fever.

The old strategy was intended to be conservative. Indeed,
when it was developed, it was conservative. In the light of
what we know today, it is merely timid. However, we have
restated it so many times that the timid are unable to
abandon it.

We were successful in eliminating smallpox from the face of
the earth only after we had a cheap, effective, and safe
vaccine. However, the existence and availability of the
vaccine proved not to have been sufficient; we also had to
have the will to apply it massively and pervasively.

We now have computer software that is the equivalent of a
number of broad-spectrum vaccines. It is capable of
preventing a specific computer from being infected. More
important, it is capable of preventing the replication of
the virus. It is characterized by the fact that it is
resident and acts early. Some of it acts on the basis of
detection of the signature of known viruses; some by
recognizing trusted software. Its intended use is
distinguished from that of earlier scanning software by the
fact that it acts before, rather than after, the virus
executes and replicates. It is distinguished from some
resident programs by its intent to block execution, rather
than to block writing.

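The two styles of vaccine described above, and the contrast with a resident program that only blocks writes, as an added example that is not part of the talk and is not the code of any product it names. The gate, the toy scan strings, the hashes and the program images below are all constructed for the example; the scan strings are not the signatures of Jerusalem B, Stoned or any real virus.

```python
"""Added example (not from the talk): an execution gate that sees every
program image at load time, before it runs, and admits or refuses it.
'signature' mode refuses images carrying a known scan string; 'trust'
mode admits only images whose hash the user has accepted; 'both'
applies both rules.  All signatures and images are constructed."""
import hashlib
from dataclasses import dataclass

# Constructed scan strings for this example only; they mark the toy
# images below and are NOT the signatures of any real virus.
KNOWN_SIGNATURES = {
    "TOY-A": b"\xebTOYVIRUS-A\x00",
    "TOY-B": b"\xebTOYVIRUS-B\x00",
}


@dataclass
class Verdict:
    allowed: bool
    reason: str


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


class ExecutionGate:
    """Resident guard consulted before an image gets control."""

    def __init__(self, mode="both", trusted=(), signatures=KNOWN_SIGNATURES):
        if mode not in ("signature", "trust", "both"):
            raise ValueError(mode)
        self.mode = mode
        # trusted: iterable of (name, image) the user has accepted
        self.trusted = {sha256_hex(img): name for name, img in trusted}
        self.signatures = dict(signatures)
        self.log = []  # (name, Verdict) for every load request seen

    def trust(self, name: str, image: bytes) -> None:
        """What a duped user does: accept an arbitrary image as trusted."""
        self.trusted[sha256_hex(image)] = name

    def check(self, name: str, image: bytes) -> Verdict:
        if self.mode in ("signature", "both"):
            for sig_name, sig in self.signatures.items():
                if sig in image:
                    return self._record(name, False, f"signature {sig_name}")
        if self.mode in ("trust", "both") and sha256_hex(image) not in self.trusted:
            return self._record(name, False, "not trusted")
        return self._record(name, True, "admitted")

    def _record(self, name, allowed, reason):
        verdict = Verdict(allowed, reason)
        self.log.append((name, verdict))
        return verdict


class WriteBlocker:
    """Contrast: a resident program that only blocks writes to program
    files.  It can keep a virus from modifying COMMAND.COM on this disk,
    but it has no opinion about running an image that arrived infected."""

    PROGRAM_SUFFIXES = (".COM", ".EXE", ".SYS")

    def check_write(self, path: str) -> bool:
        return not path.upper().endswith(self.PROGRAM_SUFFIXES)


# Constructed program images standing in for real executables.
CLEAN_COMMAND = b"MZ" + b"\x00" * 14 + b"COMMAND.COM code"
INFECTED_COMMAND = CLEAN_COMMAND + KNOWN_SIGNATURES["TOY-A"] + b" payload"
NEW_VIRUS = b"MZ" + b"\x00" * 14 + b"unknown, never seen before"


def run_scenario() -> dict:
    """Loads the three images through each gate mode and returns the
    verdicts, so the reader can see where each policy holds and fails."""
    results = {}
    for mode in ("signature", "trust", "both"):
        gate = ExecutionGate(mode, trusted=[("COMMAND.COM", CLEAN_COMMAND)])
        results[mode] = {
            "clean": gate.check("COMMAND.COM", CLEAN_COMMAND).allowed,
            "infected": gate.check("COMMAND.COM", INFECTED_COMMAND).allowed,
            "new_virus": gate.check("NEWGAME.EXE", NEW_VIRUS).allowed,
        }
    # The duped user the talk mentions: the infected image is accepted as
    # trusted, and a trust-only gate then admits it...
    duped = ExecutionGate("trust", trusted=[("COMMAND.COM", CLEAN_COMMAND)])
    duped.trust("COMMAND.COM", INFECTED_COMMAND)
    results["duped_trust_only"] = duped.check("COMMAND.COM", INFECTED_COMMAND).allowed
    # ...while the signature rule still catches it when both rules apply.
    both = ExecutionGate("both", trusted=[("COMMAND.COM", CLEAN_COMMAND)])
    both.trust("COMMAND.COM", INFECTED_COMMAND)
    results["duped_both"] = both.check("COMMAND.COM", INFECTED_COMMAND).allowed
    results["write_blocker_stops_program_write"] = not WriteBlocker().check_write("C:\\COMMAND.COM")
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The signature-only gate admits the never-seen image and the trust-only gate admits whatever a duped user accepts; each failure mode the talk concedes shows up in the verdicts, and so does the reason the talk prefers blocking execution to blocking writes: the write blocker never sees the infected image run at all.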
Some have suggested that there is nothing fundamentally
different about this software. They assert that IBM Scan
can do anything that this software can do. IBM insists that
their advice for good hygiene includes the advice that you
scan all new software BEFORE using. If you were to do that,
then the effect would be the same as vaccination software.

This argument fails to take into account how the viruses in
question really spread. It assumes that viruses spread when
people use new software that they know is new and that they
intend to use. In reality viruses are spreading from
machine to diskette and diskette to machine without any
conscious intent to share software. The software that is
spreading the viruses is things like the loader in the
diskette boot sector, the operating system (e.g.,
COMMAND.COM), TSRs (terminate-and-stay-resident programs),
and the Macintosh Finder. These are programs that are
beneath the level of notice or intent of most users and
beyond the level of knowledge of many.

In a typical scenario, a student enters a laboratory, picks
a machine at random, inserts a diskette and presses
Ctrl-Alt-Del. With many of the successful viruses, if the
diskette is infected, the machine becomes infected. If the
machine was infected, the diskette becomes infected. When
the diskette is inserted in another machine, that machine
becomes infected. There was no intent to share software;
nothing to trigger the use of IBM Scan in the way that IBM
recommends.

Use of IBM Scan in the manner that IBM recommends requires
both knowledge and intent on the part of the user. While it
is sufficient to protect any particular user or machine, it
has not been sufficient to resist the growth and spread of
viruses.

Many have resisted the use of such software on the basis
that it would not be one hundred percent effective. Those
vaccines that rely upon their ability to recognize the
virus would not be effective against new viruses. While
this is true in principle, it does not matter much in
practice. They are effective against the widespread
viruses. They can be made effective against new viruses in
less time than those viruses can spread widely, though this
begs the question of timely distribution and maintenance.

Those that rely upon restricting execution to software
trusted by the user are vulnerable to the user's being
duped. While it will always be possible for a user to be
baited into executing a virus, even in the presence of
software intended to resist it, the present success of the
viruses takes place in an environment in which there is no
resistance at all. It is reasonable to assume that the
software will be successful in resisting the execution of
the virus much of the time, perhaps often enough to retard
the epidemic growth.

There are those who resist the use of vaccines on the basis
that such use would simply encourage new and smarter
viruses. These viruses would take advantage of knowledge of
the vaccine to defeat it. This concern is based, in part,
upon acceptance of the fact that, at least in theory, there
is no perfect defense against a sufficiently smart virus.
Of course, this is true about any security measure and any
threat. Jake's Law asserts that "anything hit with a big
enough hammer will fall to pieces." However, a security
measure need not be one hundred percent effective for us to
use it. We use those that are efficient; those that
displace sufficient risk or damage to cover their cost. One
hundred percent effective security measures have infinite
cost. Therefore, we do not attempt to eliminate risk, but
rather to limit it. It is not necessary to be one hundred
percent effective against all viruses all of the time in
order to resist, limit, or even reverse the growth.

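The laboratory scenario above, and the claim just made that a defense need not be perfect to reverse the growth, as an added example that is not part of the talk: a toy model of machines and diskettes in which a boot-sector virus spreads exactly as the scenario describes, a fraction of the machines run a resident vaccine that refuses the diskette's boot code, and the old strategy of occasional scan-and-purge runs alongside. The population sizes, the purge and reformat rates, the ten infected diskettes that start the run and the random seed are all constructed for the example and are not measurements.

```python
"""Added example (not from the talk): a toy model of the student
laboratory.  Each boot pairs a random machine with a random diskette;
an infected diskette infects an unvaccinated machine, and an infected
machine infects every diskette it sees.  Vaccinated machines refuse the
boot-sector code and so never become carriers.  All parameters are
constructed for illustration."""
import random
from dataclasses import dataclass, field


@dataclass
class Lab:
    machines: int
    diskettes: int
    vaccinated: frozenset  # machine ids running a resident vaccine
    machine_infected: list = field(init=False)
    diskette_infected: list = field(init=False)

    def __post_init__(self):
        self.machine_infected = [False] * self.machines
        self.diskette_infected = [False] * self.diskettes

    def boot(self, m: int, d: int) -> None:
        """A student inserts diskette d in machine m and presses Ctrl-Alt-Del.
        The diskette's boot sector runs before any operating system code,
        so only something resident that gets control earlier can refuse it."""
        if self.diskette_infected[d] and m not in self.vaccinated:
            self.machine_infected[m] = True
        if self.machine_infected[m]:
            # a resident boot-sector virus writes itself to every diskette it sees
            self.diskette_infected[d] = True

    def infected_machines(self) -> int:
        return sum(self.machine_infected)


def simulate(coverage, machines=40, diskettes=200, steps=4000,
             initial_infected_diskettes=10, p_purge=0.25, p_clean=1.0, seed=7):
    """Runs the lab for `steps` boots and returns the mean number of infected
    machines over the second half of the run: the endemic level, or about 0
    if the virus died out.  `coverage` is the fraction of machines vaccinated;
    `p_purge` is the per-boot chance that someone scans and purges one
    machine's hard disk (the old strategy); `p_clean` the per-boot chance that
    a student reformats one diskette.  Constructed values, fixed seed."""
    rng = random.Random(seed)
    vaccinated = frozenset(rng.sample(range(machines), round(coverage * machines)))
    lab = Lab(machines, diskettes, vaccinated)
    for d in range(initial_infected_diskettes):  # a box of diskettes from another lab
        lab.diskette_infected[d] = True
    total = 0
    for t in range(steps):
        lab.boot(rng.randrange(machines), rng.randrange(diskettes))
        if rng.random() < p_purge:
            lab.machine_infected[rng.randrange(machines)] = False
        if rng.random() < p_clean:
            lab.diskette_infected[rng.randrange(diskettes)] = False
        if t >= steps // 2:
            total += lab.infected_machines()
    return total / (steps - steps // 2)


def compare(coverages=(0.0, 0.5, 0.9)) -> dict:
    """Endemic level of infected machines for several vaccination coverages."""
    return {c: simulate(c) for c in coverages}


if __name__ == "__main__":
    for c, level in compare().items():
        print(f"coverage {c:.0%}: {level:5.1f} of 40 machines infected on average")
```

In this toy model an infected machine lives for about machines/p_purge boots and infects one diskette per machines boots, and an infected diskette lives for about diskettes/p_clean boots and reaches an unvaccinated machine with probability (1 - coverage)/diskettes per boot, so each infected diskette gives rise to roughly (1 - coverage)/(p_purge * p_clean) new infected diskettes. With the constructed rates that is 4 at no coverage and the growth reverses once coverage exceeds 1 - p_purge * p_clean, 75% here; half coverage lowers the endemic level but does not end the epidemic, which is the talk's point that an imperfect but widely applied defense retards the growth while a perfect one is not required.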
Those who would tolerate today's viruses because resisting
them might make tomorrow's viruses worse, embrace the
strategy so thoroughly discredited at Munich. It is called
"let sleeping dogs lie." Unfortunately these dogs, like
those of war, are not sleeping, they are replicating.

Some have suggested that we should ignore the dogs and worry
about the dragon, the omniscient, puissant virus. Of course,
no one has seen the dragon, but the dogs are here now and
their numbers are legion. "Oh, but" they say, "if you use
your arrows on the dogs, you may provoke the dragon into
existence. The dragon will be created to be specifically
resistant to your arrows. It will include knowledge about
your arrows and be so intelligent as to be able to overwhelm
your compromised defenses."

The intelligence of the virus is an issue only if it is
successful in getting itself executed. The idea behind
these vaccines is that they prevent the virus from getting
control in the first place.

Viruses are bad enough; we should not frighten ourselves
into inaction with our own fantasies. While there are
limits to the effectiveness of any defense against viruses,
there are also limits to their power. All of the hype to
the contrary notwithstanding, viruses cannot do magic. A
virus must succeed in getting itself executed in order to do
anything. In no circumstance can it make your PC levitate
off the desk and smash against the wall.

Part of the resistance appears to be rooted in a concern
that one vaccine would be so successful and pervasive as to
become a target for viruses. This would be unlikely in any
case. It is particularly unlikely in the face of the number
of candidates, the variety of strategies that they employ,
and the success that each has already achieved.

Some managers resist the use of this software because of
cost. Most of these managers are responsible for large
numbers of systems. When multiplied by these numbers of
systems, the cost of the software rapidly escalates into the
thousands of dollars.

If there were some question about whether or not their
systems would be infected, or if there were a limited cost
to it, this resistance might make sense. As it is, it is
almost a certainty that they will be infected. The only
questions are when and how often. The cost of dealing with
viruses is now a tax on the use of computers. Like other
taxes, it is inevitable. You will pay. You may pay early
with limited disruption, or late with unlimited disruption,
but you will pay.

The Jerusalem B virus may infect many of the systems on a
LAN in hours. The number of copies of Jerusalem B in a LAN
doubles in minutes to hours, depending upon user privileges.
If not removed promptly, it may saturate the LAN in days.
It must be removed. At a minimum, removing it will require
the scanning and/or purging of all the hard disks. If the
systems on the LAN are not immunized before restarting the
file server, then the LAN will be reinfected within hours.
A few managers have purged a LAN twice. One or two have
even done it three times. We know of no one that has done
it four times. The cost of purging a hard drive once
approaches the cost of the software. The cost is not
avoidable.

We are in the incipient phase of an epidemic. The viruses
are multiplying at a significant rate. There are tens of
them and they do not compete until you begin to run out of
disk space. They are successful in spite of the best that
we can expect from our present strategy. It is the growth
of the virus, rather than its symptoms, that is the problem.
We are rapidly running out of time to cope.

We have a number of vaccines that are effective against all
of the viruses that are patently successful, and most of the
others. However, they must be applied to a system to
protect that system. They must be applied massively and
pervasively to be effective in halting or reversing the
growth. The earlier the better. It is urgent that we begin
now. It is time for a new strategy.

The new strategy will continue to include good hygiene and
backup copies of programs and other data. However, it must
include rapid, massive, and pervasive vaccination of all
business and academic systems, beginning with those that are
shared by multiple users. It must include isolation and
quarantine of unvaccinated systems.

No, I am not proposing law or regulation, or even political
pressure. I am proposing responsible behavior on the part
of influential people. If you have influence over a large
number of machines, you should vaccinate them. I am also
proposing peer pressure; we must influence each other and
support each other in responsible action.

It will require courage. It is difficult to go against the
conventional wisdom; it persists long after it ceases to be
wise.

I am certain that we will act; in the long run, I do not
believe that there is a choice. I am not hopeful that we
will act in time; the short run is all too short, and the
resistance to change all too high.