COMPUTER VIRUSES: A RATIONAL VIEW

by: Raymond M. Glath
President
RG Software Systems, Inc.
2300 Computer Ave. Suite I-51
Willow Grove, PA 19090
(215) 659-5300

April 14, 1988

WHAT ARE COMPUTER VIRUSES? (a.k.a. Trojan Horses, Worms, Time Bombs, Sabotage)

Any software that has been developed specifically for the purpose of interfering with a computer's normal operations.

WHAT DO THEY DO?

There are two major categories of viruses.

Destructive viruses, that cause:

  a. Massive destruction... ie: a low-level format of the disk(s), whereby any programs and data on the disk are not recoverable.
  b. Partial destruction... ie: erasure or modification of a portion of a disk.
  c. Selective destruction... ie: erasure or modification of specific files or file groups.
  d. Random havoc... the most insidious form of all. ie: randomly changing data on disk or in RAM during normal program applications, or changing keystroke values, or data from other input/output devices, with the result being an inordinate amount of time to discover and repair the problem, and damage that may never be known about.

Non-Destructive viruses, intended to draw attention to the author or to harass the end user:

  a. Annoyances... ie: displaying a message, changing display colors, changing keystroke values such as reversing the effect of the Shift and Unshift keys, etc.

WHAT IS THE IMPACT OF A VIRUS ATTACK BEYOND THE OBVIOUS?

Lost productivity time !!!

In addition to the time and skills required to re-construct damaged data files, viruses can waste a lot of time in many other ways. With either type of virus, the person subjected to the attack, as well as many support personnel from the attacked site and from various suppliers, will sacrifice many hours of otherwise productive time:

  Time to determine the cause of the attack.
  The removal of the virus code from the system.
  The recovery of lost data.
  The detective work required to locate the original source of the virus code.
Then there's the management time required to determine how this will be prevented in the future.

WHO DEVELOPS VIRUSES?

This individual, regardless of his specific motivation, will most probably want to see some form of publicity resulting from his handiwork: anywhere from a "Gotcha" message appearing on the computer's screen after the attack, to major press coverage of that particular virus' spread and wake of damage.

Some of the reasons for someone to spend their time developing a virus program are:

  A practical joke.
  A personal vendetta against a company or another person. ie: a disgruntled employee.
  The computer-literate political terrorist.
  Someone trying to gain publicity for some cause or product.
  The bored, un-noticed "genius," who wants attention.
  The mentally disturbed sociopath.

IS THE THREAT REAL?

Yes; however, thus far the destructive ones have primarily been in the Academic environment.

Several attacks have been documented by the press, and, from first hand experience, I can attest to the fact that those reported do exist. We have seen some of them and successfully tested our Disk Watcher product against them. Reputable individuals have reported additional viruses to us, but these have not reached the scale of distribution achieved by the now infamous "Lehigh," "Brain," "Israeli," and "Macintosh" viruses.

We do expect the situation to worsen due to the attention it's received. Taking simple lessons from history, a new phenomenon, once given attention, will be replicated by individuals who otherwise have no opportunity for personal attention. Now that there are products for defense from viruses, the virus writers have been given a challenge; and for those people who have always wanted to anonymously strike out at someone but didn't know of a method to do so, the coverage has provided a "How To" guide.

HOW DOES A VIRUS GET INTO YOUR COMPUTER SYSTEM?
A virus may be entered into a system by an unsuspecting user who has been duped by the virus creator (Covert entry), or it may be entered directly by the creator (Overt entry).

Examples of Covert entry of a virus into a computer system:

  A "carrier" program, such as a "pirate" copy of a commercial package that has been tampered with, is used by the unsuspecting user, and thus enters the virus code into the system. Other types of carriers could be programs from Bulletin Boards that have been either tampered with or specifically designed as viruses, but disguised as useful programs. There has even been a destructive virus disguised as a "virus protection" program on a BBS.

  The user unknowingly acquires an "infected" disk and uses it to boot the system. The virus has been hidden in the system files and then hides itself in system RAM or other system files in order to reproduce, and later, attack.

Examples of Overt entry into a computer system:

  An individual bent on harassing the user or sabotaging the computer system modifies an existing program on that computer, or copies a virus program onto someone's disk during their absence from their work station.

HOW DOES A VIRUS SPREAD?

A virus may reproduce itself by delaying its attack until it has made copies of itself onto other disks (Active reproduction), or it may depend entirely on unsuspecting users to make copies of it and pass them around (Passive reproduction). It may also use a combination of these methods.

WHAT TRIGGERS THE VIRUS ATTACK?

Attacks begin upon the occurrence of a certain event, such as:

  On a certain date.
  At a certain time of day.
  When a certain job is run.
  After "cloning" itself n times.
  When a certain combination of keystrokes occurs.
  When the computer is restarted.

One way or another, the virus code must put itself into a position to either start itself when the computer is turned on, or when a specific program is run.
HOW DOES ONE DISTINGUISH A VIRUS FROM A "BUG" IN A PROGRAM OR A HARDWARE MALFUNCTION?

This can be a tough one. With the publicity surrounding viruses, many people are ready to believe that any strange occurrence while computing may have been caused by a virus, when it could simply be an operational error, hardware component failure, or a software "bug." While most commercial software developers test their products exhaustively, there is always the possibility that some combination of hardware, mix of installed TSR's, user actions, or slight incompatibilities with "compatible" or "clone" machines or components can cause a problem to surface.

We need to remember some key points here:

1. Examine the probabilities of your having come in contact with a virus.
2. Don't just assume that you've been attacked by a virus and abandon your normal troubleshooting techniques or those recommended by the product manufacturers.
3. When in doubt, contact your supplier or the manufacturer for tech support.
4. Having an effective "Virus Protection" system installed may help you determine the cause of the problem.

HOW CAN YOU AVOID COMING IN CONTACT WITH VIRUSES?

1. Know and be comfortable with the source of your software acquisitions.
   If you use a BBS (Bulletin Board), verify that the BBS is reputable and that it has satisfactory procedures in place to check out its software, as well as provisions to prevent that software from being modified.
   Do not use illegitimate copies of software.
   Be sure that the developer of the software you're using is a professional. Note that many "Shareware" products are professionally produced. You needn't stop using them. Just be sure that you have a legitimate copy of the program if you choose to use these products.
   Don't accept free software that looks too good to be true.
2. Install a professional virus protection package on your computer that will alert you to any strange goings on.
3. Provide physical security for your computers. ie: locked rooms, locks on the computers, etc.
4. If you're unsure of a disk or a specific program, run it in an isolated environment where it will not be able to do any damage. ie: run the program on a "diskette only" computer, and keep a write-protect tab on your "System Disk." Run the program with "Virus Protection" software installed.
5. Establish and maintain a sound Back-Up policy. DO NOT USE ONLY ONE SET OF BACK-UP DISKS THAT ARE CONTINUOUSLY WRITTEN OVER. Use at least three complete sets of back-up disks that are rotated in a regular cycle.

DO YOU NEED SOME FORM OF PROTECTION FROM VIRUSES?

It couldn't hurt !!! You do lock the door to your home when you go out, right?

Plan in advance the methods you'll use to ward off virus attacks. It's a far more effective use of management time to establish preventative measures in a calm environment instead of making panic decisions after a virus attack has occurred.

IS THERE ANY SOLUTION AVAILABLE THAT'S ABSOLUTELY FOOLPROOF?

No !!! Any security system can be broken by someone dedicated and knowledgeable enough to put forth the effort to break the system.

WHAT LEVEL OF PROTECTION DO YOU NEED?

This of course depends on many factors, such as:

1. The sensitivity of the data on your PC's.
2. The number of personnel having access to your PC's.
3. The security awareness of computing personnel.
4. The skill levels of computing personnel.
5. Attitudes, ethics, and morale of computing personnel.

A key point of consideration is the threshold for the amount of security you can use versus its impact on normal productivity. Human nature must also be considered. If you were to install 10 locks on your front door and it cost you 5 minutes each time you enter your home, I'll bet that the first time that it's raining... and you have 3 bags of groceries... you'll go back to using the one lock you always used.

HOW CAN A SOFTWARE PRODUCT PROTECT AGAINST VIRUSES?

There are several approaches that have been developed.
One form is an "inoculation" or "signature" process, whereby the key files on a disk are marked in a special way and periodically checked to see if the files have been changed. Depending on the way in which this is implemented, this method can actually interfere with programs that have built-in integrity checks.

Another method is to "Write Protect" specific key areas of the disk so that no software is permitted to change the data in those places.

We at RG Software Systems, Inc. believe that preventative measures are the most effective. The Disk Watcher system provides multiple lines of defense: a "Batch" type program automatically checks all active disk drives for the presence of certain hidden virus characteristics when the computer is started, and a TSR (Terminate and Stay Resident) program monitors ongoing disk activity throughout all processing. The "Batch" program can also be run on demand at any time to check the disk in a specific drive.

The TSR program, in addition to its other "Disaster Prevention" features, contains a series of proprietary algorithms that detect the behavior characteristics of a myriad of virus programs, and yet produce minimal overhead in processing time and "false alarm" reports. Disk Watcher is uniquely able to tell the difference between legitimate IO activity and the IO activity of a virus program.

When an action occurs indicative of a virus attempting to reproduce itself, alter another program, set itself up to be automatically run the next time the system is started, or attempting to perform a massively damaging act, Disk Watcher will automatically "pop up." The user will then have several options, one of which is to immediately stop the computer before any damage can be done. Detection occurs BEFORE the action takes place. Other options allow the user to tell Disk Watcher to continue the application program and remember that this program is permitted to perform the action that triggered the "pop up."
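The "signature" approach described above, as an added example that is not part of the original article and not RG Software's code. It records the size and a SHA-256 digest of each key file in a baseline kept out of band, so the files themselves are never marked (which is what can collide with a program's own built-in integrity check), and it authenticates the baseline with an HMAC so that a baseline edited to hide a change is rejected, the same idea as a protection program checking itself before it trusts its own data. The file names, key and contents are constructed for the demonstration; in use, the key and baseline would live on a write-protected diskette rather than on the disk being checked.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key for the demo.  In practice the key (and the baseline) would
# live on a write-protected diskette, not on the disk being checked.
DEMO_KEY = b"constructed-demo-key"


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, key):
    """Record size and digest of each key file.  The files themselves are left
    untouched; the record is authenticated with an HMAC so that a baseline
    edited to hide later changes is noticed as well."""
    entries = {p: {"size": os.path.getsize(p), "sha256": file_digest(p)} for p in paths}
    body = json.dumps(entries, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def verify_baseline(baseline, key):
    """Self-check: refuse to trust a baseline whose MAC does not verify."""
    body = json.dumps(baseline["entries"], sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])


def check_files(baseline, key):
    """Compare each recorded file with its current state.
    Returns {path: "ok" | "modified" | "missing"}."""
    if not verify_baseline(baseline, key):
        raise ValueError("baseline database failed its own integrity check")
    report = {}
    for path, rec in baseline["entries"].items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif os.path.getsize(path) != rec["size"] or file_digest(path) != rec["sha256"]:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed scenario: two 'key files' in a temporary directory.  One is
    then altered, one deleted, and a doctored baseline is presented."""
    d = tempfile.mkdtemp()
    app = os.path.join(d, "APP.EXE")
    startup = os.path.join(d, "STARTUP.BAT")
    with open(app, "wb") as f:
        f.write(b"MZ constructed fake program image")
    with open(startup, "wb") as f:
        f.write(b"@echo off\r\nAPP\r\n")

    baseline = build_baseline([app, startup], DEMO_KEY)
    clean = check_files(baseline, DEMO_KEY)

    with open(app, "ab") as f:        # a program has been altered
        f.write(b"\x00\x00")
    os.remove(startup)                # a startup file has gone missing
    after = check_files(baseline, DEMO_KEY)

    # A baseline whose entries were edited but whose MAC was not recomputed
    # must be rejected rather than silently trusted.
    doctored = {"entries": dict(baseline["entries"]), "mac": baseline["mac"]}
    doctored["entries"][app] = {"size": os.path.getsize(app), "sha256": file_digest(app)}

    return {
        "clean": sorted(set(clean.values())),
        "app": after[app],
        "startup": after[startup],
        "doctored_rejected": not verify_baseline(doctored, DEMO_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The size comparison is a cheap first test; the digest is what actually catches a same-length patch. Checking the baseline's MAC before reading it is the part that corresponds to a product verifying itself each time it runs: a checker that trusts an unauthenticated baseline can be defeated simply by updating the baseline along with the files.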
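The behaviour-based monitoring the section describes, as an added example; this is not Disk Watcher's code (its algorithms are proprietary) but a toy monitor built around the four behaviours the text names: a program altering another program, setting itself up to run at startup, copying itself to another disk, and writing to the disk below the file system. It also carries the "remember that this program is permitted" option, so a legitimate installer only pops up once. The event records, file names and the `copies_self` flag are constructed assumptions standing in for what a resident monitor would see on the disk-request path.

```python
from dataclasses import dataclass, field

# Hypothetical policy tables for the toy monitor.
PROGRAM_EXT = (".COM", ".EXE", ".SYS")            # files that hold executable code
STARTUP_FILES = ("AUTOEXEC.BAT", "CONFIG.SYS")    # DOS files run/read at every boot


@dataclass
class DiskEvent:
    """One disk request as a resident monitor would see it (constructed)."""
    program: str            # full path of the program issuing the request
    op: str                 # "write", "create", "raw_write" or "format"
    target: str             # file path, or a drive letter for sector-level ops
    copies_self: bool = False   # assumption: the monitor can tell that the data
                                # being written is the issuing program's own image


@dataclass
class Monitor:
    # (program, kind) pairs the user has told the monitor to remember as permitted
    permitted: set = field(default_factory=set)

    def classify(self, ev):
        """Return the kind of suspicious behaviour an event shows, or None."""
        target = ev.target.upper()
        name = target.rsplit("\\", 1)[-1]
        if ev.op in ("format", "raw_write"):
            return "massive_damage"          # bypasses the file system entirely
        if ev.op in ("write", "create") and ev.copies_self:
            return "reproduction"            # cloning itself onto another disk/file
        if ev.op == "write" and target.endswith(PROGRAM_EXT) and target != ev.program.upper():
            return "alters_program"          # writing into someone else's code
        if ev.op in ("write", "create") and name in STARTUP_FILES:
            return "startup_persistence"     # arranging to be run at next boot
        return None

    def handle(self, ev, user_choice="stop"):
        """Decide before the request is carried out.  Returns (decision, kind):
        'allow' (nothing to report, or already permitted), 'stop' (halt the
        machine before the write happens) or 'remember' (allow this time and
        add the program/kind pair to the permitted list)."""
        kind = self.classify(ev)
        if kind is None:
            return "allow", None
        if (ev.program.upper(), kind) in self.permitted:
            return "allow", kind
        if user_choice == "remember":
            self.permitted.add((ev.program.upper(), kind))
            return "remember", kind
        return "stop", kind


def demo():
    """Constructed event stream: a word processor saving a document, a game
    doing four things a virus would do, and an installer legitimately editing
    the startup file, which the user chooses to remember as permitted."""
    m = Monitor()
    events = [
        DiskEvent("C:\\WP\\WP.EXE", "write", "C:\\WP\\LETTER.DOC"),
        DiskEvent("C:\\GAMES\\FUN.EXE", "write", "C:\\DOS\\COMMAND.COM"),
        DiskEvent("C:\\GAMES\\FUN.EXE", "write", "C:\\AUTOEXEC.BAT"),
        DiskEvent("C:\\GAMES\\FUN.EXE", "create", "A:\\FUN.EXE", copies_self=True),
        DiskEvent("C:\\GAMES\\FUN.EXE", "raw_write", "C:"),
    ]
    decisions = [m.handle(e) for e in events]
    installer = DiskEvent("C:\\INSTALL\\SETUP.EXE", "write", "C:\\AUTOEXEC.BAT")
    first = m.handle(installer, user_choice="remember")   # user: "remember this"
    second = m.handle(installer)                          # no pop-up next time
    return decisions + [first, second]


if __name__ == "__main__":
    for decision, kind in demo():
        print(decision, kind)
```

The decision is made from the request alone, before any sector is written, which is what lets the "stop" option halt the machine with nothing yet damaged. The permitted list is keyed by program and behaviour kind rather than by program alone, so approving an installer's edit of the startup file does not also approve it rewriting other programs; that granularity is the difference between learning the environment and simply switching the protection off.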
Some very important features of Disk Watcher are:

  Whenever the user selects the "Stop the Computer" option, the Application screen image and the Disk Watcher screen image will be sent to the system printer before the machine is stopped, so that an effective analysis of the problem may be done.

  Disk Watcher performs an integrity check on itself whenever it runs.

The "Destructive" viruses that produce "selective" file destruction or "Random Havoc" are the most difficult to defend against. The best measures are to prevent them from getting into the system in the first place.

WHICH VIRUS PROTECTION PACKAGE IS RIGHT FOR YOU?

Since the first reports of virus attacks appeared in the press, a number of "Virus Prevention" products have quickly appeared on the market, produced by companies wishing to take advantage of a unique market opportunity. This is to be expected. RG Software Systems, Inc. is one of them, with our Disk Watcher product.

It should be pointed out, however, that as of this writing, only a little over 2 months has transpired since the first major stories appeared. Those companies that have had to build a product from scratch during this limited amount of time have had to design the defensive system, write the program code, write the user's manual, design the packaging, "Alpha" test, "Beta" test, and bring their product through manufacturing to market. A monumental task in a miraculously short period of time.

Companies that have had products on the market that include virus protection, or products that were enhanced to include virus protection, such as Disk Watcher, have had extra time and field experience for the stabilization of their products. As a professional in this industry, I sincerely hope that the quickly developed products are stable in their released form.
The evaluation points listed below are usually applied as a standard for all types of software products:

  *Price
  *Performance
  *Ease of Use
  *Ease of Learning
  *Ease of Installation
  *Documentation
  *Copy Protection
  *Support

A "Virus Protection" package, like a security system for your home, requires close scrutiny. You want the system to do the job unobtrusively, and yet be effective.

TWELVE SPECIAL CONSIDERATIONS FOR VIRUS PROTECTION PACKAGES:

1. Amount of impact the package may have on your computer's performance.
   If the package is "RAM Resident," does it noticeably slow down your machine's operations? If so, with what type of operation? Are program start-ups slowed? Are database operations slowed?

2. Level of dependency on operator intervention.
   Does the package require the operator to perform certain tasks on a regular basis in order for it to be effective? (Such as only checking for virus conditions on command.) Does the package require much time to install and keep operational? ie: Each time any new software is installed on the system, must the protection package be used?

3. Impact on productivity... Annoyance level.
   Does the package periodically stop processing and/or require the operator to take some action? If so, does the package have any capability to learn its environment and stop its interference?

4. False alarms.
   How does the package handle situations that appear to be viruses but are legitimate actions made by legitimate programs? Are there situations where legitimate jobs will have to be re-run or the system re-booted because of the protection package? How frequently will this occur? How much additional end-user support will the package require?

5. The probability that the package will remain in use.
   Will there be any interference or usage requirements that will discourage the user from keeping the package active? (It won't be effective if they quickly desire to de-install it and perhaps only pretend they are using it when management is present.)

6. Level of effectiveness it provides in combating viruses.
   Will it be effective against viruses produced by someone with an experience level of:
     Level 1 - "Typical End User"? (Basic knowledge of using applications and DOS commands.)
     Level 2 - "Power User"? (Knowledge of DOS Command processor, Hardware functions, BASIC programming, etc.)
     Level 3 - "Applications Programmer"? (Knowledge of programming languages and DOS service calls.)
     Level 4 - "Systems Engineer"? (Knowledge of DOS and Hardware internal functions.)
     Level 5 - "Computer Science Professor that develops viruses for research purposes"?
   Which types of intrusion will it be effective against? "Covert Entry"? "Overt Entry"?
   Does it detect a virus attempting to spread or "clone" itself? Does it detect a virus attempting to place itself into a position to be automatically run?
   If a virus gets into the computer, which types of virus damage will it detect? "Massive Destruction"? "Partial Destruction"? "Selective Destruction"? "Random Havoc Destruction"? "Annoyance"?
   Does the software detect a virus before or after it has infected a program or made its attack?
   Does the publisher claim total protection from all viruses?

7. Does the software provide any assistance for "post mortem" analysis of suspected problems?
   ie: If a virus symptom is detected and the computer is brought to a halt, is there any supporting information for analyzing the problem other than the operator's recall of events?

8. Impact on your machine's resources.
   How much RAM is used? Is any special hardware required?

9. Is the product compatible with:
     Your hardware configuration.
     Your Operating system version.
     Your network.
     Other software that you use, especially TSR's.

10. Can the package be used by current computing personnel without substantial training? What type of computing experience is required to install the package?

11. Background of the publisher.
    References... Who is using this or other products from this publisher? How is this company perceived by its customers? The press? How long has the publisher been in business?
    Was the product Beta Tested?... By valid, well-known organizations or by friends of the company's owner?
    Was the product tested against any known viruses? Successfully?
    What about on-going support? In what form? At what cost?
    Does the company plan to upgrade its product periodically? What is the upgrade policy? Expected costs?

12. Does the package provide any other useful benefits to the user besides virus protection?