Copyright 1988,92 by Rob Rosenberger & Ross M. Greenberg Page 1 of 8 Computer Virus Myths (8th Edition, March 1992) by Rob Rosenberger with Ross M. Greenberg A number of myths have surfaced about the threat of computer "viruses". There are myths about how widespread they are, how dangerous they are, and even myths about what a computer virus really is. We'd like the facts to be known. The first thing to learn is that a virus is a malicious programming tech- nique in the realm of "Trojan horses." All viruses are Trojan horses, but few Trojan horses can be called a virus. That having been said, it's time to go over the terminology we use when we lecture: BBS Bulletin Board System. If you have a modem, you can call a BBS and leave messages, transfer computer files back & forth, and learn a lot about computers. (What you're reading right now, for example, most likely came to you from a BBS.) Bug an accidental flaw in the logic of a program which makes it do things it shouldn't really be doing. Programmers don't mean to put bugs in their program, but they always creep in. Programmers tend to spend more time debugging their programs than they do writing them in the first place. Inadvertent bugs have caused more data loss than all the viruses combined. Hacker someone who really loves computers and who wants to push them to the limit. Hackers have a healthy sense of curi- osity: they try doorknobs just to see if they're locked, and they tinker with a piece of equipment until it's "just right." The computer revolution itself is a result of hackers. Shareware a distribution method for quality software available on a "try before you buy" basis. You pay for the program only if you find it useful. Shareware programs can be down- loaded from BBSs and you are encouraged to give evaluation copies to friends. Many shareware applications rival the power of off-the-shelf counterparts, at just a fraction of the price. (You must pay for the shareware you continue to use -- otherwise you're stealing software.) Trojan horse a generic term describing a set of computer instructions purposely hidden inside a program. Trojan horses tell a program to do things you don't expect it to do. The term comes from a legendary battle in which the ancient city of Computer Virus Myths Page 2 of 8 Troy received the gift of a large wooden horse. The "gift" secretly held soldiers in its belly, and when the Trojans rolled it into their fortified city.... Virus a term for a very specialized Trojan horse which spreads to other computers by secretly "infecting" programs with a copy of itself. A virus is the only type of Trojan horse which is contagious, like the common cold. If it doesn't meet this definition, then it isn't a virus. Worm a term similar to a Trojan horse, but there is no "gift" involved. If the Trojans had left that wooden horse out- side the city, they wouldn't have been attacked. Worms, on the other hand, can bypass your defenses without having to deceive you into dropping your guard. An example is a program designed to spread itself by exploiting bugs in a network software package. Worms are usually released by someone who has normal access to a computer or network. Wormers the name given to the people who unleash destructive Trojan horses. Let's face it, these people aren't angels. What they do hurts us. They deserve our disrespect. Viruses, like all Trojan horses, purposely make a program do things you don't expect it to do. Some viruses are just an annoyance, perhaps only displaying a "Peace on earth" greeting. The viruses we're worried about are designed to destroy your data (the most valuable asset of your com- puter!) and waste your valuable time in recovering from an attack. Now you know the difference between a virus and a Trojan horse and a bug. Let's get into some of the myths: "All purposely destructive code comes as a virus." Wrong. Remember, "Trojan horse" is the general term for purposely destructive code. Very few Trojan horses actually qualify as viruses. Few newspaper or magazine reporters have a real understand of computer crimes, so they tend to call almost anything a virus. "Viruses and Trojan horses are a recent phenomenon." Trojan horses have been around since the first days of the computer; hackers toyed with viruses in the early 1960s as a form of amusement. Many different Trojan horse techniques emerged over the years to embezzle money, destroy data, etc. The general public didn't know of this problem until the IBM PC revolution brought it into the spotlight. Banks still hush up computerized embezzlements (as they did during the 1980s) because they believe customers will lose faith in their computer systems if the word gets out. "Viruses are written by hackers." Yes, hackers have purposely unleashed viruses, but so has a computer magazine publisher. And according to one trusted military publication, the U.S. Defense Department develops them as weapons. Middle-aged men wearing business suits created Trojan horses for decades before the advent of com- Computer Virus Myths Page 3 of 8 puter viruses. We call people "wormers" when they abuse their knowledge of computers. You shouldn't fear hackers just because they know how to write viruses. This is an ethics issue, not a technology issue. Hackers know a lot about computers; wormers abuse their knowledge. Hackers (as a whole) got a bum rap when the mass media corrupted the term. "Viruses infect 25% of all IBM PCs every month." If 25% suffer an infection every month, then 100% would have a virus every four months assuming the user took no preventive measures -- in other words, every IBM PC would suffer an infection three times per year. This astronomical estimate surfaced after virus expert (and antivirus vendor) Dr. Peter Tippett published "The Kinetics of Computer Virus Replication," a complex thesis on how viruses might spread in the future. Computer viruses exist all over the planet, yes -- but they won't take over the world. Only about 400 different viruses exist at this time and some of them have been completely eliminated "from the wild." (Of course, virus experts retain copies even of "extinct" viruses in their archives.) You can easily reduce your exposure to viruses with a few simple precautions. Yes, it's still safe to turn on your computer! "Only 400 different viruses? But most experts talk about them in the thou- sands." The virus experts who "originate" these numbers tend tto work for antivirus firms. They count even the most insignificant variations of viruses as part of the grand total for advertising purposes. When the Marijuana virus first appeared, for example, it displayed the word "legalise," but a miscreant later modified it to read "legalize." Any pro- gram capable of detecting the original virus will detect the version with one letter changed -- but antivirus companies count them as "two" viruses. Such obscure differentiations quickly add up. "Viruses could destroy all the files on my disks." Yes, and a spilled cup of coffee will do the same thing. If you have adequate backup copies of your data, you can recover from any virus or coffee problem. Backups mean the difference between a nuisance and a disaster. It is safe to presume there has been more accidental loss of data than loss by viruses and Trojan horses. "Viruses have been documented on over 300,000 computers (1988)." "Viruses have been documented on over 400,000 computers (1989)." "Viruses have been estimated on over 5,000,000 computers (1992)." These numbers come from John McAfee, a self-styled virus fighter who craves attention and media recognition. If we assume it took him a mere five minutes to adequately document each viral infection, it would have taken four man-years of effort to document a problem only two years old by 1989. We further assume McAfee's statements include every floppy disk ever infected up to that time by a virus, as well as all of the computers participating in the Christmas and InterNet worm attacks. (Worms cannot be included in virus infection statistics.) McAfee prefers to "estimate" his totals these days. Let's assume we have about 100 million computers of all types & models in use around the world. McAfee's estimate means 1 out of every 20 computers on the planet supposedly has a virus. It sounds like a pretty astronomical number to most other virus experts. Computer Virus Myths Page 4 of 8 "Viruses can hide inside a data file." Data files can't wreak havoc on your computer -- only an executable pro- gram file can do that (including the one that runs when you first turn on your computer). If a virus infected a data file, it would be a wasted effort. But let's be realistic: what you think is 'data' may actually be an executable program file. For example, a "batch file" qualifies as text on an IBM PC, yet the MS-DOS operating system treats it just like a pro- gram. "BBSs and shareware programs spread viruses." Here's another scary myth drummed up in the big virus panic, this one spouted as gospel by many "experts" who claim to know how viruses spread. "The truth," says PC Magazine publisher Bill Machrone, "is that all major viruses to date were transmitted by [retail] packages and private mail sys- tems, often in universities." (PC Magazine, October 11, 1988.) Machrone said this back in 1988 and it still applies to this day. Almost 50 retail companies so far have admitted spreading infected master disks to tens of thousands of customers since 1988 -- compared to only five shareware authors who have spread viruses on master disks to less than 100 customers. Machrone goes on to say "bulletin boards and shareware authors work extra- ordinarily hard at policing themselves to keep viruses out." Reputable sysops check every file for Trojan horses; nationwide sysop networks help spread the word about dangerous files. Yes, you should beware of the soft- ware you get from BBSs and shareware authors, but you should also beware of the retail software you find on store shelves. (By the way, many stores now have software return policies. Do you know for sure you were the only one who used those master disks?) "My computer could be infected if I call an infected BBS." BBSs can't write information on your disks -- the communications soft- ware you use performs this task. You can only transfer a dangerous file to your computer if you let your software do it. And there is no "300bps sub- carrier" that lets a virus slip through a high speed modem. A joker named Mike RoChenle (IBM's "micro channel" PS/2 architecture, get it?) started the 300bps myth when he left a techy-joke message on a public BBS. Unfor- tunately, a few highly respected journalists were taken in by the joke. "So-called 'boot sector' viruses travel primarily in software downloaded from BBSs." This common myth -- touted as gospel even by Australia's Computer Virus Information Group -- expounds on the mythical role computer bulletin boards play in spreading viruses. Boot sector viruses can only spread by direct contact and "booting" the computer from an infected disk. BBSs deal exclu- sively in program files and have no need to pass along copies of disk boot sectors. Bulletin board users therefore have a natural immunity to boot- sector viruses when they download software. We should make a special note about "dropper" programs developed by virus researchers as an easy way to transfer boot sector viruses among themselves. Since they don't replicate, "dropper" programs don't qualify as a virus in and of themselves. Such programs have never been discovered on any BBS to date and have no real use other than to transfer infected boot sectors. Computer Virus Myths Page 5 of 8 "My files are damaged, so it must have been a virus attack." It also could have happened because of a power flux, or static elec- tricity, or a fingerprint on a floppy disk, or a bug in your software, or perhaps a simple error on your part. Power failures and spilled cups of coffee have destroyed more data than all viruses combined. "Donald Burleson was convicted of releasing a virus." Newspapers all over the country hailed a Texas computer crime trial as a "virus" trial. The defendent, Donald Burleson, was in a position to release a destructive Trojan horse on his employer's mainframe computer. This particular software couldn't spread to other computers, so it couldn't possibly have qualified as a virus. Davis McCown, the prosecuting attor- ney, claims he "never brought up the word virus" during the trial. So why did the media call it one? 1. David Kinney, an expert witness testifying for the defense, claimed Burleson had unleashed a virus. The prosecuting attorney didn't argue the point and we don't blame him -- Kinney's bizarre claim probably helped sway the jury to convict Burleson, and it was the defense's fault for letting him testify. 2. McCown gave reporters the facts behind the case and let them come up with their own definitions. The Associated Press and USA Today, among others, used such vague definitions that any program would have qualified as a virus. If we applied their definitions to the medical world, we could safely label penicillin as a biological virus (which is, of course, absurd). 3. McCown claims many quotes attributed to him were "misleading or fab- ricated" and identified one in particular which "is total fiction." Reporters sometimes print a quote out of context, and McCown appar- ently fell victim to it. (It's possible a few bizarre quotes from David Kinney or John McAfee were accidentally attributed to McCown.) "Robert Morris Jr. released a benign virus on a defense network." It may have been benign but it wasn't a virus. Morris, the son of a chief computer scientist at the U.S. National Security Agency, decided one day to take advantage of a bug in the Defense Department's networking soft- ware. This tiny bug let him send a worm through the network. Among other things, Morris's "InterNet" worm sent copies of itself to other computers in the network. Unfortunately, the network clogged up in a matter of hours due to some bugs in the worm module itself. The press originally called it a "virus," like it called the Christmas worm a virus, because it spread to other computers. Yet Morris's programs didn't infect any computers. A few notes: 1. Reporters finally started calling it a worm a year after the fact, but only because lawyers in the case constantly referred to it as a worm. 2. The worm operated only on Sun-3 & Vax computers which employ a UNIX operating system and were specifically linked into the InterNet net- work at the time. 3. The 6,200 affected computers cannot be counted in virus infection statistics (since they weren't infected). 4. It cost way less than $98 million to clean up the attack. An official Cornell University report claims John McAfee, the man behind this wild estimate, "was probably serving [him]self" in an effort to drum up business. People familiar with the case estimated the final figure at under $1 million. Computer Virus Myths Page 6 of 8 5. Yes, Morris could easily have added some infection code to make it a worm/virus if he'd had the urge. 6. The network bug exploited in the attack has since been fixed. 7. Morris went to trial for launching the InterNet worm and received a federal conviction. The Supreme Court refused to hear the case, so his conviction stands. "The U.S. government planted a virus in Iraq military computers during the Gulf War." U.S. News & World Report published a story in early 1992 accusing the National Security Agency of replacing a computer chip in a printer bound for Iraq just before the Gulf War with a secret computer chip containing a virus. The magazine cited "two unidentified senior U.S. officials" as their source, saying "once the virus was in the [Iraqi computer] system, ...each time an Iraqi technician opened a 'window' on his computer screen to access information, the contents of the screen simply vanished." How- ever, the USN&WR story shows amazing similarities to a 1991 April Fool's story published by InfoWorld magazine. Most computer experts dismiss the USN&WR story as a hoax -- an "urban legend" innocently created by the Info- World joke. Some notes: 1. USN&WR has refused to retract the story, but it did issue a "clarifi- cation" stating "it could not be confirmed that the [virus] was ulti- mately successful." The editors broke with tradition and refused to publish any of the numerous letters readers submitted about the virus story. 2. Ted Koppel, a well-known American news anchor, opened one of his "Nightline" broadcasts with a report on the alleged virus. Koppel's staff politely refers people to talk with USN&WR about the story's validity. 3. InfoWorld didn't label their story as fiction, but the last paragraph identified it as an April Fool's joke. "Viruses can spread to all sorts of computers." All Trojan horses are limited to a family of computers, and this is especially true for viruses. A virus designed to spread on IBM PCs cannot infect an IBM 4300 series mainframe, nor can it infect a Commodore C64, nor can it infect an Apple Macintosh. "My backups will be worthless if I back up a virus." No, they won't. Let's suppose a virus does get backed up with your files. You can restore important documents and databases -- your valuable data -- without restoring an infected program. You just reinstall programs from master disks. It's tedious work, but not as hard as some people claim. "Antivirus software will protect me from viruses." There is no such thing as a foolproof antivirus program. Trojan horses and viruses can be (and have been) designed to bypass them. Antivirus products themselves can be tricky to use at times, and they occasionally have bugs. Always use a good set of backups as your first line of defense; rely on antivirus software as a second line of defense. Computer Virus Myths Page 7 of 8 "Read-only files are safe from virus infections." This common myth among IBM PC users has been printed even in some com- puter magazines. Supposedly, you can protect yourself by using the DOS ATTRIB command to set the read-only attribute on program files. However, ATTRIB is software -- and what it can do, a virus can undo. The ATTRIB command seldom halts the spread of viruses. "Viruses can infect files on write-protected disks." Here's another common IBM PC myth. If viruses can modify read-only files, people assume they can modify write-protected floppies. However, the disk drive itself knows when a floppy is protected and refuses to write to it. You can physically disable an IBM PC drive's write-protect sensor, but you can't override it with a software command. We hope this dispels the many computer virus myths. Viruses DO exist, they ARE out there, they WANT to spread to other computers, and they CAN cause you problems. But you can defend yourself with a cool head and a good set of backups. The following guidelines can shield you from Trojan horses and viruses. They will lower your chances of being infected and raise your chances of recovering from an attack. 1. Implement a procedure to regularly back up your files and follow it religiously. Consider purchasing a user-friendly program to take the drudgery out of this task. (There are plenty to choose from.) 2. Rotate between at least two sets of backups for better security (use set #1, then set #2, then set #1...). The more sets you use, the better protected you are. Many people take a "master" backup of their entire hard disk, then take "incremental" backups of those files which changed since the last time they backed up. Incremental backups might only require five minutes of your time each day. 3. Download files only from reputable BBSs where the sysop checks every program for Trojan horses. If you're still afraid, consider getting programs from a BBS or "disk vendor" company which gets them direct from the authors. 4. Let newly uploaded files "mature" on a BBS for one or two weeks before you download it (others will put it through its paces). 5. Consider using a program that searches, or "scans," disks for known viruses. Almost all infections to date involved viruses known to antivirus companies. A recent copy of any "scanning" program will in all probability identify a virus before it gets the chance to infect your computer -- and as they say, "an ounce of prevention is worth a pound of cure." A "scanning" program can dramatically lower your chaces of getting infected by a computer virus in the first place. (But remember: there is no perfect antivirus defense.) 6. Consider using a program that creates a unique "signature" of all the programs on your computer. Run this program once in awhile to see if any of your software applications have been modified -- either by a virus or by a fingerprint on a floppy disk or perhaps even by a stray gamma ray. Computer Virus Myths Page 8 of 8 7. DON'T PANIC if your computer starts acting weird. It may be a virus, but then again maybe not. Immediately turn off all power to your com- puter and disconnect it from any local area networks. Reboot from a write-protected copy of your master DOS disk. Do NOT run any programs on a "regular" disk (you might activate a Trojan horse). If you don't have adequate backups, try to bring them up to date. Yes, you might back up a virus as well, but it can't hurt you if you don't use your normal programs. Set your backups off to the side. Only then can you safely hunt for problems. 8. If you can't figure out what's wrong and you aren't sure what to do next, turn off your computer and call for help. Consider calling a local computer group before you call for an expert. If you need a professional, consider a regular computer consultant first. Some "virus removal experts" charge prices far beyond their actual value. 9. [Consider this ONLY as a last resort.] If you can't figure out what's wrong and you are sure of yourself, execute both a low-level and a high-level format on all your regular disks. Next, carefully re- install all software from the master disks (not from the backups). Make sure the master disks have write-protect tabs! Then, carefully restore only the data files (not the program files) from your backup disks. We'd appreciate it if you would mail us a copy of any Trojan horse or virus you discover. (Be careful you don't damage the data on your disks while trying to do this!) Include as much information as you can and put a label on the disk saying it contains a malicious program. Send it to Ross M. Greenberg, P.O. Box 908, Margaretville, NY 12254. Thank you. Ross M. Greenberg is the author of both shareware and retail virus detection programs. Rob Rosenberger is the author of various phone productivity applications. (Products are not mentioned by name because this isn't the place for advertisements.) They each write for national computer magazines. These men communicated entirely by modem while writing this treatise. Copyright 1988,92 by Rob Rosenberger & Ross M. Greenberg Rosenberger can be reached electronically on CompuServe as [74017,1344], on GEnie as R.ROSENBERGE, on InterNet as `74017.1344@compuserve.com', and on various national BBS linkups. Greenberg can be reached on MCI and BIX as `greenber', on UseNet as `c-rossgr@microsoft.com', and on CompuServe as [72461,3212]. You may give copies of this treatise to anyone if you pass it along in its entirety. Publications may reprint it at no charge if they give due credit to the authors and send two copies to: Rob Rosenberger, P.O. Box 643, O'Fallon, IL 62269.