💾 Archived View for spam.works › mirrors › textfiles › virus › glath.vir captured on 2023-06-16 at 21:02:50.

View Raw

More Information

-=-=-=-=-=-=-





                COMPUTER VIRUSES: A RATIONAL VIEW

                      by: Raymond M. Glath
                            President

                    RG Software Systems, Inc.
                       2300 Computer Ave.
                           Suite I-51
                     Willow Grove, PA 19090
                         (215) 659-5300


April 14, 1988


WHAT ARE COMPUTER VIRUSES?
(a.k.a. Trojan Horses, Worms, Time Bombs, Sabotage)

Any software that has been developed specifically for the purpose
of interfering with a computer's normal operations.


WHAT DO THEY DO?

There are two major categories of viruses.

Destructive viruses, that cause:

     Massive destruction...
          ie: Low level format  of disk(s),  whereby any programs
               and data on the disk are not recoverable.

     Partial destruction...
          ie: Erasure or modification of a portion of a disk.

     Selective destruction...
          ie: Erasure  or modification  of specific files or file
               groups.

     Random havoc... The most insidious form of all.
          ie: Randomly changing data on  disk  or  in  RAM during
               normal program applications, or changing keystroke
               values, or  data from  other input/output devices,
               with the result being an inordinate amount of time
               to discover and  repair  the  problem,  and damage
               that may never be known about.

Non-Destructive  viruses, intended  to cause  attention to the
     author or to harass the end user.

     a. Annoyances...
          ie:  Displaying  a  message,  changing  display colors,
               changing  keystroke  values  such as reversing the
               effect of the Shift and Unshift keys, etc.


WHAT IS THE IMPACT OF A VIRUS ATTACK BEYOND THE OBVIOUS?

Lost productivity time !!!

In addition to  the  time  and  skills  required  to re-construct
damaged data files, viruses can waste a lot of time in many other
ways.

With either type of virus, the person subjected to the  attack as
well as  many support  personnel from  the attacked site and from
various  suppliers,  will  sacrifice  many  hours   of  otherwise
productive time:

     Time to determine the cause of the attack.
     The removal of the virus code from the system.
     The recovery of lost data.
     The detective work required to locate the original source of
          the virus code.

     Then, there's the management time required to determine  how
          this will be prevented in the future.


WHO DEVELOPS VIRUSES?

This individual, regardless of his specific motivation, will most
probably want to see  some form  of publicity  resulting from his
handiwork.  Anywhere  from  a  "Gotcha"  message appearing on the
computer's screen after the  attack, to  major press  coverage of
that particular virus' spread and wake of damage.

Some of  the reasons for someone to spend their time developing a
virus program are:

     A practical joke.
     A personal vendetta against a company or  another person.
          ie: a disgruntled employee.
     The computer-literate political terrorist.
     Someone  trying  to  gain  publicity  for  some cause or
          product.
     The bored, un-noticed "genius," who wants attention.
     The mentally disturbed sociopath.


IS THE THREAT REAL?

Yes, however thus far the destructive ones have primarily been in
the Academic environment. Several attacks have been documented by
the press, and, from first hand experience, I  can attest  to the
fact that  those reported do exist. We have seen some of them and
successfully tested our Disk Watcher product against them.

Reputable individuals have reported additional viruses to us, but
these have  not reached the scale of distribution achieved by the
now  infamous  "Lehigh,"  "Brain,"   "Israeli,"  and  "MacIntosh"
viruses.

We do  expect the  situation to  worsen due to the attention it's
received. Taking simple lessons  from history,  a new phenomenon,
once  given  attention,  will  be  replicated  by individuals who
otherwise have no opportunity for personal attention.

Now that there are products for  defense from  viruses, the virus
writers have  been given  a challenge;  and for  those people who
have always wanted  to  anonymously  strike  out  at  someone but
didn't know  of a  method to  do so,  the coverage has provided a
"How To" guide.


HOW DOES A VIRUS GET INTO YOUR COMPUTER SYSTEM?

A virus may be entered into a system by an  unsuspecting user who
has been  duped by the virus creator (Covert entry), or it may be
entered directly by the creator. (Overt entry.)

     Examples of Covert  entry  of  a  virus  into  a computer
          system.

          A  "carrier" program  such as  a "pirate" copy of a
             commercial package that has been tampered with, is
             utilized  by  the  un-suspecting  user,  and  thus
             enters the virus code into the system.

             Other types  of  carriers  could  be  programs from
             Bulletin  Boards  that  have  been either tampered
             with  or  specifically  designed  as  viruses, but
             disguised as  useful programs. There has even been
             a  destructive  virus   disguised   as   a  "virus
             protection" program on a BBS.

          The  user  unknowingly acquires an "infected" disk
             and uses it to boot the system.

             The virus has been hidden in  the system  files and
             then hides  itself in  system RAM  or other system
             files in order to reproduce, and later, attack.


     Examples of Overt entry into a computer system.

          An  individual  bent  on  harassing  the  user  or
             sabotaging   the   computer  system,  modifies  an
             existing program  on  that  computer  or  copies a
             virus  program  onto  someone's  disk during their
             absence from their work station.


HOW DOES A VIRUS SPREAD?

A virus may reproduce itself by delaying its attack until  it has
made copies  of itself onto other disks (Active reproduction,) or
it may depend entirely on unsuspecting users to make copies of it
and pass  them around  (Passive reproduction).  It may also use a
combination of these methods.


WHAT TRIGGERS THE VIRUS ATTACK?

Attacks begin upon the occurrence of a certain event, such as:

     On a certain date.
     At a certain time of day.
     When a certain job is run.
     After "cloning" itself n times.
     When a certain combination of keystrokes occurs.
     When the computer is restarted.

One way or  another,  the  virus  code  must  put  itself  into a
position to  either start  itself when the computer is turned on,
or when a specific program is run.


HOW DOES ONE DISTINGUISH A VIRUS FROM A "BUG" IN  A PROGRAM  OR A
HARDWARE MALFUNCTION?

This can  be a tough one. With the publicity surrounding viruses,
many people are ready  to  believe  that  any  strange occurrence
while computing  may have  been caused  by a virus, when it could
simply be an operational error, hardware component failure,  or a
software "bug."

While  most  commercial  software  developers test their products
exhaustively,  there  is  always   the   possibility   that  some
combination of hardware; mix of installed TSR's; user actions; or
slight incompatibilities with "compatible" or "clone" machines or
components; can cause a problem to surface.

We need to remember some key points here:

1. Examine the probabilities of your having contacted a virus.

2. Don't  just assume  that you've  been attacked  by a virus and
     abandon  your  normal  troubleshooting  techniques  or those
     recommended by the product manufacturers.

3. When  in doubt  contact your  supplier or the manufacturer for
     tech support.

4. Having  an effective  "Virus Protection"  system installed may
     help you determine the cause of the problem.


HOW CAN YOU AVOID COMING IN CONTACT WITH VIRUSES?

1.  Know  and  be  comfortable  with  the source of your software
     acquisitions.

     If you use a BBS (Bulletin Board,) verify that the BBS is
        reputable  and  that  it has satisfactory procedures in
        place to check out its software  as well  as provisions
        to prevent that software from being modified.

     Do not use illegitimate copies of software.

     Be  sure that  the developer of the software you're using
        is a professional. Note that many  "Shareware" products
        are  professionally  produced.  You  needn't stop using
        them. Just be sure that you  have a  legitimate copy of
        the program if you choose to use these products.

     Don't  accept  free  software  that looks too good to be
        true.

2.  Install  a  professional  virus  protection  package  on your
     computer that will alert you to any strange goings on.

3.  Provide physical security for your computers.
     ie: Locked rooms; locks on the computers; etc.

4.  If you're unsure of a disk or a specific program, run it in an
     isolated environment  where it  will not  be able  to do any
     damage.

     ie: Run  the program on a "diskette only" computer, and keep
          a write-protect tab on your "System Disk."

         Run  the   program  with   "Virus  Protection"  software
          installed.

5.  Establish and maintain a sound Back-Up policy.

     DO  NOT   USE  ONLY  ONE  SET  OF  BACK-UP  DISKS  THAT  ARE
     CONTINUOUSLY WRITTEN OVER.

     Use at least three complete sets of back-up disks that are
      rotated in a regular cycle.


DO YOU  NEED SOME  FORM OF PROTECTION FROM VIRUSES?

It couldn't hurt !!!  You do lock the door to your home
  when you go out, right?

Plan in advance the methods you'll use to ward off virus attacks.
It's a  far more  effective use  of management  time to establish
preventative  measures  in  a  calm environment instead of making
panic decisions after a virus attack has occurred.


IS THERE ANY SOLUTION AVAILABLE THAT'S ABSOLUTELY FOOLPROOF?

No !!!

Any  security  system  can  be  broken  by  someone dedicated and
knowledgeable enough to put forth the effort to break the system.


WHAT LEVEL OF PROTECTION DO YOU NEED?

This of course depends on many factors, such as:

     1. The sensitivity of the data on your PC's.
     2. The number of personnel having access to your PC's.
     3. The security awareness of computing personnel.
     4. The skill levels of computing personnel.
     5. Attitudes, ethics, and morale of computing personnel.

A key point of consideration is the threshold  for the  amount of
security you can use versus its impact on normal productivity.

Human nature  must also  be considered. If you were to install 10
locks on your front door and it cost you 5 minutes each  time you
enter  your  home,  I'll  bet  that  the  first  time  that  it's
raining... and you have 3 bags of groceries... you'll go  back to
using the one lock you always used.


HOW CAN A SOFTWARE PRODUCT PROTECT AGAINST VIRUSES?

There are several approaches that have been developed.

One form  is an "inoculation" or "signature" process, whereby the
key files on a disk are marked in a special  way and periodically
checked to see if the files have been changed.  Depending on the
way in which this is implemented, this method can actually interfere
with programs that have built-in integrity checks.

Another method  is to  "Write Protect"  specific key areas of the
disk so that no software is permitted to change the data in those
places.

We  at  RG  Software  Systems,  Inc.  believe  that  preventative
measures are the most effective. The Disk Watcher system provides
multiple lines  of defense:  A "Batch" type program automatically
checks all active disk drives for the presence  of certain hidden
virus  characteristics  when  the  computer is started, and a TSR
(Terminate and Stay Resident) program monitors  ongoing disk
activity  throughout  all processing. The "Batch" program
can also be run on demand at any time to check the disk in a
specific drive.

The TSR program, in addition to its other "Disaster
Prevention" features, contains a series of proprietary algorithms
that detect the behavior characteristics of a myriad of virus
programs, and yet produce minimal  overhead in processing time
and "false alarm" reports. Disk  Watcher is uniquely able to tell
the difference between legitimate IO  activity and  the IO activity
of a virus program.

When an action occurs indicative of a virus attempting to reproduce itself;
alter  another program; set itself up  to be  automatically run  the next
time the system is started; or attempting to perform a massively damaging
act; Disk Watcher  will  automatically  "pop  up."  The user will then have
several options, one of which is to immediately stop the computer before any
damage can be done. Detection occurs BEFORE the action takes place.

Other options allow the user to tell Disk Watcher to continue the
application program  and remember  that this program is permitted
to perform the action that triggered the "pop up."

   Some very important features of Disk Watcher are:

   Whenever the user selects the "Stop the Computer" option, the
   Application screen image and the Disk Watcher screen image will be
   sent to the system printer before the machine is stopped, so that
   an effective analysis of the problem may be done.

   Disk Watcher performs an integrity check on itself whenever it runs.

The  "Destructive"   viruses   that   produce   "selective"  file
destruction or  "Random Havoc"  are the  most difficult to defend
against. The best measures are to prevent them  from getting into
the system in the first place.


WHICH VIRUS PROTECTION PACKAGE IS RIGHT FOR YOU?

Since the first reports of virus attacks appeared in the press, a
number of  "Virus Prevention"  products have  quickly appeared on
the market, produced by companies wishing to take  advantage of a
unique market  opportunity. This  is to  be expected. RG Software
Systems, Inc. is one of them with our Disk Watcher product.

It should be pointed out, however, that as of this  writing, only
a  little  over  2  months  has  transpired since the first major
stories appeared.

Those companies  that have  had to  build a  product from scratch
during  this  limited  amount  of  time  have  had  to design the
defensive  system,  write  the  program  code,  write  the user's
manual,  design  the  packaging,  "Alpha"  test, "Beta" test, and
bring their product through manufacturing to market. A monumental
task in a miraculously short period of time.

Companies that have had products on the market that include virus
protection, or  products  that  were  enhanced  to  include virus
protection, such  as Disk  Watcher, have had extra time and field
experience for the stabilization of their products.

As a  professional in  this industry,  I sincerely  hope that the
quickly developed products are stable in their released form.

The evaluation points listed below are usually applied as a
standard for all types of software products:


         *Price
         *Performance
         *Ease of Use
         *Ease of Learning
         *Ease of Installation
         *Documentation
         *Copy Protection
         *Support

A "Virus Protection" package, like a security system for your
home, requires a close scrutiny.  You want the system to do the
job unobtrusively, and yet be effective.

TWELVE SPECIAL CONSIDERATIONS FOR VIRUS PROTECTION PACKAGES:

1.  Amount  of  impact  the  package  may have on your computer's
     performance.

     If the package is  "RAM Resident,"  does it  noticeably slow
          down your machine's operations?
     If so,  with what type of operation?  Are program start-
          ups slowed? Are database operations slowed?


2. Level of dependency on operator intervention.

     Does the package require  the  operator  to  perform certain
          tasks  on  a  regular  basis  in  order  for  it  to be
          effective? (Such as only checking for  virus conditions
          on command.)
     Does  the  package  require  much  time  to install and keep
          operational?  ie:  Each  time   any  new   software  is
          installed on the system, must the protection package be
          used?

3. Impact on productivity... Annoyance level.

     Does the package periodically stop processing and/or require
          the  operator  to  take  some  action.  If so, does the
          package have any capability  to  learn  its environment
          and stop its interference?

4. False alarms.

     How  does  the  package  handle situations that appear to be
          viruses but are legitimate  actions made  by legitimate
          programs?
     Are there  situations where  legitimate jobs will have to be
          re-run  or  the  system   re-booted   because   of  the
          protection package? How frequently will this occur?
     How  much  additional  end-user  support  will  the  package
          require?

5. The probability that the package will remain in use?

     Will there  be any  interference or  usage requirements that
          will  discourage  the  user  from  keeping  the package
          active? (It won't be  effective if  they quickly desire
          to  de-install  it  and  perhaps  only pretend they are
          using it when management is present.)

6. Level of effectiveness it provides in combatting viruses.

     Will it be effective  against  viruses  produced  by someone
          with an experience level of:

          Level 1 - "Typical End User"? (Basic knowledge of using
                      applications and DOS commands.)
          Level 2 - "Power  User"?   (Knowledge  of  DOS  Command
                      processor, Hardware functions, BASIC
                      programming, etc.)
          Level 3 - "Applications  Programmer"?  (Knowledge of
                      programming languages and DOS service calls.)
          Level 4 - "Systems  Engineer"?  (Knowledge  of  DOS and
                      Hardware internal functions.)
          Level 5 -  "Computer  Science  Professor  that develops
                         viruses for research purposes"?

     Which types of intrusion will it be effective against?

          "Covert Entry"?
          "Overt Entry"?

     Does  it  detect  a  virus  attempting  to spread or "clone"
          itself?

     Does it  detect a  virus attempting  to place  itself into a
          position to be automatically run?

     If  a  virus  gets  into  the computer, which types of virus
          damage will it detect?

          "Massive Destruction"
          "Partial Destruction"
          "Selective Destruction"
          "Random Havoc Destruction"
          "Annoyance"

     Does the software detect a  virus  before  or  after  it has
          infected a program or made its attack?

     Does the publisher claim total protection from all viruses?


7. Does the software provide any assistance for "post mortem"
    analysis of suspected problems?

     ie:  If a virus symptom is detected and the computer is
     brought to a halt, is there any supporting information
     for analyzing the problem other than the operator's
     recall of events?


8. Impact on your machine's resources.

     How much RAM is used?
     Is any special hardware required?


9. Is the product compatible with:

     Your hardware configuration.
     Your Operating system version.
     Your network.
     Other software that you use, especially TSR's.

10.  Can  the  package  be  used  by  current computing personnel
     without substantial training?

     What type of computing experience is required to install the
          package?

11. Background of the publisher.

     References...  Who  is  using  this  or  other products from
          this publisher?  How is  this company  perceived by its
          customers? The press?

     How long has the publisher been in business?

     Was  the   product  Beta  Tested?...  By  valid,  well-known
          organizations or by friends of the company's owner?

     Was  the  product   tested   against   any   known  viruses?
          Successfully?

     What about on-going support? In what form? At what cost?

     Does the company plan to upgrade its product periodically?

     What is the upgrade policy? Expected costs?

12. Does  the package  provide any  other useful  benefits to the
     user besides virus protection?