💾 Archived View for spam.works › mirrors › textfiles › virus › ibmpaper.vir captured on 2023-06-16 at 21:03:05.
-=-=-=-=-=-=-
Coping with Computer Viruses and Related Problems
Steve R. White
David M. Chess
IBM Thomas J. Watson Research Center
Yorktown Heights, NY
Chengi Jimmy Kuo
IBM Los Angeles Scientific Center
Los Angeles, CA
Research Report (RC 14405)
January 30, 1989
This research report is provided without restriction;
we encourage its redistribution.
Copies may be requested from:
IBM Thomas J. Watson Research Center
Distribution Services F-11 Stormytown
Post Office Box 218
Yorktown Heights, New York 10598
(This report will be available from this address up to
one year after the IBM publication date (up to Jan 1990))
This online version differs from the hardcopy report only
in pagination, and in using *asterisks* for emphasis. It
is formatted to print at 66 lines per page, and 80 or so
characters per line (including a 10 character margin on
either side).
Coping with Computer Viruses and Related Problems
Steve R. White
David M. Chess
IBM Thomas J. Watson Research Center
Yorktown Heights, NY
Chengi Jimmy Kuo
IBM Los Angeles Scientific Center
Los Angeles, CA
Research Report Number RC 14405
January 30, 1989
ABSTRACT
We discuss computer viruses and related problems. Our
intent is to help both executive and technical managers
understand the problems that viruses pose, and to suggest
practical steps they can take to help protect their
computing systems.
Abstract ii
CONTENTS
1.0 Executive Summary . . . . . . . . . . . . . . . . . 1
1.1 What Is a Computer Virus? . . . . . . . . . . . . . 1
1.2 How Can Computer Viruses Affect an Organization? . . 2
1.3 How Serious Is The Problem? . . . . . . . . . . . . 2
1.4 Summary and Recommendations . . . . . . . . . . . . 3
2.0 Coping with Computer Viruses: A Guide for Technical
Management . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 How Viruses Infect Computing Systems . . . . . . . . 5
2.2 How Viruses Differ From Other Security Threats . . . 6
2.3 General Security Policies . . . . . . . . . . . . . 7
2.3.1 User Education . . . . . . . . . . . . . . . . . 7
2.3.2 Backups . . . . . . . . . . . . . . . . . . . . 7
2.4 Decreasing the Risk of Viral Infection . . . . . . . 8
2.4.1 Isolated Systems . . . . . . . . . . . . . . . . 8
2.4.2 Limited-Function Systems . . . . . . . . . . . . 9
2.4.3 Policies for Software Repositories . . . . . . 10
2.4.4 Policies for Production Systems . . . . . . . 11
2.5 Detecting Viral Infections . . . . . . . . . . . . 12
2.5.1 Watching for Unexpected Things Happening . . . 13
2.5.2 Some Symptoms of Known Viruses . . . . . . . . 13
2.5.3 Watching for Changes to Executable Objects . . 15
2.5.4 Using External Information Sources . . . . . . 17
2.6 Containing Viral Infections . . . . . . . . . . . 17
2.6.1 The Importance of Early Detection . . . . . . 17
2.6.2 The Importance of Rapid Action . . . . . . . . 18
2.7 Recovering from Viral Infections . . . . . . . . . 19
2.7.1 Restoration and Backups . . . . . . . . . . . 19
2.7.2 Virus-Removing Programs . . . . . . . . . . . 20
2.7.3 Watching for Re-Infection . . . . . . . . . . 20
2.8 Summary and Recommendations . . . . . . . . . . . 21
For Further Reading . . . . . . . . . . . . . . . . . . 23
Glossary . . . . . . . . . . . . . . . . . . . . . . . 24
Appendix: Viral Infections in PC-DOS . . . . . . . . . 27
Contents iii
PREFACE
While this document has been widely reviewed, and many
helpful suggestions have been incorporated, the authors are
entirely responsible for its present content. It does not
represent the opinions, policies, or recommendations of IBM
or any other organization.
Preface iv
1.0 EXECUTIVE SUMMARY
Computer viruses present a relatively new kind of security
problem in computing systems. The purpose of this section
is to acquaint the senior management of an organization with
the nature of the problem. It also outlines some of the
steps that can be taken to reduce the organization's risk
from computer viruses and other, similar, problems.
Traditional computer security measures are helpful, but new
measures are needed to deal with the problems effectively.
The computer security management of the organization will
play a key role in reducing the risk. But education and
ongoing participation of the users are also vital.
1.1 WHAT IS A COMPUTER VIRUS?
A computer virus is one kind of threat to the security and
integrity of computer systems. Like other threats, a
computer virus can cause the loss or alteration of programs
or data, and can compromise their confidentiality. Unlike
many other threats, a computer virus can spread from program
to program, and from system to system, without direct human
intervention.
The essential component of a virus is a set of instructions
which, when executed, spreads itself to other, previously
unaffected, programs or files. A typical computer virus
performs two functions. First, it copies itself into
previously-uninfected programs or files. Second, (perhaps
after a specific number of executions, or on a specific
date) it executes whatever other instructions the virus
author included in it. Depending on the motives of the
virus author, these instructions can do anything at all,
including displaying a message, erasing files or subtly
altering stored data. In some cases, a virus may contain no
intentionally harmful or disruptive instructions at all.
Instead, it may cause damage by replicating itself and
taking up scarce resources, such as disk space, CPU time, or
network connections.
There are several problems similar to computer viruses.
They too have colorful names: worms, bacteria, rabbits, and
so on. Definitions of them are given in the glossary. Each
shares the property of replicating itself within the
computing system. This is the property on which we will
focus, using viruses as an example. There are also a
variety of security issues other than viruses. Here, we
Executive Summary 1
will deal only with viruses and related problems, since new
measures are required to deal with them effectively.
1.2 HOW CAN COMPUTER VIRUSES AFFECT AN ORGANIZATION?
Let us examine a particular sequence of events, by which a
virus could enter an organization and spread within it.
Suppose that the organization hires an outside person to
come in and perform some work. Part of that person's work
involves working on one of the organization's personal
computers. The person brings in a few programs to aid in
this work, such as a favorite text editor.
Without the person having realized it, the text editor may
be infected with a virus. Using that editor on one of the
organization's machines causes the virus to spread from the
editor to one of the programs stored on the organization's
machine, perhaps to a spreadsheet program. The virus has
now entered the organization.
Even when the outside person leaves, the virus remains on
the machine that it infected, in the spreadsheet program.
When an employee uses that spreadsheet subsequently, the
virus can spread to another program, perhaps to a directory
listing program that the employee keeps on the same floppy
disk as the spreadsheet data files. The listing program is
then infected, and the infection can be spread to other
computers to which this floppy disk is taken. If the
employee's personal computer is connected to the
organization's network, the employee may send the listing
program to another user over the network. In either case,
the virus can spread to more users, and more machines, via
floppy disks or networks. Each copy of the virus can make
multiple copies of itself, and can infect any program to
which it has access. As a result, the virus may be able to
spread throughout the organization in a relatively short
time.
Each of the infected programs in each of the infected
machines can execute whatever other instructions the virus
author intended. If these instructions are harmful or
disruptive, the pervasiveness of the virus may cause the
harm to be widespread.
1.3 HOW SERIOUS IS THE PROBLEM?
Traditional security measures have attempted to limit the
number of security incidents to an acceptable level. A
Executive Summary 2
single incident of lost files in a year may be an acceptable
loss, for instance. While this is important, it only
addresses part of the problem of viruses. Since a single
virus may be able to spread throughout an organization, the
damage that it could cause may be much greater than what
could be caused by any individual computer user.
Limiting the number of initial viral infections of an
organization is important, but it is often not feasible to
prevent them entirely. As a result, it is important to be
able to deal with them when they occur.
Most actual viruses discovered to date have either been
relatively benign, or spread rather slowly. The actual
damage that they have caused has been limited accordingly.
In some cases, though, thousands of machines have been
affected. Viruses can easily be created which are much less
benign. Their *potential* damage is indeed large.
Organizations should evaluate their vulnerability to this
new threat, and take actions to limit their risks.
1.4 SUMMARY AND RECOMMENDATIONS
o A computer virus is a program that can infect other
programs by modifying them to include a copy of itself.
When the infected programs are executed, the virus
spreads itself to still other programs.
o Viruses can spread rapidly in a network or computing
system and can cause widespread damage.
o Unlike many other security threats, viruses can enter a
given computing system without anyone intending them to.
o There are no known ways to make a general computing
system completely immune from viral attacks, but there
are steps you can take to decrease the risks:
- Use good general security practices. (For a more
complete discussion of these points, and some
examples of others, see reference (6).)
-- Keep good backups of critical data and programs.
-- Periodically review overall controls to
determine weaknesses.
-- Use access control facilities to limit access to
information by users, consistent with their job
duties and management policies. Audit accesses
that do occur.
Executive Summary 3
-- Do not use network connections to outside
organizations without a mutual review of
security practices.
-- Consider limiting electronic mail communications
to non-executable files. Separate
communications that must move executable files
from electronic mail, so that they can be
separately controlled.
-- Make security education a prerequisite to any
computer use.
- Put a knowledgeable group in place to deal with
virus incidents.
-- The group may be a formal part of the
organization, or may be an informal collection
of knowledgeable people.
-- The group should be responsible for educating
users about the threat of viruses, providing
accurate information about viruses, responding
to reports of viruses, and dealing with viral
infections when they occur.
-- Make sure each employee who works with a
computer knows how to contact this group if they
suspect a viral infection.
- Develop a plan to deal with viruses *before* there is
a problem.
-- Decrease the risks of an initial infection, from
internal and external sources.
-- Put mechanisms in place to detect viral
infections quickly.
-- Develop procedures to contain an infection once
one is detected.
-- Know how to recover from a viral infection.
- Test the plan periodically, as you would test a fire
evacuation plan.
-- But *do not* use a real virus to test the plan!
Executive Summary 4
2.0 COPING WITH COMPUTER VIRUSES: A GUIDE FOR TECHNICAL
MANAGEMENT
Once an organization makes a commitment to deal with the
problems of computer viruses, there are specific areas which
should receive attention. The purpose of this section is to
acquaint technical management with the problems and to
indicate the actions that can be taken to limit the risks
posed by viruses.
2.1 HOW VIRUSES INFECT COMPUTING SYSTEMS
There are many ways in which a system can become infected
with a virus. Any time a program is run which can alter one
or more other programs, there is the possibility of viral
infection. Any time a user executes a program which is
written by anyone else, compiled by a compiler, or linked
with run time libraries, all the resources to which that
program has access are in the hands of every person who
contributed to that program, that compiler, or those
libraries.
The initial introduction of an infected program can occur
through a large variety of channels, including:
o Software introduced into or used on the system by an
outsider who had access to the system,
o Software used at home by an employee whose home computer
system is, unknown to the employee, itself infected,
o Software purchased from a commercial software company
whose production facilities are infected,
o Software that turns out to be infected that has been
down-loaded from public bulletin boards for business
use, or by employees,
o Software intentionally infected by a malicious or
disgruntled employee,
o *Any* other time that a piece of software (including
programs, operating systems, and so on) is created
within the organization, or brought in from *any*
outside source.
See the appendix for an example of sources and locations of
possible infection for one operating system.
Coping with Computer Viruses: A Guide for Technical
Management 5
2.2 HOW VIRUSES DIFFER FROM OTHER SECURITY THREATS
There are many kinds of threats to security. Threats
traceable to dial-in systems are greatly reduced with the
use of call-back systems. Simple threats created by
disgruntled employees can often be traced to the person
responsible. One important thing that makes the virus
different from all the rest is its untraceability. Except
in rare cases, the only way a virus' author becomes known is
if the author admits to ownership. As a result, an author
can create a virus with reasonable certainty that he will
not be discovered. This allows great latitude in the design
of the destructive portion of the virus.
The only perfect ways to protect against viral infection are
isolation and reduced functionality. A computer system
cannot be infected if it runs only one fixed program, and
cannot have new programs either loaded or created on it.
But this is clearly not very useful in many circumstances.
So there is almost always some exposure. As with other
security concerns, it is a matter of weighing benefits,
practicality, and potential risks, and then taking
cost-effective action to help control those risks.
Viruses exhibit elements of many other security threats.
(See the Glossary for a summary of some of these threats.)
There are important differences, though. Dr. Fred Cohen,
who has done much of the original research on computer
viruses, defines a virus as:
a program that can "infect" other programs by modifying
them to include a possibly evolved copy of itself. (See
reference (1).)
But a virus is more than the part that replicates itself.
There is usually also a potentially damaging portion. This
portion could be a "time bomb" (on November 11th, display a
political message), a "logic bomb" (when it sees a certain
write to disk, it also corrupts the file structure), or
anything else the virus author can design. The variety of
possible effects is part of the reason why the notion of a
virus is so confusing to many people. The term "virus" is
sometimes misused to refer to anything undesirable that can
happen to a computer. This is incorrect. The thing that
makes viruses and related threats different from other
problems is that they spread.
Coping with Computer Viruses: A Guide for Technical
Management 6
2.3 GENERAL SECURITY POLICIES
2.3.1 User Education
Good security policies depend on the knowledge and
cooperation of the users. This is just as true of security
against viruses as it is of policies about password
management. Users should be aware of the dangers that
exist, should know what to do if they suspect they have
found a security problem. In particular, they should know
whom to call if they have questions or suspicions, and
should know what to do, and what not to do, to minimize
security risks. Users should be encouraged to feel that
security measures are things that they want to do for their
own benefit, rather than things that are required for no
rational reason.
A strategy to detect and contain viruses is described below.
An important part of that strategy is for users to know whom
to call if they see a system problem that may be the result
of a virus. Someone should always be available to work with
the user in determining if a problem exists, and to report
the problem to a central source of information if it is
serious. This central source must have the ability to
inform the necessary people of the problem quickly and
reliably, and to set in motion the process of containing and
solving the problem. More detailed suggestions for this
mechanism will be given below, but each stage depends on
education. It is important to educate the end users, the
first-level support people, and management involved at all
levels, since they must take the necessary actions quickly
when a viral infection is detected.
2.3.2 Backups
Even without the threat of viruses, good backups are an
important part of system management. When a program or a
data file is lost, a good set of backups can save many days
or months of work. The potential harm caused by computer
viruses only increases the need for backups.
Although they are necessary for recovery, backups can also
present a place for a virus to hide. When a virus attack
has been stopped, and the virus removed from all software on
the system, the obvious way to recover altered or lost files
is by restoring them from backups. Great care must be taken
not to reintroduce the virus into the system in the process!
Coping with Computer Viruses: A Guide for Technical
Management 7
All backups should be inspected to ensure that the virus is
not present in any file on any backup. Until a backup has
been certified "clean," it should not be used, unless
certain files on it are not recoverable through other means.
Even in this case, it is necessary to be very careful to
restore only objects which the virus did not infect or
otherwise change. The behavior of the virus should be well
understood before any restoration from backup is attempted.
2.4 DECREASING THE RISK OF VIRAL INFECTION
Viruses can spread from one user to another on a single
system, and from one system to another. A virus can enter a
company either by being written within the company, or by
being brought in from the outside. Although a virus cannot
be written accidentally, a virus may be brought in from the
outside either intentionally or unintentionally. Viruses
can enter a company because a program is brought in from
outside which is infected, even though the person who brings
it in does not know it.
Because sharing of programs between people is so
commonplace, it is difficult to prevent an initial infection
from "outside." An employee may take a program home to use
it for business purposes on his or her home computer, where
it becomes infected. When the program is returned to the
workplace, the infection can spread to the workplace.
Similarly, an outside person can bring a set of programs
into a company in order to perform work desired by the
company. If these programs are infected, and they are
executed on the company's systems, these systems may also
become infected.
There are two major ways to prevent infection in the first
place, and to limit the spread of an existing infection:
isolating systems, and limiting their function.
2.4.1 Isolated Systems
Since viruses spread to new users and systems only when
information is shared or communicated, you can prevent
viruses from spreading by isolating users and systems.
Systems that are connected to other systems by a network can
spread a virus across that network. Isolating systems from
the network will prevent their being infected by that
network. If a company maintains connections with other
companies (or universities, or other institutions) by a
Coping with Computer Viruses: A Guide for Technical
Management 8
network, a virus may be able to enter the company through
that network. By isolating the company from such external
networks, it cannot be infected by these networks.
This is a reasonable policy to follow when possible,
especially for those systems which contain especially
sensitive programs and data. It is impractical in many
cases, though. Networks are valuable components of a
computing system. The easy sharing of programs and data
that they make possible can add substantially to the
productivity of a company. You should be aware, however,
that this sharing also increases the risk of viral infection
to these systems. This is especially true if the network
security measures have not been designed with viruses and
related threats in mind.
Your organization may wish to limit the kinds of access to
systems afforded to those outside the organization. In many
cases, users of external systems may be less motivated to be
benevolent to your systems than internal users are. This
may make it worthwhile to limit the ability of external
users to transmit executable files, or have full interactive
access, to internal systems.
Similarly, movement of programs between personal computers
on floppy disks can result in one system infecting another.
If an employee's home computer is infected, for instance,
bringing a program (or even a bootable disk) from home to
work could result in the work computer becoming infected.
You may want to have a policy that employees should not
bring programs or bootable disks between work and home. Or,
you may want to have a policy that employees should use
virus-detection tools on their home computers as well as
their work computers.
2.4.2 Limited-Function Systems
Since viruses must be able to infect other executable
objects in order to spread, you can help prevent viruses
from spreading by eliminating this ability from a computing
system. This can be done in some circumstances by
restricting the ability to add or change programs on a
system.
If general-purpose programming must be done on a system, as
is the case with development systems, it is not possible to
prevent users from creating or adding new programs. On
these systems, it is not possible to prevent the
introduction of viruses under every possible condition.
Coping with Computer Viruses: A Guide for Technical
Management 9
Many companies have computing systems, including
workstations and personal computers, that are not used for
general-purpose programming. A bank, for instance, may use
personal computers as teller stations, to handle a fixed set
of teller transactions. Since the tellers need not program
these systems, it may be possible to strictly limit the
introduction of new programs and thus greatly limit the
introduction of viruses onto them.
This is a prudent policy. Whenever practical, limit the
ability of users to add or change programs on the systems
they use. This ability should be restricted to authorized
personnel, and these personnel should use every means
available to them to check any new programs for viruses
before they are installed in the limited-function systems.
As long as no new programs are introduced, no new viruses
can be introduced onto these systems.
Remember, though, that the trend in personal workstations
has been toward the empowerment of the individual user,
including giving the user the ability to create programs to
suit his or her own needs. Thus, it may not be practical
and competitive in the long run to impose restrictions on
many systems. The risk of viral infection must be weighed
against the benefits of providing power and flexibility to
the individual user.
2.4.3 Policies for Software Repositories
Software repositories are places in which programs reside
which may be used by a number of people. These may be disks
on a mainframe, which can be accessed from a number of
different users' accounts. They may also be disks on a
local area network file server, from which many users get
common programs.
These repositories can pose more of a risk in the spread of
viruses than most "private" program storage locations. If a
commonly-accessed program becomes infected, such as a text
editor used by an entire department, the entire department
can become infected very quickly. So, extra care is
required to prevent infection of repositories.
A policy can be put into place that requires each program
added to a repository to be checked thoroughly for possible
infection. It is helpful, for instance, to use tools to
ensure that it is not infected with any of the already-known
viruses.
Coping with Computer Viruses: A Guide for Technical
Management 10
In cases in which users who access the repository deal with
especially sensitive programs and data, it may be prudent to
enforce even more stringent policies. Programs to be added
may be tested first on isolated systems, to see if they show
any signs of infecting other programs. Or, a repository
team may inspect the source code of the program for viral
code. If no viral code is found, the repository team can
compile the program on an isolated system that has been
certified to be free of viruses. In such a case, the only
object code allowed on the repository would come directly
from the team's compilation on its isolated system.
Repositories can also be helpful in detecting and
controlling viruses. Consider the situation in which most
users run a significant amount of the software that they
execute from a central server to which they do not have
write access, rather than from individual writeable disks.
Since the users do not regularly update this software,
viruses will not be able to spread as quickly between these
users. If a program on a central repository becomes
infected, it may be comparatively simple to replace it with
an uninfected version (or remove it entirely). It may be
more difficult to screen all programs on hundreds of
individual systems. It may also be easier to audit the
usage of, and updates to, a single software repository, as
opposed to a large number of individual systems.
There are a variety of other areas in many organizations
which could spread viruses rapidly, and hence which should
be carefully controlled. Internal software distribution
centers, for instance, could spread a virus widely if they
were infected. Similarly, a software lending library, if
infected, may transmit a virus to many other users before it
is detected. Walk-in demo rooms and educational centers are
also potential problems. In general, any place from which
software is widely distributed, and which has uncontrolled
software importation, needs special attention.
2.4.4 Policies for Production Systems
Production systems are those systems which are used to
prepare internally-developed programs for distribution
either within a company, or for sale to external customers.
If these systems were infected with a virus, the virus could
spread to programs used widely within the company, or to
programs used by the company's customers. In the former
case, this could spread the virus widely throughout the
company. In the latter case, it could damage the reputation
of the company with its customers. There has been
Coping with Computer Viruses: A Guide for Technical
Management 11
documented cases of companies accidentally shipping
virus-infected program products to customers.
Since the infection of production systems could have serious
consequences, you should be especially careful about
protecting them. The key to this is the institution of
stringent change control policies on production systems.
They should be strongly isolated from non-production
systems, so that only known, authorized files can be put
onto the system. Each file should be checked for infection,
to whatever extent possible. Installing object code on
these systems should be avoided whenever possible. Rather,
source code should be installed, and compiled locally with a
trusted compiler. Where the impact of a viral infection
would be particularly large, it may be important to inspect
the source code before it is compiled, to avoid the
introduction of a virus through the source code. If object
code must be installed, its origin should be verified
beforehand. For instance, object code for a personal
computer could be installed only from an original,
write-protected distribution disk, which has been found to
be free of viruses.
In addition, virus-checking programs (see below) should be
run frequently on production systems. On a multitasking
system, it may be possible to run a virus detector
continuously in the background. Further, a policy can be
instituted which ensures that a virus detector will be
executed at least once between the time that new files are
installed on the system, and the time that any files are
exported from the system.
2.5 DETECTING VIRAL INFECTIONS
With the possible exception of isolation, all of the methods
outlined above for preventing viral infections are only
somewhat reliable. Viruses can still reach some systems
despite the implementation of preventative measures.
Indeed, no perfect defense exists that still allows
programming, and sharing of executable information. There
is no "one time fix," as there is for many other computer
security problems. This is a hole that cannot be plugged
completely. Defenses will have to be improved with time to
deal with new classes of viruses. Because of this, virus
*detection* is an important component of system security.
The two most important resources available for the detection
of viruses are watchful users and watchful programs. The
best approaches to virus detection include both. The users
Coping with Computer Viruses: A Guide for Technical
Management 12
should be aware of the possibility of viruses, just as they
are aware of the need for backups, and to know what kinds of
things to watch for. System programs and utilities should
be available to help the users, and the computer center
staff, to take advantage of this awareness.
2.5.1 Watching for Unexpected Things Happening
If users are aware of the kinds of visible things that are
known to happen in systems that are virus-infected, these
users can serve as an important line of defense. Users
should know that odd behavior in a computer system may be a
symptom of penetration by a virus, and they should know to
whom such odd behavior should be reported.
On the other hand, it is a fact that odd behavior is usually
*not* caused by viral penetration. Software bugs, user
errors, and hardware failures are much more common. It is
important to avoid unfounded rumors of viral infections, as
dealing with such "false alarms" can be costly. An actual
infection, however, may require rapid action. So the group
to which users report oddities must have the skill to
determine which reports are almost certainly due to one of
these more common causes, and which merit closer
investigation for possible viral infection. One obvious
choice for such a group is within the computing center or
"help desk," since the computing center staff probably
already has a good idea of what sorts of oddities are
"business as usual."
2.5.2 Some Symptoms of Known Viruses
2.5.2.1 Workstation Viruses
This section lists specific oddities that are known to occur
in workstations infected with particular viruses that have
already occurred. Some of the things in these examples only
occur once the virus is in place, and is triggered to
perform its particular function. Others occur while the
virus is still spreading. Some things users should know to
watch for include:
o Unexpected changes in the time stamps or length of
files, particularly executable files,
Coping with Computer Viruses: A Guide for Technical
Management 13
o Programs taking longer to start, or running more slowly
than usual,
o Programs attempting to write to write-protected media
for no apparent reason,
o Unexplained decreases in the amount of available
workstation memory, or increases in areas marked as
"bad" on magnetic media,
o Executable files unexpectedly vanishing,
o Workstations unexpectedly "rebooting" when certain
previously-correct programs are run, or a relatively
constant amount of time after being turned on,
o Unusual things appearing on displays, including
"scrolling" of odd parts of the screen, or the
unexpected appearance of "bouncing balls" or odd
messages,
o Unexpected changes to volume labels on disks and other
media,
o An unusual load on local networks or other communication
links, especially when multiple copies of the same data
are being sent at once.
It is important to remember, though, that future viruses may
do none of these things. Users should be alert to oddities
in general and should have a place to report them, as
recommended above.
2.5.2.2 Mainframe Viruses
Viruses in multi-user computer systems share some of the
typical behaviors of viruses in single-user workstations.
In particular, lengths or time stamps of executable files
may change, programs may load or execute more slowly,
unusual errors (especially relating to disk-writes) may
occur, files may vanish or proliferate, and odd things may
appear on displays. If the virus is attempting to spread
between users, users may also notice "outgoing mail" that
they did not intend to send, "links" to other user's
information that they did not intentionally establish, and
similar phenomena.
Generally, the same comments apply in this environment as in
the single-user workstation environment. Future viruses may
do none of these things, and users should be sensitive to
suspicious oddities in general, and have a place to which to
report them.
Coping with Computer Viruses: A Guide for Technical
Management 14
2.5.3 Watching for Changes to Executable Objects
Users are not the only line of defense in the detection of
viruses. It is comparatively simple to create programs that
will detect the presence and the spread of the simpler
classes of viruses. Such programs can go a long way in
"raising the bar" against computer viruses.
One effective approach to detecting simple viruses involves
notifying the user of changes to the contents of executable
objects (program files, "boot records" on magnetic media,
and so forth). Users can be provided with a program to be
run once a day which will examine the executable objects to
be checked, and compare their characteristics with those
found the last time the program was run. (This could be run
at the same time as the backup program, for instance.) The
user can then be presented with a list of objects that have
changed. If things have changed that should not have, the
user can contact the appropriate people to investigate. If
certain objects that should seldom or never change (such as
the operating system files themselves) are different, the
user can be specially warned, and urged to contact the
appropriate people.
Often, a central system programming group has control over a
large multi-user computing system. That group can execute
this sort of program periodically, to check for changes to
common operating system utilities, and to the operating
system itself. Because viruses can often spread to
privileged users, they are quite capable of infecting even
those parts of the system that require the highest authority
to access.
The frequency with which virus detectors should be used
depends upon the rate at which executables are transmitted,
and the value of the information assets on the systems.
Workstations that are not connected to networks can exchange
information via floppy disks. The known computer viruses
that propagate by way of floppy disks do so relatively
slowly. It may take days, or weeks, or even months for such
a virus to propagate across a large organization. In this
case, running virus detectors once a day, or once a week,
may be sufficient. For systems connected to networks,
especially large-scale networks, the situation is much
different. Experience has shown network viruses to be
capable of spreading very rapidly across the network. In
some cases, replicating programs have spread across
nationwide networks in a matter of hours or days. In these
cases, it may be important to run virus detectors hourly or
daily.
Coping with Computer Viruses: A Guide for Technical
Management 15
Below is an outline of one possible implementation of a
virus detecting program. It is for illustration only; many
different structures would do the job as well or better.
1. The program obtains a list of files to be checked. For
PC-DOS, for instance, this should include .COM and .EXE
files, any files that are listed as device drivers in
the CONFIG.SYS file, the CONFIG.SYS file itself, and any
other executables such as batch files or BASIC programs.
2. For each of these files, the program
o Determines the time/date and length of the file from
the operating system.
o If desired, actually reads the data in the file, and
performs a calculation such as a CRC (cyclic
redundancy check) on the data. (The number of files
checked in such detail depends on the importance of
the file, the speed of the program, and the amount
of time the user is willing to spend.)
o Compares this file information (time/date, length,
and perhaps CRC or other code) with the database
generated last time the program was run.
o If the file was not present the last time the
program was run, or if the information in the
previous database was different from the information
just obtained, the program records that the file is
new or changed.
3. After checking all relevant files, the program reads all
other known executable objects in the system(1), and
compares their CRC or other codes with the values in the
database, and records any changes.
4. When all the existing objects have been checked in this
way, the program updates the database for next time and
presents all its findings to the user.
5. On the basis of this information, the user can decide
whether any of the reported changes are suspicious, and
worth reporting.
This method is by no means foolproof. A sophisticated virus
could do a variety of things. It could change an executable
object without altering the time, date, length, or CRC code.
It could only alter objects that had been legitimately
changed recently. It could act directly on the database
itself and thus escape detection. More sophisticated
versions of the program outlined here can provide
significantly more foolproof detection. It is advantageous
to have many different virus detectors in place at the same
----------------
(1) For PC-DOS, this would typically include the boot record
on a floppy diskette, and the master and partition boot
records on hard disks. For multi-user operating
systems, this might include "shared system images," or
"IPL datasets" or equivalent objects.
Coping with Computer Viruses: A Guide for Technical
Management 16
time. That way, a virus that can evade one detector may be
caught by another. Nevertheless, user awareness, and
procedures for recovery in the event of an infection that is
not detected until too late, are both still vital.
2.5.4 Using External Information Sources
Software viruses are able to spread because information
flows so quickly in the modern world. That same information
flow can help in the detection of viruses. Newspapers,
magazines, journals, and network discussion groups have
carried significant amounts of material dealing with
computer viruses and other forms of malicious software.
These sources of information can be valuable in maintaining
awareness of what hazards exist, and what measures are
available to detect or prevent specific viruses. This kind
of information can be invaluable to the people in your
organization charged with investigating suspicious events
reported by users, and deciding which ones to follow up on.
On the other hand, these channels also carry a certain
amount of inevitable misinformation, and care should be
taken not to react to, or spread, rumors that seem to have
no likely basis in fact.
2.6 CONTAINING VIRAL INFECTIONS
Having procedures in place to detect viral infection is very
important. By itself, however, it is of little use. The
individual who makes the first detection must have a
procedure to follow to verify the problem and to make sure
that appropriate action occurs. If the information supplied
in the detection phase is allowed to "fall between the
cracks," even for a relatively short time, the benefit of
detection can easily be lost.
2.6.1 The Importance of Early Detection
Computer viruses generally spread exponentially. If a virus
has infected only one system in a network on Monday, and
spread to four by Tuesday, sixteen systems could easily be
infected by Wednesday, and over five hundred by Friday.
(These numbers are just samples, of course, but they give an
idea of the potential speed of spread. See reference (1)
Coping with Computer Viruses: A Guide for Technical
Management 17
for some experiments in which much faster spread was
observed.)
Because viruses can spread so fast, it is very important to
detect them as early as possible after the first infection.
The surest way of doing this is to have every vulnerable
user run the best available virus-detection software as
often as feasible. This solution may be too expensive and
time-consuming for most environments.
In most groups of users, it is possible to identify a number
of "star" users who do a disproportionately large amount of
information-exchange, who generally run new software before
most people do, and who are the first to try out new things
in general. In multi-user systems, some of these people
often have special authorities and privileges. When a virus
reaches one of these people, it can spread very rapidly to
the rest of the community. In making cost/benefit decisions
about which users should spend the most time or effort on
virus-detection, these are the people to concentrate on.
2.6.2 The Importance of Rapid Action
When a virus is detected, every moment spent deciding what
to do next may give the virus another chance to spread. It
is vital, therefore, to have action plans in place *before* an
infection occurs. Such plans should include, for instance:
o Designation of one particular group (whether formal or
informal) as the "crisis team,"
o Procedures for identifying infected systems, by
determining how and from where the infection reached
each system known to be infected,
o Procedures for isolating those systems until they can be
rendered free of the virus,
o Procedures for informing vulnerable users about the
virus, and about how to avoid spreading it themselves,
o Procedures for removing the virus from infected systems,
o Procedures for identifying the virus involved, and for
developing or obtaining specific software or procedures
to combat the virus. These may remove the virus from
infected systems and files, determine whether or not
backups are infected, and so on.
o Procedures for recording the characteristics of the
virus and the effectiveness of the steps taken against
it, in case of later re-infection with the same or a
similar virus.
Some suggestions for recovery are given in the next section.
Coping with Computer Viruses: A Guide for Technical
Management 18
2.7 RECOVERING FROM VIRAL INFECTIONS
Once a virus has been detected and identified, and measures
have been taken to stop it from spreading further, it is
necessary to recover from the infection, and get back to
business as usual. The main objective of this activity is
to provide each affected user with a normal, uninfected
computing environment. For individual workstations, this
means ensuring that no infected objects remain on the
workstation. For more complex environments, it means
ensuring that no infected objects remain anywhere on the
system where they might inadvertently be executed.
The basic recovery activities are:
o Replacing every infected object in the system with an
uninfected version, and
o Restoring any other objects that the virus' actions may
have damaged.
It is of critical importance during these activities to
avoid re-introducing the virus into the system. This could
be done, for instance, by restoring an infected executable
file from a backup tape.
2.7.1 Restoration and Backups
An obvious but incorrect approach to removing the infection
from a system is simply to restore the infected objects from
backups. This is *not* a wise thing to do, however, since
the backups themselves may be infected. If the virus first
entered the system sufficiently long ago, infected objects
may well have been backed up in infected form.
Once the virus has been well understood, in terms of what
types of objects it spreads itself to, three different
categories of objects may be considered for restoration:
o Objects of the type that the virus infects. These
should only be restored from backups if the backed-up
versions are thoroughly and individually checked for
infection by the virus. If it is possible, it is
preferable to restore the objects from more "trusted"
sources, such as original, unwriteable, copies supplied
by the manufacturer, or by recompiling source code.
Even in these cases, it is worthwhile to check once
again for infection after restoration has been done.
Coping with Computer Viruses: A Guide for Technical
Management 19
o Objects of types that the virus does not infect, but
which have been destroyed or altered by the virus'
actions. These can generally be restored from backups
safely, although again it is worth checking the
integrity of the backed-up copies. If the virus has
been in the system long enough, it may have damaged
objects that were later backed up.
o Objects of types that the virus neither infects, nor
damages. If you are very sure that the virus does not
infect or alter certain types of files, there may be no
need to restore those files during the recovery process.
2.7.2 Virus-Removing Programs
Once a virus has been studied, you can write or obtain
programs to help remove that particular virus. One type of
these programs checks for the presence of the virus in a
executable objects. Another type tries to remove the
infection by restoring the object to its previous uninfected
form. "Checking" programs can be extremely valuable during
the recovery process, to ensure that files that are being
restored after infection or damage by the virus are now
"clean." "Removal" programs are somewhat less useful, and
should usually only be used when there is no other practical
way to obtain an uninfected version of the object. Removing
a virus from an executable object can be a complex and
difficult process, and even a well-written program may fail
to restore the object correctly.
2.7.3 Watching for Re-Infection
Once recovery is complete, and all known infected and
damaged objects have been restored to uninfected and correct
states, it is necessary to remain watchful for some time. A
system that has recently been infected by a certain virus
runs an increased risk of re-infection by that same virus.
The re-infection can occur through some obscure, infected
object that was missed in the recovery process. It can also
occur from the same outside source as the original
infection. This is especially true if the original source
of infection is not known.
Vigilance in the use of general virus-detection programs,
like those described above, continues to be important. In
addition, it will often be possible to obtain or write
programs designed to detect the specific virus from which
Coping with Computer Viruses: A Guide for Technical
Management 20
the system has just recovered. Specific virus-detection
programs of this kind are particularly useful at this time.
The same users who use the general virus-detection programs,
and any users who would be specifically vulnerable to the
virus just recovered from, can be given such programs to
run. This increases the probability of detection, should an
infection recur. The programs might also be incorporated
into the backup system for a time, to scan files being
backed up for infection, and even into appropriate places in
networks and file-sharing systems. Because such checks will
introduce extra overhead, there will be a trade-off between
performance and added security in considering how long to
leave them in place.
2.8 SUMMARY AND RECOMMENDATIONS
Computer viruses can pose a threat to the security of
programs and data on computing systems. We have suggested
several means of limiting this threat. They are summarized
below.
o Viruses represent a new kind of threat to the security
of computing systems.
- They can be spread without the intent of the people
who spread them.
- They can spread widely and quickly within an
organization, reaching systems and users well beyond
the initial infection point.
- They can perform virtually any action that their
designer intends.
o The risks posed by viruses can be limited by proper
action.
- Follow good security practices in general.
-- Educate your users about security threats,
including computer viruses.
-- Make sure that good backups are kept of all
important data.
- Take steps to reduce the possibility of being
infected.
-- Where practical, isolate critical systems from
sources of infection, such as networks and
outside programs.
Coping with Computer Viruses: A Guide for Technical
Management 21
-- Where practical, limit the ability to create or
install new programs on those systems which do
not require this ability.
-- Ensure that adequate controls exist on software
repositories, production systems, and other
important areas of your organization. These
include careful change management and the use of
virus detectors.
- Take steps to ensure that virus infections will be
detected quickly.
-- Educate your users about possible warning signs.
-- Use virus detectors, which will inform users of
the unintended modification of programs and
data.
-- Make sure your users know to whom they can
report a potential problem.
- Take steps to contain virus infections that are
detected.
-- A plan to deal with an infection should be put
into place *before* an infection occurs.
-- A "crisis team" should be put into place, which
can respond quickly to a potential problem.
-- Isolate infected systems until they can be
cleaned up, to avoid them infecting other
systems, and to avoid their becoming reinfected.
- Take steps to recover from viral infections that are
contained.
-- Be able to restore critical programs and data
from virus-free backups.
-- Know how to remove viruses from programs if
virus-free backups are unavailable.
-- Watch for a reinfection from that particular
virus.
Coping with Computer Viruses: A Guide for Technical
Management 22
FOR FURTHER READING
(1) Fred Cohen, "Computer Viruses: Theory and Experiment,"
Computers & Security, Vol. 6 (1987), pp. 22-35
(2) Fred Cohen, "On the Implications of Computer Viruses
and Methods of Defense," Computers & Security, Vol. 7
(1988), pp. 167-184
(3) W.H. Murray, "Security Considerations for Personal
Computers," IBM System Journal, Vol. 23, No. 3 (1984),
pp. 297-304
(4) --, "Security Risk Assessment in Electronic Data
Processing Systems," IBM Publication Number
G320-9256-0 (1984)
(5) --, "Good Security Practices for Information Systems
Networks," IBM Publication Number G360-2715-0 (1987)
(6) --, "An Executive Guide to Data Security," IBM
Publication Number G320-5647-0 (1975)
(7) --, "Security, Auditability, System Control
Publications Bibliography," IBM Publication Number
G320-9279-2 (1987)
For Further Reading 23
GLOSSARY
Computer viruses and the like are relatively new
phenomena. The terms used to describe them do not
have definitions that are universally agreed upon. In
this glossary, we give definitions that try to clarify
the differences between the various concepts. These
terms may be used differently elsewhere.
Availability: That aspect of security that deals with
the timely delivery of information and services to the
user. An attack on availability would seek to sever
network connections, tie up accounts or systems, etc.
Back Door: A feature built into a program by its
designer, which allows the designer special privileges
that are denied to the normal users of the program. A
back door in a logon program, for instance, could
enable the designer to log on to a system, even though
he or she did not have an authorized account on that
system.
Bacterium (informal): A program which, when executed,
spreads to other users and systems by sending copies
of itself. (Though, since it does "infect" other
programs, it may be thought of as a "system virus" as
opposed to a "program virus.") It differs from a
"rabbit" (see below) in that it is not necessarily
designed to exhaust system resources.
Bug: An error in the design or implementation of a
program that causes it to do something that neither
the user nor the program author had intended to be
done.
Confidentiality: That aspect of security which deals
with the restriction of information to those who are
authorized to use it. An attack on confidentiality
would seek to view databases, print files, discover a
password, etc., to which the attacker was not
entitled.
Integrity: That aspect of security that deals with
the correctness of information or its processing. An
attack on integrity would seek to erase a file that
should not be erased, alter an element of a database
improperly, corrupt the audit trail for a series of
events, propagate a virus, etc.
Glossary 24
Logic Bomb: A Trojan Horse (see below), which is left
within a computing system with the intent of it
executing when some condition occurs. The logic bomb
could be triggered by a change in a file (e.g. the
removal of the designer's userid from the list of
employees of the organization), by a particular input
sequence to the program, or at a particular time or
date (see "Time Bomb" below). Logic bombs get their
name from malicious actions that they can take when
triggered.
Rabbit (informal): A program is designed to exhaust
some resource of a system (CPU time, disk space, spool
space, etc.) by replicating itself without limit. It
differs from a "bacterium" (see above) in that a
rabbit is specifically designed to exhaust resources.
It differs from a "virus" (see below) in that it is a
complete program in itself; it does not "infect" other
programs.
Rogue Program: This term has been used in the popular
press to denote any program intended to damage
programs or data, or to breach the security of
systems. As such, it encompasses malicious Trojan
Horses, logic bombs, viruses, and so on.
Security: When applied to computing systems, this
denotes the authorized, correct, timely performance of
computing tasks. It encompasses the areas of
confidentiality, integrity, and availability.
Time Bomb: A "logic bomb" (see above) activated at a
certain time or date.
Trojan Horse: Any program designed to do things that
the user of the program did not intend to do. An
example of this would be a program which simulates the
logon sequence for a computer and, rather than logging
the user on, simply records the user's userid and
password in a file for later collection. Rather than
logging the user on (which the user intended), it
steals the user's password so that the Trojan Horse's
designer can log on as the user (which the user did
not intend).
Virus (pl. viruses): a program that can "infect"
other programs by modifying them to include a possibly
evolved copy of itself. Note that a program need not
perform malicious actions to be a virus; it need only
"infect" other programs. Many viruses that have been
encountered, however, do perform malicious actions.
Worm: A program that spreads copies of itself through
network-attached computers. The first use of the term
Glossary 25
described a program that copied itself benignly around
a network, using otherwise-unused resources on
networked machines to perform distributed computation.
Some worms are security threats, using networks to
spread themselves against the wishes of the system
owners, and disrupting networks by overloading them.
Glossary 26
APPENDIX: VIRAL INFECTIONS IN PC-DOS
This section is intended to give an example of the
places in a typical computer system where a virus
might enter. It is intended for a reader with some
knowledge of the workings of PC-DOS, although it may
be instructive to others as well. PC-DOS was chosen
for convenience; many computer systems have similar
vulnerabilities.
Consider the process that is required for you to run a
single program. What is happening? Which parts do
you not bother checking since you have seen it a
million times?
For example, you turn on the power switch and then ...
o You boot off the disk. What code ran to enable
you to boot off the disk?
o You boot off a diskette drive. Again ...
o You run a program. It reads off a disk. What was
actually read in? How was it read in? What did
the reading?
o You compile a program. Are you using any library
files? What is in them?
o When was the last time you looked at your
CONFIG.SYS? AUTOEXEC.BAT?
o You just bought a brand new program. You just
brought it home from the store. What do you know
about the program? About the company that
produced it?
This list is not meant to be all-inclusive nor
thorough. It is meant to be a spark to start
education. Let us continue by examining each of these
cases. (Where found, the symbol "(!)" is used to
designate a potential point of attack for viruses.)
When you turn on the power switch
Before we investigate the different cases above, we
examine the steps that occur when you first flip the
power switch of your IBM PC to the ON position.
Appendix: Viral Infections in PC-DOS 27
Power is given to the system. A section of code known
as POST (Power On Self Test) residing in ROM (Read
Only Memory) starts running. It checks memory,
devices, peripherals, and then transfers control to
any "properly signatured" ROMs found in the I/O
channels. Assuming those pieces run smoothly, control
returns to POST. When POST completes, it searches for
a diskette in the diskette drive. If unsuccessful, it
tries to boot off a hard file. And finally, if
neither works, it starts running the BASIC interpreter
which is found in its ROM.
The first place where programs are read into system
RAM (Random Access Memory) is the hard file or
diskette boot up process. Until then, all the code
that is run has come from ROM. Since these ROMs are
from trusted sources, we must assume that they have
not been created with viruses installed. ROMs, by
their nature, can only be written by special
equipment, not found in your PC. Thus to tamper with
them, they must be removed and/or replaced without
your knowledge. For the purposes of this discussion,
we will assume that this has not happened.
Boot from hard file
When the computer boots off the hard file, it relies
on code which has been placed in two areas on the hard
file. The first location is the master boot
record(!). The master boot record contains code and
information to designate which "system boot record"(!)
to read and run. This is the "active partition."
There are potentially many system boot records, one
for each partition, while there is only one master
boot record.
Boot records on a fixed disk vary. But usually, up to
a whole track is reserved. This is a large amount of
space, most of which is not normally used. The large
empty space provides a potential area for viruses to
hide.
Boot from diskette
For a floppy disk, the boot record is a properly
"signatured" sector at head 0 track 0 sector 1 of the
disk(!). If the machine finds a proper signature, it
takes the bytes stored in that sector and begins
Appendix: Viral Infections in PC-DOS 28
executing them. This code is usually very short.
Usually, one of the first things it does is to tell
the machine where to get other sectors to form a
complete boot up program.
Viruses can hide parts of themselves on either hard or
floppy disks, in sectors that they mark as "bad."(!)
These sectors would require special commands to be
read. This prevents the code from being accidentally
overwritten. They also provide an obvious sign,
should you be looking for them (CHKDSK will report bad
sectors).
PC-DOS, the operating system
The purpose of the boot records is to load the
operating system. This is done by loading files with
the names IBMBIO.COM(!), IBMDOS.COM(!), and
COMMAND.COM(!). These files contain the operating
system.
After the operating system is loaded, it becomes the
integral portion of all system activities. This
includes activities such as reading and writing
files(!), allocating memory(!), and allocating all
other system resources(!). Few applications exist
that do not use the operating system to take advantage
of the system resources. Thus, some viruses change
COMMAND.COM or intercept attempts to request a system
resource.
The purpose of such action would be two-fold. The
first purpose is to place the virus in a common code
path, so that it is executed frequently so that it may
have ample opportunity to spread. The second is to
cause damage, intercepting the proper request and
altering the request.
Running a program
What code runs when you run a program? (!) (The
following list is not meant to be complete. It is to
show you that any link could be a potential point of
attack for a virus. Since the virus' purpose is to be
executed frequently, it would find itself executed
frequently enough if it resided in any of the
following areas.)
Appendix: Viral Infections in PC-DOS 29
o DOS accepts your keystrokes.
- BIOS INT 9H, INT 16H, INT 15H, INT 1BH
- DOS INT 21H keyboard functions, INT 28H
- Any keyboard device driver or TSR (Terminate
and Stay Resident) program.
o DOS loads your program
- BIOS INT 13H, INT 40H, INT 15H
- DOS INT 21H file search functions, memory
allocation, set DTA, disk read, CTRL-BREAK
check, etc.
- Any DOS extension driver or TSR (Terminate and
Stay Resident) program.
o General background functions
- BIOS INT 8 (timer), INT 0FH (printer), INT 1CH
(timer)
- Any system driver or TSR (Terminate and Stay
Resident) program.
All these things happen and more, each time you run a
program.
CONFIG and AUTOEXEC
Every time you boot your system, CONFIG.SYS(!) and
AUTOEXEC.BAT(!) tell the system to load many files and
options before you can start working on the computer.
If a virus decided to attach an extra line of
instruction to one of these files, it would result in
the program being loaded each day. When was the last
time you looked at CONFIG.SYS? AUTOEXEC.BAT? Do you
remember the reason for the existence of each line in
the two files?
Compiling programs, using libraries
When you compile a program, you use several programs.
One is the compiler itself (!). If the compiler is
infected with a virus, the virus may spread to other,
unrelated programs. But it could also spread to the
program being compiled.
When a compiled program is linked to form an
executable program, it is common to link in programs
Appendix: Viral Infections in PC-DOS 30
from libraries(!). These library programs provide
standard operating system interfaces, perform input
and output, and so on. If one or more of the library
programs are infected with a virus, then every program
which is linked with it will be infected.
Appendix: Viral Infections in PC-DOS 31