Archived view for spam.works › mirrors › textfiles › virus › vguide.txt, captured on 2023-06-16 at 21:05:11.





                COMPUTER VIRUSES: A RATIONAL VIEW

                      by: Raymond M. Glath
                            President

                    RG Software Systems, Inc.
                       2300 Computer Ave.
                           Suite I-51
                     Willow Grove, PA 19090
                         (215) 659-5300


April 14, 1988


WHAT ARE COMPUTER VIRUSES?
(a.k.a. Trojan Horses, Worms, Time Bombs, Sabotage)

Any software that has been developed specifically for the purpose
of interfering with a computer's normal operations.


WHAT DO THEY DO?

There are two major categories of viruses.

Destructive viruses, that cause:

     Massive destruction...
          i.e.: Low level format of disk(s), whereby any programs
               and data on the disk are not recoverable.

     Partial destruction...
          i.e.: Erasure or modification of a portion of a disk.

     Selective destruction...
          i.e.: Erasure or modification of specific files or file
               groups.

     Random havoc... The most insidious form of all.
          i.e.: Randomly changing data on disk or in RAM during
               normal program applications, or changing keystroke
               values, or data from other input/output devices,
               with the result being an inordinate amount of time
               to discover and repair the problem, and damage
               that may never be known about.

Non-Destructive viruses, intended to draw attention to the
     author or to harass the end user.

     a. Annoyances...
          i.e.: Displaying a message, changing display colors,
               changing keystroke values such as reversing the
               effect of the Shift and Unshift keys, etc.


WHAT IS THE IMPACT OF A VIRUS ATTACK BEYOND THE OBVIOUS?

Lost productivity time !!!

In addition to the time and skills required to re-construct
damaged data files, viruses can waste a lot of time in many other
ways.

With either type of virus, the person subjected to the attack as
well as many support personnel from the attacked site and from
various suppliers, will sacrifice many hours of otherwise
productive time:

     Time to determine the cause of the attack.
     The removal of the virus code from the system.
     The recovery of lost data.
     The detective work required to locate the original source of
          the virus code.

     Then, there's the management time required to determine how
          this will be prevented in the future.


WHO DEVELOPS VIRUSES?

The virus developer, regardless of his specific motivation, will most
probably want to see some form of publicity resulting from his
handiwork. Anywhere from a "Gotcha" message appearing on the
computer's screen after the attack, to major press coverage of
that particular virus' spread and wake of damage.

Some of the reasons for someone to spend their time developing a
virus program are:

     A practical joke.
     A personal vendetta against a company or another person.
          i.e.: a disgruntled employee.
     The computer-literate political terrorist.
     Someone trying to gain publicity for some cause or
          product.
     The bored, un-noticed "genius," who wants attention.
     The mentally disturbed sociopath.


IS THE THREAT REAL?

Yes, however thus far the destructive ones have primarily been in
the Academic environment. Several attacks have been documented by
the press, and, from first hand experience, I can attest to the
fact that those reported do exist. We have seen some of them and
successfully tested our Disk Watcher product against them.

Reputable individuals have reported additional viruses to us, but
these have not reached the scale of distribution achieved by the
now infamous "Lehigh," "Brain," "Israeli," and "Macintosh"
viruses.

We do expect the situation to worsen due to the attention it's
received. Taking simple lessons from history, a new phenomenon,
once given attention, will be replicated by individuals who
otherwise have no opportunity for personal attention.

Now that there are products for defense from viruses, the virus
writers have been given a challenge; and for those people who
have always wanted to anonymously strike out at someone but
didn't know of a method to do so, the coverage has provided a
"How To" guide.


HOW DOES A VIRUS GET INTO YOUR COMPUTER SYSTEM?

A virus may be entered into a system by an unsuspecting user who
has been duped by the virus creator (Covert entry), or it may be
entered directly by the creator (Overt entry).

     Examples of Covert entry of a virus into a computer
          system.

          A "carrier" program such as a "pirate" copy of a
             commercial package that has been tampered with, is
             utilized by the unsuspecting user, and thus
             introduces the virus code into the system.

             Other types of carriers could be programs from
             Bulletin Boards that have been either tampered
             with or specifically designed as viruses, but
             disguised as useful programs. There has even been
             a destructive virus disguised as a "virus
             protection" program on a BBS.

          The user unknowingly acquires an "infected" disk
             and uses it to boot the system.

             The virus has been hidden in the system files and
             then hides itself in system RAM or other system
             files in order to reproduce, and later, attack.


     Examples of Overt entry into a computer system.

          An individual bent on harassing the user or
             sabotaging the computer system, modifies an
             existing program on that computer or copies a
             virus program onto someone's disk during their
             absence from their work station.


HOW DOES A VIRUS SPREAD?

A virus may reproduce itself by delaying its attack until it has
made copies of itself onto other disks (Active reproduction), or
it may depend entirely on unsuspecting users to make copies of it
and pass them around (Passive reproduction). It may also use a
combination of these methods.


WHAT TRIGGERS THE VIRUS ATTACK?

Attacks begin upon the occurrence of a certain event, such as:

     On a certain date.
     At a certain time of day.
     When a certain job is run.
     After "cloning" itself n times.
     When a certain combination of keystrokes occurs.
     When the computer is restarted.

One way or another, the virus code must put itself into a
position to either start itself when the computer is turned on,
or when a specific program is run.


HOW DOES ONE DISTINGUISH A VIRUS FROM A "BUG" IN  A PROGRAM  OR A
HARDWARE MALFUNCTION?

This can be a tough one. With the publicity surrounding viruses,
many people are ready to believe that any strange occurrence
while computing may have been caused by a virus, when it could
simply be an operational error, hardware component failure, or a
software "bug."

While most commercial software developers test their products
exhaustively, there is always the possibility that some
combination of hardware, mix of installed TSR's, user actions, or
slight incompatibilities with "compatible" or "clone" machines or
components can cause a problem to surface.

We need to remember some key points here:

1. Examine the probabilities of your actually having come in
     contact with a virus.

2. Don't just assume that you've been attacked by a virus and
     abandon your normal troubleshooting techniques or those
     recommended by the product manufacturers.

3. When in doubt contact your supplier or the manufacturer for
     tech support.

4. Having an effective "Virus Protection" system installed may
     help you determine the cause of the problem.


HOW CAN YOU AVOID COMING IN CONTACT WITH VIRUSES?

1.  Know and be comfortable with the source of your software
     acquisitions.

     If you use a BBS (Bulletin Board), verify that the BBS is
        reputable and that it has satisfactory procedures in
        place to check out its software as well as provisions
        to prevent that software from being modified.

     Do not use illegitimate copies of software.

     Be sure that the developer of the software you're using
        is a professional. Note that many "Shareware" products
        are professionally produced. You needn't stop using
        them. Just be sure that you have a legitimate copy of
        the program if you choose to use these products.

     Don't accept free software that looks too good to be
        true.

2.  Install a professional virus protection package on your
     computer that will alert you to any strange goings on.

3.  Provide physical security for your computers.
     i.e.: Locked rooms; locks on the computers; etc.

4.  If you're unsure of a disk or a specific program, run it in an
     isolated environment where it will not be able to do any
     damage.

     i.e.: Run the program on a "diskette only" computer, and keep
          a write-protect tab on your "System Disk."

         Run the program with "Virus Protection" software
          installed.

5.  Establish and maintain a sound Back-Up policy.

     DO NOT USE ONLY ONE SET OF BACK-UP DISKS THAT ARE
     CONTINUOUSLY WRITTEN OVER.

     Use at least three complete sets of back-up disks that are
      rotated in a regular cycle.


DO YOU  NEED SOME  FORM OF PROTECTION FROM VIRUSES?

It couldn't hurt !!!  You do lock the door to your home
  when you go out, right?

Plan in advance the methods you'll use to ward off virus attacks.
It's a far more effective use of management time to establish
preventative measures in a calm environment instead of making
panic decisions after a virus attack has occurred.


IS THERE ANY SOLUTION AVAILABLE THAT'S ABSOLUTELY FOOLPROOF?

No !!!

Any security system can be broken by someone dedicated and
knowledgeable enough to put forth the effort to break the system.


WHAT LEVEL OF PROTECTION DO YOU NEED?

This of course depends on many factors, such as:

     1. The sensitivity of the data on your PC's.
     2. The number of personnel having access to your PC's.
     3. The security awareness of computing personnel.
     4. The skill levels of computing personnel.
     5. Attitudes, ethics, and morale of computing personnel.

A key point of consideration is the threshold for the amount of
security you can use versus its impact on normal productivity.

Human nature must also be considered. If you were to install 10
locks on your front door and it cost you 5 minutes each time you
enter your home, I'll bet that the first time that it's
raining... and you have 3 bags of groceries... you'll go back to
using the one lock you always used.


HOW CAN A SOFTWARE PRODUCT PROTECT AGAINST VIRUSES?

There are several approaches that have been developed. 

One form is an "inoculation" or "signature" process, whereby the
key files on a disk are marked in a special way and periodically
checked to see if the files have been changed. Depending on the
way in which this is implemented, this method can actually interfere
with programs that have built-in integrity checks.
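The external-baseline variant of this "signature" approach, as an added example that is not from the original article or from any product it names: the key files are hashed on a known-clean system and the baseline is stored separately, so the files themselves are never marked and a program's own built-in integrity check is left intact. The file names, their contents, the in-place tampering and the choice of SHA-256 are constructed assumptions for the demonstration.

```python
# Added example (not code from the original article or from RG Software's
# products): a "signature"-style integrity check that keeps an external
# baseline of key files instead of marking the files themselves, so a program
# carrying its own built-in integrity check is never modified.
# File names and contents below are constructed for the demonstration.
import hashlib
import tempfile
from pathlib import Path

HASH_ALG = "sha256"   # assumption: any collision-resistant hash will do here


def file_digest(path):
    """Hash a file in chunks so large programs need not fit in memory."""
    h = hashlib.new(HASH_ALG)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(key_files):
    """Record size and digest of each key file while the system is known clean.
    Keep the result on write-protected media: a baseline that an intruder can
    rewrite proves nothing."""
    baseline = {}
    for p in map(Path, key_files):
        baseline[str(p)] = {"size": p.stat().st_size, "digest": file_digest(p)}
    return baseline


def verify_baseline(baseline):
    """Compare the disk with the baseline. A size check alone would miss code
    overwritten in place, so the digest is always compared as well.
    Returns basenames grouped as changed / missing / unchanged."""
    report = {"changed": [], "missing": [], "unchanged": []}
    for name, expected in baseline.items():
        p = Path(name)
        if not p.exists():
            report["missing"].append(p.name)
        elif p.stat().st_size != expected["size"] or file_digest(p) != expected["digest"]:
            report["changed"].append(p.name)
        else:
            report["unchanged"].append(p.name)
    return report


def run_demo():
    """Constructed scenario: three stand-in system files are baselined; one is
    then extended in place (as a program-infecting virus would do) and one is
    deleted. Returns the verification reports before and after."""
    tmp = Path(tempfile.mkdtemp())
    files = {
        "COMMAND.COM": b"MZ" + b"\x00" * 100,            # constructed stand-in program
        "AUTOEXEC.BAT": b"@ECHO OFF\r\nPROMPT $P$G\r\n",
        "CONFIG.SYS": b"FILES=20\r\nBUFFERS=20\r\n",
    }
    for name, content in files.items():
        (tmp / name).write_bytes(content)
    baseline = build_baseline([tmp / n for n in files])
    before = verify_baseline(baseline)

    with open(tmp / "COMMAND.COM", "ab") as f:   # simulate bytes appended to a program
        f.write(b"\x90" * 16)
    (tmp / "CONFIG.SYS").unlink()                 # simulate a deleted startup file
    after = verify_baseline(baseline)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("clean system:   ", before)
    print("after tampering:", after)
```

The check only tells you that a file differs from the baseline, not what changed it; that is why the article pairs this method with knowing the source of your software and with a backup rotation, so a changed file can be compared with, or restored from, a copy that predates the change.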

Another method is to "Write Protect" specific key areas of the
disk so that no software is permitted to change the data in those
places.

We at RG Software Systems, Inc. believe that preventative
measures are the most effective. The Disk Watcher system provides
multiple lines of defense: A "Batch" type program automatically
checks all active disk drives for the presence of certain hidden
virus characteristics when the computer is started, and a TSR
(Terminate and Stay Resident) program monitors ongoing disk
activity throughout all processing. The "Batch" program
can also be run on demand at any time to check the disk in a
specific drive.

The TSR program, in addition to its other "Disaster
Prevention" features, contains a series of proprietary algorithms
that detect the behavior characteristics of a myriad of virus
programs, and yet produce minimal overhead in processing time
and "false alarm" reports. Disk Watcher is uniquely able to tell
the difference between legitimate I/O activity and the I/O activity
of a virus program.

When an action occurs that is indicative of a virus attempting to
reproduce itself, alter another program, set itself up to be
automatically run the next time the system is started, or perform
a massively damaging act, Disk Watcher will automatically "pop up."
The user will then have several options, one of which is to
immediately stop the computer before any damage can be done.
Detection occurs BEFORE the action takes place.

Other options allow the user to tell Disk Watcher to continue the
application program and remember that this program is permitted
to perform the action that triggered the "pop up."

   Some very important features of Disk Watcher are:

   Whenever the user selects the "Stop the Computer" option, the
   Application screen image and the Disk Watcher screen image will be
   sent to the system printer before the machine is stopped, so that
   an effective analysis of the problem may be done.

   Disk Watcher performs an integrity check on itself whenever it runs.
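A rule-based behaviour monitor, added here to illustrate the mechanism the preceding paragraphs describe; it is not Disk Watcher's code or its proprietary algorithms. Each disk request is judged before it is carried out, a program the user vouches for is remembered so it is not asked about again, and the request that causes a halt is recorded for the post-mortem analysis the article recommends. The program names, file names, rules and scripted user answers are all constructed for the demonstration.

```python
# Added example (not code from the original article and not RG Software's Disk
# Watcher): a rule-based monitor run over a constructed stream of disk-access
# requests. It judges each request before it is performed, remembers programs
# the user has vouched for, and keeps a record of the request that caused a
# halt. Program names, file names and rules are constructed assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DiskRequest:
    program: str   # program issuing the request
    op: str        # "read", "write" or "format"
    target: str    # file name, drive letter, or "BOOT_SECTOR"


# Files DOS loads or runs at startup; writing them is how a virus arranges to be
# started with the machine (assumed list, chosen for the demonstration).
STARTUP_FILES = {"AUTOEXEC.BAT", "CONFIG.SYS", "IO.SYS", "MSDOS.SYS", "COMMAND.COM"}
PROGRAM_SUFFIXES = (".COM", ".EXE", ".SYS", ".OVL")


def classify(req):
    """Return the suspicious behaviour a request matches, or None if benign."""
    target = req.target.upper()
    if req.op == "format":
        return "massive destruction (format)"
    if req.op == "write" and target == "BOOT_SECTOR":
        return "set up to run at start (boot sector write)"
    if req.op == "write" and target in STARTUP_FILES:
        return "set up to run at start (startup file modified)"
    if req.op == "write" and target.endswith(PROGRAM_SUFFIXES):
        return "alter another program (program file written)"
    return None


@dataclass
class Monitor:
    permitted: set = field(default_factory=set)   # (program, behaviour) pairs the user accepted
    log: list = field(default_factory=list)       # record kept when the machine is stopped
    prompts: int = 0                              # how often the user was asked
    halted: bool = False

    def handle(self, req, decide):
        """Judge one request before it runs. `decide(program, behaviour)` stands
        in for the pop-up and returns 'stop', 'allow' or 'remember'.
        Returns 'performed' if the I/O may go ahead, 'blocked' otherwise."""
        if self.halted:                      # machine has been stopped; nothing more runs
            return "blocked"
        behaviour = classify(req)
        if behaviour is None or (req.program, behaviour) in self.permitted:
            return "performed"
        self.prompts += 1
        choice = decide(req.program, behaviour)
        if choice == "remember":
            self.permitted.add((req.program, behaviour))
        if choice in ("remember", "allow"):
            return "performed"
        self.log.append(f"{req.program}: {req.op} {req.target} -> {behaviour}")
        self.halted = True
        return "blocked"


def run_sample():
    """Constructed stream: an installer legitimately writes program files (the
    user tells the monitor to remember it), a spreadsheet writes a data file,
    and an unknown program tries to write the boot sector and then format."""
    requests = [
        DiskRequest("INSTALL.EXE", "write", "WP.EXE"),
        DiskRequest("INSTALL.EXE", "write", "WPHELP.EXE"),
        DiskRequest("LOTUS.EXE", "write", "BUDGET.WK1"),
        DiskRequest("GAME.COM", "write", "BOOT_SECTOR"),
        DiskRequest("GAME.COM", "format", "C:"),
    ]
    answers = {"INSTALL.EXE": "remember"}   # scripted user answers; anything else -> stop
    monitor = Monitor()
    results = [monitor.handle(r, lambda prog, why: answers.get(prog, "stop")) for r in requests]
    return results, monitor


if __name__ == "__main__":
    results, monitor = run_sample()
    for req, result in zip(run_sample.__doc__ and [1, 2, 3, 4, 5], results):
        print(req, result)
    print("halted:", monitor.halted, "prompts:", monitor.prompts)
    print("\n".join(monitor.log))
```

Two design points worth noting. The permitted set is keyed by program name, which is fine for a demonstration but is exactly the kind of identity a carrier program can borrow; a real monitor has to tie the exception to something harder to spoof than a file name. And the log is what survives the halt: like the printed screen images the article describes, it is the only record of events other than the operator's recall.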

The "Destructive" viruses that produce "selective" file
destruction or "Random Havoc" are the most difficult to defend
against. The best measures are to prevent them from getting into
the system in the first place.


WHICH VIRUS PROTECTION PACKAGE IS RIGHT FOR YOU?

Since the first reports of virus attacks appeared in the press, a
number of "Virus Prevention" products have quickly appeared on
the market, produced by companies wishing to take advantage of a
unique market opportunity. This is to be expected. RG Software
Systems, Inc. is one of them with our Disk Watcher product.

It should be pointed out, however, that as of this writing, only
a little over 2 months has transpired since the first major
stories appeared.

Those companies that have had to build a product from scratch
during this limited amount of time have had to design the
defensive system, write the program code, write the user's
manual, design the packaging, "Alpha" test, "Beta" test, and
bring their product through manufacturing to market. A monumental
task in a miraculously short period of time.

Companies that have had products on the market that include virus
protection, or products that were enhanced to include virus
protection, such as Disk Watcher, have had extra time and field
experience for the stabilization of their products.

As a professional in this industry, I sincerely hope that the
quickly developed products are stable in their released form.

The evaluation points listed below are usually applied as a
standard for all types of software products:


         *Price
         *Performance
         *Ease of Use
         *Ease of Learning
         *Ease of Installation
         *Documentation
         *Copy Protection
         *Support

A "Virus Protection" package, like a security system for your
home, requires a close scrutiny.  You want the system to do the
job unobtrusively, and yet be effective.

TWELVE SPECIAL CONSIDERATIONS FOR VIRUS PROTECTION PACKAGES:

1.  Amount of impact the package may have on your computer's
     performance.

     If the package is "RAM Resident," does it noticeably slow
          down your machine's operations?
     If so, with what type of operation? Are program start-ups
          slowed? Are database operations slowed?


2. Level of dependency on operator intervention.

     Does the package require the operator to perform certain
          tasks on a regular basis in order for it to be
          effective? (Such as only checking for virus conditions
          on command.)
     Does the package require much time to install and keep
          operational? i.e.: Each time any new software is
          installed on the system, must the protection package be
          used?

3. Impact on productivity... Annoyance level.

     Does the package periodically stop processing and/or require
          the operator to take some action? If so, does the
          package have any capability to learn its environment
          and stop its interference?

4. False alarms.

     How does the package handle situations that appear to be
          viruses but are legitimate actions made by legitimate
          programs?
     Are there situations where legitimate jobs will have to be
          re-run or the system re-booted because of the
          protection package? How frequently will this occur?
     How much additional end-user support will the package
          require?

5. The probability that the package will remain in use.

     Will there be any interference or usage requirements that
          will discourage the user from keeping the package
          active? (It won't be effective if they quickly desire
          to de-install it and perhaps only pretend they are
          using it when management is present.)

6. Level of effectiveness it provides in combating viruses.

     Will it be effective against viruses produced by someone
          with an experience level of:

          Level 1 - "Typical End User"? (Basic knowledge of using
                      applications and DOS commands.)
          Level 2 - "Power User"? (Knowledge of DOS Command
                      processor, Hardware functions, BASIC
                      programming, etc.)
          Level 3 - "Applications Programmer"? (Knowledge of
                      programming languages and DOS service calls.)
          Level 4 - "Systems Engineer"? (Knowledge of DOS and
                      Hardware internal functions.)
          Level 5 - "Computer Science Professor that develops
                         viruses for research purposes"?

     Which types of intrusion will it be effective against?

          "Covert Entry"?
          "Overt Entry"?

     Does it detect a virus attempting to spread or "clone"
          itself?

     Does it detect a virus attempting to place itself into a
          position to be automatically run?

     If a virus gets into the computer, which types of virus
          damage will it detect?

          "Massive Destruction"
          "Partial Destruction"
          "Selective Destruction"
          "Random Havoc Destruction"
          "Annoyance"

     Does the software detect a virus before or after it has
          infected a program or made its attack?

     Does the publisher claim total protection from all viruses?


7. Does the software provide any assistance for "post mortem"
    analysis of suspected problems?

     i.e.: If a virus symptom is detected and the computer is
     brought to a halt, is there any supporting information
     for analyzing the problem other than the operator's
     recall of events?


8. Impact on your machine's resources.

     How much RAM is used?
     Is any special hardware required?


9. Is the product compatible with:

     Your hardware configuration.
     Your Operating system version.
     Your network.
     Other software that you use, especially TSR's.

10.  Can the package be used by current computing personnel
     without substantial training?

     What type of computing experience is required to install the
          package?

11. Background of the publisher.

     References... Who is using this or other products from
          this publisher? How is this company perceived by its
          customers? The press?

     How long has the publisher been in business?

     Was the product Beta Tested?... By valid, well-known
          organizations or by friends of the company's owner?

     Was the product tested against any known viruses?
          Successfully?

     What about on-going support? In what form? At what cost?

     Does the company plan to upgrade its product periodically?

     What is the upgrade policy? Expected costs?

12. Does the package provide any other useful benefits to the
     user besides virus protection?