💾 Archived View for spam.works › mirrors › textfiles › virus › virus_st.whm captured on 2023-11-04 at 16:04:24.

View Raw

More Information

⬅️ Previous capture (2023-06-16)

-=-=-=-=-=-=-

Date:  Sun, 17 Mar 91 12:24 EST
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject:  DPMA Talk - "A NEW STRATEGY FOR COMPUTER VIRUSES"

A NEW STRATEGY FOR COMPUTER VIRUSES





                                           William H. Murray

                                           Deloitte & Touche
                                         Wilton, Connecticut



















































A New Strategy for Computer Viruses                        1

PREFACE



This  presentation  was prepared  for and  delivered to  the
"DPMA 4th Annual Virus and Security Conference" on March 14,
1991.






















































Preface                                                    2

ABSTRACT



This presentation argues that it is time for a new  strategy
for dealing with computer viruses.  It  reviews  the present
strategy  and  suggests that it  was adopted before  we knew
whether or not viruses would be successful.  It  points  out
that this strategy is essentially "clinical."  That  is,  it
treats the  symptoms of the virus  without  directly dealing
with its growth and spread.

It presents evidence  that  at least  two  computer viruses,
Jerusalem  B and Stoned, are epidemic, that more  copies are
being created than are being killed.  It  argues that simply
the growth of the viruses, without regard to their symptoms,
is a problem.

It  argues  that  it  is now  time  for  an  epidemiological
approach to viruses.  A keystone of such an approach will be
the  massive  and pervasive use of  vaccine programs.  These
programs are  characterized  by  being  resident, automatic,
getting  control  early,  and  acting  to  resist  the  very
execution of the virus program.

The presentation notes that there is significant  resistance
to  such a  strategy and, specifically, to  the  use of such
programs.  It  addresses  many  of  the  arguments  used  to
justify   this  resistance.  It   concludes   that  we  will
ultimately be forced to such a strategy, but that, given the
growth of  the  viruses and the resistance to  stragtegy, we
will not likely act on a timely basis.





























Abstract                                                   3

STRATEGY


It  is time for a  new  strategy for dealing  with  computer
viruses.  The  present  strategy  recommended   by  computer
manufacturers,  the  National  Institute  of  Standards  and
Technology (NIST), this author,  and others is to:













Because many of us believed that talking about viruses could
only  make the  problem  worse, there was  also a  "silence"
component in the strategy.

This strategy  was developed more  than three years ago.  At
that time, the potential for success of computer viruses was
still unknown.  The concern was for the potential for damage
to individual users and systems and, to  a lesser extent, to
the health of the institution.

Today there is  no  longer any  doubt  as to  the success of
computer viruses.  There are  more than four hundred viruses
that  have  been identified and  cataloged.  Twenty-five  of
these  are  classified as "common."  That  is,  they are  so
widespread  as to be considered  both successful and out  of
control.  Another sixty-six are  classified as "rare."  What
this really means  is they are  young,  and their success is
not  yet  demonstrated.  However,  there  are  a  sufficient
number of viruses in this class  and copies of each  of them
that the future success of some of them is certain.

One  common  virus,  Jerusalem B, is  estimated  to  have  a
hundred  thousand  copies.  Since it  is known  to date from
November 87, its rate of growth suggests that there may well
be sixteen million copies by November 91 [TIPP].

Most  large institutions have  now seen one or more viruses.
Many  now  report  several  infections  a  month.  In  some,
infection is now so  routine  that they no  longer bother to
report.  Given  this  success, it  seems  certain  that  all
organizations will suffer from infection.  It is no longer a
question of whether or not, but only of when and how often.

While  the  concern remains damage to user systems and data,
this is no  longer appropriate.  The  concern  should be the
epidemic growth,  damage  to  the  community,  and potential
damage to necessary trust.

Dealing with viruses is  now a  cost of doing business.  You


Page     1

must  pay.  The  only questions are whether you pay early or
late, with disruption or without.

Since viruses have demonstrated such rapid growth, they must
be removed.  If  they are not removed, ultimately they  will
saturate  the space.   The  requirement  to  remove  them is
independent  of the symptoms that they  manifest.  That  is,
even   if  they  did  nothing  other  than  make  copies  of
themselves,  you  would  still  have to  remove them.  Thus,
replication, all by itself, is a problem.  [Some viruses are
self-limiting.]

In  other  words, while the  symptoms  of the  virus may  be
problematic,  mere replication  is  THE problem.  Therefore,
the  strategy must  be aimed at preventing  replication  and
spread, not simply at limiting and repairing damage.  In the
face  of  the  epidemic growth,  the  old  strategy  is  the
equivalent  of trying to deal with smallpox  by washing your
hands and treating sores and fever.

The old strategy was intended  to  be conservative.  Indeed,
when it was developed, it was conservative.  In the light of
what we  know today, it is  merely  timid.  However, we have
restated  it  so many times that  the  timid  are  unable to
abandon it.

We were successful in eliminating  smallpox from the face of
the  earth  only  after we had a cheap,  effective, and safe
vaccine.  However, the  existence  and  availability  of the
vaccine  proved not to have been sufficient; we also had  to
have the will to apply it massively and pervasively.

We now have  computer software  that is the equivalent of  a
number   of  broad  spectrum  vaccine.   It  is  capable  of
preventing a  specific  computer from being  infected.  More
important,  it is capable  of preventing the  replication of
the  virus.  It is characterized  by  the fact  that  it  is
resident and  acts early.  Some of it acts  on the basis  of
detection  of  the  signature  of  known  viruses;  some  by
recognizing   trusted   software.   Its   intended   use  is
distinguished from that of earlier scanning software  by the
fact that it  acts  before,  rather  than  after,  the virus
executes  and replicates.  It  is  distinguished  from  some
resident programs  by  its intent to block execution, rather
than to block writing.

Some  have  suggested  that  there is  nothing fundamentally
different about this software.  They  assert  that IBM  Scan
can do anything that this software can do.  IBM insists that
their advice for good hygiene includes the  advice  that you
scan all new software BEFORE using.  If you were to do that,
then the effect would be the same as vaccination software.

This argument fails  to take into account how the viruses in
question really spread.  It assumes that viruses spread when
people use new software that they know  is new and that they
intend  to  use.  In  reality  viruses  are  spreading  from
machine  to diskette  and  diskette  to  machine without any
conscious  intent  to share software.  The software that  is


Page     2

spreading  the viruses are  things like the  loader  in  the
diskette   boot   sector,   the   operating   system   (e.g.
COMMAND.COM),  TSRs (terminate-and-stay-RESIDENT  programs),
and  the MacIntosh  FINDER.  These  are  programs  that  are
beneath the level  of notice or  intent  of  most users  and
beyond the level of knowledge of many.

In a typical scenario, a student enters a  laboratory, picks
a  machine   at  random,  inserts  a  diskette  and  presses
Ctl-Alt-Del.  With  many of the  successful viruses, if  the
diskette is infected, the machine becomes infected.  If  the
machine was  infected, the  diskette becomes infected.  When
the diskette  is inserted in another  machine, that  machine
becomes  infected.  There  was no intent to share  software;
nothing to trigger the use of  IBM-Scan  in the way that IBM
recommends.

Use of  IBM-Scan in the manner that IBM recommends, requires
both knowledge and intent on the part of the user.  While it
is sufficient to  protect any particular user or machine, it
has  not been sufficient to resist the  growth and spread of
viruses.

Many  have  resisted the  use of  such software on the basis
that  it would not be one hundred  percent effective.  Those
vaccines  that rely  upon  their  ability to  recognize  the
virus,  would not be effective  against  new viruses.  While
this  is  true  in principle, it  does  not  matter much  in
practice.   They  are   effective   against  the  widespread
viruses.  They  can be made effective against new viruses in
less time than those viruses can spread widely, though  this
begs the question of timely distribution and maintenance.

Those that  rely  upon  restricting  execution  to  software
trusted by the user,  are  vulnerable  to  the user's  being
duped.  While it  will  always be  possible for a user to be
baited  into executing a  virus,  even  in  the presence  of
software intended to  resist it,  the present success of the
viruses takes place in an environment  in  which there is no
resistance at  all.  It  is  reasonable  to assume  that the
software will be successful in  resisting the  execution  of
the  virus much of the time, perhaps often  enough to retard
the epidemic growth.

There are those who resist the use  of vaccines on the basis
that  such  use  would  simply  encourage  new  and  smarter
viruses.  These viruses would take advantage of knowledge of
the  vaccine to  defeat it.  This concern is based, in part,
upon acceptance of the fact  that, at least in theory, there
is no perfect defense against  a  sufficiently  smart virus.
Of course, this is true about  any security measure  and any
threat.  Jake's Law  asserts that  "anything  hit with a big
enough  hammer  will fall to pieces."  However,  a  security
measure need not be one hundred percent effective for us  to
use  it.  We  use  those  that  are  efficient;  those  that
displace sufficient risk or damage to cover their cost.  One
hundred percent  effective security measures  have  infinite
cost.  Therefore,  we  do not attempt to eliminate risk, but
rather to  limit it.  It is not necessary to be one  hundred


Page     3

percent effective against all viruses  all  of  the time  in
order to resist, limit, or even reverse the growth.

Those who would  tolerate today's viruses because  resisting
them  might  make  tomorrow's  viruses  worse,  embrace  the
strategy so thoroughly discredited at Munich.  It is  called
"let sleeping  dogs  lie."  Unfortunately  these dogs,  like
those of war, are not sleeping, they are replicating.

Some have suggested that we should ignore the dogs and worry
about the dragon, the omniscient puissant virus.  Of course,
no one has  seen  the dragon, but the  dogs are here now and
their numbers are  legion.  "Oh, but" they say,  "if you use
your arrows on the dogs,  you  may  provoke the dragon  into
existence.  The  dragon will be created  to be  specifically
resistant to your arrows.  It  will include  knowledge about
your arrows and be so intelligent as to be able to overwhelm
your compromised defenses."

The  intelligence of  the  virus  is an issue only  if it is
successful  in  getting  itself executed.  The  idea  behind
these  vaccines is that they prevent the virus  from getting
control in the first place.

Viruses are bad enough; we  should  not  frighten  ourselves
into  inaction with  our  own  fantasies.  While  there  are
limits to the  effectiveness of any defense against viruses,
there are also limits to their  power.  All  of  the hype to
the  contrary  notwithstanding, viruses cannot  do magic.  A
virus must succeed in getting itself executed in order to do
anything.  In no circumstance can it make  your  PC levitate
off the desk and smash against the wall.

Part of the resistance  appears  to  be rooted in a  concern
that one vaccine would be so  successful and pervasive as to
become a  target for viruses.  This would be unlikely in any
case.  It is particularly unlikely in the face of the number
of candidates,  the variety of strategies  that they employ,
and the success that each has already achieved.

Some managers resist the  use of  this  software  because of
cost.  Most  of these  managers are  responsible  for  large
numbers of systems.  When  multiplied  by  these  numbers of
systems, the cost of the software rapidly escalates into the
thousands of dollars.

If there  were some  question  about  whether or  not  their
systems would  be infected, or if there  were a limited cost
to  it, this resistance might make  sense.  As  it is, it is
almost  a  certainty that  they will  be infected.  The only
questions are when  and how often.  The cost of dealing with
viruses is now  a  tax on the use of computers.  Like  other
taxes,  it is inevitable.  You will pay.  You  may pay early
with limited disruption, or late with  unlimited disruption,
but you will pay.

The Jerusalem B virus may  infect many  of the  systems on a
LAN in  hours.  The number of copies of Jerusalem B in a LAN
doubles in minutes to hours, depending upon user privileges.


Page     4

If not removed  promptly, it may saturate  the LAN in  days.
It must be removed.  At  a minimum, removing it will require
the scanning and/or  purging of all  the hard disks.  If the
systems  on the LAN are not  immunized before restarting the
file server, then  the LAN  will be reinfected within hours.
A few  managers have purged a  LAN twice.  One  or two  have
even done it three times.  We know of no one  that  has done
it  four  times.  The  cost of  purging a  hard  drive  once
approaches  the  cost of  the  software.  The  cost  is  not
avoidable.

We  are in the incipient phase of an epidemic.  The  viruses
are multiplying  at a  significant  rate.  There are tens of
them and  they do not compete until you  begin to run out of
disk  space.  They are successful  in spite of the best that
we can expect from  our  present strategy.  It is the growth
of the virus, rather than its symptoms, that is the problem.
We are rapidly running out of time to cope.

We have a number of vaccines that are effective  against all
of the viruses that are patently successful, and most of the
others.  However,  they  must be  applied  to  a  system  to
protect that  system.  They  must  be  applied massively and
pervasively to  be  effective  in  halting  or reversing the
growth.  The earlier the better.  It is urgent that we begin
now.  It is time for a new strategy.

The new strategy will continue  to include  good hygiene and
backup copies of programs and other  data.  However, it must
include  rapid, massive,  and  pervasive  vaccination of all
business and academic systems, beginning with those that are
shared by multiple users.  It  must  include  isolation  and
quarantine of unvaccinated systems.

No, I am not proposing law or regulation,  or even political
pressure.  I am  proposing responsible behavior  on the part
of influential people.  If  you have  influence over a large
number  of machines,  you should vaccinate them.  I  am also
proposing peer pressure; we must influence  each  other  and
support each other in responsible action.

It will require courage.  It is difficult  to go against the
conventional wisdom; it persists long after it  ceases to be
wise.

I am certain that we will act;  in  the  long  run, I do not
believe that there is a  choice.  I  am not hopeful that  we
will  act  in  time; the short run is all too short, and the
resistance to change all too high.












Page     5