💾 Archived View for spam.works › mirrors › textfiles › virus › ibmpaper.vir captured on 2023-11-14 at 12:51:41.

View Raw

More Information

⬅️ Previous capture (2023-06-16)

-=-=-=-=-=-=-

 
 
 
 
 
 
          Coping with Computer Viruses and Related Problems
 
          Steve R. White
          David M. Chess
          IBM Thomas J. Watson Research Center
          Yorktown Heights, NY
 
          Chengi Jimmy Kuo
          IBM Los Angeles Scientific Center
          Los Angeles, CA
 
          Research Report (RC 14405)
          January 30, 1989
 
 
 
          This research report is provided without restriction;
          we encourage its redistribution.
 
 
 
 
 
          Copies may be requested from:
 
          IBM Thomas J. Watson Research Center
          Distribution Services F-11 Stormytown
          Post Office Box 218
          Yorktown Heights, New York 10598
 
          (This report will be available from this address up to
           one year after the IBM publication date (up to Jan 1990))
 
 
          This online version differs from the hardcopy report only
          in pagination, and in using *asterisks* for emphasis.  It
          is formatted to print at 66 lines per page, and 80 or so
          characters per line (including a 10 character margin on
          either side).
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
                     Coping with Computer Viruses and Related Problems
 
 
 
 
 
 
 
 
 
 
                                                        Steve R. White
                                                        David M. Chess
                                  IBM Thomas J. Watson Research Center
                                                  Yorktown Heights, NY
 
                                                      Chengi Jimmy Kuo
                                     IBM Los Angeles Scientific Center
                                                       Los Angeles, CA
 
 
 
 
 
                                       Research Report Number RC 14405
 
                                                      January 30, 1989
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
          ABSTRACT
 
 
 
          We discuss computer viruses and related problems.  Our
          intent is to help both executive and technical managers
          understand the problems that viruses pose, and to suggest
          practical steps they can take to help protect their
          computing systems.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
          Abstract                                                  ii
 
 
 
 
 
 
 
 
 
          CONTENTS
 
 
 
          1.0  Executive Summary   . . . . . . . . . . . . . . . . . 1
          1.1  What Is a Computer Virus?   . . . . . . . . . . . . . 1
          1.2  How Can Computer Viruses Affect an Organization?  . . 2
          1.3  How Serious Is The Problem?   . . . . . . . . . . . . 2
          1.4  Summary and Recommendations   . . . . . . . . . . . . 3
 
          2.0  Coping with Computer Viruses: A Guide for Technical
           Management  . . . . . . . . . . . . . . . . . . . . . . . 5
          2.1  How Viruses Infect Computing Systems  . . . . . . . . 5
          2.2  How Viruses Differ From Other Security Threats  . . . 6
          2.3  General Security Policies   . . . . . . . . . . . . . 7
            2.3.1  User Education  . . . . . . . . . . . . . . . . . 7
            2.3.2  Backups   . . . . . . . . . . . . . . . . . . . . 7
          2.4  Decreasing the Risk of Viral Infection  . . . . . . . 8
            2.4.1  Isolated Systems  . . . . . . . . . . . . . . . . 8
            2.4.2  Limited-Function Systems  . . . . . . . . . . . . 9
            2.4.3  Policies for Software Repositories  . . . . . .  10
            2.4.4  Policies for Production Systems   . . . . . . .  11
          2.5  Detecting Viral Infections  . . . . . . . . . . . .  12
            2.5.1  Watching for Unexpected Things Happening  . . .  13
            2.5.2  Some Symptoms of Known Viruses  . . . . . . . .  13
            2.5.3  Watching for Changes to Executable Objects  . .  15
            2.5.4  Using External Information Sources  . . . . . .  17
          2.6  Containing Viral Infections   . . . . . . . . . . .  17
            2.6.1  The Importance of Early Detection   . . . . . .  17
            2.6.2  The Importance of Rapid Action  . . . . . . . .  18
          2.7  Recovering from Viral Infections  . . . . . . . . .  19
            2.7.1  Restoration and Backups   . . . . . . . . . . .  19
            2.7.2  Virus-Removing Programs   . . . . . . . . . . .  20
            2.7.3  Watching for Re-Infection   . . . . . . . . . .  20
          2.8  Summary and Recommendations   . . . . . . . . . . .  21
 
          For Further Reading  . . . . . . . . . . . . . . . . . .  23
 
          Glossary   . . . . . . . . . . . . . . . . . . . . . . .  24
 
          Appendix: Viral Infections in PC-DOS   . . . . . . . . .  27
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
          Contents                                                 iii
 
 
 
 
 
 
 
 
 
          PREFACE
 
 
 
          While this document has been widely reviewed, and many
          helpful suggestions have been incorporated, the authors are
          entirely responsible for its present content.  It does not
          represent the opinions, policies, or recommendations of IBM
          or any other organization.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
          Preface                                                   iv
 
 
 
 
 
 
 
 
 
          1.0  EXECUTIVE SUMMARY
 
 
 
          Computer viruses present a relatively new kind of security
          problem in computing systems.  The purpose of this section
          is to acquaint the senior management of an organization with
          the nature of the problem.  It also outlines some of the
          steps that can be taken to reduce the organization's risk
          from computer viruses and other, similar, problems.
 
          Traditional computer security measures are helpful, but new
          measures are needed to deal with the problems effectively.
          The computer security management of the organization will
          play a key role in reducing the risk.  But education and
          ongoing participation of the users are also vital.
 
 
 
 
          1.1  WHAT IS A COMPUTER VIRUS?
 
 
          A computer virus is one kind of threat to the security and
          integrity of computer systems.  Like other threats, a
          computer virus can cause the loss or alteration of programs
          or data, and can compromise their confidentiality.  Unlike
          many other threats, a computer virus can spread from program
          to program, and from system to system, without direct human
          intervention.
 
          The essential component of a virus is a set of instructions
          which, when executed, spreads itself to other, previously
          unaffected, programs or files.  A typical computer virus
          performs two functions.  First, it copies itself into
          previously-uninfected programs or files.  Second, (perhaps
          after a specific number of executions, or on a specific
          date) it executes whatever other instructions the virus
          author included in it.  Depending on the motives of the
          virus author, these instructions can do anything at all,
          including displaying a message, erasing files or subtly
          altering stored data.  In some cases, a virus may contain no
          intentionally harmful or disruptive instructions at all.
          Instead, it may cause damage by replicating itself and
          taking up scarce resources, such as disk space, CPU time, or
          network connections.
 
          There are several problems similar to computer viruses.
          They too have colorful names:  worms, bacteria, rabbits, and
          so on.  Definitions of them are given in the glossary.  Each
          shares the property of replicating itself within the
          computing system.  This is the property on which we will
          focus, using viruses as an example.  There are also a
          variety of security issues other than viruses.  Here, we
 
 
          Executive Summary                                          1
 
 
 
 
 
 
 
 
 
          will deal only with viruses and related problems, since new
          measures are required to deal with them effectively.
 
 
 
          1.2  HOW CAN COMPUTER VIRUSES AFFECT AN ORGANIZATION?
 
 
          Let us examine a particular sequence of events, by which a
          virus could enter an organization and spread within it.
          Suppose that the organization hires an outside person to
          come in and perform some work.  Part of that person's work
          involves working on one of the organization's personal
          computers.  The person brings in a few programs to aid in
          this work, such as a favorite text editor.
 
          Without the person having realized it, the text editor may
          be infected with a virus.  Using that editor on one of the
          organization's machines causes the virus to spread from the
          editor to one of the programs stored on the organization's
          machine, perhaps to a spreadsheet program.  The virus has
          now entered the organization.
 
          Even when the outside person leaves, the virus remains on
          the machine that it infected, in the spreadsheet program.
          When an employee uses that spreadsheet subsequently, the
          virus can spread to another program, perhaps to a directory
          listing program that the employee keeps on the same floppy
          disk as the spreadsheet data files.  The listing program is
          then infected, and the infection can be spread to other
          computers to which this floppy disk is taken.  If the
          employee's personal computer is connected to the
          organization's network, the employee may send the listing
          program to another user over the network.  In either case,
          the virus can spread to more users, and more machines, via
          floppy disks or networks.  Each copy of the virus can make
          multiple copies of itself, and can infect any program to
          which it has access.  As a result, the virus may be able to
          spread throughout the organization in a relatively short
          time.
 
          Each of the infected programs in each of the infected
          machines can execute whatever other instructions the virus
          author intended.  If these instructions are harmful or
          disruptive, the pervasiveness of the virus may cause the
          harm to be widespread.
 
 
 
          1.3  HOW SERIOUS IS THE PROBLEM?
 
 
          Traditional security measures have attempted to limit the
          number of security incidents to an acceptable level.  A
 
 
          Executive Summary                                          2
 
 
 
 
 
 
 
 
 
          single incident of lost files in a year may be an acceptable
          loss, for instance.  While this is important, it only
          addresses part of the problem of viruses.  Since a single
          virus may be able to  spread throughout an organization, the
          damage that it could cause may be much greater than what
          could be caused by any individual computer user.
 
          Limiting the number of initial viral infections of an
          organization is important, but it is often not feasible to
          prevent them entirely.  As a result, it is important to be
          able to deal with them when they occur.
 
          Most actual viruses discovered to date have either been
          relatively benign, or spread rather slowly.  The actual
          damage that they have caused has been limited accordingly.
          In some cases, though, thousands of machines have been
          affected.  Viruses can easily be created which are much less
          benign.  Their *potential* damage is indeed large.
          Organizations should evaluate their vulnerability to this
          new threat, and take actions to limit their risks.
 
 
 
 
          1.4  SUMMARY AND RECOMMENDATIONS
 
 
          o   A computer virus is a program that can infect other
              programs by modifying them to include a copy of itself.
              When the infected programs are executed, the virus
              spreads itself to still other programs.
 
          o   Viruses can spread rapidly in a network or computing
              system and can cause widespread damage.
 
          o   Unlike many other security threats, viruses can enter a
              given computing system without anyone intending them to.
 
 
          o   There are no known ways to make a general computing
              system completely immune from viral attacks, but there
              are steps you can take to decrease the risks:
 
              -   Use good general security practices.  (For a more
                  complete discussion of these points, and some
                  examples of others, see reference (6).)
 
                  --  Keep good backups of critical data and programs.
                  --  Periodically review overall controls to
                      determine weaknesses.
                  --  Use access control facilities to limit access to
                      information by users, consistent with their job
                      duties and management policies.  Audit accesses
                      that do occur.
 
 
          Executive Summary                                          3
 
 
 
 
 
 
 
 
 
                  --  Do not use network connections to outside
                      organizations without a mutual review of
                      security practices.
                  --  Consider limiting electronic mail communications
                      to non-executable files.  Separate
                      communications that must move executable files
                      from electronic mail, so that they can be
                      separately controlled.
                  --  Make security education a prerequisite to any
                      computer use.
 
              -   Put a knowledgeable group in place to deal with
                  virus incidents.
 
                  --  The group may be a formal part of the
                      organization, or may be an informal collection
                      of knowledgeable people.
 
                  --  The group should be responsible for educating
                      users about the threat of viruses, providing
                      accurate information about viruses, responding
                      to reports of viruses, and dealing with viral
                      infections when they occur.
 
                  --  Make sure each employee who works with a
                      computer knows how to contact this group if they
                      suspect a viral infection.
 
              -   Develop a plan to deal with viruses *before* there is
                  a problem.
 
                  --  Decrease the risks of an initial infection, from
                      internal and external sources.
                  --  Put mechanisms in place to detect viral
                      infections quickly.
                  --  Develop procedures to contain an infection once
                      one is detected.
                  --  Know how to recover from a viral infection.
 
              -   Test the plan periodically, as you would test a fire
                  evacuation plan.
 
                  --  But *do not* use a real virus to test the plan!
 
 
 
 
 
 
 
 
 
 
 
 
 
          Executive Summary                                          4
 
 
 
 
 
 
 
 
 
          2.0  COPING WITH COMPUTER VIRUSES: A GUIDE FOR TECHNICAL
          MANAGEMENT
 
 
 
          Once an organization makes a commitment to deal with the
          problems of computer viruses, there are specific areas which
          should receive attention.  The purpose of this section is to
          acquaint technical management with the problems and to
          indicate the actions that can be taken to limit the risks
          posed by viruses.
 
 
 
          2.1  HOW VIRUSES INFECT COMPUTING SYSTEMS
 
 
          There are many ways in which a system can become infected
          with a virus.  Any time a program is run which can alter one
          or more other programs, there is the possibility of viral
          infection.  Any time a user executes a program which is
          written by anyone else, compiled by a compiler, or linked
          with run time libraries, all the resources to which that
          program has access are in the hands of every person who
          contributed to that program, that compiler, or those
          libraries.
 
          The initial introduction of an infected program can occur
          through a large variety of channels, including:
 
          o   Software introduced into or used on the system by an
              outsider who had access to the system,
 
          o   Software used at home by an employee whose home computer
              system is, unknown to the employee, itself infected,
 
          o   Software purchased from a commercial software company
              whose production facilities are infected,
 
          o   Software that turns out to be infected that has been
              down-loaded from public bulletin boards for business
              use, or by employees,
 
          o   Software intentionally infected by a malicious or
              disgruntled employee,
 
          o   *Any* other time that a piece of software (including
              programs, operating systems, and so on) is created
              within the organization, or brought in from *any*
              outside source.
 
          See the appendix for an example of sources and locations of
          possible infection for one operating system.
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                 5
 
 
 
 
 
 
 
 
 
          2.2  HOW VIRUSES DIFFER FROM OTHER SECURITY THREATS
 
 
 
          There are many kinds of threats to security.  Threats
          traceable to dial-in systems are greatly reduced with the
          use of call-back systems.  Simple threats created by
          disgruntled employees can often be traced to the person
          responsible.  One important thing that makes the virus
          different from all the rest is its untraceability.  Except
          in rare cases, the only way a virus' author becomes known is
          if the author admits to ownership.  As a result, an author
          can create a virus with reasonable certainty that he will
          not be discovered.  This allows great latitude in the design
          of the destructive portion of the virus.
 
          The only perfect ways to protect against viral infection are
          isolation and reduced functionality.  A computer system
          cannot be infected if it runs only one fixed program, and
          cannot have new programs either loaded or created on it.
          But this is clearly not very useful in many circumstances.
          So there is almost always some exposure.  As with other
          security concerns, it is a matter of weighing benefits,
          practicality, and potential risks, and then taking
          cost-effective action to help control those risks.
 
          Viruses exhibit elements of many other security threats.
          (See the Glossary for a summary of some of these threats.)
          There are important differences, though.  Dr. Fred Cohen,
          who has done much of the original research on computer
          viruses, defines a virus as:
 
              a program that can "infect" other programs by modifying
              them to include a possibly evolved copy of itself.  (See
              reference (1).)
 
          But a virus is more than the part that replicates itself.
          There is usually also a potentially damaging portion.  This
          portion could be a "time bomb" (on November 11th, display a
          political message), a "logic bomb" (when it sees a certain
          write to disk, it also corrupts the file structure), or
          anything else the virus author can design.  The variety of
          possible effects is part of the reason why the notion of a
          virus is so confusing to many people.  The term "virus" is
          sometimes misused to refer to anything undesirable that can
          happen to a computer.  This is incorrect.  The thing that
          makes viruses and related threats different from other
          problems is that they spread.
 
 
 
 
 
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                 6
 
 
 
 
 
 
 
 
 
          2.3  GENERAL SECURITY POLICIES
 
 
 
          2.3.1  User Education
 
 
          Good security policies depend on the knowledge and
          cooperation of the users.  This is just as true of security
          against viruses as it is of policies about password
          management.  Users should be aware of the dangers that
          exist, should know what to do if they suspect they have
          found a security problem.  In particular, they should know
          whom to call if they have questions or suspicions, and
          should know what to do, and what not to do, to minimize
          security risks.  Users should be encouraged to feel that
          security measures are things that they want to do for their
          own benefit, rather than things that are required for no
          rational reason.
 
          A strategy to detect and contain viruses is described below.
          An important part of that strategy is for users to know whom
          to call if they see a system problem that may be the result
          of a virus.  Someone should always be available to work with
          the user in determining if a problem exists, and to report
          the problem to a central source of information if it is
          serious.  This central source must have the ability to
          inform the necessary people of the problem quickly and
          reliably, and to set in motion the process of containing and
          solving the problem.  More detailed suggestions for this
          mechanism will be given below, but each stage depends on
          education.  It is important to educate the end users, the
          first-level support people, and management involved at all
          levels, since they must take the necessary actions quickly
          when a viral infection is detected.
 
 
 
          2.3.2  Backups
 
 
          Even without the threat of viruses, good backups are an
          important part of system management.  When a program or a
          data file is lost, a good set of backups can save many days
          or months of work.  The potential harm caused by computer
          viruses only increases the need for backups.
 
          Although they are necessary for recovery, backups can also
          present a place for a virus to hide.  When a virus attack
          has been stopped, and the virus removed from all software on
          the system, the obvious way to recover altered or lost files
          is by restoring them from backups.  Great care must be taken
          not to reintroduce the virus into the system in the process!
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                 7
 
 
 
 
 
 
 
 
 
          All backups should be inspected to ensure that the virus is
          not present in any file on any backup.  Until a backup has
          been certified "clean," it should not be used, unless
          certain files on it are not recoverable through other means.
          Even in this case, it is necessary to be very careful to
          restore only objects which the virus did not infect or
          otherwise change.  The behavior of the virus should be well
          understood before any restoration from backup is attempted.
 
 
 
          2.4  DECREASING THE RISK OF VIRAL INFECTION
 
 
          Viruses can spread from one user to another on a single
          system, and from one system to another.  A virus can enter a
          company either by being written within the company, or by
          being brought in from the outside.  Although a virus cannot
          be written accidentally, a virus may be brought in from the
          outside either intentionally or unintentionally.  Viruses
          can enter a company because a program is brought in from
          outside which is infected, even though the person who brings
          it in does not know it.
 
          Because sharing of programs between people is so
          commonplace, it is difficult to prevent an initial infection
          from "outside." An employee may take a program home to use
          it for business purposes on his or her home computer, where
          it becomes infected.  When the program is returned to the
          workplace, the infection can spread to the workplace.
          Similarly, an outside person can bring a set of programs
          into a company in order to perform work desired by the
          company.  If these programs are infected, and they are
          executed on the company's systems, these systems may also
          become infected.
 
          There are two major ways to prevent infection in the first
          place, and to limit the spread of an existing infection:
          isolating systems, and limiting their function.
 
 
 
          2.4.1  Isolated Systems
 
 
          Since viruses spread to new users and systems only when
          information is shared or communicated, you can prevent
          viruses from spreading by isolating users and systems.
          Systems that are connected to other systems by a network can
          spread a virus across that network.  Isolating systems from
          the network will prevent their being infected by that
          network.  If a company maintains connections with other
          companies (or universities, or other institutions) by a
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                 8
 
 
 
 
 
 
 
 
 
          network, a virus may be able to enter the company through
          that network.  By isolating the company from such external
          networks, it cannot be infected by these networks.
 
          This is a reasonable policy to follow when possible,
          especially for those systems which contain especially
          sensitive programs and data.  It is impractical in many
          cases, though.  Networks are valuable components of a
          computing system.  The easy sharing of programs and data
          that they make possible can add substantially to the
          productivity of a company.  You should be aware, however,
          that this sharing also increases the risk of viral infection
          to these systems.  This is especially true if the network
          security measures have not been designed with viruses and
          related threats in mind.
 
          Your organization may wish to limit the kinds of access to
          systems afforded to those outside the organization.  In many
          cases, users of external systems may be less motivated to be
          benevolent to your systems than internal users are.  This
          may make it worthwhile to limit the ability of external
          users to transmit executable files, or have full interactive
          access, to internal systems.
 
          Similarly, movement of programs between personal computers
          on floppy disks can result in one system infecting another.
          If an employee's home computer is infected, for instance,
          bringing a program (or even a bootable disk) from home to
          work could result in the work computer becoming infected.
          You may want to have a policy that employees should not
          bring programs or bootable disks between work and home.  Or,
          you may want to have a policy that employees should use
          virus-detection tools on their home computers as well as
          their work computers.
 
 
 
 
          2.4.2  Limited-Function Systems
 
 
          Since viruses must be able to infect other executable
          objects in order to spread, you can help prevent viruses
          from spreading by eliminating this ability from a computing
          system.  This can be done in some circumstances by
          restricting the ability to add or change programs on a
          system.
 
          If general-purpose programming must be done on a system, as
          is the case with development systems, it is not possible to
          prevent users from creating or adding new programs.  On
          these systems, it is not possible to prevent the
          introduction of viruses under every possible condition.
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                 9
 
 
 
 
 
 
 
 
 
          Many companies have computing systems, including
          workstations and personal computers, that are not used for
          general-purpose programming.  A bank, for instance, may use
          personal computers as teller stations, to handle a fixed set
          of teller transactions.  Since the tellers need not program
          these systems, it may be possible to strictly limit the
          introduction of new programs and thus greatly limit the
          introduction of viruses onto them.
 
          This is a prudent policy.  Whenever practical, limit the
          ability of users to add or change programs on the systems
          they use.  This ability should be restricted to authorized
          personnel, and these personnel should use every means
          available to them to check any new programs for viruses
          before they are installed in the limited-function systems.
          As long as no new programs are introduced, no new viruses
          can be introduced onto these systems.
 
          Remember, though, that the trend in personal workstations
          has been toward the empowerment of the individual user,
          including giving the user the ability to create programs to
          suit his or her own needs.  Thus, it may not be practical
          and competitive in the long run to impose restrictions on
          many systems.  The risk of viral infection must be weighed
          against the benefits of providing power and flexibility to
          the individual user.
 
 
 
 
          2.4.3  Policies for Software Repositories
 
 
 
          Software repositories are places in which programs reside
          which may be used by a number of people.  These may be disks
          on a mainframe, which can be accessed from a number of
          different users' accounts.  They may also be disks on a
          local area network file server, from which many users get
          common programs.
 
          These repositories can pose more of a risk in the spread of
          viruses than most "private" program storage locations.  If a
          commonly-accessed program becomes infected, such as a text
          editor used by an entire department, the entire department
          can become infected very quickly.  So, extra care is
          required to prevent infection of repositories.
 
          A policy can be put into place that requires each program
          added to a repository to be checked thoroughly for possible
          infection.  It is helpful, for instance, to use tools to
          ensure that it is not infected with any of the already-known
          viruses.
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                10
 
 
 
 
 
 
 
 
 
          In cases in which users who access the repository deal with
          especially sensitive programs and data, it may be prudent to
          enforce even more stringent policies.  Programs to be added
          may be tested first on isolated systems, to see if they show
          any signs of infecting other programs.  Or, a repository
          team may inspect the source code of the program for viral
          code.  If no viral code is found, the repository team can
          compile the program on an isolated system that has been
          certified to be free of viruses.  In such a case, the only
          object code allowed on the repository would come directly
          from the team's compilation on its isolated system.
 
          Repositories can also be helpful in detecting and
          controlling viruses.  Consider the situation in which most
          users run a significant amount of the software that they
          execute from a central server to which they do not have
          write access, rather than from individual writeable disks.
          Since the users do not regularly update this software,
          viruses will not be able to spread as quickly between these
          users.  If a program on a central repository becomes
          infected, it may be comparatively simple to replace it with
          an uninfected version (or remove it entirely).  It may be
          more difficult to screen all programs on hundreds of
          individual systems.  It may also be easier to audit the
          usage of, and updates to, a single software repository, as
          opposed to a large number of individual systems.
 
          There are a variety of other areas in many organizations
          which could spread viruses rapidly, and hence which should
          be carefully controlled.  Internal software distribution
          centers, for instance, could spread a virus widely if they
          were infected.  Similarly, a software lending library, if
          infected, may transmit a virus to many other users before it
          is detected.  Walk-in demo rooms and educational centers are
          also potential problems.  In general, any place from which
          software is widely distributed, and which has uncontrolled
          software importation, needs special attention.
 
 
 
 
          2.4.4  Policies for Production Systems
 
 
          Production systems are those systems which are used to
          prepare internally-developed programs for distribution
          either within a company, or for sale to external customers.
          If these systems were infected with a virus, the virus could
          spread to programs used widely within the company, or to
          programs used by the company's customers.  In the former
          case, this could spread the virus widely throughout the
          company.  In the latter case, it could damage the reputation
          of the company with its customers.  There has been
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                11
 
 
 
 
 
 
 
 
 
          documented cases of companies accidentally shipping
          virus-infected program products to customers.
 
          Since the infection of production systems could have serious
          consequences, you should be especially careful about
          protecting them.  The key to this is the institution of
          stringent change control policies on production systems.
 
          They should be strongly isolated from non-production
          systems, so that only known, authorized files can be put
          onto the system.  Each file should be checked for infection,
          to whatever extent possible.  Installing object code on
          these systems should be avoided whenever possible.  Rather,
          source code should be installed, and compiled locally with a
          trusted compiler.  Where the impact of a viral infection
          would be particularly large, it may be important to inspect
          the source code before it is compiled, to avoid the
          introduction of a virus through the source code.  If object
          code must be installed, its origin should be verified
          beforehand.  For instance, object code for a personal
          computer could be installed only from an original,
          write-protected distribution disk, which has been found to
          be free of viruses.
 
          In addition, virus-checking programs (see below) should be
          run frequently on production systems.  On a multitasking
          system, it may be possible to run a virus detector
          continuously in the background.  Further, a policy can be
          instituted which ensures that a virus detector will be
          executed at least once between the time that new files are
          installed on the system, and the time that any files are
          exported from the system.
 
 
 
          2.5  DETECTING VIRAL INFECTIONS
 
 
          With the possible exception of isolation, all of the methods
          outlined above for preventing viral infections are only
          somewhat reliable.  Viruses can still reach some systems
          despite the implementation of preventative measures.
          Indeed, no perfect defense exists that still allows
          programming, and sharing of executable information.  There
          is no "one time fix," as there is for many other computer
          security problems.  This is a hole that cannot be plugged
          completely.  Defenses will have to be improved with time to
          deal with new classes of viruses.  Because of this, virus
          *detection* is an important component of system security.
 
          The two most important resources available for the detection
          of viruses are watchful users and watchful programs.  The
          best approaches to virus detection include both.  The users
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                12
 
 
 
 
 
 
 
 
 
          should be aware of the possibility of viruses, just as they
          are aware of the need for backups, and to know what kinds of
          things to watch for.  System programs and utilities should
          be available to help the users, and the computer center
          staff, to take advantage of this awareness.
 
 
 
          2.5.1  Watching for Unexpected Things Happening
 
 
          If users are aware of the kinds of visible things that are
          known to happen in systems that are virus-infected, these
          users can serve as an important line of defense.  Users
          should know that odd behavior in a computer system may be a
          symptom of penetration by a virus, and they should know to
          whom such odd behavior should be reported.
 
          On the other hand, it is a fact that odd behavior is usually
          *not* caused by viral penetration.  Software bugs, user
          errors, and hardware failures are much more common.  It is
          important to avoid unfounded rumors of viral infections, as
          dealing with such "false alarms" can be costly.  An actual
          infection, however, may require rapid action.  So the group
          to which users report oddities must have the skill to
          determine which reports are almost certainly due to one of
          these more common causes, and which merit closer
          investigation for possible viral infection.  One obvious
          choice for such a group is within the computing center or
          "help desk," since the computing center staff probably
          already has a good idea of what sorts of oddities are
          "business as usual."
 
 
 
          2.5.2  Some Symptoms of Known Viruses
 
 
 
 
          2.5.2.1  Workstation Viruses
 
 
          This section lists specific oddities that are known to occur
          in workstations infected with particular viruses that have
          already occurred.  Some of the things in these examples only
          occur once the virus is in place, and is triggered to
          perform its particular function.  Others occur while the
          virus is still spreading.  Some things users should know to
          watch for include:
 
          o   Unexpected changes in the time stamps or length of
              files, particularly executable files,
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                13
 
 
 
 
 
 
 
 
 
          o   Programs taking longer to start, or running more slowly
              than usual,
          o   Programs attempting to write to write-protected media
              for no apparent reason,
          o   Unexplained decreases in the amount of available
              workstation memory, or increases in areas marked as
              "bad" on magnetic media,
          o   Executable files unexpectedly vanishing,
          o   Workstations unexpectedly "rebooting" when certain
              previously-correct programs are run, or a relatively
              constant amount of time after being turned on,
          o   Unusual things appearing on displays, including
              "scrolling" of odd parts of the screen, or the
              unexpected appearance of "bouncing balls" or odd
              messages,
          o   Unexpected changes to volume labels on disks and other
              media,
          o   An unusual load on local networks or other communication
              links, especially when multiple copies of the same data
              are being sent at once.
 
          It is important to remember, though, that future viruses may
          do none of these things.  Users should be alert to oddities
          in general and should have a place to report them, as
          recommended above.
 
 
 
 
          2.5.2.2  Mainframe Viruses
 
 
 
          Viruses in multi-user computer systems share some of the
          typical behaviors of viruses in single-user workstations.
          In particular, lengths or time stamps of executable files
          may change, programs may load or execute more slowly,
          unusual errors (especially relating to disk-writes) may
          occur, files may vanish or proliferate, and odd things may
          appear on displays.  If the virus is attempting to spread
          between users, users may also notice "outgoing mail" that
          they did not intend to send, "links" to other user's
          information that they did not intentionally establish, and
          similar phenomena.
 
          Generally, the same comments apply in this environment as in
          the single-user workstation environment.  Future viruses may
          do none of these things, and users should be sensitive to
          suspicious oddities in general, and have a place to which to
          report them.
 
 
 
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                14
 
 
 
 
 
 
 
 
 
          2.5.3  Watching for Changes to Executable Objects
 
 
 
          Users are not the only line of defense in the detection of
          viruses.  It is comparatively simple to create programs that
          will detect the presence and the spread of the simpler
          classes of viruses.  Such programs can go a long way in
          "raising the bar" against computer viruses.
 
          One effective approach to detecting simple viruses involves
          notifying the user of changes to the contents of executable
          objects (program files, "boot records" on magnetic media,
          and so forth).  Users can be provided with a program to be
          run once a day which will examine the executable objects to
          be checked, and compare their characteristics with those
          found the last time the program was run.  (This could be run
          at the same time as the backup program, for instance.)  The
          user can then be presented with a list of objects that have
          changed.  If things have changed that should not have, the
          user can contact the appropriate people to investigate.  If
          certain objects that should seldom or never change (such as
          the operating system files themselves) are different, the
          user can be specially warned, and urged to contact the
          appropriate people.
 
          Often, a central system programming group has control over a
          large multi-user computing system.  That group can execute
          this sort of program periodically, to check for changes to
          common operating system utilities, and to the operating
          system itself.  Because viruses can often spread to
          privileged users, they are quite capable of infecting even
          those parts of the system that require the highest authority
          to access.
 
          The frequency with which virus detectors should be used
          depends upon the rate at which executables are transmitted,
          and the value of the information assets on the systems.
          Workstations that are not connected to networks can exchange
          information via floppy disks.  The known computer viruses
          that propagate by way of floppy disks do so relatively
          slowly.  It may take days, or weeks, or even months for such
          a virus to propagate across a large organization.  In this
          case, running virus detectors once a day, or once a week,
          may be sufficient.  For systems connected to networks,
          especially large-scale networks, the situation is much
          different.  Experience has shown network viruses to be
          capable of spreading very rapidly across the network.  In
          some cases, replicating programs have spread across
          nationwide networks in a matter of hours or days.  In these
          cases, it may be important to run virus detectors hourly or
          daily.
 
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                15
 
 
 
 
 
 
 
 
 
          Below is an outline of one possible implementation of a
          virus detecting program.  It is for illustration only; many
          different structures would do the job as well or better.
 
          1.  The program obtains a list of files to be checked.  For
              PC-DOS, for instance, this should include .COM and .EXE
              files, any files that are listed as device drivers in
              the CONFIG.SYS file, the CONFIG.SYS file itself, and any
              other executables such as batch files or BASIC programs.
          2.  For each of these files, the program
              o   Determines the time/date and length of the file from
                  the operating system.
              o   If desired, actually reads the data in the file, and
                  performs a calculation such as a CRC (cyclic
                  redundancy check) on the data.  (The number of files
                  checked in such detail depends on the importance of
                  the file, the speed of the program, and the amount
                  of time the user is willing to spend.)
              o   Compares this file information (time/date, length,
                  and perhaps CRC or other code) with the database
                  generated last time the program was run.
              o   If the file was not present the last time the
                  program was run, or if the information in the
                  previous database was different from the information
                  just obtained, the program records that the file is
                  new or changed.
          3.  After checking all relevant files, the program reads all
              other known executable objects in the system(1), and
              compares their CRC or other codes with the values in the
              database, and records any changes.
          4.  When all the existing objects have been checked in this
              way, the program updates the database for next time and
              presents all its findings to the user.
          5.  On the basis of this information, the user can decide
              whether any of the reported changes are suspicious, and
              worth reporting.
 
          This method is by no means foolproof.  A sophisticated virus
          could do a variety of things.  It could change an executable
          object without altering the time, date, length, or CRC code.
          It could only alter objects that had been legitimately
          changed recently.  It could act directly on the database
          itself and thus escape detection.  More sophisticated
          versions of the program outlined here can provide
          significantly more foolproof detection.  It is advantageous
          to have many different virus detectors in place at the same
 
          ----------------
          (1) For PC-DOS, this would typically include the boot record
              on a floppy diskette, and the master and partition boot
              records on hard disks.  For multi-user operating
              systems, this might include "shared system images," or
              "IPL datasets" or equivalent objects.
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                16
 
 
 
 
 
 
 
 
 
          time.  That way, a virus that can evade one detector may be
          caught by another.  Nevertheless, user awareness, and
          procedures for recovery in the event of an infection that is
          not detected until too late, are both still vital.
 
 
 
          2.5.4  Using External Information Sources
 
 
          Software viruses are able to spread because information
          flows so quickly in the modern world.  That same information
          flow can help in the detection of viruses.  Newspapers,
          magazines, journals, and network discussion groups have
          carried significant amounts of material dealing with
          computer viruses and other forms of malicious software.
          These sources of information can be valuable in maintaining
          awareness of what hazards exist, and what measures are
          available to detect or prevent specific viruses.  This kind
          of information can be invaluable to the people in your
          organization charged with investigating suspicious events
          reported by users, and deciding which ones to follow up on.
          On the other hand, these channels also carry a certain
          amount of inevitable misinformation, and care should be
          taken not to react to, or spread, rumors that seem to have
          no likely basis in fact.
 
 
 
          2.6  CONTAINING VIRAL INFECTIONS
 
 
          Having procedures in place to detect viral infection is very
          important.  By itself, however, it is of little use.  The
          individual who makes the first detection must have a
          procedure to follow to verify the problem and to make sure
          that appropriate action occurs.  If the information supplied
          in the detection phase is allowed to "fall between the
          cracks," even for a relatively short time, the benefit of
          detection can easily be lost.
 
 
 
 
          2.6.1  The Importance of Early Detection
 
 
          Computer viruses generally spread exponentially.  If a virus
          has infected only one system in a network on Monday, and
          spread to four by Tuesday, sixteen systems could easily be
          infected by Wednesday, and over five hundred by Friday.
          (These numbers are just samples, of course, but they give an
          idea of the potential speed of spread.  See reference (1)
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                17
 
 
 
 
 
 
 
 
 
          for some experiments in which much faster spread was
          observed.)
 
          Because viruses can spread so fast, it is very important to
          detect them as early as possible after the first infection.
          The surest way of doing this is to have every vulnerable
          user run the best available virus-detection software as
          often as feasible.  This solution may be too expensive and
          time-consuming for most environments.
 
          In most groups of users, it is possible to identify a number
          of "star" users who do a disproportionately large amount of
          information-exchange, who generally run new software before
          most people do, and who are the first to try out new things
          in general.  In multi-user systems, some of these people
          often have special authorities and privileges.  When a virus
          reaches one of these people, it can spread very rapidly to
          the rest of the community.  In making cost/benefit decisions
          about which users should spend the most time or effort on
          virus-detection, these are the people to concentrate on.
 
 
 
 
          2.6.2  The Importance of Rapid Action
 
 
          When a virus is detected, every moment spent deciding what
          to do next may give the virus another chance to spread.  It
          is vital, therefore, to have action plans in place *before* an
          infection occurs.  Such plans should include, for instance:
 
          o   Designation of one particular group (whether formal or
              informal) as the "crisis team,"
          o   Procedures for identifying infected systems, by
              determining how and from where the infection reached
              each system known to be infected,
          o   Procedures for isolating those systems until they can be
              rendered free of the virus,
          o   Procedures for informing vulnerable users about the
              virus, and about how to avoid spreading it themselves,
          o   Procedures for removing the virus from infected systems,
          o   Procedures for identifying the virus involved, and for
              developing or obtaining specific software or procedures
              to combat the virus.  These may remove the virus from
              infected systems and files, determine whether or not
              backups are infected, and so on.
          o   Procedures for recording the characteristics of the
              virus and the effectiveness of the steps taken against
              it, in case of later re-infection with the same or a
              similar virus.
 
          Some suggestions for recovery are given in the next section.
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                18
 
 
 
 
 
 
 
 
 
          2.7  RECOVERING FROM VIRAL INFECTIONS
 
 
          Once a virus has been detected and identified, and measures
          have been taken to stop it from spreading further, it is
          necessary to recover from the infection, and get back to
          business as usual.  The main objective of this activity is
          to provide each affected user with a normal, uninfected
          computing environment.  For individual workstations, this
          means ensuring that no infected objects remain on the
          workstation.  For more complex environments, it means
          ensuring that no infected objects remain anywhere on the
          system where they might inadvertently be executed.
 
          The basic recovery activities are:
 
          o   Replacing every infected object in the system with an
              uninfected version, and
          o   Restoring any other objects that the virus' actions may
              have damaged.
 
          It is of critical importance during these activities to
          avoid re-introducing the virus into the system.  This could
          be done, for instance, by restoring an infected executable
          file from a backup tape.
 
 
 
 
          2.7.1  Restoration and Backups
 
 
 
          An obvious but incorrect approach to removing the infection
          from a system is simply to restore the infected objects from
          backups.  This is *not* a wise thing to do, however, since
          the backups themselves may be infected.  If the virus first
          entered the system sufficiently long ago, infected objects
          may well have been backed up in infected form.
 
          Once the virus has been well understood, in terms of what
          types of objects it spreads itself to, three different
          categories of objects may be considered for restoration:
 
          o   Objects of the type that the virus infects.  These
              should only be restored from backups if the backed-up
              versions are thoroughly and individually checked for
              infection by the virus.  If it is possible, it is
              preferable to restore the objects from more "trusted"
              sources, such as original, unwriteable, copies supplied
              by the manufacturer, or by recompiling source code.
              Even in these cases, it is worthwhile to check once
              again for infection after restoration has been done.
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                19
 
 
 
 
 
 
 
 
 
          o   Objects of types that the virus does not infect, but
              which have been destroyed or altered by the virus'
              actions.  These can generally be restored from backups
              safely, although again it is worth checking the
              integrity of the backed-up copies.  If the virus has
              been in the system long enough, it may have damaged
              objects that were later backed up.
 
          o   Objects of types that the virus neither infects, nor
              damages.  If you are very sure that the virus does not
              infect or alter certain types of files, there may be no
              need to restore those files during the recovery process.
 
 
 
          2.7.2  Virus-Removing Programs
 
 
          Once a virus has been studied, you can write or obtain
          programs to help remove that particular virus.  One type of
          these programs checks for the presence of the virus in a
          executable objects.  Another type tries to remove the
          infection by restoring the object to its previous uninfected
          form.  "Checking" programs can be extremely valuable during
          the recovery process, to ensure that files that are being
          restored after infection or damage by the virus are now
          "clean." "Removal" programs are somewhat less useful, and
          should usually only be used when there is no other practical
          way to obtain an uninfected version of the object.  Removing
          a virus from an executable object can be a complex and
          difficult process, and even a well-written program may fail
          to restore the object correctly.
 
 
 
          2.7.3  Watching for Re-Infection
 
 
          Once recovery is complete, and all known infected and
          damaged objects have been restored to uninfected and correct
          states, it is necessary to remain watchful for some time.  A
          system that has recently been infected by a certain virus
          runs an increased risk of re-infection by that same virus.
          The re-infection can occur through some obscure, infected
          object that was missed in the recovery process.  It can also
          occur from the same outside source as the original
          infection.  This is especially true if the original source
          of infection is not known.
 
          Vigilance in the use of general virus-detection programs,
          like those described above, continues to be important.  In
          addition, it will often be possible to obtain or write
          programs designed to detect the specific virus from which
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                20
 
 
 
 
 
 
 
 
 
          the system has just recovered.  Specific virus-detection
          programs of this kind are particularly useful at this time.
          The same users who use the general virus-detection programs,
          and any users who would be specifically vulnerable to the
          virus just recovered from, can be given such programs to
          run.  This increases the probability of detection, should an
          infection recur.  The programs might also be incorporated
          into the backup system for a time, to scan files being
          backed up for infection, and even into appropriate places in
          networks and file-sharing systems.  Because such checks will
          introduce extra overhead, there will be a trade-off between
          performance and added security in considering how long to
          leave them in place.
 
 
 
          2.8  SUMMARY AND RECOMMENDATIONS
 
 
          Computer viruses can pose a threat to the security of
          programs and data on computing systems.  We have suggested
          several means of limiting this threat.  They are summarized
          below.
 
 
          o   Viruses represent a new kind of threat to the security
              of computing systems.
 
              -   They can be spread without the intent of the people
                  who spread them.
              -   They can spread widely and quickly within an
                  organization, reaching systems and users well beyond
                  the initial infection point.
              -   They can perform virtually any action that their
                  designer intends.
 
 
          o   The risks posed by viruses can be limited by proper
              action.
 
              -   Follow good security practices in general.
 
                  --  Educate your users about security threats,
                      including computer viruses.
                  --  Make sure that good backups are kept of all
                      important data.
 
              -   Take steps to reduce the possibility of being
                  infected.
 
                  --  Where practical, isolate critical systems from
                      sources of infection, such as networks and
                      outside programs.
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                21
 
 
 
 
 
 
 
 
 
                  --  Where practical, limit the ability to create or
                      install new programs on those systems which do
                      not require this ability.
                  --  Ensure that adequate controls exist on software
                      repositories, production systems, and other
                      important areas of your organization.  These
                      include careful change management and the use of
                      virus detectors.
 
              -   Take steps to ensure that virus infections will be
                  detected quickly.
 
                  --  Educate your users about possible warning signs.
                  --  Use virus detectors, which will inform users of
                      the unintended modification of programs and
                      data.
                  --  Make sure your users know to whom they can
                      report a potential problem.
 
              -   Take steps to contain virus infections that are
                  detected.
 
                  --  A plan to deal with an infection should be put
                      into place *before* an infection occurs.
                  --  A "crisis team" should be put into place, which
                      can respond quickly to a potential problem.
                  --  Isolate infected systems until they can be
                      cleaned up, to avoid them infecting other
                      systems, and to avoid their becoming reinfected.
 
              -   Take steps to recover from viral infections that are
                  contained.
 
                  --  Be able to restore critical programs and data
                      from virus-free backups.
                  --  Know how to remove viruses from programs if
                      virus-free backups are unavailable.
                  --  Watch for a reinfection from that particular
                      virus.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
          Coping with Computer Viruses: A Guide for Technical
          Management                                                22
 
 
 
 
 
 
 
 
 
          FOR FURTHER READING
 
 
 
          (1)  Fred Cohen, "Computer Viruses: Theory and Experiment,"
                Computers & Security, Vol. 6 (1987), pp. 22-35
 
          (2)  Fred Cohen, "On the Implications of Computer Viruses
                and Methods of Defense," Computers & Security, Vol. 7
                (1988), pp. 167-184
 
          (3)  W.H. Murray, "Security Considerations for Personal
                Computers," IBM System Journal, Vol. 23, No. 3 (1984),
                pp. 297-304
 
          (4)  --, "Security Risk Assessment in Electronic Data
                Processing Systems," IBM Publication Number
                G320-9256-0 (1984)
 
          (5)  --, "Good Security Practices for Information Systems
                Networks," IBM Publication Number G360-2715-0 (1987)
 
          (6)  --, "An Executive Guide to Data Security," IBM
                Publication Number G320-5647-0 (1975)
 
          (7)  --, "Security, Auditability, System Control
                Publications Bibliography," IBM Publication Number
                G320-9279-2 (1987)
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
          For Further Reading                                       23
 
 
 
 
 
 
 
 
 
                GLOSSARY
 
 
 
                Computer viruses and the like are relatively new
                phenomena.  The terms used to describe them do not
                have definitions that are universally agreed upon.  In
                this glossary, we give definitions that try to clarify
                the differences between the various concepts.  These
                terms may be used differently elsewhere.
 
 
 
                Availability:  That aspect of security that deals with
                the timely delivery of information and services to the
                user.  An attack on availability would seek to sever
                network connections, tie up accounts or systems, etc.
 
                Back Door:  A feature built into a program by its
                designer, which allows the designer special privileges
                that are denied to the normal users of the program.  A
                back door in a logon program, for instance, could
                enable the designer to log on to a system, even though
                he or she did not have an authorized account on that
                system.
 
                Bacterium (informal):  A program which, when executed,
                spreads to other users and systems by sending copies
                of itself.  (Though, since it does "infect" other
                programs, it may be thought of as a "system virus" as
                opposed to a "program virus.") It differs from a
                "rabbit" (see below) in that it is not necessarily
                designed to exhaust system resources.
 
                Bug:  An error in the design or implementation of a
                program that causes it to do something that neither
                the user nor the program author had intended to be
                done.
 
                Confidentiality:  That aspect of security which deals
                with the restriction of information to those who are
                authorized to use it.  An attack on confidentiality
                would seek to view databases, print files, discover a
                password, etc., to which the attacker was not
                entitled.
 
                Integrity:  That aspect of security that deals with
                the correctness of information or its processing.  An
                attack on integrity would seek to erase a file that
                should not be erased, alter an element of a database
                improperly, corrupt the audit trail for a series of
                events, propagate a virus, etc.
 
 
 
 
          Glossary                                                  24
 
 
 
 
 
 
 
 
 
                Logic Bomb:  A Trojan Horse (see below), which is left
                within a computing system with the intent of it
                executing when some condition occurs.  The logic bomb
                could be triggered by a change in a file (e.g. the
                removal of the designer's userid from the list of
                employees of the organization), by a particular input
                sequence to the program, or at a particular time or
                date (see "Time Bomb" below).  Logic bombs get their
                name from malicious actions that they can take when
                triggered.
 
                Rabbit (informal):  A program is designed to exhaust
                some resource of a system (CPU time, disk space, spool
                space, etc.) by replicating itself without limit.  It
                differs from a "bacterium" (see above) in that a
                rabbit is specifically designed to exhaust resources.
                It differs from a "virus" (see below) in that it is a
                complete program in itself; it does not "infect" other
                programs.
 
                Rogue Program:  This term has been used in the popular
                press to denote any program intended to damage
                programs or data, or to breach the security of
                systems.  As such, it encompasses malicious Trojan
                Horses, logic bombs, viruses, and so on.
 
                Security:  When applied to computing systems, this
                denotes the authorized, correct, timely performance of
                computing tasks.  It encompasses the areas of
                confidentiality, integrity, and availability.
 
                Time Bomb:  A "logic bomb" (see above) activated at a
                certain time or date.
 
                Trojan Horse:  Any program designed to do things that
                the user of the program did not intend to do.  An
                example of this would be a program which simulates the
                logon sequence for a computer and, rather than logging
                the user on, simply records the user's userid and
                password in a file for later collection.  Rather than
                logging the user on (which the user intended), it
                steals the user's password so that the Trojan Horse's
                designer can log on as the user (which the user did
                not intend).
 
                Virus (pl. viruses):  a program that can "infect"
                other programs by modifying them to include a possibly
                evolved copy of itself.  Note that a program need not
                perform malicious actions to be a virus; it need only
                "infect" other programs.  Many viruses that have been
                encountered, however, do perform malicious actions.
 
                Worm:  A program that spreads copies of itself through
                network-attached computers.  The first use of the term
 
 
          Glossary                                                  25
 
 
 
 
 
 
 
 
 
                described a program that copied itself benignly around
                a network, using otherwise-unused resources on
                networked machines to perform distributed computation.
                Some worms are security threats, using networks to
                spread themselves against the wishes of the system
                owners, and disrupting networks by overloading them.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
          Glossary                                                  26
 
 
 
 
 
 
 
 
 
                APPENDIX: VIRAL INFECTIONS IN PC-DOS
 
 
 
                This section is intended to give an example of the
                places in a typical computer system where a virus
                might enter.  It is intended for a reader with some
                knowledge of the workings of PC-DOS, although it may
                be instructive to others as well.  PC-DOS was chosen
                for convenience; many computer systems have similar
                vulnerabilities.
 
                Consider the process that is required for you to run a
                single program.  What is happening?  Which parts do
                you not bother checking since you have seen it a
                million times?
 
                For example, you turn on the power switch and then ...
 
                o   You boot off the disk.  What code ran to enable
                    you to boot off the disk?
 
                o   You boot off a diskette drive.  Again ...
 
                o   You run a program.  It reads off a disk.  What was
                    actually read in?  How was it read in?  What did
                    the reading?
 
                o   You compile a program.  Are you using any library
                    files?  What is in them?
 
                o   When was the last time you looked at your
                    CONFIG.SYS?  AUTOEXEC.BAT?
 
                o   You just bought a brand new program.  You just
                    brought it home from the store.  What do you know
                    about the program?  About the company that
                    produced it?
 
                This list is not meant to be all-inclusive nor
                thorough.  It is meant to be a spark to start
                education.  Let us continue by examining each of these
                cases.  (Where found, the symbol "(!)" is used to
                designate a potential point of attack for viruses.)
 
 
 
 
                When you turn on the power switch
 
 
                Before we investigate the different cases above, we
                examine the steps that occur when you first flip the
                power switch of your IBM PC to the ON position.
 
 
          Appendix: Viral Infections in PC-DOS                      27
 
 
 
 
 
 
 
 
 
                Power is given to the system.  A section of code known
                as POST (Power On Self Test) residing in ROM (Read
                Only Memory) starts running.  It checks memory,
                devices, peripherals, and then transfers control to
                any "properly signatured" ROMs found in the I/O
                channels.  Assuming those pieces run smoothly, control
                returns to POST.  When POST completes, it searches for
                a diskette in the diskette drive.  If unsuccessful, it
                tries to boot off a hard file.  And finally, if
                neither works, it starts running the BASIC interpreter
                which is found in its ROM.
 
                The first place where programs are read into system
                RAM (Random Access Memory) is the hard file or
                diskette boot up process.  Until then, all the code
                that is run has come from ROM.  Since these ROMs are
                from trusted sources, we must assume that they have
                not been created with viruses installed.  ROMs, by
                their nature, can only be written by special
                equipment, not found in your PC.  Thus to tamper with
                them, they must be removed and/or replaced without
                your knowledge.  For the purposes of this discussion,
                we will assume that this has not happened.
 
 
 
                Boot from hard file
 
 
                When the computer boots off the hard file, it relies
                on code which has been placed in two areas on the hard
                file.  The first location is the master boot
                record(!).  The master boot record contains code and
                information to designate which "system boot record"(!)
                to read and run.  This is the "active partition."
                There are potentially many system boot records, one
                for each partition, while there is only one master
                boot record.
 
                Boot records on a fixed disk vary.  But usually, up to
                a whole track is reserved.  This is a large amount of
                space, most of which is not normally used.  The large
                empty space provides a potential area for viruses to
                hide.
 
 
 
                Boot from diskette
 
 
                For a floppy disk, the boot record is a properly
                "signatured" sector at head 0 track 0 sector 1 of the
                disk(!).  If the machine finds a proper signature, it
                takes the bytes stored in that sector and begins
 
 
          Appendix: Viral Infections in PC-DOS                      28
 
 
 
 
 
 
 
 
 
                executing them.  This code is usually very short.
                Usually, one of the first things it does is to tell
                the machine where to get other sectors to form a
                complete boot up program.
 
                Viruses can hide parts of themselves on either hard or
                floppy disks, in sectors that they mark as "bad."(!)
                These sectors would require special commands to be
                read.  This prevents the code from being accidentally
                overwritten.  They also provide an obvious sign,
                should you be looking for them (CHKDSK will report bad
                sectors).
 
 
 
                PC-DOS, the operating system
 
 
                The purpose of the boot records is to load the
                operating system.  This is done by loading files with
                the names IBMBIO.COM(!), IBMDOS.COM(!), and
                COMMAND.COM(!).  These files contain the operating
                system.
 
                After the operating system is loaded, it becomes the
                integral portion of all system activities.  This
                includes activities such as reading and writing
                files(!), allocating memory(!), and allocating all
                other system resources(!).  Few applications exist
                that do not use the operating system to take advantage
                of the system resources.  Thus, some viruses change
                COMMAND.COM or intercept attempts to request a system
                resource.
 
                The purpose of such action would be two-fold.  The
                first purpose is to place the virus in a common code
                path, so that it is executed frequently so that it may
                have ample opportunity to spread.  The second is to
                cause damage, intercepting the proper request and
                altering the request.
 
 
 
 
                Running a program
 
 
                What code runs when you run a program? (!)  (The
                following list is not meant to be complete.  It is to
                show you that any link could be a potential point of
                attack for a virus.  Since the virus' purpose is to be
                executed frequently, it would find itself executed
                frequently enough if it resided in any of the
                following areas.)
 
 
          Appendix: Viral Infections in PC-DOS                      29
 
 
 
 
 
 
 
 
 
                o   DOS accepts your keystrokes.
 
                    -   BIOS INT 9H, INT 16H, INT 15H, INT 1BH
                    -   DOS INT 21H keyboard functions, INT 28H
                    -   Any keyboard device driver or TSR (Terminate
                        and Stay Resident) program.
 
                o   DOS loads your program
 
                    -   BIOS INT 13H, INT 40H, INT 15H
                    -   DOS INT 21H file search functions, memory
                        allocation, set DTA, disk read, CTRL-BREAK
                        check, etc.
                    -   Any DOS extension driver or TSR (Terminate and
                        Stay Resident) program.
 
                o   General background functions
 
                    -   BIOS INT 8 (timer), INT 0FH (printer), INT 1CH
                        (timer)
                    -   Any system driver or TSR (Terminate and Stay
                        Resident) program.
 
                All these things happen and more, each time you run a
                program.
 
 
 
                CONFIG and AUTOEXEC
 
 
                Every time you boot your system, CONFIG.SYS(!)  and
                AUTOEXEC.BAT(!) tell the system to load many files and
                options before you can start working on the computer.
                If a virus decided to attach an extra line of
                instruction to one of these files, it would result in
                the program being loaded each day.  When was the last
                time you looked at CONFIG.SYS?  AUTOEXEC.BAT?  Do you
                remember the reason for the existence of each line in
                the two files?
 
 
 
                Compiling programs, using libraries
 
 
                When you compile a program, you use several programs.
                One is the compiler itself (!).  If the compiler is
                infected with a virus, the virus may spread to other,
                unrelated programs.  But it could also spread to the
                program being compiled.
 
                When a compiled program is linked to form an
                executable program, it is common to link in programs
 
 
          Appendix: Viral Infections in PC-DOS                      30
 
 
 
 
 
 
 
 
 
                from libraries(!).  These library programs provide
                standard operating system interfaces, perform input
                and output, and so on.  If one or more of the library
                programs are infected with a virus, then every program
                which is linked with it will be infected.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
          Appendix: Viral Infections in PC-DOS                      31