home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
ASP Advantage 1993
/
The Association of Shareware Professionals Advantage CD-ROM 1993.iso
/
contents
/
compyths
< prev
next >
Wrap
Text File
|
1993-07-21
|
28KB
|
491 lines
Computer Virus Myths
(9th Edition: March 26, 1993)
by Rob Rosenberger
with Ross M. Greenberg
A number of myths have surfaced about the threat of computer
"viruses." There are myths about how widespread they are, how
dangerous they are, and even myths about what a computer virus
really is. We want you to know the facts.
The first thing you need to learn is that a computer virus falls
in the realm of malicious programming techniques known as "Trojan
horses." All viruses are Trojan horses, but relatively few
Trojan horses can be called a virus.
That having been said, it's time to go over the terminology we
use when we lecture:
BBS Bulletin Board System. If you have a modem, you
can call a BBS and leave messages, transfer
computer files back & forth, and learn a lot about
computers. (What you're reading right now, for
example, most likely came to you from a BBS.)
Bug an accidental flaw in the logic of a program which
makes it do things it shouldn't really be doing.
Programmers don't mean to put bugs in their
programs, but they always creep in. Programmers
often spend more time debugging programs than they
do writing them in the first place. Inadvertent
bugs have caused more data loss than all viruses
combined.
Hacker someone who really loves computers and who wants
to push them to the limit. Hackers have a healthy
sense of curiosity: they try doorknobs just to see
if they're locked, for example. They also love to
tinker with a piece of equipment until it's "just
right." The computer revolution itself is largely
a result of hackers.
Shareware a distribution method for quality software
available on a "try before you buy" basis. You
must pay for it if you continue using it after the
trial period. Shareware authors let you download
their programs from BBSs and encourage you to give
evaluation copies to friends. Many shareware
applications rival their retail-shelf counterparts
at a fraction of the price. (You must pay for the
shareware you continue to use -- otherwise you're
stealing software.)
Trojan a generic term describing a set of computer
horse instructions purposely hidden inside a program.
Trojan horses tell programs to do things you don't
expect them to do. The term comes from the
legendary battle in which the ancient city of Troy
received a large wooden horse to commemorate a
fierce battle. The "gift" secretly held soldiers
in its belly and, when the Trojans rolled it into
their fortified city, ....
Virus a term for a very specialized Trojan horse which
spreads to other computers by secretly "infecting"
programs with a copy of itself. A virus is the
only type of Trojan horse which is contagious,
much like the common cold. If a Trojan horse
doesn't meet this definition, then it isn't
a virus.
Worm a term similar to a Trojan horse, but there is no
"gift" involved. If the Trojans had left that
wooden horse outside the city, they wouldn't have
been attacked. Worms, on the other hand, can
bypass your defenses without having to deceive you
into dropping your guard. An example would be a
program designed to spread itself by exploiting
bugs in a network software package. Worms usually
come from someone who has legitimate access to the
computer or network.
Wormers what we call people who unleash destructive Trojan
horses. Let's face it, these people aren't
angels. What they do hurts us. They deserve our
disrespect.
Viruses, like all Trojan horses, purposely make a program do
things you don't expect it to do. Some viruses will just annoy
you, perhaps only displaying a "Peace on earth" greeting. The
viruses we worry about will try to erase your data (the most
valuable asset of your computer!) and waste your valuable time in
recovering from an attack.
Now you know the differences between a bug and a Trojan horse and
a virus. Let's get into some of the myths:
"All purposely destructive code spreads like a virus."
Wrong. Remember, "Trojan horse" describes purposely
destructive code in general. Very few Trojan horses actually
qualify as viruses. Newspaper & magazine reporters tend to call
almost anything a virus because most of them have no real
understanding of computer crime.
"Viruses and Trojan horses are a recent phenomenon."
Trojan horses have existed since the first days of the
computer; hackers toyed with viruses in the early 1960s as a form
of amusement. Many different Trojan horse techniques have
emerged over the decades to embezzle money, destroy data, fool
investors, etc. The general public really didn't know of this
problem until the IBM PC revolution brought it into the
spotlight. Banks still hush up computerized embezzlements to
this day because they believe customers will lose faith in them
if word gets out.
"Viruses are written by teenage hackers."
Yes, hackers have unleashed viruses -- but so has a computer
magazine publisher. And according to one trusted military
publication, the U.S. Defense Department creates viruses for use
as weapons. Trojan horses for many decades sprang from the minds
of middle-aged men; computer prices have only recently dropped to
a level where teenagers could get into the act. We call people
"wormers" when they abuse their knowledge of computers.
You shouldn't fear hackers just because some of them know how
to write viruses. This whole thing boils down to an ethics
issue, not a technology issue. Hackers know a lot about
computers; wormers abuse their knowledge. Hackers as a whole got
a bum rap when the mass media corrupted the term.
"Viruses infect 25% of all IBM PCs every month."
If 25% suffer an infection every month, then 100% would have a
virus every four months -- in other words, every IBM PC would
suffer an infection three times per year. This mythical estimate
surfaced in the media after researcher Peter Tippett wrote a
complex thesis on how viruses might spread in the future.
Computer viruses exist all over the planet, yes -- but they
won't take over the world. Only about 500 different viruses
exist at this time; many of them have never existed "in the wild"
and some have since been completely eliminated "from the wild."
You can easily reduce your exposure to viruses with a few simple
precautions. Yes, it's still safe to turn on your computer!
"Only 500 different viruses? But most experts talk about them in
the thousands."
The virus experts who claim much larger numbers usually work
for antivirus companies. They count even the most insignificant
variations for advertising purposes. When the Marijuana virus
first appeared, for example, it displayed the word "legalise,"
but a miscreant later modified it to read "legalize." Any
program which can detect the original virus can detect the
version with one letter changed -- but antivirus companies count
them as "two" viruses. These obscure differentiations quickly
add up.
And take note: the majority of "new" computer viruses
discovered these days are only minor variations on well-known
viruses.
"A virus could destroy all the files on my disks."
Yes, and a spilled cup of coffee could do the same thing. You
can recover from any virus or coffee problem if you have adequate
backups of your data. Backups mean the difference between a
nuisance and a disaster. You can safely presume there has been
more accidental loss of data than loss by all viruses and Trojan
horses.
"Viruses have been documented on over 300,000 computers {1988}."
"Viruses have been documented on over 400,000 computers {1989}."
"The Michelangelo virus alone was estimated to be on over
5,000,000 computers {1992}."
These numbers originated from John McAfee, a self-styled virus
fighter who craves attention and media recognition. If we assume
it took him a mere five minutes to adequately document each viral
infection, it would have taken four man-years of effort to
document a problem only two years old by 1989. We further assume
McAfee's statements included every floppy disk ever infected up
to that time by a virus, as well as every computer involved with
the Christmas and InterNet worm attacks. (Worms cannot be
included in virus infection statistics.)
McAfee prefers to "estimate" his totals these days and was
widely quoted during the Michelangelo virus hysteria in early
1992. Let's do some estimating ourselves by assuming about 80
million IBM PC-compatible computers around the world. McAfee's
estimate meant one out of every 16 computers on the planet
supposedly had the virus. Many other experts considered it an
astronomical estimate based on the empirical evidence.
"Viruses can hide inside a data file."
Data files can't wreak havoc on your computer -- only an
executable program file can do that (including the one that runs
every time you turn on or reboot a computer). If a virus
infected a data file, it would be a wasted effort. But let's be
realistic: what you think is `data' may actually be an executable
program file. For example, a "batch file" on an IBM PC contains
only text, yet DOS treats it just like an executable program.
"Some viruses can completely hide themselves from all antivirus
software, making them truly undetectable."
This myth ironically surfaced when certain antivirus companies
publicized how they could detect so-called "Mutation Engine"
viruses. The myth gained national exposure in early 1993 when
the Associated Press printed excerpts from a new book about
viruses. Most viruses have a character-based "signature" which
identifies it both to the virus (so it doesn't infect a program
too many times) and to antivirus software (which uses the
signature to detect the virus). A Mutation Engine virus employs
an algorithm signature rather than a character-based signature --
but it still has a unique, readily identifiable signature.
The technique of using algorithm signatures really doesn't
make it any harder to detect a virus. You just have to do some
calculations to know the correct signature -- no big deal for an
antivirus program.
"BBSs and shareware programs spread viruses."
Here's another scary myth, this one spouted as gospel by many
"experts" who claim to know how viruses spread. "The truth,"
says PC Magazine publisher Bill Machrone, "is that all major
viruses to date were transmitted by [retail] packages and private
mail systems, often in universities." [PC Magazine, October 11,
1988.] What Machrone said back then still applies today. Over
50 retail companies have admitted spreading infected master disks
to tens of thousands of customers since 1988 -- compared to only
nine shareware authors who have spread viruses on master disks to
less than 300 customers since 1990.
Machrone goes on to say "bulletin boards and shareware authors
work extraordinarily hard at policing themselves to keep viruses
out." Reputable sysops check every file for Trojan horses;
nationwide sysop networks help spread the word about dangerous
files. Yes, you should beware of the software you get from BBSs
and shareware authors, but you should also beware of retail
software found on store shelves. (By the way, many stores now
routinely re-shrinkwrap returned software and put it on the shelf
again. Do you know for sure only you ever touched those master
disks?)
"My computer could be infected if I call an infected BBS."
BBSs can't write information on your disks -- the
communications software you use performs this task. You can only
transfer a dangerous file to your computer if you let your
software do it.
And there is no "300bps subcarrier" by which a virus can slip
through a modem. A joker who called himself Mike RoChenle
("micro channel," get it?) started this myth after leaving a
techy-joke message on a public network. Unfortunately, some
highly respected journalists got taken in by the joke.
"So-called `boot sector' viruses travel primarily in software
downloaded from BBSs."
This common myth -- touted as gospel even by "experts" --
expounds on the supposed role bulletin boards play in spreading
infections. Boot sector viruses spread only if you directly copy
an infected floppy disk, or if you try to "boot" a computer from
an infected disk, or if you use a floppy in an infected computer.
BBSs deal exclusively with program files and don't pass along
copies of boot sectors. Bulletin board users thus have a natural
immunity to boot-sector viruses in downloaded software. (And
since the clear majority of infections stem from boot sector
viruses, this fact alone exonerates the BBS community as the so-
called "primary" source for the spread of viruses.)
We should make a special note about "dropper" programs
developed by virus researchers as an easy way to transfer boot
sector viruses among themselves. Since they don't replicate,
"dropper" programs don't qualify as viruses. These programs have
never appeared on BBSs to date and have no real use other than to
transfer infected boot sectors.
"My files are damaged, so it must have been a virus attack."
It also could have happened because of a power flux, or static
electricity, or a fingerprint on a floppy disk, or a bug in your
software, or perhaps a simple error on your part. Power
failures, spilled cups of coffee, and user errors have destroyed
more data than all viruses combined.
"Donald Burleson was convicted of releasing a virus."
Newspapers all over the country hailed a 1989 Texas computer
crime trial as a "virus" trial. The defendant, Donald Burleson,
had released a destructive Trojan horse on his employer's
mainframe computer. The software in question couldn't spread to
other computers, and prosecuting attorney Davis McCown claimed he
"never brought up the word virus" during Burleson's trial. So
why did the media call it one?
1. David Kinney, an expert witness testifying for the defense,
claimed Burleson unleashed a virus. The prosecuting
attorney didn't argue the point and we don't blame him --
Kinney's claim may have actually swayed the jury to convict
Burleson.
2. McCown gave reporters the facts behind the case and let them
come up with their own definitions. The Associated Press
and USA Today, among others, used such vague definitions
that any program would have qualified as a virus. If we
applied their definitions to the medical world, we could
safely label penicillin as a biological virus (which is, of
course, absurd).
"Robert Morris Jr. released a benign virus on a defense network."
It supposedly may have been benign, but it wasn't a virus.
Morris, the son of a chief computer scientist at the National
Security Agency, decided one day to take advantage of bugs in the
software which controls InterNet, a network the Defense
Department often uses. These tiny bugs let Morris send a worm
throughout the network. Among other things, the "InterNet worm"
sent copies of itself to other computers -- and clogged the entire
network in a matter of hours due to bugs in the worm module
itself. The press called it a "virus," like it called the 1987
"Christmas worm" a virus, because it spread to other computers.
Yet Morris's work didn't infect any computers. A few notes:
1. Reporters finally started calling it a worm a year after the
fact, but only because lawyers on both sides of the case
constantly referred to it as a worm.
2. The worm operated only on Sun-3 & Vax computers which employ
the UNIX operating system and were specifically linked into
the InterNet network at the time of the attack.
3. The 6,200 affected computers cannot be counted in virus
infection statistics (they weren't infected).
4. It cost way less than $98 million to clean up the attack.
An official Cornell University report claims John McAfee,
the man behind this wild estimate, "was probably serving
[him]self" in an effort to drum up business. People
familiar with the case estimated the final figure at
slightly under $1 million.
5. Yes, Morris could easily have added some infection code to
make it both a worm and a virus if he'd had the urge.
6. InterNet gurus have since fixed the bug Morris exploited in
the attack.
7. Morris went on trial for launching the worm and received a
federal conviction. The Supreme Court refused to hear his
case, so the conviction stands.
"The U.S. government planted a virus in Iraqi military computers
during the Gulf War."
U.S. News & World Report in early 1992 claimed the National
Security Agency had replaced a computer chip in a printer bound
for Iraq just before the Gulf War with a secret computer chip
containing a virus. The magazine cited "two unidentified senior
U.S. officials" as their source, saying "once the virus was in
the [Iraqi computer] system, ...each time an Iraqi technician
opened a `window' on his computer screen to access information,
the contents of the screen simply vanished."
Yet the USN&WR story shows amazing similarities to a 1991
April Fool's joke published by InfoWorld magazine. Most computer
experts dismiss the USN&WR story as a hoax -- an "urban legend"
innocently created by the InfoWorld joke. Some notes:
1. USN&WR continues to stand by its story, but did publish a
"clarification" stating "it could not be confirmed that the
[virus] was ultimately successful." The editors broke with
tradition by declining to print any letters readers had
submitted about it.
2. Ted Koppel, a well-known American news anchor, opened one of
his "Nightline" broadcasts with a report on the alleged
virus. Koppel's staff politely refers people to talk with
USN&WR about the story's validity.
3. InfoWorld didn't label their story as fiction, but the last
paragraph identified it as an April Fool's joke.
"Viruses can spread to all sorts of computers."
The design of all Trojan horses limits them to a family of
computers, something especially true for viruses. A virus
written for IBM PCs cannot infect an IBM 4300 series mainframe,
nor can it infect a Commodore C64, nor can it infect an Apple
Macintosh.
"My backups will be worthless if I back up a virus."
No, they won't. Let's suppose a virus does get backed up with
your files. You can restore important documents and databases
and spreadsheets -- your valuable data -- without restoring an
infected program. You just reinstall the programs from master
disks. It's tedious work, but not as hard as some people claim.
"Antivirus software will protect me from viruses."
There is no such thing as a foolproof antivirus program.
Viruses and other Trojan horses can be (and have been) designed
to bypass them. Antivirus products also can be tricky to use at
times and they occasionally have bugs. Always use a good set of
backups as your first line of defense; rely on antivirus software
only as a second line of defense.
"Read-only files are safe from virus infections."
This common myth among IBM PC users has appeared even in some
computer magazines. Supposedly, you can protect yourself by
using the DOS ATTRIB command to set the read-only attribute on
program files. Yet ATTRIB is software -- what it can do, a virus
can undo. The ATTRIB command cannot halt the spread of most
viruses.
"Viruses can infect files on write-protected floppy disks."
Another common IBM PC myth. If viruses can modify read-only
files, people assume they can also modify files on write-
protected disks. However, the disk drive itself knows when a
floppy has a write-protect tab and refuses to write to the disk.
You can't override an IBM PC drive's write-protect sensor with a
software command.
We hope this dispels the many computer virus myths. Viruses DO
exist, they ARE out there, they WANT to spread to other
computers, and they CAN cause you problems. But you can defend
yourself with a cool head and a good set of backups.
The following guidelines can shield you from viruses and other
Trojan horses. They will lower your chances of getting infected
and raise your chances of recovering from an attack.
1. Implement a procedure to regularly back up your files and
follow it religiously. We can't emphasize this enough!
Consider purchasing a user-friendly program or a tape backup
device to take the drudgery out of this task. You'll find
plenty of inexpensive programs and tape backup hardware to
choose from.
2. Rotate between at least two sets of backups for better
security (use set #1, then set #2, then set #1...). The
more sets you use, the better protection you have. Many
people take a "master" backup of their entire hard disk,
then take a number of "incremental" backups of files which
have changed since the last time they backed up.
Incremental backups might only require five minutes of your
time each day.
3. Download files only from reputable BBSs where the sysop
checks every program for Trojan horses. If you're still
afraid, consider getting programs from a BBS or "disk
vendor" company which gets files direct from the authors.
4. Let newly uploaded files "mature" on a BBS for one or two
weeks before you download it (others will put it through
its paces).
5. Consider using a program that searches ("scans") for known
viruses. Almost all infections involve viruses known to
antivirus companies. A recent version (no more than four
months old) of any "scanning" program will in all
probability identify a virus before it can infect your
computer. But remember: there is no perfect antivirus
defense.
6. Consider using a program that creates a unique "signature"
of all the programs on your computer. Run this software
once in awhile to see if any of your program files have been
modified -- either by a virus or perhaps just by a stray
gamma ray.
7. DON'T PANIC if your computer starts acting weird. You might
have a virus, but then again you might not. Immediately
turn off all power to your computer and disconnect it from
any local area networks. Reboot from a write-protected copy
of your master DOS disk. Do NOT run any programs on a
"regular" disk -- you might activate a Trojan horse. If you
don't have adequate backups, try to bring them up-to-date.
(Yes, you might back up a virus as well, but it can't hurt
you if you don't use your normal programs.) Set your
backups off to the side. Only then can you safely hunt for
problems.
8. If you can't figure out the problem and you don't know what
to do next, just turn off your computer and call for help.
Consider calling a local computer group before you call for
an expert. If you need a professional, consider a regular
computer consultant first. (Some "virus removal experts"
charge prices far beyond their actual value.)
We'd appreciate it if you would mail us a copy of any Trojan
horse or virus you discover. (Be careful you don't damage the
data on your disks while trying to do this!) Include as much
information as you can and put a label on the disk saying it
contains a malicious program. Send it to Ross M. Greenberg, P.O.
Box 908, Margaretville, NY 12254. Thank you.
Ross M. Greenberg writes both shareware and retail virus
detection/removal programs. Rob Rosenberger writes various
phone productivity applications and lecturing software.
(Products are not mentioned by name because this isn't the
place for advertisements.) They each consult for national
computer magazines about the virus threat and lecture around
the country. These men communicated entirely by modem while
writing this treatise.
(c) 1988,93 Rob Rosenberger & Ross M. Greenberg
Rosenberger can be reached electronically on CompuServe as
[74017,1344], on GEnie as R.ROSENBERGE, on InterNet as
`74017.1344@compuserve.com', and on various national BBS linkups.
He serves as the lead sysop for CompuServe's SHAREWARE forum.
Greenberg can be reached on MCI and BIX and GEnie as `greenber',
on UseNet as `greenber@ramnet.com', and on CompuServe as
[72461,3212]. He serves as the lead sysop for GEnie's Virus &
Security RoundTable.
You may give copies of this treatise to anyone if you pass it
along in its entirety. Publications may reprint it in whole or
in part at no charge if they give due credit to the authors and
submit two copies to: Rob Rosenberger, P.O. Box 1115, O'Fallon,
IL 62269.
