tutorial.lst (IBM AntiVirus tutorial; from the IBM Aptiva Multimedia Exploration CD, Aptiva DEMO CD.iso, directory dos63; file dated 1993-12-31)
Introduction to computer viruses
--------------------------------
This section gives a brief introduction to computer viruses: what they
are, how they can spread, and what they can do.
What is a computer virus?
_________________________
A computer virus is a program that can "infect" other programs by
modifying them to include a (possibly "evolved") copy of itself.
Viruses can spread themselves, without the knowledge or permission of the
workstation users, to potentially large numbers of programs on many
machines. Viruses can also contain instructions that cause damage or
annoyance; the combination of possibly-damaging code with the ability to
spread is what makes viruses a considerable concern.
Viruses are not mysterious. They are just computer programs and only do
things that programs can do. However, unlike most other programs, they
are specifically designed to spread themselves.
Viruses can often spread without any readily visible symptoms. When a
virus is started on a workstation, it can run any instructions that its
author chooses to include. These instructions can be event-driven effects
(for example, triggered after a specific number of executions),
time-driven effects (triggered on a specific date, such as Friday the
13th or April 1st), or can occur at random.
Depending on the motives of the virus author, a virus might contain no
intentionally harmful or disruptive instructions at all. Even so, it can
cause damage simply by replicating itself and taking up scarce resources,
such as hard disk space, CPU time, or network connections. Some typical
things that current Personal Computer (PC) viruses do are:
* Display a message.
* Erase files.
* Scramble data on a hard disk.
* Cause erratic screen behavior.
* Halt the PC.
Many viruses do nothing obvious at all except spread! You cannot rely on
strange behavior to find viruses. The most reliable way to find viruses
is to use competent anti-virus software as discussed later.
The idea of computer viruses was first developed in its current form in
1983. Since then, people have written many viruses. Viruses are a
relatively new problem and require some new approaches to deal with them
effectively.
Although it is possible to write a virus for virtually any computer, the
viruses that are commonly spreading in the world today are limited to
microcomputers. There are no known viruses in circulation that run in
native sessions of IBM's OS/2, AIX, VM, MVS or OS/400 operating systems.
However, any of these operating systems that can run PC-DOS programs can
also spread PC-DOS viruses; this includes the DOS sessions of OS/2 and the
DOS Emulation Mode of AIX.
Infected files can be stored almost anywhere. They can be stored as files
on servers (such as OS/2 LAN servers, AIX LAN servers, or OS/400 network
"folders"). Even when they cannot run on the server machine, an infected
file on the server can be run by DOS machines on the network and can
spread the infection to them.
How do virus infections start?
______________________________
The viruses under discussion enter organizations (such as companies and
businesses) because an infected diskette or program is brought into that
organization. Unlike other security problems, viruses often spread from
system to system without anyone's knowledge. Viruses are usually spread
within an organization by innocent people going about their normal
business activities.
Here is an example. Suppose the organization hires an outside person to
come in and perform some work. Part of that person's work involves
working on one of the organization's personal computers or
microcomputers. The person brings in a few programs to aid in this work,
such as a favorite text editor.
Without the person having realized it, the text editor was infected by a
virus. By using that editor on one of the organization's machines, the
virus spread from the editor to one of the programs stored on the
organization's machine, perhaps to a spreadsheet program. The virus has
now entered the organization.
Even after the outside person took their personal programs when they
left, the virus remained on the machine that it infected in the
spreadsheet program. When another employee used that spreadsheet
subsequently, the virus spread to another program, such as a directory
listing program that the employee kept on the same diskette as the
spreadsheet data files. The listing program is now also infected. The
infection might spread to other computers to which this diskette is
taken or, if the employee's personal computer is connected to the
organization's network, the employee might send the listing program to
another user over the network. In either case, the virus can spread to
more users and more machines using diskettes or networks. Each copy of
the virus can make multiple copies of itself and can infect any program
to which it has access. As a result, the virus can spread widely in the
organization.
Each of the infected programs in each of the infected machines can start
whatever other instructions the virus author intended. If these
instructions are harmful or disruptive, the pervasiveness of the virus
causes the harm to be widespread.
How serious is the problem?
___________________________
Traditional security measures have attempted to limit the number of
security incidents to an acceptable level. A single incident of lost
files in a year might be an acceptable loss, for instance. Although this
is important, it only addresses part of the problem of viruses. Because a
single virus could potentially spread throughout an organization, the
damage it could cause might be much greater than what could be caused by
any individual computer user. The problem is that viruses modify software
in an uncontrolled way, which can damage the software. In addition, some
viruses actually tamper with data files and can damage the data.
Limiting the number of initial virus infections in an organization is
important, but it is often not feasible to prevent them entirely. As a
result, it is important to be able to deal with them when they occur.
The potential damage is indeed large. Our experience, however, is that by
using IBM AntiVirus and following the advice given here, most virus
incidents can be managed with little difficulty.
Anti-virus programs
-------------------
In this section, we discuss the principles and functions of anti-virus
programs. It is impossible to completely prevent systems from becoming
infected as long as new programs can be introduced on them or their
existing programs can be modified. It is also impossible to detect all
possible viruses without error. Therefore, it is always possible for
systems to become infected. It is important to plan for prevention to the
extent possible but equally important to plan for containment and
recovery of infections when they do occur.
What are anti-virus programs?
_____________________________
To understand anti-virus programs, it is useful to understand the basic
behavior of known viruses. Generally, all viruses insert copies of
themselves in one or more of the following:
* Program files (typically stored on diskettes or hard disks).
* Boot records (initialization areas on diskettes or hard disks).
Anti-virus programs take advantage of either the general characteristics
of all viruses (that they change file or boot records), or
characteristics of specific viruses or classes of viruses. The latter
kind of program examines the system for something characteristic of
either the behavior, or the appearance of specific viruses or classes of
viruses. When it finds something with one of these characteristics, it
can warn the user, try to prevent the virus from spreading, and so forth.
Techniques used by anti-virus programs
______________________________________
This section discusses some of the common techniques used by anti-virus
programs, their advantages and their limitations. It is intended as a
technical introduction for people who want to understand how anti-virus
programs work.
Scanning
________
When a virus is known and has been analyzed, it is possible to write a
program that detects any file or boot record that is infected with that
virus. In most cases, the detector can simply look for a pattern of bytes
found in the virus but not found in normal programs. Detectors that look
for these patterns of bytes are called scanners.
For many viruses, this pattern is a simple, sequential string of fixed
bytes. For other viruses, more complicated byte patterns are needed. Care
must be taken to ensure that the pattern of bytes is not also found in
normal programs, or the detector will report a virus when there is none.
Change detection
________________
Viruses must change files or boot records in order to infect them. A
program that notices when files and boot records change can be used to
detect viruses even if these viruses were not previously known. But files
and boot records change for many normal reasons unrelated to viruses. By
itself, change detection is of limited usefulness because it requires
users to understand which changes are normal and which changes indicate a
virus.
Heuristic analysis
__________________
Heuristic analysis attempts to detect viruses by watching for appearance
or behavior that is characteristic of some class of known viruses. It can
look in files for operations that viruses use but that are seldom used in
normal programs. Or it can watch for attempts to write to hard disks or
diskettes in unusual ways.
Like change detection, it can potentially detect whole classes of
viruses, but care must be taken to ensure that normal programs are not
identified as infected.
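The two techniques above combine naturally: a change detector keeps a baseline record for each program file, and a heuristic looks at how a changed file differs from its record rather than merely whether it changed. The following is an added example in Python, not code from this tutorial or from IBM AntiVirus. It constructs its own sample .COM files (a clean program, an ordinary rebuild of it, and a constructed change that mimics an appending infector; no real virus code is involved) and reports a file as suspicious only when the whole pattern of an appending infection is present: the file grew, its entry point now jumps into the appended region, the original entry bytes are saved there, and the rest of the original code is intact. The SHA-256 hash and the record layout are this example's choices, not the product's.

```python
import hashlib
import struct

# Constructed sample programs (not real software). A DOS .COM file is raw 8086
# code loaded at offset 0x100, so its first bytes are its entry point.
# CLEAN: mov ah,9 / mov dx,010Ch / int 21h / mov ax,4C00h / int 21h / "Hello$"
CLEAN = bytes([0xB4, 0x09, 0xBA, 0x0C, 0x01, 0xCD, 0x21,
               0xB8, 0x00, 0x4C, 0xCD, 0x21]) + b"Hello$"
# An ordinary rebuild of the same program with a longer message: it grows,
# but the code at the entry point is untouched.
REBUILT = CLEAN[:12] + b"Hello, world$"
# A constructed appending-infector change (no real virus code): the first
# three bytes become a JMP to a body appended at the end, and that body keeps
# the original three bytes so it could restore them before running the host.
_BODY = b"\x90" * 16 + CLEAN[:3] + b"\x00" * 8
INFECTED = b"\xE9" + struct.pack("<H", len(CLEAN) - 3) + CLEAN[3:] + _BODY


def fingerprint(data: bytes) -> dict:
    """Integrity record kept in the baseline for one program file."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        # The entry bytes and a hash of everything after them let the
        # heuristic distinguish an appended-infector change from a rebuild.
        "head": data[:3],
        "rest_sha256": hashlib.sha256(data[3:]).hexdigest(),
    }


def build_baseline(files: dict) -> dict:
    return {name: fingerprint(data) for name, data in files.items()}


def com_jump_target(data: bytes):
    """File offset a leading JMP rel16 (E9 xx xx) lands on, or None."""
    if len(data) >= 3 and data[0] == 0xE9:
        return 3 + struct.unpack_from("<h", data, 1)[0]
    return None


def classify(record: dict, data: bytes) -> str:
    """'unchanged', 'changed' (ordinary change) or 'suspicious' (virus-like)."""
    if hashlib.sha256(data).hexdigest() == record["sha256"]:
        return "unchanged"
    old_size = record["size"]
    signs = []
    if len(data) > old_size:
        signs.append("file grew")
    target = com_jump_target(data)
    if target is not None and old_size <= target < len(data):
        signs.append("entry point now jumps into the appended region")
    if record["head"] and record["head"] in data[old_size:]:
        signs.append("original entry bytes saved in the appended region")
    if hashlib.sha256(data[3:old_size]).hexdigest() == record["rest_sha256"]:
        signs.append("original code after the entry point is intact")
    # Growth alone is normal; report only the complete infection pattern.
    return "suspicious" if len(signs) == 4 else "changed"


def check_files(baseline: dict, files: dict) -> dict:
    """Map each file to its verdict; files absent from the baseline are 'new'.
    Only 'new', 'changed' and 'suspicious' files need a known-virus scan."""
    return {name: (classify(baseline[name], data) if name in baseline else "new")
            for name, data in files.items()}


def demo() -> dict:
    baseline = build_baseline({"HELLO.COM": CLEAN, "EDIT.COM": CLEAN})
    return check_files(baseline, {"HELLO.COM": INFECTED,
                                  "EDIT.COM": REBUILT,
                                  "NEW.COM": CLEAN})


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10} {verdict}")
```

A rebuilt program that merely grew is reported as changed, not suspicious, which is the false-alarm discipline the text asks for. Two practical caveats: the baseline must be kept where a virus cannot rewrite it (a write-protected diskette or a signed file), or the integrity check verifies nothing; and a scanner that examines only new and changed files, as described later in this tutorial, inherits whatever trust the baseline deserves.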
Verification
____________
The above techniques can indicate that a file or boot record is infected
with a virus, but by themselves they cannot be sure nor can they identify
with certainty which virus it is. Programs that perform this
identification task are called verifiers. Verifiers can be written for
known viruses after careful analysis of them.
Disinfection
____________
When a virus is found in a file or boot record, it might be possible to
remove it and restore the file or boot record to its original, uninfected
state. This process is called disinfection.
Some viruses damage the files or boot records that they infect so that it
is not possible to disinfect them successfully. It is also possible for
two different viruses to be identified as the same virus by a scanner and
for a disinfector to work correctly on one virus but not the other.
Because disinfectors change your programs, they must be very reliable.
Resident and non-resident operation
___________________________________
The techniques discussed above can be used in a variety of ways. One
common way for them to be used is in programs that examine everything on
your disks, trying to find and eliminate viruses. Another common use is
in resident programs in DOS that are always actively monitoring your
system for viruses.
Resident programs have the advantage of checking programs for infection
every time you run them. Unless they are carefully constructed, they can
cause delays in program loading and execution.
Non-resident programs have the advantage of looking for and dealing with
viruses on your entire system at one time. They serve as a complementary
function to resident programs.
Automated operation
___________________
If users have to remember to run an anti-virus program periodically,
experience has shown that they will forget, increasing their risk of
infecting their systems with a virus and of spreading the virus to other
systems.
A better approach is to make sure that the anti-virus program operates
automatically. Such programs protect the system without requiring you to
take any explicit action. This protection can be accomplished by
installing resident anti-virus programs when the system is started and by
running non-resident programs, either at startup or periodically at a
specified time.
Prevention and detection
________________________
Detecting that a virus exists and determining what is infected are
important first steps in taking corrective action in a virus incident.
Preventing a virus from spreading is important in limiting the size of
the infection.
Missing viruses and false alarms
________________________________
In general, it is impossible to detect all viruses that might ever exist
and never make mistakes. Virus detectors will always fail to detect some
viruses, incorrectly claim that a normal program is infected, or both.
This is not a limitation of current technology; it can be proven
mathematically that no program can detect every possible virus without
ever making a mistake. Any claim that a program can detect all possible
viruses and never make mistakes is untrue.
It is possible, on the other hand, to correctly identify infections from
all viruses that we currently know. It is also possible to detect large
classes of viruses without making mistakes. By carefully balancing
accurate detection with techniques for avoiding false alarms, the risk
due to viruses can be drastically reduced.
Techniques used by IBM AntiVirus
________________________________
This section discusses the techniques used by IBM AntiVirus to provide
you with extremely reliable virus protection.
Change detection and fuzzy scanning
___________________________________
IBM AntiVirus uses change detection for two purposes. The first is as a
starting point for heuristic analysis to detect new viruses, which is
discussed in the next section. The second is to make known-virus
detection faster.
Viruses must change files or boot records in order to infect them. If a
file did not have a virus yesterday when we checked it and if we know
that the file has not changed, then we know that it does not have a virus
today. As it is normally used, IBM AntiVirus only looks in changed and
new files for the viruses that it knows about. It is faster to see if a
file has changed or is new than it is to examine it for known viruses.
This process speeds up the check. (All specified boot records and files
are checked for changes and other features, even if they are not examined
for known viruses.)
When IBM AntiVirus looks in files and boot records for known viruses, it
uses a technique called "fuzzy scanning." This scanning technology used
by IBM AntiVirus looks for sequences of bytes that indicate the presence
of a virus, as do most scanners. In addition, it recognizes when the
sequence of bytes is almost (but not exactly) matched. An inexact match
is likely to indicate the presence of a variant of a known virus, and IBM
AntiVirus reports the file or boot record as probably infected when it
shows you the virus infection report. You will be given the opportunity
to remove any such virus.
This technique allows IBM AntiVirus to detect, and correctly identify, a
wide range of new virus variants. Without additional measures, this
"fuzzy matching" could lead to more false alarms. IBM AntiVirus keeps its
identifications highly reliable by advanced false alarm elimination,
which is discussed in a subsequent section.
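As an added example covering both the plain scanning described earlier and the fuzzy scanning described here (it is not IBM AntiVirus code, and the patterns, file contents and virus names are constructed for the example): a scanner that searches files for byte patterns with wildcard positions, counts how many pattern bytes fail to match at the best alignment, and reports an exact match as infected and a near match as probably infected, the way the text says a variant is reported.

```python
from typing import Optional

# Constructed search patterns (not real virus signatures). Each is a list of
# byte values; None is a wildcard for a position that varies between
# infections, the "more complicated byte pattern" case.
SIGNATURES = {
    "Sample.A": [0xB8, 0x00, 0x42, 0xCD, 0x21, 0x72, None, 0xB4, 0x40, 0xB9, 0x34, 0x12],
    "Sample.B": [0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB, 0x8E, 0xD8, 0xA1, 0x13, 0x04],
}

# Constructed files to scan: a host carrying Sample.A exactly, a variant of it
# in which one constant differs, and a file that contains no pattern at all.
HOST = (b"\x90" * 20
        + bytes([0xB8, 0x00, 0x42, 0xCD, 0x21, 0x72, 0x05, 0xB4, 0x40, 0xB9, 0x34, 0x12])
        + b"\x90" * 8)
VARIANT = HOST.replace(b"\xB9\x34\x12", b"\xB9\x35\x12")
CLEANFILE = b"\x90" * 40


def mismatches_at(data: bytes, offset: int, pattern: list) -> Optional[int]:
    """Number of non-wildcard pattern bytes that differ from data at offset."""
    if offset + len(pattern) > len(data):
        return None
    return sum(1 for i, b in enumerate(pattern)
               if b is not None and data[offset + i] != b)


def best_match(data: bytes, pattern: list):
    """(mismatches, offset) for the closest alignment of pattern in data, or None."""
    best = None
    for off in range(len(data) - len(pattern) + 1):
        n = mismatches_at(data, off, pattern)
        if best is None or n < best[0]:
            best = (n, off)
            if n == 0:          # an exact hit cannot be improved on
                break
    return best


def scan(data: bytes, signatures: dict = SIGNATURES, max_mismatches: int = 2) -> list:
    """Return [(virus, verdict, offset)] for every pattern that matches exactly
    ("infected") or nearly ("probably infected": a likely variant)."""
    results = []
    for name, pattern in signatures.items():
        hit = best_match(data, pattern)
        if hit is None:
            continue
        n, off = hit
        if n == 0:
            results.append((name, "infected", off))
        elif n <= max_mismatches:
            results.append((name, "probably infected (variant)", off))
    return results


if __name__ == "__main__":
    for label, data in [("HOST", HOST), ("VARIANT", VARIANT), ("CLEANFILE", CLEANFILE)]:
        print(label, scan(data))
```

The mismatch allowance is the whole trade-off: a generous allowance finds more variants but lets short patterns match normal code, which is why fuzzy matching depends on the false-alarm elimination described later in this tutorial. Real scanners also do not search every offset of every file; they look where a given virus is known to put its body, such as at the entry point, which is both faster and harder to fool.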
IBM AntiVirus heuristic analysis
________________________________
IBM AntiVirus is not limited to detecting viruses that we already know
about. It uses heuristic analysis to detect previously unknown viruses as
well. It looks for patterns of changes in files, and for features of
programs, that are typical of large classes of known DOS viruses. If it
finds anything that matches these criteria, IBM AntiVirus will report the
files or boot records as "suspicious" when it shows you the virus
infection report. You will be given the opportunity to erase/overwrite
any such suspicious file.
IBM AntiVirus heuristic analysis has been carefully designed to avoid
false alarms. It does not report boot records or files as suspicious just
because they have changed. Boot records and files change on computers all
the time for reasons unrelated to viruses. It only reports files as
suspicious if their pattern of change is typical of virus infections.
Verification before disinfection
________________________________
When IBM AntiVirus finds what appears to be a known virus, it checks
every relevant byte of the virus to determine that it is exactly as
expected. This check is very important. If the virus can be verified to
be the one expected, then the file or boot record can often be
disinfected safely. If the virus turns out to be different, it might have
changed the file or boot record in unexpected ways. Attempting to
disinfect it could result in a damaged file or boot record.
IBM AntiVirus does not attempt disinfection if it will result in damaged
files or boot records. Instead, it gives you the option of
erasing/overwriting the infected files or boot records. In cases where
disinfection could result in damaged files, but it might not, IBM
AntiVirus records this fact in the log file of your IBM AntiVirus
session. You can then examine these programs in more detail and determine
whether you should restore them from backups.
Some viruses damage programs that they infect and make it impossible to
disinfect them safely. IBM AntiVirus recognizes these cases and deals
with them properly. When it disinfects files and boot records, IBM
AntiVirus does everything it can to make sure you are not left with
malfunctioning programs.
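The verification and disinfection sections earlier, and this one, describe the same discipline: every relevant byte of the suspected virus is checked against what the analysed virus looks like, and disinfection proceeds only when that check passes. The following added example (Python, not IBM AntiVirus code) shows it for a fictional appending .COM infector whose body, layout and variable positions are constructed for the example. The verifier masks the bytes that legitimately differ between infections (an infection counter and the saved host bytes), compares everything else as a whole, and the disinfector restores the host's original three bytes and truncates the body, or refuses when the body is not exactly the one expected.

```python
import hashlib
import struct

# Constructed host program (not real software): mov ah,9 / mov dx,010Ch /
# int 21h / mov ax,4C00h / int 21h / "Hello$".
CLEAN = bytes([0xB4, 0x09, 0xBA, 0x0C, 0x01, 0xCD, 0x21,
               0xB8, 0x00, 0x4C, 0xCD, 0x21]) + b"Hello$"

# Constructed image of a fictional 32-byte appending .COM infector body, as a
# verifier would record it after analysis. Variable positions (an infection
# counter at 4-5 and the host's saved entry bytes at 24-26) are zero here.
_TEMPLATE = bytes([0xE8, 0x00, 0x00, 0x5D, 0x00, 0x00, 0xB4, 0x40, 0xB9, 0x20, 0x00,
                   0x8D, 0x96, 0x00, 0x00, 0xCD, 0x21, 0xB8, 0x00, 0x4C, 0xCD, 0x21,
                   0x90, 0x90]) + b"\x00" * 8


def normalize(body: bytes, variable: set) -> bytes:
    """Zero the bytes that legitimately differ between infections."""
    return bytes(0 if i in variable else b for i, b in enumerate(body))


VIRUS = {
    "name": "Sample.A",
    "length": len(_TEMPLATE),
    "saved_bytes_at": 24,
    "variable": {4, 5, 24, 25, 26},
    "body_sha256": hashlib.sha256(_TEMPLATE).hexdigest(),
}


def make_infected(host: bytes, counter: int, body_template: bytes = _TEMPLATE) -> bytes:
    """Constructed infected sample: JMP to an appended body that keeps host[:3]."""
    body = bytearray(body_template)
    body[4:6] = struct.pack("<H", counter)
    body[24:27] = host[:3]
    return b"\xE9" + struct.pack("<H", len(host) - 3) + host[3:] + bytes(body)


INFECTED = make_infected(CLEAN, counter=7)
# A different variant: one instruction byte changed (the mov cx count at 9).
# A fuzzy scanner would still call it Sample.A; the verifier must not.
VARIANT = make_infected(CLEAN, counter=7,
                        body_template=_TEMPLATE[:9] + b"\x40" + _TEMPLATE[10:])


def verify(data: bytes, virus: dict):
    """Check every relevant byte of the suspected virus body.
    Returns (True, body_offset) only when the body is exactly as expected."""
    if len(data) < virus["length"] + 3 or data[0] != 0xE9:
        return False, None
    body_offset = 3 + struct.unpack_from("<h", data, 1)[0]
    if body_offset != len(data) - virus["length"]:
        return False, None      # JMP does not land where this virus puts its body
    body = normalize(data[body_offset:], virus["variable"])
    if hashlib.sha256(body).hexdigest() != virus["body_sha256"]:
        return False, None      # something differs: not the virus we analysed
    return True, body_offset


def disinfect(data: bytes, virus: dict):
    """Restore the host, or return None rather than guess when verification
    fails (the caller should then offer to erase or restore from backup)."""
    ok, off = verify(data, virus)
    if not ok:
        return None
    at = off + virus["saved_bytes_at"]
    host = bytearray(data[:off])    # drop the appended body
    host[0:3] = data[at:at + 3]     # put the original entry bytes back
    return bytes(host)


if __name__ == "__main__":
    print("infected verifies:", verify(INFECTED, VIRUS))
    print("disinfected == clean:", disinfect(INFECTED, VIRUS) == CLEAN)
    print("variant verifies:", verify(VARIANT, VIRUS))
```

The variant differs from the recorded body in a single instruction byte. A fuzzy scanner would still name it Sample.A, but nothing guarantees it keeps the saved host bytes at the same offset, so restoring from the expected position could write the wrong bytes over the entry point; refusing and logging is the safe outcome the text describes. Keep a copy of the original file before disinfecting in any case.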
Thorough examination
____________________
When you do an initial check for viruses, you might be checking only some
of the files or drives on your system. For instance, you might check only
program files, because viruses do not typically infect any other files.
Checking only program files is how IBM AntiVirus is normally used and is
a good way to minimize the time it takes to do an initial check.
If the initial check finds a virus, it is possible there are files you
have not yet checked that are also infected. When you do not find all of
the infected files and boot records, it is very likely the virus will
continue to spread on your system and perhaps spread to other systems as
well.
When IBM AntiVirus finds a virus during the initial check, it can then
check your entire system thoroughly. It checks all files on all local
fixed disks, even if they have not changed, and lets you eliminate any
viruses found.
If your system is infected, it is likely that the virus came from a
diskette recently or that you have accidentally spread the virus to a
diskette. IBM AntiVirus reminds you to check all diskettes that you might
have used recently, and lets you eliminate any viruses you find on them.
This check is an important step to take to stop the local spread of the
virus.
Install and forget operation
____________________________
IBM AntiVirus is designed to do the correct thing automatically. You do
not need to develop a detailed understanding of viruses or anti-virus
technology for IBM AntiVirus to protect your system.
Unless you change the default settings for IBM AntiVirus, your system will
be checked periodically for viruses, and known viruses that attempt to
spread in DOS will be detected and stopped. You are notified of any
viruses that are found and are given recommendations about what to do.
Advanced false alarm elimination
________________________________
Anti-virus programs should both reduce the risk of your system being
affected by a virus and avoid bothering you if you do not have a virus.
IBM AntiVirus uses a variety of techniques to ensure that known viruses
are found and removed reliably and that variants and unknown viruses are
likely to be found as well.
IBM has gone to great lengths to eliminate false alarms from IBM
AntiVirus. IBM AntiVirus is tested on a collection of several hundred
megabytes of normal (uninfected) programs to help ensure that common
programs are not identified as infected. However, this is not enough. It
is impossible to have every program in the world in this collection so
there might be a program somewhere that causes problems.
To help solve this problem, IBM has developed an advanced statistical
model to characterize what normal programs look like. All virus search
patterns used by IBM AntiVirus are tested against this model and any that
have too high a chance of being found in normal programs are rejected,
even if they are not found in any of the normal programs in the test
collection.
Finally, IBM's internal Personal Computers (PCs) are used as a test
population. IBM has over 250,000 PCs. We test IBM AntiVirus on a large
number of these PCs before releasing it to help ensure that any problems
are found and corrected before you ever see them.
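As an added example of the two checks this section describes (it is not IBM's model or code; the clean collection, the candidate patterns and the installed-base size are constructed for the example): a candidate search pattern is first looked for in a collection of known-clean programs, and then scored against a byte-bigram model trained on that collection, which estimates how often the pattern would appear by chance across an assumed total of program bytes on the installed base. A pattern that the collection happens not to contain can still be rejected when the model says it is too likely to turn up in normal code.

```python
import math
from collections import Counter

# Constructed "clean collection": tiny stand-ins for the hundreds of megabytes
# of uninfected programs the text describes. They share the idioms real DOS
# programs share (the exit call B8 00 4C CD 21, NOP and zero padding, text).
CLEAN_COLLECTION = [
    bytes([0xB4, 0x09, 0xBA, 0x0C, 0x01, 0xCD, 0x21, 0xB8, 0x00, 0x4C, 0xCD, 0x21])
    + b"Hello$" + b"\x00" * 4,
    bytes([0xB4, 0x09, 0xBA, 0x10, 0x01, 0xCD, 0x21, 0xB8, 0x00, 0x4C, 0xCD, 0x21, 0x90, 0x90])
    + b"Goodbye$" + b"\x00" * 4,
    b"\x90" * 8 + bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21]) + b"\x00" * 4,
    bytes([0xBA, 0x20, 0x01, 0xB4, 0x09, 0xCD, 0x21, 0xC3]) + b"Copyright 1993$" + b"\x00" * 4,
]


def occurs_in(data: bytes, pattern: list) -> bool:
    """True if pattern (None = wildcard byte) appears anywhere in data."""
    n = len(pattern)
    return any(all(p is None or data[i + j] == p for j, p in enumerate(pattern))
               for i in range(len(data) - n + 1))


class ByteModel:
    """First-order (byte-bigram) model of what normal programs look like,
    Laplace-smoothed so unseen bytes get a small but non-zero probability."""

    def __init__(self, samples):
        self.uni, self.bi, self.prev = Counter(), Counter(), Counter()
        self.total = 0
        for s in samples:
            self.uni.update(s)
            self.total += len(s)
            for a, b in zip(s, s[1:]):
                self.bi[(a, b)] += 1
                self.prev[a] += 1

    def log_prob(self, pattern: list) -> float:
        """log10 of the probability that pattern occurs at one given offset."""
        lp, prev = 0.0, None
        for b in pattern:
            if b is None:               # wildcard: any byte, and it breaks the chain
                prev = None
                continue
            if prev is None:
                p = (self.uni[b] + 1) / (self.total + 256)
            else:
                p = (self.bi[(prev, b)] + 1) / (self.prev[prev] + 256)
            lp += math.log10(p)
            prev = b
        return lp


def vet_signature(pattern: list, collection: list, model: ByteModel,
                  corpus_bytes: float = 1e13, max_expected_hits: float = 0.01) -> str:
    """Accept a candidate search pattern only if it is absent from the clean
    collection AND unlikely to occur by chance across the installed base
    (corpus_bytes is an assumed total of program bytes on all protected PCs)."""
    if any(occurs_in(data, pattern) for data in collection):
        return "rejected: found in clean collection"
    expected = corpus_bytes * 10 ** model.log_prob(pattern)
    if expected > max_expected_hits:
        return f"rejected: about {expected:.2g} chance hits expected in normal programs"
    return "accepted"


MODEL = ByteModel(CLEAN_COLLECTION)
EXIT_SEQUENCE = [0xB8, 0x00, 0x4C, 0xCD, 0x21]   # the standard DOS exit call
ZERO_RUN = [0x00] * 8                            # absent from the collection, but common padding
SPECIFIC = [0x2E, 0xA3, None, 0x01, 0xFC, 0x8B, 0xF7, 0xE8, 0x00, 0x00]

if __name__ == "__main__":
    for label, pat in [("exit sequence", EXIT_SEQUENCE), ("zero run", ZERO_RUN),
                       ("specific", SPECIFIC)]:
        print(f"{label:14} {vet_signature(pat, CLEAN_COLLECTION, MODEL)}")
```

The zero run is the instructive case: it is absent from the collection, so the first check passes, yet the model rates it so likely that hundreds of chance hits would be expected, and it is rejected. A real model is trained on far more data and may use longer contexts, but the decision rule is the same: reject any pattern whose expected number of chance hits in normal programs is not negligible.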
DOS shielding
_____________
DOS viruses that infect program files spread when those programs are
started under DOS. If you have installed DOS shielding, IBM AntiVirus
will warn you when a program that you are running is infected with
common, known viruses. In addition, it prevents these viruses from
spreading and lets you run the program as if it were not infected at all.
This has two important benefits. First, you can usually run your critical
applications even if you have just discovered that they are infected. It
is not necessary to shut down your system and deal with the virus
immediately (though it is a good idea). Second, you can usually run IBM
AntiVirus from your fixed disk, even if the system is infected. It is
seldom necessary to shut your system down and restart from a diskette to
handle a virus infection. Instead, you can tell IBM AntiVirus to remove
the virus and quickly go on with what you were doing. This ability makes
it more likely that the infection is taken care of quickly and safely.
To view the list of viruses that IBM AntiVirus knows about, select Virus
descriptions from the Help pull-down on the main window. Then select List
of viruses detected by IBM AntiVirus from the help screen. Viruses that
are prevented by the shield are marked on this list.
Intelligent incident management
_______________________________
IBM AntiVirus is based on IBM's years of experience in handling virus
incidents around the world. Dealing with viruses correctly and safely
without the proper training can be difficult. We have built our
anti-virus expertise right into IBM AntiVirus so that you can protect
your systems from viruses without becoming a virus expert.
IBM AntiVirus provides default settings that offer the right protection
for most systems. If a virus is found, IBM AntiVirus will lead you
through the proper steps to remove the virus from your system.
IBM AntiVirus products and services
-----------------------------------
IBM AntiVirus products and services are available in several countries
around the world. The details of IBM AntiVirus Services differ from
country to country; they typically offer:
* Site licenses for IBM AntiVirus/DOS and IBM AntiVirus/2, including
regular updates.
* Support for distributing and installing IBM AntiVirus from LAN servers.
* Support for restricting end users from having IBM AntiVirus remove
viruses, while permitting anti-virus personnel to do so.
* Site license for the IBM Virus Information Manual, a document that
describes known viruses and discusses successful enterprise strategies
for limiting their spread.
* Assistance in managing virus incidents.
For more information, please consult the list below. In countries that
are not yet listed, please contact your IBM Marketing Representative for
more information.
Canada          For information on IBM AntiVirus Services, call (416) 946-3786.
Denmark         For information on IBM AntiVirus Services, call (+45) 45 93 45 45.
Netherlands     For information on IBM AntiVirus Services, call ++31 30 383816.
United Kingdom  For information on IBM AntiVirus Services, call Basingstoke (0256) 344558.
United States   For single copies of IBM AntiVirus/DOS or IBM AntiVirus/2, call (800) 551-3579.
                For information on site licensing and IBM AntiVirus Services, call (800) 742-2493.
For further reading
-------------------
The following recommended reading is for those who want more information
about viruses and related topics:
1. Fred Cohen, "Computer Viruses: Theory and Experiment", Computers and
Security, Vol. 6 (1987) pp. 22-35. This is the first paper that
defined viruses in the form that they appear today.
2. Communications of the ACM, Vol. 32 No. 6 (June 1989) has several good
articles on the Internet Worm incident.
3. Lance J. Hoffman (ed.), Rogue Programs: Viruses, Worms, and Trojan
Horses, Van Nostrand Reinhold, New York (1990), ISBN 0-442-00454-0.
This book is a very good collection of articles spanning many aspects
of the virus problem.
4. Virus Bulletin, published by Virus Bulletin Ltd., 21 The Quadrant,
Abingdon Science Park, Abingdon, Oxfordshire OX14 3YS, England, UK.
This monthly newsletter can help technical personnel keep up with the
PC virus field.