-
-
-
-
-
-
-
- Computer Viruses and Trojan Horses;
- A Guide to Protecting Your Computer
-
- by Ted Landberg
- 3/8/88
-
-
- This bulletin discusses software called viruses and trojan horses
- and what precautionary steps you should take to prevent harm to
- your computer-based information.
-
-
- Introduction
-
- Recent newspaper and magazine articles have publicized several
- incidents of malicious software known as computer viruses and
- trojan horses. Serious questions are being raised about how
- computer-based information can be protected from this type of
- software. Presently, there are no absolute safeguards against this
- malicious software short of isolating your computers. However,
- adequate protection can be achieved by employing a combination of
- traditional safeguards and some common sense about where and from
- whom you get software.
-
-
- What is a virus?
-
- A computer virus has been described as a set of "extra" computer
- instructions capable of replicating itself into other files,
- usually programs. This self-replicating code is hidden in a
- "host" program, referred to as a trojan horse. When the "host"
- program is executed, so are the "extra" instructions. A program
- can be a trojan horse, i.e. have "extra" instructions, that may
- or may not be a virus (self-replicating).
-
- Trojan horses and viruses can be malicious. Examples of
- malicious action include deleting data files, or rendering
- computer systems unavailable by modifying software libraries.
- This type of software presents a distinct threat to the
- integrity of computer systems.
-
-
- How do these virus programs enter a computer system?
-
- Generally, viruses enter a computer system by using an appealing
- program as a 'host' to harbor the self-replicating computer
- instructions. The host can be one of the operating system tools
- such as compilers, editors, file utilities or one of the
- embedded macro languages found in spreadsheets or data base
- management software, and sometimes even in games.
-
-
- 1 Computer Viruses
-
-
-
-
-
- Distribution of malicious software depends on getting an
- unsuspecting user to accept a program where visual inspection of
- the product is difficult, and the author or source can remain
- anonymous. Public or private conferencing systems, timesharing
- networks and electronic bulletin boards as well as user group
- software exchanges and computer "flea markets" meet these
- requirements.
-
-
- What should I do to protect myself?
-
- Isolating the computer system from contact with outside sources
- of software is the best way to ensure the integrity of the
- system. This is very difficult for multi-user systems and not a
- particularly attractive solution if the computer is going to
- continue to be useful over time.
-
- One alternative approach is to detect the existence of malicious
- or self-replicating computer instructions. This requires some
- knowledge of the target of the attack and the means used by a
- virus to self replicate. A generic solution is difficult, but
- several programs have been developed for identifying certain
- types of computer instructions that could present risks.
-
- These programs check for extraneous file operations including
- opens, closes, reads and writes that bypass operating system
- functions. A partial list of available software products is
- found in Appendix A.
-
- Another solution is to stop the virus from replicating by
- preventing the rewriting of 'infected' files. Confining programs
- to libraries on storage devices with 'write disable' hardware is
- one approach. Many large scale computer peripheral devices have
- such a switch; however, these features are rarely found on
- desktop computers. An alternative to a hardware 'write disable'
- switch is a software 'read only' feature. Unfortunately, these
- options are found only on mini and mainframe computer operating
- systems. The "read-only" attribute in MS-DOS is not an effective
- protection mechanism because File Allocation Tables (FAT) can be
- changed from user written programs.
-
- Popular microcomputer operating systems allow execution of
- computer instructions that can directly address and operate
- storage devices bypassing normal operating system calls. Thus
- there is a constant exposure of disk storage devices and their
- file directories to destruction or modification.
-
- A Five Point Program
-
- There is no single set of solutions. Each installation must
- assemble its own procedures for containing the problem. However,
- this five-step process is suggested.
-
- 1. Education
-
- All users of computers should be told about the existence of
- Trojan Horses and Computer Viruses, what they are and how
- to tell whether their system has been infected. Be frank
- when discussing the threat of computer viruses.
-
- 2. Backup and recovery procedures.
-
- Develop easy procedures for routine backup of important
- computer files. Make backup hardware (i.e. tape units)
- readily available to all users. Users connected to LANs
- should use automatic backup features. Suggest file
- organization structures that facilitate backup and recovery
- of disks that have been ruined by computer viruses.
-
- 3. Isolate Software Libraries
-
- On larger computer systems, consolidate libraries into 'Read
- Only' directories. In general, system or shared software
- should have limited update and write attribute privileges.
-
- 4. Implement Software Library Management Procedures
-
- Enforce program testing, version control, and quality
- assurance checking for all software libraries. Use software
- library management tools to control and audit programs.
- Assign responsibility for testing public domain software and
- providing "approved" copies of that kind of software. Know
- the source of software, inspect distribution media and
- documentation for tampering, and develop a "master copy"
- system.
-
- 5. Develop a Virus Alert Procedure
-
- Getting the word out about potential or known viruses can
- contain or minimize the eventual spread and harmful effects
- of a computer virus. Notices, telephone trees to ADP
- coordinators, phone or electronic mail are all good
- vehicles. Procedures for containment and eradication should
- be thought out beforehand. These procedures usually
- require shutting the system down, reformatting disk or tape
- storage media and rebuilding software libraries with
- known uninfected copies.
-
- Appendix A
-
-
- Virus Detection Tools
-
-
-
- All software listed below is in the public domain and available
- from the NBS/ICST Security Bulletin Board (301) 948-5717 or
- 5718.
-
-
-
- CHK4BOMB Checks for "write" instructions to absolute
- disk sectors.
-
-
- BOMBSQUAD A memory resident program that intercepts
- reads, writes and verifies to floppy or hard
- disks. Sends a message on suspected
- operations.
-
-
- FLUSHOT3 Monitors COMMAND.COM file for writes and
- updates. Will not allow a write to the
- COMMAND.COM file. Note: some earlier
- versions of this program had their own virus
- in them.
-
-
- HDSENTRY Protects hard disks from malicious writes
- during testing of uncertified software.
-
-
- EARLY Checks programs for use of the OUT
- instruction, INT 13H and DOS INT 26H.
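
The kind of check the CHK4BOMB and EARLY entries describe can be sketched as a byte-pattern scan of a program image for INT 13H, INT 26H and OUT encodings. This is an added example, not code from the bulletin or from any of the listed tools; the function names, the 8-byte look-back for MOV AH and the sample bytes are assumptions made for illustration.

```python
# Added example (not from the bulletin or the listed tools).
# x86 real-mode encodings: INT n = CD nn; OUT = E6/E7 (port in the next
# byte) or EE/EF (port in DX).
INT_PATTERNS = {
    0x13: "INT 13H (BIOS disk services)",
    0x26: "INT 26H (DOS absolute disk write)",
}
OUT_OPCODES = {0xE6: "OUT imm8,AL", 0xE7: "OUT imm8,AX",
               0xEE: "OUT DX,AL", 0xEF: "OUT DX,AX"}
# INT 13H functions (value in AH) that modify the disk.
INT13_WRITE_FUNCS = {0x03: "write sectors", 0x05: "format track"}
LOOKBACK = 8  # assumption: how far back to look for MOV AH,imm8 (B4 nn)

def preceding_ah(image, int_offset):
    """Operand of the nearest MOV AH,imm8 within LOOKBACK bytes, else None."""
    start = max(0, int_offset - LOOKBACK)
    for j in range(int_offset - 2, start - 1, -1):
        if image[j] == 0xB4:
            return image[j + 1]
    return None

def scan_image(image):
    """Return (offset, description) findings in offset order."""
    findings, i = [], 0
    while i < len(image):
        b = image[i]
        nxt = image[i + 1] if i + 1 < len(image) else None
        if b == 0xCD and nxt in INT_PATTERNS:
            desc = INT_PATTERNS[nxt]
            func = preceding_ah(image, i) if nxt == 0x13 else None
            if func in INT13_WRITE_FUNCS:
                desc += ", AH=%02XH %s" % (func, INT13_WRITE_FUNCS[func])
            findings.append((i, desc))
            i += 2
            continue
        if b in OUT_OPCODES:
            findings.append((i, OUT_OPCODES[b]))
        i += 1
    return findings

# Constructed sample: a few hand-assembled instructions, not a real program.
SAMPLE = bytes([
    0xB4, 0x09, 0xBA, 0x20, 0x01, 0xCD, 0x21,  # DOS print call, not flagged
    0xB4, 0x03, 0xB0, 0x01, 0xCD, 0x13,        # MOV AH,03H ... INT 13H
    0xB0, 0x02, 0xCD, 0x26,                    # INT 26H
    0xE6, 0x70,                                # OUT 70H,AL
    0xC3,                                      # RET
])
```

Matching bytes without disassembling the program also flags data that happens to contain these values, and it cannot see instructions that are assembled or decoded at run time, so each finding is a prompt for inspection rather than a verdict.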