-
- Computer Virus Myths
- (10th Edition: October 4, 1993)
-
- by Rob Rosenberger
- with Ross M. Greenberg
-
-
- A number of myths have surfaced about the threat of computer
- "viruses." There are myths about how widespread they are, how
- dangerous they are, and even myths about what a computer virus
- really is. We want you to know the facts.
-
- The first thing you need to learn is that a computer virus falls
- in the realm of malicious programming techniques known as "Trojan
- horses." All viruses are Trojan horses, but relatively few
- Trojan horses can be called a virus.
-
- That having been said, it's time to go over the terminology we
- use when we lecture:
-
- BBS: Bulletin Board System. If you have a modem, you can call a
- BBS and leave messages, transfer computer files back & forth,
- and learn a lot about computers. (What you're reading right
- now, for example, most likely came to you from a BBS.)
-
- Bug: an accidental flaw in the logic of a program which makes it
- do things it shouldn't be doing. Programmers don't mean to put
- bugs in their programs, but they always creep in. Programmers
- often spend more time "debugging" programs than they do writing
- them in the first place. Inadvertent bugs have caused more data
- loss than all viruses combined.
-
- Hacker: someone who really loves computers and who wants to push
- them to the limit. Hackers have a healthy sense of curiosity:
- they try doorknobs just to see if they're locked, for example.
- They also love to tinker with a piece of equipment until it's
- "just right." The entire computer revolution itself is largely
- a result of hackers.
-
- Shareware: a distribution method for quality software available
- on a "try before you buy" basis. You must pay for it if you
- continue using it after the trial period. Shareware authors let
- you download their programs from BBSs and encourage you to give
- evaluation copies to friends. Many shareware applications rival
- their retail-shelf counterparts at a fraction of the price.
- (You must pay for the shareware you continue to use --
- otherwise you're stealing software.)
-
-
-
- (c) 1988,93 Rob Rosenberger & Ross M. Greenberg Page 1 of 10
-
- Trojan horse: a generic term describing a set of computer
- instructions purposely hidden inside a program. Trojan horses
- tell programs to do things you don't expect them to do. The
- term comes from the legendary battle in which the ancient city
- of Troy received a large wooden horse to commemorate a fierce
- battle. The "gift" secretly held enemy soldiers in its belly
- and, when the Trojans rolled it into their fortified city, ....
-
- Virus: a term for a very specialized Trojan horse which spreads
- to other computers by secretly "infecting" programs with a copy
- of itself. A virus is the only type of Trojan horse which is
- contagious, much like the common cold. If a Trojan horse
- doesn't meet this definition, then it isn't a virus.
-
- Worm: a term similar to a Trojan horse, but there is no "gift"
- involved. If the Trojans had left that wooden horse outside the
- city, they wouldn't have been attacked from inside the city.
- Worms, on the other hand, can bypass your defenses without
- having to deceive you into dropping your guard. An example
- would be a program designed to spread itself by exploiting bugs
- in a network software package. Worms usually come from someone
- who has legitimate access to the computer or network.
-
- Wormers: what we call people who unleash Trojan horses onto an
- unsuspecting public. Let's face it, these people aren't angels.
- What they do hurts us. They deserve our disrespect.
-
- Viruses, like all Trojan horses, purposely make a program do
- things you don't expect it to do. Some viruses will just annoy
- you, perhaps only displaying a "Peace on earth" greeting. The
- viruses we worry about will try to erase your data (the most
- valuable asset of your computer!) and waste your valuable time in
- recovering from an attack.
-
- Now you know the differences between a bug and a Trojan horse and
- a virus. Let's get into some of the myths:
-
- "All purposely destructive code spreads like a virus."
- Wrong. Remember, "Trojan horse" describes purposely destruc-
- tive code in general. Very few Trojan horses actually qualify as
- viruses. Newspaper & magazine reporters tend to call almost any-
- thing a virus because they often have no real understanding of
- computer crime.
-
- "Viruses and Trojan horses are a recent phenomenon."
- Trojan horses have existed since the first days of the com-
- puter; hackers toyed with viruses in the early 1960s as a form of
- amusement. Many different Trojan horse techniques have emerged
- over the decades to embezzle money, destroy data, fool investors,
- etc. The general public really didn't know of this problem until
- the IBM PC revolution brought it into the spotlight. Banks still
- hush up computerized embezzlements to this day because they
- believe customers will lose faith in them if word gets out.
-
- "Viruses are written by teenage hackers."
- Yes, hackers have unleashed viruses -- but so has a computer
- magazine publisher. And according to one trusted military publi-
- cation, the U.S. Defense Department creates computer viruses for
- use as weapons. Trojan horses for many decades sprang from the
- minds of middle-aged men; computer prices have only recently
- dropped to a level where teenagers could get into the act. We
- call people "wormers" when they abuse their knowledge of com-
- puters.
- You shouldn't fear hackers just because some of them know how
- to write viruses. This whole thing boils down to an ethics
- issue, not a technology issue. Hackers know a lot about com-
- puters; wormers abuse their knowledge. Hackers as a whole got a
- bum rap when the mass media corrupted the term.
-
- "Viruses infect 25% of all IBM PCs every month."
- If 25% suffer an infection every month, then 100% would have a
- virus every four months -- in other words, every IBM PC would
- suffer an infection three times per year. This mythical estimate
- surfaced in the media after researcher Peter Tippett wrote a com-
- plex thesis on how viruses might spread in the future.
- Computer viruses exist all over the planet, yes -- but they
- won't take over the world. Only about 500 different viruses
- exist at this time; many of them have never existed "in the wild"
- and some have since been completely eliminated "from the wild."
- You can easily reduce your exposure to viruses with a few simple
- precautions. Yes, it's still safe to turn on your computer!
-
- "Only 500 different viruses? But most experts talk about them in
- the thousands."
- The virus experts who claim much larger numbers usually work
- for antivirus companies. They count even the most insignificant
- variations for advertising purposes. When the Marijuana virus
- first appeared, for example, it contained the word "legalise,"
- but a miscreant later modified it to read "legalize." Any pro-
- gram which can detect the original virus can detect the version
- with one letter changed -- but antivirus companies count them as
- "two" viruses. These obscure differentiations quickly add up.
- And take note: the majority of "new" computer viruses dis-
- covered these days are only minor variations on well-known
- viruses.
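
The counting argument above, as an added example (not code from the authors or from any antivirus product): a small byte-signature scanner run over two constructed, inert buffers that differ only in the "legalise"/"legalize" letter. The sample bytes, file names and signature names are assumptions made for illustration.

```python
import hashlib


def parse_signature(text):
    """Turn 'B8 ?? 02' into [0xB8, None, 0x02]; None is a one-byte wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_signature(data, sig):
    """Return the offset of the first match of sig in data, or -1 if absent."""
    for off in range(len(data) - len(sig) + 1):
        if all(b is None or data[off + i] == b for i, b in enumerate(sig)):
            return off
    return -1


# Constructed stand-ins: inert placeholder bytes, not code from any real virus.
PLACEHOLDER_BODY = bytes(range(0x40, 0x60))


def make_sample(word):
    """Same placeholder body every time; only the embedded word differs."""
    return PLACEHOLDER_BODY + b"\x00" + word + b"\x00" + bytes(16)


SAMPLES = {
    "variant_s.bin": make_sample(b"legalise"),
    "variant_z.bin": make_sample(b"legalize"),
    "clean.bin": bytes(32) + b"an ordinary file with no match in it",
}

SIGNATURES = {
    # Eight bytes taken from the body both variants share.
    "body": parse_signature("48 49 4A 4B 4C 4D 4E 4F"),
    # The embedded word, with a wildcard over the one letter that changed.
    "word": parse_signature("6C 65 67 61 6C 69 ?? 65"),
}


def scan(samples, signatures):
    """Map each sample name to the sorted list of signature names it matches."""
    return {
        name: sorted(s for s, sig in signatures.items()
                     if find_signature(data, sig) >= 0)
        for name, data in samples.items()
    }


def count_by_hash(samples, report):
    """Distinct whole-file digests among flagged samples (every variant counts)."""
    return len({hashlib.sha256(samples[name]).hexdigest()
                for name, hits in report.items() if hits})


def count_by_signature(report):
    """Distinct signature sets among flagged samples (variants collapse)."""
    return len({tuple(hits) for hits in report.values() if hits})


if __name__ == "__main__":
    report = scan(SAMPLES, SIGNATURES)
    for name, hits in report.items():
        print(f"{name}: {', '.join(hits) if hits else 'no match'}")
    print("counted by file hash:", count_by_hash(SAMPLES, report))
    print("counted by signature:", count_by_signature(report))
```

Both variants are flagged by the same two signatures, so the scanner treats them as one detection, while a tally keyed on whole-file hashes reports two.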
-
- "A virus could destroy all the files on my disks."
- Yes, and a spilled cup of coffee could do the same thing. You
- can recover from any virus or coffee problem if you have adequate
- backups of your data. Backups mean the difference between a nui-
- sance and a disaster. You can safely presume there has been more
- accidental loss of data than loss by all viruses and Trojan
- horses.
-
- "Viruses have been documented on over 300,000 computers {1988}."
- "Viruses have been documented on over 400,000 computers {1989}."
- "The Michelangelo virus alone was estimated to be on over
- 5,000,000 computers {1992}."
- These numbers originated from John McAfee, a self-styled virus
- fighter who craves attention and media recognition. If we assume
- it took him a mere five minutes to adequately document each viral
- infection, it would have taken four man-years of effort to docu-
- ment a problem only two years old by 1989. We further assume
- McAfee's statements included every floppy disk ever infected up
- to that time by a virus, as well as every computer involved in
- the Christmas and InterNet worm attacks. (Worms cannot be
- included in virus infection statistics.)
- McAfee prefers to "estimate" his totals these days and was
- widely quoted during the Michelangelo virus hysteria in early
- 1992. Let's do some estimating ourselves by assuming about 80
- million IBM PC-compatible computers around the world. McAfee's
- estimate meant one out of every 16 of those computers not only
- had a virus of some type, it specifically had the Michelangelo
- virus. Many other virus experts considered it an astronomical
- estimate based on the empirical evidence.
-
- "Viruses can hide inside a data file."
- Data files can't wreak havoc on your computer -- only an execu-
- table program file can do that (including the one that runs every
- time you turn on or reboot a computer). If a virus infected a
- data file, it would be a wasted effort. But let's be realistic:
- what you think is "data" may actually be an executable program
- file. For example, a "batch file" on an IBM PC contains only
- text, yet DOS treats it just like an executable program.
-
- "Some viruses can completely hide themselves from all antivirus
- software, making them truly undetectable."
- This myth ironically surfaced when certain antivirus companies
- publicized how they could detect so-called "Mutation Engine"
- viruses. The myth gained national exposure in early 1993 when
- the Associated Press printed excerpts from a new book about
- viruses. Most viruses have a character-based "signature" which
- identifies the virus both to itself (so it doesn't infect a program
- too many times) and to antivirus software (which uses the
- signature to detect the virus). A Mutation Engine virus employs
- an algorithm signature rather than a character-based signature --
- but it still has a unique, readily identifiable signature.
- The technique of using algorithm signatures really doesn't
- make it any harder to detect a virus. You just have to do some
- calculations to know the correct signature -- no big deal for an
- antivirus program.
-
- "BBSs and shareware programs spread viruses."
- Here's another scary myth, this one spouted as gospel by many
- "experts" who claim to know how viruses spread. "The truth,"
- says PC Magazine publisher Bill Machrone, "is that all major
- viruses to date were transmitted by [retail] packages and private
- mail systems, often in universities." [PC Magazine, October 11,
- 1988.] What Machrone said back then still applies today. Over
- 50 retail companies have admitted spreading infected master disks
- to tens of thousands of customers since 1988 -- compared to only
- nine shareware authors who have spread viruses on master disks to
- fewer than 300 customers since 1990.
- Machrone goes on to say "bulletin boards and shareware authors
- work extraordinarily hard at policing themselves to keep viruses
- out." Reputable sysops check every file for Trojan horses;
- nationwide sysop networks help spread the word about dangerous
- files. Yes, you should beware of the software you get from BBSs
- and shareware authors, but you should also beware of retail soft-
- ware found on store shelves.
- By the way, many stores now routinely re-shrinkwrap returned
- software and put it on the shelf again. Do you know for sure
- only you ever touched those master disks?
-
- "My computer could be infected if I call an infected BBS."
- BBSs can't write information on your disks -- the communica-
- tions software you use performs this task. You can only transfer
- a dangerous file to your computer if you let your software do it.
- And there is no "300bps subcarrier" by which a virus can slip
- through a modem. A joker who called himself Mike RoChenle
- ("micro channel," get it?) started this myth after leaving a
- techy-joke message on a public network. Unfortunately, some
- highly respected journalists got taken in by the joke.
-
- "So-called `boot sector' viruses travel primarily in software
- downloaded from BBSs."
- This common myth -- touted as gospel even by "experts" --
- expounds on the supposed role bulletin boards play in spreading
- infections. Boot sector viruses spread only if you directly copy
- an infected floppy disk, or if you try to "boot" a computer from
- an infected disk, or if you use a floppy in an infected computer.
- BBSs deal exclusively with program files and don't pass along
- copies of boot sectors. Bulletin board users thus have a natural
- immunity to boot-sector viruses in downloaded software. (And
- since the clear majority of infections stem from boot sector
- viruses, this fact alone exonerates the BBS community as the so-
- called "primary" source for the spread of viruses.)
- We should make a special note about "dropper" programs
- developed by virus researchers as an easy way to transfer boot
- sector viruses among themselves. Since they don't replicate,
- "dropper" programs don't qualify as viruses. These programs have
- never appeared on BBSs to date and have no real use other than to
- transfer infected boot sectors.
-
- "My files are damaged, so it must have been a virus attack."
- It also could have happened because of a power flux, or static
- electricity, or a fingerprint on a floppy disk, or a bug in your
- software, or perhaps a simple error on your part. Power
- failures, spilled cups of coffee, and user errors have destroyed
- more data than all viruses combined.
-
- "Donald Burleson was convicted of releasing a virus."
- Newspapers all over the country hailed a 1989 Texas computer
- crime trial as a "virus" trial. The defendant, Donald Burleson,
- had released a destructive Trojan horse on his employer's main-
- frame computer. The software in question couldn't spread to
- other computers, and prosecuting attorney Davis McCown claimed he
- "never brought up the word virus" during Burleson's trial. So
- why did the media call it one?
- 1. David Kinney, an expert witness testifying for the defense,
- claimed Burleson had unleashed a virus. The prosecuting
- attorney didn't argue the point and we don't blame him --
- Kinney's claim may have actually swayed the jury to convict
- Burleson.
- 2. McCown gave reporters the facts behind the case and let them
- come up with their own definitions. The Associated Press
- and USA Today, among others, used such vague definitions
- that any program would have qualified as a virus. If we
- applied their definitions to the medical world, we could
- safely label penicillin as a biological virus (which is, of
- course, absurd).
-
- "Robert Morris Jr. released a benign virus on a defense network."
- It supposedly may have been benign, but it wasn't a virus.
- Morris, the son of a chief computer scientist at the U.S.
- National Security Agency, decided one day to take advantage of
- bugs in the software which controls InterNet, a network the
- Defense Department often uses. These tiny bugs let Morris send a
- worm throughout the network. Among other things, the "InterNet
- worm" sent copies of itself to other computers -- and clogged the
- entire network in a matter of hours due to bugs in the worm
- module itself. The press called it a "virus," like it called the
- 1987 "Christmas worm" a virus, because it spread to other com-
- puters. Yet Morris's work didn't infect any computers. A
- few notes:
- 1. Reporters finally started calling it a worm a year after the
- fact, but only because lawyers on both sides of the case
- constantly referred to it as a worm.
- 2. The worm operated only on Sun-3 & VAX computers which employ
- the UNIX operating system and which were specifically linked
- into InterNet at the time of the attack.
- 3. The 6,200 affected computers cannot be counted in virus
- infection statistics (they weren't infected).
- 4. It cost way less than $98 million to clean up the attack.
- An official Cornell University report claims John McAfee,
- the man behind this wild estimate, "was probably serving
- [him]self" in an effort to drum up business. People
- familiar with the case estimated the final figure at
- slightly under $1 million.
- 5. Yes, Morris could easily have added some infection code to
- make it both a worm and a virus if he'd had the urge.
- 6. InterNet gurus have since fixed the bugs Morris exploited in
- the attack.
- 7. Morris went on trial for launching the worm and received a
- federal conviction. The Supreme Court refused to hear his
- case, so the conviction stands.
-
- "The U.S. government planted a virus in Iraqi military computers
- during the Gulf War."
- U.S. News & World Report in early 1992 claimed the National
- Security Agency had replaced a computer chip in a printer bound
- for Iraq just before the Gulf War with a secret computer chip
- containing a virus. The magazine cited "two unidentified senior
- U.S. officials" as their source, saying "once the virus was in
- the [Iraqi computer] system, ...each time an Iraqi technician
- opened a `window' on his computer screen to access information,
- the contents of the screen simply vanished."
- Yet the USN&WR story shows amazing similarities to a 1991
- April Fool's joke published by InfoWorld magazine. Most computer
- experts dismiss the USN&WR story as a hoax -- an "urban legend"
- innocently created by the InfoWorld joke. Some notes:
- 1. USN&WR continues to stand by its story, but did publish a
- "clarification" stating "it could not be confirmed that the
- [virus] was ultimately successful." The editors broke with
- tradition by declining to print any letters readers had sub-
- mitted about it.
- 2. Ted Koppel, a well-known American news anchor, opened one of
- his "Nightline" broadcasts with a report on the alleged
- virus. Koppel's staff politely refers people to talk with
- USN&WR about the story's validity.
- 3. InfoWorld didn't label their story as fiction, but the last
- paragraph identified it as an April Fool's joke.
-
- "Viruses can spread to all sorts of computers."
- The design of all Trojan horses limits them to a family of
- computers, something especially true for viruses. A virus
- written for IBM PCs cannot infect an IBM 4300 series mainframe,
- nor can it infect a Commodore C64, nor can it infect an Apple
- Macintosh.
- But take note: some computers can now run software written for
- other types of computers. An Apple Macintosh, with the right
- products, can run IBM PC software, for example. If one type of
- computer can run software written for another type of computer,
- then it can also catch viruses written for the other type of com-
- puter.
-
- "My backups will be worthless if I back up a virus."
- No, they won't. Let's suppose a virus does get backed up with
- your files. You can restore important documents and databases
- and spreadsheets -- your valuable data -- without restoring an
- infected program. You just reinstall the programs from master
- disks. It's tedious work, but not as hard as some people claim.
-
- "Antivirus software will protect me from viruses."
- There is no such thing as a foolproof antivirus program.
- Viruses and other Trojan horses can be (and have been) designed
- to bypass them. Antivirus products also can be tricky to use at
- times and they occasionally have bugs. Always use a good set of
- backups as your first line of defense; rely on antivirus software
- only as a second line of defense.
-
- "Read-only files are safe from virus infections."
- This common myth among IBM PC users has appeared even in some
- computer magazines. Supposedly, you can protect yourself by
- using the ATTRIB command to set the read-only attribute on pro-
- gram files. Yet ATTRIB is software -- what it can do, a virus can
- undo. The ATTRIB command cannot halt the spread of most viruses.
-
- "Viruses can infect files on write-protected floppy disks."
- Another common IBM PC myth. If viruses can modify read-only
- files, people assume they can also modify files on write-pro-
- tected disks. However, the disk drive itself knows when a floppy
- has a write-protect tab and refuses to write to the disk. You
- can't override an IBM PC drive's write-protect sensor with a
- software command.
-
-
-
- We hope this dispels the many computer virus myths. Viruses DO
- exist, they ARE out there, they WANT to spread to other com-
- puters, and they CAN cause you problems. But you can defend
- yourself with a cool head and a good set of backups.
-
- The following guidelines can shield you from viruses and other
- Trojan horses. They will lower your chances of getting infected
- and raise your chances of recovering from an attack.
- 1. Implement a procedure to regularly back up your files and
- follow it religiously. We can't emphasize this enough!
- Consider purchasing a user-friendly program or a tape backup
- device to take the drudgery out of this task. You'll find
- plenty of inexpensive programs and tape backup hardware to
- choose from.
- 2. Rotate between at least two sets of backups for better
- security (use set #1, then set #2, then set #1...). The
- more sets you use, the better protection you have. Many
- people take a "master" backup of their entire hard disk,
- then take a number of "incremental" backups of files which
- have changed since the last time they backed up. Incre-
- mental backups might only require five minutes of your time
- each day.
- 3. Many IBM PC computers now have a "BIOS option" to ignore
- floppy drives during the bootup process. Consult your com-
- puter's documentation to see if you can set this option. It
- will greatly reduce your exposure to boot sector viruses
- (the most common type of computer virus).
- 4. Download files only from reputable BBSs where the sysop
- checks every program for Trojan horses. If you're still
- afraid, consider getting programs from a BBS or "disk
- vendor" company which obtains files direct from the authors.
- 5. Let a newly uploaded file "mature" on a BBS for one or two
- weeks before you download it (others will put it through
- its paces).
- 6. Consider using a program that searches ("scans") for known
- viruses. Almost all infections involve viruses known to
- antivirus companies. A recent version (no more than four
- months old) of any "scanning" program will in all proba-
- bility identify a virus before it can infect your computer.
- But remember: there is no perfect antivirus defense.
- 7. Consider using a program that creates a unique "signature"
- of all the programs on your computer. Run this software
- once in a while to see if any of your program files have been
- modified -- either by a virus or perhaps just by a stray
- gamma ray.
- 8. DON'T PANIC if your computer starts acting weird. You might
- have a virus, but then again you might not. Immediately
- turn off all power to your computer and disconnect it from
- any local area networks. Reboot from a write-protected copy
- of your master DOS disk. Don't run any programs on a "regu-
- lar" disk -- you might activate a Trojan horse. If you don't
- have adequate backups, try to bring them up-to-date. (Yes,
- you might back up a virus as well, but it can't hurt you if
- you don't use your normal programs.) Set your backups off
- to the side. Only then can you safely hunt for problems.
- 9. If you can't figure out the problem and you don't know what
- to do next, just turn off your computer and call for help.
- Consider calling a local computer group before you call for
- an expert. If you need a professional, consider a regular
- computer consultant first. (Some "virus removal experts"
- charge prices far beyond their actual value.)
-
- We'd appreciate it if you would mail us a copy of any Trojan
- horse or virus you discover. (Be careful you don't damage the
- data on your disks while trying to do this!) Include as much
- information as you can and put a label on the disk saying it con-
- tains a malicious program. Send it to Ross M. Greenberg, Soft-
- ware Concepts Design, Virus Acres, New Kingston, NY 12459.
- Thank you.
-
- Ross M. Greenberg writes both shareware and retail virus
- detection & removal programs. (Products aren't mentioned by
- name because this treatise isn't the place for advertise-
- ments.) He serves as a sysop for the Virus & Security Round-
- Table on GEnie and is also currently working on a number of
- other products having nothing to do with computer viruses.
-
- Rob Rosenberger serves as lead sysop for CompuServe's SHARE-
- WARE forum. He has researched computer virus myths & hoaxes
- since 1988. His research on the cause of the Michelangelo
- virus scare of 1992 has been reprinted in ISPNews (a computer
- security industry newsletter); and he has consulted on com-
- puter virus & data security books written by Janet
- Endrijonas, Pamela Kane, and Richard B. Levin.
-
- These men communicated entirely by modem while writing this
- treatise.
-
- (c) 1988,93 Rob Rosenberger & Ross M. Greenberg
-
-
- Rosenberger can be reached electronically on CompuServe as
- [74017,1344], on GEnie as R.ROSENBERGE, on InterNet as
- `74017.1344@compuserve.com', and on various national BBS linkups.
- Greenberg can be reached electronically on MCImail and BIX and
- GEnie as `greenber', on InterNet as `greenber@ramnet.com', and on
- CompuServe as [72461,3212].
-
- You may give copies of this treatise to anyone if you pass it
- along unmodified and in its entirety. We especially encourage
- antivirus vendors and book authors to bundle it with their pro-
- ducts as a public service.
-
- Printed publications may reprint this treatise in whole or in
- part, at no charge, if they give due credit to the authors. For-
- profit publications must submit two copies to: Rob Rosenberger,
- P.O. Box 1115, O'Fallon, IL 62269. Book publications need only
- submit one copy. Non-profit publications do not have to submit
- any copies.