Virus and Anti-Virus
Author: Stephen Cobb
Status: An earlier version of this article first appeared in Information Security Magazine in 1998.
Of the many threats to the security of our information systems, viruses must surely be the most annoying. It would have been foolish to expect computers to be immune to natural disasters such as earthquakes and tornadoes. And our efforts to protect information systems are bound to encounter such manifestations of human imperfection as data theft. But unauthorized programs that invade and reproduce by infecting legitimate programs and using them as hosts? This is one headache we could have done without. Of course, these days there is no shortage of vendors offering to provide a cure to the virus problem, but the mere existence of viruses is understandably vexing to those charged with system security, who have plenty of other things to worry about, from hackers on the outside forcing their way in, to disgruntled insiders turning into system saboteurs. In this article we will try to put the virus problem into perspective and look at how our responses to this most annoying of problems have evolved.
The Evolution of Viruses
Before we review the evolution of viruses, and the attendant anti-virus industry, we need to make it clear that "annoying" is really not adequate to describe the impact of viruses. They are directly responsible for hundreds of millions of dollars per year in data damage and lost productivity (based on numerous studies by ICSA, as well as Ernst&Young/Information Week, whose 1997 study cited the not unusual case of National City Corp., a Cleveland bank, where the cost of one particular virus outbreak was estimated to be $400,000). The high cost of virus-related losses is somewhat ironic because many viruses were not designed to cause harm, and those that contain seriously malicious code seldom work as planned. The reason for this is that no programmer can predict the effect his or her software is going to have on every computer system there is. This is true whether you work with a five-year-old PC and a pirated copy of DOS or a multi-million dollar commercial application development budget. However, because viruses are designed to subvert legitimate program operation and spread across a large number of systems, they are more likely than legitimate software to cause unexpected problems, ranging from system crashes to file system corruption and large-scale data loss.
In fact, when ICSA looked into this aspect of virus incidents it found that most of the financial impact of viruses was in the cleanup cost. Any virus outbreak within an organization must be dealt with immediately, and thoroughly, and this can be very time-consuming (if you don't act swiftly, you risk the embarrassment of infecting customers, colleagues, or suppliers; if you are not thorough, you risk re-infection). ICSA's 1997 study indicated that 99 percent of all medium and large organizations in North America had experienced at least one computer virus infection and 33 percent of all sites had experienced a costly computer virus incident.
Then and Now
Of course, it all began innocently enough. People were intrigued by the notion of self-replicating code. Science fiction authors and real scientists as eminent as Professor Stephen Hawking have been fascinated by the possibilities, both good and evil. Viruses have even found starring roles in Hollywood (such as the 1997 blockbuster, Independence Day). The first viruses found "in the wild" were Apple II viruses, such as Elk Cloner, which was reported in 1981. We refer to viruses being in the wild when they are actually known to be infecting production systems (there are fewer than 300 viruses currently in the wild). This is substantially different from being "in the zoo," which is how we describe the more than 16,000 viruses that are currently confined to a research environment (for definitions of the peculiar language of the anti-virus world see: Malicious Code Words).
The term "computer virus" was formally defined by Fred Cohen in 1983, while he performed academic experiments on a Digital Equipment Corporation VAX minicomputer system. However, viruses are almost entirely a personal computer phenomenon, their continued evolution paralleling that of the PC. Over the last decade and a half, viruses have increased in complexity, expanded their channels of distribution, and responded to anti-virus measures.
Early PCs were mainly diskette-based and floppy diskettes were the primary means of virus distribution. The first IBM-PC virus appeared in 1986. Brain was a boot sector virus, infecting the first part of the disk that the operating system reads, then infecting successive diskettes used by an infected system. In 1987 another boot sector virus, Alameda (Yale), appeared, plus file infecting viruses, Cascade, Jerusalem, Lehigh, and Miami (South African Friday the 13th), which subvert COM and/or EXE files. Cascade broke new ground by using encryption to evade detection. Three years later, the 1260 virus used variable encryption to make detection even harder. So-called stealth viruses, which use a variety of techniques to avoid detection, appeared the same year. Examples include Zero Bug, Dark Avenger and Frodo (4096 or 4K). They were followed, the next year, by self-modifying viruses, such as Whale.
When people started networking PCs in local area networks, LANs became a means of spreading virus infection. In 1991, a network-specific virus appeared (GP1 attempts to steal Novell NetWare passwords). The popularity of CD-ROM drives in the mid-nineties enabled companies to conduct huge software distribution campaigns that in turn contributed to the rapid growth of a new virus strain, the macro virus, the appearance of which coincided with the massive Windows 95 beta and rollout programs. Macro viruses, which mainly affect users of Microsoft Word, take advantage of an unhappy coincidence: Microsoft's domination of the application software market, providing a huge number of potential victims who share documents in a common format; and Microsoft's decision to allow powerful programming instructions to be embedded within documents (as opposed to being stored in separate files, as in Corel WordPerfect or Lotus WordPro, for example).
More recently, the large-scale connection of PCs to a global public access data network has turned the Internet into an enormous virus distribution mechanism. The ability of macro viruses to spread through document files, shared on network servers and distributed as email attachments, has made them the most "successful" of all viruses, although old "favorites," such as the Form boot sector virus, continue to share the top ten (see Table 1: VB Virus Prevalence Table).
The Internet has also enabled the resurgence of the Trojan Horse, a type of malicious code that pre-dates viruses. A Trojan Horse program is one that is designed to present itself as a legitimate executable, yet contains malicious code within itself. For example, a program that presents itself as a screen-saver might actually act as a password-sniffer. Applications that unwittingly host a virus are not, strictly speaking, Trojan Horses, but malicious code definitions get even more blurred when we discuss developments made possible by the World Wide Web: malicious applets. These are programs sent from servers (web sites) to clients (web browsers). Scanning for applets that are up to no good has been added to the growing list of chores performed by anti-virus software.
AV: The Defensive Response
Parallel with the evolution of viruses has been the emergence of a multi-billion dollar anti-virus, or AV, industry. Early AV programs were often freeware, notably on the Apple platforms, whose users arguably enjoyed a greater sense of community, leading to community-based efforts to deal with the virus problem. However, it soon became clear that the AV software effort was not a fix-and-forget proposition. The determination of virus writers to create code that avoids detection meant that efforts to protect against infection have to be well-financed and ongoing. Also, it soon became clear that detection was not enough. Users needed a prompt response to virus incidents and effective methods of disinfection. The result: commercial AV software, financed largely by corporate license fees, plus in-house AV policies, procedures, and staff, at just about every organization that uses a lot of personal computers.
Efforts to beat viruses have followed several different paths. These are variously referred to as prevention, detection, identification, and disinfection. To simplify considerably, the prevention approach starts with a detailed picture of the system in a healthy state and blocks unauthorized attempts to alter that picture. This is very much easier said than done, because computers were designed to run programs and viruses are, after all, programs. Furthermore, within the system architecture of personal computers there are no security models to restrain the execution of programs.
During the course of normal PC operation many legitimate applications alter a lot of files, so a prevention-based anti-virus strategy has to distinguish between legitimate and illegitimate attempts to alter files. One form of this approach is referred to as checksum or change detection technique. As described by NIST's 1994 publication, Threat Assessment of Malicious Code and Human Threats: "A checksum method would use a CRC (Cyclical Redundancy Check) and a method for storing the information such as a database. Because viruses must change files or boot records in order to infect them, an anti-virus program using a checksum method has a point of reference to detect when changes have occurred."
It is generally agreed that this method offers advantages when dealing with unknown viruses, but is prone to false alarms, for instance, when applications are being upgraded (which seems to be all the time these days). A variation on this approach, sometimes referred to as vulnerability or activity monitoring, monitors the system calls that viruses use to achieve their goal of infection and blocks the required interrupts. But again, it is very difficult to distinguish between legitimate and illegitimate use of these functions.
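The checksum (change detection) approach described in the NIST passage above, as an added example that is not the article's or NIST's code. It records a CRC32 baseline of a set of constructed program files, reports any file that has changed, appeared or vanished, and then shows the false-alarm problem: a file that grew because of an approved upgrade looks exactly like a file that grew because something appended itself, so the operator has to re-baseline after legitimate changes. The file names, contents and the `simulate_modification` helper are all constructed for the demonstration.

```python
"""Checksum ("change detection") integrity checker.

Added example, not the article's or NIST's code.  The file names and contents
below are constructed; a real tool would walk the disk and keep the baseline
somewhere a virus cannot alter it (e.g. a write-protected diskette).
"""
import zlib
from typing import Dict, List, Tuple

# Constructed sample program files: name -> content bytes.
SAMPLE_FILES: Dict[str, bytes] = {
    "EDIT.COM": b"\xb8\x00\x4c\xcd\x21" * 10,
    "GAME.EXE": b"MZ" + bytes(range(64)),
    "NOTES.TXT": b"plain text, not executable",
}

Baseline = Dict[str, Tuple[int, int]]  # name -> (CRC32, size)


def build_baseline(files: Dict[str, bytes]) -> Baseline:
    """Snapshot of the 'healthy state': CRC32 and size of every file.

    CRC32 is what the NIST passage describes; it catches ordinary changes but
    is not collision-resistant, so a high-assurance tool would use a
    cryptographic hash (e.g. hashlib.sha256) instead."""
    return {name: (zlib.crc32(data) & 0xFFFFFFFF, len(data))
            for name, data in files.items()}


def verify(files: Dict[str, bytes], baseline: Baseline) -> List[str]:
    """Compare the current files with the baseline and report every deviation."""
    alerts: List[str] = []
    for name, (crc, size) in baseline.items():
        if name not in files:
            alerts.append(f"MISSING {name}")
            continue
        data = files[name]
        cur_crc = zlib.crc32(data) & 0xFFFFFFFF
        if cur_crc != crc or len(data) != size:
            alerts.append(f"CHANGED {name}: size {size}->{len(data)}, "
                          f"crc {crc:08x}->{cur_crc:08x}")
    for name in files:
        if name not in baseline:
            alerts.append(f"NEW {name}")
    return alerts


def simulate_modification(files: Dict[str, bytes]) -> Dict[str, bytes]:
    """Return a copy in which GAME.EXE has grown by 8 bytes (constructed).

    The checker cannot tell whether this growth comes from a file infector
    appending itself or from a legitimate upgrade: that is the false-alarm
    problem the text describes, and why the baseline must be refreshed after
    approved updates."""
    modified = dict(files)
    modified["GAME.EXE"] = files["GAME.EXE"] + b"\x90" * 8
    return modified


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_FILES)
    print("clean system:", verify(SAMPLE_FILES, baseline) or "no changes")
    changed = simulate_modification(SAMPLE_FILES)
    print("after modification:", verify(changed, baseline))
    # After an approved upgrade the operator re-baselines to clear the alert.
    print("re-baselined:", verify(changed, build_baseline(changed)) or "no changes")
```

The baseline itself is the weak point of this design: if it is stored on the same writable disk as the programs, a virus could in principle update it along with the files it infects, which is why the NIST description separates the checksum from where the checksums are stored.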
To over-simplify the detection and identification approaches, they work like this: look for viruses and let the user know when one is located, hence the term: scanners. The most widely used commercial AV products scan systems for viruses based on a vast amount of accumulated knowledge about viral code. Scanners search for "signature strings" or use algorithmic detection methods to identify known viruses on the user's system. This means that AV companies must try to obtain copies of new viruses as soon as they are reported, analyze them, and then determine a detection method. After this, the database used by the scanning engine can be updated (many organizations purchase AV updates on monthly subscription plans).
Obviously, viruses that are not yet recorded in the scanner's database can avoid detection. So, instead of simply using signatures, some AV products use a heuristic scanning method, which analyzes an executable file for functionality that is typical of viruses. If a scanned file contains virus-like code, it may be flagged as infected. The problem here is that you tend to get a lot of false alarms and considerable expertise is required to deal with them.
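The two scanning methods described in the last two paragraphs, signature matching and heuristic analysis, as an added example that is not any vendor's engine. The signature database, the heuristic indicator list and the four sample files are constructed for the demonstration. The heuristic counts distinct DOS INT 21h file-service calls (open, write, set attributes, find first, find next) present in a program, because a file infector has to find, open and write other programs; a legitimate copy utility does the same kind of work, which is exactly why the example's `COPYUTIL.EXE` is flagged as suspicious and an analyst is needed to clear it.

```python
"""Signature scanning beside heuristic scanning.

Added example illustrating the two approaches described in the text; it is
not any vendor's engine.  The signature database, the heuristic indicator
list and the sample files are all constructed for the demonstration.
"""
from typing import Dict, Optional

# Constructed signature database: virus name -> byte string a researcher
# would have extracted from an analysed sample.  Real databases hold tens of
# thousands of entries, use wildcards, and are updated continuously.
SIGNATURES: Dict[str, bytes] = {
    "Demo.A": b"\xde\xad\xbe\xef\x13\x37",
    "Demo.B": b"\x00DEMO-B\x00",
}

# Heuristic indicators: DOS INT 21h file-service calls (mov ah,NN / int 21h)
# that a file infector needs in order to find, open and write other programs.
# A legitimate file utility needs the same calls, which is where the false
# alarms the text mentions come from.
FILE_API_CALLS: Dict[str, bytes] = {
    "open file (AH=3Dh)": b"\xb4\x3d\xcd\x21",
    "write file (AH=40h)": b"\xb4\x40\xcd\x21",
    "set attributes (AH=43h)": b"\xb4\x43\xcd\x21",
    "find first (AH=4Eh)": b"\xb4\x4e\xcd\x21",
    "find next (AH=4Fh)": b"\xb4\x4f\xcd\x21",
}
HEURISTIC_THRESHOLD = 3  # constructed cut-off for this demonstration


def signature_scan(data: bytes) -> Optional[str]:
    """Return the name of the first known virus whose signature occurs in data."""
    for name, sig in SIGNATURES.items():
        if sig in data:
            return name
    return None


def heuristic_score(data: bytes) -> int:
    """Count how many distinct virus-like file operations the code contains."""
    return sum(1 for pattern in FILE_API_CALLS.values() if pattern in data)


def scan(data: bytes) -> str:
    """Signature match first (exact identification), heuristics second."""
    known = signature_scan(data)
    if known is not None:
        return f"INFECTED ({known}, known virus; disinfection routine available)"
    score = heuristic_score(data)
    if score >= HEURISTIC_THRESHOLD:
        return f"SUSPICIOUS (heuristic score {score}; needs analyst review)"
    return "clean"


# Constructed sample files.
SAMPLES: Dict[str, bytes] = {
    # Carries the Demo.A signature: caught by the signature scanner.
    "KNOWN.COM": b"\xe9\x10\x00" + SIGNATURES["Demo.A"] + b"\xcd\x20",
    # No known signature, but finds, opens and writes other files: only the
    # heuristic scanner can raise it.
    "UNKNOWN.COM": (FILE_API_CALLS["find first (AH=4Eh)"]
                    + FILE_API_CALLS["open file (AH=3Dh)"]
                    + FILE_API_CALLS["write file (AH=40h)"]
                    + FILE_API_CALLS["find next (AH=4Fh)"]
                    + b"\xcd\x20"),
    # A legitimate copy utility does the same kind of file work: false alarm.
    "COPYUTIL.EXE": (b"MZ" + FILE_API_CALLS["open file (AH=3Dh)"]
                     + FILE_API_CALLS["write file (AH=40h)"]
                     + FILE_API_CALLS["set attributes (AH=43h)"]),
    # Prints a string and exits.
    "HELLO.COM": b"\xb4\x09\xcd\x21\xcd\x20Hello$",
}


def scan_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Verdict for every sample, keyed by file name."""
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:14} {verdict}")
```

Note the ordering inside `scan`: a signature hit gives an exact identification, which is what makes targeted disinfection possible, while a heuristic hit only says "looks virus-like" and therefore has to be routed to someone who can analyse the file.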
A Layered Approach
Given the benefits and drawbacks of the various approaches to protecting systems against virus infection, many AV products combine several technologies (see Product/service section for more details on specific products). For example, heuristic scanning can be combined with signature scanning, augmented with some basic integrity checking. Another approach taken by the people who buy AV software to defend their company's systems is to layer two different products, which can improve detection rates, possibly using one product on servers and another on desktop systems (substantial management issues can result, but you definitely need to be scanning on both desktops and servers, whether you use the same product or different ones). Some high security systems may also warrant a dedicated integrity-checking program as well, to defeat unauthorized users as well as viruses.
In the overall battle against viruses, many organizations use a layered approach, with AV software providing just one or two of the many layers. The first layer is a high-level policy, which declares the organization's stance on viruses (typically this states that virus infections are to be avoided because they have a negative impact on profits and productivity, and that distribution of infected files by the company, or its employees, intentional or otherwise, is not acceptable).
From this flow more detailed policies, such as "all files entering or leaving the organization shall be scanned for viruses." This is followed by specific procedures, such as "All desktop computers will run the latest version of approved AV software, configured to operate in background mode, and in such a way as to always scan the hard drive on system startup."
Note that there are some pretty major implications to a statement such as "all files entering or leaving the organization shall be scanned for viruses." There have to be procedures in place to scan all notebook computers, including those of visiting dignitaries, consultants, and service engineers. All disks and backup tapes must be scanned (and labeled and tracked if you are really serious about this). You must scan also all files flowing through the organization's remote access, Internet, and email gateways (another good reason why there should be as few of these gateways as possible).
In this layered approach, simple things can make a big difference, like configuring all systems to ignore the floppy drive when booting, now an option in the BIOS of any reputable PC. But educating users about viruses is probably the most effective use of the AV budget, followed by a well-negotiated contract with a reputable AV vendor whose product fits your needs, covering the platforms you use, providing the type of reporting that fits your problem management structure (centralized reporting of virus alerts and a well-rehearsed, coordinated response can make all the difference between a virus incident and a virus disaster).
Virtual Viruses
One major reason for good end-user anti-virus education, and for coordinated virus incident handling, is the growing problem of virtual viruses, otherwise known as virus hoaxes, and their close cousins, email chain letters. If unchecked, one of these can waste just as much time as an actual virus infection. A virtual virus outbreak is usually triggered by an employee receiving an email message containing dire warnings about a particularly powerful new virus, and urging the recipient to spread the word about this problem to co-workers and friends. Unless the employee is savvy about such matters, or has been made aware of company guidelines for reporting such messages, there is a good chance the message will, with the best of intentions, be forwarded. If this continues unchecked, the company help desk will eventually be inundated with inquiries from concerned users. Some of the most widespread hoaxes contain warnings that reading email can infect or damage your computer. This illustrates the problematic nature of this phenomenon. While it is practically impossible to execute malicious actions with a plain ASCII email message, file attachments to email can certainly perform malicious actions when opened or executed, and it is entirely conceivable that active email content could cause problems. Explaining such subtleties to today's vast end-user populations is not easy. The best that most organizations can hope for is a high rate of compliance with a policy that prohibits the circulation of virus warnings by anyone other than authorized support staff.
All of which highlights the most serious security implication of viruses, the inherent insecurity of personal computers. Not only do personal computers lack the necessary system architecture to defend against viruses, they are operated, in most cases, by people who lack the necessary knowledge to manage and maintain an entire computer system. While most of the personal computers on corporate desktops today are networked, all of them are also, by definition, self-contained systems, which require a competent and properly trained system operator. Otherwise they can quickly become powerful platforms from which to mount attacks on the confidentiality, integrity, and availability, of the organization's information systems.
Conclusions
There is one ray of hope in the anti-virus war. Based on medical experience with human virus infections, it is possible to say that, when the number of computer users taking adequate anti-virus precautions reaches critical mass, virus infections will start to decline. Until that happens, there is one painful, but valuable conclusion we can draw from the current situation: waiting for someone else to solve the problem is not a valid strategy. It doesn't matter how much research the AV vendors do, or how much AV product they sell: if organizations that use computers don't use AV products, and if they don't enforce AV policy, they, and the rest of us, will continue to be plagued with viruses.
Malicious Code Words
- Disinfect: removing a virus from an infected file.
- Goat: infected host program used to test an anti-virus program.
- Host: a file infected with a virus.
- Infect: when a virus adds itself to another program so that the infected program, when executed, adds the virus to yet more programs.
- In the wild: viruses that are actively infecting real world computers, based on monthly reports from a worldwide network of virus experts.
- In the zoo: viruses that are not active and currently exist only in virus research collections.
- Logic bomb: dormant code inserted within a larger program, activation of which causes harm to the system (as in the recent $10 million Omega case).
- Malicious applet: code transferred from a web server to a web client where its execution causes nuisance or harm.
- Payload: an action, such as erasing files, that a virus program attempts to carry out.
- Trigger: a specific computer event, such as the system date changing or a reboot, that is tracked by a virus with a payload and used to activate the payload.
- Trojan Horse: a program designed to appear legitimate in order to enter a system and execute its own agenda.
- Worm: a program which copies itself many times over, taking up space and other resources, without permission.
Anti-virus resources
The most important weapon in the fight against viruses is reliable and up-to-date information. The Internet has the potential to be an extremely efficient channel for distribution of such information and it has to be said that anti-virus vendors provide a wealth of useful and freely-accessible information at their web sites (see Vendor Listing for URLs). Much of this data is entirely free of sales-bias, but be wary when they veer toward the "our product is the only way to defend against X" syndrome. Fortunately there are some independent channels, such as the ICSA Labs web site, the Computer Virus Myths site, and the Virus Bulletin site. Check these for independent assessment of both anti-virus products and anti-virus vendors.
ICSA Labs web site: www.icsa.com
Virus Bulletin: The International Publication on Computer Virus Prevention, Recognition, and Removal. Monthly publication. Web site: www.virusbtn.com
VMyths & Hoaxes: Web site: vmths.com
There are several helpful publications. Threat Assessment of Malicious Code and Human Threats, by Lawrence E. Bassham and W. Timothy Polk, National Institute of Standards and Technology, Computer Security Division, 1994, is available online at: csrc.ncsl.nist.gov/nistir/threats
One of the best ever books about viruses is Virus Bulletin's Survivor's Guide to Computer Viruses, Ed. Victoria Lammer, 1993 (copies may still be available from ICSA). It does not cover macro viruses, but it is still a good background work. And we have to say that Cobb's Guide to PC & LAN Security has a very good chapter on viruses, including the first macro viruses.
The 3 Main Virus Types and How to Beat Them
1. Boot sector: These viruses hide in the very first part of a computer disk, so that they infect the computer as soon as it reads the disk. Then they infect all the floppy diskettes that are placed in that computer, which is how they spread. Fortunately, it is relatively easy to beat this type of virus if you stick with two basic rules: never turn on the computer with a floppy disk in drive A, and scan all floppy disks whenever they are inserted into the drive.
2. File viruses: These viruses hide in ordinary program files, which then become infected “hosts.” When you execute or run a host file the virus is loaded into memory, ready to infect other programs.
To beat this type of virus we again have two basic rules: set your anti-virus software to always scan all program files on your computer whenever you turn it on, and use the memory resident feature of your scanner to detect any viruses that get loaded into memory while you are working.
3. Macro viruses: A relatively new type of virus, macro viruses affect programs that use macros, such as Microsoft Word and Microsoft Excel, by altering the template file that controls new documents. Basically, the macro virus makes itself part of the normal template and thus it becomes part of each new document.
You beat the macro virus by being suspicious of any Word or Excel document that you open, whether it comes from a colleague, your boss, a client, or the Internet. Scanning software can spot documents that have these viruses, but you have to make sure your scanner scans ALL documents, even ones that are in compressed, or ZIP, files.
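The "scan ALL documents, even ones inside ZIP files" rule above, as an added example that is not any product's code. It builds, in memory, a constructed email attachment (a ZIP containing a README and a second ZIP of documents, one of which carries a constructed marker standing in for a macro virus signature) and scans it recursively. It also handles the edge case a gateway scanner has to decide on: an archive nested so deeply that the scanner gives up, which must be reported rather than passed as clean. The `DEMO-MACRO-VIRUS` marker, the document bytes and the nesting limit are all constructed for the demonstration.

```python
"""Scanning documents inside ZIP archives, including nested ones.

Added example for the rule above; not any product's code.  The "macro virus"
marker is a constructed placeholder, not a real signature, and the archives
are built in memory so the script runs offline.
"""
import io
import zipfile
from typing import Dict, List

MACRO_SIGNATURE = b"DEMO-MACRO-VIRUS"  # constructed marker for the demo
MAX_DEPTH = 4  # archives nested deeper than this are not unpacked


def scan_bytes(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Return findings for one file, descending into archives recursively."""
    findings: List[str] = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            # A scanner that stops here must say so rather than report "clean";
            # the policy decision (block or quarantine) belongs to the gateway.
            findings.append(f"{name}: archive nested too deeply, NOT scanned")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = zf.read(info.filename)
                    findings.extend(
                        scan_bytes(f"{name}/{info.filename}", member, depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{name}: damaged archive, could not be unpacked")
        return findings
    if MACRO_SIGNATURE in data:
        findings.append(f"{name}: infected document (signature match)")
    return findings


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build a ZIP archive in memory from name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed email attachment: a ZIP holding a README and another ZIP
    of 'documents', one of which carries the marker."""
    docs = make_zip({
        "MEMO.DOC": b"\xd0\xcf\x11\xe0 clean document body",
        "REPORT.DOC": b"\xd0\xcf\x11\xe0 AutoOpen " + MACRO_SIGNATURE,
    })
    return make_zip({"README.TXT": b"see attached docs", "docs.zip": docs})


def build_deep_archive(levels: int) -> bytes:
    """Wrap a marked document in `levels` nested ZIPs (constructed)."""
    data = b"\xd0\xcf\x11\xe0 " + MACRO_SIGNATURE
    name = "DOC.DOC"
    for i in range(levels):
        data = make_zip({name: data})
        name = f"level{i}.zip"
    return data


if __name__ == "__main__":
    for line in scan_bytes("ATTACHMENT.ZIP", build_sample_attachment()):
        print(line)
    for line in scan_bytes("DEEP.ZIP", build_deep_archive(6)):
        print(line)
```

The finding carries the full path inside the archive (`ATTACHMENT.ZIP/docs.zip/REPORT.DOC`), which is what the help desk needs when it tells a user which file to delete rather than just "your attachment was infected".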
10 Anti-Virus Rules (7 for Everyone, 3 for Managers)
1. Everyone: Keep floppy diskettes out of drives at all times, unless you have immediate need to access files.
2. Everyone: Scan all floppy diskettes whenever they are placed in drives. Do the same with any other writable media, such as cartridge drives.
3. Everyone: Scan every file before running, loading, executing, or opening. Never assume someone else has scanned a file or that the file has not been changed since the last time it was scanned.
4. Everyone: Refuse to use unauthorized software, media, or systems.
5. Everyone: Treat all incoming files, disks, tapes, drives, and systems with suspicion.
6. Everyone: Treat all messages warning of new viruses or other malicious code with suspicion, and verify with the appropriate department (it could be a hoax).
7. Everyone: Report all virus incidents to the appropriate department.
8. Managers: Make sure there is an appropriate department to handle virus reports, answer virus-related questions, investigate virus incidents, and verify virus warnings.
9. Managers: Make sure everyone has anti-virus software, knows how to use it, and knows they must use it.
10. Managers: Abide by ALL the rules!
Table 1: VB Prevalence Table, December 1997
(Courtesy of VB and Joe Wells)

| Virus Name | Type | # of incidents | Percentage |
| --- | --- | --- | --- |
| Cap | Macro | 93 | 20.8% |
| Concept | Macro | 27 | 6.0% |
| Parity_Boot | Boot | 22 | 4.9% |
| Wazzu | Macro | 21 | 4.7% |
| AntiEXE | Boot | 20 | 4.5% |
| Form | Boot | 19 | 4.3% |
| Laroux | Macro | 19 | 4.3% |
| Npad | Macro | 18 | 4.0% |
| Empire_Monkey | Boot | 15 | 3.4% |
| Ripper | Boot | 15 | 3.4% |

Thanks, as always, to Joe Wells, for his amazing and often unacknowledged work in tracking the virus threat so tirelessly and professionally for so many years.