An Abbreviated Bibliography for Computer Viruses and Related Security Issues

NIST
The National Institute of Standards and Technology

ABSTRACT

This document provides a list of suggested readings about computer viruses and other related threats to computer security. The primary intended audience is management and those who need access to the basic facts; however, readings are included that are also suitable for technically-oriented individuals who wish to learn more about the nature of computer viruses and techniques that can be used to reduce their potential threat. The suggested readings range from general discussions on the nature of viruses and related threats, to technical articles which explore the details of various viruses, the mechanisms they attack, and methods for controlling these threats to computer security. Other articles are included that deal with more general aspects of computer security, but which have some bearing on the problem.

The National Institute of Standards and Technology

The National Institute of Standards and Technology (NIST) has responsibility within the Federal Government for computer science and technology activities. The programs of the NIST National Computer Systems Laboratory (NCSL) are designed to provide ADP standards, guidelines, and technical advisory services to improve the effectiveness of computer utilization and security, and to perform appropriate research and development efforts as foundation for such activities and programs.

Copies of this paper as well as other publications may be obtained from the following address:

National Institute of Standards and Technology
Computer Security Management and Evaluation Group
Computer Security Division
A216, Technology
Gaithersburg, MD 20899

BASIC TERMS

The following list provides general definitions for basic terms used throughout the literature.
Some of the terms are relatively new and their definitions are not widely agreed upon, thus they may be used differently elsewhere.

Computer Virus: A name for software written to cause some form(s) of damage to a computing system. Computer viruses copy their instructions to other programs; the other programs may continue to copy the instructions to more programs. Depending on the author's motives, the instructions may cause many different forms of damage, such as deleting files or crashing the system. Computer viruses are so named because of their functional similarity to biological viruses, in that they can spread rapidly throughout a host system. The term is sometimes used in a general sense to cover many different types of harmful software, such as Trojan horses or network worms.
Network Worm: A name for a program or command file that uses a computer network as a means for causing damage to computing systems. From one system, a network worm may attack a second system by first establishing a network connection with the second system. The worm may then spread to other systems in the same manner. A network worm is similar to a computer virus in that its instructions can cause many different forms of damage. However, a worm is a self-contained program that spreads to other systems, whereas a virus spreads to programs within the same system (a worm could do that as well).
Malicious Software: A general term for computer viruses, network worms, Trojan horses, and other software designed to deliberately circumvent established security mechanisms or codes of ethical conduct or both, to adversely affect the confidentiality, integrity, or availability of computer systems and networks.
Unauthorized User(s): A user who knowingly uses a system in a non-legitimate manner. The user may or may not be an authorized user of the system. The actions of the user violate established security mechanisms or policies, or codes of ethical conduct, or both.
Trojan Horse: A name for a program that disguises its harmful intent by purporting to accomplish some harmless and possibly useful function. For example, a Trojan horse program could be advertised as a calculator, but it may actually perform some other function when executed such as modifying files.
Back Door: An entry point to a program or system that is hidden or disguised, perhaps created by the software's author for maintenance or other convenience reasons. For example, an operating system's password mechanism may contain a back door such that a certain sequence of control characters may permit access to the system manager account. Once a back door becomes known, it can be used by unauthorized users or malicious software to gain entry and cause damage.
Time Bomb, Logic Bomb: Mechanisms used by some examples of malicious software to cause damage after a predetermined event. In the case of a time bomb, the event is a certain system date, whereas for a logic bomb, the event may vary. For example, a computer virus may infect other programs, yet cause no other immediate damage. If the virus contains a time bomb mechanism, the infected programs would routinely check the system date or time and compare it with a preset value. When the actual date or time matches the preset value, the destructive aspects of the virus code would be executed. If the virus contains a logic bomb, the triggering event may be a certain sequence of key strokes, or the value of a counter.
Anti-Virus Software: Software designed to detect the occurrence of a virus. Sold as commercial products and as shareware, anti-virus programs can scan software for known viruses or monitor a system's behavior and raise alarms when activity occurs that is typical of certain types of computer viruses.
Isolated System: A system that has been specially configured for determining whether applicable programs contain viruses or other types of malicious software. The system is generally disconnected from any computer networks or linked systems, and contains test data or data that can be restored if damaged. The system may use anti-virus or other monitoring software to detect the presence of malicious software.
Computer Security: The technological safeguards and management procedures that can be applied to computer hardware, programs, data, and facilities to assure the availability, integrity, and confidentiality of computer based resources and to assure that intended functions are performed without harmful side effects.

SUGGESTED READINGS

Adler, Marc, "Infection Protection: Antivirus Software," PC Magazine, April 25, 1989.
Arkin, Stanley et al., "Prevention and Prosecution of High-Tech Crime," Matthew Bender Press Co., 1989.
Brenner, Aaron, "LAN Security," LAN Magazine, August 1989.
Bunzel, Rick, "Flu Season," Connect, Summer 1988.
Cohen, Fred, "Computer Viruses," Proceedings of the 7th DoD/NBS Computer Security Conference, 1984.
Computer Viruses - Proceedings of an Invitational Symposium, Oct 10/11, 1988, Deloitte, Haskins, and Sells, 1989.
Denning, Peter J., "Computer Viruses," American Scientist, Volume 76, May-June 1988.
Denning, Peter J., "The Internet Worm," American Scientist, Volume 77, March-April 1989.
Dewdney, A. K., "Of Worms, Viruses and Core Wars," Scientific American, March 1989.
Dvorak, John, "Virus Wars: A Serious Warning," PC Magazine, Feb 29, 1988.
Federal Information Processing Standards Publication 112, Password Usage, National Bureau of Standards, May 1985.
Fiedler, David and Hunter, Bruce M., "Unix System Administration," Hayden Books, 1987.
Fites, P.F., M.P.J. Kratz, and A.F. Brebner, "Control and Security of Computer Information Systems," Computer Science Press, 1989.
Fitzgerald, Jerry, "Business Data Communications: Basic Concepts, Security, and Design," John Wiley and Sons, Inc., 1984.
Gasser, Morrie, "Building a Secure Computer System," Van Nostrand Reinhold, New York, 1988.
Grampp, F. T. and Morris, R. H., "UNIX Operating System Security," AT&T Bell Laboratories Technical Journal, October 1984.
Greenberg, Ross, "Know Thy Viral Enemy," Byte Magazine, June 1989.
Haykin, Martha E., and Robert B. J. Warner, "Smart Card Technology: New Methods for Computer Access Control," NIST Special Publication 500-157, National Institute of Standards and Technology, September 1988.
Hoffman, Lance, "Modern Methods for Computer Security and Privacy," Prentice-Hall, 1977.
Honan, Patrick, "Avoiding Virus Hysteria," Personal Computing, May 1989.
Kurzban, Stanley A., "Viruses and Worms--What Can You Do?," ACM SIG Security, Audit, & Control, Volume 7, Number 1, Spring 1989.
Lipner, S. and S. Kalman, "Computer Law," Merrill Publishing Co., 1989.
McAfee, John, "The Virus Cure," Datamation, Volume 35, Number 4, February 15, 1989.
McLellan, Vin, "Computer Systems Under Siege," The New York Times, January 17, 1988.
Murray, William H., "Epidemiology Application to Computer Viruses," Computers and Security, Volume 7, Number 2, April 1988.
Parker, T., "Public domain software review: Trojans revisited, CROBOTS, and ATC," Computer Language, April 1987.
Pfleeger, Charles P., "Security in Computing," Prentice-Hall, 1989.
Pozzo, Maria M., and Terence E. Gray, "An Approach to Containing Computer Viruses," Computers and Security, Volume 6, Number 4, August 1987.
Rubenking, Neil, "Infection Protection," PC Magazine, April 25, 1989.
Schnaidt, Patricia, "Fasten Your Safety Belt," LAN Magazine, October 1987.
Shoch, John F., and Jon A. Hupp, "The Worm Programs--Early Experience with a Distributed Computation," Communications of the ACM, Volume 25, Number 3, March 1982.
Spafford, Eugene H., "The Internet Worm Program: An Analysis," Purdue Technical Report CSD-TR-823, November 28, 1988.
Spafford, Eugene H., Kathleen A. Heaphy, and David J. Ferbrache, "Computer Viruses - Dealing with Electronic Vandalism and Programmed Threats," ADAPSO Software Industry Division Report, 1989.
Stefanac, Suzanne, "Mad MACS," Macworld, November 1988.
Steinauer, Dennis D., NBS Special Publication 500-120, Security of Personal Computer Systems: A Management Guide, National Bureau of Standards, January 1985.
Stoll, Clifford, "The Cuckoo's Egg," Doubleday, 1989.
Thompson, Ken, "Reflections on Trusting Trust (Deliberate Software Bugs)," Communications of the ACM, Vol 27, August 1984.
Tinto, Mario, "Computer Viruses: Prevention, Detection, and Treatment," National Computer Security Center C1 Tech. Rpt. C1-001-89, June 1989.
Wack, John P., and Lisa J. Carnahan, "Computer Viruses and Related Threats: A Management Guide," NIST Special Publication 500-166, National Institute of Standards and Technology, August 1989.
White, Steve R., David M. Chess, and Chengi Jimmy Kuo, "Coping with Computer Viruses and Related Problems," Research Report Number RC 14405, International Business Machines Corporation, Yorktown Heights, New York, 1989, adapted and distributed as "Coping with Computer Viruses and Related Problems," Form G320-9913, International Business Machines Corporation, September 1989.
Witten, I. H., "Computer (In)security: infiltrating open systems," Abacus (USA), Summer 1987.

ELECTRONIC FORUMS:

VIRUS-L is a moderated mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Send subscription requests to: LISTSERV@LEHIIBM1.BITNET. In the body of the message, enter "SUB VIRUS-L your name".

RISKS-FORUM Digest is a moderated mail forum for discussing computer security issues as well as risks associated with other forms of technology. Send subscription requests to: RISKS-Request@CSL.SRI.COM.

The NIST Security Bulletin Board is a repository of computer security information open to the general public. Users can download files, send messages, participate in forums, and access security alert information. Dial (301) 948-5717 at 2400/1200/300 BPS, parity none, 1 stop bit, 8-bit characters.