Date: Fri, 23 Oct 92 01:23:48 EST
From: spaf@CS.PURDUE.EDU(Gene Spafford)
Subject: File 1--Re: Cu Digest, #4.49- Viruses--Facts and Myths (1)

In the Digest, #4.49, "Dark Adept" provided a long article on virus facts and myths. Unfortunately, he/she got several "facts" incorrect. I could try to make a point about the danger of correct-sounding material being mistaken for factual simply because it is well-written, and on the difficulty of verifying information presented from behind a pseudonym and without citations, but will leave that for another rant. :-)

I'll try to correct a few of the more glaring errors. The interested reader should consult one of the well-researched and documented texts on the market for further details. I'd suggest Ferbrache's excellent text "A Pathology of Computer Viruses" (Springer-Verlag), Hoffman's collection "Rogue Programs" under the Van Nostrand Reinhold imprint, and Denning's "Computers Under Attack" by Addison-Wesley. Also of value are Hruska's "Computer Viruses and Anti-Virus Warfare" and the badly overpriced "Computer Virus Handbook" edited by Highland. The comp.virus newsgroup (Virus-L mailing list) has a very nice FAQ article compiled by several knowledgeable researchers and authors in the area of computer viruses that addresses many of these points and provides pointers to additional information.

Now for my comments.

> A virus is a tiny program that attaches itself to other programs. It does

Viruses do not need to be tiny.

> a chance of catching a virus. Data files (files that are not programs, like
> text for your word processor) cannot contain viruses.

Wrong. Data files can contain viruses in two ways. First, they may contain viruses that are in a non-threatening format. For instance, a text file may contain a virus encoded as hex digits. This is not a threat, per se, but is a virus. This is the pedantic objection.

However, it is also possible for a virus to be present in a form that causes it to be interpreted. For instance, a virus can be written in Lotus 1-2-3 macros in a spreadsheet. The spreadsheet is not a program, but it has elements that can be executed and act like a virus. Likewise, a virus can be written in GNU Emacs macros that are automatically executed when a file is read with Emacs (unless the "inhibit-local-variables" variable is set correctly). Viruses can be written for .bat files under DOS, and these are not considered to be programs by everyone. However, they get executed, and that means that a virus can be in one of them.

> The only way to activate the virus is to run the program.

Including my examples given above, this is not strictly true, either. Some Mac viruses activate when one inserts a disk into the drive and the desktop is read (under System 6.0.x). This does not involve executing a program, but interpreting code present on the disk. Other examples exist, but you get the point.

> Another thing is batch files. These are files on IBM PC's that end in ".bat".
> These DO NOT contain viruses.

However, they could. The viruses would be easy to spot and probably not very effective, but they could be written, just as Unix shell script viruses can be written. (For instance, see Tom Duff's paper in "Computing Systems" of a few years ago.)

> Ok. Viruses can only be made for specific machines. By this I mean
> that a virus that infects IBM PC's will NOT be able to infect Macs.
> There may be a tiny tiny chance if your Mac is running something like
> an IBM Emulator that a virus may cause problems, but in general, if
> you have a non-IBM compatible computer, and you can't run IBM software,
> then you can't catch IBM viruses and vice-versa.

Wrong. A virus written in spreadsheet macros or Perl or some other higher-level language will indeed work on any machine that supports an interpreter for that high-level language. Also, we have seen cases of viruses written for DOS machines (Intel 80x86 architecture) able to run on DOS emulators under MacOS -- it isn't a tiny chance, but a real possibility.

> For the most part, only personal computers (i.e., IBM PC's and Macs) are
> affected by viruses. On IBM's, they are usually limited to DOS, so if
> you are running Unix on a 386 you don't really need to worry (yet).

Wrong. Boot sector infectors are generally able to spread to Unix disks. Usually they just wipe out the Unix boot sector. This should indeed be a worry. If the Unix disk shares the same boot record format as MS-DOS, it's even more of a worry (luckily, this isn't generally the case).

> If you buy the software from
> a computer store, you don't have to worry. Once in a million there might
> be some type of problem, but in general, store purchased software will
> NEVER have a virus.

Wrong. Some stores will take software back for refunds after it has been used in machines with viruses. Thus, the store software will be infected. Some stores even put new shrink-wrap over the packages so you can't tell it happened. Other stores will use the software in the store in their machines to demo it or to make sure it works the way you think. Again, this is a source of viruses -- many store systems are badly infected. Finally, there are many incidents where vendors have shipped their software to stores with the disks already infected with a virus. Getting software from a store is NOT a guarantee that it is free from viruses.

> There are 3 main types of "anti-virus" software available:
>
> o Scanners
> o Detectors
> o Removers

This is not how most experts in the field classify such software.

> Each virus has what the anti-virus geeks call a "footprint".

We "geeks" usually refer to it as a signature. I know of no one reputable who refers to these as "footprints."

[Dark Adept then goes on to explain his "detectors" and jumbles together activity monitors and integrity checkers. I won't bother explaining the nuances here -- consult one of the references. However, many of his points are off the mark, especially as regards integrity monitors.]

> Nine times out of ten, a disinfector will have to
> delete *ALL* the programs that are infected. Gone. Erased. Never to come
> back. Some can get out the virus without deleting files, but this is
> rare.

Not so rare -- several such programs exist and work quite well. In the Mac world, almost all viruses can be successfully disinfected by John Norstad's "Disinfectant". Skulason's F-Prot does a very good job on removing most MS-DOS viruses. It is not rare at all.

[Dark Adept then recommends Central Point Software. We can't tell if this is an informed opinion based on comparison, or if Dark Adept is really the president of Central Point and trying to scam us because we have no idea who or what Dark Adept really is. In general, thorough and impartial tests conducted by places like the Hamburg virus research group and by the Virus Bulletin have revealed that Skulason's F-Prot and Dr. Solomon's Toolkit are far and away the most complete and effective anti-virus tools for MS-DOS. Interested readers can consult those mentioned and similar references for details. Neither Skulason nor Solomon are greedy SOBs like some other vendors in the arena (I agree with Dark Adept that there are some notable ones out there). In fact, Skulason's product is free for personal use at home!]

> A virus is made up of two basic parts: an infector and a destructor.
> The INFECTOR is the part of the program which hides the virus and makes
> it spread. The DESTRUCTOR is the mischief maker. This is the part
> that draws crazy pictures on your screen or erases a file on you.

Not strictly true. Many viruses cause damage because the people who wrote them aren't as clever as they like to think they are, or because new hardware & software configurations have come along that weren't anticipated by the virus author. The result is that the virus causes damage as it tries to spread by overwriting critical data or poking into the wrong memory locations. This is one of the principal reasons that *NO* virus is harmless -- two or three years from now, something that appeared harmless in someone's home system may cause a massive failure in the machines at a business or laboratory with a vastly different set of configuration parameters.

> "The first virus was written by..."
> No one knows. However, if you were to ask me, I will say the first
> virus was written by the first person who made copy-protection.

Pure bullshit -- an apologist attempt to justify pirating and/or virus writing. Many copy protection schemes bear no real resemblance to viruses, and in any event they don't replicate themselves into other software. Ferbrache and I both have good evidence that the first PC viruses were written in 1981 (2 years before Cohen thought of the idea). Many people credit Ken Thompson with the first virus because of his Turing Award lecture on trust. Others credit early core wars experimenters. It depends on how you formally define virus. The definition I use sides with the ones who credit Thompson.

[Dark Adept then claims that viruses aren't a problem because in all his limited academic experience he has seen only a few cases of viruses. This is like claiming that elephants don't exist because he hasn't seen one in years while living in Illinois. Business and government sites continue to report wide-spread and continuing outbreaks. Viruses exist and they continue to be a significant problem. It's not the end of the world, but it is not getting better and it is real.]

> I just hoped I made this virus thing clearer. This is not based
> on any virus "expertise" I have, just a thorough knowledge of
> computers and my experience with them (which is extensive). I am not a
> "virus expert" nor am I a virus author. But next time someone tries to
> scare you or calls themselves a "virus professional" call them an idiot.

Okay, you're an idiot.

> They don't even want to format a hard drive, just have a little
> fun programming. Once in a while one of their "projects" might get out
> of hand, but they're not there to make your life miserable. Sure I'd be
> pissed at em if Flight Simulator got infected, but no biggie. Just clean
> up and reinstall.

Fun, hell. If I set fire to your house because I wanted to have a little fun, don't get bent out of shape -- it's your own fault for not having sprinklers, right? Just get the insurance money and move somewhere else.

If the people who write viruses are so talented and bored, there are lots of other things they could do that would be of benefit to others around them and might be just as much fun. Committing indirect acts of vandalism is not "fun" for the victims, nor is it the fault of the people who are conducting research or a business on the systems that get hosed. There are people using their systems for more critical efforts than "Flight Simulator" -- and they don't have time, personnel, or resources to backup their systems every 10 minutes...nor should they be forced to.

Virus writing is nothing more than vandalism and is solely the fault of the virus authors.

--spaf

------------------------------
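Spafford's post distinguishes signature scanners from integrity checkers (and notes that Dark Adept jumbles the latter together with activity monitors). The following is an added example, not code from the post or from any of the products it names, showing the two approaches side by side on constructed toy data: the scanner recognises only a signature it already knows, while the integrity checker flags any file whose hash has drifted from its baseline, known virus or not. Every file name, file content and the "signature" below is made up for the illustration and corresponds to no real software or virus.

```python
"""Signature scanning vs. integrity checking, side by side.

Added illustration (not from the original post): a scanner only finds
viruses whose signature it already knows, while an integrity checker
reports *any* change to a file it has baselined.  All files and the
"virus signature" here are constructed toy data; nothing corresponds to
a real program or a real virus.
"""
import hashlib
from typing import Dict, List

# Constructed toy "files": name -> content bytes (not real programs).
SAMPLE_FILES: Dict[str, bytes] = {
    "EDIT.COM": b"\x90\x90real editor code\x00",
    "GAME.EXE": b"MZ game code here",
    "README.TXT": b"Plain text notes.",
}

# Constructed signature for a hypothetical virus; this is not a real one.
KNOWN_SIGNATURES: Dict[str, bytes] = {
    "TOY-VIRUS-A": b"TOYVIRUS-A",
}


def scan_for_signatures(files: Dict[str, bytes],
                        signatures: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scanner: report which known signatures occur in which files.

    A file changed by something with no entry in `signatures` is never
    reported, which is the scanner's blind spot.
    """
    hits: Dict[str, List[str]] = {}
    for name, data in files.items():
        found = [sig for sig, pattern in signatures.items() if pattern in data]
        if found:
            hits[name] = found
    return hits


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Integrity checker, step 1: record a SHA-256 digest of every file
    while the system is believed clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def check_integrity(files: Dict[str, bytes],
                    baseline: Dict[str, str]) -> Dict[str, str]:
    """Integrity checker, step 2: compare current digests with the baseline.

    Returns a map of file name -> "modified" / "missing" / "new".  It says
    nothing about *what* changed a file, only that it changed.
    """
    report: Dict[str, str] = {}
    for name, digest in baseline.items():
        if name not in files:
            report[name] = "missing"
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            report[name] = "modified"
    for name in files:
        if name not in baseline:
            report[name] = "new"
    return report


def demo():
    """Baseline the clean files, then simulate two changes: one carrying
    the known toy signature, one an unknown modification."""
    baseline = build_baseline(SAMPLE_FILES)
    after = dict(SAMPLE_FILES)
    after["EDIT.COM"] = SAMPLE_FILES["EDIT.COM"] + KNOWN_SIGNATURES["TOY-VIRUS-A"]
    after["GAME.EXE"] = b"UNKNOWN-CHANGE" + SAMPLE_FILES["GAME.EXE"]
    scanner_hits = scan_for_signatures(after, KNOWN_SIGNATURES)
    integrity_report = check_integrity(after, baseline)
    return scanner_hits, integrity_report


if __name__ == "__main__":
    hits, report = demo()
    print("scanner hits:     ", hits)    # only EDIT.COM, the known signature
    print("integrity report: ", report)  # EDIT.COM and GAME.EXE both modified
```

Running it shows the asymmetry the post is pointing at: the scanner reports only EDIT.COM, because that is the only file carrying a signature it knows, while the integrity check reports both changed files. The trade-off is that an integrity checker needs a trusted baseline taken when the files were clean, and it cannot name what it found, which is why the two tools complement rather than replace each other.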