Date: Tue, 13 Oct 92 08:09:24 EDT
From: "David M. Chess"
Subject: File 2--Re: CuD 4.49 - Viruses--Facts and Myths (2)

This is a brief reply to the file from The Dark Adept that appeared in CuD 4.49. As an anti-virus weenie myself, I'm speaking from a rather different point of view, obviously. On the other hand, I don't claim to be speaking for the anti-virus weenie community as a whole; this is just a few personal reactions, written during a sanity break from some heavy debugging.

Most of the factual stuff in the Adept's file is generally correct (and amusingly phrased!). A few notes:

- It's not really just .COM and .EXE files in DOS that can carry viruses. Those are the most common vectors, but since there is a DOS call that will execute a file of any name at all as a program, and some viruses infect when that call is used, you have to look in all your files during a cleanup operation. For instance, if you have a game program in FINOGA.COM, and all it really does is display the game-company logo and then run FINOGA.BNX, some of the most common file-infecting viruses will be able to infect FINOGA.BNX, and if you don't clean it up from there, you're still infected.

- It's possible (just barely) to write a virus for a BAT file. But no one's figured out how to do it in a reliable or non-obvious way, so there are no BAT viruses "in the wild", and users don't have to worry about them. The same applies to (for instance) worksheet files for spreadsheet programs; since they can contain things like autostart macros, it's theoretically possible to write a virus that infects them, but there are none in the wild.

The Adept writes that viruses are more common on personal computers because they "need access to memory that they shouldn't have, and on a personal computer, there is nothing to stop them from getting it." This is a common misconception. In fact, viruses *don't* need access to memory that they shouldn't have; all they need to be able to do is read and write program files (the same way that your compiler, your patch program, your file manager, and so on, do). Experimental viruses have been written for larger non-personal computers, and they work just fine (ask your local librarian for a list of papers by Fred Cohen from the computer science literature for some good details of this sort of thing). The reason we don't see viruses for larger computers is that software for them does not flow as freely as software for personal computers. Quick, how many people reading this have a diskette in some pocket? OK, now how many have a 9-track tape reel?

The Adept's confidence about the cleanliness of store-purchased software is, I fear, somewhat unfounded. There have been numerous reports of legitimately-purchased software accidentally shipped (or infected at the point of sale) with a virus. As software producers and sellers become aware of the problem and better instrumented to prevent it, we can hope it will become increasingly rare. But more than one system has become virus infected even though "all I ever use is shrink-wrapped software, honest!".

> Each virus has what the anti-virus geeks call a "footprint".

Actually, we anti-virus geeks call it a "signature" or a "scan-id".

Most of the rest of the Adept's comments are quite correct. I would observe that most infections in the real world are caused by viruses that have been out for some time, so it's not incredibly vital to have this week's copy of your scanner. This quarter's copy is probably a good idea, though! Also, modern scanners tend to be good at detecting small variants of viruses that they have signatures for, so if someone creates a "new" virus by the usual method of munging an old one, many scanners will still find it.

One disadvantage of modification detectors that the Adept doesn't mention is that they are prone to false positives. That is, when you install a new version of HyperWunga, and it changes five-godzillion programs on your disk, the next time you run your modification detector it will of course tell you that lots of programs have changed. How do you know that none of them were changed by a virus rather than WungaInstall? You probably don't.

The Adept somewhat underestimates the abilities of virus removers. In fact, a good remover will be able to restore almost all of the objects infected by almost all common viruses to almost their original state; it should *never* delete a file without asking your permission first. Note all those "almost"s, though; many viruses are very buggy, and if *I* had an actual infection on a machine I cared about, I would restore the infected objects from backups, even if I had a remover that claimed to work correctly on that virus. The other choice is to trust both the virus and the remover not to have done anything wrong. A good remover, of course, will know which viruses are buggy, and warn you about the files that might be corrupted.

Microcomputer viruses probably don't matter much to the Net, as the Adept points out. We should keep in mind, though, similar things that matter more to the Net: there was this little worm the other December, for instance! Spreading things can impact just about any kind of computer system, if the culture and the connectivity are right.

Adept also offers the usual "virus writers are just nice guys who like to write interesting programs" line. May be true; I don't know any actual virus writers. I would, however, like to ask how all that hard-disk-trashing code got in there. Did someone sneak into the Nice Guys' rooms at night and type it in? The people who write destructive viruses clearly have some maladjustments that need to be cleared up before I'd let them near any of *my* offspring. Even viruses that aren't meant to be destructive generally wreak havoc and cause pain as they spread.

I have no quarrel with someone who writes a virus just to play with and takes reasonable measures to make sure it never gets to anyone who doesn't want it. But the authors of the viruses that are currently in the wild messing up machines (accidentally or on purpose) don't qualify.

I certainly agree that there's been quite a bit of hype in the anti-virus field. As usual, of course, one should blame the marketing departments rather than the coding labs! *8) The world is certainly not about to end, and the average user should probably take about the same level of precautions against viruses that she does against, say, a hard disk failure. Get a couple of good backup programs, and a couple of good anti-virus programs, and use them well! And bring up your kids to have something more interesting to do with a computer than write code that hurts other folks...

------------------------------

Downloaded From P-80 International Information Systems 304-744-2253
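The false-positive problem with modification detectors that Chess describes above (a HyperWunga upgrade looks exactly like an infection to a checksum-based checker) is easy to see in code. The following is an added example written for this page, not code from Chess's post or from any product of the period: a minimal integrity checker that records a digest per program, reports what changed, and then reconciles the report against a vendor-supplied manifest of expected digests, which is the extra information a bare modification detector lacks. SHA-256 stands in for the CRCs of the era, and every file name, content and "appended bytes" marker is constructed for the demo (no real virus code is involved).

```python
import hashlib
from typing import Dict, List, Tuple

Baseline = Dict[str, str]   # file name -> hex digest
FileSet = Dict[str, bytes]  # file name -> file contents


def fingerprint(data: bytes) -> str:
    """Digest of a file's contents (SHA-256 here; a 1992 checker would
    have used a CRC or a proprietary checksum)."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: FileSet) -> Baseline:
    """Record a digest for every program on the 'disk' while it is clean."""
    return {name: fingerprint(data) for name, data in files.items()}


def detect_changes(baseline: Baseline, files: FileSet) -> List[Tuple[str, str]]:
    """Compare the current disk against the baseline.  Returns sorted
    (name, status) pairs, status being 'modified', 'new' or 'missing'."""
    report = []
    for name, data in files.items():
        if name not in baseline:
            report.append((name, "new"))
        elif fingerprint(data) != baseline[name]:
            report.append((name, "modified"))
    for name in baseline:
        if name not in files:
            report.append((name, "missing"))
    return sorted(report)


def explain_changes(changes: List[Tuple[str, str]], files: FileSet,
                    manifest: Baseline) -> Dict[str, List[str]]:
    """Split a change report into changes that match a vendor manifest of
    expected digests ('expected') and changes nothing accounts for
    ('unexplained').  A file that merely changed is not enough: its new
    digest must equal the one the manifest promises."""
    out: Dict[str, List[str]] = {"expected": [], "unexplained": []}
    for name, status in changes:
        if status != "missing" and manifest.get(name) == fingerprint(files[name]):
            out["expected"].append(name)
        else:
            out["unexplained"].append(name)
    return out


# Constructed sample 'disk'; names and contents are made up for the demo.
CLEAN_DISK: FileSet = {
    "COMMAND.COM": b"command interpreter v5.0",
    "FINOGA.COM": b"game loader: show logo, run FINOGA.BNX",
    "FINOGA.BNX": b"game body",
    "WUNGA.EXE": b"HyperWunga 1.0",
}


def infection_scenario() -> List[Tuple[str, str]]:
    """One program grows by some appended bytes (a stand-in for what a
    file infector does to its host).  The detector flags exactly that file."""
    disk = dict(CLEAN_DISK)
    disk["FINOGA.BNX"] = CLEAN_DISK["FINOGA.BNX"] + b"<appended-bytes>"
    return detect_changes(build_baseline(CLEAN_DISK), disk)


def upgrade_scenario() -> Tuple[List[Tuple[str, str]], Dict[str, List[str]]]:
    """WungaInstall replaces WUNGA.EXE and adds an overlay, and at the same
    time FINOGA.BNX changes for no documented reason.  The raw report cannot
    tell the two apart; reconciling against the installer's manifest can."""
    disk = dict(CLEAN_DISK)
    disk["WUNGA.EXE"] = b"HyperWunga 2.0"
    disk["WUNGA2.OVL"] = b"HyperWunga 2.0 overlay"
    disk["FINOGA.BNX"] = CLEAN_DISK["FINOGA.BNX"] + b"<appended-bytes>"
    # Manifest shipped with the upgrade (constructed): digests of the
    # files the installer is supposed to write.
    manifest = build_baseline({
        "WUNGA.EXE": b"HyperWunga 2.0",
        "WUNGA2.OVL": b"HyperWunga 2.0 overlay",
    })
    changes = detect_changes(build_baseline(CLEAN_DISK), disk)
    return changes, explain_changes(changes, disk, manifest)


if __name__ == "__main__":
    print("after infection:", infection_scenario())
    raw, reconciled = upgrade_scenario()
    print("after upgrade, raw report:", raw)
    print("after upgrade, reconciled:", reconciled)
```

The raw report after the upgrade lists three changed files with no way to rank them; only the manifest comparison separates the two files the installer promised to write from the one change nobody can account for, which is the file to restore from backup. Without such a manifest (or a fresh baseline taken immediately after a trusted install), the user is left in exactly the position Chess describes.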