



                                                                      
                             The Amazing Realities                    
                             of SOFTWARE VIRUSES!                     
                                                                      
                                      by                              
                                 Steve Gibson                         
                          GIBSON RESEARCH CORPORATION                 
                                                                      
             Portions of this text originally appeared in Steve's     
                       InfoWorld Magazine TechTalk Column.            
                                                                      



        My mother always hoped I'd become a doctor... actually a brain
        surgeon. Since I work with electronic "brains" every day I
        always thought that was as close as I would come to "doctoring"
        anything, but the recent flare-up of interest in software
        viruses, infections, cures, antidotes and inoculations might
        change all that.

        The notion of software "hacking" isn't new, having been born
        just five minutes later than software. But as we've grown
        increasingly dependent upon the expensive programs and precious
        data stored in our machines, the cost of a computer failure,
        whether accidental or deliberate, has skyrocketed. Factor in the
        notion of someone DELIBERATELY destroying your irreplaceable
        data and you have a hot situation indeed! Multiply this by the
        unwitting and infectious spread of this destruction throughout
        the far-reaching tendrils of an entire organization or
        community's computer usage and the cost of such deliberate
        sabotage can be incalculable.

        Software viruses can be loosely divided into four classes: the
        General Purpose Infector Virus (GPIV), Special Purpose Infector
        Virus (SPIV), Very Clever General Purpose Infector Virus
        (VCGPIV), and Central System Infecting Virus (CSIV). The habitat
        for the first three viral strains is any unwitting application
        host, while the Central System Infecting Virus takes up
        residence at the core of the operating system.

        One of the most fascinating aspects of the entire
        software/medicine analogy is the amazing degree to which it
        holds. Modern computer systems and software are now complex
        enough to support a crude simulation of life-cycle processes.

        The General Purpose Infector Virus operates by tacking itself
        onto the front or back of any existing application program. To
        keep its size and complexity down it's generally specific to COM
        or EXE file types and is thus unable to infect a file of the
        other type. COM-file infectors have a far simpler genetic
        design, but they don't have as much future as the EXE infectors.

        Poorly designed GPIV viruses are simple to spot once you're
        looking for them since they alter the program's overall length
        and may update the file's own date. However, both of these clues
        are also easily handled with a little added viral design. The
        date can be easily restored after the infecting alteration has
        taken place, and the clever GPIV can mask its size by creating a
        hidden file containing the real program while it occupies the
        abandoned file husk of the actual program. Only a scan of the
        entire computer system for hidden or system files would turn up
        the real programs, renamed as something innocent. Then again it
        might not even hide the actual program, but leave it there in
        plain sight, mixed in with the files in your largest
        subdirectory, and named something reasonable, appearing to be an
        overlay, help file, or who knows what.

        The Special Purpose Infector Virus is designed to INHABIT only
        one version of one particular application program and
        consequently can be far harder to spot. It lives parasitically
        WITHIN the body of the application in a buffer region, array
        area, or other non-code-bearing space. Only a byte-by-byte
        comparison of a file against a known good copy can spot the
        SPIV, and you'd better hope that it didn't alter the system's
        compare command beforehand to report equality whenever its
        inhabited file is being tested!
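        The integrity check these two paragraphs call for, as an added
        example (this is not code from the column or from Gibson Research):
        a Python script that fingerprints every COM and EXE file under a
        directory and later reports what changed. The file types, the
        directory layout and the sample programs in demo() are constructed
        for the example. It records size and date, the two clues the text
        says a virus can restore, alongside a SHA-256 hash, which cannot be
        restored without the original bytes, and it lists executables that
        appeared after the baseline so a renamed hidden copy of the real
        program is not overlooked.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Host file types the column describes as infectable. This set is an
# assumption for the example; add any other executable types you care about.
EXECUTABLE_SUFFIXES = {".com", ".exe"}


def fingerprint(path: Path) -> dict:
    """Record what an infector may try to preserve (size, date) together
    with something it cannot put back without the original bytes: a hash."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Fingerprint every executable under root, hidden files included.
    Take the baseline from a known clean state and store it off the machine
    (or on write-protected media) so a resident virus cannot adjust it."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[str(path.relative_to(root))] = fingerprint(path)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against the baseline and report:
      modified - hash differs, with a note on whether size and date were kept
      new      - executables absent from the baseline (a renamed "real"
                 program hidden somewhere would show up here)
      missing  - baseline entries that are gone
    """
    current = build_baseline(root)
    report = {"modified": [], "new": [], "missing": []}
    for rel, old in baseline.items():
        now = current.get(rel)
        if now is None:
            report["missing"].append(rel)
        elif now["sha256"] != old["sha256"]:
            kept = (now["size"], now["mtime"]) == (old["size"], old["mtime"])
            report["modified"].append((rel, "size/date unchanged" if kept else "size or date changed"))
    report["new"] = [rel for rel in current if rel not in baseline]
    return report


def demo() -> dict:
    """Constructed scenario: two programs are baselined, then PROG.EXE is
    overwritten with different bytes of the same length and its date put
    back, and a hidden copy of the original appears. Only the hash exposes
    the change; size and date look untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        prog = root / "PROG.EXE"
        prog.write_bytes(b"MZ" + b"A" * 98)
        (root / "TOOL.COM").write_bytes(b"\xC3" * 64)
        baseline = build_baseline(root)
        old = prog.stat()
        prog.write_bytes(b"MZ" + b"A" * 90 + b"XXXXXXXX")   # same length, new content
        os.utime(prog, (old.st_atime, old.st_mtime))         # original date restored
        (root / ".real_prog.exe").write_bytes(b"MZ" + b"A" * 98)  # hidden copy of the original
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

        Keep the baseline file and a copy of the checker on write-protected
        media and run the comparison after booting from a known clean disk;
        the text's point about a doctored compare command applies equally to
        any checker that lives on the suspect system.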

        The Very Clever General Purpose Infector Virus (VCGPIV) combines
        the features and capabilities of the GPIV with those of the
        SPIV. It is able to find non-code bearing regions WITHIN the
        bodies of other application programs for which it was not
        specifically designed and infect those programs with its own
        presence. These features make the VCGPIV virus one of the
        nastiest and hardest to spot or control since every program in
        an entire computer system network could be overrun with VCGPIV
        before anything unusual begins happening. In fact, the worst
        variations of VCGPIV don't begin "acting up" until sometime
        after EVERY LAST CANDIDATE host application program in the
        system has been infected!

        Central System Infecting Virus (CSIV) doesn't infect individual
        application programs, but rather attacks and alters the core of
        the operating system itself. The carrier for this virus is
        usually a Trojan Horse program which appears to be doing
        something useful, simple, and disk intensive, like displaying a
        sorted directory, sorting directories, or reorganizing the hard
        disk. Its disk activities tend to cover up its real intention
        which is to plant an infection into the operating system which
        alters the system's subsequent behavior.



               The Intimate Details of Software Virus Reproduction


        Software "viruses" have three fundamental aspects: Existence,
        Reproduction, and Non-Reproductive Purpose. We've examined the
        nature of such viral existence, and we've seen that software
        viruses can be specific to certain programs, general to COM or
        EXE application program files, vary in their degree of
        cleverness and concealment, and can also be carried by Trojan
        Horse programs for the purpose of infecting the central core of
        the operating system itself. Now we'll look at viral software's
        reproductive cycle and non-reproductive purpose.

        Nasty as a virus' mere existence is, the real power of such
        software lies in its capacity and proclivity for "self
        reproductive survival." The notion that a downloaded program
        could spread its seed throughout an unwitting user's hard disks,
        backed-up files, and entire software library is quite chilling
        indeed. Add to this the fact that the virus might well have some
        far more sinister purpose than mere reproduction, and we have an
        unpleasant scenario.

        A software virus rides along on a host program gaining brief
        control of the system each time the host application is used.
        Patterning itself after organic life, which after all has a
        proven survival track record, a virus' first priority must be
        its own survival. This means that the well-designed virus won't
        make its own presence known or felt until it feels that there's
        nothing further to be gained from secrecy. As we'll demonstrate
        later, this point is never really reached, although to some
        degree this occurs some time after the user's system is infected
        at the 100% level. Once every last available file is carrying
        viral clones, the virus' reproductive urgency is reduced.

        However, since the serious virus designer's real goal is true
        global infection, the well designed virus waits still longer to
        maximize the probability that it will have an opportunity to
        spread to other systems and communities before being removed
        completely from the system after some powerful and deliberate
        demonstration of its presence.

        When an infected application program is started, its hosted
        virus gains immediate control. It is this brief start up
        interval of disk activity as the application loads that masks
        the virus' reproductive activities. The virus briefly searches
        for an uninfected host application. When found it quickly
        infects this unknowing application with a parasitic copy of
        itself and passes control to the hosting application as if
        nothing out of the ordinary had happened.

        The only unmaskable clue of anything out of the ordinary having
        happened would be a longer than usual start up time for the host
        application. If you've been noticing your applications behaving
        somewhat erratically during start-up you might want to take a
        closer look. Of course, you still wouldn't know WHAT other
        program the virus had just then jumped into.

        Suppose now that a computer system has become completely overrun
        with its virus (or viruses, since it might have picked up more
        than one!) and consequently the virus has failed in its attempt
        at infecting a new host application. At this point the virus
        switches from its reproductive mode into its non-reproductive
        mode.

        The question we now face is: What is the intention of the virus
        when it is no longer able to reproduce within the system? Is it
        functionally benign, so that it's simply going to announce
        proudly "GOTCHA!...Every EXE file on this system is infected!,"
        or is it going to behave more maliciously?

        In this regard we're completely in the hands of the virus'
        designer. However we should note that simply causing the user's
        hard disk to begin low-level formatting is antithetical to the
        virus' primary survival drive. In destroying the user's hard
        disk it also destroys itself, and more importantly, it alerts
        the system's owner to the presence of something quite evil.  And
        in wiping the user's disk it might very well destroy other
        entirely different viral strains which have not yet succeeded in
        achieving their 100% infection levels.

        No, the optimal strategy during the virus' non-reproductive
        malignant-mode, for the infliction of maximum long term damage,
        is to FRUSTRATE while continuing to remain hidden. By PRESERVING
        the user's hard disk data rather than destroying it wholesale
        the virus continues to remain hidden and unsuspected. This also
        preserves the opportunity for further inter-system infection,
        which supports the virus' global survival goal. By RANDOMLY
        messing things up and lowering the overall RELIABILITY of the
        system, the virus achieves its goal of producing maximum long
        term hurt.


                     What can we do about Software Viruses?

        Whatever their means or intent, these viruses spread within an
        organization or community of computers by riding along whenever
        a program is uploaded, downloaded, borrowed, exchanged, shared,
        or demoed... even if it's only run once for ten seconds. I know
        how eagerly I try new shareware or public-domain goodies which
        promise to provide a needed benefit, and I've sold many copies
        of my own commercial programs to people who admit to having
        first "borrowed" a copy from a friend to try out. That's today's
        reality, and I don't fight it. In fact it's software's ability
        to be easily uploaded, downloaded, copied, and transported which
        so enriches the personal computing experience.

        Now I know this is a controversial area, and many people feel
        that the attention given to the whole topic by the popular press
        is completely overblown. I want to tell you right now that
        they're utterly and completely wrong.

        I have been placed in contact with several groups of people who
        REALLY know what's going on...  and it's terrifying.  Based upon
        some additional theory which we'll examine now, and MANY
        specifics which I'm still uncovering to share later, I'm going
        to make a solid prediction which you can sadly depend upon:

        In the not too distant future there's going to be a MAJOR SCALE
        CORPORATE-WIDE INFORMATION SYSTEM DISASTER which will be caused
        by a system-wide viral attack. The question is where is it going
        to hit, what can be done to prevent it, and how will our
        industry be changed as a consequence. Mark my words, I am
        utterly certain that we REALLY have a problem developing.

        I'm committed to doing whatever is possible, through the vehicle
        of this column and InfoWorld, to try to avert this disaster. But
        human nature says that it's NOT going to be enough. By combining
        theory with specifics I hope to make you individually aware of
        the reality of the danger to you... perhaps enough to avert your
        own small scale personal disaster... and perhaps for your
        companies. So what about preventive measures? What about
        inoculations, antidotes, and sugar cubes?

        The bottom line on virus prevention is good news for the virus
        and NOT good news for US. To illustrate, let's examine a pair of
        useful parallels: The discovery of the many secrets which led to
        the development of resident pop-up TSRs, and the copy protection
        wars of the last five years.

        As you know, Microsoft has always actively refused to tell
        anyone how to create resident TSR pop-ups under DOS. It is
        completely impossible to do so using just their documentation.
        They could have made things A LOT EASIER on everyone by
        documenting many of their "secrets"... but they kept saying
        "NO!" Did that stop the industry's sharp software developers? No
        way. We simply sat down with our debuggers and tore their
        "secret" code apart to figure out exactly what it did and how it
        worked. And before you knew it, voila, Pop-Ups!

        Then we have the tireless merry-go-round tournament formed on
        one side by companies who desire to protect their software from
        being illegally copied versus those whose very purpose in life
        seems to be the defeat of the latest copy protection schemes. By
        applying the same "reverse engineering" which allowed us to
        develop TSRs, the protection busters mirrored every move made by
        the protectors... and held them in check.

        The overall result was escalation. Both teams ended up
        developing Olympian-level skills, but the war never ended. It
        couldn't end until one side or the other gave up. The final
        result, as anyone who has dipped into the typical bulletin board
        system knows, is that copy protection busting utilities are one
        of the hottest downloading categories today.

        So today we have a new battleground with the same players
        wearing different hats. Anything any anti-virus solution can do
        to prevent infection and viral spread the next viral strain will
        defeat. Not good news.


                Today's Real-World Solutions to the Viral Threat

        There's a terrific group of people in Santa Clara, California
        who have dedicated themselves to catching, analyzing, and
        disseminating helpful and specific information about software
        viruses. This non-profit organization, the National BBS Society
        (NBBSS), can be contacted at (408) 727-4559.

        The NBBSS has identified 39 different strains of software
        viruses, and more are being found continually.  For example, the
        latest virus, which the NBBSS has preliminarily named the RETRO-
        VIRUS was submitted by one of their members on April 19th.  This
        virus infects and lives inside ANY ONE OF THREE popular
        shareware programs. It reproduces by attaching passive carrier
        clones of itself to other executable files in the hope that the
        infected executable file will make its way to another system
        which contains one of its three target "infectable" host
        programs.

        It was named the RETRO-VIRUS because it continually communicates
        with its infected clone carrier executables via a clever "flag"
        hidden within the system. When any of its viral clones executes,
        this flag is turned ON. Then when one of the three internally
        infected hosts executes this flag is checked, then turned OFF.
        If the flag was already OFF, the host determines that the system
        must have been swept clean of its viral carriers. Then, after
        quietly waiting for several months, the host REINFECTS several
        of the system's executable files. The system user THINKS that
        the system was virus-free... but then the same virus reemerges
        "from out of nowhere."

        As you can see from this example, we're dealing with some
        extremely sophisticated programming... which is specifically
        intended to DEFEAT attempts at removing the viral code from the
        system.

        So exactly what measures can be taken to deal with the spread of
        software viruses? The good news is, there are several. Viruses
        can either be caught "in the act" of spreading their seed, or
        located while they're lying dormant on a disk.

        The "catch'em in the act" approach provides the best anti-viral
        protection currently available since the reproducing behavior of
        many viruses is quite similar, can be somewhat generalized, and
        then readily spotted. Such solutions have the negative side
        effect of requiring continual RAM residency, with all the
        problems which that implies. Also, they can sometimes
        erroneously alert their owner to questionable but benign
        behavior of non-viral software. Even so, these programs are
        innocuous and are highly recommended when using new software
        "submissions" on any system which falls into a high viral
        infection risk group.
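        How a "catch 'em in the act" monitor decides what to flag, as an
        added example (not code from the column, from FluShot+ or from C-4):
        constructed file-activity log lines are run through a few rules that
        alert on writes, renames or hidden-attribute changes to executables,
        and on any such change to a file treated as operating-system core,
        the Trojan Horse case described earlier. The log format, the
        SORTDIR.COM process and the SYSTEM_CORE set are assumptions made for
        the example; the allowlist shows the benign-but-questionable case
        the text mentions, a linker rewriting the program it just built.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed log format for this example: one file-system event per line.
LINE_RE = re.compile(r"^(?P<time>\S+) PROC=(?P<proc>\S+) OP=(?P<op>\S+) PATH=(?P<path>.+)$")

EXECUTABLE_SUFFIXES = (".com", ".exe")
# Files standing in for the "core of the operating system"; an assumption
# for the example, extend to whatever your system treats as core.
SYSTEM_CORE = {r"c:\command.com"}
# Operations that can plant or conceal code. READ is deliberately absent:
# a program reading other executables is ordinary behaviour.
SUSPECT_OPS = {"WRITE", "RENAME", "HIDE"}

# Constructed sample log: a linker writing its output, a word processor
# saving a document, and a "directory sorter" rewriting other programs.
SAMPLE_LOG = r"""
09:58:01 PROC=LINK.EXE OP=WRITE PATH=C:\DEV\MYPROG.EXE
10:03:14 PROC=WP.EXE OP=READ PATH=C:\DOCS\LETTER.TXT
10:03:15 PROC=WP.EXE OP=WRITE PATH=C:\DOCS\LETTER.TXT
10:42:07 PROC=SORTDIR.COM OP=READ PATH=C:\UTIL\LIST.EXE
10:42:07 PROC=SORTDIR.COM OP=WRITE PATH=C:\UTIL\LIST.EXE
10:42:08 PROC=SORTDIR.COM OP=WRITE PATH=C:\COMMAND.COM
10:42:09 PROC=SORTDIR.COM OP=HIDE PATH=C:\UTIL\LIST.EXE
"""


@dataclass(frozen=True)
class Alert:
    time: str
    proc: str
    op: str
    path: str
    reason: str


def analyze(log: str, allowlist: frozenset = frozenset()) -> list:
    """Return one Alert per suspect event. allowlist holds upper-case process
    names known to rewrite executables legitimately (linkers, installers);
    even those still trigger on system-core files."""
    alerts = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or malformed line; a real monitor would count these
        time, proc, op, path = m.group("time", "proc", "op", "path")
        if op not in SUSPECT_OPS:
            continue
        lowered = path.lower()
        if lowered in SYSTEM_CORE:
            alerts.append(Alert(time, proc, op, path, "system core modified"))
        elif lowered.endswith(EXECUTABLE_SUFFIXES):
            if proc.upper() in allowlist:
                continue  # the benign case: a known builder rewriting a program
            alerts.append(Alert(time, proc, op, path, "executable modified"))
    return alerts


def summarize(alerts: list) -> dict:
    """Count alerts per process so the noisiest writer stands out."""
    return dict(Counter(a.proc for a in alerts))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, allowlist=frozenset({"LINK.EXE"})):
        print(alert)
    print(summarize(analyze(SAMPLE_LOG, allowlist=frozenset({"LINK.EXE"}))))
```

        Run without an allowlist the linker's own write is reported too,
        which is exactly the false alarm the text warns about; the allowlist
        is how a user tells the monitor which builders are trusted without
        silencing alerts on the core system files.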

        The two most effective virus detection monitors available today
        happen to be the least expensive of any available. FluShot+ is
        available as shareware, with a $10 fee requested, and C-4 is a
        commercial product retailing for just $29.95.

        FluShot+ catches 22 of the known 39 viruses, providing FAR
        GREATER protection than other currently available virus fighting
        agents which retail for hundreds of dollars. FluShot+ may be
        downloaded from CompuServe (in the IBMSW Forum in DL0) or from
        the IBM SIG on The Source, or from its author's bulletin board
        system in New York (1200/2400 Baud: (212) 889-6438) under the
        name FSP12.ARC. It may also be requested directly from its
        author, Ross Greenberg, at (212) 889-6431.

        C-4, which derives its name from Cybernetic Xylene since Xylene
        inhibits the growth and spread of carbon-based viruses, is the
        best commercial viral inhibitor available. Though you might have
        trouble believing that $29 could buy much, C-4's publisher is
        dedicated to stopping software viral spread and even intends to
        offer continual upgrades at near their cost. As a result of
        Interpath's association with the NBBSS, C-4 IS THE ONLY PRODUCT
        TODAY WHICH STOPS THE SPREAD OF EVERY ONE OF THE NBBSS's 39 KNOWN
        VIRAL STRAINS! It may be purchased from: Interpath, 4423 Cheeney
        Street, Santa Clara, CA 95054. (408) 988-3832.

        It has been my goal to address this issue directly and frankly.
        I now know that these viruses exist.  I believe that the problem
        is less wide-spread than the popular press has indicated, but I
        also believe, based upon an analysis of the reproductive
        mechanisms involved, that it has far more POTENTIAL FOR DAMAGE
        than is commonly believed.

        Please exercise some form of self-protection, even if it's just
        altering some software trading habits. In the meantime I'll keep
        you posted.

                                   - The End -


                     Copyright (c) 1989 by Steven M. Gibson
                             Laguna Hills, CA 92653
                            **ALL RIGHTS RESERVED **
