MANAGEMENT OF IT

Computer viruses present a major threat to the security of computing systems-a threat unlike those experienced previously. In the seven years since viruses became prevalent on business sytems their destructive power has received widespread publicity. All computer professionals will be aware of their existence and prudent managers will have investigated the available countermeasures. A body of myth and folklore still surrounds the whole topic of computer viruses and obscures--even from computer professionals-the increasing sophistication of the later viruses. The development of an anti-viral policy presupposes an understanding of the nature of the threat and of the strategic options which are available. The threat is real and the potential damage is substantial. A major virus infection may inflict serious disruption on an organisation; such an outbreak may even put a small company out of business!

Computer viruses: a problem of management 0

rr
A game of chance? n the 15th January 1991, all the main banks in Valetta, Rabat and Mdina on the island of Malta reported the same problem: many of their computers seemed to be playing a game. No one knew what it was, where it had come from, or how it had got there. But throughout the day the reports arriving at head office were the same-an ominous message had appeared on the computer screen (Fig. 1) Even to the uninitiated it is self-evidently bad news. To those who understood the acronyms in the message it was even worse. The FAT (or File Allocation Table) keeps track of the location of each part of a disk file which shows which areas of disk are currently unused. If this table becomes corrupted there is no means of knowing which parts of the disk comprise any particular file. It is as if the contents of an archive holding many tens of thousands of unnumbered pages (including some from both current and obsolete versions of documents) had suddenly become thoroughly shuffled. The message was emphatic that the File Allocation Table had been destroyed, but it qffered the slender hope that a copy had been retained in the electronic memory of the computer (its RAM or Random Access Memory). To switch the computer off or to reset it would immediately clear the RAM of its contents, and that slender hope would have gone. This game was generated by a computer virus (known as the Casino virus) which had
DISK DESTROYER

~ i The ~ . messageon the banks computers

A SOUVENIR OF MALTA

I have just DESTROYED the FAT on your Disk 1 I However, I have a copy in RAM, and Im givlng you a last chance t o restore your precious data. WAUNISG: TF YOU RESET NOW, ALL YOUR DATA WILL BE LOST - FOREVER ! Your Data depends on a game of JACKPOT CASINO DE MALTE JACKPOT

CREDITS : 5
fff * Your Disk
? ? ? = My Phone No.

by Ian Leitch
ENGINEERING MANAGEMENT JOURNAL FEBRUARY 1994

ANY KEY TO PLAY

21

MANAGEMENT OF IT

Fig. 2 The viruss grudging concession

BASTARD ! Youre lucky this t i m e - but, for your own sake, now SWITCH OFF YOUR COMPUTER AND DONT TURN I T ON T I L L TOMORROW ! ! !

embedded itself in some of the large programs used by the banks. Those who hoped that it was a practical joke were out of luck; the malicious virus was as good (or bad) as his word. Hitting one of the keys caused the characters in three windows to run through a sequence before stopping. If after five attempts, the virus deemed that the winning sequence of letters had not been achieved, an abusive message was displayed and the computer hung; its FAT had been scrambled. The winning combination was fff and won a reprieve. The virus displayed the message shown in Fig. 2, and then restored the File Allocation Table to the disk. When a Casino-infected program is run, the virus code installs itself in the computer memory. On only three days in the year (15th of January, April and August) does it display the extreme behaviour discovered by the banks in Malta. For the rest of the year the virus quietly reproduces itself into every major program that is run; if infected programs remain undetected and are transferred to other computers the original isolated outbreak can quickly create an epidemic. Although the Casino virus is highly destructive and was written with obvious malicious intentions, it lacks the sophistication of later viruses. Casino makes only trivial attempts to hide its existence. Alert staff could have easily detected and eradicated it in the long period before its dramatic appearance. Managers who operate without reliable measures for early detection of computer viruses and contingency plans if infection is found are playing a perpetual game of c h a n c c

where the continued existence of their business may be at stake.

e-.

Viruses and initial countermeasures A computer virus consists of a sequence of instructions which causes a copy of itself to be incorporated into other executable programs. This ability to reproduce itself (possibly in a modified form) is the sole defining characteristic of a computer virus. However, many of the early viruses were written as practical jokes and embodied a fun element: for example, one virus put a bouncing ball on the screen, while another caused all the characters on the monitor to slide down to the bottom of the screen. These were not written from malice, though all had unintended side effects which could cause data loss. A replication strategy adopted by many viruses is to delay the display of their most visible effects; initially they just reproduce themselves quietly without attracting attention. Some time later-perhaps a specific date or after the virus has reproduced itself a particular number of times-the more visible effects will be displayed also. As nothing would be gained by constantly re-infecting the same program, most viruses contain a means of determining which programs already contain the virus instructions. Effective protection against computer viruses requires a corporate anti-viral policy which combines good practice with anti-virus software tools. Three main categories of anti-viral software soon developed: detection of changes in program files, scanning program files for virus code, and monitoring program execution for suspicious behaviour. Each method is based on a major characteristic of computer viruses.

9;.

Chanpe detection software (often known as check&mers) exAoits theonly certain fact S . about a computer virus-that it * reproduces itself. A signature (or checksum) is calculated for G . each file such that any change will result in a different signature. .a % : * , A changed signature implies a changed file;

inrection.
22

ENGINEERING MANAGEMENTJOURNAL FEBRUARY 1994

MANAGEMENT OF IT

0 Virus scanneys grew out of the principle that if a virus could detect which programs it had infected, so could a virus detector. Scanners search through the program file to looking for sequences of instructions which occur in known viruses. 0 Behaviour monitors check the instructions issued by a program before they are obeyed. If, for example, it spots one program inserting instructions into another, or intercepts an instruction to corrupt the hard disk, confirmation is sought from the user before proceeding.

These three tools each have different strengths and weaknesses. The virus scanners embody intelligence about the characteristics of each particular virus, and thus can make positive identifications; their action is virus-specific, and may include the restoration of infected programs to their original state; to be effective each scanner must be frequently updated with the latest information about known viruses. Behaviour monitors and checksummers are concerned primarily to observe virus replication; as they require no information about any specific virus (frequent updating is not necessary), they can be as effective on previously unknown viruses as on familiar ones; however, both methods are vulnerable to false alarms as legitimate actions may fall within the criteria which trigger an alert. Although virus scanners rapidly gained the highest profile, these software tools could he used in combination to give substantial protection. Had the virus threat been seen off? No, but virus writers needed to employ a greater sophistication thereafter.

The virus writers retaliate

Ever since they first appeared in 1986, a few virus characteristics have served to provide a simple descriptive classification. File viruses infect application program files, and boot sector viruses inhabit an executable program which is automatically written to every diskette when it is formatted (the so-called boot record program). The more versatile logical structure of a hard disk requires it to have at least two boot records. Some file viruses try to replicate only while the infected program is being run. However, all boot sector viruses and many file viruses operate by loading themselves in the memory of the computer. By this means they can spread infection for an unlimited time; they can intercept any instructions from the user-

particularly those looking for the virus or its effects-and return a reply that the user wants to hear, rather than the truth. For example, a user asking for the size of a suspect program might be told the size of the program before infection, or when examining the contents of a suspect program file might be shown the uninfected program code. Increasingly viruses incorporated these stealth features to obscure their presence. Originally scanners searched for sequences of instructions which were believed to identify uniquely. The virus writers responded by encrypting their virus instructions. This greatly increased the magnitude of the task of even understanding the virus before protection could be incorporated into any scanner. As if that were not enough, some virus writers chose to use a different encryption key each time the virus replicated! Thus the virus instruction code appeared to be different every time. Like other complex tasks, computer programs contain many small steps and often the precise order in which these steps are conducted are unimportant. Some viruses were written to permute all interchangeable instructions randomly on each replication. They presented scanners with another moving target. Other techniques appeared in viruses to counteract the initial success of virus scanners. The virus was broken into many small pieces to make it more difficult to find a unique identification string. Some viruses dispersed their code throughout the program it infected; others incorporated variable-sized pieces of noise code. Some virus writers relied on the obfuscation technique-virus code which was designed to be obscure. Checksummers also came under attack. Computer systems are regularly upgraded as new software is introduced or existing software is upgraded. At such times a checksummer

This virus infection is getting out-of-bund.. .

ENGINEERING MANAGEMENT JOURNAL FEBRUARY 1994

23

MANAGEMENT OF IT

requires new signatures to be calculated for these programs. Some viruses exploited this fact by only infecting software when the user was changing it of his own volition. The recalculated signature would be for the infected file, and the user would be none the wiseruntil the virus was triggered into action. The leading anti-viral products have developed constantly to counteract each of these new techniques. The virus scanner no longer just searches for the identifying virus code sequences from its database; its own program must take account of the variability found in current viruses. Daily the demands on anti-viral software manufacturers become more difficult. For example, the number of viruses which attack IBM (and compatible) personal computers using MS-DOS is increasing by about 150 new viruses each month. At present there are some 2500 known viruses for this system-although only about 70 viruses are active in Britain. Unravelling these viruses to incorporate them into a scanner is a major task. But worse is yet to come. Already there have been two attempts to write programs which will themselves generate very large numbers of different viruses. The Self Mutating Engine (MtE) permutes an existing virus to make many variants of it; the Urus Construction Set (VCS) enables non-programmers to create viruses. In both cases the viruses generated have many similarities to the original viruses and the best scanners can still cope-but these virus generators are only the start. Most network operating systems aim to provide security for each user. Already virus writers have attempted to circumvent these security levels. There is no reason to suppose that their progress will be long delayed. But that will be another story. Are viruses a real threat? Is there a real risk, or were the banks in Malta just unlucky? Many companies may consider that their own practices for commercial security will isolate them from risk of infection. In the early days of the virus threat major corporations not known for loose security were hit, including IBM, the computer giant, and British Rail. Subsequently, many other major organisations have suffered infectionincluding distributors of computer hardware and software. For ten days the software distributed by Novell, makers of the worlds most widely used
24

network operating system, contained a computer virus. For six weeks four popular microcomputer manufacturers distributed their products with a boot sector virus already infecting the hard disk of the system. Over a long period the copies of MS-DOS supplied with a hundred thousand new computers contained the Michelangelo virus, and gave rise to a major concern on the 6th March, its trigger date. For a time the most commonly found boot sector virus was widely distributed on diskettes which were formatted prior to sale. Will your security guarantee to protect your organisation from the many similar accidental infections which continue to occur? Ironically three of the most widely found viruses are some of the earliest. Although they lack the sophistication of later viruses, they survive because once having become endemic the task of eradication is immensely greater. The popular image of computer viruses and the way that they are spread is wildly erroneous. Most viruses do not trigger on specific dates; the threat is spread through the whole year. Games programs or shareware software are not inherently more vulnerable than other types of program, nor are programs on bulletin boards necessarily more virus prone than shrink-wrapped products. Most computer viruses do not aim to damage the disk datz files, but those that are malicious can be ruthless. Finally, most problems that occur on computer systems are not due to virus infection, but it is the fourth most common cause and demands serious attention. A corporate anti-virus strategy cannot guarantee total immunity from infection, but it can dramatically reduce the threat to your business. Like an insurance policy it should be tailored to the perceived risk. However, it should always include the adoption of good practices, the use of good anti-viral software, and appropriate anti-viral training for computer specialists, non-technical users and managers. When you next go to use your spreadsheet or word processor, can you be certain that the machine is not infected? Would you know what to do if it were? Are you playing a game of chance, or are you managing the problem? How important is your business?
0 IEE: 1994 Ian Leitch is a computer consultant specialising in the provision of supporr and training sewices for protection against computer viruses. He can be contacted at 121 Abbotts Drive, North Wembley HA0 3SH, UK.

ENGINEERING MANAGEMENT JOURNAL FEBRUARY 1994