The Virus Threat


By most accounts, in October 1988, only three DOS computer viruses were known. By October 1991, McAfee Associates identified some 900 computer virus strains. At the 18th Computer Security Institute Conference, Scott Charney from the U.S. Justice Department indicated that the government expected to see an additional 600 viruses and mutant strains introduced during 1992.

Peter Tippett, president of Certus, reported a new virus was discovered about every six days in January 1990; by June 1990, a new virus was discovered about every four days; and in September, 1990, one was found every three days. According to Charney's prediction, we would have discovered 1.6 new viruses daily in 1992.

The Cost Of A Virus

Although many viruses are labeled benign (more annoying than actually causing damage to the system or data), a virus usually causes at least some inconvenience, some loss of system-access time and, at the worst, loss of data.

Recent virus cleanup figures at a large corporation found an average of one hour of technician time was required to locate and remove a virus from each computer. Data from Certus support staff suggests that a reasonable figure for direct technician time to resolve a disastrous computer virus is approximately $250 per computer or network workstation.

What Is A Virus?

A virus is a program that has the ability to reproduce by modifying other programs to include a copy of itself. It may contain destructive code that moves into multiple programs, data files, or devices on a system and spreads through multiple systems in a network. Viral code may execute immediately or wait for a specific set of circumstances. Viruses are not distinct programs; they need a host program executed to activate their code.

Many distinct programmed threats have been lumped together as viruses; however, most are not actually viruses at all. To better understand the threat, we will identify and define these other techniques.

Bacteria, also known as rabbits, are programs that do not explicitly damage any files. Their sole purpose is to reproduce themselves. A typical bacteria program does nothing more than reproduce itself exponentially, eventually eating up all the processor capacity, memory, or disk space, denying the user access to those resources. This kind of programming attack is one of the oldest forms of programmed threat.

A logic bomb is a program or a section of code built into a program that lies dormant until a predefined condition is met. When that condition occurs, the bomb goes off with a result that is neither expected nor desired. Time bombs explode frequently. Depending on who authored the bomb and how many generations of backups it contaminated, the recovery effort ranges from mildly inconvenient to nearly impossible.

A password catcher is a program that mimics the actions of a normal sign-on screen but stores supplied ID and password combinations, usually in a hidden file accessible only to the author. The collected ID/password combinations are later used to attack the system. Running for three or four days will generally yield more than 90 percent of a site's active system users. Truly clever ones cause no perceptible delay and force no repeated sign-ons.

A repeat dialer is a program that continually calls the same number, thus placing it virtually out of service for any other caller. This technique has been used against TV preachers during fund drives to stop pledge calls. As would-be donors keep receiving busy signals, they tend to get frustrated and stop trying.

Trapdoors, also known as backdoors, are undocumented entry points into an otherwise secure system. During software development, programmers often create entry points into "their" programs to aid in debugging and adding final enhancements. These trapdoors are supposed to be closed before the program goes through the promotion to production process. Many times, however, they are not. This breach leaves an unadvertised but very real hole in the system's security.

A Trojan horse is a program that appears to perform a useful function, and sometimes does so quite well, but also includes an unadvertised feature that is usually malicious in nature. Viruses and logic bombs can be hidden in Trojan horses. The code in a well-constructed Trojan horse can perform its apparent function long and admirably before encountering the triggering condition that prompts it to let loose its secret agenda.

A war or demon dialer is a program run from outside an organization's environment and control, usually by hackers, to find dial-up ports into computer systems. Such a program identifies numbers in a given range that connect to a computer. From a modem-equipped PC, the hacker enters a starting phone number and an ending value to the resident dialer program. The program then sequentially dials each number in the range, seeking a computer tone. Copies of this type of program are found on bulletin boards everywhere.

A worm is a program that scans a system or an entire network for available, unused disk space in which to run. Originally, worms were developed by systems programmers searching for fragments of core in which to run segments of large programs. They tend to tie up all computing resources in a system or on a network and effectively shut it down. Worms can be activated at boot-up or submitted separately. Probably the most well-known worm was the November 2, 1988, Internet incident. In two days, an estimated 6,200 Unix-based computer systems on the network were infected.

How Does A Virus Spread?

A computer virus, like its human counterpart, does not spread through the air. Humans become infected by a virus by coming in contact with someone who is infected. So it is with computers. They must come in contact with some contaminated source. The virus infects any form of writable storage, including hard drives, diskettes, magnetic tapes and cartridges, optical media, and memory. The most frequent sources of contamination include:

  • physical or communication contact with an infected computer,

  • copying an unknown disk containing a carrier program,

  • downloading a file from a bulletin board system,

  • running an infected network program,

  • booting with an infected disk,

  • infected software from a vendor,

  • overt action by individuals, and

  • e-mail attachments.

Virus Protection

A number of clues can indicate that a virus has infected or attempted to infect a system, even before any damage is done. Unexplained system crashes, programs that suddenly don't seem to work properly, data files or programs mysteriously erased, disks becoming unreadable: all could be caused by a virus.

Here are some indicators that may confirm the presence of a virus. Most of them rely on information provided by the DIR command, which lists a disk's directory, and CHKDSK, which snapshots disk and memory usage.

File size increase. A file's size may increase when a virus attaches itself to the file.

Change in update timestamp. When a virus modifies another program, even one such as COMMAND.COM (which is part of the operating system), the "last-update" date and time are often changed. Since most programs are normally never modified (except when they're upgraded), periodically checking the last-update timestamp, with the DIR command, can alert the user to the presence of a virus. Another danger sign is when many programs list the same date and/or time in their last-update field. This occurrence indicates that all have been modified together, possibly by a virus.

Sudden decrease of free space. When running a new program, particularly if it is freeware or shareware, be alert for a sudden, unexpected decrease in disk space or memory.

Numerous unexpected disk accesses. Unless a program is exceptionally large or uses huge data files, it should not conduct a high number of disk accesses. Unexpected disk activity might signal a virus.
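A simple integrity check built on the indicators above, as an added example that is not part of the original article: it records size, last-update timestamp and a SHA-256 digest for each program file, then reports size growth, timestamp changes, silent content changes, and many programs sharing one timestamp. The file names and the simulated infection in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

PROGRAM_SUFFIXES = {".exe", ".com", ".sys"}  # the DOS program files a DIR check covers

def snapshot(root):
    """Record size, last-update time and SHA-256 digest of each program file under root."""
    root, entry = Path(root), {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in PROGRAM_SUFFIXES:
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            entry[str(path.relative_to(root))] = (st.st_size, int(st.st_mtime), digest)
    return entry

def compare(baseline, current):
    """Apply the article's indicators: growth, timestamp change, or a content change that
    preserved size and date (a digest still catches it), plus programs that vanished."""
    findings = []
    for name, (size, mtime, digest) in baseline.items():
        if name not in current:
            findings.append((name, "missing"))
            continue
        size2, mtime2, digest2 = current[name]
        if size2 > size:
            findings.append((name, "size increased by %d bytes" % (size2 - size)))
        if mtime2 != mtime:
            findings.append((name, "last-update timestamp changed"))
        if digest2 != digest and (size2, mtime2) == (size, mtime):
            findings.append((name, "contents changed but size and timestamp preserved"))
    return findings

def shared_timestamps(current, threshold=3):
    """Timestamps shared by `threshold` or more programs: the mass-modification sign."""
    counts = Counter(mtime for (_, mtime, _) in current.values())
    return {t: n for t, n in counts.items() if n >= threshold}

def demo():
    """Constructed scenario: three DOS program files, then one grows and all get one new date."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("COMMAND.COM", "EDIT.EXE", "HIMEM.SYS"):
            (Path(d) / name).write_bytes(b"original program body of " + name.encode())
        before = snapshot(d)
        with open(Path(d) / "EDIT.EXE", "ab") as f:
            f.write(b"appended code")  # simulated infection: 13 bytes appended
        for name in before:
            os.utime(Path(d) / name, (1_000_000_000, 1_000_000_000))
        return compare(before, snapshot(d)), shared_timestamps(snapshot(d))
```

Running demo() reports the grown EDIT.EXE, a timestamp change on all three files, and one timestamp shared by three programs.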

Preventing Infection

Preventing a virus infection is the best way to protect your organization against damage. If a virus cannot establish itself within your systems, then it cannot damage your programs or data. The following steps can help keep a clean system from becoming infected with a virus.

Awareness training. All employees having access to computer systems should be required to attend a training session on the virus threat. It is crucial that employees realize how much damage a virus can inflict.

Policies and procedures. The organization should prepare a policy on virus control to address the following issues: tight control of freeware and shareware; a control process that includes running anti-virus software regularly by each department; a virus response team and methods for contacting the team; control of the infection once it is detected; and recovery from the virus, including backup and dump policies.

For two very important reasons, the user community should be made aware of the risks of sharing software. The primary cause of the spread of virus infections is through the uncontrolled use of diskettes being introduced into computer systems. The other reason is the possibility of the illegal use of copyrighted software.

If your organization lets employees transport diskettes out of the work facility, a quarantined system to test diskettes and software before their introduction into the system should be in effect. This quarantine system should test all diskettes for the possibility of virus contamination.

In the network environment, avoid placing shareware in a common file server directory, thereby making it accessible to any PC in the network. Only allow the network administrator to sign on to the file server node.

The most prudent precaution is to carefully make, store, and routinely check backup copies of files and programs, all on an established schedule. And control access to backups to guarantee integrity.

Virus-Protection Packages

Several commercially available programs can now help detect viruses and provide some degree of protection against them. However, if you use such programs, be careful that they don't cause greater problems than they solve. Some anti-virus programs interfere with the normal operations of programs they are supposed to protect (such as blocking a disk formatting utility).

Also, an anti-virus program may warn of a suspected infection when none has actually taken place. Because of the differences in anti-virus packages, it's important to standardize testing procedures and analytical tools, so results can be compared on a consistent basis.

Unfortunately, malicious code is now a fact of life. Computer viruses appear to be a long-term threat. Systems and data will continue to be vulnerable until a proactive preventive and corrective action is established. In the short term, caution in testing and using unfamiliar software, as well as carefully made backups, are your best safeguards. Your slogan should be, "Don't accept software from strangers."

This tutorial, number 45, by Thomas Peltier, was originally published in the April 1992 issue of LAN Magazine/Network Magazine.

Network Tutorial
Lan Tutorial With Glossary of Terms: A Complete Introduction to Local Area Networks (Lan Networking Library)
ISBN: 0879303794
Year: 2003
Pages: 193
