COMPUTER VIRUSES - CURRENT STATUS,

FUTURE TRENDS AND POSSIBLE ADVANTAGES.

(c) Jean-Paul Van Belle

Note: this was an early draft version - couldn't dig up the final version ;-)

Abstract

This paper attempts to take a longer term perspective on the computer virus technology. Firstly, viruses are defined, described and classified. Popular anti-virus protection mechanisms are listed. The current impact of viruses is briefly assessed and an attempt is made to isolate and project some expected trends in virus technology. Finally, a number of potential advantages of viruses are discussed.

1. Introduction

The computer virus and its technology represent a relatively new phenomenon, although its origins can be traced back to the late fifties. The emergence of the virus technology may be attributed to a combination of factors, including the wide availability of computer resources, the increased level of connectivity, the event of decentralized computing with a certain relaxation of security measures, the development of a hacker community (culture and literacy), and perhaps a general decline in morality principles. All of these factors have resulted in what may be called a democratization of the computer technology. This has in its turn established the necessary "critical mass" for the virus technology to develop.

The media have publicized a large number of virus attacks; not necessarily in the most accurate or factual manner. But the very fast evolution of the technology has even confused many professionals. This resulted in a lot of "hype", popular myths and misconceptions about computer viruses. An interesting study claims that "[s]tories about computer viruses may be as full of myth as they are of truth" and careful investigation of these stories led to the conclusion that "tales about the destruction wrought by Trojan horse programs were, in fact, a new form of urban legend".

Although a number of computer specialists are still of the opinion that the virus problem has been over-estimated, surveys indicate that the incidence of virus infections within academic and commercial computing environments has grown exponentially to very high levels over the past three years.

Most of the virus literature has focussed on the security aspects of viruses. This has led to a relatively reactive viewpoint which is mostly concerned with the negative aspects of viruses. In this paper, an attempt will be made to extrapolate a number of future trends in the virus technology which might enable a more pro-active attitude. A seperate section will deal specifically with the advantages of viruses.

2. Definitions and Concepts

Definitions of viruses abound. As one extreme, the very fuzzy, broad concept used by most mass-media could be adopted. At the other end of the continuüm the following definition has been proposed by

Kauranen & Mäkinen "a computer virus is a description of a TM whose simulation by the [universal] TM causes another description of a viral TM to appear to the tape of the [universal] TM" with the TM [Türing Machine] being a 7-tuple M = {Q, S , G , d , q0, B, F} where each of the tuples is specifically defined as a (set of) state(s), tape symbol(s) or a function.

For the purposes of this paper a more operational definition will be adequate: "a computer virus is a set of instructions which, when executed, spreads itself to other, previously unaffected, programs or files". The key property of the virus is thus its "infection" feature: it attaches itself to another piece of code which serves as its carrier or host. A virus does not necessarily need to contain destructive code, nor does it need to make exact copies of itself. Some viruses also infect previously infected files. Various plural forms of 'virus" can be found in the literature: viruses, viri and virii. The most common plural appears to be "viruses" and is the form that has been adopted in this paper.

Often, the term "virus" is used inappropriately to describe other types of malicious or destructive, replicating code. They are typically known by colourful names such as rabbit, bacterium, time or logic bomb. The following two types in particular are commonly confused with viruses. A Trojan Horse is any program designed to do things that the user of the program did not intend to do. Unlike program bugs, they were coded with the intent of the program author. A Worm is a program that spreads copies of itself through network-attached computers. Neither program requires a host. The widely publicized American "Internet Virus" was in fact not a virus but a worm.

3. Virus Technology.

3.1 General Theory of Operation.

Viruses have two distinct operational features: a replication function and a (usually destructive) action triggered by a certain event.

The objective of the replication function is to infect as many files or systems as possible. Each time the virus code is run it attempts to locate uninfected files on the host system or any other on-line system. Sophisticated viruses employ several techniques to make this process as efficient and invisible as possible: temporary modicification of file attributes, intelligent device access, keeping the reported file size as before, not modifying file date or time stamps and maintaining the Cyclic Renduncy Checksum. To keep track of their activities, virus-marker bytes are usually placed in infected files.

The ultimate aim of this covert reproduction process is usually a specific action. The trigger for the action could be an internal count of the number of infections, but is usually a specific time or date.

3.2 Virus Trigger and Action Examples.

The following examples of MS-DOS viruses may serve as illustration of the diversity of triggers and actions. They have been collated from the documentation of various anti-virus packages. Fu Manchu is triggered (inter alia) by typing Thatcher, Reagan, Waldheim or Botha and adds the sentence part "is a xxxx" where xxxx is a 4-letter word. Italian (Bouncing Ball) is triggered if a certain clock state (every half hour) coincides with a disk access and puts a bouncing dot on the text screen. Stoned (Marijuana) triggers on every 8th infective boot-up and overwrites (non-intentionally) parts of the File Allocation Table on non-standard disks as well as displaying the dreaded "Your PC is now stoned" message. Denzuk keeps an internal infection counter and places its red graphics logo on a CGA system. Datacrime is triggered on October 13th (or thereafter) and does a low level format of cylinder 0 of a hard disk. Cascade's trigger incorporates a random number generator and causes the characters on the monitor to gradually crumble into a heap at the bottom of the screen. Typo checks every fiftieth character send to the printer and substitutes certain pairs. Dbase checks for DOS function calls with the file name extension DBF and swaps certain pairs of bytes. Oropax uses a one in four random number generator coupled to a date later than May 1st, 1987 and a specific machine ID, upon which it plays one of three tunes at an interval of a few minutes. Pretoria renames file names to ZAPPED on June 16th. Print Screen does a screen dump every 255 disk BIOS accesses. Icelandic displays "Gleileg jAl" on December 24th. Virus-90 displays white bars moving down the screen on when the day of the month is a multiple of 9. Solano checks random screen positions at 73 second time intervals for figures and, if found, swaps two digits. Shake displays the message "Shake well before use !" every 6th time it goes resident.

There are many more viruses; the above have been selected to show the diversity of triggers and actions. Although quite a number of viruses do not intentially destroy data, it must be realised that no harmless viruses do exist: just the computational overhead can be critical in certain applications e.g. medical systems

3.3 Types of Viruses.

Since viruses attach themselves to executable code, they can be classified according to the type of their host program.

Boot infectors locate themselves in the system boot track, which is used by the operating system to initiate system operation. They often move the original code to another area on the disk. Their major weakness lies in the fact that they cannot make use of any of the operating system functions; as a result they tend to be fairly simple. Their major strength is that they are always resident, ensuring a high level of infectiousness. The Bouncing Ball and the Stoned virus are two well-known examples.

System infectors attach themselves to a operating system module, such as the command interpreter, system I/O routines or system device drivers. They are just as infectious as boot infectors but can make full use of all operating system routines, enabling very sophisticated actions.

Finally, generic application infectors infect some or all application programs or their code overlay files. They execute only when the infected aplication is loaded and can be further sub-divided into two categories: direct and indirect action file viruses. A direct action file virus (such as the Vienna virus) attempts self-replication immediately upon its first execution. The indirect type (e.g. Israeli) works in two distinct steps: first it copies itself into memory and hooks itself into one (or more) of the system interrupts; only at a later stage, when the redirected interrupts are called, does the actual replication or action code get executed.

From the above discussion it must be clear that viruses cannot be executed from data files. There are however a number of potential exceptions. Firstly, operating system (or program) bugs may cause data to be loaded into the code area and thus be executed by accident. Precisely such a bug in the Unix mail system was apparently exploited by the US Internet worm. Secondly, it is conceivable that certain program source code editors are modified in such a way that they add some virus code to the stored program source which will execute only when the source code is compiled. Admittedly, it would be more practical and efficient to let the compilers be the infection mechanism.

3.4 Typical ways in which virus spread.

Viruses can enter a computer system through any of the input devices. By far the most common vehicle for virus are removable magnetic storage media. These could be programme disks "borrowed" from a friend, collegue or computer club; data diskettes (boot sector viruses only); demonstration diskettes included with computer magazines, etc. Software piracy, academic software libraries and technicians' diagnostics disks appear to be the major culprits. Even cases of infected shrink-wrapped software have been reported where a virus was present on the developer's system and infected the master disk; or the software was infected by a first user, returned and re-wrapped by the retailer.

Another common way of spreading viruses is through communications links. The most spectacular and easiest method is trough computer networks although they have also been downloaded from bulletin board systems and public access information services.

Ultimately, no system is safe since virus code can be entered manually through the keyboard by a user or might conceivable be found on read-only devices such as CD-ROM disks or EPROM chips.

4. Anti-Virus Protection Methods.

4.1 Anti-virus Packages.

A flourishing anti-virus software industry has sprung into being with the advent of the virus threat. Three main functions are provided by these packages: virus "diagnosis" or identification; protection by trying to detect virus intrusion ("vaccination") or check files/disks for alterations; and "antidotes" to remove virus code. It is important to realize that no package can offer 100% security, and the cost of a package is not necessarily a good measure of a package's functionality.

Virus diagnosis is usually done by checking system memory, boot records, and system/application files against a list of virus "signatures". This list is apt to grow longer and longer and must be updated on a regular basis (see addendum 1 for a sample list of viruses); Dr Alan Solomons reported over 770 viruses in May 1991 against a mere 142 as of December 1990. A number of anti-virus services offer dial-up online listings of these signatures. Some viruses employ self-encryption which makes detection even more difficult. On larger systems the detection process can become quite time-consuming and is never fool-proof since it does not detect newly developed virus. In addition, a growing number of "false alarms" can be expected since "signatures" could be present in orthodox program code by coincidence.

A number of virus vaccination alternatives exist. Some software packages append small anti-virus routines to target executable files that check file entegrity by calculating modified file checksum calculations before execution of the proper program. Other antidote programs maintain a separate datafile of checksums for all or most program files of the disk and check against this list on a regular basis (daily or upon system boot). A "brute force" variant of this software maintains coded images of entire disks instead of the checksum totals. A final category of antidotes loads as a background resident application which monitors the critical interrupts to which viruses attach themselves and intercepts exceptional or suspicious system calls. All of these vaccination programmes use system resources in the form of available system memory, processing time and/or disk storage space and represent therefore additional system overhead. More recently, sophisticated viruses have been released that anticipate these vaccines and thus escape detection or, even worse, make use of the anti-virus software as a vehicle to spread even faster. Finally, most vaccination software involves a trade-off between the level of security and the number of false alarms generated, since apparently innocous system routines can still be used to damage data whilst many "dangerous" interrupts have to be called occasionally by orthodox applications. Executable files may be modified in development environments (after re-compilation) or through self-modifying software (SideKick), which will change checksums.

Virus elimination or removal software is intended to remove virus code from a system and, in some cases, repair data damage inflicted by the virus. This is a fairly straightforward process for many boot infectors but the process of infection is often irreversible for the more sophisticated viruses. The only remaining alternative will be to restore the executable code from uninfected backups or the original program disks. Undoing serious data damage is only rarely feasible although the extent of damage can usually be pinpointed more easily with the aid of virus removal packages.

As a final note, there is a growing number of hardware products available that implement some of the above methodologies although their effectiveness is not yet assured.

4.2 Procedures.

Because anti-virus packages are generally of a reactive nature and involve considerable system overhead, organizations are well advised to implement adequate virus control procedures as well. Appropriate anti-virus procedures have become essential in all larger organizations during the last few months. Space limitations prevent full discussion of possible procedures in this paper but some general pointers will be mentioned.

Ideally, the potential impact of virus damage to the organization should first be assessed. The risk and cost appraisal could then serve as a basis for cost-effective preventative management policies.

Preventative procedures are a combination of general data and program exchange regulations; user education; appropriate hardware choices, some centralized controls; security measures; and sound data management principles such as regular system backups, appropriate user rights and program source control. The exact procedures will depend on various factors such as the risk profile, size and culture of the organization. More detailed guidelines for these procedures can be found in White & Chess and many more guidelines can be expected to appear shortly in the literature although they currently concentrate on individual users and LANs.

However, it is virtually impossible to prevent virus attacks entirely and it is therefore imperative for concerned management to set up virus eradication procedures - preferably before the event. In practice, the procedures will depend on the virus type, the extent of its infection and the type of damage incurred. Procedures for both academic and commercial environments are suggested by A. Solomon.

5. Current Impact of Viruses.

The most observable impact is the direct damage done by viruses in the form of lost data, computer and operator time and other resources. The quantification of the estimated losses could form the subject of an elaborate study in its own right but is likely to contain a wide margin of error. At the current virus infection growth rates the estimate is in any case likely to be outdated before it is calculated.

A second area of quantifiable impact is the cost of implementing anti-virus measures. This goes beyond the mere financial costs of software and hardware packages as operator and management productivity are affected and computer processing overhead introduced.

There are also a number of non-quantifiable consequences of the virus threat, mainly in the form of changed attitudes. Some vendors blame the slowdown in growth rate of PC sales on the virus threat although this is probably exagerated. What cannot be denied is that many user errors, hardware problems or software bugs are now blamed on viruses, often resulting in a significant waste of time and efforts before the real problem is diagnosed.

A very important but more long term negative impact is the reduced level of networking and interaction which results from system users who are more hesitant in accessing online bulletin boards and databases or system managers who increase the level of security unduly. This is specifically expressed in the policy statement issued by Internet after the worm attack: "The Internet is a [...] facility whose utility is largely a consequence of its wide availability and accessiblity. [...] Security [to make the Internet more resistant to disruption] may be extremely expensive and may be counterproductive if it inhibits the free flow of information which makes the Internet so valuable."

6. Trends in Virus Technology

A number of trends have already become apparent in the four years that viruses have become widespread, which may serve as pointers to future further evolutions.

Many viruses anticipate anti-virus software and employ a number of stealth techniques to make their detection more difficult. Most viruses now already intercept system error messages while they are trying to infect other files. Many are also careful to retain (or reset) the original file attributes such as date and time stamps, read-only attributes or file size (even if the actual size is larger than the system record!). Some viruses already employ self-encryption schemes whereby the code is dynamically changed as it is executed, others use a number of different signatures. Larger viruses have been reported who contain a lot of redundant "armour" code, apparently in an effort to confuse anti-virus experts. Finally, it is only a matter of time before viruses check file CRCs and add some "padding characters" of the appropriate values in order to retain the original checksums.

Apart from making the detection more difficult, nastier memory-resident viruses even exploit anti-virus packages and use them as a vehicle to spread themselves during the scanning process to all the software that is being virus-checked! This fact constitutes in fact a major dangers of using virus-checking software. Both the Dark Avenger and Plastique have been spread in this way.

As more and more viruses are created, the amount of publicly available information increases which enables prospective virus writers to employ more sophisticated routines which exploit operating system software bugs and current anti-virus software weaknesses. Examples are MS-DOS viruses which make direct use of ROM BIOS routines. Because of this, some virus researchers were moving to restrict the access to facts about computer viruses. This is unlikely to become successful as proven by the many varieties of viruses that are around. The publication of a number of virus codes have made the process even easier, although even unpublished viruses can be disassembled and improved with relative ease. And even relatively unsophisticated computer users will soon be able to construct their own custom-made viruses with user-definable messages and menu-selectable actions using black market "do-it-yourself virus building kits".

Viruses also start targeting specific software applications, such as the Dbase or Lotus virus. This is accompanied by a greater subtility in the damageing actions. Instead of erasing file allocation tables or deleting entire files, only pairs of digits are being swopped or small parts of the disks are being modified over a relatively large time span.

The first virus writers were hackers who wanted to show off their programming capabilities. More and more writers seem to have political objectives in mind. This is already illustrated in a number of viruses (e.g. the Marijuana, Peace and Israeli viruses). As the media attention continues, it motivates certain other individuals bent on (anonymous?) publicity, similar to the psychology behind many serial murders. But the most important source of future highly sophisticated and professionally developed viruses may be the cut-throat, not-so-ethic commercial software industry itself. Consider the following scenario painted by Dvorak.

"Imagine some Microsoft code that went out looking for programs compiled by non-Microsoft compilers. Borland and others insist on inserting a message in the compiled code to let everyone know what product did the compilation. So the virus looks for the Borland name and then swaps a few bits around. What if someone working for Borland did it? An industrial spy somehow hired at Microsoft by accident? Can you imagine the kinds of intrigue we may have in the next few years? Lawyers: on your mark, get set..." and "The next logical step in the marketing of software is to keep people from using the competitor's product at all costs. Viruses are likely to be discussed as a genuine strategy in teh years ahead when the going gets tough."

Viruses will spread to many different operating systems. Although currently only MS/PC-DOS, Apple, Unix and Xenix viruses have been reported, they are likely to spread to other operating environments as well. Already a virus is reported to be written with Novell Netware in mind. Viruses are also likely to become a problem in mainframe environments. It is expected that OS/2 and Windows viruses are much more difficult to create but will also much more difficult to fight.

All the above factors make it clear that the growth in the number of different viruses is exponential as evidenced by recent statistics:

"[In May 1991] the European virus research community revised its estimate of how many know viruses there would be by the end of 1991. Predictions have moved from 1000 to 2000, as against last year in December when a mere 142 viruses had been identified."

It is clear that if this growth rate continues, the traditional virus identification and detection packages will no longer be feasible since it will be impossible to scan entire systems for all known viruses.

7. Advantages of viruses.

The purpose of the following discussion must be seen in context. It is clear that costs associated with viruses have far outweighted any short term benefits. However, very little attention is given to the small benefits they do have, so this discussion should provide some counter balance. Also, in most revolutions short term costs exceed the immediate benefits; the final cost-benefit analysis can often only be assessed from a long term historical perspective. In time, the virus threat may prove to be just one of the growing pains or necessary childhood diseases of a maturing micro-computer industry.

7.1 The Anti-virus Industry.

The virus threat has proved to be a boon for computer security products. The US market for security products and services for computers was estimated at $588 million in 1988 and this market is predicted to grow substantially, in part due to the virus scare. Although many dubious security products were released initially, a shake-out can be expected and has in fact already occurred to a certain extent. But the fact remains that many companies confirm that their sales rose dramatically when they started selling virus protection software.

A huge market has thus been created in the form of software packages, hardware add-ons, conferences, publications etc. It is probably too early to decide whether this market is really a "zero-sum" game or if there is real value being added.

7.2 Security Awareness.

The virus scare has at least made both managers and users aware of the dangers involved with a relatively free data and program exchange between computer systems. An analogy can be drawn with the early hacking activities whereby large corporate mainframe systems were penetrated by youngsters and outsiders. The shocking display of vulnerability of major financial and other information systems was thus brought to light and in many instances proper steps were taken to assure an adequate level of security.

In a similar vein, the security threat posed by virus attacks has prompted many prominent institutions to analyze and review their security systems. A local study undertaken by J.P. van den Berg reveals that the larger South African organisations see virus attacks as the number two priority security issue.

It is important to note that the level of information systems security awareness has risen significantly not only with MIS executives but, maybe more importantly, among corporate chief financial officers and chief executive officers.

7.3 Development of More Secure Operating Systems and Architectures.

Virus have exposed one of the major weaknesses of small system operating systems and open architectures in general: their general lack of security. The lack of password protection or file history of micro-computers make the task of viruses so much easier. More importantly, should it be so easy to modify the operating system? The author used a bit editor to rename the "copy" command within the command processor and thus substituted it with the renamed external "vcopy" program (that checks for viruses in addition to copying). While this procedure addresses a real need it is debatable whether such tampering should be allowed.

More and more programs are coming onto the market with built-in checking procedures which detect and report tampering with source code or file attributes. Whilst this process has been inspired almost entirely by the virus, it may be argued that this a generally positive development which protects the intellectual property rights of software developers. It is expected that future programming language compilers will implement file integrity checking subroutines which may be incorporated almost automatically in user-developed programs.

In the longer run, more thought will be put into the development of operating systems and hardware architectures. Already a number of systems have appeared on the market, such as "The Immune System" announced by American Computer Security Industries which features a system protection kernel, user authorization procedures and protected software directories.

7.4 Computational Aspects of Computer Viruses.

By far the most exciting potential advantage of viruses stems from a theoretical study of their computational aspects. Cohen, which has pioneered theoretical virus research, has shown formally that:

"any number that can by `computed' by a Türing Machine can be `evolved' by a virus, and that therfore, viruses are at least as powerful as Türing machines as a means for computation."

Few people have recognized that fact that viruses are one of the first successful (...) demonstrations of the potential of decentralized computing within a micro-computer environment. The mind boggles at the potential applications for this type of technology. A few examples will be mentioned but cannot be fully worked out due to space limitations.

"The [Simple Viral Protocols] called `viruses' are destructive, but it should be very interesting to use such processes for automatic maintenance of software. As an example : Suppose several packages use an inefficient version of a procedure or routine, in large organizations, it should be easier to update such a package by such an approach rather than to recompile and link all these packages, especially in case of large distribution." (bold print by Guinier)

Another potential application is mentioned by Cohen:

"As an example, a compression virus could be written to find uninfected executables, compress them upon the user's permission, and prepend itself to them. Upon execution, the infected program decompresses itself and executes normally. [...] Studies indicate that such a virus could save over 50% of the space taken up by executable files in an average system."

Many more examples come to the author's mind easily. Maybe the ideal application would be an anti-virus file integrity checking routine that would attach itself to any executable file which has no built-in checking feature. Might a sufficiently powerful but flexible routine not mean the end to the virus saga?

Another potential application might be a network utilitie that spreads and balances application workloads across different workstations: "viruses" in idle workstations send messsages (or message-viruses?) and take some of the workload over from busy workstations. From this perspective, it seems that many unexplored links and potentialities may exist between virus technology, decentralized processing techniques and object-orientation.

Other uses could be a virus that spreads "auto-backup" routines to software that needs backing up, mail and message systems, task scheduling processes and the automatic addition of hardware device drivers to programs when system configurations change.

A proposed name for this type of routines was suggested by Thimbleby: Liveware. The idea is to let liveware spread like a virus, to carry information on behalf of one or more users that want to share their work is.

7.5 Other Advantages.

The event of software piracy may be reduced because of the virus threat. It has certainly prompted a number of companies to make the use of illegal software cause for dismissal. As the relative cost of legal software in Thirld World countries seems to have made piracy more widespread, many of these countries appear to have suffered more extensively from viruses.

Some researchers contend that a community of hackers, often highly intelligent computer programmers, is essential for a dynamic and evolving computer industry. "The hacker is both a national treasure and a national headache and [we need] to learn to live with them." In this light, viruses may be viewed as a detrimental, but necessary by-product of this essential sub-culture.

If nothing else, viruses have also created a new area for sccientific research and media controversy. Many more studies can be expected along the lines of Harrington's "Why people copy software and create computer viruses: individual characteristics or situational factors?"

Thimbleby mentions a number of other potential advantages in . He expresses the

Context - many "costs" but also some advantages - like many revolution it is unclear (initial cost, sometimes outweighted by subsequent better environment)

Computational aspects of viruses: [cohen - theoretical pioneer] first true "distributed procession" (refer definition!) in DOS? file compression [] but also anti-virus (checksum) (Fight fire with fire!) - theoretical research - backup - monitoring (big brother) - messages

Importance of security procedures:

Data & system integrity => more secure OS? MS-DOS comes of age (growth pains of single-user, single-workstation OS) (cost?), selfchecking programs

anti-virus industry

piracy