COMPUTER VIRUSES

 

According to Jeffrey Kephardt from Scientific Journal, “Computer viruses replicate by attaching themselves to a host (a program or computer instead of a biological cell) and co-opting the host’s resources to make copies of themselves” (www.sciam.com, Nov 97). Viruses can infect over 1 million computers rapidly because of the ease of transport. They can travel from computer to computer through floppy diskettes, hard disks, networks, and even online. Compared to Trojan horses, which make a malicious program appear benign, and worms, which have a pernicious impact on networks, Mr. Kephardt contends that viruses are by far the most devastating computer pathogen. Computer viruses present a deadly threat to all PC owners, businesses, and the global economy. Our increasing dependence upon technology requires that we devise and implement countermeasures to viruses, which threaten to obliterate our way of life.

 

John Von Neumann is credited with self-replicating data in the 1940s; however, the first computer virus, a DOS virus called “The Brain”, was not discovered until October 1987 at the University of Delaware. It did not affect the hard disks; however, it affected the boot sectors of the floppy diskettes. The virus was devastating because floppy diskettes were used to boot the PCs. It became obsolete when the PC industry started creating systems that booted from the hard disks. Having learned the intricacies of the new system, virus writers wrote more sophisticated viruses that could not conceivably be curtailed.

 

In 1989, a new virus called “The Stoned Virus” surfaced. It infected the boot sectors of hard disks and floppy diskettes, which made it the most prevalent virus. It dropped its load (the virus) successfully because of its versatility and ability to attack the computers once they were booted. The transition from 5.25-inch to 3.5-inch drives contributed greatly to the decline of the virus.

 

The Michelangelo Virus appeared in 1996 in New Zealand. It overwrote parts of the hard disks if the PCs were booted on 6 March, rendering the information inaccessible. The virus was named after the famous artist because 6 March was his birthday. According to Sarah Gordon from IBM, “Michelangelo was unusual in that it was found in an actual incident, rather than as one of the thousands of viruses gathered by anti-virus workers but as yet unseen in an incident” (www.research.ibm.com/antivirus, 1999). Prior to 6 March, several people predicted that this virus was going to destroy the world of computers; however, it turned out that they overreacted. The Michelangelo virus did not destroy nearly as many computers as some people predicted. That, however, should not undermine the need to actively sustain a considerable level of protection for the systems. Given the astronomical number of viruses developed daily, it is very important to have anti-virus software.

 

The Jerusalem Virus, one of the most versatile viruses in the 80s and early 90s, puzzled the anti-virus writers because of its ability to infect files on several media: 5.25 or 3.5 floppy diskettes and hard disks. Unlike The Stoned Virus, it persisted until 1995, when a single incident was documented.

 

The Form Virus, which emerged in the 90s, had a more devastating effect on PCs. Its impact was long lasting because it resided on the hard disks or any kind of diskettes, deploying its load when the computer was booted. It operated clandestinely so the users would not be aware of the damage in progress. The virus remained prevalent until the end of 1994.

 

In 1997, more than 10,000 viruses emerged and an average of 6 viruses were developed daily. As one can imagine, currently the number is increasing exponentially. Anti-virus writers face a constant challenge of detecting the most current viruses and developing software to combat them. According to David Chess from IBM, “over 1 million viruses exist today” (www.research.ibm.com, 1999). The gravity of this situation has even attracted the attention of lawmakers.

 

The three classes of PC viruses are: file infectors, boot-sector viruses, and macro viruses. According to Gregory Sorkin from Scientific American, “Roughly 85 percent of all known viruses infect files containing applications such as spreadsheet programs or games. When a user runs an infected application, the virus code executes first and installs itself independently in the computer’s memory so that it can copy itself into subsequent applications that the user runs” (www.sciam.com/1197issue, 1997).  The infected application has control over the PC without the user being aware of it. The virus is dormant in the applications until all applications are infected. The infection will spread to another computer through a diskette or a network and the cycle will repeat itself.

 

Gregory Sorkin contends that boot-sector viruses account for 5 percent of known PC virus strains. These viruses execute when the computer boots up because they are read into memory from a part of the hard disks or diskettes. They will inevitably infect the computer because the boot sector has the program code required to load the operating system. Given the fact that these viruses are very effective, it is uncertain why they are not as prevalent as the file infectors. Perhaps their unpopularity stems from the fact that they are noticeable, unlike the file infectors, which operate clandestinely and cause substantial damage by the time the user notices the effects.

 

Macro viruses are the most rapidly spread viruses because they attach themselves to the scripts embedded in a document. Virus writers capitalize on the fact that data are more easily shared than programs. Programs require data input in order to convey meaningful information. Then the users share the information and thereby propagate the infection. “Concept” was the first macro virus to infect Microsoft Word documents in 1995 and it remained one of the most prevalent viruses in the world in 1997. Steve R. White from Scientific American states, “Today more than 1,000 macro viruses are known” (www.sciam.com, 1997).

 

Programmers can write source code to do unimaginable harm to a system. The payload may range from displaying repugnant messages on the screen to damaging programs and data. The virus writers’ practice is especially dangerous because even if their intention is benign, the payload may damage the system if the system's configuration is different from the one the writer had in mind. Steve offers an example, “The Form virus, which usually produces only a slight clicking noise once a month, overwrites one disk directory sector in a way that is harmless to older PCs but lethal to newer ones that arrange disk information differently.” This concept is hard for some script kiddies to grasp because they think that good intentions and a benign payload will not hurt the targeted system, when in fact the possibility exists. As with everything else in life, if it is not an absolute, they are willing to take a chance. However, they fail to realize the disastrous effect that their payload may cause. In terms of risk management, the benefits of a thrill do not outweigh the possible costs. The legal system is in the process of instituting laws to eradicate the spreading of viruses; however, it must cautiously and firmly implement effective punishments. It must consider its historic tendency to react swiftly and harshly, only to find that the punishments do not deter the targeted crime.

 

Gordon from IBM, based on her research, breaks down virus writers into four categories: the adolescent, the college student, the adult, and the ex-virus writer (www.research.ibm.com/antivirus, 2000). She explained that the adolescent and college student virus writers were morally and ethically sound. They valued society and respected their parents; however, they did not understand the correlation between their virus and its effects. The adult virus writers, though small in comparison, did not value ethics and seemed more immature. They would most likely stop writing viruses if they faced punishment. The ex-virus writers valued ethics and society. Guilt associated with the effects of their viruses was not the cause for their refusal to write them; rather, boredom and preoccupation with other hobbies accomplished what lawmakers will be striving for. They were uncertain about whether virus writing should be illegal, but they had no problems with the ones who engaged in that type of activity.

 

The research does not indicate that everyone writes viruses with good intentions. Besides, the result is based on a survey administered to several virus writers. Common sense dictates that we understand that they did not answer all the questions honestly. There are criminals who write viruses with the sole purpose of harming systems, destroying the economy, and creating anarchy. One can imagine how powerful they would feel if they were to change society drastically. The computer is a challenging aspect of technology that most people would like to control. Virus writers notice that society is becoming increasingly dependent on computers, a fact that presents an opportunity to control the world without physically breaking the law. In fact, the virus writing practice is even more dangerous because it is psychologically mitigating for them to hurt a business via computer viruses by detaching themselves from the act emotionally. The common justification is “I did not physically do anything.” Technology offers absolute power over the cyberspace world and that transcends into reality.

 

Virus writers usually plan extensively on the penetration tactics. Because most companies tend to physically secure their hardware and software, virus writers commonly send a virus as a file attachment via e-mail. Some viruses are coded to replicate themselves and send e-mails from a seemingly recognizable source. Once the attachment is opened, the virus infects the computer and possibly the network. That, in turn, may bring a business to its knees, especially if it does not have any virus protection software or it does not back up its data properly. McAfee, an anti-virus company, relates several tips to help prevent and detect viruses. First, they advise not to open any file attachments unless you are absolutely sure about the identity of the source. Second, you should confirm that the source actually sent you the attachment before you open it. Third, you should delete the file if the subject line is ambiguous. Fourth, disregard junk e-mails or spam because they can be used to snatch your password. Fifth, you should not download files from strangers. Even if your source is reputable, always virus-check the files if you must download them from the Internet. Another option is to download them on an empty disk and virus-check them. According to McAfee, “Over 500 viruses are discovered each month” (www.Dispatch.McAfee.com, 2000). The most prudent and sensible practice is to back up your data and install the most current version of anti-virus software on your system.

 

McAfee and Norton have sites where viruses can be reported. Although a national security company gives notice of the presence of a virus, anti-virus software companies also depend on our reports to detect, investigate, devise, and implement countermeasures for viruses. How does the anti-virus technology work?

 

People were reluctant to use the computer after the effect of the first virus. Anti-virus technology salvaged the computer market by building customers’ confidence in computers. It emerged soon after the appearance of the computer virus. The generic programs were designed to monitor a computer and detect behavior consistent with a virus. However, the drawback was that they could not distinguish an actual virus from an activity behaving like a virus, and they only monitored important files and parts of main memory. That means the entire system was not protected.

 

Conversely, scanning programs can monitor the computer and effectively curtail the effect of a virus because they can tell the difference between a file behaving like a virus and an actual virus. According to Scientific American, “Scanning programs can search files, boot records, and memory for specific patterns of bytes indicative of known viruses” (www.sciam.com/1197issue, 1997). They protect the entire system and they rarely mistake a file for a virus. Updating these programs is vital to detecting new viruses. The Scientific American claims that the scanning programs recognize viral signatures that are about 16 to 30 bytes out of the several thousand that make up a virus. Recognizing a small segment is quicker and more efficient because the programs don’t have to read thousands of bytes to recognize the virus. Since it is uncertain whether viruses will have the same signatures, anti-virus writers designed the virus scanners to scan for thousands of signatures simultaneously. The Scientific American contends that, “The best can check for 10,000 signatures in 10,000 programs in under 10 minutes.”

 

The most viable option is to remove the virus when it is detected in the system. The tendency is to delete the infected program, but that may not be necessary, especially if the program is crucial. Anti-virus programmers took that into account by instructing the program to attempt to repair the files, using the tendency of the virus to remain undetectable by not damaging the host program. Viruses use this ruse to give the user the impression that the computer is intact in order to prevent them from being curtailed through early detection.

 

Scanning programs attempt to recreate a copy of the original files while deleting the viral code. Anti-virus programmers have developed other methods that are effective with known and unknown viruses. One highly effective method is to assemble mathematical fingerprints for each program, which are used to salvage the infected program by creating a working copy of the original.

 

The ingenuity of the virus writers dictates that the anti-virus programmers constantly examine their software for vulnerabilities. For instance, Microsoft has created several versions of Windows to patch the security vulnerabilities of the previous ones. In fact, the site for Norton Anti-virus leads to a site where Microsoft exposes certain vulnerabilities and provides the patches for them. It is painstakingly complicated to analyze a virus, given the complex viral code that may be placed within other complex code. Typically, programmers look for unusual code that may be different from that of functional and legitimate programs. They must specify the instructions for the anti-virus code in terms of how to clean and/or delete an infected file or program. David M. Chess stated that, “Antivirus technologists have developed automated tools and procedures to assist human virus experts or even replace them” (www.sciam.com/1197issue, 1997). I imagine that programmers have to constantly update those automated tools when new complex viruses emerge, an everyday occurrence (6 per day).

 

A newly developed method has proven to be much faster and more effective than hand analysis of the programs. Programmers use numerous programs to extract high-quality signatures by measuring the frequencies of the short byte sequences. When a new virus emerges, the software selects the sequence of viral bytes that are least common in legitimate programs. The Scientific American stated, “Tests suggest that this method produces signatures that are less prone to false alarms than those selected by human experts.” In other words, the anti-virus software resulting from this method effectively differentiates the file or program behaving like a virus and the actual virus. Just as family members have a genetic link through DNA, viruses tend to relate to each other. Programmers create new viruses using parts of existing viruses. Antivirus writers have developed family signatures to combat viruses. "A single 20-byte family signature can recognize dozens of distinct viruses" (www.sciam.com/1197issue, 1997). Some virus writers use encryption to produce polymorphic viruses. The viruses change forms as they spread, making them more difficult to hunt. In this instance, antivirus writers use the decryption key code stored within the viruses to detect and combat them. Cryptographic checksums (modification-detection codes), small unique numbers created from an algorithm, are used to verify whether a file was altered. Cryptography can be an effective measure of virus prevention; however, Scheiner from IBM noted, "Turning the algorithm into a working system involves multiple layers of architecture, design, coding, and user interface, and a mistake anywhere along the way can render the resulting system completely insecure, despite the soundness of the basic algorithm" (www.research.ibm.com/antivirus, 2000).
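The following added example (a simplified sketch, not the tool described by Scientific American) illustrates the signature-extraction idea above: count short byte sequences in legitimate programs, then pick the 16-byte stretch of viral bytes that those counts rate as least likely to appear in legitimate code. The n-gram lengths, the smoothing, and all sample data are assumptions constructed for illustration.

```python
import math
from collections import Counter

NGRAMS = (1, 2, 3)   # lengths of the "short byte sequences" that are counted
SIG_LEN = 16         # low end of the 16-to-30-byte range quoted earlier

def ngram_counts(corpus):
    """Count every 1-, 2- and 3-byte sequence in the legitimate programs."""
    counts, totals = Counter(), Counter()
    for blob in corpus:
        for n in NGRAMS:
            for i in range(len(blob) - n + 1):
                counts[blob[i:i + n]] += 1
                totals[n] += 1
    return counts, totals

def window_score(window, counts, totals):
    """Log-likelihood estimate of the window under the benign n-gram counts
    (add-one smoothing). Lower means rarer in legitimate code."""
    score = 0.0
    for n in NGRAMS:
        for i in range(len(window) - n + 1):
            seen = counts[window[i:i + n]]
            score += math.log((seen + 1) / (totals[n] + 256 ** n))
    return score

def extract_signature(viral_bytes, benign_corpus):
    """Return (offset, signature) for the rarest SIG_LEN-byte window."""
    counts, totals = ngram_counts(benign_corpus)
    offsets = range(len(viral_bytes) - SIG_LEN + 1)
    best = min(offsets, key=lambda o: window_score(
        viral_bytes[o:o + SIG_LEN], counts, totals))
    signature = viral_bytes[best:best + SIG_LEN]
    # False-alarm guard: never ship a signature found in a legitimate program.
    if any(signature in blob for blob in benign_corpus):
        raise ValueError("best candidate still occurs in a legitimate program")
    return best, signature

# Constructed data: "legitimate programs" sharing common startup code, and a
# sample whose middle 16 bytes are the only part not seen in legitimate code.
COMMON = b"common runtime startup code "
BENIGN = [COMMON * 4 + b"print spreadsheet totals",
          COMMON * 3 + b"draw game board tiles"]
VIRAL = COMMON + bytes(range(0xE0, 0xF0)) + COMMON

if __name__ == "__main__":
    offset, sig = extract_signature(VIRAL, BENIGN)
    print(offset, sig.hex())
```

A signature chosen this way avoids byte runs that the sample shares with ordinary programs, which is what keeps the false-alarm rate low.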

 

Computer systems are increasingly susceptible to viruses. Anti-virus software is developed daily because of the frequent emergence of viruses. The best protection is to update the anti-virus software often and use common sense when downloading a file from the Internet. Extreme caution is necessary when accessing the Internet because the open port on the system increases the likelihood of a cracker delivering a virus. System users should frequently access Norton's or McAfee's website in order to stay abreast of the spread of new viruses. The most secure system in the world has its vulnerabilities in the process of being discovered.