The Amazing Realities of SOFTWARE VIRUSES!
…ÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕª
∫ ∫
∫ The Amazing Realities ∫
∫ of SOFTWARE VIRUSES! ∫
∫ ∫
∫ by ∫
∫ Steve Gibson ∫
∫ GIBSON RESEARCH CORPORATION ∫
∫ ∫
∫ Portions of this text originally appeared in Steve's ∫
∫ InfoWorld Magazine TechTalk Column. ∫
∫ ∫
»ÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕº
My mother always hoped I'd become a doctor... actually a brain surgeon. Since I work with electronic "brains" every day I always thought that was a close as I would come to "doctoring" anything, but the recent flare-up of interest in software viruses, infections, cures, antidotes and inoculations might change all that.
The notion of software "hacking" isn't new, having been born just five minutes later than software. But as we've grown increasingly dependent upon the expensive programs and precious data, stored in our machines, the cost of a computer failure, whether accidental or deliberate, has skyrocketed. Factor in the notion of someone DELIBERATELY destroying your irreplaceable data and you have a hot situation indeed! Multiply this by the unwitting and infectious spread of this destruction throughout the far-reaching tendrils of an entire organization or community's computer usage and the cost of such deliberate sabotage can be incalculable.
Software viruses can be loosely divided into four classes. The General Purpose Infector Virus (GPIV), Special Purpose Infector Virus (SPIV), Very Clever General Purpose Infector Virus (VCGPIV), and Central System Infecting Virus (CSIV). The habitat for the first three viral strains is any unwitting application host, while the Central System Infecting Virus takes up residence at the core of the operating system.
One of the most fascinating aspects of the entire software/medicine analogy is the amazing degree to which it holds. Modern computer systems and software are now complex enough to support a crude simulation of life-cycle processes.
The General Purpose Infector Virus operates by tacking itself onto the front or back of any existing application program. To keep its size and complexity down it's generally specific to COM or EXE file types and is thus unable to infect a file of the other type. COM-file infectors have a far simpler genetic design, but they don't have as much future as the EXE infectors.
Poorly designed GPIV viruses are simple to spot once you're looking for them since they alter the program's overall length and may update the file's own date. However both of these clues are also easily handled with a little added viral design. The date can be easily restored after the infecting alteration has taken place, and the clever GPIV can mask its size by creating a hidden file containing the real program while it occupies the abandoned file husk of the actual program. Only a scan of the entire computer system for hidden or system files would turn up the real programs, renamed as something innocent. Then again it might not even hide the actual program, but leave it there in plain sight, mixed in with the files in your largest sub- directory, and named something reasonable, appearing to be an overlay, help file, or who knows what.
The Special Purpose Infector Virus is designed to INHABIT only one version of one particular application program and consequently can be far harder to spot. It lives parasitically WITHIN the body of the application in a buffer region, array area, or other non-code-bearing space. Only a byte-by-byte comparison of a file against a known good copy can spot the SPIV, and you'd better hope that it didn't alter the system's compare command beforehand to report equality whenever its inhabited file is being tested!
The Very Clever General Purpose Infector Virus (VCGPIV) combines the features and capabilities of the GPIV with those of the SPIV. It is able to find non-code bearing regions WITHIN the bodies of other application programs for which it was not specifically designed and infect those programs with its own presence. These features make the VCGPIV virus one of the nastiest and hardest to spot or control since every program in an entire computer system network could be overrun with VCGPIV before anything unusual begins happening. In fact, the worst variations of VCGPIV don't begin "acting up" until sometime after EVERY LAST CANDIDATE host application program in the system has been infected!
Central System Infecting Virus (CSIV) doesn't infect individual application programs, but rather attacks and alters the core of the operating system itself. The carrier for this virus is usually a Trojan Horse program which appears to be doing something useful, simple, and disk intensive, like displaying a sorted directory, sorting directories, or reorganizing the hard disk. Its disk activities tend to cover up its real intention which is to plant an infection into the operating system which alters the system's subsequent behavior.
The Intimate Details of Software Virus Reproduction
Software "viruses" have three fundamental aspects: Existence, Reproduction, and Non-Reproductive Purpose. We've examined the nature of such viral existence, and we've seen that software viruses can be specific to certain programs, general to COM or EXE application program files, vary in their degree of cleverness and concealment, and can also be carried by Trojan Horse programs for the purpose of infecting the central core of the operating system itself. Now we'll look at viral software's reproductive cycle and non-reproductive purpose.
Nasty as a virus' mere existence is, the real power of such software lies in its capacity and proclivity for "self reproductive survival." The notion that a downloaded program could spread its seed throughout an unwitting user's hard disks, backed-up files, and entire software library is quite chilling indeed. Add to this the fact that the virus might well have some far more sinister purpose that mere reproduction, and we have an unpleasant scenario.
A software virus rides along on a host program gaining brief control of the system each time the host application is used. Patterning itself after organic life, which after all has a proven survival track record, a virus' first priority must be its own survival. This means that the well-designed virus won't make its own presence known or felt until it feels that there's nothing further to be gained from secrecy. As we'll demonstrate later, this point is never really reached, although to some degree this occurs some time after the user's system is infected at the 100% level. Once every last available file is carrying viral clones, the virus' reproductive urgency is reduced.
However, since the serious virus designer's real goal is true global infection, the well designed virus waits still longer to maximize the probability that it will have an opportunity to spread to other systems and communities before being removed completely from the system after some powerful and deliberate demonstration of its presence.
When an infected application program is started, its hosted virus gains immediate control. It is this brief start up interval of disk activity as the application loads that masks the virus' reproductive activities. The virus briefly searches for an uninfected host application. When found it quickly infects this unknowing application with a parasitic copy of itself and passes control to the hosting application as if nothing out of the ordinary had happened.
The only unmaskable clue of anything out of the ordinary having happened would be a longer than usual start up time for the host application. If you've been noticing your applications behaving somewhat erratically during start up you might want to take a close look at it. Of course, you still wouldn't know WHAT other program the virus had just then jumped into.
Suppose now that a computer system has become completely overrun with its virus (or viruses, since it might have picked up more than one!) and consequently the virus has failed in its attempt at infecting a new host application. At this point the virus switches from its reproductive mode into its non-reproductive mode.
The question we now face is: What is the intention of the virus when it is no longer able to reproduce within the system? Is it functionally benign, so that it's simply going to announce proudly "GOTCHA!...Every EXE file on this system is infected!," or is it going to behave more maliciously?
In this regard we're completely in the hands of the virus' designer. However we should note that simply causing the user's hard disk to begin low-level formatting is antithetical to the virus' primary survival drive. In destroying the user's hard disk it also destroys itself, and more importantly, it alerts the system's owner to the presence of something quite evil. And in wiping the user's disk it might very well destroy other entirely different viral strains which have not yet succeeded in achieving their 100% infection levels.
No, the optimal strategy during the viruses non-reproductive malignant-mode, for the infliction of maximum long term damage, is to FRUSTRATE while continuing to remain hidden. By PRESERVING the user's hard disk data rather than destroying it wholesale the virus continues to remain hidden and unsuspected. This also preserves the opportunity for further inter-system infection, which supports the virus' global survival goal. By RANDOMLY messing things up and lowering the overall RELIABILITY of the system, the virus achieves its goal of producing maximum long term hurt.
What can we do about Software Viruses?
Whatever their means or intent, these viruses spread within an organization or community of computers by riding along whenever a program is uploaded, downloaded, borrowed, exchanged, shared, or demoed... even if it's only run once for ten seconds. I know how eagerly I try new shareware or public-domain goodies which promise to provide a needed benefit, and I've sold many copies of my own commercial programs to people who admit to having first "borrowed" a copy from a friend to try out. That's today's reality, and I don't fight it. In fact it's software's ability to be easily uploaded, downloaded, copied, and transported which so enriches the personal computing experience.
Now I know this is a controversial area, and many people feel that the attention given to the whole topic by the popular press is completely overblown. I want to tell you right now that they're utterly and completely wrong.
I have been placed in contact with several groups of people who REALLY know what's going on... and it's terrifying. Based upon some additional theory which we'll examine now, and MANY specifics which I'm still uncovering to share later, I'm going to make a solid prediction which you can sadly depend upon:
In the not too distant future there's going to be a MAJOR SCALE CORPORATE-WIDE INFORMATION SYSTEM DISASTER which will be caused by a system-wide viral attack. The question is where is it going to hit, what can be done to prevent it, and how will our industry be changed as a consequence. Mark my words, I am utterly certain that we REALLY have a problem developing.
I'm committed to doing whatever is possible, through the vehicle of this column and InfoWorld, to try to avert this disaster. But human nature says that it's NOT going to be enough. By combining theory with specifics I hope to make you individually aware of the reality of the danger to you... perhaps enough to avert your own small scale personal disaster... and perhaps for your companies. So what about preventive measures? What about inoculations, antidotes, and sugar cubes?
The bottom line on virus prevention is good news for the virus and NOT good news for US. To illustrate, let's examine a pair of useful parallels: The discovery of the many secrets which led to the development of resident pop-up TSRs, and the copy protection wars of the last five years.
As you know, Microsoft has always actively refused to tell anyone how to create resident TSR pop-ups under DOS. It is completely impossible to do so using just their documentation. They could have made things A LOT EASIER on everyone by documenting many of their "secrets"... but they kept saying "NO!" Did that stop the industry's sharp software developers? No way. We simply sat down with our debuggers and tore their "secret" code apart to figure out exactly what it did and how it worked. And before you knew it, voila, Pop-Ups!
Then we have the tireless merry-go-round tournament formed on one side by companies who desire to protect their software from being illegally copied versus those whose very purpose in life seems to be the defeat of the latest copy protection schemes. By applying the same "reverse engineering" which allowed us to develop TSRs, the protection busters mirrored every move made by the protectors... and held them in check.
The overall result was escalation. Both teams ended up developing Olympian-level skills, but the war never ended. It couldn't end until one side or the other gave up. The final result, as anyone who has dipped into the typical bulletin board system knows, is that copy protection busting utilities are one of the hottest downloading categories today.
So today we have a new battleground with the same players wearing different hats. Anything any anti-virus solution can do to prevent infection and viral spread the next viral strain will defeat. Not good news.
Today's Real-World Solutions to the Viral Threat
There's a terrific group of people in Santa Clara, California who have dedicated themselves to catching, analyzing, and disseminating helpful and specific information about software viruses. This non-profit organization, the National BBS Society (NBBSS), can be contacted at (408) 727-4559.
The NBBSS has identified 39 different strains of software viruses, and more are being found continually. For example, the latest virus, which the NBBSS has preliminarily named the RETRO- VIRUS was submitted by one of their members on April 19th. This virus infects and lives inside ANY ONE OF THREE popular shareware programs. It reproduces by attaching passive carrier clones of itself to other executable files in the hope that the infected executable file will make its way to another system which contains one of its three target "infectable" host programs.
It was named the RETRO-VIRUS because it continually communicates with its infected clone carrier executables via a clever "flag" hidden within the system. When any of its viral clones executes, this flag is turned ON. Then when one of the three internally infected hosts executes this flag is checked, then turned OFF. If the flag was already OFF, the host determines that the system must have been swept clean of its viral carriers. Then, after quietly waiting for several months, the host REINFECTS several of the system's executable files. The system user THINKS that the system was virus-free... but then the same virus reemerges "from out of nowhere."
As you can see from this example, we're dealing with some extremely sophisticated programming... which is specifically intended to DEFEAT attempts at removing the viral code from the system.
So exactly what measures can be taken to deal with the spread of software viruses? The good news is, there are several. Viruses can either be caught "in the act" of spreading their seed, or located while they're lying dormant on a disk.
The "catch'em in the act" approach provides the best anti-viral protection currently available since the reproducing behavior of many viruses is quite similar and can be somewhat generalized then readily spotted. Such solutions have the negative side effect of requiring continual RAM residency, with all the problems which that implies. Also, they can sometimes erroneously alert their owner to questionable but benign behavior of non-viral software. Even so, these programs are innocuous and are highly recommended when using new software "submissions" on any system which falls into a high viral infection risk group.
The two most effective virus detection monitors available today happen to be the least expensive of any available. FluShot+ is available as shareware, with a $10 fee requested, and C-4 is a commercial product retailing for just $29.95.
FluShot+ catches 22 of the known 39 viruses, providing FAR GREATER protection than other currently available virus fighting agents which retail for hundreds of dollars. FluShot+ may be downloaded from CompuServe (in the IBMSW Forum in DL0) or from the IBM SIG on The Source, or from its author's bulletin board system in New York (1200/2400 Baud: (212) 889-6438) under the name FSP12.ARC. It may also be requested directly from its author, Ross Greenberg, at (212) 889-6431.
C-4, which derives its name from Cybernetic Xylene since Xylene inhibits the growth and spread of carbon-based viruses, is the best commercial viral inhibitor available. Though you might have trouble believing the $29 could buy much, C-4's publisher is dedicated to stopping software viral spread and even intends to offer continual upgrades at near their cost. As a result of Interpath's association with the NBBS, C-4 IS THE ONLY PRODUCT TODAY WHICH STOPS THE SPREAD OF EVERY ONE OF THE NBBS's 39 KNOWN VIRAL STRAINS! It may be purchased from: Interpath, 4423 Cheeney Street, Santa Clara, CA 95054. (408) 988-3832.
It has been my goal to address this issue directly and frankly. I now know that these viruses exist. I believe that the problem is less wide-spread than the popular press has indicated, but I also believe, based upon an analysis of the reproductive mechanisms involved, that it has far more POTENTIAL FOR DAMAGE than is commonly believed.
Please exercise some form of self-protection, even if it's just altering some software trading habits. In the meantime I'll keep you posted.
- The End -
Copyright (c) 1989 by Steven M. Gibson
Laguna Hills, CA 92653
**ALL RIGHTS RESERVED **
