
Computer Viruses: Past, Present And Future

In our health-conscious society, viruses of any type are an enemy. Computer viruses are especially pernicious. They can and do strike any unprotected computer system, with results that range from merely annoying to the disastrous, time-consuming and expensive loss of software and data. And with corporations increasingly using computers for enterprise-wide, business-critical computing, the costs of virus-induced down-time are growing along with the threat from viruses themselves. Concern is justified - but unbridled paranoia is not. Just as proper diet, exercise and preventative health care can add years to your life, prudent and cost-effective anti-virus strategies can minimize your exposure to computer viruses.
· A history of computer viruses
· Who writes viruses - and how they can reach you
· The early warning symptoms of virus infection
· The real numbers behind the growth of viruses and their costs
· How viruses work - and how virus protection can stop them

What, Exactly, Is A Computer Virus?


A computer virus is a program designed to replicate and spread, generally with the victim being oblivious to its existence. Computer viruses spread by attaching themselves to other programs (e.g., word processor or spreadsheet application files) or to the boot sector of a disk. When an infected file is activated - or executed - or when the computer is started from an infected disk, the virus itself is also executed. Often, it lurks in computer memory, waiting to infect the next program that is activated, or the next disk that is accessed.
What makes viruses dangerous is their ability to perform an event. While some events are harmless (e.g., displaying a message on a certain date) and others annoying (e.g., slowing performance or altering the screen display), some viruses can be catastrophic by damaging files, destroying data and crashing systems.

How Do Infections Spread?


Viruses come from a variety of sources. Because a virus is software code, it can be transmitted along with any legitimate software that enters your environment:

· In a 1991 study of major U.S. and Canadian computer users by the market research firm Dataquest for the National Computer Security Association, most users blamed an infected diskette (87 percent). Forty-three percent of the diskettes responsible for introducing a virus into a corporate computing environment were brought from home.
· Nearly three-quarters (71 percent) of infections occurred in a networked environment, making rapid spread a serious risk. With networking, enterprise computing and inter-organizational communications on the increase, infection during telecommunicating and networking is growing.
· Seven percent said they had acquired their virus while downloading software from an electronic bulletin board service.
· Other sources of infected diskettes included demo disks, diagnostic disks used by service technicians and shrink-wrapped software disks - contributing six percent of reported infections.

What Damage Can Viruses Do To My System?


As mentioned earlier, some viruses are merely annoying, others are disastrous. At the very least, viruses expand file size and slow real-time interaction, hindering performance of your machine. Many virus writers seek only to infect systems, not to damage them - so their viruses do not inflict intentional harm. However, because viruses are often flawed, even benign viruses can inadvertently interact with other software or hardware and slow or stop the system. Other viruses are more dangerous. They can continually modify or destroy data, intercept input/output devices, overwrite files and reformat hard disks.

What Are The Symptoms Of Virus Infection?


Viruses remain free to proliferate only as long as they exist undetected. Accordingly, the most common viruses give off no symptoms of their infection. Anti-virus tools are necessary to identify these infections. However, many viruses are flawed and do provide some tip-offs to their infection. Here are some indications to watch for:
· Changes in the length of programs
· Changes in the file date or time stamp
· Longer program load times
· Slower system operation
· Reduced memory or disk space
· Bad sectors on your floppy
· Unusual error messages
· Unusual screen activity
· Failed program execution
· Failed system bootups when booting or accidentally booting from the A: drive.
· Unexpected writes to a drive.
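
The first two symptoms in the list above (changed program length, changed date or time stamp) can be checked mechanically against a recorded baseline, and a checksum catches changes that leave both untouched. The following is an added example, not part of the original essay; the function names, the file names and the sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Program file types the essay names as infection targets.
PROGRAM_EXTS = {".exe", ".com"}


def snapshot(root):
    """Record (size, mtime in ns, SHA-256) for every program file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in PROGRAM_EXTS:
                continue
            path = os.path.join(dirpath, fname)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns, digest)
    return state


def compare(baseline, current):
    """Return {path: [symptoms]} for files that differ from the baseline."""
    findings = {}
    for path, (size, mtime, digest) in current.items():
        if path not in baseline:
            findings[path] = ["new program file"]
            continue
        b_size, b_mtime, b_digest = baseline[path]
        notes = []
        if size != b_size:
            notes.append(f"length changed by {size - b_size:+d} bytes")
        if mtime != b_mtime:
            notes.append("time stamp changed")
        if digest != b_digest:
            notes.append("checksum changed")
        if notes:
            findings[path] = notes
    for path in baseline.keys() - current.keys():
        findings[path] = ["program file missing"]
    return findings


def demo():
    """Build constructed sample files, alter two of them, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"EDIT.COM": b"\x90" * 100, "CALC.EXE": b"\x90" * 200,
                   "README.TXT": b"not a program, ignored"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)

        # Case 1: the file grows by 50 bytes and gets a later time stamp.
        edit = os.path.join(root, "EDIT.COM")
        st = os.stat(edit)
        with open(edit, "ab") as fh:
            fh.write(b"\x00" * 50)
        os.utime(edit, ns=(st.st_atime_ns, st.st_mtime_ns + 60 * 10**9))

        # Case 2: same length and same time stamp as before; only the
        # contents differ, so only the checksum comparison notices.
        calc = os.path.join(root, "CALC.EXE")
        st = os.stat(calc)
        with open(calc, "wb") as fh:
            fh.write(b"\x91" * 200)
        os.utime(calc, ns=(st.st_atime_ns, st.st_mtime_ns))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, notes in sorted(demo().items()):
        print(path, "->", "; ".join(notes))
```

Take the comparison snapshot after booting from a clean diskette or other trusted media: the stealth viruses described later in this essay intercept file reads on an infected system and present the original contents.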

The Virus Threat: Common - And Growing


How real is the threat from computer viruses? Every large corporation and organization has experienced a virus infection - most experience them monthly. According to data from IBM's High Integrity Computing Laboratory, corporations with 1,000 PCs or more now experience a virus attack every two to three months - and that frequency will likely double in a year.
The market research firm Dataquest concludes that virus infection is growing exponentially. It found nearly two thirds (63%) of survey respondents had experienced a virus incident (affecting 25 or fewer machines) at least once, with nine percent reporting a disaster affecting more than 25 PCs. The 1994 Computer Crime Survey by Creative Strategies Research International and BBS Systems of San Francisco found 76 percent of U.S. respondents had experienced infection in 1993 alone.
If you have only recently become conscious of the computer virus epidemic, you are not alone. Virus infections became a noticeable problem to computer users only around 1990 - but the problem has grown rapidly since then. According to a study by Certus International of 2,500 large U.S. sites with 400 or more PCs, the rate of infection grew by 600 percent from 1994 to 1995.

More Viruses Mean More Infections
Virus infections are a growing problem, in part, because there are more strains of viruses than ever before. In 1986, there were just four PC viruses. New viruses were a rarity, with a virus strain created once every three months. By 1989, a new virus appeared every week. By 1990, the rate rose to once every two days. Now, more than three viruses are created every day - for an average 110 new viruses created in a typical month. From those modest four viruses in 1986, today's computer users face thousands of virus strains.

Number Of Unique Viruses


Here is the frightening part: Most infections today are caused by viruses that are at least six years old. That is, the infections are caused by viruses created no later than 1990, when there were approximately 300 known viruses. Today, there are thousands of viruses. If that pattern of incubation holds, the explosion of new viruses over the past few years could result in another explosion in total infections over the next few years.

The History Of Viruses: How It All Began


Today, the existence of viruses and the need to protect against them are inevitable realities. But it wasn't always so. As recently as the middle 1980s, computer viruses didn't exist. The first viruses were created in university labs - to demonstrate the "potential" threat that such software code could provide. By 1987, viruses began showing up at several universities around the world. Three of the most common of today's viruses - Stoned, Cascade and Friday the 13th - first appeared that year.
Serious outbreaks of some of these viruses began to appear over the next two years. The Datacrime and Friday the 13th viruses became major media events, presaging the concern that would later surround the Michelangelo virus. Perhaps surprisingly, tiny Bulgaria became known as the world's Virus Factory in 1990 because of the high number of viruses created there. The NCSA found that Bulgaria, home of the notorious Dark Avenger, originated 76 viruses that year, making it the world's single largest virus contributor. Analysts attribute Bulgaria's prolific virus output to an abundance of trained but unemployed programmers; with nothing to do, these people tried their hands at virus production, with unfortunately successful results.
This growing activity convinced the computer industry that viruses were serious threats requiring defensive action. IBM created its High Integrity Computing Laboratory to lead Big Blue's anti-virus research effort. Symantec began offering Symantec Anti-Virus, one of the first commercially available virus defenses. These responses came none too soon. By 1991, the first polymorphic viruses - that can, like the AIDS virus in humans, change their shape to elude detection - began to spread and attack in significant numbers. That year too, the total number of viruses began to swell, topping 1,000 for the first time.
Virus creation proliferated, and continues to accelerate, because of the growing population of intelligent, computer-literate young people who appreciate the challenge - but not the ethics - of writing and releasing new viruses. Cultural factors also play a role. The U.S. - with its large and growing population of computer-literate young people - is the second largest source of infection. Elsewhere, Germany and Taiwan are the other major contributors of new viruses.
Another reason for the rapid rise of new viruses is that virus creation is getting easier. The same technology that makes it easier to create legitimate software - Windows-based development tools, for example - is, unfortunately, being applied to virus creation. The so-called Mutation Engine appeared in 1992, facilitating the development of polymorphic viruses. In 1992, the Virus Creation Laboratory, featuring on-line help and pull-down menus, brought virus creation within the reach of even non-sophisticated computer users.
More PCs And Networks Mean More Infections, Too
The growing number of PCs, PC-based networks and businesses relying on PCs are another set of reasons for rising infections: there are more potential victims. For example, in the decade since the invention and popularization of the PC, the installed base of active PCs grew to 54 million by 1990. But that number has already more than doubled (to 112 million PCs in 1993) and climbed to 154 million in 1994.
Not only are PCs becoming more common - they are taking over a rising share of corporate computing duties. A range of networking technologies - including Novell NetWare, Microsoft Windows NT and LAN Manager, LAN Server, OS/2 and Banyan VINES - are allowing companies to downsize from mainframe-based computer systems to PC-based LANs and, now, client-server systems. These systems are more cost-effective and they are being deployed more broadly within organizations for a growing range of mission-critical applications, from finance and sales data to inventory control, purchasing and manufacturing process control.
The current, rapid adoption of client-server computing by business gives viruses fertile new ground for infection. These server-based solutions are precisely the type of computers that are susceptible - if unprotected - to most computer viruses. And because data exchange is the very reason for using client-server solutions, a virus on one PC in the enterprise is far more likely to communicate with - and infect - more PCs and servers than would have been true a few years ago.
Moreover, client-server computing is putting PCs in the hands of many first-time or relatively inexperienced computer users, who are less likely to understand the virus problem. The increased use of portable PCs, remote link-ups to servers and inter-organization and inter-network e-mail all add to the risk of infections, too. Once a virus infects a single networked computer, the average time required to infect another workstation is from 10 to 20 minutes - meaning a virus can paralyze an entire enterprise in a few hours.

What Is Ahead?
The industry's latest buzz-phrase is "data superhighway" and, although most people haven't thought about those superhighways in the context of virus infections, they should. Any technology that increases communication among computers also increases the likelihood of infection. And the data superhighway promises to expand on today's Internet links with high-bandwidth transmission of dense digital video, voice and data traffic at increasingly cost-effective rates. Corporations, universities, government agencies, non-profit organizations and consumers will be exchanging far more data than ever before. That makes virus protection more important, as well.
In addition to more opportunities for infection, there'll be more and more-damaging strains of virus to do the infecting. Regardless of the exact number of viruses that appear in the next few years, the Mutation Engine, Virus Creation Laboratory and other virus construction kits are sure to boost the virus population. Viruses that combine the worst features of several virus types - such as polymorphic boot sector viruses - are appearing and will become more common. Already, Windows-specific viruses have appeared. Virus writers, and their creations, are getting smarter. In response to the explosion in virus types and opportunities for transmission, virus protection will have to expand, too.
Computer anti-virus program manufacturers had a speed bump from which many went on to profit: 32-bit applications. DOS and Windows 3.1 used a 16-bit architecture, and other 32-bit platforms such as Windows NT, UNIX, and a variety of other server operating systems had anti-virus programs already made. McAfee and Symantec, two giants in the anti-virus industry, prepared for the release of a new 32-bit home operating system. In August, Microsoft released Windows 95 for resale and it stormed across the nation. A large number of virus problems surfaced in the short months after the release. This was due to the neglect of a readily available 32-bit anti-virus for the home user, and the fact that old 16-bit anti-virus programs could not detect 32-bit viruses. McAfee introduced Virus Scan 95 and Symantec released Norton Antivirus 95 shortly after the Windows 95 release. As the future progresses and the data architecture increases, anti-virus programs will have to be upgraded to handle the new program structure.

The Costs Of Virus Infection


Computer viruses have cost companies worldwide nearly two billion dollars since 1990, with those costs accelerating, according to an analysis of survey data from IBM's High Integrity Computing Laboratory and Dataquest. Global viral costs climbed another 1.9 billion dollars in 1994 alone, but have been at a more steady rate as anti-virus programs have been improved significantly.
The costs are so high because of the direct labor expense of cleanup for all infected hard disks and floppies in a typical incident. The indirect expense of lost productivity - an enormous sum - is higher, still. In a typical infection at a large corporate site, technical support personnel will have to inspect all 1,000 PCs. Since each PC user has an average 35 diskettes, about 35,000 diskettes will have to be scanned, too.

Recovery Time For A Virus Disaster (25 PCs)


On average, it took North American respondents to the 1991 Dataquest study four days to recover from a virus episode - and some MIS managers needed fully 30 days to recover. Even more ominously, their efforts were not wholly effective; a single infected floppy disk taken home during cleanup and later returned to the office can trigger a relapse. Some 25 percent of those experiencing a virus attack later suffered such a re-infection by the same virus within 30 days.
That cleanup is costing each of these corporations an average $177,000 in 1993 - and that sum will grow to more than $254,000 in 1994. If you're in an enterprise with 1,000 or more PCs, you can use these figures to estimate your own virus-fighting costs. Take the cost-per-PC ($177 in 1993, $254 in 1994) and multiply it by the number of PCs in your organization.
At a briefing before the U.S. Congress in 1993, NYNEX, one of North America's largest telecommunications companies, described its experience with virus infections:
· Since late 1989, the company had nearly 50 reported virus incidents - and believes it experienced another 50 unreported incidents.
· The single user, single PC virus incident is the exception. More typical incidents involved 17 PCs and 50 disks at a time. In the case of a 3Com network, the visible signs of infection did not materialize until after 17 PCs were infected. The LAN was down for a week while the cleanup was conducted.
· Even the costs of dealing with a so-called benign virus are high. A relatively innocuous Jerusalem-B virus had infected 10 executable files on a single system. Because the computer was connected to a token ring network, all computers in that domain had to be scanned for the virus. Four LAN administrators spent two days plus overtime, one technician spent nine hours, a security specialist spent five hours, and most of the 200 PCs on the LAN had to endure 15-minute interruptions throughout a two-day period.
In the October 1993 issue of Virus Bulletin, Micki Krause, Program Manager for Information Security at Rockwell International, outlined the cost of a recent virus outbreak at her corporation:
In late April 1993, the Hi virus was discovered at a large division of Rockwell located in the U.S. The division is heavily networked with nine file servers and 630 client PCs. The site is also connected to 64 other sites around the world (more than half of which are outside the U.S.). The virus had entered the division on program disks from a legitimate European business partner. One day after the disks arrived, the Hi virus was found by technicians on file servers, PCs and floppy disks. Despite eradication efforts, the virus continued to infect the network throughout the entire month of May.
160 hours were spent by internal PC and LAN support personnel to identify and contain the infections. At $45.00 per hour, their efforts cost Rockwell $7,200.
Rockwell also hired an external consultant to assist Rockwell employees in the cleanup. 200 hours were spent by the consultant, resulting in a cost of $8,000.
One file server was disconnected from the LAN to prevent the virus from further propagating across the network. The server, used by approximately 100 employees, was down for an entire day. Rockwell estimated the cost of the downtime at $9,000 (100 users @ $45/hr for 8 hours, with users accessing the server, on average, 25% of the normal workday).
While some anti-virus software was in use, Rockwell purchased additional software for use on both the servers and the client PCs for an additional $19,800.
Total Cost of the virus incident at Rockwell was $44,000.

Technical Overview
Computer Viruses And How They Work
Viruses are small software programs. At the very least, to be a virus, these programs must replicate themselves. They do this by exploiting computer code already on the host system. The virus can infect, or become resident in, almost any software component, including an application, operating system, system boot code or device driver. Viruses gain control over their host in various ways. Here is a closer look at the major virus types, how they function, and how you can fight them.

File Viruses
Most of the thousands of viruses known to exist are file viruses, including the Friday the 13th virus. They infect files by attaching themselves to a file, generally an executable file - the .EXE and .COM files that control applications and programs. The virus can insert its own code in any part of the file, provided it changes the host's code, somewhere along the way, misdirecting proper program execution so that it executes the virus code first, rather than the legitimate program. When the file is executed, the virus is executed first.
Most file viruses store themselves in memory. There, they can easily monitor access calls to infect other programs as they're executed. A simple file virus will overwrite and destroy a host file, immediately alerting the user to a problem because the software will not run. Because these viruses are immediately felt, they have less opportunity to spread. More pernicious file viruses cause more subtle or delayed damage - and spread considerably before being detected.
As users move to increasingly networked and client-server environments, file viruses are becoming more common. The challenge for users is to detect and clean this virus from memory, without having to reboot from a clean diskette. That task is complicated because file viruses can quickly infect a range of software components throughout a user's system. Also, the scan technique used to detect viruses can cause further infections; scans open files and file viruses can infect a file during that operation. File viruses such as the Hundred Years virus can infect data files too.

Boot Sector/partition table viruses


While there are only about 200 different boot sector viruses, they make up 75 percent of all virus infections. Boot sector viruses include Stoned, the most common virus of all time, and Michelangelo, perhaps the most notorious. These viruses are so prevalent because they are harder to detect, as they do not change a file's size or slow performance, and are fairly invisible until their trigger event occurs - such as the reformatting of a hard disk. They also spread rapidly. The boot sector virus infects floppy disks and hard disks by inserting itself into the boot sector of the disk, which contains code that's executed during the system boot process. Booting from an infected floppy allows the virus to jump to the computer's hard disk. The virus executes first and gains control of the system boot even before MS-DOS is loaded. Because the virus executes before the operating system is loaded, it is not MS-DOS-specific and can infect any PC operating system platform - MS-DOS, Windows, OS/2, PC-NFS, or Windows NT.
The virus goes into RAM, and infects every disk that is accessed until the computer is rebooted and the virus is removed from memory. Because these viruses are memory resident, they can be detected by running CHKDSK to view the amount of RAM and observe if the expected total has declined by a few kilobytes. Partition table viruses attack the hard disk partition table by moving it to a different sector and replacing the original partition table with their own infectious code. These viruses spread from the partition table to the boot sector of floppy disks as floppies are accessed.

Multi-Partite Viruses
These viruses combine the ugliest features of both file and boot sector/partition table viruses. They can infect any of these host software components. And while traditional boot sector viruses spread only from infected floppy boot disks, multi-partite viruses can spread with the ease of a file virus - but still insert an infection into a boot sector or partition table. This makes them particularly difficult to eradicate. Tequila is an example of a multi-partite virus.

Trojan Horses
Like its classical namesake, the Trojan Horse virus typically masquerades as something desirable - e.g., a legitimate software program. The Trojan Horse generally does not replicate (although researchers have discovered replicating Trojan Horses). It waits until its trigger event and then displays a message or destroys files or disks. Because it generally does not replicate, some researchers do not classify Trojan Horses as viruses - but that is of little comfort to the victims of these malicious strains of software.

File Overwriters
These viruses infect files by linking themselves to a program, keeping the original code intact and adding themselves to as many files as possible. Innocuous versions of file overwriters may not be intended to do anything more than replicate but, even then, they take up space and slow performance. And since file overwriters, like most other viruses, are often flawed, they can damage or destroy files inadvertently. The worst file overwriters remain hidden only until their trigger events. Then, they can deliberately destroy files and disks.

Polymorphic viruses
More and more of today's viruses are polymorphic in nature. The recently released Mutation Engine - which makes it easy for virus creators to transform simple viruses into polymorphic ones - ensures that polymorphic viruses will only proliferate over the next few years. Like the human AIDS virus that mutates frequently to escape detection by the body's defenses, the polymorphic computer virus likewise mutates to escape detection by anti-virus software that compares it to an inventory of known viruses. Code within the virus includes an encryption routine to help the virus hide from detection, plus a decryption routine to restore the virus to its original state when it executes. Polymorphic viruses can infect any type of host software; although polymorphic file viruses are most common, polymorphic boot sector viruses have already been discovered.
Some polymorphic viruses have a relatively limited number of variants or disguises, making them easier to identify. The Whale virus, for example, has 32 forms. Anti-virus tools can detect these viruses by comparing them to an inventory of virus descriptions that allows for wildcard variations - much as PC users can search for half-remembered files in a directory by typing the first few letters plus an asterisk symbol. Polymorphic viruses derived from tools such as the Mutation Engine are tougher to identify, because they can take any of four billion forms.

Stealth Viruses
Stealth aircraft have special engineering that enables them to elude detection by normal radar. Stealth viruses have special engineering that enables them to elude detection by traditional anti-virus tools. The stealth virus adds itself to a file or boot sector but, when you examine the host software, it appears normal and unchanged. The stealth virus performs this trickery by lurking in memory when it's executed. There, it monitors and intercepts your system's MS-DOS calls. When the system seeks to open an infected file, the stealth virus races ahead, uninfects the file and allows MS-DOS to open it - all appears normal. When MS-DOS closes the file, the virus reverses these actions, reinfecting the file.
Boot sector stealth viruses insinuate themselves in the system's boot sector and relocate the legitimate boot sector code to another part of the disk. When the system is booted, they retrieve the legitimate code and pass it along to accomplish the boot. When you examine the boot sector, it appears normal - but you are not seeing the boot sector in its normal location. Stealth viruses take up space, slow system performance, and can inadvertently or deliberately destroy data and files. Some anti-virus scanners, using traditional anti-virus techniques, can actually spread the virus. That is because they open and close files to scan them - and those acts give the virus additional chances to propagate. These same scanners will also fail to detect stealth viruses, because the act of opening the file for the scan causes the virus to temporarily disinfect the file, making it appear normal.

Anti-Virus Tools And Techniques


Anti-virus software tools can use any of a growing arsenal of weapons to detect and fight viruses, including active signature-based scanning, resident monitoring, checksum comparisons and generic expert systems. Each of these tools has its specific strengths and weaknesses. An anti-virus strategy that uses only one or two of the following techniques can leave you vulnerable to viruses designed to elude specific defenses. An anti-virus strategy that uses all of these techniques provides a comprehensive shield and the best possible defense against infection.

Signature-Based Scanners
Scanners - which, when activated, examine every file on a specified drive - can use any of a variety of anti-virus techniques. The most common is signature-based analysis. Signatures are the fingerprints of computer viruses - distinct strands of code that are unique to a single virus, much as DNA strands would be unique to a biological virus. Viruses, therefore, can be identified by their signatures. Virus researchers and anti-virus product developers catalog known viruses and their signatures, and signature-based scanners use these catalogs to search for viruses on a user's system. The best scanners have an exhaustive inventory of all viruses now known to exist. The signature-based scanner examines all possible locations for infection - boot sectors, system memory, partition tables and files - looking for strings of code that match the virus signatures stored in its memory.
When the scanner identifies a signature match, it can identify the virus by name and indicate where on the hard disk or floppy disk the infection is located. Because the signature-based scanner offers a precise identification of known viruses, it can offer the best method for effective and complete removal. The scanner can also detect the virus before it has had a chance to run, reducing the chance that the infection will spread before detection. Against these benefits, the signature-based scanner has limitations. At best, it can only detect viruses for which it is programmed with a signature. It cannot detect so-called unknown viruses - those that have not been previously discovered, analyzed and recorded in the files of anti-virus software. Polymorphic viruses elude detection by altering the code string that the scanner is searching for; to identify these viruses, you need another technique.
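
A small signature-based scanner, covering both the catalog matching described in this section and the wildcard descriptions mentioned under polymorphic viruses, shows what such a tool reports and where it stops. This is an added example, not part of the original essay; the catalog entries, region names and byte patterns are constructed and harmless, and the `??` wildcard notation is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Constructed catalog of harmless byte patterns; these are not real virus
# signatures. "??" stands for any single byte (a wildcard position).
CATALOG = {
    "Demo.Fixed": "DE AD BE EF 13 37",
    "Demo.Variant": "C0 DE ?? ?? FE ED",
}


@dataclass(frozen=True)
class Hit:
    name: str       # catalog name of the matched signature
    location: str   # scanned region (file, boot sector image, memory dump)
    offset: int     # byte offset of the match inside that region


def compile_signature(hex_pattern):
    """Turn 'C0 DE ?? FE' into a bytes regex; '??' matches exactly one byte."""
    parts = []
    for token in hex_pattern.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    # DOTALL so that the wildcard also matches the newline byte 0x0A.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(regions, catalog=CATALOG):
    """Search every region for every signature; report name, place and offset."""
    compiled = {name: compile_signature(p) for name, p in catalog.items()}
    hits = []
    for location, data in regions.items():
        for name, pattern in compiled.items():
            for match in pattern.finditer(data):
                hits.append(Hit(name, location, match.start()))
    return sorted(hits, key=lambda h: (h.location, h.offset))


def sample_regions():
    """Constructed sample data standing in for files and a boot sector."""
    variant_a = bytes.fromhex("C0DE0102FEED")
    variant_b = bytes.fromhex("C0DEAABBFEED")
    body = b"\x90" * 4 + variant_a
    return {
        "boot-sector.img": bytes(16) + bytes.fromhex("DEADBEEF1337") + bytes(8),
        "GAME.COM": body,
        "TOOL.COM": b"\x90" * 8 + variant_b,
        "CLEAN.EXE": b"plain program bytes with no catalogued pattern",
        # Same bytes as GAME.COM after a byte-wise re-encoding: the code
        # string the scanner looks for is no longer present in this region.
        "REENCODED.COM": bytes(b ^ 0x5A for b in body),
    }


if __name__ == "__main__":
    for hit in scan(sample_regions()):
        print(f"{hit.location}: {hit.name} at offset {hit.offset}")
```

The wildcard entry finds both constructed variants, while the re-encoded region produces no hit at all, which is the limitation the paragraph above describes.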
There is more than this... but it won't fit. Please, let me email you the copy so I can have the password.
