incidents involved 17 PCs and 50 disks at a time. In the case of a 3Com
network, the visible signs of infection did not materialize until after
17 PCs were infected. The LAN was down for a week while the cleanup was
conducted.
? Even the costs of dealing with a so-called benign virus are high. A
relatively innocuous Jerusalem-B virus had infected 10 executable files on
a single system. Because the computer was connected to a token ring network,
all computers in that domain had to be scanned for the virus. Four LAN
administrators spent two days plus overtime, one technician spent nine
hours, a security specialist spent five hours, and most of the 200 PC on
the LAN had to endure 15-minute interruptions throughout a two-day
period.
In the October 1993 issue of Virus Bulletin, Micki Krause, Program Manager for
Information Security at Rockwell International, outlined the cost of a recent
virus outbreak at her corporation:
? In late April 1993, the Hi virus was discovered at a large division of
Rockwell located in the U.S. The division is heavily networked with nine file
servers and 630 client PCs. The site is also connected to 64 other sites around
the world (more than half of which are outside the U.S.). The virus had entered
the division on program disks from a legitimate European business partner. One
day after the disks arrived, the Hi virus was found by technicians on file
servers, PCs and floppy disks. Despite eradication efforts, the virus continued
to infect the network throughout the entire month of May. ? 160 hours were spent
by internal PC and LAN support personnel to identify and contain the infections.
At $45.00 per hour, their efforts cost Rockwell $7,200. ? Rockwell also hired an
external consultant to assist Rockwell employees in the cleanup. 200 hours were
spent by the consultant, resulting in a cost of $8,000. ? One file server was
disconnected from the LAN to prevent the virus from further propagating across
the network. The server, used by approximately 100 employees, was down for an
entire day. Rockwell estimated the cost of the downtime at $9,000 (100 users @
$45/hr for 8 hours, with users accessing the server, on average, 25% of the
normal workday). ? While some anti-virus software was in use, Rockwell purchased
additional software for use on both the servers and the client PCs for an
additional $19,800. ? Total Cost of the virus incident at Rockwell was $44,000.
Technical Overview
Computer Viruses And How They Work
Viruses are small software programs. At the very least, to be a virus, these
programs must replicate themselves. They do this by exploiting computer code,
already on the host system. The virus can infect, or become resident in almost
any software component, including an application, operating system, system boot
code or device driver. Viruses gain control over their host in various ways.
Here is a closer look at the major virus types, how they function, and how you
can fight them.
File Viruses
Most of the thousands of viruses known to exist are file viruses, including the
Friday the 13th virus. They infect files by attaching themselves to a file,
generally an executable file – the .EXE and .COM files that control applications
and programs. The virus can insert its own code in any part of the file,
provided it changes the hosts code, somewhere along the way, misdirecting proper
program execution so that it executes the virus code first, rather than to the
legitimate program. When the file is executed, the virus is executed first.
Most file viruses store themselves in memory. There, they can easily monitor
access calls to infect other programs as they’re executed. A simple file virus
will overwrite and destroy a host file, immediately alerting the user to a
problem because the software will not run. Because these viruses are immediately
felt, they have less opportunity to spread. More pernicious file viruses cause
more subtle or delayed damage – and spread considerably before being detected.
As users move to increasingly networked and client-server environments, file
viruses are becoming more common. The challenge for users is to detect and clean
this virus from memory, without having to reboot from a clean diskette. That
task is complicated because file viruses can quickly infect a range of software
components throughout a user’s system. Also, the scan technique used to detect
viruses can cause further infections; scans open files and file viruses can
infect a file during that operation. File viruses such as the Hundred Years
virus can infect data files too.
Boot Sector/partition table viruses
While there are only about 200 different boot sector viruses, they make up 75
percent of all virus infections. Boot sector viruses include Stoned, the most
common virus of all time, and Michelangelo, perhaps the most notorious. These
viruses are so prevalent because they are harder to detect, as they do not
change a files size or slow performance, and are fairly invisible until their
trigger event occurs – such as the reformatting of a hard disk. They also spread
rapidly. The boot sector virus infects floppy disks and hard disks by inserting
itself into the boot sector of the disk, which contains code that’s executed
during the system boot process. Booting from an infected floppy allows the virus
to jump to the computer’s hard disk. The virus executes first and gains control
of the system boot even before MS-DOS is loaded. Because the virus executes
before the operating system is loaded, it is not MS-DOS-specific and can infect
any PC operating system platform – MS-DOS, Windows, OS/2, PC-NFS, or Windows NT.
The virus goes into RAM, and infects every disk that is accessed until the
computer is rebooted and the virus is removed from memory. Because these viruses
are memory resident, they can be detected by running CHKDSK to view the amount
of RAM and observe if the expected total has declined by a few kilobytes.
Partition table viruses attack the hard disk partition table by moving it to a
different sector and replacing the original partition table with its own
infectious code. These viruses spread from the partition table to the boot
sector of floppy disks as floppies are accessed.
Multi-Partite Viruses
These viruses combine the ugliest features of both file and boot
sector/partition table viruses. They can infect any of these host software
components. And while traditional boot sector viruses spread only from infected
floppy boot disks, multi-partite viruses can spread with the ease of a file
virus – but still insert an infection into a boot sector or partition table.
This makes them particularly difficult to eradicate. Tequila is an example of a
multi-partite virus.
Trojan Horses
Like its classical namesake, the Trojan Horse virus typically masquerades as
something desirable – e.g., a legitimate software program. The Trojan Horse
generally does not replicate (although researchers have discovered replicating
Trojan Horses). It waits until its trigger event and then displays a message or
destroys files or disks. Because it generally does not replicate, some
researchers do not classify Trojan Horses as viruses – but that is of little
comfort to the victims of these malicious stains of software.
File Overwriters
These viruses infect files by linking themselves to a program, keeping the
original code intact and adding themselves to as many files as possible.
Innocuous versions of file overwriters may not be intended to do anything more
than replicate but, even then, they take up space and slow performance. And
since file overwriters, like most other viruses, are often flawed, they can
damage or destroy files inadvertently. The worst file overwriters remain hidden
only until their trigger events. Then, they can deliberately destroy files and
disks.
Polymorphic viruses
More and more of today’s viruses are polymorphic in nature. The recently
released Mutation Engine – which makes it easy for virus creators to transform
simple viruses into polymorphic ones – ensures that polymorphic viruses will
only proliferate over the next few years. Like the human AIDS virus that mutates
frequently to escape detection by the body’s defenses, the polymorphic computer
virus likewise mutates to escape detection by anti-virus software that compares
it to an inventory of known viruses. Code within the virus includes an
encryption routine to help the virus hide from detection, plus a decryption
routine to restore the virus to its original state when it executes. Polymorphic
viruses can infect any type of host software; although polymorphic file viruses
are most common, polymorphic boot sector viruses have already been discovered.
Some polymorphic viruses have a relatively limited number of variants or
disguises, making them easier to identify. The Whale virus, for example, has 32
forms. Anti-virus tools can detect these viruses by comparing them to an
inventory of virus descriptions that allows for wildcard variations – much as PC
users can search for half-remembered files in a directory by typing the first
few letters plus an asterisk symbol. Polymorphic viruses derived from tools such
as the Mutation Engine are tougher to identify, because they can take any of
four billion forms.
Stealth Viruses
Stealth aircraft have special engineering that enables them to elude detection
by normal radar. Stealth viruses have special engineering that enables them to
elude detection by traditional anti-virus tools. The stealth virus adds itself
to a file or boot sector but, when you examine the host software, it appears
normal and unchanged. The stealth virus performs this trickery by lurking in
memory when it’s executed. There, it monitors and intercepts your system’s MS-
DOS calls. When the system seeks to open an infected file, the stealth virus
races ahead, uninfects the file and allows MS-DOS to open it – all appears
normal. When MS-DOS closes the file, the virus reverses these actions,
reinfecting the file.
Boot sector stealth viruses insinuate themselves in the system’s boot sector and
relocate the legitimate boot sector code to another part of the disk. When the
system is booted, they retrieve the legitimate code and pass it along to
accomplish the boot. When you examine the boot sector, it appears normal – but
you are not seeing the boot sector in its normal location. Stealth viruses take
up space, slow system performance, and can inadvertently or deliberately destroy
data and files. Some anti-virus scanners, using traditional anti-virus
techniques, can actually spread the virus. That is because they open and close
files to scan them – and those acts give the virus additional chances to
propagate. These same scanners will also fail to detect stealth viruses, because
the act of opening the file for the scan causes the virus to temporarily
disinfect the file, making it appear normal.
Anti-Virus Tools And Techniques
Anti-virus software tools can use any of a growing arsenal of weapons to detect
and fight viruses, including active signature-based scanning, resident
monitoring, checksum comparisons and generic expert systems. Each of these tools
has its specific strengths and weaknesses. An anti-virus strategy that uses only
one or two of the following techniques can leave you vulnerable to viruses
designed to elude specific defenses. An anti-virus strategy that uses all of
these techniques provides a comprehensive shield and the best possible defense
against infection.
Signature-Based Scanners
Scanners – which, when activated, examine every file on a specified drive – can
use any of a variety of anti-virus techniques. The most common is signature-
based analysis. Signatures are the fingerprints of computer viruses – distinct
strands of code that are unique to a single virus, much as DNA strands would be
unique to a biological virus. Viruses, therefore, can be identified by their
signatures. Virus researchers and anti-virus product developers catalog known
viruses and their signatures, and signature-based scanners use these catalogs to
search for viruses on a user’s system. The best scanners have an exhaustive
inventory of all viruses now known to exist. The signature-based scanner
examines all possible locations for infection – boot sectors, system memory,
partition tables and files – looking for strings of code that match the virus
signatures stored in its memory. When the scanner identifies a signature match,
it can identify the virus by name and indicate where on the hard disk or floppy
disk the infection is located. Because the signature-based scanner offers a
precise identification of known viruses, it can offer the best method for
effective and complete removal. The scanner can also detect the virus before it
has had a chance to run, reducing the chance that the infection will spread
before detection. Against these benefits, the signature-based scanner has
limitations. At best, it can only detect viruses for which it is programmed with
a signature. It cannot detect so-called unknown viruses – those that have not
been previously discovered, analyzed and recorded in the files of anti-virus
software. Polymorphic viruses elude detection by altering the code string that
the scanner is searching for; to identify these viruses, you need another
technique.
There is more than this… but it won’t fit. PLease, let me email you the copy
so I can have the password.