Handbook of Information Security Management:Computer Architecture and System Security



Staying Abreast

To be effective against malicious code, you must keep abreast of the latest threats. Fortunately, this is now a lot easier than it used to be. There are a number of online sources that are sure to report new developments:

  NCSA forums on CompuServe
  NCSA pages on the Web
  Forum/Web page/BBS hosted by your antivirus vendor
  VIRUS-L news group

For the small/home office user we recommend checking in with one or more of these sources once a week. After all, it only takes a few minutes. For larger organizations we suggest that someone, probably on the support staff, be assigned the task of making a daily check.

Basic Rules

Being vigilant about the files that enter your system will go a long way towards protecting it from malicious code. If you use access controls to extend that vigilance to the times when you are not around to oversee what is happening to your computer, you should be able to avoid most of the immediate effects of malicious code attacks. To sum up the defensive measures discussed here, the following rules can be promulgated, first for the individual user and then for the manager of users.

1.  Observe site, system, and file access security procedures.
2.  Always perform a backup before installing new software.
3.  Only use reputable software from reputable sources.
4.  Know the warning signs of a malicious program.
5.  Use antivirus products to watch over your system.
6.  Use an isolated machine to test software that might be suspect.

Rules for managers of users:

1.  Make sure that access control and backup procedures are observed by all users.
2.  Check all new software installations, floppy disks, and file transfers with an antivirus product.
3.  Forbid the use of unchecked or unapproved software, floppy disks, or online connections.
4.  Stay informed of latest developments in malicious programming, either through an alert service or by tasking in-house staff.
5.  Keep all staff informed of latest trends in malicious code so that they know what to look for.
6.  Make use of activity/operator logging systems so that you know who is using each system and what it is being used for.
7.  Encourage the reporting of all operational anomalies and match these against known attacks.

Boot Sector Viruses

This type of infection hits your computer just as it loads the operating system. Most common on IBM-compatible machines, boot sector viruses can also be written for other systems (the “first” virus was an Apple II boot sector virus). Boot sectors are what get the operating system loaded into memory after you power up the system (cold boot) or perform a hard reset (usually with a button on the front of the machine). On IBM-compatible machines the BIOS, after performing the POST (Power On Self Test) and reading data such as the time from CMOS (which can be corrupted by viruses), loads the Master Boot Sector (the first sector of the hard disk, also called the Master Boot Record) into RAM and executes it; the code in that sector in turn loads the DOS Boot Sector of the active partition. The BIOS instructions themselves cannot be infected by a virus where they are burned into ROM (Read Only Memory); a BIOS held in rewritable flash memory does not enjoy that protection.

According to Virus Bulletin’s description, “boot sector viruses alter the code stored in either the Master Boot Sector or the DOS Boot Sector. Usually, the original contents of the boot sector are replaced by the virus code…. Once loaded, the virus code generally loads the original boot code into memory and executes it, so that as far as the user is concerned, nothing is amiss.” Typically the virus saves a copy of the original boot sector elsewhere on the disk, and the code it writes into the boot sector loads that saved copy once the virus itself is resident. So the virus code is in memory and the user is none the wiser. The virus may then infect the boot sector of any floppy disk that is used in the machine’s floppy disk drive, thus passing the infection on. While this is rather clever, it would seem an inefficient means of replicating now that so many people boot from a hard disk; if everyone cleaned their hard disk boot sector, extermination of boot sector viruses would appear achievable.

Unfortunately, this overlooks the fact that there are boot sectors on ALL floppy disks, not just those that are bootable system disks. And we have all made the mistake of turning on or resetting a system with a floppy in drive A. If the floppy disk is not bootable, for example if it is a data or program installation disk, we get the “Non-System disk or disk error. Replace and strike any key when ready” message. Alas, at that point the boot sector virus is already in memory. Indeed, that message is printed by the code in the floppy’s boot sector, which has therefore already been executed. Taking the floppy out and pressing “any key” will not clear the virus from memory, and besides, it may have already infected the hard disk. Note that the Macintosh uses a combination of hardware design and operating system software to eject floppy disks when booting, thus considerably reducing the chances of this type of infection.

Even without the Mac’s method of handling floppies, the solution appears quite simple: don’t leave floppies in drive A, and if you do get the Non-System error message, remove the floppy and reset the system (a power-off and restart is the surest) rather than pressing “any key.” Pressing a key merely continues the boot from the hard disk with the virus still resident in memory; and since the hard disk boot sector may already have been infected by then, it should be checked afterwards. Better still, if you have a newer BIOS that allows you to adjust the drive boot sequence, tell it to boot from C before A (this still allows you to boot from a floppy if something happens to drive C). Well-known boot sector viruses include Michelangelo, Monkey.B, and perhaps the most widely occurring viruses of all time, Stoned and Form.
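A check for the kind of alteration described above, as an added example that is not part of the handbook or of any antivirus product: it takes a raw 512-byte sector image, decides whether it is a Master Boot Sector (partition table present) or a DOS Boot Sector (JMP plus BIOS Parameter Block), and compares a hash of the code portion against a fingerprint recorded while the machine was known to be clean, leaving out the parts that a repartition or reformat legitimately rewrites. It also pulls the printable strings out of the floppy sample, which is where the “Non-System disk” message lives. The sector layouts are the standard PC ones; the sample sectors, their placeholder “code” bytes and the hypothetical helper names are constructed here and are neither real boot code nor virus code.

```python
"""Boot sector integrity check (example code added to this page, not from the handbook).

Parses one raw 512-byte sector, classifies it as MBR or DOS boot sector, and
compares a hash of its executable part with a baseline from a clean system.
Sample sectors below are constructed; their "code" bytes are placeholders.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of every bootable sector
PARTITION_TABLE_OFFSET = 446      # MBR: four 16-byte partition entries follow the code
BPB_END = 62                      # DOS boot sector: JMP, OEM name, extended BPB fill bytes 0-61


def parse_partition_table(sector: bytes) -> list:
    """Return the four MBR partition entries as dicts (status, type, LBA start, length)."""
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PARTITION_TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries


def classify_sector(sector: bytes) -> str:
    """Return 'mbr', 'dos_boot' or 'unknown' for a raw 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        return "unknown"                      # the BIOS would not boot it either
    entries = parse_partition_table(sector)
    if all(e["status"] in (0x00, 0x80) for e in entries) and any(e["type"] for e in entries):
        return "mbr"
    # A DOS boot sector opens with a short JMP (EB xx 90) or near JMP (E9 xx xx),
    # then the 8-byte OEM name; the BPB starts at byte 11 with bytes-per-sector.
    has_jmp = (sector[0] == 0xEB and sector[2] == 0x90) or sector[0] == 0xE9
    bytes_per_sector = struct.unpack_from("<H", sector, 11)[0]
    if has_jmp and bytes_per_sector in (512, 1024, 2048, 4096):
        return "dos_boot"
    return "unknown"


def code_fingerprint(sector: bytes) -> str:
    """SHA-256 of the region that changes only when the boot CODE changes.
    The partition table (MBR) and the BPB (DOS boot sector) are data that a
    repartition or reformat legitimately rewrites, so they are excluded."""
    kind = classify_sector(sector)
    if kind == "mbr":
        region = sector[:PARTITION_TABLE_OFFSET]
    elif kind == "dos_boot":
        region = sector[BPB_END:510]
    else:
        raise ValueError("not a recognisable boot sector")
    return hashlib.sha256(region).hexdigest()


def boot_code_unchanged(sector: bytes, baseline_fingerprint: str) -> bool:
    """True when the boot code matches the fingerprint recorded on a clean system."""
    return code_fingerprint(sector) == baseline_fingerprint


def extract_strings(sector: bytes, min_len: int = 8) -> list:
    """Printable ASCII runs; shows the error text that lives inside the boot sector."""
    found, run = [], bytearray()
    for b in sector + b"\x00":                # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def make_sample_mbr(code: bytes) -> bytes:
    """Constructed MBR: placeholder code, one active FAT16 partition, boot signature."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x1f", 63, 1048513)
    return code.ljust(PARTITION_TABLE_OFFSET, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE


def make_sample_dos_boot(code: bytes, message: bytes) -> bytes:
    """Constructed 1.44 MB FAT12 floppy boot sector with a BPB and an error message."""
    header = b"\xeb\x3c\x90" + b"MSDOS5.0"                            # JMP + OEM name
    bpb = struct.pack("<HBHBHHBHHHII", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    ext = b"\x00\x00\x29" + b"\x01\x02\x03\x04" + b"NO NAME    " + b"FAT12   "
    body = (code + message).ljust(510 - BPB_END, b"\x00")
    return header + bpb + ext + body + BOOT_SIGNATURE


# Constructed samples (placeholder bytes, not real boot or virus code):
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 40)
TAMPERED_MBR = make_sample_mbr(b"\xeb\x10\x90" + b"\x90" * 40)   # bootstrap replaced, table intact
NON_SYSTEM_MSG = b"Non-System disk or disk error\r\nReplace and strike any key when ready\r\n"
CLEAN_FLOPPY = make_sample_dos_boot(b"\xfa\x33\xc0\x8e\xd0", NON_SYSTEM_MSG)
BASELINE = code_fingerprint(CLEAN_MBR)      # record this while the machine is known clean

if __name__ == "__main__":
    print("clean MBR   :", classify_sector(CLEAN_MBR), boot_code_unchanged(CLEAN_MBR, BASELINE))
    print("tampered MBR:", classify_sector(TAMPERED_MBR), boot_code_unchanged(TAMPERED_MBR, BASELINE))
    print("floppy      :", classify_sector(CLEAN_FLOPPY), extract_strings(CLEAN_FLOPPY))
```

To use it against a real disk you would read the first sector with a raw-disk tool (for example `dd if=/dev/sda bs=512 count=1` on a Unix system, or a DOS utility that issues INT 13h reads) and keep the baseline fingerprint somewhere the machine cannot silently rewrite, such as a write-protected floppy. Hashing only the code region is what lets a legitimate repartition pass while a replaced bootstrap, as in the tampered sample, fails the check.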

While at first it sounds like you could only catch a boot sector virus from a floppy disk, the threat is slightly more complex thanks to the folks who enjoy placing boot sector viruses in Trojan horse or “bait” files and then uploading them to bulletin boards. These files are designed to place the boot sector virus on your system when you execute them (ironically, these programs accomplish this task with a routine known as a “dropper,” originally developed to allow the transfer of boot sector viruses between legitimate researchers and antivirus programmers).






Network Security Library - All you want to know about Windows, UNIX, NetWare, WWW, Firewalls, Intrusion Detection Systems, Security Policy, etc.