Handbook of Information Security Management:Computer Architecture and System Security



DEFEATING VIRUSES AND OTHER MALICIOUS CODE

One of the most persistent threats to the confidentiality, integrity, and availability of data entrusted to desktop systems is malicious code, the most common form of which is the virus. A computer virus is self-replicating code designed to spread from system to system. Thousands of different viruses have been identified, although only a few hundred are active. This is software which can erase files, bring down networks, and waste a lot of person power and processing time. There are several types of programs, besides viruses, that can be grouped together as malicious code, or MC, although each type poses a different threat to the integrity and availability of your data.

The Malicious Code Problem

Based on numerous studies it is possible to say that malicious code has caused billions of dollars worth of damage and disruption over the last five years.[15] Malicious code has affected everything from corporate mainframes and networks to computers in homes, schools, and universities. Despite impressive advances in defensive measures, malicious programs continue to pose a major threat to information security. A key member of IBM’s antivirus team, Alan Fedeli, uses the following as simple, working definitions of the three main problems for PC and LAN users:

  Virus: a program which, when executed, can add itself to another program, without permission, and in such a way that the infected program, when executed, can add itself to still other programs.
  Worm: a program which copies itself into nodes in a network, without permission.
  Trojan horse: a program which masquerades as a legitimate program, but does something other than what was expected (as in the deceptive wooden horse used by the Greek army to achieve the fall of Troy).

[15] One of the most comprehensive studies is the one performed by NCSA, available at their Web site, www.ncsa.com.

Note that while viruses and worms replicate themselves, Trojan horses do not. Viruses and worms both produce copies of themselves but worms do so without using host files as carriers.

A fourth category of malicious code, the logic bomb, has historically been associated with mainframe programs but can also appear in desktop and network applications. A logic bomb can be defined as dormant code, the activation of which is triggered by a predetermined time or event. For example, a logic bomb might start erasing data files when the system clock reaches a certain date or when the application has been loaded x number of times. In practice, these various elements can be combined, so that a virus could gain access to a system via a Trojan, then plant a logic bomb, which triggers a worm.

The practical objection to viruses, worms, Trojan horses, and logic bombs is that no programmer, however smart, can write code that will run benignly on every computer it encounters. Commercial software developers like Microsoft, which spend millions on software development and testing, cannot create such code, even when an elaborate installation program is used. The number of hardware permutations alone is staggering (with 12 alternatives in each of 12 categories you get 8,916,100,448,256 possible combinations). Quite simply, you cannot write benign code which can insert itself unannounced into every system without causing problems for at least some of those systems.

About Viruses

According to Dr. Peter Tippett, President of the National Computer Security Association, even if virus code does not try to cause harm, “most of the damage that viruses cause, day in and day out, relates to the simple fact that contamination by them must be cleaned up. The problem is that unless you search through all the personal computers at your site, as well as all the diskettes at your site, you can have no assurance that you have found all copies of the virus that may have actually infected only four or five PCs. Since viruses are essentially invisible the engineer must actually go looking for them on all 1000 PCs and 35,000 diskettes in an average corporate computer site. And if even a single instance of the virus is missed, then other computers will eventually be reinfected and the whole clean-up process must start again.”

Further light is shed by IBM’s Al Fedeli who notes that “While viruses exhibit many other characteristic behaviors, such as causing pranks, changing or deleting files, displaying messages or screen effects, hiding from detection by changing or encrypting themselves, modifying programs and spreading are the necessary and sufficient conditions for a program to be considered a virus.” The very act of modifying files means that the presence of a virus causes disruption to normal operation, in addition to which the virus program can be written to carry out a specific task, like playing a tune at a certain time every day. In a mix of metaphors, such a virus task is referred to as a payload and the event that releases or invokes it is referred to as a trigger. This might be a date or action, such as booting up the machine. Some payloads are very nasty, such as corrupting the file allocation table (FAT) on a disk and thus rendering files inaccessible.

A lot of viruses attack operating system files, meaning that they have the potential to disrupt a wide range of users. Other viruses attack a particular application. Consider the virus that attacks dBASE data files, stored with the DBF extension. The virus reverses the order of bytes in the file as it is written to disk. The virus reverses them back to normal when the file is retrieved, making the change transparent to the casual user. However, if the file is sent to an uninfected user, or if the virus is inadvertently removed from the host system, the data are left in a scrambled state.
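As an added illustration of the dBASE scrambling virus just described (this code is not from the handbook), the following Python check validates the standard dBASE III header layout of a .DBF file and flags a file whose bytes only make sense when read backwards, so an administrator can find tables left scrambled after the virus has been removed rather than after a user opens one. The sample table is constructed inline; the signature bytes listed are the commonly documented dBASE/FoxPro file types.

```python
import struct

# Signature bytes commonly found at offset 0 of dBASE III/IV and FoxPro tables.
DBF_SIGNATURES = {0x03, 0x83, 0x8B, 0x30, 0xF5}


def build_dbf(names, field_len=10):
    """Construct a minimal dBASE III table with one character field NAME (sample data)."""
    header_len = 32 + 32 * 1 + 1          # header + one field descriptor + 0x0D terminator
    record_len = 1 + field_len             # deletion flag + field data
    header = struct.pack("<BBBBIHH20x", 0x03, 97, 1, 15, len(names), header_len, record_len)
    field = b"NAME".ljust(11, b"\x00") + b"C" + b"\x00" * 4 + bytes([field_len]) + b"\x00" * 15
    body = b"".join(b" " + n.encode("ascii").ljust(field_len) for n in names)
    return header + field + b"\x0D" + body + b"\x1A"   # 0x1A is the usual end-of-file marker


def _looks_valid(b):
    """Structural sanity check of a .DBF image: signature, header geometry, terminator, size."""
    if len(b) < 33 or b[0] not in DBF_SIGNATURES:
        return False
    n_rec, hdr_len, rec_len = struct.unpack_from("<IHH", b, 4)
    if hdr_len < 33 or hdr_len > len(b) or (hdr_len - 33) % 32 or rec_len == 0:
        return False
    if b[hdr_len - 1] != 0x0D:
        return False
    expected = hdr_len + n_rec * rec_len
    return len(b) in (expected, expected + 1)   # EOF marker is optional


def dbf_status(data):
    """'ok' = well formed; 'reversed' = valid only when byte order is reversed, i.e. left
    scrambled by a byte-reversing virus; 'corrupt' = neither reading makes sense."""
    if _looks_valid(data):
        return "ok"
    if _looks_valid(data[::-1]):
        return "reversed"
    return "corrupt"


def read_names(data):
    """Return the NAME column of an unscrambled table, skipping records flagged '*' (deleted)."""
    n_rec, hdr_len, rec_len = struct.unpack_from("<IHH", data, 4)
    out = []
    for i in range(n_rec):
        rec = data[hdr_len + i * rec_len: hdr_len + (i + 1) * rec_len]
        if rec[:1] != b"*":
            out.append(rec[1:].decode("ascii").rstrip())
    return out
```

A file reported as "reversed" can be restored by writing `data[::-1]` back, but only after confirming the host is clean, since the still-present virus would reverse it again on the next write.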

Before moving on to Trojan horses, it is important to point out that although some people say there are thousands of viruses to worry about, as of early 1997, only a few hundred were “in the wild”. This term is reserved for viruses that have actually infected someone, somewhere. It is important to distinguish this small number of “in the wild” viruses from the much larger number of “in the zoo” viruses. We use this term to describe a virus that has never been seen in a real-world situation (believe it or not, some people who write viruses send them to antivirus researchers, which is one reason the population of the zoo far outnumbers that of the wild).[16]


[16] A list of current “in the wild” viruses can be found at www.ncsa.com/virus/wildlist.html. The list is maintained independently for the computing community by Joe Wells, with the help of over 40 volunteers around the world.

