Computer Virus Myths by Rob Rosenberger with Ross Greenberg A number of myths have popped up recently about the threat of computer "viruses". There are myths about how widespread they are, how dangerous they are, and even myths about what a computer virus really is. We'd like the facts to be known. The first thing you have to understand is that a virus is a programming technique that falls in the realm of "Trojan horses." All viruses are Trojan horses, but very few Trojan horses can be called a virus. That having been said, it's time to go over the terminology we use when we lecture: BBS Bulletin Board System. If you have a modem, you can call a BBS and leave messages, transfer com- puter files back & forth, and learn a lot about computers. (What you're reading right now most likely came to you from a BBS, for example.) Bug an accidental flaw in the logic of a computer program that makes it do things it shouldn't really be doing. Programmers don't mean to put bugs in their program, but they always creep in. The first bug was discovered by pioneer Grace Hopper when she found a dead moth shorting out a circuit in the early days of computers. Pro- grammers tend to spend more time debugging their programs than they do writing them in the first place. Hacker someone who really loves computers and who wants to push them to the limit. Hackers don't release Trojan horses onto the world, it's the wormers who do that. (See the definition for a "wormer".) Hackers have a healthy sense of curiosity: they try doorknobs just to see if they're locked, and they tinker with a piece of equipment until it's "just right." Shareware a distribution method for quality software avail- able on a "try before you buy" basis. You pay for the program only if you find it useful. Shareware programs can be downloaded from BBSs and you are encouraged to give an evaluation copy to friends. There are few advertising & distribution costs, so many shareware applications can rival the power of off-the-shelf counterparts, at just a fraction of the price. Copyright (c) 1988 Rob Rosenberger & Ross Greenberg Page 1 Trojan horse a generic term describing a set of computer instructions purposely hidden inside a program. Trojan horses tell a program to do things you don't expect it to do. The term comes from a historic battle in which the ancient city of Troy was offered the "gift" of a large wooden horse that secretly held soldiers in its belly. The Trojans rolled it into their fortified city.... Virus a term for a very specialized Trojan horse that can spread to other computers by secretly "infecting" programs with a copy of itself. A virus is the only type of Trojan horse which is contagious, like the common cold. If it doesn't meet this definition, then it isn't a virus. Worm a term similar to a Trojan horse, but there is no "gift" involved. If the Trojans had left that wooden horse outside the city, they wouldn't have been attacked -- but worms can bypass your defenses. An example is an unauthorized program designed to spread itself by exploiting a bug in a network software package. (Such programs could possibly also contain a virus that activates when it reaches the computer.) Worms are usually released by someone who has normal access to the computer or network. Wormers the name given to the people who unleash destructive Trojan horses. Let's face it, these people aren't angels. What they do hurts us. They deserve our disrespect. Viruses, like all Trojan horses, are purposely designed to make a program do things you don't expect it to do. Some viruses are just an annoyance, perhaps only displaying a "Peace on earth" message. The viruses we're worried about are the ones designed to destroy your files and waste the valuable time you'll spend to repair the damage. Now you know the difference between a virus and a Trojan horse and a bug. Let's get into some of the myths: All purposely destructive code comes as a virus. Wrong. Remember, "Trojan horse" is the general term for purposely destructive code. Very few Trojan horses are actually viruses. All Trojan horses are bad. Believe it or not, there are a few useful Trojan horse tech- niques in the world. A "side door" is any command not documented in the user manual, and it's a Trojan horse by definition. Some programmers install side doors to help them locate bugs in their Computer Virus Myths Page 2 programs. Sometimes a command may have such an obscure function that it makes sense not to document it. Viruses and Trojan horses are a recent phenomenon. Trojan horses have been around since the first days of the computer. Hackers toyed with viruses in the early 1960s as a form of amusement. Many different Trojan horse techniques were developed over the years to embezzle money, destroy data, etc. The general public wasn't aware of this problem until the IBM PC revolution brought it into the spotlight. Just five years ago, banks were still covering up computerized embezzlements because they believed they'd lose too many customers. Computer viruses are reaching epidemic proportions. Wrong again. Viruses may be spread all over the planet but they aren't taking over the world. There are only about fifty or so known virus "strains" at this time and a few of them have been completely eliminated. Your chances of being infected are slim if you take proper precautions. (Yes, it's still safe to turn on your computer!) Viruses could destroy all the files on my disks. Yes, and a spilled cup of coffee will do the same thing. If you have adequate backup copies of your data, you will be able to recover from a virus/coffee attack. Backups mean the difference between a nuisance and a disaster. Viruses have been documented on over 300,000 computers. This statistic comes from John McAfee, a self-styled virus fighter who seems to come up with all the quotes the media love to hear. We assume it includes every floppy disk ever infected by a virus, as well as all of the computers participating in the Christmas worm attack. (That worm was designed for a particular IBM network software package; it never infected the computers. Therefore, it wasn't a virus. The Christmas worm attack can't be included in virus infection statistics.) Most of the media don't understand computer crimes, so they tend to call almost anything a virus. Viruses can be hidden inside a data file. Data files can't wreak havoc on your computer -- only an executable program can do that. If a virus were to infect a data file, it would be a wasted effort. Most BBSs are infected with viruses. Here's another scary myth drummed up in the big virus panic. Very few BBSs are really infected. (If they are infected, they won't be around for long!) It's possible a dangerous file could be available on a BBS, but that doesn't mean the BBS itself is infected. Computer Virus Myths Page 3 BBSs and shareware programs spread viruses. "The truth," says PC Magazine publisher Bill Machrone, "is that all major viruses to date were transmitted by commercial packages and private mail systems, often in universities." The Peace virus, for example, made its way into a commercial software product sold to thousands of customers. Machrone goes on to say that "bulletin boards and shareware authors work extraordinarily hard at policing themselves to keep viruses out." Many reputable sysops check all new files for Trojan horses; nationwide sysop networks help spread the word about dangerous files. You should be careful about software that comes from friends & BBSs, that's definitely true -- but you must also be careful with the software you buy at computer stores. The Peace virus proves it. My computer could be infected if I call an infected BBS. BBSs can't write information on your disks -- that's handled by the communications software you use. You can only transfer a dangerous file if you let your software do it. (In rare cases, a computer hooked into a network could be sent a dangerous file or directly infected, but it takes specialized software to connect a computer into a network. BBSs are NOT networks.) My files are damaged, so it must have been a virus attack. It could also have been caused by a power flux, or static electricity, or a fingerprint on a floppy disk, or a bug in your software, or perhaps a simple error on your part. Power failures and spilled cups of coffee have destroyed more data than all the viruses combined. Donald Burleson was convicted of releasing a virus. A recent Texas computer crime trial was hailed all over the country as a "virus" trial. Donald Burleson was in a position to release a complex, destructive worm on his employer's mainframe computer. This particular worm wasn't able to spread itself to other computers, so it wasn't a virus. The prosecuting attorney, Davis McCown, claims he "never brought up the word virus" during the trial. So why did the media call it a virus? 1. David Kinney, an expert witness testifying for the defense (oddly enough), claimed he believed Burleson unleashed a virus. This is despite the fact that the programs in question had no capability to infect other systems. The prosecuting attorney didn't argue the point and we don't blame him -- Kinney's bizarre claim on the witness stand probably helped sway the jury to convict Burleson, and it was the defense's fault for letting him testify. 2. McCown doesn't offer reporters a definition for the word virus. He gives the facts behind the case and lets the reporters deal with the definitions. The Associated Press and USA Today, among others, used such vague terms that any program could be called a virus. If we applied their definitions in the medical world, we could safely claim penicillin is a biological virus (which is absurd). Computer Virus Myths Page 4 3. McCown claims many of the quotes attributed to him "are misleading or fabricated" and identified one in particular which "is total fiction." Reporters occasionally print a quote out of context, and McCown apparently fell victim to it. (It's possible a few bizarre quotes from David Kinney or John McAfee were accidentally attributed to McCown.) Robert Morris Jr. released a benign virus on a defense network. It may have been benign, but it wasn't a virus in the strict technical sense. Morris, the son of a chief scientist for the National Security Agency, allegedly became bored and decided to take advantage of a tiny bug in the Defense Department's network software. (We say "alleged" because Morris hadn't been charged with a crime when we went to press.) That tiny bug let him send a worm through the network and have it execute when it reached certain computers. Among other things, Morris's "Internet" worm was able to tell some computers to send copies of itself to other computers in the network. The network became clogged in a matter of hours. The media called the Internet worm a "virus" (like it called the Christmas worm a virus) because it was able to spread itself to other computers. But it didn't infect those computers, so it can't be called a virus. (We can't really fault the press for calling it one, though. It escapes the definition of a virus because of a technicality.) A few notes: 1. This worm worked only on Sun-3 & Vax computers with a UNIX operating system that was linked to the Internet network; 2. The 6,200 affected computers should not be counted in any virus infection statistics (they weren't infected); 3. Yes, Morris could easily have added some infection code to make it a worm/virus if he'd had the urge; and, 4. The network bug Morris exploited has since been fixed. Viruses can spread to all sorts of computers. All Trojan horses are limited to a family of computers, and this is especially true for viruses. A virus designed to spread on IBM PCs cannot infect an IBM 4300-series mainframe, nor can it infect a Commodore C64, nor can it infect an Apple MacIntosh. My backup disks will be destroyed if I back up a virus. No, they won't. Let's suppose a virus does get backed up with your other files. Backups are just a form of data, and data can't harm your system. You can recover the important files from your backups without triggering the virus. Anti-virus software will protect me from viruses. Anti-virus packages offer some good front-line protection, but they can be tricky to use at times. You could make a crucial mistake in deciding whether to let a "flagged" event take place. Also, Trojan horses can be designed to take advantage of holes in your defense. Computer Virus Myths Page 5 Copy-protected software is safe from an attack. This is totally wrong. Copy-protected software is the most vulnerable software in a Trojan horse attack. You may have big problems trying to use or re-install such software, especially if the master disk was attacked. It should also be noted that copy- protection schemes rely on extremely tricky techniques which have occasionally "blown up" on users. Some people mistakenly believe they were attacked by a clever virus. Viruses are written by hackers. Yes, hackers have written viruses -- just to see how they operate. But they DON'T unleash them to an unsuspecting public. Wormers are the ones who do that. (You can think of a wormer as a hacker who was seduced by the Dark Side of The Force.) Hackers got a bum rap when the press corrupted the name. We hope this dispels the myths surrounding the virus scare. Viruses DO exist, many of them will cause damage, and all of them can spread to other computers. But you can defend yourself from an attack if you keep a cool head and a set of backups. The following guidelines can shield you from Trojan horses and viruses. They will lower your chances of being attacked and raise your chances of recovering from one. 1. Download files only from reputable BBSs where sysops check every program for Trojan horses. If you're still afraid, consider getting your programs from a BBS or "disk vendor" company which gets its programs directly from the author; 2. Let a newly uploaded file "mature" on a BBS for one or two weeks before you download it (others will put it through its paces). 3. Set up a procedure to regularly back up your files, and follow it religiously. Consider purchasing a user- friendly backup program that takes the drudgery out of backing up your files. 4. Rotate between two sets of backups for better security (use set #1, then set #2, then set #1...). 5. Consider using a program which will create a unique "signature" of all the programs on your computer. Once in a while, you can run this program to determine if any of your applications have been modified -- either by a virus or by a stray gamma ray. 6. If your computer starts acting weird, DON'T PANIC. It may be a virus, but then again it may not. Immediately reboot from a legitimate copy of your master DOS disk. Put a write-protect tab on that disk just to be safe. Do NOT run any programs on your regular disks (you might activate Computer Virus Myths Page 6 a Trojan horse). If you don't have adequate backups, try to bring them up to date. Yes, you might be backing up a virus as well, but it can't hurt you as long as you don't run any of your normal programs. Set your backups off to the side. Only then can you safely hunt for the problem. 7. If you can't figure out what's wrong with your computer, and you aren't sure of yourself, just turn it off and call for help. Consider calling a local computer group before you hire an expert to fix your problem. If you need a professional, consider hiring a regular computer consul- tant before you call on a "virus expert." 8. If you can't figure out what's wrong with your computer, and you are sure of yourself, execute a low-level format on all of your regular disks (you can learn how to do it from almost any BBS), then do a high-level format on each one of them. Next, carefully re-install your software from legitimate copies of the master disks, not from the backups. Then, carefully restore only the data files (not the executable program files!) from your backup disks. If you DO find a Trojan horse or a virus, we'd appreciate it if you'd mail a copy to us. (But please, don't handle one unless you know what you're doing.) Include as much information as you can, and put a label on the disk that says it contains a Trojan horse or virus. Send it to Ross Greenberg, 594 Third Avenue, New York, NY 10016. Thank you. ------------------------------------------------------- Ross Greenberg is the author of a popular Trojan/virus detection program. Rob Rosenberger is the author of a modem analysis program. These men have never met in person; they worked on this story completely by modem. ------------------------------------------------------- Copyright (c) 1988 Rob Rosenberger & Ross Greenberg You may give copies of this to anyone if you pass it along in its entirety. Publications must obtain written permission to reprint this article. Write to Rob Rosenberger, P.O. Box #643, O'Fallon, IL 62269. Computer Virus Myths Page 7