From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Tue, 19 Jun 90 09:44:32 BST 
Message-Id:   <$TGWFCWKBBCWC at UMPA>
Subject:      Here is Virus-L vol 0 #0997

Virus-L Digest Fri, 23 Sep 88, Volume 0 : Issue #0997

Today's Topics

"Virus Guide" from software vendor

------------------------------

Date:         Fri, 23 Sep 88 15:57:15 EDT
From:         Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU>
Subject:      "Virus Guide" from software vendor

In a recent (June or July?) issue of The  Chronicle  Of  Higher  Education,
there  was a computer virus article in which an anti-virus software vendor,
RG Software Systems, offered to send anyone who asked  a  free  copy  of  a
virus  guide  which they had written. So, I requested a copy of it on disk.
Here then, is the article (in the interest of fairness, I did edit out some
advertising information at the end of the article):

                COMPUTER VIRUSES: A RATIONAL VIEW

by: Raymond M. Glath, President, RG Software Systems, Inc.,
2300 Computer Ave., Suite I-51, Willow Grove, PA 19090. tel (215)  659-5300
April 14, 1988

WHAT ARE COMPUTER VIRUSES?
(a.k.a. Trojan Horses, Worms, Time Bombs, Sabotage)

Any software that has  been  developed  specifically  for  the  purpose  of
interfering with a computer's normal operations.

WHAT DO THEY DO?

There are two major categories of viruses.

Destructive viruses, which cause:

Massive destruction...  ie:  Low  level  format  of  disk(s),  whereby  any
programs and data on the disk are not recoverable.

Partial destruction... ie: Erasure or modification of a portion of a  disk.

Selective destruction... ie: Erasure or modification of specific  files  or
file groups.

Random havoc... The most insidious form of all. ie: Randomly changing  data
on disk or in RAM during normal program applications, or changing keystroke
values,  or  data from other input/output devices, with the result being an
inordinate amount of time to discover and repair the  problem,  and  damage
that may never be known about.

Non-Destructive viruses, intended to cause attention to the  author  or  to
harass the end user.

a.  Annoyances...  ie:  Displaying  a  message,  changing  display  colors,
changing  keystroke  values  such  as reversing the effect of the Shift and
Unshift keys, etc.

WHAT IS THE IMPACT OF A VIRUS ATTACK BEYOND THE OBVIOUS?

Lost productivity time !!!

In addition to the time and skills required to  re-construct  damaged  data
files, viruses can waste a lot of time in many other ways.

With either type of virus, the person subjected to the attack  as  well  as
many  support  personnel from the attacked site and from various suppliers,
will sacrifice many hours of otherwise productive time:

   Time to determine the cause of the attack.
   The removal of the virus code from the system.
   The recovery of lost data.
   The detective work required to locate the original source of the virus
       code.
   Then, there's the management time required to determine how this will be
       prevented in the future.

WHO DEVELOPS VIRUSES?

This individual, regardless of his specific motivation, will most  probably
want  to  see some form of publicity resulting from his handiwork. Anywhere
from a "Gotcha" message  appearing  on  the  computer's  screen  after  the
attack,  to  major press coverage of that particular virus' spread and wake
of damage.

Some of the reasons for someone to spend  their  time  developing  a  virus
program are:

     A practical joke.
     A personal vendetta against a company or  another person.
          ie: a disgruntled employee.
     The computer-literate political terrorist.
     Someone  trying  to  gain  publicity  for  some cause or product.
     The bored, un-noticed "genius," who wants attention.
     The mentally disturbed sociopath.

IS THE THREAT REAL?

Yes, however thus far the destructive  ones  have  primarily  been  in  the
Academic  environment.  Several  attacks have been documented by the press,
and, from first hand experience, I  can  attest  to  the  fact  that  those
reported  do  exist.  We have seen some of them and successfully tested our
Disk Watcher product against them.

Reputable individuals have reported additional viruses  to  us,  but  these
have  not  reached  the  scale of distribution achieved by the now infamous
"Lehigh," "Brain," "Israeli," and "Macintosh" viruses.

We do expect the situation to worsen due to the  attention  it's  received.
Taking simple lessons from history, a new phenomenon, once given attention,
will  be  replicated  by  individuals who otherwise have no opportunity for
personal attention.

Now that there are products for defense from  viruses,  the  virus  writers
have been given a challenge; and for those people who have always wanted to
anonymously strike out at someone but didn't know of a method to do so, the
coverage has provided a "How To" guide.

HOW DOES A VIRUS GET INTO YOUR COMPUTER SYSTEM?

A virus may be entered into a system by an unsuspecting user who  has  been
duped by the virus creator (Covert entry), or it may be entered directly by
the creator (Overt entry).

[Examples of Covert entry of a virus into a computer system.]

A "carrier" program such as a "pirate" copy of a  commercial  package  that
has  been  tampered  with,  is utilized by the un-suspecting user, and thus
enters the virus code into the system.

Other types of carriers could be programs from Bulletin  Boards  that  have
been  either  tampered  with  or  specifically  designed  as  viruses,  but
disguised as useful programs. There  has  even  been  a  destructive  virus
disguised as a "virus protection" program on a BBS.

The user unknowingly acquires an "infected" disk and uses it  to  boot  the
system.

The virus has been hidden in the system files  and  then  hides  itself  in
system  RAM or other system files in order to reproduce, and later, attack.


[Examples of Overt entry into a computer system.]

An individual bent on harassing the user or sabotaging the computer system,
modifies an existing program on that computer or  copies  a  virus  program
onto someone's disk during their absence from their work station.

HOW DOES A VIRUS SPREAD?

A virus may reproduce itself by delaying  its  attack  until  it  has  made
copies  of  itself onto other disks (Active reproduction), or it may depend
entirely on unsuspecting users to make copies of it and  pass  them  around
(Passive  reproduction).  It  may  also use a combination of these methods.

WHAT TRIGGERS THE VIRUS ATTACK?

Attacks begin upon the occurrence of a certain event, such as:

     On a certain date.
     At a certain time of day.
     When a certain job is run.
     After "cloning" itself n times.
     When a certain combination of keystrokes occurs.
     When the computer is restarted.

One way or another, the virus code must  put  itself  into  a  position  to
either  start  itself  when  the  computer is turned on, or when a specific
program is run.

HOW DOES ONE DISTINGUISH A VIRUS FROM A "BUG" IN A PROGRAM  OR  A  HARDWARE
MALFUNCTION?

This can be a tough one.  With  the  publicity  surrounding  viruses,  many
people are ready to believe that any strange occurrence while computing may
have  been caused by a virus, when it could simply be an operational error,
hardware component failure, or a software "bug."

While most commercial software developers test their products exhaustively,
there is always the possibility that some combination of hardware;  mix  of
installed   TSR's;   user   actions;   or   slight  incompatibilities  with
"compatible" or "clone" machines or components;  can  cause  a  problem  to
surface.

We need to remember some key points here:

1. Examine the probabilities of your having contacted a virus.

2. Don't just assume that you've been attacked by a virus and abandon  your
   normal  troubleshooting  techniques  or those recommended by the product
   manufacturers.

3. When in doubt  contact  your  supplier  or  the  manufacturer  for  tech
   support.

4. Having an effective "Virus Protection" system  installed  may  help  you
   determine the cause of the problem.

HOW CAN YOU AVOID COMING IN CONTACT WITH VIRUSES?

1. Know and be comfortable with the source of your  software  acquisitions.

   If you use a BBS (Bulletin Board), verify that the BBS is reputable  and
   that  it  has satisfactory procedures in place to check out its software
   as well as provisions to prevent  that  software  from  being  modified.

   Do not use illegitimate copies of software.

   Be  sure  that  the  developer  of  the  software  you're  using  is   a
   professional.  Note  that  many  "Shareware" products are professionally
   produced. You needn't stop using them. Just be  sure  that  you  have  a
   legitimate  copy  of  the  program  if you choose to use these products.

   Don't accept free software that looks too good to be true.

2. Install a professional virus protection package on  your  computer  that
   will alert you to any strange goings on.

3. Provide physical security for your computers. ie: Locked rooms; locks on
   the computers; etc.

4. If you're unsure of a disk or a specific program, run it in an  isolated
   environment where it will not be able to do any damage.

   ie:  Run  the  program  on  a  "diskette  only"  computer,  and  keep  a
   write-protect tab on your "System Disk."

   Run the program with "Virus Protection" software installed.

5. Establish and maintain a sound Back-Up policy.

   DO NOT USE ONLY ONE SET OF BACK-UP DISKS THAT ARE  CONTINUOUSLY  WRITTEN
   OVER.

   Use at least three complete sets of back-up disks that are rotated in  a
   regular cycle.

DO YOU NEED SOME FORM OF PROTECTION FROM VIRUSES?

It couldn't hurt!!! You do lock the door to your  home  when  you  go  out,
right?

Plan in advance the methods you'll use to ward off virus  attacks.  It's  a
far  more  effective  use  of  management  time  to  establish preventative
measures in a calm environment instead of making panic  decisions  after  a
virus attack has occurred.

IS THERE ANY SOLUTION AVAILABLE THAT'S ABSOLUTELY FOOLPROOF?

No !!!

Any security system can be broken by someone  dedicated  and  knowledgeable
enough to put forth the effort to break the system.

WHAT LEVEL OF PROTECTION DO YOU NEED?

This of course depends on many factors, such as:

     1. The sensitivity of the data on your PC's.
     2. The number of personnel having access to your PC's.
     3. The security awareness of computing personnel.
     4. The skill levels of computing personnel.
     5. Attitudes, ethics, and morale of computing personnel.

A key point of consideration is the threshold for the  amount  of  security
you can use versus its impact on normal productivity.

Human nature must also be considered. If you were to install  10  locks  on
your  front  door  and it cost you 5 minutes each time you enter your home,
I'll bet that the first time that it's raining... and you have  3  bags  of
groceries...  you'll  go  back  to  using  the  one  lock  you always used.

HOW CAN A SOFTWARE PRODUCT PROTECT AGAINST VIRUSES?

There are several approaches that have been developed.

One form is an "inoculation" or "signature" process, whereby the key  files
on  a  disk  are marked in a special way and periodically checked to see if
the files have been  changed.  Depending  on  the  way  in  which  this  is
implemented,  this  method  can  actually interfere with programs that have
built-in integrity checks.

Another method is to "Write Protect" specific key areas of the disk so that
no software is permitted to change the data in those places.
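As an added illustration of the "signature" approach described above (this is example code, not code from the article or from RG Software Systems), the following Python records a digest of each key file in a separate database rather than marking the files themselves, which sidesteps the conflict with programs' built-in integrity checks that the article mentions; it also reports files that are missing or have appeared since the baseline. The file names and contents are constructed sample data.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files need little RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Record size and digest for each key file; the files are left untouched."""
    return {p: {"size": os.path.getsize(p), "sha256": file_digest(p)} for p in paths}


def verify(baseline, paths):
    """Compare the current disk state with the baseline: changed, missing, new."""
    report = {"changed": [], "missing": [], "new": []}
    for p, rec in baseline.items():
        if not os.path.exists(p):
            report["missing"].append(p)
        elif os.path.getsize(p) != rec["size"] or file_digest(p) != rec["sha256"]:
            report["changed"].append(p)
    for p in paths:
        if p not in baseline:
            report["new"].append(p)
    return report


def demo():
    """Constructed scenario: baseline three 'system files', then simulate a change."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("COMMAND.COM", "IBMBIO.COM", "AUTOEXEC.BAT")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original contents of " + os.path.basename(p).encode())
        db = os.path.join(d, "signatures.json")  # signature database kept outside the files
        with open(db, "w") as f:
            json.dump(build_baseline(paths), f)
        with open(db) as f:
            baseline = json.load(f)
        clean = verify(baseline, paths)           # nothing changed yet
        # Simulate an appending infector: COMMAND.COM grows, the others are untouched.
        with open(paths[0], "ab") as f:
            f.write(b"X" * 64)
        new_file = os.path.join(d, "UNKNOWN.COM")  # a program that was not in the baseline
        with open(new_file, "wb") as f:
            f.write(b"unexpected program")
        after = verify(baseline, paths + [new_file])
        return clean, after
```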

We at RG Software Systems, Inc. believe that preventative measures are  the
most effective. The Disk Watcher system provides multiple lines of defense:
A  "Batch" type program automatically checks all active disk drives for the
presence of certain hidden  virus  characteristics  when  the  computer  is
started,  and  a TSR (Terminate and Stay Resident) program monitors ongoing
disk activity throughout all processing. The "Batch" program  can  also  be
run on demand at any time to check the disk in a specific drive.

The TSR program, in addition to its other "Disaster  Prevention"  features,
contains  a  series  of  proprietary  algorithms  that  detect the behavior
characteristics of a myriad of virus  programs,  and  yet  produce  minimal
overhead  in  processing  time  and  "false alarm" reports. Disk Watcher is
uniquely able to tell the difference between legitimate IO activity and the
IO activity of a virus program.

When an action occurs indicative of a virus attempting to reproduce itself;
alter another program; set itself up to be automatically run the next  time
the  system  is started; or attempting to perform a massively damaging act;
Disk Watcher will automatically "pop up." The user will then  have  several
options, one of which is to immediately stop the computer before any damage
can be done. Detection occurs BEFORE the action takes place.

Other options  allow  the  user  to  tell  Disk  Watcher  to  continue  the
application  program and remember that this program is permitted to perform
the action that triggered the "pop up."
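An added example (not Disk Watcher's proprietary code) of how a resident monitor of the kind described above can classify disk operations against the four behaviours the article lists (reproduce, alter another program, set itself up to run at startup, massively damaging act) and remember actions the user has permitted. The event log and program names are constructed.

```python
import fnmatch
from collections import namedtuple

# One disk operation as the resident monitor would see it (constructed model).
Event = namedtuple("Event", "program op target")

# Behaviours the article says a monitor should trap: (op, target pattern, label).
RULES = [
    ("write",  "BOOT_SECTOR",  "reproduce: write to boot sector"),
    ("write",  "*.COM",        "alter another program"),
    ("write",  "*.EXE",        "alter another program"),
    ("write",  "AUTOEXEC.BAT", "set itself up to run at next startup"),
    ("write",  "CONFIG.SYS",   "set itself up to run at next startup"),
    ("format", "*",            "massively damaging act"),
]


class Monitor:
    def __init__(self):
        self.permitted = set()  # (program, label) pairs the user chose to remember

    def classify(self, ev):
        """Return the suspicious-behaviour label for an event, or None."""
        for op, pattern, label in RULES:
            if ev.op == op and fnmatch.fnmatchcase(ev.target.upper(), pattern):
                # A program rewriting its own file is not "altering another program".
                if label == "alter another program" and ev.target.upper() == ev.program.upper():
                    return None
                return label
        return None

    def permit(self, program, label):
        """Model the 'continue and remember this program is permitted' option."""
        self.permitted.add((program.upper(), label))

    def check(self, ev):
        """Return an alert string if the event should 'pop up', else None."""
        label = self.classify(ev)
        if label is None or (ev.program.upper(), label) in self.permitted:
            return None
        return f"{ev.program}: {label} ({ev.op} {ev.target})"


def demo():
    """Constructed activity log: a word processor, an installer, and a suspect game."""
    mon = Monitor()
    log = [
        Event("WS.EXE",    "write",  "LETTER.TXT"),    # ordinary document save
        Event("GAME.COM",  "write",  "GAME.COM"),      # program updating its own file
        Event("SETUP.EXE", "write",  "AUTOEXEC.BAT"),  # installer edits the startup file
        Event("GAME.COM",  "write",  "COMMAND.COM"),   # suspect: patches another program
        Event("GAME.COM",  "write",  "BOOT_SECTOR"),   # suspect: boot-sector write
        Event("GAME.COM",  "format", "C:"),            # suspect: destructive act
    ]
    alerts = []
    for ev in log:
        alert = mon.check(ev)
        if alert:
            alerts.append(alert)
            if ev.program == "SETUP.EXE":
                # User chose "continue and remember": later SETUP startup edits pass.
                mon.permit(ev.program, mon.classify(ev))
    followup = mon.check(Event("SETUP.EXE", "write", "CONFIG.SYS"))  # now permitted
    return alerts, followup
```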

Some very important features of Disk Watcher are:

Whenever the user selects the "Stop the Computer" option,  the  Application
screen  image  and the Disk Watcher screen image will be sent to the system
printer before the machine is stopped, so that an effective analysis of the
problem may be done.

Disk Watcher performs an integrity check on itself whenever it runs.

The "Destructive" viruses that  produce  "selective"  file  destruction  or
"Random  Havoc" are the most difficult to defend against. The best measures
are to prevent them from getting  into  the  system  in  the  first  place.

WHICH VIRUS PROTECTION PACKAGE IS RIGHT FOR YOU?

Since the first reports of virus attacks appeared in the press, a number of
"Virus Prevention" products have quickly appeared on the  market,  produced
by companies wishing to take advantage of a unique market opportunity. This
is  to  be expected. RG Software Systems, Inc. is one of them with our Disk
Watcher product.

It should be pointed out, however, that as of this writing, only  a  little
over  2  months  has  transpired  since  the  first major stories appeared.

Those companies that have had to build a product from scratch  during  this
limited  amount  of time have had to design the defensive system, write the
program code, write the user's manual, design the packaging, "Alpha"  test,
"Beta"  test,  and  bring  their product through manufacturing to market. A
monumental task in a miraculously short period of time.

Companies  that  have  had  products  on  the  market  that  include  virus
protection,  or  products  that  were enhanced to include virus protection,
such as Disk Watcher, have had extra time  and  field  experience  for  the
stabilization of their products.

As a professional in this industry,  I  sincerely  hope  that  the  quickly
developed products are stable in their released form.

The evaluation points listed below are usually applied as  a  standard  for
all types of software products:

         *Price
         *Performance
         *Ease of Use
         *Ease of Learning
         *Ease of Installation
         *Documentation
         *Copy Protection
         *Support

A "Virus Protection"  package,  like  a  security  system  for  your  home,
requires a close scrutiny. You want the system to do the job unobtrusively,
and yet be effective.

TWELVE SPECIAL CONSIDERATIONS FOR VIRUS PROTECTION PACKAGES:

1. Amount of impact the package may have on your computer's performance.
   If the package is "RAM Resident," does it noticeably slow down your
   machine's operations?
   If so, with what type of operation? Are  program  startups  slowed?  Are
   database operations slowed?

2. Level of dependency on operator intervention.
   Does the package require the operator to  perform  certain  tasks  on  a
   regular  basis  in  order for it to be effective? (Such as only checking
   for virus conditions on command.)
   Does the package require much time to install and keep operational?  ie:
   Each  time  any  new  software  is  installed  on  the  system, must the
   protection package be used?

3. Impact on productivity... Annoyance level.
   Does  the  package  periodically  stop  processing  and/or  require  the
   operator  to  take  some  action?  If  so,  does  the  package  have any
   capability to learn its environment and stop its interference?

4. False alarms.
   How does the package handle situations that appear to be viruses but are
   legitimate actions made by legitimate programs?
   Are there situations where legitimate jobs will have to be re-run or the
   system re-booted because of the protection package? How frequently  will
   this occur?
   How much additional end-user support will the package require?

5. The probability that the package will remain in use?
   Will  there  be  any  interference  or  usage  requirements  that   will
   discourage  the  user  from  keeping  the  package  active? (It won't be
   effective if they quickly desire  to  de-install  it  and  perhaps  only
   pretend they are using it when management is present.)

6. Level of effectiveness it provides in combatting viruses.
   Will it be  effective  against  viruses  produced  by  someone  with  an
   experience level of:
          Level 1 - "Typical End User"? (Basic knowledge of using
                      applications and DOS commands.)
          Level 2 - "Power  User"?   (Knowledge  of  DOS  Command
                      processor, Hardware functions, BASIC
                      programming, etc.)
          Level 3 - "Applications  Programmer"?  (Knowledge of
                      programming languages and DOS service calls.)
          Level 4 - "Systems  Engineer"?  (Knowledge  of  DOS and
                      Hardware internal functions.)
          Level 5 -  "Computer  Science  Professor  that develops
                         viruses for research purposes"?

   Which types of intrusion will it be effective against?
   "Covert Entry"?
   "Overt Entry"?

   Does it detect a virus attempting to spread or "clone" itself?
   Does it detect a virus attempting to place itself into a position to  be
   automatically run?
   If a virus gets into the computer, which types of virus damage  will  it
   detect?

          "Massive Destruction"
          "Partial Destruction"
          "Selective Destruction"
          "Random Havoc Destruction"
          "Annoyance"

   Does the software detect a virus before  or  after  it  has  infected  a
   program or made its attack?
   Does the publisher claim total protection from all viruses?

7. Does the software provide any assistance for "post mortem"  analysis  of
   suspected problems?

   ie: If a virus symptom is detected and the  computer  is  brought  to  a
   halt,  is  there  any  supporting  information for analyzing the problem
   other than the operator's recall of events?

8. Impact on your machine's resources.
   How much RAM is used?
   Is any special hardware required?

9. Is the product compatible with:
     Your hardware configuration.
     Your Operating system version.
     Your network.
     Other software that you use, especially TSR's.

10. Can  the  package  be  used  by  current  computing  personnel  without
   substantial training?
   What type of computing experience is required to install the package?

11. Background of the publisher.
   References... Who is using this or other products from  this  publisher?
   How is this company perceived by its customers? The press?
   How long has the publisher been in business?
   Was the product Beta Tested?... By valid, well-known organizations or by
   friends of the company's owner?
   Was  the  product  tested  against  any  known  viruses?   Successfully?
   What about on-going support? In what form? At what cost?
   Does the company plan to upgrade its product periodically?
   What is the upgrade policy? Expected costs?

12. Does the package provide any other useful benefits to the user  besides
   virus protection?

--------------------

*** end of Virus-L issue ***
