Date: Tue, 13 Oct 92 08:09:24 EDT
From: "David M. Chess" <[email protected]>
Subject: File 2--Re: CuD 4.49 - Viruses--Facts and Myths (2)

This is a brief reply to the file from The Dark Adept that appeared in
CuD 4.49.  As an anti-virus weenie myself, I'm speaking from a rather
different point of view, obviously.  On the other hand, I don't claim
to be speaking for the anti-virus weenie community as a whole; this is
just a few personal reactions, written during a sanity break from some
heavy debugging.

Most of the factual stuff in the Adept's file is generally correct
(and amusingly phrased!).  A few notes:

- It's not really just .COM and .EXE files in DOS that can carry
  viruses.  Those are the most common vectors, but since there
  is a DOS call that will execute a file of any name at all as
  a program, and some viruses infect when that call is used,
  you have to look in all your files during a cleanup operation.
  For instance, if you have a game program in FINOGA.COM, and all
  it really does is display the game-company logo and then run
  FINOGA.BNX, some of the most common file-infecting viruses will
  be able to infect FINOGA.BNX, and if you don't clean it up from
  there, you're still infected.

- It's possible (just barely) to write a virus for a BAT file.
  But no one's figured out how to do it in a reliable or non-obvious
  way, so there are no BAT viruses "in the wild", and users don't
  have to worry about them.  The same applies to (for instance)
  worksheet files for spreadsheet programs; since they can contain
  things like autostart macros, it's theoretically possible to
  write a virus that infects them, but there are none in the wild.

The Adept writes that viruses are more common on personal computers
because they "need access to memory that they shouldn't have, and on
a personal computer, there is nothing to stop them from getting it."
This is a common misconception.  In fact, viruses *don't* need
access to memory that they shouldn't have; all they need to be able to
do is read and write program files (the same way that your compiler,
your patch program, your file manager, and so on, do).  Experimental
viruses have been written for larger non-personal computers, and they
work just fine (ask your local librarian for a list of papers by Fred
Cohen from the computer science literature for some good details of
this sort of thing).  The reason we don't see viruses for larger
computers is that software for them does not flow as freely as
software for personal computers.  Quick, how many people reading this
have a diskette in some pocket?  OK, now how many have a 9-track tape
reel?

The Adept's confidence about the cleanliness of store-purchased
software is, I fear, somewhat unfounded.  There have been numerous
reports of legitimately-purchased software accidentally shipped (or
infected at the point of sale) with a virus.  As software producers
and sellers become aware of the problem and better instrumented to
prevent it, we can hope it will become increasingly rare.  But more
than one system has become virus infected even though "all I ever use
is shrink-wrapped software, honest!".

> Each virus has what the anti-virus geeks call a "footprint".

Actually, we anti-virus geeks call it a "signature" or a "scan-id".
Most of the rest of the Adept's comments are quite correct.  I would
observe that most infections in the real world are caused by viruses
that have been out for some time, so it's not incredibly vital to have
this week's copy of your scanner.   This quarter's copy is probably a
good idea, though!  Also, modern scanners tend to be good at detecting
small variants of viruses that they have signatures for, so if someone
creates a "new" virus by the usual method of munging an old one, many
scanners will still find it.

One disadvantage of modification detectors that the Adept doesn't
mention is that they are prone to false positives.  That is, when you
install a new version of HyperWunga, and it changes five-godzillion
programs on your disk, the next time you run your modification
detector it will of course tell you that lots of programs have
changed.   How do you know that none of them were changed by a virus
rather than WungaInstall?  You probably don't.

The Adept somewhat underestimates the abilities of virus removers.  In
fact, a good remover will be able to restore almost all of the objects
infected by almost all common viruses to almost their original state;
it should *never* delete a file without asking your permission first.
Note all those "almost"s, though; many viruses are very buggy, and if
*I* had an actual infection on a machine I cared about, I would
restore the infected objects from backups, even if I had a remover
that claimed to work correctly on that virus.   The other choice is to
trust both the virus and the remover not to have done anything wrong.
A good remover, of course, will know which viruses are buggy, and warn
you about the files that might be corrupted.

Microcomputer viruses probably don't matter much to the Net, as the
Adept points out.  We should keep in mind, though, similar things that
matter more to the Net: there was this little worm the other December,
for instance!  Spreading things can impact just about any kind of
computer system, if the culture and the connectivity are right.

Adept also offers the usual "virus writers are just nice guys who like
to write interesting programs" line.  May be true; I don't know any
actual virus writers.  I would, however, like to ask how all that
hard-disk-trashing code got in there.  Did someone sneak into the Nice
Guys' rooms at night and type it in?  The people who write destructive
viruses clearly have some maladjustments that need to be cleared up
before I'd let them near any of *my* offspring.  Even viruses that
aren't meant to be destructive generally wreak havoc and cause pain as
they spread.  I have no quarrel with someone who writes a virus just
to play with and takes reasonable measures to make sure it never gets
to anyone who doesn't want it.  But the authors of the viruses that
are currently in the wild messing up machines (accidentally or on
purpose) don't qualify.

I certainly agree that there's been quite a bit of hype in the
anti-virus field.  As usual, of course, one should blame the marketing
departments rather than the coding labs!  *8) The world is certainly
not about to end, and the average user should probably take about the
same level of precautions against viruses that she does against, say,
a hard disk failure.  Get a couple of good backup programs, and a
couple of good anti-virus programs, and use them well!  And bring up
your kids to have something more interesting to do with a computer
than write code that hurts other folks...
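An added illustration, not part of Chess's post or of CuD: a minimal modification detector in Python that shows the false-positive problem he describes. File names, contents and the "HyperWunga" upgrade are all constructed for this example; the point is that the detector reports a file as changed without any way to say whether an installer or something else changed it.

```python
import hashlib
from typing import Dict, Set

def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline: SHA-256 digest of every program file, keyed by name.
    A real tool keeps this on write-protected media, not on the disk it guards."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def detect_changes(baseline: Dict[str, str], files: Dict[str, bytes]) -> Set[str]:
    """Names of files whose digest differs from the baseline, plus files that
    appeared or vanished. The detector knows *that* a file changed, never *why*."""
    current = snapshot(files)
    changed = {n for n in baseline if n in current and current[n] != baseline[n]}
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    return changed | added | removed

# Constructed sample disk: eight tiny "programs" with made-up contents.
PROGRAMS = {f"PROG{i}.COM": bytes([0xB8, i, 0x00, 0xCD, 0x21]) for i in range(1, 9)}

def wunga_install(files: Dict[str, bytes]) -> Dict[str, bytes]:
    """Hypothetical legitimate upgrade that rewrites the first five programs."""
    updated = dict(files)
    for name in list(updated)[:5]:
        updated[name] = updated[name] + b"\x90"  # new version, one byte longer
    return updated

def run_demo():
    """Return (files flagged after the install, files flagged after one more
    unexplained change). Both reports are just sets of names: the second
    looks exactly like the first, only one entry longer."""
    baseline = snapshot(PROGRAMS)
    after_install = wunga_install(PROGRAMS)
    flagged_install = detect_changes(baseline, after_install)
    # One further file altered by something that is not the installer
    # (constructed stand-in for the case the administrator cannot explain).
    after_other = dict(after_install)
    after_other["PROG8.COM"] = after_other["PROG8.COM"] + b"\x00"
    flagged_all = detect_changes(baseline, after_other)
    return flagged_install, flagged_all

if __name__ == "__main__":
    inst, both = run_demo()
    print("after install:", sorted(inst))
    print("after install + one more change:", sorted(both))
```

The only way out of the ambiguity is to verify the installer's output by other means (scan it, or compare against the distribution media) and then take a fresh baseline; the detector itself cannot tell WungaInstall from anything else.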

------------------------------