Computer Viruses Essay, Research Paper

Computer Viruses

Introduction

In the past decade, computer and

networking technology has seen

enormous growth. This growth

however, has not come without a

price. With the advent of the

“Information Highway”, as it?s coined,

a new methodology in crime has been

created. Electronic crime has been

responsible for some of the most

financially devastating victimizations

in society.

In the recent past, society has seen

malicious editing of the Justice

Department web page (1),

unauthorized access into classified

government computer files, phone

card and credit card fraud, and

electronic embezzlement. All these

crimes are committed in the name of

“free speech.” These new breed of

criminals claim that information should

not be suppressed or protected and

that the crimes they commit are

really not crimes at all. What they

choose to deny is that the nature of

their actions are slowly consuming

the fabric of our country?s moral and

ethical trust in the information age.

Federal law enforcement agencies, as

well as commercial computer

companies, have been scrambling

around in an attempt to “educate”

the public on how to prevent

computer crime from happening to

them. They inform us whenever there

is an attack, provide us with mostly

ineffective anti-virus software, and

we are left feeling isolated and

vulnerable. I do not feel that this

defensive posture is effective

because it is not pro-active. Society

is still being attacked by highly skilled

computer criminals of which we know

very little about them, their motives,

and their tools of the trade.

Therefore, to be effective in defense,

we must understand how these

attacks take place from a technical

stand-point. To some degree, we

must learn to become a computer

criminal. Then we will be in a better

position to defend against these

victimizations that affect us on both

the financial and emotional level. In

this paper, we will explore these

areas of which we know so little, and

will also see that computers are really

extensions of people. An attack on a

computer?s vulnerabilities are really an

attack on peoples? vulnerabilities.

Today, computer systems are under

attack from a multitude of sources.

These range from malicious code,

such as viruses and worms, to human

threats, such as hackers and phone

“phreaks.” These attacks target

different characteristics of a system.

This leads to the possibility that a

particular system is more susceptible

to certain kinds of attacks.

Malicious code, such as viruses and

worms, attack a system in one of two

ways, either internally or externally.

Traditionally, the virus has been an

internal threat (an attack from within

the company), while the worm, to a

large extent, has been a threat from

an external source (a person

attacking from the outside via modem

or connecting network).

Human threats are perpetrated by

individuals or groups of individuals

that attempt to penetrate systems

through computer networks, public

switched telephone networks or other

sources. These attacks generally

target known security vulnerabilities

of systems. Many of these

vulnerabilities are simply due to

configuration errors.

Malicious Code

Viruses and worms are related classes

of malicious code; as a result they

are often confused. Both share the

primary objective of replication.

However, they are distinctly different

with respect to the techniques they

use and their host system

requirements. This distinction is due

to the disjoint sets of host systems

they attack. Viruses have been

almost exclusively restricted to

personal computers, while worms

have attacked only multi-user

systems.

A careful examination of the histories

of viruses and worms can highlight

the differences and similarities

between these classes of malicious

code. The characteristics shown by

these histories can be used to explain

the differences between the

environments in which they are

found. Viruses and worms have very

different functional requirements;

currently no class of systems

simultaneously meets the needs of

both.

A review of the development of

personal computers and multi-tasking

workstations will show that the gap in

functionality between these classes

of systems is narrowing rapidly. In

the future, a single system may meet

all of the requirements necessary to

support both worms and viruses. This

implies that worms and viruses may

begin to appear in new classes of

systems. A knowledge of the histories

of viruses and worms may make it

possible to predict how malicious

code will cause problems in the

future.

Basic Definitions

To provide a basis for further

discussion, the following definitions

will be used throughout the report;

Trojan Horse – a program which

performs a useful function, but also

performs an unexpected action as

well;

Virus – a code segment which

replicates by attaching copies to

existing executables;

Worm – a program which replicates

itself and causes execution of the

new copy and

Network Worm – a worm which

copies itself to another system by

using common network facilities, and

causes execution of the copy on that

system.

In essence, a computer program

which has been infected by a virus

has been converted into a “trojan

horse”. The program is expected to

perform a useful function, but has the

unintended side effect of viral code

execution. In addition to performing

the unintended task, the virus also

performs the function of replication.

Upon execution, the virus attempts

to replicate and “attach” itself to

another program. It is the

unexpected and uncontrollable

replication that makes viruses so

dangerous. As a result, the host or

victim computer falls prey to an

unlimited amount of damage by the

virus, before anyone realizes what

has happened.

Viruses are currently designed to

attack single platforms. A platform is

defined as the combination of

hardware and the most prevalent

operating system for that hardware.

As an example, a virus can be

referred to as an IBM-PC virus,

referring to the hardware, or a DOS

virus, referring to the operating

system. “Clones” of systems are also

included with the original platform.

History of Viruses

The term “computer virus” was

formally defined by Fred Cohen in

1983, while he performed academic

experiments on a Digital Equipment

Corporation VAX system. Viruses are

classified as being one of two types:

research or “in the wild.” A research

virus is one that has been written for

research or study purposes and has

received almost no distribution to the

public. On the other hand, viruses

which have been seen with any

regularity are termed “in the wild.”

The first computer viruses were

developed in the early 1980s. The

first viruses found in the wild were

Apple II viruses, such as Elk Cloner,

which was reported in 1981 [Den90].

Viruses were found on the following

platforms:

Apple II

IBM PC

Macintosh

Atari

Amiga

These computers made up a large

percentage of the computers sold to

the public at that time. As a result,

many people fell prey to the Elk

Cloner and virus?s similar in nature.

People suffered losses in data from

personal documents to financial

business data with little or no

protection or recourse.

Viruses have “evolved” over the years

due to efforts by their authors to

make the code more difficult to

detect, disassemble, and eradicate.

This evolution has been especially

apparent in the IBM PC viruses; since

there are more distinct viruses known

for the DOS operating system than

any other.

The first IBM-PC virus appeared in

1986 [Den90]; this was the Brain

virus. Brain was a boot sector virus

and remained resident in the

computer until “cleaned out”. In 1987,

Brain was followed by Alameda (Yale),

Cascade, Jerusalem, Lehigh, and

Miami (South African Friday the

13th). These viruses expanded the

target executables to include COM

and EXE files. Cascade was

encrypted to deter disassembly and

detection. Variable encryption

appeared in 1989 with the 1260 virus.

Stealth viruses, which employ various

techniques to avoid detection, also

first appeared in 1989, such as Zero

Bug, Dark Avenger and Frodo (4096

or 4K). In 1990, self-modifying

viruses, such as Whale were

introduced. The year 1991 brought

the GP1 virus, which is

“network-sensitive” and attempts to

steal Novell NetWare passwords.

Since their inception, viruses have

become increasingly complex and

equally destructive.

Examples from the IBM-PC family of

viruses indicate that the most

commonly detected viruses vary

according to continent, but Stoned,

Brain, Cascade, and members of the

Jerusalem family, have spread widely

and continue to appear. This implies

that highly survivable viruses tend to

be benign, replicate many times

before activation, or are somewhat

innovative, utilizing some technique

never used before in a virus.

Personal computer viruses exploit the

lack of effective access controls in

these systems. The viruses modify

files and even the operating system

itself. These are “legal” actions within

the context of the operating system.

While more stringent controls are in

place on multi-tasking, multi-user

operating systems (LAN Networks or

Unix), configuration errors, and

security holes (security bugs) make

viruses on these systems more than

theoretically possible. This leads to

the following initial conclusions:

Viruses exploit weaknesses in

operating system controls and human

patterns of system use/misuse;

Destructive viruses are more likely

to be eradicated and

An innovative virus may have a

larger initial window to propagate

before it is discovered and the

“average” anti-viral product is

modified to detect or eradicate it. If

we reject the hypothesis that viruses

do not exist on multi-user systems

because they are too difficult to

write, what reasons could exist?

Perhaps the explosion of PC viruses

(as opposed to other personal

computer systems) can provide a

clue. The population of PCS and PC

compatible is by far the largest.

Additionally, personal computer users

exchange disks frequently.

Exchanging disks is not required if the

systems are all connected to a

network. In this case large numbers

of systems may be infected through

the use of shared network resources.

One of the primary reasons that

viruses have not been observed on

multi-user systems is that

administrators of these systems are

more likely to exchange source code

rather than executables. They tend

to be more protective of copyrighted

materials, so they exchange locally

developed or public domain software.

It is more convenient to exchange

source code, since differences in

hardware architecture may preclude

exchanging executables. It is this

type of attitude towards network

security that could be viewed as

victim precipitation. The network

administrators place in a position to

be attacked, despite the fact that

they are unaware of the activity. The

following additional conclusions can

be made:

To spread, viruses require a large

population of similar systems and

exchange of executable software;

Destructive viruses are more likely to

be eradicated;

An innovative virus may have a

larger initial window to propagate

before it is discovered and the

“average” anti-viral product is

modified to detect or eradicate it.

Preventive Action

Although many anti-virus tools and

products are now available, personal