Saturday, October 20, 2007

All About Viruses [Cont...]

VIRUS CHARACTERISTICS

FAST
A 'fast infector' spreads rapidly within a computer by infecting everything that is accessed. A fast infector isn't as bad as it sounds; it is just as easy to clean a computer with 1,000 infected files as one with 10, provided you have an anti-virus program that does a good cleaning job. However, most anti-virus products check memory for viruses, and the possibility of a fast infector in memory is one of the reasons why. If there is a fast infector in memory, and the product opens all your files, you wind up with every file on the computer infected.

SLOW
The opposite of a 'fast infector' is a 'slow infector'. The idea here is that if the virus spreads slowly, you're less likely to notice it and kill it. There are various ways that a slow infector can work, but the classic slow infector works by only infecting those files that you had intended to change anyway. This means that if you are running a change detector as an anti-virus measure, the change detector will trigger each time there is an infection, but since you had intended the file to change anyway, you'll tell it to accept the change. Starship is another way of doing a slow infector. It only infects files as you copy them from your hard disk. So no file on the hard disk ever changes, and the change detector is happy. But when you copy a file to a floppy disk, the copy is infected, and when you take this to another computer protected by the change detector, the change detector warns you of the existence of the new file. You will then reassure the change detector that you knew about the new file, the change detector is happy, and another system is infected.

STEALTH
If a virus is memory resident [as are over 99% of viruses 'in the wild'], then it has hooked at least one of the interrupts. If it is a BSV, then it has hooked the disk read/write interrupt 13h. If it is a stealth virus, then whenever any program tries to read the boot sector, the virus says 'Aha, someone wants to see the boot sector; I'll just read the original boot sector from where I put it, and present that instead'. So the software sees nothing out of the ordinary. Brain, vintage 1986, was the first virus that used this trick. File viruses can use a similar trick to disguise their presence, so that any software reading the file only sees the bytes that were there before the virus came along. Frodo is an example of this. It is much commoner to see stealth in BSVs than in file viruses, as it is much easier for the virus author to implement stealth in a BSV.

POLYMORPHISM
The commonest kind of anti-virus program that people use is the scanner, looking for a repertoire of viruses. So for the virus author this is the kind of product that he would most like to defeat. A polymorphic virus is one where if you take two instances of the virus, there are no bytes in common between them, so you cannot write down a byte-sequence and go looking for that in order to detect the virus. You have to do something a lot more complex and difficult.

DAMAGE DONE BY VIRUSES

We can categorise the damage done by viruses into six groups, according to the severity of the damage. Some authorities postulate the possibility of a virus that actually does good, but no one has yet demonstrated such a virus. We define damage as: the virus does something that you'd rather it hadn't done. And we quantify damage by measuring how long it takes to put things back the way they ought to be. We don't include consequential damage in this categorisation [damage done by the user in a mistaken attempt to get rid of the virus]. It is remarkable how many people will format the hard disk to get rid of Stoned, for example. All this does is get rid of all your data. The virus is untouched, as it resides in the MBR, which is not touched by FORMAT. Nor can we include damage done by obscure incompatibilities between the virus and the system. For example, if a computer that was originally set up under DOS 2 [but is now running a later version of DOS] is infected by Stoned, then a large number of files will be corrupted because the design of the virus had not anticipated this situation.

TRIVIAL DAMAGE
This is done by a virus such as Form [once the commonest virus in the world]. On the 18th of every month, each key that you hit makes the speaker beep. All you need to do is to get rid of the virus. This will usually take seconds or minutes [per computer].

MINOR DAMAGE
A good example of minor damage is the way that Jerusalem virus deletes any program that you try to run after the virus has gone memory resident, on Friday the thirteenth. At worst, you will have to re-install some programs, so the damage is unlikely to be more than 30 minutes per computer.

MODERATE DAMAGE
If a virus formats the hard disk, scrambles the FAT or overwrites the hard disk, this is moderate damage. The damage is only moderate because you know that it has happened, and you can re-install DOS and re-load yesterday's backup, because you do a backup every day. So, you'll lose on average half a day's work, plus maybe an hour doing the re-install and restore. The virus most famous for moderate damage is Michelangelo.

MAJOR DAMAGE
This is where a virus hits your backups as well as your hard disk. Every 16th time that a Dark Avenger-infected file is run, it overwrites a random sector on the hard disk with 'Eddie lives . . . somewhere in time'. This might have been going on for several weeks. You discover Dark Avenger, get rid of the virus, and find 'Eddie lives . . .' at several places in several files. You restore yesterday's backup, and find 'Eddie lives . . .' in those as well. You might have to go back a few weeks before you can find clean data files, and when you've restored a six week old backup, you'll find that you don't actually have any way to redo that work, because you don't have the original documents to work from.

SEVERE DAMAGE
Severe damage is done when a virus makes gradual and progressive changes [so that backups are also corrupted], but the changes are not obvious [there is no 'Eddie lives' to look out for]. You wind up simply not knowing whether your data is correct or changed.

UNLIMITED DAMAGE
Some viruses [such as Cheeba, Vacsina.44.login and GP1] aim to get the system manager password and pass it along to a third party. In the case of Cheeba, for example, it creates a new user with maximum privileges, with a fixed user name and password. The damage is then done by the third party, who can log in to the system and do anything he/she likes.

HOW VIRUSES ARE SPREAD

It seems to be a common belief that viruses are spread by games, by shareware or by BBSes. The truth is more complex. First, remember how the most common sort of virus, boot sector viruses, work. A physical floppy disk has to be involved, and there doesn't need to be any software on it. You cannot get a BSV by using a BBS. The most likely routes by which a virus gets into an organisation are engineers and parents. Hardware engineers visit a large number of computers, and like the busy little bee, could pick up some pollen here, and deposit it there. Hardware engineers should have all their software disks permanently write-protected, but don't. Hardware engineers should frequently check any write-enabled disks for viruses, but don't. Of course, the majority of hardware engineers are clean and well-behaved, but there are a few that need re-education. Parents have children, and if there is a PC at home, and the children are young teens, then they quite possibly swap software at school. The disks that they bring home might well be infected, and if the parent is taking disks to and from work, they could easily take a virus into work with them. A boot sector virus could arrive on a data disk from a colleague. Other ways of getting a virus include: in shrink-wrapped software [some of the largest companies have accidentally shipped a virus in shrink-wrapped software]; along with purchased hardware [most hardware comes with disks containing utilities or drivers]; salesmen running demos could unwittingly install the virus they picked up from the last place they ran their demo.

VIRUS PREVENTION

We recommend that everything be virus checked before it is used. This includes floppy disks with data on [remember BSVs] as well as software. This could be done using a scanner such as FindVirus, which could be installed on every computer [for convenience, because if it isn't convenient, it won't get done] or it could be installed on designated 'sheep-dip' computers, which is more convenient for the PC Support people to keep up to date, but less convenient for the users. Alternatively, you can make the whole thing as transparent and painless as possible by installing an on-access scanner, such as VirusGuard [DOS] and/or WinGuard [a VxD for Windows 3.x, Windows 95 and Windows NT]. This means that everything is automatically scanned without the user being aware of it [unless, of course, a virus is found]. The on-access scanner is the route that most people choose, together with some dedicated 'sheep-dip' machines.

RULES, PROCEDURES, EDUCATION AND TOOLS

Linda had worked in her job for some years. She occasionally took work to do on her home PC, with the knowledge and approval of her supervisor. One day, the PC Support department found a virus on her office PC. Later the same day Linda was fired for bringing a virus on to the premises. Linda was very upset at what she saw as unfair dismissal and sued the company. She won, because the company she worked for had no rules to tell employees what to do [so she hadn't broken any rules]. Although they had anti-virus software, there were no procedures for checking incoming disks [so she hadn't failed to carry out company procedures]. On investigation, it looked highly likely that the PC Support department had accidentally infected her machine, and only discovered it when they sent disks, copied on Linda's machine, to another company, who did check for viruses and found one on those disks. If such procedures had been in place and Linda had ignored them, then the company would have had a good reason for firing her. Of course, with proper rules and procedures, they would probably not have been infected by a virus in the first place. But you have to acknowledge the fact that people behave the way that they do. If you make your anti-virus procedures onerous and difficult, they'll quite likely be ignored on the grounds that viruses are very rare, and the cost and hassle of the procedures is too great. A good set of rules might be as follows. Any incoming floppy disk must be virus-checked. If your anti-virus software finds a virus, tell PC Support. Notice that the rules are very simple. That way, people are more likely to remember and follow them. The next thing you need is procedures. The procedure tells the users how to obey the rules. The procedure for checking disks should be written down in detail ['Put the floppy disk in the drive, and type . . .']. If you have a 'sheep-dip' computer, put the procedure up on the wall near to it. Education is also important. 
You can't just tell grown-ups to do something and expect that they'll obey without question. You have to explain the reason to them. You can do this with talks, or by getting the Dr Solomon's 'Virus Video' and letting them watch it. You also have to provide tools. You can't detect a virus with your bare hands. Any sensible anti-virus strategy must take account of the fact that even 'well-educated' users are fallible, and that they will circumvent even the best rules and procedures [either wittingly or unwittingly . . . remember that security is not the primary concern of staff who work in Sales, Marketing and other departments within an organisation]. The foundation of any comprehensive anti-virus strategy, therefore, must be anti-virus tools which will effectively detect, remove and prevent virus infection . . . even when the rules and procedures have not been followed.

ANTI-VIRUS TOOLS

SCANNERS
A scanner is a program that knows how to find a particular repertoire of viruses. Scanners are updated, quarterly or monthly. For many users, quarterly upgrades are sufficient, but every now and then, a new virus comes out and spreads very fast [such as Tequila, or SMEG]. In that case, you could be unable to detect this 'in the wild' virus for several weeks, depending on where you are in the update cycle. So, many people subscribe to monthly upgrades to avoid this situation. Scanners can be either on-demand, or on-access. FindVirus is an on-demand scanner, and must be run by the user [although this could be done automatically, at start-up, from the AUTOEXEC.BAT; or using a scheduler]. VirusGuard [DOS] and WinGuard [Windows 3.x, Windows 95 and Windows NT] are on-access scanners, and work continuously. As soon as any disk is accessed, it is checked for boot sector viruses; and as soon as any file is used, it is checked for file viruses. Both programs may be [optionally] configured to check files as they are written to the hard disk [useful if files are being downloaded from a remote site, such as a BBS, or the Internet]. VirusGuard occupies approximately 9Kb of conventional [DOS] memory; WinGuard, which is a Windows-specific program, uses zero conventional memory. Any additional time-overhead involved in checking the disk or file is unlikely to be noticeable in most cases. VirusGuard, a DOS TSR program, does not have the full facilities of FindVirus [for economy in memory consumption and time-overhead]; specifically, VirusGuard is not able to find macro viruses [which do not work under DOS anyway] and a small percentage of extremely polymorphic viruses [VirusGuard will find polymorphic viruses in memory, if an infected program has been run]. WinGuard, which does not have the constraints of a DOS TSR program, has the same detection capability as FindVirus.

CHECKSUMMERS
A checksummer is a change detector. Executable files should not change, except for a good reason, such as updating of software. A checksummer aims to detect changes. The advantage of checksummers is that they do not detect a repertoire of viruses, so do not need updating. The downside of checksummers is that they are more hassle than scanners [files change on your computer more often than you might have thought, for good and valid reasons], and they do not detect all viruses. For example, checksummers do not detect 'slow infectors'; they do not detect all boot sector viruses [if the hard disk code is left unchanged]; and they have problems with stealth viruses. Some people use checksummers, but they are a minority. Checksummers can be on-demand [like ViVerify], or on-access.
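The two tool types described above [the signature scanner and the checksummer] behave differently when a file changes, and the difference is easiest to see side by side. The following is an added example, written for this page and not part of the original text or of any Dr Solomon's product: a minimal on-demand scanner that looks for a repertoire of byte patterns, and a checksummer that records a SHA-256 baseline of executables and later reports what changed. The signature database, the file names and the file contents are all constructed for the demonstration; the patterns are not real virus signatures.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed signature repertoire (name -> byte pattern). These are made-up
# patterns for the example, not signatures of any real virus.
SIGNATURES = {
    "Example.Marker.A": b"EXAMPLE-MARKER-A",
    "Example.Marker.B": b"\x90\x90\xcc\xcc",
}

# The file types a DOS-era scanner or checksummer would look at.
EXEC_SUFFIXES = (".com", ".exe", ".sys")


def executables_under(root):
    """Yield every executable-looking file below root, in a stable order."""
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXEC_SUFFIXES:
            yield path


def scan_file(path, signatures=SIGNATURES):
    """On-demand scanner: names of every known pattern found in one file."""
    data = Path(path).read_bytes()
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_tree(root, signatures=SIGNATURES):
    """Scan a directory tree; only files matching a known pattern are reported."""
    hits = {}
    for path in executables_under(root):
        found = scan_file(path, signatures)
        if found:
            hits[str(path.relative_to(root))] = found
    return hits


def sha256_of(path):
    """Hash a file in chunks so large executables do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Checksummer, step 1: record a hash for every executable (done when clean)."""
    return {str(p.relative_to(root)): sha256_of(p) for p in executables_under(root)}


def verify_baseline(root, baseline):
    """Checksummer, step 2: report executables that changed, appeared or vanished."""
    current = build_baseline(root)
    return {
        "changed": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo():
    """Build a constructed tree, take a baseline, alter two files, run both tools."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "good.exe").write_bytes(b"MZ" + b"\x00" * 64)   # constructed stand-in for an EXE
        (root / "tool.com").write_bytes(b"\xb8\x00\x4c\xcd\x21")  # constructed stand-in for a COM
        (root / "notes.txt").write_bytes(b"data file, ignored by both tools")
        baseline = build_baseline(root)

        # Change 1: a known pattern is appended. Both tools notice this one.
        good = root / "good.exe"
        good.write_bytes(good.read_bytes() + b"EXAMPLE-MARKER-A")
        # Change 2: a change matching no known pattern. Only the checksummer notices.
        (root / "tool.com").write_bytes(b"\xb8\x00\x4c\x90\xcd\x21")

        return scan_tree(root), verify_baseline(root, baseline)


if __name__ == "__main__":
    scanner_report, checksum_report = demo()
    print("scanner:    ", scanner_report)
    print("checksummer:", checksum_report)
```

Running the block prints one scanner hit [good.exe] and two changed files [good.exe and tool.com]: the scanner only knows what is in its repertoire, while the checksummer flags any change but cannot say whether a change was a legitimate update or an infection. That second point is exactly the weakness the 'slow infector' exploits: when the operator re-runs build_baseline to accept an intended update, an infection made during that same update is accepted along with it.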

NETWORKS AND VIRUSES

A network is a group of computers connected together to make it easier to share data. This provides interesting opportunities for viruses, and for dealing with viruses. There is a common perception that once a virus gets on to a network, somehow it flashes round the whole network very quickly. The truth, of course, is more complex. Firstly, BSVs cannot travel across networks. If several machines on a network are infected, that's because the virus spread via floppy disks in the usual way. Here's how a file virus spreads across a network. User 1 gets his/her computer infected, perhaps by a salesman's demo disk. The virus goes TSR. User 1 runs other programs on his/her hard disk. They get infected. User 1 runs some programs on the network. They get infected. A network emulates a DOS device; reading and writing to files on the server is done in exactly the same way as locally. The virus doesn't have to behave any differently to infect files on the server. User 2 logs on to the server, and runs an infected file. The virus is now TSR in user 2's machine. User 2 runs several other programs, on the local hard disk, and on the server. Each file becomes infected. User 3, user 4 and user 5 log on and run infected files. And so on.

NETWORK PROTECTION

70% of networks use Novell NetWare, so we'll use that as an example, but you can adapt the same principles for other network operating systems. You can make directories read-only. If you make files on the local hard disk read-only, you're wasting your time, because just about every file virus will make them read/write, infect them, and make them read-only again. This is because the user has the privilege to make files read/write on his/her local hard disk. But on a file server, you don't have to give that privilege to the user, and the virus has the same privilege as the user. Indeed, the virus is the user, and can do no more than the user can. There is no magic about viruses; they are subject to the same constraints as any other programs. Unfortunately, some packages can't be run from read-only sub-directories, because they want to write to configuration, or temporary files, in the same directory. You can make programs execute-only. This means that although the directory is read/write, the executables cannot be written to, or even read. They can only be run. Be warned, though, that on Novell NetWare this is a one-way street. Once you've made a file execute-only, you can't go back. All you can do is delete it, even if you are Supervisor. So, make a copy first. Some programs won't run if they are execute-only, because they have overlays that are concatenated on the end of the EXE file. So if the EXE file can't be read, the overlays can't be loaded. You can make individual files read-only using the DOS attribute, and then deny the user the modify attribute privilege in that directory. Using a combination of the three techniques above, you should be able to make a large percentage of the files on the server uninfectable [indeed, unchangeable without Supervisor intervention]. This stops viruses infecting most of the executables on the server. Unfortunately, the important files on the server are the data, and you haven't protected those. 
The user has read/write access to the data [he/she needs it to do their job], and so the virus also has read/write access to the data. Deleting files is the least of our worries. Consider that some virus damage routines consist of altering files. So how do we protect the data on the server? The only answer is to keep viruses off the workstation as well. The next thing you can do, if your server is running Novell NetWare, is run an anti-virus NLM [NetWare Loadable Module] on the server. This can be scheduled to check the files on the server. The use of a server-based on-access scanner [such as the File Access Monitor in Dr Solomon's Anti-Virus Toolkit for NetWare] provides a multi-layered defence against virus infection, checking files as they are passed to and from the workstations. In addition, users can be denied access to the server unless their workstation is protected. Similar protection is available for Windows NT. Dr Solomon's Anti-Virus Toolkit for Windows NT offers comprehensive protection for workstations and servers. FindVirus provides on-demand scanning; and a Scheduler, to check the system at pre-defined times. WinGuard for Windows NT provides constant background protection, checking files and disks before they are accessed. If your server is LAN Manager or LAN Server, you can run an OS/2 version of the anti-virus program on the server.