|
Viruse Hysteria!
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
Reprinted from CompuMag, Vol. 1 (1989), Issues 3 and 4
For subscription information call 1-805-273-0300
Virus Hysteria!
by Richard B. Levin
You're scared. Having heard how computer viruses leap
from computer to computer, you've learned your system could
be the next unwitting sufferer of a computer flu. After
all, your friend has a friend whose cousin knows someone
that witnessed a virus display "Arf! Arf! Gotcha'!" as it
gobbled up data on an office PC. And your local BBSes are
bubbling over with heated horror stories about bombs,
Trojans and viruses, not to mention countless
recommendations for anti-virus software products. It seems
that every new day brings with it stories of impending
computerized doom, created by evil geniuses with programming
abilities far beyond those you or your associates could ever
hope to achieve, much less do battle against.
Relax! Hysteria over computer viruses comes in waves.
The hysteria is fueled, in large part, by the popular press'
frenzied, poorly researched and consistently inaccurate
reporting on the subject. Computer crime is not a new story
and viruses are simply the latest plot twist. Vandals
sending "time-bombs" and viruses into our nation's telephone
network are akin to hackers breaking into corporate or
government mainframe computers and scrambling data--the
techniques they use for sowing destruction may differ, but
their intent and results are the same. Before you hang up
your joystick in disgust, however, realize that computer
vandalism has been with us, in one form or another, since
the first CRT was fired-up and will remain until the last
disk drive grinds to a halt. In any public endeavor there
will be an anti-social element; computing is no exception.
In the interest of "safe computing," the question we must
ask is "how do we protect ourselves from the ravages of the
computer criminal and computer viruses?"
If you choose not to ignore the reality of computer
viruses, there remains three ways to dispense with the
problem: virus prevention software, virus detection
software and safe-computing practices (which includes
anti-virus software usage, among other things). As with
other forms of crime prevention, virus prevention software
products may provide an effective deterrent in some cases;
they fail, however, when the criminal element is determined
to perpetrate criminal acts. Most virus prevention software
products have serious technical drawbacks users naturally
overlook (we're not all computer scientists) and virus
developers exploit. For example, not one of the anti-virus
software programs on the market today can protect a system
from a deadly disk "write" that bypasses DOS by directly
manipulating the disk controller. Users of virus prevention
products believe their computers are ImZ]?Y?????? in
reality,`taey're sitting ducks, safeguarded only from the
simplest of viruses.
Fact: it is physically impossible to prevent all
manner of viruses from entering your system; no matter how
many automobile alarms you may install, if the crooks want
to steal the wheels badly enough, they will. This same line
of reasoning remains true in the area of virus protection:
if the virus developer is determined to breach your system,
your system will be compromised. You can, however, detect
viral infections almost immediately after they occur, which
allows you to rapidly eradicate the invaders and prevent
future infections. By employing the following "safe
computing" measures (excerpted from the documentation that
accompanies my CHECKUP virus detection system) and by
installing a reliable virus DETECTION system, you are
guaranteed a measure of security virus PREVENTION software
can never provide:
* Run CHECKUP (or another reliable virus
detection system) daily. CHECKUP provides a
sanitary, clean floppy disk/batch file method
that is capable of detecting any virus, past,
present or future.
* Run major applications via DOS batch files
and have CHECKUP (or another reliable virus
detection system) perform a pre-run,
last-minute ci?ck of programs about to run.
Using CHECKUP, for example: instead of
typing the "WORD" command to run Microsoft
Word, create a batch file named "WRD.BAT"
that reads as follows:
CD \WORD
CHECKUP WORD.COM
IF ERRORLEVEL 1 GOTO EXIT
CHECKUP WORD_DCA.EXE
IF ERRORLEVEL 1 GOTO EXIT
CHECKUP MAKEPRD.EXE
IF ERRORLEVEL 1 GOTO EXIT
CHECKUP MERGEPRD.EXE
IF ERRORLEVEL 1 GOTO EXIT
CHECKUP MW.PGM
IF ERRORLEVEL 1 GOTO EXIT
CHECKUP SPELL-AM.EXE
IF ERRORLEVEL 1 GOTO EXIT
WORD
:EXIT
In the future, use the WRD command to invoke
Microsoft Word. CHECKUP will examine all of
Microsoft Word's executable files and will
allow them to run if (and only if) they pass
CHECKUP's scrutiny. Of course, unlike
Microsoft Word, many applications have only
one principal executable file to check,
greatly simplifying implementation of pre-run
checking through DOS batch files.
* Regularly check and log available disk space.
Aggressive viruses decrease storage space as
they spread throughout a system. This
activity can be identified through rigorous
monitoring.
The following commands, added to
AUTOEXEC.BAT, will track disk usage:
CD \
DIR >> DIR.LOG
TYPE DIR.LOG > PRN
* Observe the time it takes for programs to
load--infected files take longer. Programs
exhibiting longer than normal load times
might be infected (see next tip for related
information).
* Scrutinize disk accesses whenever possible.
Viruses can spend large amounts of time
scanning directories and executable files as
they search for new, uninfected host files.
Programs conducting longer than normal disk
I/O, especially during load-time, might be
infected.
* Periodically re-install applications from
their master disks. This overwrites
application files in use and any viruses
incubating within them.
* Once a week, use the SYS command to
re-install the system files onto your boot
disk(s). This eliminates viruses lurking in
the boot sectors.
* Use the DOS "SHELL" command to rename and
relocate COMMAND.COM to a directory other
than the root of your boot disk. Then place
a different copy of COMMAND.COM in the root
directory. This may divert viruses into
infecting the decoy copy instead of your
actual command processor. Refer to your DOS
reference manuals for information on the
SHELL command.
* Boot from a certified clean floppy disk copy
of your DOS master disks whenever possible.
This insures your system is running under an
uncorrupted operating system at all times.
* Change executable file attributes to
read-only. Poorly engineered viruses may not
be able to alter read-only files. Executable
files are those ending in a .BAT, .COM or
.EXE extension or loaded in CONFIG.SYS.
Many programs write to their master
executable file when saving configuration
information. If such a file has been
converted to read-only, the read-only
attribute must be removed before
re-configuring and reset afterward.
There are many utilities that can reset file
attributes, including ATTR.COM, available for
downloading from the PC-Magazine Network on
CompuServe. CompuServe users can "GO
PCMAGNET" to download ATTR.COM. If you own
the Norton Utilities, use Norton's FA.EXE to
change attributes of COMMAND.COM to read-only
using Norton's FA, enter:
FA COMMAND.COM /R+
Some versions of DOS provide an ATTRIB (or
similar) command. Check your DOS reference
manuals for more information on modifying
file attributes.
* Use extreme caution when working with FAT and
directory editors, directory sorters, disk
optimizers, file movers, format-recovery
systems, partition-related tools, un-erasers
and other low-level DOS utilities. These
programs manipulate critical data and one bug
or errant keystroke can annihilate a disk.
Additionally, DOS shells should be treated
with care as they also handle critical disk
information.
Safe bets for low-level disk management are
the Norton Utilities, Advanced Edition, from
Peter Norton Computing, Inc.; PC-Tools from
Central Point Software and the Mace Utilities
from Paul Mace Software. Among DOS shells,
we recommend the Norton Commander, also from
Peter Norton Computing, Inc. These programs
are available at most computer retailers.
* Do not run files downloaded from public
access BBSes (bulletin board systems) that do
not validate users who upload. If the SysOp
of a bulletin board did not contact you
directly (by phone, mail or automatic
callback), you can be certain that other
users have not been validated. (SysOps: If
validating users is a burden, a practical
alternative is to validate them after they
upload their first file.)
* Do not run files downloaded from public
access BBSes where the SysOps do not test and
approve all files.
* Do not run files provided by shareware/public
domain disk distributors, including your
local users group, where the disk librarians
do not test and approve all files.
* Do not run self-extracting archives unless
they have been tested. Self-extracting
archives are a classic delivery method used
by bomb developers.
* Beware of suspicious-looking files. A 128
byte .COM file that un-archives without
documentation and whose description reads
"Great Word Processor" is suspect.
* Use a binary file-viewing utility (like the
one included in the Norton Commander) to
examine executable code. Look for suspicious
comments and messages embedded in the code.
* Do not run programs unaccompanied by
well-written documentation prepared by the
program's author.
* Do not run programs that do not include the
name, address and telephone number(s) of the
author within the documentation or
executable(s).
* Call program authors and verify the version
number, time and date stamps, file sizes and
archive contents of files you have received.
!? Ask authors where you can get certified clean
copies of their programs, then discard the
copies you have and get the certified copies.
* Download shareware direct from the author's
BBS. Most professional shareware authors
provide support BBSes for their products.
You are guaranteed uncorrupted programs when
you download them directly from their
authors.
* Do not use hacked or pirated software.
Software pirates have the skill and the tools
needed to create bombs and viruses. Many
reported incidents of viral infections have
been associated with software piracy. In
fact, some of the deadliest Trojans have been
modified copies of well-known applications.
* Back-up your system regularly! No system
exists in a vacuum, nor is any anti-virus or
anti-Trojan technique foolproof. Back-up on
a daily, weekly and monthly basis. When
disaster strikes, users who have regularly
backed-up their systems will have the last
laugh (and their data)!
If you are not using a virus detection system or you
are using a less-than-perfect virus detection system, how
can you tell if a virus has landed on your system and begun
eating away at your precious data? The following
guidelines, also excerpted from CHECKUP's documentation,
will help you identify the viral warning signs:
1. Computer operations seem sluggish.
2. Programs take longer to load.
3. Programs access multiple disk drives when
loading where they didn't before.
4. Programs conduct disk accesses at unusual
times or with increased frequency.
5. Available disk space decreases rapidly.
6. The number of bad disk sectors steadily
increases.
7. Memory maps reveal new TSR programs of
unknown origin.
8. Normally well-behaved programs act abnormally
or crash without reason.
9. Programs encounter errors where they didn't
before.
10. Programs generate undocumented messages.
11. Files mysteriously disappear.
12. Names, extensions, dates, attributes or data
changes on files that have not been modified
by users.
13. Data files or directories of unknown origin
appear.
14. CHECKUP (or another reliable virus detection
system) detects changes to static objects
(files). Changes detected to dynamic objects
are not an indication of viral alterations.
Rest assured that neither you nor anyone you know will
suffer a major data loss from a viral attack if
safe-computing measures are implemented religiously. When
and if a viral infection is discovered, turn your computer
off and contact a good viral diagnostician for eradication
advice. Do not use your computer or any floppy disks
associated with your computer until your system has been
thoroughly cleansed. Above all, however, enjoy computing
and the thousands of quality public domain and shareware
programs at your disposal. Take comfort in the knowledge
that safe-computing techniques, employed properly, will
serve to protect your data from harm.
|
|
