Computer Virus Myths
Copyright 1988,92 by Rob Rosenberger & Ross M. Greenberg Page 1 of 8
Computer Virus Myths
(8th Edition, March 1992)
by Rob Rosenberger
with Ross M. Greenberg
A number of myths have surfaced about the threat of computer "viruses".
There are myths about how widespread they are, how dangerous they are, and
even myths about what a computer virus really is. We'd like the facts to
be known.
The first thing to learn is that a virus is a malicious programming tech-
nique in the realm of "Trojan horses." All viruses are Trojan horses, but
few Trojan horses can be called a virus.
That having been said, it's time to go over the terminology we use when we
lecture:
BBS Bulletin Board System. If you have a modem, you can call
a BBS and leave messages, transfer computer files back &
forth, and learn a lot about computers. (What you're
reading right now, for example, most likely came to you
from a BBS.)
Bug an accidental flaw in the logic of a program which makes
it do things it shouldn't really be doing. Programmers
don't mean to put bugs in their program, but they always
creep in. Programmers tend to spend more time debugging
their programs than they do writing them in the first
place. Inadvertent bugs have caused more data loss than
all the viruses combined.
Hacker someone who really loves computers and who wants to push
them to the limit. Hackers have a healthy sense of curi-
osity: they try doorknobs just to see if they're locked,
and they tinker with a piece of equipment until it's "just
right." The computer revolution itself is a result of
hackers.
Shareware a distribution method for quality software available on a
"try before you buy" basis. You pay for the program only
if you find it useful. Shareware programs can be down-
loaded from BBSs and you are encouraged to give evaluation
copies to friends. Many shareware applications rival the
power of off-the-shelf counterparts, at just a fraction of
the price. (You must pay for the shareware you continue
to use -- otherwise you're stealing software.)
Trojan horse a generic term describing a set of computer instructions
purposely hidden inside a program. Trojan horses tell a
program to do things you don't expect it to do. The term
comes from a legendary battle in which the ancient city of
Computer Virus Myths Page 2 of 8
Troy received the gift of a large wooden horse. The
"gift" secretly held soldiers in its belly, and when the
Trojans rolled it into their fortified city....
Virus a term for a very specialized Trojan horse which spreads
to other computers by secretly "infecting" programs with a
copy of itself. A virus is the only type of Trojan horse
which is contagious, like the common cold. If it doesn't
meet this definition, then it isn't a virus.
Worm a term similar to a Trojan horse, but there is no "gift"
involved. If the Trojans had left that wooden horse out-
side the city, they wouldn't have been attacked. Worms,
on the other hand, can bypass your defenses without having
to deceive you into dropping your guard. An example is a
program designed to spread itself by exploiting bugs in a
network software package. Worms are usually released by
someone who has normal access to a computer or network.
Wormers the name given to the people who unleash destructive
Trojan horses. Let's face it, these people aren't angels.
What they do hurts us. They deserve our disrespect.
Viruses, like all Trojan horses, purposely make a program do things you
don't expect it to do. Some viruses are just an annoyance, perhaps only
displaying a "Peace on earth" greeting. The viruses we're worried about
are designed to destroy your data (the most valuable asset of your com-
puter!) and waste your valuable time in recovering from an attack.
Now you know the difference between a virus and a Trojan horse and a bug.
Let's get into some of the myths:
"All purposely destructive code comes as a virus."
Wrong. Remember, "Trojan horse" is the general term for purposely
destructive code. Very few Trojan horses actually qualify as viruses. Few
newspaper or magazine reporters have a real understand of computer crimes,
so they tend to call almost anything a virus.
"Viruses and Trojan horses are a recent phenomenon."
Trojan horses have been around since the first days of the computer;
hackers toyed with viruses in the early 1960s as a form of amusement. Many
different Trojan horse techniques emerged over the years to embezzle money,
destroy data, etc. The general public didn't know of this problem until
the IBM PC revolution brought it into the spotlight. Banks still hush up
computerized embezzlements (as they did during the 1980s) because they
believe customers will lose faith in their computer systems if the word
gets out.
"Viruses are written by hackers."
Yes, hackers have purposely unleashed viruses, but so has a computer
magazine publisher. And according to one trusted military publication, the
U.S. Defense Department develops them as weapons. Middle-aged men wearing
business suits created Trojan horses for decades before the advent of com-
Computer Virus Myths Page 3 of 8
puter viruses. We call people "wormers" when they abuse their knowledge of
computers. You shouldn't fear hackers just because they know how to write
viruses. This is an ethics issue, not a technology issue. Hackers know a
lot about computers; wormers abuse their knowledge. Hackers (as a whole)
got a bum rap when the mass media corrupted the term.
"Viruses infect 25% of all IBM PCs every month."
If 25% suffer an infection every month, then 100% would have a virus
every four months assuming the user took no preventive measures -- in other
words, every IBM PC would suffer an infection three times per year. This
astronomical estimate surfaced after virus expert (and antivirus vendor)
Dr. Peter Tippett published "The Kinetics of Computer Virus Replication," a
complex thesis on how viruses might spread in the future. Computer viruses
exist all over the planet, yes -- but they won't take over the world. Only
about 400 different viruses exist at this time and some of them have been
completely eliminated "from the wild." (Of course, virus experts retain
copies even of "extinct" viruses in their archives.) You can easily reduce
your exposure to viruses with a few simple precautions. Yes, it's still
safe to turn on your computer!
"Only 400 different viruses? But most experts talk about them in the thou-
sands."
The virus experts who "originate" these numbers tend tto work for
antivirus firms. They count even the most insignificant variations of
viruses as part of the grand total for advertising purposes. When the
Marijuana virus first appeared, for example, it displayed the word
"legalise," but a miscreant later modified it to read "legalize." Any pro-
gram capable of detecting the original virus will detect the version with
one letter changed -- but antivirus companies count them as "two" viruses.
Such obscure differentiations quickly add up.
"Viruses could destroy all the files on my disks."
Yes, and a spilled cup of coffee will do the same thing. If you have
adequate backup copies of your data, you can recover from any virus or
coffee problem. Backups mean the difference between a nuisance and
a disaster. It is safe to presume there has been more accidental loss of
data than loss by viruses and Trojan horses.
"Viruses have been documented on over 300,000 computers (1988)."
"Viruses have been documented on over 400,000 computers (1989)."
"Viruses have been estimated on over 5,000,000 computers (1992)."
These numbers come from John McAfee, a self-styled virus fighter who
craves attention and media recognition. If we assume it took him a mere
five minutes to adequately document each viral infection, it would have
taken four man-years of effort to document a problem only two years old by
1989. We further assume McAfee's statements include every floppy disk ever
infected up to that time by a virus, as well as all of the computers
participating in the Christmas and InterNet worm attacks. (Worms cannot be
included in virus infection statistics.)
McAfee prefers to "estimate" his totals these days. Let's assume we
have about 100 million computers of all types & models in use around the
world. McAfee's estimate means 1 out of every 20 computers on the planet
supposedly has a virus. It sounds like a pretty astronomical number to
most other virus experts.
Computer Virus Myths Page 4 of 8
"Viruses can hide inside a data file."
Data files can't wreak havoc on your computer -- only an executable pro-
gram file can do that (including the one that runs when you first turn on
your computer). If a virus infected a data file, it would be a wasted
effort. But let's be realistic: what you think is 'data' may actually be
an executable program file. For example, a "batch file" qualifies as text
on an IBM PC, yet the MS-DOS operating system treats it just like a pro-
gram.
"BBSs and shareware programs spread viruses."
Here's another scary myth drummed up in the big virus panic, this one
spouted as gospel by many "experts" who claim to know how viruses spread.
"The truth," says PC Magazine publisher Bill Machrone, "is that all major
viruses to date were transmitted by [retail] packages and private mail sys-
tems, often in universities." (PC Magazine, October 11, 1988.) Machrone
said this back in 1988 and it still applies to this day. Almost 50 retail
companies so far have admitted spreading infected master disks to tens of
thousands of customers since 1988 -- compared to only five shareware
authors who have spread viruses on master disks to less than 100 customers.
Machrone goes on to say "bulletin boards and shareware authors work extra-
ordinarily hard at policing themselves to keep viruses out." Reputable
sysops check every file for Trojan horses; nationwide sysop networks help
spread the word about dangerous files. Yes, you should beware of the soft-
ware you get from BBSs and shareware authors, but you should also beware of
the retail software you find on store shelves. (By the way, many stores
now have software return policies. Do you know for sure you were the only
one who used those master disks?)
"My computer could be infected if I call an infected BBS."
BBSs can't write information on your disks -- the communications soft-
ware you use performs this task. You can only transfer a dangerous file to
your computer if you let your software do it. And there is no "300bps sub-
carrier" that lets a virus slip through a high speed modem. A joker named
Mike RoChenle (IBM's "micro channel" PS/2 architecture, get it?) started
the 300bps myth when he left a techy-joke message on a public BBS. Unfor-
tunately, a few highly respected journalists were taken in by the joke.
"So-called 'boot sector' viruses travel primarily in software downloaded
from BBSs."
This common myth -- touted as gospel even by Australia's Computer Virus
Information Group -- expounds on the mythical role computer bulletin boards
play in spreading viruses. Boot sector viruses can only spread by direct
contact and "booting" the computer from an infected disk. BBSs deal exclu-
sively in program files and have no need to pass along copies of disk boot
sectors. Bulletin board users therefore have a natural immunity to boot-
sector viruses when they download software.
We should make a special note about "dropper" programs developed by
virus researchers as an easy way to transfer boot sector viruses among
themselves. Since they don't replicate, "dropper" programs don't qualify
as a virus in and of themselves. Such programs have never been discovered
on any BBS to date and have no real use other than to transfer infected
boot sectors.
Computer Virus Myths Page 5 of 8
"My files are damaged, so it must have been a virus attack."
It also could have happened because of a power flux, or static elec-
tricity, or a fingerprint on a floppy disk, or a bug in your software, or
perhaps a simple error on your part. Power failures and spilled cups of
coffee have destroyed more data than all viruses combined.
"Donald Burleson was convicted of releasing a virus."
Newspapers all over the country hailed a Texas computer crime trial as a
"virus" trial. The defendent, Donald Burleson, was in a position to
release a destructive Trojan horse on his employer's mainframe computer.
This particular software couldn't spread to other computers, so it couldn't
possibly have qualified as a virus. Davis McCown, the prosecuting attor-
ney, claims he "never brought up the word virus" during the trial. So why
did the media call it one?
1. David Kinney, an expert witness testifying for the defense, claimed
Burleson had unleashed a virus. The prosecuting attorney didn't argue
the point and we don't blame him -- Kinney's bizarre claim probably
helped sway the jury to convict Burleson, and it was the defense's
fault for letting him testify.
2. McCown gave reporters the facts behind the case and let them come up
with their own definitions. The Associated Press and USA Today, among
others, used such vague definitions that any program would have
qualified as a virus. If we applied their definitions to the medical
world, we could safely label penicillin as a biological virus (which
is, of course, absurd).
3. McCown claims many quotes attributed to him were "misleading or fab-
ricated" and identified one in particular which "is total fiction."
Reporters sometimes print a quote out of context, and McCown appar-
ently fell victim to it. (It's possible a few bizarre quotes from
David Kinney or John McAfee were accidentally attributed to McCown.)
"Robert Morris Jr. released a benign virus on a defense network."
It may have been benign but it wasn't a virus. Morris, the son of a
chief computer scientist at the U.S. National Security Agency, decided one
day to take advantage of a bug in the Defense Department's networking soft-
ware. This tiny bug let him send a worm through the network. Among other
things, Morris's "InterNet" worm sent copies of itself to other computers
in the network. Unfortunately, the network clogged up in a matter of hours
due to some bugs in the worm module itself. The press originally called it
a "virus," like it called the Christmas worm a virus, because it spread to
other computers. Yet Morris's programs didn't infect any computers. A
few notes:
1. Reporters finally started calling it a worm a year after the fact, but
only because lawyers in the case constantly referred to it as a worm.
2. The worm operated only on Sun-3 & Vax computers which employ a UNIX
operating system and were specifically linked into the InterNet net-
work at the time.
3. The 6,200 affected computers cannot be counted in virus infection
statistics (since they weren't infected).
4. It cost way less than $98 million to clean up the attack. An official
Cornell University report claims John McAfee, the man behind this wild
estimate, "was probably serving [him]self" in an effort to drum
up business. People familiar with the case estimated the final figure
at under $1 million.
Computer Virus Myths Page 6 of 8
5. Yes, Morris could easily have added some infection code to make it a
worm/virus if he'd had the urge.
6. The network bug exploited in the attack has since been fixed.
7. Morris went to trial for launching the InterNet worm and received a
federal conviction. The Supreme Court refused to hear the case, so
his conviction stands.
"The U.S. government planted a virus in Iraq military computers during the
Gulf War."
U.S. News & World Report published a story in early 1992 accusing the
National Security Agency of replacing a computer chip in a printer bound
for Iraq just before the Gulf War with a secret computer chip containing a
virus. The magazine cited "two unidentified senior U.S. officials" as
their source, saying "once the virus was in the [Iraqi computer] system,
...each time an Iraqi technician opened a 'window' on his computer screen
to access information, the contents of the screen simply vanished." How-
ever, the USN&WR story shows amazing similarities to a 1991 April Fool's
story published by InfoWorld magazine. Most computer experts dismiss the
USN&WR story as a hoax -- an "urban legend" innocently created by the Info-
World joke. Some notes:
1. USN&WR has refused to retract the story, but it did issue a "clarifi-
cation" stating "it could not be confirmed that the [virus] was ulti-
mately successful." The editors broke with tradition and refused to
publish any of the numerous letters readers submitted about the virus
story.
2. Ted Koppel, a well-known American news anchor, opened one of his
"Nightline" broadcasts with a report on the alleged virus. Koppel's
staff politely refers people to talk with USN&WR about the story's
validity.
3. InfoWorld didn't label their story as fiction, but the last paragraph
identified it as an April Fool's joke.
"Viruses can spread to all sorts of computers."
All Trojan horses are limited to a family of computers, and this is
especially true for viruses. A virus designed to spread on IBM PCs cannot
infect an IBM 4300 series mainframe, nor can it infect a Commodore C64, nor
can it infect an Apple Macintosh.
"My backups will be worthless if I back up a virus."
No, they won't. Let's suppose a virus does get backed up with your
files. You can restore important documents and databases -- your valuable
data -- without restoring an infected program. You just reinstall programs
from master disks. It's tedious work, but not as hard as some people
claim.
"Antivirus software will protect me from viruses."
There is no such thing as a foolproof antivirus program. Trojan horses
and viruses can be (and have been) designed to bypass them. Antivirus
products themselves can be tricky to use at times, and they occasionally
have bugs. Always use a good set of backups as your first line of defense;
rely on antivirus software as a second line of defense.
Computer Virus Myths Page 7 of 8
"Read-only files are safe from virus infections."
This common myth among IBM PC users has been printed even in some com-
puter magazines. Supposedly, you can protect yourself by using the DOS
ATTRIB command to set the read-only attribute on program files. However,
ATTRIB is software -- and what it can do, a virus can undo. The ATTRIB
command seldom halts the spread of viruses.
"Viruses can infect files on write-protected disks."
Here's another common IBM PC myth. If viruses can modify read-only
files, people assume they can modify write-protected floppies. However,
the disk drive itself knows when a floppy is protected and refuses to write
to it. You can physically disable an IBM PC drive's write-protect sensor,
but you can't override it with a software command.
We hope this dispels the many computer virus myths. Viruses DO exist, they
ARE out there, they WANT to spread to other computers, and they CAN cause
you problems. But you can defend yourself with a cool head and a good set
of backups.
The following guidelines can shield you from Trojan horses and viruses.
They will lower your chances of being infected and raise your chances of
recovering from an attack.
1. Implement a procedure to regularly back up your files and follow it
religiously. Consider purchasing a user-friendly program to take the
drudgery out of this task. (There are plenty to choose from.)
2. Rotate between at least two sets of backups for better security (use
set #1, then set #2, then set #1...). The more sets you use, the
better protected you are. Many people take a "master" backup of their
entire hard disk, then take "incremental" backups of those files which
changed since the last time they backed up. Incremental backups might
only require five minutes of your time each day.
3. Download files only from reputable BBSs where the sysop checks every
program for Trojan horses. If you're still afraid, consider getting
programs from a BBS or "disk vendor" company which gets them direct
from the authors.
4. Let newly uploaded files "mature" on a BBS for one or two weeks before
you download it (others will put it through its paces).
5. Consider using a program that searches, or "scans," disks for known
viruses. Almost all infections to date involved viruses known to
antivirus companies. A recent copy of any "scanning" program will in
all probability identify a virus before it gets the chance to infect
your computer -- and as they say, "an ounce of prevention is worth a
pound of cure." A "scanning" program can dramatically lower your
chaces of getting infected by a computer virus in the first place.
(But remember: there is no perfect antivirus defense.)
6. Consider using a program that creates a unique "signature" of all the
programs on your computer. Run this program once in awhile to see if
any of your software applications have been modified -- either by a
virus or by a fingerprint on a floppy disk or perhaps even by a stray
gamma ray.
Computer Virus Myths Page 8 of 8
7. DON'T PANIC if your computer starts acting weird. It may be a virus,
but then again maybe not. Immediately turn off all power to your com-
puter and disconnect it from any local area networks. Reboot from a
write-protected copy of your master DOS disk. Do NOT run any programs
on a "regular" disk (you might activate a Trojan horse). If you don't
have adequate backups, try to bring them up to date. Yes, you might
back up a virus as well, but it can't hurt you if you don't use your
normal programs. Set your backups off to the side. Only then can you
safely hunt for problems.
8. If you can't figure out what's wrong and you aren't sure what to do
next, turn off your computer and call for help. Consider calling a
local computer group before you call for an expert. If you need a
professional, consider a regular computer consultant first. Some
"virus removal experts" charge prices far beyond their actual value.
9. [Consider this ONLY as a last resort.] If you can't figure out what's
wrong and you are sure of yourself, execute both a low-level and a
high-level format on all your regular disks. Next, carefully re-
install all software from the master disks (not from the backups).
Make sure the master disks have write-protect tabs! Then, carefully
restore only the data files (not the program files) from your backup
disks.
We'd appreciate it if you would mail us a copy of any Trojan horse or virus
you discover. (Be careful you don't damage the data on your disks while
trying to do this!) Include as much information as you can and put a label
on the disk saying it contains a malicious program. Send it to Ross M.
Greenberg, P.O. Box 908, Margaretville, NY 12254. Thank you.
Ross M. Greenberg is the author of both shareware and retail virus
detection programs. Rob Rosenberger is the author of various phone
productivity applications. (Products are not mentioned by name because
this isn't the place for advertisements.) They each write for national
computer magazines. These men communicated entirely by modem while
writing this treatise.
Copyright 1988,92 by Rob Rosenberger & Ross M. Greenberg
Rosenberger can be reached electronically on CompuServe as [74017,1344], on
GEnie as R.ROSENBERGE, on InterNet as `74017.1344@compuserve.com', and on
various national BBS linkups. Greenberg can be reached on MCI and BIX as
`greenber', on UseNet as `c-rossgr@microsoft.com', and on CompuServe as
[72461,3212].
You may give copies of this treatise to anyone if you pass it along in its
entirety. Publications may reprint it at no charge if they give due credit
to the authors and send two copies to: Rob Rosenberger, P.O. Box 643,
O'Fallon, IL 62269.
Comments
Post a Comment