A History Of Computer Viruses

It’s interesting to look back on the history of computer viruses and see just how far things have progressed in the computer security field. Take this excerpt for example.

People didn’t believe that computer viruses even existed back then – they were like a mythical unicorn.

Computer viruses are real. But to paraphrase Mark Twain, reports of their existence may be greatly exaggerated.

Stories about them have circulated since at least the 1970s. Back then they were known as worms, programs that insinuated themselves into the operating system of a mainframe or minicomputer, hiding in memory and waiting until a predetermined time to strike.

They often struck in the form of a “gotcha”–a humorous and relatively harmless message that suddenly appears on the screen in the middle of a program and forces the user to press a key to regain control of the system. Worms were sometimes thought to have been inserted by disgruntled data-processing employees, or by custom-software designers as a way of ensuring that they would be paid or later called in to fix the bug.

Now the stories have reappeared. This time the worms are called viruses and they infest software, networks, online information services, and microcomputers. Some viruses replicate, according to the stories, by copying themselves into DOS’s COMMAND.COM or .SYS files. Then, after a certain number of replications, the virus can delete all the files on the disk or scramble the file-allocation tables.

Viruses have reportedly infected networks at both IBM and the Internal Revenue Service, although both organizations deny it. No major companies have stepped forward to admit their networks have been infected.

Actual viruses have been found, however, on college campuses both in the United States and in the Middle East. “It’s a major problem,” says David Lutz, software specialist at the University of Toledo, which has been infected by a virus called Brain, allegedly developed in Pakistan by a hacker playing a practical joke on a friend.

Brain, according to Professor of Marketing Alan Flaschner, who first discovered the infection, spreads when a PC that has been started up by an infected disk reads the directory of an uninfected disk. At that time, the virus copies itself into the COMMAND.COM file of the healthy disk. When a disk becomes infected, the Brain virus goes into attack mode and destroys tracks on the disk.

Flaschner uses microcomputer models to teach his students marketing strategy. The PC is supposed to be only a weapon in the marketer’s arsenal, he says, but because of the virus, “I’m spending more time teaching students about micros and the pitfalls of using them, which is taking time away from my basic course.”

The university has several computer centers where the infection has been reappearing since February, according to Lutz. He says that write-protect tabs are put on the computer center’s disks, the disks are regularly swept, and any infected disks are eradicated. But since students frequently come in with their own data disks, within two weeks about half the university’s computers are reinfected. Lutz says his only protection against the virus right now is to educate students in ways to recognize it on their own disks.

The University of Pittsburgh has had a similar problem with a virus, according to Shawn Hernan, a faculty computer consultant at the university. The university is trying to eliminate this virus, which erases the boot tracks of a disk, from its software library, Hernan says, but the virus remains in the user community.

He agrees with Lutz that the best defense against the virus is educating the user community about the dangers of spreading the virus and what precautions they can take.

Thus far, viruses have mostly appeared at universities, and those corporations surveyed for this article say they are concerned but have not instituted new policies to protect against possible viruses.

“We haven’t done much,” says one computer analyst at Allied Van Lines, who asked that her name not be used. “I think viruses are more of a problem if you share software or get software from bulletin boards,” both of which are discouraged by the company, she adds.

Ray Deaton, director of MIS at Cox Cable Communications in Atlanta, is even more doubtful. “I’ve been in this business for 17 years and I’ve never seen a virus.” He adds that all of the company’s software is either purchased or custom-developed, and users do not bring in their own packages.

While virus reports are widely circulated among computer users–one person has reported more than 30 viruses and Trojan-horse programs–their sources are notoriously difficult to pin down. Such reports often come from “a friend of a friend.”

Such third-party reports are a new form of urban legend, according to Linda Degh, professor of folklore at Indiana University. Urban legends are often related as true stories, and they reflect current societal concerns. The difficulty in finding original sources for these rumors, as well as the use of the “virus” nomenclature in this era of AIDS, makes these rumors excellent candidates for urban legends, Degh says. The fact that some viruses do exist gives teeth to the legend, she adds.

Another nonbeliever in computer viruses is Bob Ostrander, president of Public Brand Software (Indianapolis). Public Brand Software is the second-largest distributor of public domain software, the most common way in which viruses are said to spread.

“It’s hoopla,” Ostrander says. “I have looked at possibly more software than anyone else in the country over the past few years,” he says, “and I have yet to see anything.” By his own count, Ostrander reviews about 2,000 programs each year, many downloaded from bulletin boards or sent to him by the authors.”

 

Obviously the need for virus protection software like Norton 360 and spyware removal and protection programs such as Spyhunter 4 and others is very high these days, given the amount of personal information that goes buzzing through the internet every day. However, things are looking up as people become more and more educated.

Not Just PCs

Not just PCs can be infected by viruses – Macs can be, and have been, infected by viruses and malware going back to their inception. Here’s an excerpt from an article describing just that – an infection by a virus at NASA.

The virus, called the “scores” virus after a file it creates, infected NASA computers linked with an Appletalk network system. The machines were used for standard office automation applications, Lavery said. The NOAA systems also were used for ordinary office purposes, a NOAA spokesman said.

In operation, the scores virus checks the system files of all executed application programs for signs of infection. If the application programs are “clean,” the virus copies three different versions of itself into each of four system files. All 12 copies of the virus must be eliminated to disinfect the system.

The user inadvertently activates the virus when using an application. To minimize the likelihood of detection, the virus has a “patch” that ensures the user’s command is executed without delay after the virus is copied to any uninfected application. Lavery said the virus program is 7K bytes large and requires less than one-half second to replicate itself. It does not copy itself into data files, he said.

If the application program being executed already is infected, the virus will not reinfect it.

Lavery said the virus can be detected by examining the icons used in the note pad and scrapbook files of the system folder. If the icons resemble small Macintoshes, the software is clean. If the icons resemble documents, the software probably is infected.

If using the ResEdit utility reveals an invisible scores file in the system folder, the system definitely is infected, Lavery said.

Lavery said he and an Apple employee wrote a program to detect the virus’ presence. Apple was very helpful, Lavery said.

An Apple Computer Inc. spokeswoman, Cynthia Macon, said the company does not know the purpose of the virus. She said Apple did not plan to publish a software vaccine to protect against the virus, because that could start an “endless loop” of virus-vaccine-virus-vaccine.

Lavery said NASA discarded all infected floppy disks and reformatted all hard disks, rather than try to delete the virus code. Copies of previously unopened, shrink-wrapped software packages then were distributed to affected users. Lavery said that after two weeks, there still was no sign the virus had reappeared.

NOAA spokesman A. Joseph LaCovey said two stand-alone Macintoshes were infected at NOAA. His agency got rid of the virus, he said, but he would not say how the viruses were removed. “It was not that big a problem…. It was a minor inconvenience,” LaCovey said.

The virus caused few problems for the users, he said, although it interfered with printing because part of the virus code hid in the printer driver.

At NASA, Lavery said, the virus interfered with Apple MacDraw, Microsoft Excel and Digital Communications Associates’ MacIrma communications system, sometimes causing the systems to crash and the user to lose unsaved data.

Bulletin Board Source?

NASA and NOAA officials said they did not know how the virus entered their computers. However, Lavery said bulletin boards were a possible source of the virus.

The scores virus has also infected individual computers across the country. One Washington Mac user said he had seen the virus in Montana. Macon said the attacks seemed to be concentrated in the Washington, D.C., area and in Dallas.

Fewer than 15 computers were infected by the virus at Falcon Microsystems Inc. in Landover, Md., the authorized Apple dealer for federal agencies, said Tom Ellis, the company’s president. A sister company in Bethesda, Md., was not infected at all, he said.

Ellis said he had “absolutely no idea” where the virus came from, but he said some employees in the division where the virus first appeared were active users of bulletin boards. Ellis said the virus was “more of a nuisance” than a serious threat.

Ellis said he could not say for sure Falcon had no role in spreading the virus, but he also said, “There is no evidence to show that Falcon Microsystems passed on the virus in any way, shape or form.” Lavery said NASA officials did not suspect Falcon Microsystems of being the source of the virus.

“We are part of the cure, not the problem,” Ellis said. He said Falcon will supply clean system files for owners of infected Macs even if the machines were not bought from Falcon.

He said the owners should send four diskettes and a stamped, self-addressed envelope to Falcon and a clean copy will be mailed back. Falcon’s address is 1801 McCormick Drive, Suite 250, Landover, Md. 20785.

Macon said Apple’s federal systems office in Reston, Va., also was hit by the virus. She said fewer than 10 computers there were affected. Relatively few Mac users nationwide have been affected by the virus, she said.

A National Bureau of Standards bulletin board provides information about viruses and some sample software intended to protect systems. The bulletin board number is 301-948-5717 or 301-948-5718.

Macon said the scores virus was not the first virus to affect a government computer system, although she could not cite any examples to substantiate her claim. “I know it is not the first time,” she said.

Ted Landberg, a National Bureau of Standards computer security analyst specializing in viruses, disagreed. He said he did not know of actual virus invasions before those at NASA and NOAA, adding, “I think there have been some scares.””

Of course it goes without saying that you should always always always protect your computer with adequate measures such as antivirus software.  If you suspect that your computer’s security has been compromised by spyware or you notice some strange “happenings” you can scan it with a spyware tool such as Spyhunter 4 (you can find a review of the software here).  A lot of people ask me if Spyhunter is a safe program and I can only respond that I’ve in fact used it myself, so what better proof is there?

It also goes without saying that you should ensure that you don’t patronize internet bad neighborhoods.  Those are areas of the internet where the likelihood of getting infected with a virus is very high.

A Note On ASYST Systems

Here are some notes on the areas of improvement for ASYST systems.  Clearly there are multiple things to consider here, but I’d like to focus on the most important first:

ASYST variables have to be named and given a number type (integer, real, or complex) and a structure (scalar or array) before they can be used in the program. New variables cannot be declared within and confined to a colon definition. This limitation is further exacerbated because a few ASYST words (for example, those for array partitioning) do not readily accept stack data as arguments but instead require either defined scalars or constants, or interactive input of data. The definition of such nonspecific global variables hampers the building of independent libraries of words because such words cannot be safely nested within other words that might also use and modify identical variables (11).

Symbolic stack manipulations are considerably more difficult and less predictable than numeric stack calculations. This is because the symbolic stack combines strings and logical variables and apparent inconsistencies exist in the access to this stack. Whereas string commands selectively address string data, logical operations read a string as a sequence of logical variables. This can cause severe and hard-to-detect errors during program execution (runtime errors).

Perhaps the most attractive feature of ASYST is its comprehensive ensemble of preprogrammed words. Many numerical procedures such as matrix inversion, differentiation, polynomial solutions, and random-number generation could have been implemented with any one of several algorithms that have different utility, domains of validity, computational errors, and speed. The following examples illustrate the limited range of validity of two of the numerical algorithms of ASYST. First, the algorithm for the power function does not have a singular point for the negative power of zero (it gives $0^{-1} = 0$). Second, the variance

$$\sigma^2 = \sum_{k=1}^{n} \left(X(k) - \langle x \rangle\right)^2 / n$$

of an n-element column array (X(k)), where

$$\langle x \rangle = \sum_{k=1}^{n} X(k) / n$$

is implemented as

$$\sigma^2 = \sum_{k=1}^{n} x_k^2 / n - \langle x \rangle^2$$

and occasionally yields negative results due to round-off errors. Where such results are not acceptable, other procedures should be used (12). Because it is not feasible to determine the full impact of an unknown algorithm by trial and error, the use of computationally intensive software such as ASYST requires a functional rather than only a numerical analysis of the computational errors and domain of validity of the programmed procedures. However, unlike other software packages (13), ASYST source code or details of the algorithms are not distributed. Although the documentation is quite extensive, it is insufficient for analyzing most of the algorithms. As a result the algorithms of ASYST cannot be fully assessed and procedures written in ASYST cannot be completely specified.

Because of its complex and highly interactive features, ASYST contained many flaws in its early versions. A recent provocative article (14) noted that, “With software products, it is usual to find that the software has major ‘bugs’ and does not work reliably for some users. These problems may persist for several versions and sometimes worsen as the software is ‘improved’.” Perhaps ASYST is an example of this phenomenon. There are difficulties that extend from documentation to more substantial problems in program development, compilation, and execution. Many of the earlier problems have been corrected (15), some still persist (16), and others have been introduced in the revisions. However, since the release of version 1.51 no documentation errors (17), and only a few software corrections were reported by the manufacturer (18). It is suggested here that mere correction of earlier versions is insufficient and that the responsibility of the publisher is to report such errors in detail. It is essential that calculations affected by errors be corrected and that new results be appropriately reported.

Error messages in ASYST are often difficult to decipher. A variety of errors (square root of a negative real or integer number, or an integer or real number overflow) cause a “system restarted” message on the IBM PC-AT and an “illegal 8087 operation” message on the IBM PC-XT (19). The first “is not really an error message” according to the documentation. For the illegal 8087 co-processor operation, the manual simply states that the co-processor has encountered an unsuitable operand and that the square root of a negative number is a possible cause. Other possible causes for 8087 co-processor errors are not listed nor is the user directed to the appropriate literature for a list of conditions that would generate this error. Moreover, numerical underflows occasionally, but not always, cause 8087 errors (20). In addition, error messages in ASYST do not include information about the procedure that caused the error. This makes long programs very difficult to correct. Also, recurring errors often overflow the DOS stack. This invariably halts the computer and requires a complete reset.

Software upgrades of ASYST are therefore essential; in fact, the developers have released new versions about twice a year. Still, experience with ASYST thus far appears to belie the developers’ claim that ASYST “provides a complete error trapping system with easy to understand error messages.”

Hary, David, Koichi Oshio, and Steven D. Flanagan. “The ASYST software for scientific computing.” Science 236 (1987): 1128+
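The round-off failure the excerpt describes for the variance formula can be reproduced in IEEE double precision. The following is an added example, not code from the quoted article or from ASYST; the sample data, the function names and the choice of Welford's method as the stable single-pass alternative are assumptions made here.

```python
from fractions import Fraction

# Constructed sample: four readings with a large common offset (2**30)
# and a true population variance of exactly 1.
OFFSET = 2.0 ** 30
SAMPLE = [OFFSET + d for d in (11, 13, 11, 13)]


def variance_one_pass(xs):
    """sum(x_k^2)/n - mean^2, the form the excerpt says is implemented."""
    n = len(xs)
    total = total_sq = 0.0
    for x in xs:
        total += x
        total_sq += x * x              # each square (~1e18) is rounded to 53 bits
    mean = total / n
    return total_sq / n - mean * mean  # two nearly equal huge values cancel


def variance_two_pass(xs):
    """sum((x_k - mean)^2)/n, the defining formula: subtract first, then square."""
    n = len(xs)
    mean = sum(xs) / n
    return sum((x - mean) ** 2 for x in xs) / n


def variance_welford(xs):
    """Single pass with a running update (Welford's method), no huge squares."""
    mean = m2 = 0.0
    for n, x in enumerate(xs, start=1):
        delta = x - mean
        mean += delta / n
        m2 += delta * (x - mean)
    return m2 / len(xs)


def variance_exact(xs):
    """Reference value computed in exact rational arithmetic."""
    fx = [Fraction(x) for x in xs]
    mean = sum(fx) / len(fx)
    return sum((x - mean) ** 2 for x in fx) / len(fx)


if __name__ == "__main__":
    for fn in (variance_exact, variance_one_pass,
               variance_two_pass, variance_welford):
        print(f"{fn.__name__:18s} {float(fn(SAMPLE))!r}")
```

Taking the standard deviation of the one-pass result means a square root of a negative number, one of the errors the excerpt lists as producing the “system restarted” or “illegal 8087 operation” messages.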