40Hex Number 7 Volume 2 Issue 3 File 001

WISHFUL THINKING WILL NOT MAKE PUBLICITY-SEEKING VIRUSES GO AWAY

[Hmmmm, a publicity seeking virus. I had a virus like that. It infected my computer and called every news agency telling them what it had done.]

By: Paul Melka for Infoworld 4/27

We have all heaved a collective sigh since March 6 came and went with little computer damage from the Michelangelo Virus. But this sense of relief obscures what I believe is a very important fact: Michelangelo was a turning point in the industry, as much as Microsoft's Windows 3.0 was.

Prior to March 6, the trigger date for the virus, many people-hours were spent in organizations large and small trying to prepare for attack. [Gimme a break. An 'attack'.] And when all was said and done, PCs in the United States fared pretty well. Still, everyone's memory of the Michelangelo virus has begun to fade, and the press - which thoroughly covered the looming threat - is now focused on how little damage was done or how much money virus-protection vendors made.

That frustrates me. It misses a subtle yet more important aspect of viruses: with all the publicity that Michelangelo generated, it was the forerunner of more powerful and more destructive viruses. The publicity from Michelangelo threw down the gauntlet to virus writers to create newer and more destructive viruses.

Gone are the days when letters simply fall to the bottom of your screen or you get prompted by messages asking for cookies or birthday greetings. The industry is just beginning to see the emergence of polymorphic viruses that change their signatures with each infection. (Already a working version of the self-mutating engine that creates polymorphic viruses is available on some bulletin boards, along with manuals.) And we are beginning to see viruses that are specifically designed to foil various detection applications. Finally, there are shrink-wrapped applications infected with viruses; now there is no "safe" way to purchase software.

The virus software authors also have an advantage over all antivirus authors in that they can see exactly what they are going against, while the antivirus developers still have to react to new, unknown viruses.

What types of viruses are next? I don't know, and probably most of the experts don't know either. But you can certainly speculate on the various directions that could be taken in the very near future. We have already seen the evolution from file-infecting viruses, boot sector viruses, and stealth viruses to polymorphic viruses.

The increase in the number and occurrences of viruses is real. Products less than a year old that search for "over 300 viruses" are almost laughed at today, as security specialists cite documentation of more than 1,000 different strains of viruses. The National Computer Security Association estimates that by the end of 1994, there will be almost 40,000 different virus strains. [A shame they will mostly be Tiny variants and Jerusalem hacks.]

With that kind of explosion, new protection methods will be needed. Most of today's scanners would spend more time scanning each file for viruses than there are working hours in a day. We will see better and more efficient methods of detecting and preventing viruses that still allow full use of the computer.

As a security analyst for a large utility company, I try to keep everyone educated on the dangers of viruses and how best to avoid them. I also try to keep myself and the company as up to date as possible on what is happening with viruses. But unless everyone realizes that viruses are real and takes reasonable action against them, there will come a time when a new "super virus" that cannot be detected by any of the existing packages is developed. [Wonder who is gonna write that one?] It will literally cripple some major corporations, while destroying other businesses completely.

I don't advise going back to paper and pencil, but I do think that all PC users have to be vigilant about the threat of viruses, to educate themselves on the prevention of viruses, and to institute "safe" practices, including backing up data and using virus-protection software.

The official patented 40-Hex rebuttal
-------------------------------------

Paul Melka seems to be fairly accurate. However, there are some things I feel are wrong. For example, the estimation that there will be 40,000 virus strains by the end of 1994. Let's just say, for example, that it is about 2 years away. That would mean that there would be 53 viruses written a day, or 2.2 viruses written an hour! Jeez, we all have a shitload of work to do. Do you find this hard to believe? I do.

Of course, the way the virus scene is heading, we are becoming like the warez scene. All the half-assed fools spreading stuff to other BBSs, not even seeing what they are, or if they are real. Ahh well, enough of my complaints.

When Mr. Melka mentioned that there was no "safe" way of purchasing software, it got me thinking. He is definitely correct. Of course, I feel that it is the responsibility of all software publishers to check their disks before packaging them.

At first, he seemed to be very neutral, but as the article progressed, I noticed that even Mr. Melka seemed to fall down the endless pit of ignorance, and resorted to a scare tactic: a virus that nothing can detect or kill. He started off saying that he was speculating, but when he said "...there WILL come a time when a new 'super virus' that cannot be detected by any of the existing packages is developed. It will literally cripple some major corporations, while destroying other businesses completely," he said WILL. It bothers me that a member of the computer security community would be so close-minded.

We are not trying to justify the writing of virii, mainly because we don't have to. It isn't illegal. Making it illegal can't be done; it takes away our rights. Of course, we want to distinguish that we don't spread our virii to anyone who doesn't know that they are virii. It is what they do from there that may be against the law.

If you think it stopped here, here is a letter to the editor of Infoworld about the above article:

Both Steve Gibson and Peer-to-Peer columnist Paul Melka have hit on the reason for the current explosion of viruses. The key is in the title to Mr. Melka's column: "Publicity-Seeking." Virus writers have the same mentality as chain mail writers: they like to see how far their viruses spread, and they track the spread of their virus by its nickname. The glory from this spread would be greatly diminished if viruses were referred to by mundane serial numbers like 7B386621C rather than captivating nicknames like Michelangelo.

I would like to lead a campaign [The Anti Virus Crusades! Ha! I love it!] on two fronts:

First: Establish a no-nickname rule. The National Computer Security Association and other groups should start referring to viruses with nondescriptive serial numbers rather than glamorous nicknames.

Second: Ask other readers to write representatives and demand legislation that would impose suitable penalties for malicious computer crimes. These penalties would include jail terms. [GULP!]

In closing, I believe that this is a perfect opportunity for BIOS manufacturers to sell BIOS upgrades. Mr. Gibson's observation that the best defense mechanism for existing viruses lies in the ROM BIOS is absolutely correct. Seventy-four percent of virus infections could be eliminated by a simple BIOS change. I am part of a support center for more than 5,000 PCs; I have yet to detect a virus on those few PCs that boot only from the hard drive.

Marvin Bullock [Buttock?]
Nashville, TN

Rebuttal part ][
----------------

Ok, this guy I don't really respect. The no-nickname rule. W0W! What a concept. Because you take the name away from my program, I won't recognize it when someone posts "Oh yeah, the virus 7XZ23576B: upon activation a siren is heard as an ambulance is displayed across the screen." We'd never pick up on that.

I also want to know where he got the 74% figure. It may be true, but it wasn't documented. I am not going to argue the anti-virus issue, as I can only speculate.

Basically, it takes a twit to catch a virus. Watch what is put on your system. If you are a system administrator, don't allow standard write access to the network drives. If you do, expect a message like "Your computer is stoned". In reality, YOU should be.

PS: Gibson's article referred to the Dark Avenger's MtE, worthwhile if you don't know about it, otherwise it is pointless.

->GHeap

+++++