First published: 18th August 1994
Risto Siilasmaa, President & CEO of Data Fellows Ltd. and
Allan G. Dyer, Head of F-PROT Technical Support, Yui Kee Co. Ltd.
At the Beijing International Computer Exhibition on the 12th August, Risto Siilasmaa from Finland and Allan Dyer from Hong Kong gave a popular seminar on computer viruses. Mr. Siilasmaa and Mr. Dyer are both closely connected with F-PROT Professional, an anti-virus product that was marketed for the first time in China at the exhibition. However, in their seminar they chose an educational approach, telling of the techniques used by viruses, their history, and practical steps to take against them.
Mr. Siilasmaa is the President and CEO of Data Fellows Ltd., a Finnish software development company founded in 1988 with subsidiaries in the United States and Estonia. It specializes in professional software development and publishing into international markets. In its major business area - anti-virus software and groupware products - Data Fellows is one of the world's leading software publishers. Data Fellows publishes F-PROT in about 30 countries through a comprehensive distributor network.
Mr. Dyer is the Head of F-PROT Technical Support of Yui Kee Co. Ltd., a Hong Kong trading company founded in 1964. The Computing Division of Yui Kee became Data Fellows' distributor in the region in June 1993 and has already established F-PROT in the Hong Kong market with sales including a license for the Hong Kong University of Science and Technology, several banks and various manufacturers.
Mr. Siilasmaa and Mr. Dyer have kindly agreed to a summary of their seminar being printed here. Mr. Dyer spoke first, introducing the technical aspects:
An Introduction to Computer Viruses
Computer security has three aspects: Secrecy, Accuracy and Availability. Computer viruses mostly have an impact on two of these: accuracy, because a virus may modify your programs and data, and availability, because your machine may not work when you require it.
A computer virus is a program that can infect other programs by modifying them to include a copy of itself. Viruses can take many routes to reach your organisation. Most people are familiar with how a virus can spread between one company and another via home machines, or between a college machine and home machines to other companies and organisations. However, viruses can also enter your organisation from purchased software or even blank, preformatted disks. If a software or disk manufacturer accidentally uses an infected master disk, all copies of that will be infected. It is therefore important to check ALL programs and disks entering your organisation.
What types of virus are there? Boot Sector viruses infect the DOS Boot Record or Master Boot Record (partition table) of disks. They include some of the commonest viruses: Brain, Stoned, Form, Michelangelo, Flame (also known as Torch or Stamford) and AntiCMOS.
File viruses (also known as parasitic viruses) infect executable files. Some examples are Jerusalem (also known as Israeli or Friday 13th), _1099, Ping Pong (also known as Bouncing Ball) and Vtech.
Link viruses (also called cluster viruses) modify the record of where files are stored in order to infect. There is one example, DIR II.
How do boot sector viruses work? All disks have a boot sector containing a short program to load the operating system. A boot sector virus replaces the normal boot sector contents with its own code. Usually, it will write the original contents of the boot sector to an unused part of the disk. When a machine is booted from an infected diskette, the virus code is loaded and the virus will become resident in memory and infect the hard disk of the machine. Then, the virus will load the original boot sector so that the boot process completes normally, and the user probably does not notice the short delay. From then onwards, the virus will attempt to infect every disk used in the machine, spreading the virus further.
A simple file virus infects a program by writing its own code at the end of the victim program. It then modifies the beginning of the program to point at the virus code. When an infected program is executed, the virus gets control first, and can do its own work. When it has finished, it transfers control to the original program. The user, again, probably does not notice the small delay.
Viruses use various techniques to hide from users and increase the time they have to spread freely. Techniques where the virus tries to avoid being seen are referred to as Stealth. Other viruses try to avoid being recognised by anti-virus scanners by changing their appearance each time they infect a file; these are known as polymorphic viruses.
There are many clues that a virus might leave about its existence, and a stealth virus will try to obscure one or more of these. As we saw in the example of a simple file virus, many viruses increase the size of the files they infect, and an observant user might notice this. A stealth virus resident in memory can calculate the original size of the file, and report that instead of the modified size when a directory is displayed. Of course, the contents of the files have also changed. A scanner or checksumming program would recognise the virus or the change, but, if a stealth virus is resident in memory, it can disinfect the file as it is read from disk, so the anti-virus software only sees the clean file, and therefore reports that nothing is wrong.
A virus in memory must reserve space for its own use, and it is fairly easy to recognise extra TSRs in the memory map. A stealth virus might modify the record of memory blocks in use so that the memory it is using is combined with the block used by another TSR. Of course, the amount of memory free will also be lower with a virus in memory, but a stealth virus might mis-report the size of free memory to conceal itself.
Polymorphic viruses are targeted at making signature scanners useless. Two samples of the same polymorphic virus will appear different, therefore a simple signature cannot be found. Detailed analysis of the virus can lead to an algorithmic detection method that recognises the structures common to all samples of a particular polymorphic virus.
A standard technique of polymorphic viruses is to encrypt the main part of the virus code with a variable key. The main part of the virus will thus be different in each infected file, but the short decryption routine can still be used to recognise the virus. A more sophisticated polymorphic virus would use multiple decryption routines, randomly choosing a routine each time it infected a file. In this case, two samples of the virus might have no common string of bytes. Another technique is to mix random "do nothing" instructions with the real code, basically doing operations that do not affect the algorithm being performed. The virus could also choose different instructions that give the same results, for example, MOV AX,0 and XOR AX,AX both result in the value 0 in AX, but have different opcodes. Alternatively, the virus could use the same algorithm with a different set of registers, again resulting in different opcodes, but a functionally equivalent program.
How, then, can we detect viruses? Three major methods are Signature Scanning, Heuristic Scanning and Change Detection. Signature scanning tries to recognise short sequences from a virus in executables. Its advantages are that it identifies the virus detected (information that can be used to disinfect the file or boot sector) and its speed of scanning. Its disadvantage is that it detects only known viruses and therefore requires regular updates. Signature scanning can be improved in several ways. Using multiple signatures has two effects: it improves the accuracy of identification and therefore makes disinfection safer, and, if a virus has been modified in the area of one signature, it is likely that the second signature will still detect it, and it can be reported as "probably a new version of" the known virus. The addition of algorithmic scanning, mentioned earlier, can also make possible the detection of polymorphic viruses.
Heuristic scanning, rather than searching for specific signatures, looks for techniques commonly used in viruses, but not commonly used in innocent programs. It can, therefore, detect entirely new viruses; however, there is also a chance of giving false positives on innocent programs that use unusual techniques.
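The multiple-signature idea described above, as an added example that is not code from the seminar or from F-PROT. The family names and byte patterns are constructed for illustration and are not real virus signatures; a family is reported as identified only when all of its signatures match, and as "probably a new version of" when only some do.

```python
# Constructed byte patterns for made-up families; NOT real virus signatures.
SIGNATURES = {
    "DEMO-A": [bytes.fromhex("de7a11ed5167a001"), bytes.fromhex("c0ffee5eed0b57ac")],
    "DEMO-B": [bytes.fromhex("0badf00dfeedface"), bytes.fromhex("a5a5c3c35a5a3c3c")],
}

def scan(data: bytes) -> list[dict]:
    """Match every family's signatures against one file or boot sector image."""
    findings = []
    for family, sigs in SIGNATURES.items():
        offsets = [data.find(sig) for sig in sigs]      # -1 means "not present"
        hits = sum(1 for off in offsets if off >= 0)
        if hits == 0:
            continue
        exact = hits == len(sigs)
        findings.append({
            "family": family,
            "verdict": "identified" if exact else "probably a new version of",
            "offsets": offsets,
            # Only an exact identification is precise enough to attempt disinfection.
            "disinfect": exact,
        })
    return findings

# Constructed sample images (host bytes are arbitrary filler).
HOST = b"MZ" + bytes(range(64))
SIG1, SIG2 = SIGNATURES["DEMO-A"]
CLEAN = HOST
KNOWN = HOST + SIG1 + b"\x00" * 40 + SIG2
# Same family, but the region covered by the second signature has been altered.
VARIANT = HOST + SIG1 + b"\x00" * 40 + SIG2[:3] + b"\xff" + SIG2[4:]

if __name__ == "__main__":
    for name, image in [("CLEAN", CLEAN), ("KNOWN", KNOWN), ("VARIANT", VARIANT)]:
        print(name, scan(image) or "no known virus found")
```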
Change detection is usually implemented as checksumming: a formula is used to calculate a value from an executable file based on its whole contents. Any change in the file is highly likely to change the checksum. The advantage of this is that it detects known and unknown viruses equally well. Its disadvantages are that it must be installed on a clean system, and it reports every change made, including innocent changes. One class of viruses, the slow viruses, exploit this flaw by only infecting when an executable file is opened for a write operation, that is, when new software is being installed or when a program is being compiled. When the user is warned of the change by his checksumming program, he will 'OK' the change, because he believes it is entirely due to the change he made. Checksumming can be improved by heuristic techniques that report how likely it is that a particular change has been made by a virus.
Each of these methods can be used in two forms, passive and active. A passive search is run at intervals by the user, like many of today's popular scanners. Unfortunately, users may forget to scan regularly, and the viruses can spread uncontrolled between scans. Active protection is loaded into memory and checks each program when it is executed, copied or written. This can detect infections at the earliest possible time, before they have spread. However, it occupies memory, which is particularly important in the limited DOS environment, and requires the machine to do extra processing, slowing it down. These speed and size limitations force a balance to be struck: a resident signature scanner that detects all viruses but also occupies all memory is as useless as one which is extremely small but detects virtually no viruses. Active protection utilities will usually lie between these two extremes.
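One way a checksummer can rank a change instead of merely reporting it, as an added example that is not code from the seminar or from F-PROT. It assumes SHA-256 as the checksum formula, a 16-byte header window and constructed file images; the heuristic flags the pattern described earlier for a simple file virus (original body intact, file longer, start of file rewritten).

```python
import hashlib

HEADER = 16  # bytes at the start of the file fingerprinted separately (assumption)

def _digest(chunk: bytes) -> str:
    return hashlib.sha256(chunk).hexdigest()

def fingerprint(data: bytes) -> dict:
    """Baseline record, to be taken while the system is known to be clean."""
    return {
        "size": len(data),
        "whole": _digest(data),
        "header": _digest(data[:HEADER]),
        "body": _digest(data[HEADER:]),
    }

def classify(baseline: dict, current: bytes) -> str:
    """Return 'unchanged', 'changed' or 'suspicious' for the current file image."""
    if _digest(current) == baseline["whole"]:
        return "unchanged"
    grew = len(current) > baseline["size"]
    header_changed = _digest(current[:HEADER]) != baseline["header"]
    # Is the old body still present, byte for byte, at its old position?
    body_intact = _digest(current[HEADER:baseline["size"]]) == baseline["body"]
    if grew and header_changed and body_intact:
        # A rebuild or upgrade rarely leaves the whole old body untouched while
        # only rewriting the first bytes and adding data at the end.
        return "suspicious"
    return "changed"

# Constructed file images; the appended bytes are filler, not executable code.
ORIGINAL = bytes((i * 7) % 251 for i in range(316))
RECOMPILED = bytes((i * 11 + 3) % 251 for i in range(400))
APPENDED = b"\xe9" + b"\x01" * (HEADER - 1) + ORIGINAL[HEADER:] + b"\xcc" * 200

if __name__ == "__main__":
    base = fingerprint(ORIGINAL)
    for name, image in [("ORIGINAL", ORIGINAL), ("RECOMPILED", RECOMPILED),
                        ("APPENDED", APPENDED)]:
        print(name, classify(base, image))
```

A user who has just installed or recompiled a program expects a change; the "suspicious" verdict is what distinguishes a slow-virus style modification from the change the user made.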
Which protection method should you use? All of them! As we have seen, each method has advantages and disadvantages, so that a virus that avoids one detection method will often be caught by another. This defense in depth gives the best protection against all viruses, and a good anti-virus product will cover these methods, allowing them to be combined in an effective manner.
Mr Siilasmaa then talked about the History and Future of viruses:
History of viruses
Living programs were presented several times in science fiction during the 1970s. The most famous of these was John Brunner's "The Shockwave Rider". The book is about a disgruntled manager within a multinational company who decides to inflict mayhem upon the company's network with the aid of a "Tapeworm", a highly sophisticated self-replicating program which was capable of many things well known in today's viruses.
The first real computer virus was found in 1981. The Elk Cloner was a boot sector virus which flashed the screen and displayed mystic text messages.
The era of the computer viruses began in earnest in 1986 when two Pakistani brothers wrote a boot sector virus that later became known as Brain. The Brain virus also contained stealth features and was able to display an image of a clean boot sector to any program trying to read the area.
After the Brain virus the number of viruses began growing extremely fast. In 1990 there were 400 known PC viruses. In 1991 the figure had grown to 800, in 1992 to 1200, in 1993 to 2200 and in the beginning of 1994 to 4000. At the moment there are close to 5000 viruses.
Who writes viruses?
Viruses are mostly written by people who are intrigued by the idea of living programs. Many think of writing viruses as a challenge which is enhanced by the constant battle between the virus authors and the anti-virus community.
Many virus writers operate under aliases, i.e. they do not use their real names. In practice they try to make their aliases as famous as possible. One example is the Dark Avenger, whose alias is known all over the world.
Virus groups compete against each other for the dubious honor of writing the most difficult to detect virus or the most sophisticated virus development toolkit.
Some unsatisfied employees have also been known to write a virus to harass their ex-employer. Unfortunately military organisations have also expressed interest in viruses as a potential weapon in a crisis situation.
It might be interesting to note that all known virus writers are male. This might be taken to suggest the moral and intellectual superiority of women.
How many viruses are there?
There is no single answer to the question. It all depends on how you count. The number 5000 mentioned before is reached by counting variants of the same virus as separate viruses. If we decide to take a more conservative approach, a smaller number is reached.
How do we cope with the large number of viruses?
We might receive even more than 10 000 samples of viruses in one week. To cope with the fast growing numbers we have automated much of the process. We can easily eliminate known viruses and files containing garbage from a claimed collection of new viruses. With our heuristic analysis we can pinpoint virus-like code in the remaining files.
F-PROT is the anti-virus product used currently by companies such as Microsoft, Digital Equipment and Hewlett-Packard, to mention some of our most important IT customers. The product includes a DOS TSR, DOS scanner and DOS checksummer, full Windows version, two OS/2 versions and an NLM for Novell servers.
We pride ourselves on a quick turnaround. If a customer of ours is attacked by a previously unknown virus, we will not be satisfied if we cannot give him a new version of F-PROT within 24 hours. Normally we update F-PROT 12 times a year.
We also believe in automating the protection and administration. We have achieved a high level of automation by using scheduling and network features.
The seminar concluded with a question-and-answer session, followed by a less formal discussion as some of the members of the audience stayed to talk with the speakers. Mr. Dyer later commented that he was pleased with the response, saying, "There is certainly considerable interest in viruses here, and a good basic knowledge of the problems they cause. I am sure that we can co-operate to reduce the damage caused by viruses throughout China."