First published: 1st February 1995
By Allan G. Dyer M.Sc.(tech) B.Sc. AIDPM MIAP MHKCS, Head of F-PROT Technical Support, Yui Kee Co. Ltd.
Everyone knows that viruses spread, but what controls how fast a particular virus will spread, or if it will quietly die out?
Of the 5000+ known viruses, only about 200 have been observed spreading in the wild. The first reason for this is that many viruses are simply not released into the wild. The second reason is that many viruses are simply not very effective at spreading. Let's look at these more closely:
In the first case, the virus writer creates a virus, and then sends samples to the virus researchers, usually with a note along the lines of "Look how clever I am!". The publishers of anti-virus software then include detection and identification of this new virus in the next update of their package. It seems paradoxical that a virus writer would do this, but it appears that many virus writers do it as a challenge, without the intention of causing harm or trouble to anyone. Unfortunately, their intentions are irrelevant, because their viruses must still be studied by the anti-virus publishers, wasting their time, and the viruses may be released later by someone who has obtained a sample. Virus writers who claim they do not intend harm are lying or naive, not considering the indirect effects of their actions.
So why do the anti-virus publishers bother including identification of hundreds of viruses that will probably never be seen in the wild? Simply because they cannot predict which ones will be released: the virus writer might also release the virus, or a less-ethical virus researcher might release it later.
What about the second case? Why would a virus be ineffective at spreading? To survive, each copy of a virus must on average produce one copy of itself before it "dies". If, on average, a virus produces more than one copy of itself before it "dies", it will spread epidemically (fig. 1). By "die", I mean anything that stops it from working. This could be being detected and destroyed by anti-virus software, or the virus payload triggering and formatting the hard disk. As an extreme example, a virus that formats your hard disk the first time the computer is rebooted would not spread. A real example is the overwriting viruses: when these infect a file, they overwrite the program rather than attaching themselves to it, so the program no longer functions. A virus like this can do a lot of damage on one machine, but people soon notice that every time they run a program, it stops working. So, the virus is caught and destroyed before it spreads further. A successful virus, then, must stay hidden as long as possible and produce copies of itself rapidly. We saw, in an earlier article, how fast infectors, slow infectors and sparse infectors try this in different ways.
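The one-copy-per-lifetime threshold above is the same one that governs any branching process. The following is an added example, not part of the original article, that works it through: it computes the expected number of infected copies after n generations and the probability that the whole lineage eventually dies out, assuming (an assumption made here, not in the article) that the number of copies each infection produces before it "dies" is Poisson-distributed with mean r.

```python
"""Branching-process model of virus spread (added example, not from the article).

r = mean number of new copies one infected copy produces before it "dies".
Assumed here: the copy count is Poisson(r) distributed.
"""
import math


def expected_copies(r, generations):
    """Expected number of live copies after `generations` rounds, from one copy.
    Each round multiplies the population by r, so this is r**n:
    r < 1 decays to nothing, r > 1 grows without bound (the epidemic case)."""
    return r ** generations


def poisson_pgf(r, s):
    """Probability generating function G(s) of a Poisson(r) copy count."""
    return math.exp(r * (s - 1))


def extinction_probability(r, tol=1e-12, max_iter=10000):
    """Probability that the lineage started by one copy eventually dies out.

    Branching-process theory: if r <= 1 the lineage dies out with certainty.
    If r > 1 the die-out probability is the smaller fixed point q = G(q) in
    [0, 1), found by iterating q <- G(q) from q = 0 (converges geometrically).
    """
    if r <= 1.0:
        return 1.0
    q = 0.0
    for _ in range(max_iter):
        nxt = poisson_pgf(r, q)
        if abs(nxt - q) < tol:
            return nxt
        q = nxt
    return q


def classify(r):
    """Map the mean copies-per-lifetime onto the article's three outcomes."""
    if r < 1.0:
        return "dies out"
    if r == 1.0:
        return "borderline"
    return "epidemic"


if __name__ == "__main__":
    for r in (0.5, 1.0, 1.5, 3.0):
        print(f"r={r}: {classify(r)}, expected copies after 10 generations "
              f"= {expected_copies(r, 10):.3f}, P(die out) = {extinction_probability(r):.3f}")
```

Note that even a virus with r well above 1 has a real chance of dying out by bad luck in its first few generations, which is one reason a virus only becomes a lasting problem once it is mass-distributed rather than released as a single copy.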
However, the major determinant of how well a file virus spreads is not a characteristic of the virus, but whether it is mass-distributed. Normal infection methods spread file viruses slowly, but if a virus can be distributed to thousands of people, it will become an instant problem, and it will remain a problem for many months, if not years. This is because there will be a reservoir of infection in backups and on disks forgotten in desk drawers that will occasionally cause a new outbreak. How, then, can a virus get this mass-distribution? Two major channels exist: commercial software distribution, and bulletin boards and their equivalents. Commercial software includes shrink-wrapped packages, demo diskettes from exhibitions, and device driver diskettes included with hardware. In each case, you are trusting the quality control of the manufacturer if you install without scanning for viruses. In the second category, as just one example, the Kaos-4 virus was distributed world-wide via the alt.binaries.pictures.erotica news-group on the Internet. This newsgroup is very popular, and an unknown number of people downloaded the supposedly erotic game that was posted and so became infected.
The evidence is that boot-sector viruses are better at spreading than file viruses. If a boot-sector virus is released, then it will become common. This reflects the difference between exchange of programs and exchange of diskettes. Some people exchange programs, but everyone exchanges data diskettes. To spread, a virus must move between machines, and a boot sector virus that can be carried on any diskette has a much better chance of doing this than a file virus that must be attached to a program. Of course, networks change this: data is transferred through the network rather than on diskette, but this has yet to change the relative effectiveness of file and boot-sector viruses. This may be because we are still only just entering the stage of networking between organisations, and diskettes are still very common.