NCSL BULLETIN
             Advising users on computer systems technology
                              August 1990

NCSL Bulletins are published by the National Computer Systems Laboratory
(NCSL) of the National Institute of Standards and Technology (NIST).  Each
bulletin presents an in-depth discussion of a single topic of significant
interest to the information systems community.  Bulletins are issued on an
as-needed basis and are available from NCSL Publications, National
Institute of Standards and Technology, B151, Technology Building,
Gaithersburg, MD  20899, telephone (301) 975-2821 or FTS 879-2821.  If you
wish to be placed on a mailing list to receive future bulletins, send your
name, organization, and address to this office.

The following bulletins are available:

      Data Encryption Standard, June 1990

      Guidance to Federal Agencies on the Use of Trusted Systems                 
       Technology, July 1990


Acknowledgements
John P. Wack, NIST, and Stanley A. Kurzban, IBM, are the principal authors
of this bulletin.  NIST appreciates the contribution of Mr. Kurzban, of
IBM's System Research Education Center, whose paper, "Computer Viruses and
Other Self-Copying Programs," is the basis for this bulletin.  Mr.
Kurzban's paper was based on an earlier, longer article [1].

This paper was developed in cooperation with the Computer and
Telecommunications Security Council, a technical group sponsored by NIST
to help identify and develop key issues affecting the computer security
community in both government and industry.  NIST acknowledges in
particular the efforts of William J. Murray and Donn Parker, who
contributed to earlier drafts of this paper.



COMPUTER VIRUS ATTACKS

by John P. Wack and Stanley A. Kurzban

INTRODUCTION

This paper discusses computer viruses and other related threats and their
impact on computing.  Much has already been written about computer viruses
and how to deal with them; this paper attempts to highlight some of the
issues surrounding the computer virus phenomenon that have been at times
overshadowed by the extensive media attention and reactive mode forced
upon many security professionals.  The main issue that this paper brings
forth is that despite current advice and controls, computer viruses may
continue to be a serious problem.  Larger, more complex issues regarding
computer security may have to be addressed if the situation is to get
better.

This paper is intended for management and those who need basic information
about computer viruses and related threats.  "Statement of the Problem" is
a brief overview of computer viruses and related threats, dealing mainly
with terminology.  "What Can Be Done Now" describes current
recommendations for preventing computer viruses.  "Problem Extent and
Future Impact" focuses on the extent to which viruses have affected
computing and whether current recommendations for dealing with viruses
will be adequate in the future.


STATEMENT OF THE PROBLEM

Computer viruses are program segments that copy versions of themselves
into programs (targets) and thereby convert the targets into vehicles for
further propagation.  Viruses usually spread from program to program
within a single system by thus reproducing every time any infected program
runs.  Moreover, they can spread from system to system whenever an
infected program is introduced into another system.

As society now employs an increasing number of microcomputers to perform
many complex and sensitive operations, it is interesting to note that all
computer viruses found outside of controlled experiments have run only on
microcomputers.  Several factors may be relevant:

      o     Computer viruses are attractive vehicles of malice or
            profitless harm, and many malicious people may be presumed to
            have more access to microcomputers than larger systems.

      o     The uses for microcomputers have become more varied and
            sensitive, yet their system architectures (and absence of
            security mechanisms) have not changed appreciably.  However,
            security measures have continued to evolve on larger systems,
            which are far more likely to be shared by many people.

      o     Users of microcomputers often view the need for measures that
            prevent or deter such things as viruses from program
            modification as unnecessary or inconvenient on single-user
            systems, whereas similar measures are usually embedded in
            larger systems.

      o     Microcomputers are often shared and serially reused in many
            environments without effective safeguards against viral
            infection.

      o     Sharing of program-containing media is far more common on
            microcomputers than on larger systems.

It should not be assumed that larger systems are immune to computer
viruses and related threats.  Rather, whatever actions a virus may effect
on a microcomputer could be possible on a larger system.

The term, "computer virus," has often been used imprecisely to refer to
Trojan horses, worms, and logic bombs.  More precise definitions of these
terms are:

A Trojan horse [2] is a program that conceals harmful code.  A Trojan
horse usually resembles an attractive or useful program that a user would
wish to execute.

A logic bomb [16] is code that checks for a certain set of conditions to
be present.  If these conditions are met, it may cause sudden and
widespread damage.  A time bomb is a logic bomb that is triggered by a
certain date or time.  Since a logic bomb is presumably something that a
person would not wish to execute, it is likely to be concealed, that is,
in a Trojan horse.

A worm [3] is a self-contained program that copies versions of itself
across electronically connected nodes.  The Internet worm [4] and the
CHRISTMA EXEC [5] are two examples of worms, not computer viruses
(however, the CHRISTMA EXEC required some user interaction to spread and
possessed aspects of a Trojan horse).

A virus [7] is code that plants a version of itself in any program it can
modify.  The virus may append or otherwise attach itself such that the
program executes after the virus code, making it appear as if the program
were functioning as usual, or the virus may overwrite the program such
that only the virus will function.  A Trojan horse program could initiate
the spread of a virus, as could a worm.

In addition to propagation mechanisms, viruses and worms have "missions,"
for example, to cause harm via a logic bomb.  Note that the existence of a
mission does not necessarily connote harm [6].  In theory, it could be
beneficial (the concept of a worm was introduced [3] in the context of a
useful application).  Since we deal here with "attacks," however, we
assume that every virus and every worm is harmful.

Note that the potential for harm from a computer virus is great because:

      o     Viruses can spread from program to program within systems and
            from system to system without limit.  (Worms can do the latter
            as well.)

      o     It is extremely difficult, if not impossible, to trace a virus
            back to its creator, so fear of punishment is unlikely to
            restrain anyone who looses a virus.

      o     A virus or worm or Trojan horse can contain virtually any type
            of harmful code, and such code can be extremely difficult to
            identify in advance as harmful.

      o     The only foolproof defense against them is to use no software
            with any function that is not thoroughly understood by the
            user.  However, that is not practical; use of programs whose
            working is not thoroughly understood is the very cornerstone
            of computers' value. 


WHAT CAN BE DONE NOW

The most important defense against any harm that software might do is
prudent acquisition and use of software.  Unfortunately, in the case of
computer viruses, one cannot fault most victims, as they simply trusted
that the software they used did not contain harmful code (unfortunately,
victims bear the onus of having been sloppy with regard to security, which
is not true in all cases).  As a consequence, the threat of viruses now
makes it prudent to avoid placing any degree of trust in software unless
one has been reasonably careful in acquiring it from a reliable source. 
At the same time, viruses have been found in shrink-wrapped diskettes and
the size or reputation of a software house is not a guarantee of
protection.

Anti-viral software may be of significant assistance in verifying whether
software is safe to use and preventing viruses and related threats from
causing damage.  There are three types [12] [13]:

      1.    Preventive software may prevent viruses from spreading within
            systems by placing barriers in the path of program
            modification.  The barriers might be controls such as common
            access control or encryption of programs or unbypassable
            messages to users whenever program modification is attempted.

      2.    Detective software monitors events in a computer and reports
            suspect ones to the user.  While program modification is one
            such event, so too are many others, like modification of
            system control blocks, that have been used by known viruses.

      3.    Virus-specific, or scanning software simply tests for the
            occurrence of signatures of known viruses (a signature being a
            string of bits known to occur in a virus and to be relatively
            unlikely to occur elsewhere by chance).

Some drawbacks associated with anti-viral software are (1) virus-specific
software may fail to detect viruses more recent than the software and (2)
detective software may fail to detect some viruses that are already
resident in memory when the software is loaded.  However, known viruses
have survived for many years and have infected systems in very widely
distributed systems; most damage that has been done to date has been done
by viruses that had first been detected and studied long before the damage
in question was done.  Thus, anti-viral software can protect systems from
this large body of known viruses, while at the same time providing a level
of deterrence against newer viruses.

The next step in defense lies in protection against damage that might be
caused by harmful code carried within viruses.  In its most simple form
this means regular backups of data; in more evolved forms it includes
system maintenance, physical security, risk analysis, contingency plans,
and teams of experts who can respond quickly to virus attacks.  Depending
on the environment, these measures can be employed in varying degrees,
with backup being the most important.

What is clear about viruses is that they have not so much created new
vulnerabilities as they have exposed and exploited long-standing ones,
with the arguable exception being modification of programs on personal
computers [14].  Thus, prudence in acquiring software combined with
measures such as described here can provide a significant level of
deterrence and thus protection from viruses and related threats.


PROBLEM EXTENT AND FUTURE IMPACT

While current measures for dealing with computer viruses have proven to be
effective, one should not be left with the impression that the problem of
viruses has been solved or that by using these measures one can eliminate
viruses.  Evidence shows that the numbers of new viruses and virus
incidents are increasing each year and that viruses are becoming more
sophisticated and malicious.  Moreover, most victims continue to be hit by
"older" viruses that are well understood and for which detectors and
vaccines have been developed.  Governmental and commercial organizations,
academia, and users have all responded in some form to the problem [8],
[9], [10], [11], however, specialized defenses are still in their infancy
[15].  This situation, combined with the factors of increased dependence
on computers and more variety and complexity in software (making its
quality and trustability more difficult to ascertain), could result in
well-orchestrated incidents of harmful software's wreaking havoc.

An unfortunate aspect of computer viruses is that they cannot be assumed
to have been eradicated until there are no suitable remaining "hosts"
(computers) for the software to infect.  The microcomputers in widespread
use do not contain built-in security measures such as those on larger
systems, thus the preventive measures for viruses and related threats
depend on users' willingness to purchase, install, and use them. 
Moreover, the process of educating users and helping them to be more aware
of the problem is slow, and people are, as in other things, prone to
lapses of good judgment where computer security is concerned. 
Consequently, there is no reason to assume that current defenses against
viruses will be generally more effective in the future than they are at
present.

Perhaps as part of the effort to develop better defense measures, we need
to change our attitudes towards the use and abuse of computer systems.  We
need to understand that computer crime is no different from theft, damage
to property, or fraud.  We need to understand that viruses alone are not
the problem, but rather the authors of viruses.  These individuals have
caused significant damage to systems and data, but they have possibly
caused more damage to the fabric of society's trust in the usefulness of
computing.  If people are unable to use programs without fear that those
programs may do more harm than good, then the entire foundation of useful
computing is undermined.  People who write viruses are doing a vast
disservice to the computing profession; they are not computer
professionals, hackers, or "whiz kids," they are at best criminals and
vandals.  We need to instill that message into the rest of society.

At the same time, computer users should continue to learn more about
viruses and how to prevent them.  We need to promote the use of current
defense methods and measures as applicable, and support efforts for
systems and measures that offer better security and integrity.  We need to
understand that the solution to the computer virus problem is complex,
involving many issues that fall under the broad category of computer
security.  With this attitude, we need to continue our use of computing
systems, given reasonable safeguards and protection, to accomplish
purposeful and useful aims.


REFERENCES

[1] Kurzban, Stanley A., "Viruses and Worms--What Can You Do?," ACM SIG
Security, Audit, & Control, Volume 7 Number 1, Spring 1989.

[2] Anderson, James P., "Computer Security Technology Planning Study,"
ESD-TR-73-51, Volumes I and II, USAF Electronic  Systems  Division,
Bedford,  Massachusetts, October 1972.

[3] Shoch, John F., and Jon A. Hupp, "The Worm Programs--Early Experience
with a Distributed Computation," Communications of the ACM Volume 25,
Number 3 (March 1982), Pages 172-180.

[4] Spafford, Eugene H., "The Internet Worm: An Analysis," Purdue
Technical Report CSD-TR-823, November 28, 1988.

[5] McLellan, Vin, "Computer Systems Under Siege," The New York Times,
January 17, 1988.

[6] Murray, William H., "Epidemiology Application to Computer Viruses,"
Computers and Security, Volume 7, Number 2, April 1988.

[7] Cohen, Fred, "Computer Viruses," Proceedings of the 7th DoD/NBS
Computer  Security Conference 1984, Pages 240-263.

[8] International Business Machines Corporation, "IBM Systems Security,"
Programming Announcement 289-581, October 24, 1989.

[9] White, Steve R., David M. Chess, and Chengi Jimmy Kuo, "Coping with
Computer Viruses and Related Problems," Research Report Number RC 14405,
International Business Machines Corporation, Yorktown Heights, New York,
1989; adapted and distributed as "Coping with Computer Viruses and Related
Problems," Form G320-9913, International Business Machines Corporation,
September 1989.

[10] National Computer Security Center, "Proceedings of the Virus
Post-Mortem Meeting," Fort George G. Meade, Maryland, November 8, 1988.

[11] Wack, John P., and Lisa J. Carnahan, "Computer Viruses and Related
Threats: A Management Guide,"  NIST Special Publication 500-166,  National
Institute of Standards and Technology, August, 1989.

[12] McAfee, John, "The Virus Cure," Datamation, Volume 35, Number 4,
February 15, 1989, Pages 29ff.

[13] Marc Adler, "Infection Protection: Antivirus Software" PC Magazine,
April 25, 1989, Pages 193ff.

[14] Denning, Peter J., "Computer Viruses," American Scientist, Volume 766
(May-June 1988), Pages 236-238.

[15] Pozzo, Maria M., and Terence E. Gray, "An Approach to Containing
Computer Viruses," Computers and Security, Volume 6, Number 4, August
1987.

[16] Spafford, Eugene H., Kathleen A. Heaphy, and David J. Ferbrache,
"Computer Viruses - Dealing with Electronic Vandalism and Programmed
Threats," ADAPSO Software Industry Division Report, 1989, Page 8.