October 1989
Computer Fraud & Security Bulletin

COMPUTER VIRUSES: NUISANCE OR CORPORATE THREAT?
This is the first of a two part investigation by Dr Ken Wong of BIS Applied Systems UK.
©1989 Elsevier Science Publishers Ltd

Introduction

The main concern in data security is to prevent potential intruders and untrusted individuals from accessing our corporate data and causing problems to the data's integrity, confidentiality or accessibility. Access control to systems and their data is enforced essentially to allow only those we trust to access the systems to do their work, whilst barring all others from getting through to the data. But illegal code such as a Trojan horse or a virus may be brought into a system unknowingly by trusted individuals. The system could be an application, system software (especially the operating system), or even an access control software package. The more we trust the individual, the more channels and opportunities the virus carrier would have to plant and propagate the illegal code, and the more widespread would be the viral infection before it becomes detected and the true source of origin unravelled.

For instance, it may be difficult to impose company rules to forbid executives and programming staff to bring their work home. Indeed, home working as a practice is expected to be the norm for a majority of the programming work force in future. It would be even more difficult for companies to forbid an employee's teenage children to use his or her home PC. If anything, the adult would tend to encourage such practice to get the younger generation to become more familiar with information technology. And it would be impossible to extend company rules to forbid such young people from using the employee's home PC to play games or run programs obtained from dubious or bootleg sources. If the latter contain a computer virus, soon it will find its way to the company's computer systems. And traditional logical access control is powerless to stop the virus's propagation in the employee's valid system access domain in the company, eventually spreading to those of others sharing system access or common utilities.

Forms of virus transmission

The most common way is through an infected diskette, with the virus originating from an outside source. For instance, an oil company found several of their office Macintosh PCs infected with the nVIR virus, which caused systems to crash and files to disappear. Judicious detective work and careful examination of disk sectors eventually traced the virus back to its outside origin. Apparently a programmer had introduced some game software containing the virus from a public domain electronic bulletin board onto his home PC's hard disk. When he took an office diskette home to work on his programs, the virus was transferred to the diskette. By bringing the infected diskette back to his office, the virus then infected his office PC's hard disk. Then a colleague borrowed the infected office PC to do some work and the virus entered his diskette and eventually another office PC, and so on. There have been other examples of virus transmission through a salesman bringing an infected demonstration diskette from outside into the office. This could be a software diskette returned by a customer, say after a trial, which has become infected by the customer's hard disk containing a virus, or a diagnostic diskette introduced by a service engineer to locate the company's computer problems. In fact the infection process could go through a long chain, causing infection to any system involved in the chain. For example, a software distributor regularly evaluates
software on diskettes supplied to him by software houses. On one occasion, one of these diskettes was unknowingly infected by a virus (this could be the deliberate effort of a hacker posing as a potential customer to software suppliers by obtaining the diskette on trial and then infecting it with a virus before returning it), which unfortunately infected the distributor's hard disk. A computer system supplier then had his system infected when he used one of the programs on the distributor's infected disk. A freelance graphics designer bought an infected system from the system supplier, which then infected his own application software. The application software was then sold to the BBC's interactive TV unit and infected all the PCs in that unit. And everyone involved in the chain could potentially help the virus to propagate to affect other victims. And so it goes on.

Another potential form of virus transmission is through the movement of media passing through an infected PC which is regularly utilized by staff from other business functions, e.g. one with a laser printer installed. If the PC was infected by one of the diskettes introduced into its hard disk by one of the business users, then the infected PC will propagate the virus onto every diskette inserted into the PC afterwards. Increasingly organizations are going towards central distribution of system or application software to remote locations via the corporate network or a shared or public network, or the network support function wanting to download new communication software to remote nodes. A virus in the executable code could find its way to all recipients of the software through electronic communication. Taking this one stage further, one can conclude that mainframes cannot be immune from virus infection. With the trend to go for distributed processing, much of the programming work will be done on PCs or intelligent workstations and then transferred to files on the mainframe to update the central database or program library. Similarly with home working to support program maintenance, write new software or to provide remote diagnostics, mostly using PCs, a virus on the home or remote PC could well find its way to the mainframe computer.

Once introduced into the system, the longer the dormant stage or incubation period of the virus before it manifests itself, the longer it would take to detect the 'electronic graffiti'. By this time the virus would have had plenty of opportunity to propagate and proliferate to other systems coming into contact with the infected system. If the infection becomes widespread then it would be increasingly difficult to eradicate the illegal code from all affected systems and backup media.

Stages of infection

The effort required to eliminate all traces of the virus from an infected PC system depends to a large extent on how extensive the infection is when the virus is detected. If the virus is detected just after it has entered the computer memory of the system from an infected diskette, then only the program which was being executed would have been infected. In that case the virus could be easily removed by simply powering down the system and then rebooting with a clean system diskette. Any diskette which had been introduced to the system since the virus entered would also need to be examined and decontaminated if necessary. If the virus is allowed to go on unchecked, soon it will enter the local diskette or hard disk and will gradually infect more and more programs on that disk. To remove the virus requires the whole disk to be reformatted, with a resultant partial or total loss of data stored on that disk. If the system was backed up prior
to the reformatting process, then all the backup program and data files would need to be closely examined and treated accordingly to avoid the risk of reinfection through a subsequent file restore process using any of the contaminated backup media.

So far the infection process is only confined to a single PC. If the infected PC is connected to a local area network or to a system supporting a number of workstations, some or all of which share common program or data files on the system, then the virus could invade the system connecting the various PCs or workstations.

If the infection is widespread, then all the shared file diskettes and other storage media would need to be reformatted, along with the cleaning up of any of the workstations which have also been infected. An example of such an infection was reported by British Rail in December 1988, when the PC users at its Derby engineering office were hit by the 1813 virus on their Novell local area network. The PCs were found to be running extremely slowly and bits of data were found missing when staff scrolled file data through their screens. Software such as SUPERCALC was suddenly found to be too big to fit into computer memory. The whole network at Derby had to be shut down and all executable files were banned from transmission between machines. All executable files were replaced with new copies from the original master disks. Every diskette and backup cartridge in the Derby office was taken away for examination. This came to a total of 400 diskettes and 20 10-Mbyte data cartridges. Several diskettes were found to have been infected. The source of infection was traced to the original diskette from the software supplier containing the utilities for archiving program files using data compression and for restoring the compressed archive files.

Once the file server is infected, every workstation on the local area network executing any one of the infected programs provided on the file server could become infected. In that case system recovery could be time consuming. Every one of the programs on the server would need to be examined for the presence of viruses. This includes any system utilities, compilers, editors, and all system and application software held on the file server nodes.

Virus species

The viruses discovered so far can be put into four categories:

* boot infector;
* system infector;
* application infector for PCs;
* worm program for networks.
A boot infector attaches itself to the boot sector of a disk and takes control of the system when the PC is booted. It will remain resident in main memory to be in control of the system at all times. The virus will monitor the system's activities by intercepting all system interrupts to look out for any insertion of diskettes into the disk drive to read, write or format the disk. Whenever a diskette is inserted and accessed for the first time, the virus will replicate itself to sector zero of the diskette, thereby displacing the original bootstrap software held there, before allowing the I/O request to be passed to the original disk utility. From then on any system which is booted from the infected diskette will cause the PC to be infected. Common examples of the boot infector virus include the Brain virus originating from Pakistan and the Italian or bouncing ball virus from Turin, Italy. The Brain virus infects by replacing the disk boot sector with its own program code together with an additional 2’/sK of code held in fake bad sectors of the disk. It will also insert a volume label '(C) BRAIN' on the disk with a message "Welcome to the dungeon". In the case of the Italian virus, the virus manifests itself in the form of a dot appearing on the screen. The dot will move in straight lines and bounce off the edges of the screen, or occasionally off the characters displayed. The dot only comes up occasionally and disappears when the system is rebooted. Since boot infectors do not infect executable programs, the virus may be removed by powering down the system and rebooting from the original system diskette. The operating system and the boot sector on all affected disks or diskettes will also have to be replaced.

A system infector attaches itself to one or more modules of the operating system or to a system device driver. This could be the command line interpreter, system I/O routines or special purpose drivers for any nonstandard peripheral device. The virus will gain control after the system is booted, when the operating system is being initialized. From then on it will remain active at all times to watch out for the insertion of a system diskette into one of the PC's disk drives. It will then replicate itself onto the system files. An example of the system infector is the Lehigh virus, which has damaged hundreds of disks in Lehigh University's laboratory. The Lehigh virus has a delay mechanism built into itself to defer damage to the system after initial infection. Every time the virus replicates itself onto a new system, the viral program counter in the virus code is incremented by one. Once the counter reaches four, the virus overwrites the first 50 sectors of the infected disk with zeros, by which time many other disks will also have been infected in the interim period.

The application infector is the most widespread form of virus. It can infect virtually any application program and gains control when an infected program is executed, scanning the system for additional hosts on disk to which a replica of itself can be attached before handing control back to the application program. It attaches itself by replacing the initial instructions of the host program with a new instruction to branch to the virus code first. After the virus program is executed, control is then passed back to the application for execution. The best known examples of application infectors are the 1813 or Hebrew University virus, the 1701/1704 or Hailstorm virus and the nVIR virus. The Hebrew University virus is a dirty virus affecting IBM PCs and compatibles, in that when it proliferates it will not check to see whether the new host has already been infected. Thus a system could find the virus attaching itself again and again to its files whenever it comes into contact, resulting in rapid depletion of usable storage space. Also, as the virus replicates, the system's processing is slowed down dramatically through system resources being channelled to support the replication process. This virus is widely thought to carry a logic time bomb scheduled to go off on any black Friday (i.e. Friday the 13th). So far we have no evidence of any victim's files being corrupted on black Fridays. A virus called Datacrime has recently been detected and again is alleged to be carrying a logic time bomb, scheduled to format the hard disks of victims and destroy the data on the disks of IBM PCs and compatibles in the period between 12 October and 31 December in any year. The Hailstorm virus contains a random number generator which occasionally triggers a 'hailstorm'. The characters on the screen behave as if someone is ungluing them from the monitor and fall to the bottom of the screen in a heap, accompanied by appropriate sound effects from the computer. The temptation of the user would be to switch off the system and hence terminate the data entry or processing mid-stream. This could result in data loss or corruption. In actual fact the virus is harmless and the file data has not been affected by the hailstorm, which merely produces an audio-visual display on the screen. The nVIR virus had its source code published in a book in West Germany in 1988 and as a result a number of budding virus writers have cut their teeth on producing their own variants of the species. The virus causes loss of data and programs, and frequent system crashes.

A worm program differs from a virus in the sense that the worm only replicates itself onto systems without causing data or program corruption to the host's own system. On the other hand, as the worm replicates itself it will slow down the system. Thus, as more and more copies of the worm begin to overload the system or network by occupying otherwise useful storage space, other processing work is squeezed out as the worms multiply, and the system will crash in the end. The Internet worm in November 1988 and the IBM Christmas tree worm in December 1987 have been widely reported in the press. Both exploited weaknesses or loopholes in the system to cause the illegal program code to be transmitted via the electronic mail system to invade remote nodes of the networks. The former crashed 6000 DEC VAX computers and Sun workstations running under the Unix operating system and the latter jammed some 350 000 terminals in IBM's private worldwide electronic mail network.
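The boot, system and application infectors described above all change something on disk that an integrity baseline taken on a clean system can catch: a rewritten sector zero, a program file that has grown, or a program whose first instructions now branch elsewhere. The following Python script is an added example, not code from the bulletin, using constructed byte strings in place of a real boot sector and .COM files; as the text notes for worms, a program that only replicates itself without touching host files leaves no such trace for this check to find.

```python
import hashlib

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"  # trailer every valid PC boot sector carries
JMP_NEAR = 0xE9               # x86 near jump: the branch an infector patches in

def fingerprint(data: bytes) -> tuple:
    """Size, SHA-256 and first byte (entry-point opcode) of an image."""
    return len(data), hashlib.sha256(data).hexdigest(), data[0]

def take_baseline(images: dict) -> dict:
    """Fingerprint every image while the system is known to be clean."""
    return {name: fingerprint(data) for name, data in images.items()}

def check(images: dict, baseline: dict) -> list:
    """List every way the current images deviate from the clean baseline."""
    findings = []
    for name, data in images.items():
        size, digest, entry = fingerprint(data)
        base_size, base_digest, base_entry = baseline[name]
        if digest == base_digest:
            continue
        if name == "boot":
            # boot infector: sector zero rewritten, original bootstrap displaced
            intact = len(data) == SECTOR and data[-2:] == BOOT_SIGNATURE
            findings.append(f"{name}: boot sector rewritten"
                            + ("" if intact else " and malformed"))
            continue
        if size > base_size:  # appended viral code, once per (re)infection
            findings.append(f"{name}: grew by {size - base_size} bytes")
        if entry != base_entry and entry == JMP_NEAR:
            findings.append(f"{name}: entry point redirected to a jump")
        if size == base_size and entry == base_entry:
            findings.append(f"{name}: contents changed in place")
    return findings

# Constructed stand-ins (no real virus code): one boot sector, two .COM files.
CLEAN = {
    "boot": b"\xeb\x3c\x90" + b"\x00" * (SECTOR - 5) + BOOT_SIGNATURE,
    "EDIT.COM": b"\xb4\x09\xba\x0e\x01\xcd\x21\xc3" + b"\x90" * 24,
    "SC.COM": b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 59,
}
BASELINE = take_baseline(CLEAN)

# Simulated aftermath: a label written into sector zero, and EDIT.COM patched to
# jump to an appended body.  The body is 1813 bytes, the growth per infection
# that named the 1813 virus, appended twice because it re-infects its hosts.
INFECTED = dict(CLEAN)
INFECTED["boot"] = b"\xeb\x3c\x90(C) BRAIN" + b"\x00" * (SECTOR - 14) + BOOT_SIGNATURE
INFECTED["EDIT.COM"] = b"\xe9\x00\x00" + CLEAN["EDIT.COM"][3:] + b"\x00" * (2 * 1813)

if __name__ == "__main__":
    for finding in check(INFECTED, BASELINE):
        print(finding)
```

A file that has merely been updated legitimately shows up as well, so the baseline must be re-taken from master disks after every authorised software change.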
In January 1989, a hacker introduced a worm to DEC's international engineering and maintenance network and affected some 6000 VAX computers worldwide, being 20% of the total of machines in the network. The worm was meant to be a prank to commence in the late afternoon of Friday 13 January and to stop the following Monday morning. Unfortunately an error in the input meant the worm will only stop in the year 2089! The worm would attack a file called HICOM on a node to check if it had already been invaded. If not, it would plant itself in the file directory and instruct the node to execute the worm program every 15 seconds to attack other nodes in the network, to the exclusion of doing otherwise useful work. At the same time the worm would report its own whereabouts to a node in Australia before moving on. DEC put a call trace on the network and eventually tracked down the source of the worm to the west coast of the USA. All the infected computers had to be cleaned up afterwards, with individual service disruptions ranging from two days to a week for each node infected.

Ken Wong

Ken Wong continues his investigation into the computer virus phenomenon in our November issue. Orders for the Computer Virus Handbook by Dr Harold Joseph Highland are being taken by: Ann Barnett, Elsevier Advanced Technology, Mayfield House, 256 Banbury Road, Oxford OX2 7DH, UK. Price: £85/$153.

PREVENTING VIRAL INFECTION

As you are reading this you are already taking the first steps to prevent a virus attack - you are giving the problem serious consideration. Prevention of attack can be split into two categories: business controls; and technical controls.

Proper consideration of each increases computer security. The usual and most productive route for you to prevent infection, and indeed generally increase your computer security, is first to consider how business controls can help you. You can then augment these with technical controls: it is better to have strength in depth. It is recommended that any organization which uses computers should formulate a