Computers & Security, 16 (1997) 412-415
A History Of Computer Viruses - Introduction
Harold Joseph Highland FICS, FACM, Editor-in-Chief Emeritus
Editor's note: The following series of articles are taken from Harold's Computer Virus Handbook, published by Elsevier Advanced Technology in 1990. Viruses have moved on a long way since then, but the extracts published here provide a useful background in virus development, and contain much information that is still relevant today. It is also interesting to note that Harold introduces the Macro Virus concept a few years before it became more widely identified as a major problem.

In this section we shall present detailed information about a number of computer viruses, specifically when and where the virus was found, how it behaved and a technical report on how it works, as well as other related information. We had hoped to present these data in historical perspective. However, it is too early to prepare a comprehensive history of computer viruses.

This volume is about DOS computer viruses, that is, computer viruses that have been found in systems using either IBM-DOS or MS-DOS. No attempt has been made to cover the many other viruses that have surfaced to infect Macintosh microcomputers. Nor are any of the VAX viruses included. Furthermore, although we shall include detailed data about a number of viruses, we are not willing to 'put into print' some of the material and purported research reports currently available. So that the reader is better able to understand our viewpoint, we shall elaborate on some of the problems prior to the detailed reports about specific viruses.

A Matter of Definition

First, there is the question of a definition of a computer virus. There is currently no agreement in the computer community. To the general reader the differences may appear slight, but to the technician they are major.

There are many who consider computer viruses as the offspring of Dr. Frederick B. Cohen. He created a virus, as part of his doctoral thesis, in an effort to find ways to defend computer systems from self-replicating programs. There are others who claim that computer viruses existed well before 1984, when Dr. Cohen did his research. The debate about the appearance of the first virus will probably continue far into the future. Currently it does not appear likely that computer scientists will agree upon an 'official' definition of the term.
© Compulit, Inc., 1989. All rights reserved.
0167-4048/97$17.00 © 1997 Elsevier Science Ltd
Dr. Cohen first made his research public at the 1984 National Computer Security Conference. He made his findings known to an international audience during his presentation that same year at the International Federation for Information Processing Computer Security Conference in Toronto, Canada, IFIP/Sec '84. That conference was sponsored by IFIP Technical Committee 11, responsible for information processing security. It was attended by several hundred computer security specialists from all over the world. We often tell our lecture audiences about the reaction to his presentation at that meeting.

Later in the day, after Dr. Cohen presented his paper, we met with several computer security directors from Europe and Asia. Most of them felt that Dr. Cohen's report was interesting but esoteric. One security director from a major multinational corporation remarked that it was most interesting to him that an American university would provide a young man with a laboratory "to play games." He could see no "practical" application of the research and felt that it too would disappear among the many "useless, academic studies."

Dr. Cohen's reports, made in the United States and Canada, received little, if any, coverage in the European press. It was not until a presentation by Rüdiger Dierstein of the Deutsche Forschungs- und Versuchsanstalt für Luft- und Raumfahrt [DFVLR] at SECURICOM in Paris the next year that the European press began to report about computer viruses.

Is It Really a Virus?

We have followed a conservative approach to the acceptance of computer virus claims. Unless we have been able to obtain a copy of the virus, disassemble it and see it in action, we have steadfastly refused to accept unsupported claims made by others.

For example, early in 1988 one of the anti-virus product producers reported that he had found a new computer virus that "destroyed" the hard disk. To obtain additional information I spoke a few weeks later with the individual who had reported the 'virus' to him. The 'virus' had appeared several months earlier on her system. What she found was that when backing up a file to a floppy disk using the DOS COPY command, or even using her text editor, the backup copy was sometimes incomplete: part of the copy just vanished. Having read about the producer's appeal to report computer viruses, she telephoned him. At his request she sent him a copy of her hard disk.

During our conversation she admitted that she had not reformatted her disk and reloaded it with clean programs. Almost five months after the press ran the producer's report she was still operating as before. She still encountered the difficulty at infrequent intervals. Because the 'virus' was found only at one site and not reported elsewhere, we filed that report for future consideration.

Because we were busy with other viruses, we did not find time to follow up that story for many months. However, on November 14, 1988, Dr. P. M. Adams of the Computer Science Department of Nova University [Florida] issued a research report, "Hardware-Induced Data Virus: Floppy Diskette Controller Design Flaw." In it he explained that there was a basic flaw in INTEL's chip 8272A that had been used on the floppy disk controller board in roughly 25 million microcomputers. According to Dr. Adams, INTEL had sent a release on May 2, 1988 to its customers stating:

"It has been found that the 8272A cannot detect a DMA underrun on the last byte of a write operation to a sector. If the 8272A is pre-empted during a DMA [1] transfer, and an overrun occurs on the last byte of a sector, the following occurs: the underrun flag does not get set, the last byte written to the disk is made equal to the previous byte written and CRC [2] is generated on the ALTERED data. The result is that INCORRECT DATA is WRITTEN to the disk and VALIDATED by the 8272A."

[1] DMA is direct memory access, a technique that allows peripheral devices to gain direct access to the microcomputer's main memory. This causes the processor to stop all activity along a bus, a communications line along which the data are transmitted - HJH

[2] CRC is cyclic redundancy check, a method used for detecting errors in the transfer of data - HJH

Although we do not agree with Dr. Adams's use of the term "hardware-induced data virus," it appears likely that the earlier reported 'virus' may well have been a hardware defect. In any event the so-called virus had not destroyed her hard disk.

The Numbers Game

An oft-repeated question by the press during an interview with anyone working with computer viruses is "How many computer viruses are there?" An answer that we are not certain, but we have 15 in our laboratory, sends the interviewer off to find a 'better' source.

There appears to be a competition among some working in the computer virus field to announce a greater number than anyone else. One researcher who distributes his findings on a bulletin board announced that he had collected and examined 48 computer viruses. Another, whom we heard at a conference in the late spring of 1989, told the audience that he had already collected more than 160. It appears that the more computer viruses one can list, the greater an authority he is on the subject.

There are viruses and there are often mutations of these viruses. For example, one attribute of the Brain virus is to write "Brain" as the label on an infected disk. If another virus is found that writes "HA-HA" as the disk label but is identical in every other respect, does one count this as "a new" virus? The code of both is the same, but only five ASCII characters have been changed.

We deal with these mutations in a simple way. So long as critical code in the virus has not been altered, we call the other virus a variant or mutant. On the other hand, many researchers have taken an easier way out. If there is any change, no matter how slight, they count the other as a new virus. The policy we have followed thus far leads to some problems.

For example, a virus that will attack all .COM programs except COMMAND.COM appears in an altered form so that even COMMAND.COM is attacked. Although the modification of the code of that virus is no more difficult than the change of the label name, this altered form is different. The action of the virus has been modified.

Similarly, if a virus that attacks only 5 1/4-inch floppy disks appears so that it is capable of attacking a hard disk drive, do we consider it to be a new virus?

We feel that so long as any two viruses have identical code and do not behave differently, they are variants of the original virus. However, if their actions have been modified they should be classed as a new form of the original virus. We are not interested in amassing numbers. However, we feel that a logical, scientific approach to virus taxonomy is needed.

Virus Identification

Each time a virus appears in a new location, the finder often believes he has a new virus. When we received a virus from an associate in the Middle East we accepted the name as the Ping-Pong virus. Our first reports from England late in 1988 about that virus called it the Italian virus. Later some researchers there renamed it as the "1803" virus. Since then we have seen it called the Bouncing Ball virus and the Turin virus.

The virus specialist who does not have a copy of this virus and/or is unable to confirm that the versions are identical is too often misled. He is likely to consider them different viruses, counting each as a separate virus. Even if he goes through the many reports from the different centres he might not be fully informed.

Most serious researchers have called for a protocol whereby specialists in different parts of the world can compare the viruses they have without the need to send the actual virus and/or its disassembled code. Most are reluctant to send either for fear of spreading the virus. Making source code or a copy of a disk with a virus available is dangerous. It takes little effort on the part of a skilled programmer to modify the trigger and/or action portions of a virus once one has a workable copy.
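The failure mode in the Intel release quoted above, under "Is It Really a Virus?", is worth seeing in code: the controller computes the CRC over the sector as it actually reaches the medium, so a byte corrupted before the CRC is generated is "validated" on every later read. The simulation below is an added example written for this edition; it is not code from the original article, from Intel or from Dr. Adams's report. It models the write path exactly as the release describes it and assumes the CRC-16-CCITT used on 765-family data fields (polynomial 0x1021, initial value 0xFFFF; the address-mark bytes that the real data-field CRC also covers are omitted), a constructed 512-byte sector, and the hypothetical names FlawedFDC, write_sector, controller_verify, host_verify and simulate.

```python
"""Model of the 8272A last-byte DMA underrun flaw: CRC generated over altered data."""
from typing import Tuple


def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    """CRC-16-CCITT, MSB first (x^16 + x^12 + x^5 + 1).

    Assumption: init 0xFFFF and no address-mark bytes; close enough to the 765 family
    to show the point, which does not depend on the exact polynomial."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


class FlawedFDC:
    """Hypothetical model of the 8272A write path described in the quoted Intel release."""

    def __init__(self) -> None:
        self.underrun_flag = False  # the status bit a driver would check after the write

    def write_sector(self, host_buffer: bytes, preempted_on_last_byte: bool) -> Tuple[bytes, int]:
        """Return (bytes as written to the medium, CRC the controller appended).

        The flaw: if DMA is pre-empted on the last byte, no underrun flag is raised,
        the last byte is repeated from the previous one, and the CRC is generated
        over the ALTERED data, so the bad sector looks valid to the controller."""
        on_disk = bytearray(host_buffer)
        if preempted_on_last_byte:
            on_disk[-1] = on_disk[-2]
            # self.underrun_flag deliberately stays False: that is the defect
        return bytes(on_disk), crc16_ccitt(bytes(on_disk))

    def read_sector(self, on_disk: bytes, stored_crc: int) -> Tuple[bytes, bool]:
        """Read back: the controller can only check stored CRC against stored data."""
        return on_disk, crc16_ccitt(on_disk) == stored_crc


def controller_verify(fdc: FlawedFDC, on_disk: bytes, stored_crc: int) -> bool:
    """A CRC-only read-verify, which is all the controller itself offers."""
    _, crc_ok = fdc.read_sector(on_disk, stored_crc)
    return crc_ok


def host_verify(fdc: FlawedFDC, host_buffer: bytes, on_disk: bytes, stored_crc: int) -> int:
    """End-to-end check: compare the read-back bytes with what the host meant to write.
    Returns the offset of the first mismatch, or -1 if the sector is intact."""
    data, _ = fdc.read_sector(on_disk, stored_crc)
    for offset, (want, got) in enumerate(zip(host_buffer, data)):
        if want != got:
            return offset
    return -1


# Constructed 512-byte sector whose last two bytes differ, so a duplicated last byte shows.
SECTOR = bytes((i * 7 + 3) & 0xFF for i in range(512))


def simulate(preempted_on_last_byte: bool) -> dict:
    """Write SECTOR through the flawed controller and report what each check sees."""
    fdc = FlawedFDC()
    on_disk, stored_crc = fdc.write_sector(SECTOR, preempted_on_last_byte)
    return {
        "underrun_flag": fdc.underrun_flag,
        "crc_ok": controller_verify(fdc, on_disk, stored_crc),
        "first_bad_offset": host_verify(fdc, SECTOR, on_disk, stored_crc),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("pre-empted" if flag else "normal    ", simulate(flag))
```

In the pre-empted case the controller reports no underrun and a good CRC, and a read-verify that only re-checks the CRC agrees with it; only a read-back compared byte for byte against the original host buffer finds the duplicated last byte at offset 511. The lesson outlives the 8272A: an integrity check generated after the point of corruption can only attest to the corrupted data, so a verify step worth the name must compare against a value computed at the source.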
There have been calls by researchers to establish a central clearing house for computer viruses. In most cases the researcher feels that his site should serve as that center. We have long felt that there is need for a method by which researchers can exchange information without sending the actual virus and/or the disassembled code. Charles M. Preston, a computer security specialist and virus researcher in Anchorage [Alaska], and we have discussed the need for creating a computer virus directory. That directory would provide specific information about each virus; among some of the data would be:

its size in number of bytes,
the medium which it attacks,
a hexadecimal or ASCII checksum of its actual code,
the signature, if any, that the virus uses to avoid reinfection,
a listing of ASCII strings in the viral code and their location, and
detailed information about the replication procedure, the trigger mechanism, and action taken.

Source of Virus Data

In line with the conservative policy we have followed since the computer virus explosion in late 1987, we have included virus analysis in the following few sections based on the following sources:

[1] Computer viruses we have in our laboratory. These viruses have been received from sites that have been attacked as well as from associates in different parts of the world. In addition to our own analysis we have supporting information from Bill Kenny, a highly-skilled programmer and analyst with Digital Dispatch Inc. of St. Paul [Minnesota], and Dr. Jon David of Systems Research and Development of Tappan [New York]. We should also acknowledge the assistance from several computer security specialists in different parts of the world, ranging from Australia to the United Kingdom to Finland and Sweden.

[2] Substantiated reports from reliable researchers. Although we have a number of computer viruses and mutations, we do not physically have copies of all the viruses that have been found in the world. Many researcher reports cannot be confirmed, and others have analyses of viruses that do not conform with our findings; these were not used.

[3] Finally we should note that the material presented in the section of laboratory viruses has come from sources that cannot be publicly identified. In each case, however, we have thoroughly examined the data and investigated the integrity of the source.
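The directory entry proposed under "Virus Identification" (size, medium, checksum, reinfection signature, ASCII strings with their locations) and the variant test from "The Numbers Game" (same code with only a few ASCII characters changed is a variant; a modified action is a new form) can be made concrete together. The following is an added example for this edition, not code from the original article or from the Highland/Preston directory proposal. It assumes SHA-256 as the "hexadecimal checksum" (any stable hash would do), runs of four or more printable ASCII bytes as the "strings", the hypothetical names describe, find_strings, classify, carries_marker and render, and three constructed byte blobs CODE_A, CODE_B and CODE_C that stand in for virus bodies and contain no real code.

```python
"""Virus directory entry and variant classification (added example, constructed samples)."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a "string" is a run of four or more printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


@dataclass
class DirectoryEntry:
    size: int                        # its size in number of bytes
    medium: str                      # the medium which it attacks (recorded by the analyst)
    checksum: str                    # hexadecimal checksum of its actual code (SHA-256 here)
    signature: Optional[bytes]       # the marker it uses to avoid reinfection, if any
    strings: List[Tuple[int, str]]   # ASCII strings in the viral code and their location
    masked_checksum: str             # checksum of the code with the string regions zeroed


def find_strings(code: bytes) -> List[Tuple[int, str]]:
    """(offset, text) for every printable run, so two analysts can compare without the sample."""
    return [(m.start(), m.group().decode("ascii")) for m in PRINTABLE_RUN.finditer(code)]


def describe(code: bytes, medium: str, signature: Optional[bytes] = None) -> DirectoryEntry:
    strings = find_strings(code)
    masked = bytearray(code)
    for offset, text in strings:
        masked[offset:offset + len(text)] = bytes(len(text))  # zero out the text, keep the code
    return DirectoryEntry(
        size=len(code),
        medium=medium,
        checksum=hashlib.sha256(code).hexdigest(),
        signature=signature,
        strings=strings,
        masked_checksum=hashlib.sha256(bytes(masked)).hexdigest(),
    )


def classify(a: DirectoryEntry, b: DirectoryEntry) -> str:
    """Apply the article's rule: unchanged critical code is a variant, changed action a new form."""
    if a.medium != b.medium:
        return "new form"   # the action has been modified (e.g. floppy-only to hard disk)
    if a.checksum == b.checksum:
        return "identical"
    if a.size == b.size and a.masked_checksum == b.masked_checksum:
        return "variant"    # only ASCII text differs, as with the "Brain" / "HA-HA" label
    return "distinct"       # non-string bytes differ: the code itself was altered


def carries_marker(target: bytes, entry: DirectoryEntry) -> bool:
    """A scanner can reuse the reinfection marker: if present, the target is already infected."""
    return entry.signature is not None and entry.signature in target


def render(entry: DirectoryEntry) -> str:
    """Text form of the entry, which can be exchanged instead of the sample itself."""
    lines = [
        f"size: {entry.size} bytes",
        f"medium: {entry.medium}",
        f"sha256: {entry.checksum}",
        f"signature: {entry.signature.hex() if entry.signature else 'none'}",
    ]
    lines += [f"string @{offset:#06x}: {text!r}" for offset, text in entry.strings]
    return "\n".join(lines)


# Constructed stand-ins for virus bodies: opaque bytes around two ASCII strings, no real code.
CODE_A = (b"\xeb\x1c\x90" + bytes(range(0x80, 0x90)) + b"Brain" + bytes(range(0xa0, 0xa5))
          + b"(constructed sample, no real code)" + bytes(16))
CODE_B = CODE_A.replace(b"Brain", b"HA-HA")                        # five ASCII characters changed
CODE_C = CODE_A.replace(bytes(range(0xa0, 0xa5)), b"\xa0\xa1\xa9\xa3\xa4")  # one code byte changed

if __name__ == "__main__":
    a = describe(CODE_A, "5 1/4-inch floppy", signature=CODE_A[:3])
    print(render(a))
    print("A vs B:", classify(a, describe(CODE_B, "5 1/4-inch floppy")))
    print("A vs C:", classify(a, describe(CODE_C, "5 1/4-inch floppy")))
    print("A vs A on hard disk:", classify(a, describe(CODE_A, "hard disk")))
```

The masked checksum is the part that does the work: it lets two sites agree that their samples differ only in a label without either site mailing a live copy, which is the exchange the article asks for. The rule is still only a heuristic for "critical code": a change hidden inside a string region (a shell command in text form, for instance) would be masked out too, so a "variant" verdict is a reason to compare disassemblies, not a substitute for doing so.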