Viruses on the Internet: Death by a Thousand Cuts?

Network Security 1997 Conference

Copyright Allan G. Dyer
MHKCS, MIAP, AIDPM, MSc. (tech), B.Sc.
adyer@yuikee.com.hk
Yui Kee Co. Ltd.

Limited permission is granted to print this document for personal use.

Abstract

Viruses have been a threat to PC users for ten years. The prophecies of doom have not come true, but the claims that viruses are urban myths, similar to the stories of alligators in the New York sewers, are also false. What lessons can we learn from the last ten years, and how will the explosion in Internet use and technology affect the future? This talk looks at the state of the virus problem today, the costs of effective and ineffective protective measures, and the impact of the upsurge in Internet use and of new virus types on the threat level.
Introduction

Since the beginning of the virus problem, there have been many inaccurate claims and predictions. In 1988, Peter Norton claimed computer viruses were "an urban myth", similar to the stories of alligators in the New York sewers. We were warned about widespread destruction on Friday 13, 1988, and the end of computing as we knew it on March 6th 1992. Polymorphic viruses spelled doom for virus scanners in 1992. The end of the virus problem was predicted with the advent of new, secure 32-bit operating systems. In August and September 1996, another disaster was predicted. All of these claims were found to be untrue, so people are, rightly, skeptical about media reports on viruses. However, one point is clear: viruses are not about to disappear, they are causing small problems on thousands of machines around the world, and that is likely to get worse.

We now stand before another change. Just days before I wrote this paper, a new virus using new techniques was discovered. Already, one antivirus developer has made a press release warning about it. It might spread like wildfire, or it might prove to be of minor importance. We will consider the implications of this in detail later, but first, a brief recap of computer virus basics.

Virus Basics

Dr. Frederick Cohen made the definition, "A virus is a program that can 'infect' other programs by modifying them to include a, possibly evolved, version of itself." [1] This definition has practical flaws [2], so, for the purposes of this talk, a virus is a program that meets Dr. Cohen's definition AND was deliberately designed to replicate.

[1] Frederick B. Cohen, 'A Short Course on Computer Viruses', second edition, Chapter 1, John Wiley & Sons Inc. (1994).
[2] 'Frequently Asked Questions on Virus-L/comp.virus', Release 2.00, section B1, maintained by Nick FitzGerald (1995).
Viruses become common and die out; some viruses that were a major problem a few years ago are now (almost) never seen. This is not, I am afraid to say, because antivirus software has been successful at killing them off, but because the environment that allowed them to spread has disappeared. [3] The Brain virus infected floppy disk boot sectors but not hard disks; it disappeared when hard disks became common and people stopped regularly booting from floppies. Many file viruses became less common when Windows became popular, because they could not infect the New Executable file format correctly, or they caused other incompatibility problems in Windows. The Stoned virus has also declined, because it does not infect 3.5" diskettes correctly, so as 5.25" drives disappeared, so did Stoned.

It is, therefore, useful to classify viruses by the environment they require: boot sector viruses require a PC/BIOS compatible machine, the old file viruses require DOS interrupt compatibility, and the DIR II cluster virus requires a FAT partition. Does this mean that all viruses will die out as we move away from these old standards? Of course not. There are a few viruses for Windows executables and we have already seen the first Windows 95 virus. Most importantly, there are new environments that the virus writers can try to exploit. The Microsoft Word macro viruses are the most obvious example of this, and Microsoft's intention to make Visual Basic for Applications (VBA) a cross-application language widens the possibilities for virus writers.

[3] Steve R. White, 'Computer Viruses: A Global Perspective', Proceedings of the Virus Bulletin Conference, pp. 165-181 (1995).

Viruses Spreading

In order for a virus to spread successfully, there must be a sufficiently large susceptible population, and a route for the virus to move between machines.
Although it is technically possible to write an NLM virus, we do not expect one to cause a big problem because Netware administrators do not exchange NLMs frequently. In the DOS environment, conditions are excellent for the spread of viruses: there are millions of potential victims, and exchange of programs and diskettes is common. If we look at the same criteria for Word macro viruses, the Word environment is very common, and people exchange Word documents far more than they exchange binary programs or diskettes. Clearly, the virus problem is negligible for Netware NLMs, very big for DOS and even bigger for Word macro viruses.

Virus Writers

But, for there to be a virus problem in the first place, there must be people writing them. The number of virus writers for a particular environment can be related to the availability of the environment, and the availability of programming tools and information. There have been thousands of DOS file viruses written because every copy of DOS contains the basic tool required, DEBUG, and a great deal of information on DOS internals is cheaply available. Only a few native Windows viruses have been written; it is more expensive to get the tools to create Windows executables and difficult to get the internal details of Windows required. Word macro viruses increase the potential number of virus writers. Everyone who has a copy of Word has the tools to create a macro virus, and they do not have to understand Assembler, they can use Basic. A well-intentioned IT Manager can inadvertently modify an existing macro virus while attempting to see what it does. If viruses are seen as something that can be toyed with at leisure, there is always a danger that the exploration might be taken too far. [4]

[4] Sarah Gordon, 'The Generic Virus Writer II', Proceedings of the Virus Bulletin Conference, pp. 177-188 (1996).
The Internet

We all know that the way we work is changing: we e-mail documents instead of faxing or mailing them, and exchange information faster, and with more people, than before. This, unfortunately, is another opportunity for viruses. If you read a fax or a letter on paper you will never infect your machine with a virus, but opening an attachment might. You no longer just share files between your office colleagues and your home, but with people all over the world.

ShareFun

As mentioned in the introduction, there is a new virus using new techniques around. Actually, the techniques used have been discussed before by antivirus researchers in "Nightmare Sessions", but this is the first time we have seen a virus using them. The virus is WordMacro/ShareFun.A; it is a Word macro virus, similar to WordMacro/Wazzu. However, every time an infected file is opened, there is a 1/4 chance that the virus will activate. If Microsoft Mail is running, the virus attempts to send e-mail messages to three random people listed in the local MSMail alias list. The subject of the messages will be "You have GOT to see this!". The message will contain no text, only a file attachment called DOC1.DOC, which is infected by the virus. The document itself is the document that the user happened to have open when the virus activated. If the receiver double-clicks on the attachment, he will get infected by the virus and will spread the infection further with his own MSMail. Thus, ShareFun can be considered to be a mix between a macro virus and an automatic chain letter. Do notice that this is not an "e-mail virus". You do not get infected by just reading e-mail; you need to actively use an attachment file, and you should always approach attachment files with caution. ShareFun also has code to protect itself.
If a user tries to analyse a sample of the virus via the Tools/Macro or File/Templates menus, the virus will execute and infect the NORMAL.DOT template. Consider some of the implications of this:

1. Infected users of MSMail will spread the virus to their contacts very quickly. MSMail is a popular e-mail program, so we could have a major epidemic in a very short time.

2. The virus sends copies of the document being used to random addresses from the alias list. The document could be confidential, and the alias could be for an outside contact or even a large distribution list.

However, the virus only works with English Word and English MS Mail, and it does not work with MS Exchange. Of course, a new variant could change any of these. So far, ShareFun has not caused a major epidemic and I have had no reported incidents in Hong Kong. Probably, the diversity of e-mail programs in use has prevented an explosion of incidents, in the same way that a moderator in a nuclear reactor controls the chain reaction and prevents an explosion. However, it seems likely that we will see more of this type of virus in future.

But the Internet problem does not stop there. One problem that has always faced virus writers is how they should distribute their creations. Just borrowing people's machines and infecting them is slow and dangerous; someone might notice things started going wrong just after the virus writer's visit. Many of the most common viruses have benefited from mass distribution, often a "lucky break", such as infecting the master diskette at a software distributor's factory. Once a virus has been widely distributed, it is likely to survive a long time in the wild. The Internet gives the virus writer another solution to this problem. Let's look at how this was done for the Hare virus.

Hare Virus

This virus achieved quite a bit of publicity last August and September because of its activation dates.
Unfortunately, locally the name was translated to Chinese as "wild rabbit", as in hare. The name given to the virus was supposed to be Hare, derived from texts in the virus, "Hare Krsna, hare, hare...", but these translation confusions sometimes occur. The first variant of Hare was found in the USA in May 1996. Very shortly afterwards, there were reports worldwide. A second variant, Hare.7550, was found in June, and this was traced to faked posts in three newsgroups on 26 June 1996. A third variant, Hare.7786, was found and traced to faked posts in the alt.crackers newsgroup on 29 June 1996.

Most often, mass distributions of viruses on the Internet have been done via the newsgroups. It is relatively simple to create a newsgroup message and conceal your identity; a virus writer would do this and include his latest virus in the message. The message will then be distributed worldwide. Of course, the virus cannot do anything until it is unpacked and executed, so the message has to encourage the user to do this. Also, if the message is on a "forbidden" newsgroup, the virus can benefit from a reluctance of the victim to admit where he might have got it from, thus slowing down or preventing a warning being posted on the group. It looks like the virus author has tried to use this effect in his choice of newsgroups: alt.cracks and alt.crackers are underground technical discussions, and alt.sex is, obviously, an explicit sexual group.

So the writer of Hare had everything set up for a large initial distribution in May and June followed by destructive activation on 22 August and 22 September. Did you notice a massive disaster on those dates? It did not happen, but why? One theory would be that, after the alarm was raised, the antivirus developers released an updated version that thousands of people used to avert the disaster.
Yes, every antivirus developer released a new version (some released a free version, as a service to the community and an advert), and thousands of people downloaded them. By 22 August, there had been more than 30000 recorded downloads from Data Fellows' European server alone, and other antivirus developers saw similar traffic. Presumably, most of those people checked their own machine, and maybe machines throughout their organisation. A few people reported finding and cleaning it before the activation, and, from reports collected from various antivirus developers, there were perhaps 16 activations worldwide. [5] Even allowing for gross under-reporting, Hare was not a common virus. On the second activation date, 22 September, even less was reported. It is doubtful if it will exist at all next year, though "Hare Day" might become a similar annual event to Michelangelo Day.

[5] Communications on the F-PROT Partner Tech Forum mailing list (22 August - 28 August 1996).

There seem to be two factors involved in Hare's failure:

1. Readers of the alt.cracks and alt.crackers newsgroups are quite technically aware, and also aware that other members of the group enjoy such dubious activities as pirating software and breaking into computers. They are probably mostly cautious about what they download and how they use it. The initial distribution, although worldwide, was probably a smaller number than expected.

2. The Hare virus had bugs and failed to replicate on many machines. This limited its spread beyond the initial distribution.

However, the risks still exist and another virus may do better by this method in the future. It is important to educate Internet users to be cautious when downloading files, including documents that might be infected with macro viruses. In other words, "Don't take sweets from strangers".
Problems that Aren't Viruses

Another problem with viruses from the Internet is, paradoxically, things that are not viruses! Specifically, hoax warnings about fictional viruses. [6] You have probably received the "Good Times" virus warning, but there are others, most recently "Join the Crew", which was originally posted on some newsgroups in February 1997. In general, these warnings contain false information that looks valid to an ordinary user, but usually is obviously fake to a technical person. The message explains how terrible the new virus is, and tells the user to forward the message to all his friends. The ordinary user often forwards it to his entire address book, and then calls up technical support for help. Thus, the hoax is perpetuated and everyone's time is wasted. The Good Times hoax has undoubtedly wasted more time than most viruses. It is difficult to prevent this sort of problem, but we can advise users to check warnings with a technical advisor before passing them on.

[6] Hoax warnings on the run, http://www.datafellows.com/news/hoax.htm (1997).

Trust No-One

One important concept is that there are different types of trust. I trust my bank with my money, and, when I am climbing, I trust the person on my safety-rope with my life. These types of trust are not interchangeable. The same is true in computer security: I might trust a business contact enough to make a multi-million dollar deal with them, and I might trust that the contract they send is from them because of the digital signature, but do I trust them to send the document without a virus? We need to understand ourselves who we are trusting with what, and we need to educate our users about the same issues.

The Costs of Viruses

It is difficult to calculate the costs of viruses; there are so many things that can happen.
Only the user concerned can put a value on the loss of a particular document or file. A virus might be sent to a business contact who then blames you and stops doing business, or the incident might become public and cause "negative publicity". A data-diddling virus might cause unnoticed corruption in vital accounts data. Most virus incidents cause some lost working time and increased technical support time.

A recent survey by the Computer Security Institute in San Francisco put some figures on losses due to security breaches. [7] They surveyed 563 US organisations; 75% reported losses, but only 59% of those could actually quantify them. The total losses quantified were US$100 million. Losses due to computer viruses were reported by 165 organisations, for a cost of US$12.5 million. Computer viruses are probably not your most important security problem, but, if you say they are unimportant, can I borrow $12.5 million from you?

[7] Second Annual Computer Crime and Security Survey, http://www.gocsi.com/preleas2.htm (6 March 1997).

By using some actual incidents, we can estimate the costs of using no antivirus protection, ineffective protection and effective protection. The costs of antivirus software are based on undiscounted list prices for the first year.

Case 1: A small Solicitor's Office, no antivirus software

The office had 15 PCs and a server, with no internal support staff and no antivirus software. Users complained about being unable to save Word documents in selected directories (this is often the first symptom users notice when infected with a Word macro virus). The office's dealer identified WordMacro/Concept and an antivirus technician was called in to clean all machines. This took three hours and over three hundred documents were disinfected. Subsequently, the office purchased and installed antivirus software.
The calculable costs of that incident were three hours of antivirus technician time at HK$500 per hour, HK$1500. Impossible to calculate is the time wasted by users as they found more and more problems when saving Word documents until the problem was finally reported. Also, if they do not install antivirus software, reinfection will certainly occur, either from diskettes that were not available when the technician was present, or from new infections brought in from outside contacts. We can estimate that, if antivirus software is not installed, the situation will recur once a month, on average. This makes the total cost annually HK$18000, or HK$1200 per machine, plus the lost working time. An efficient antivirus solution would cost about HK$8100 for the first year, saving almost HK$10000, plus working time.

Case 2: A large Organisation, poorly designed antivirus protection

The organisation has about 4500 PCs spread over the territory on many sites. They run a help desk and record approximately 50 virus incidents a week. These are mostly AntiCMOS and, increasingly, WordMacro/Concept. A lot of these incidents are reinfections: the PC is cleaned, and the next week it has become infected again; probably, someone whose diskette was infected by the machine the first time has come back and used their diskette in the machine again. The existing antivirus protection was a combination of a custom-made package, produced by their parent organisation, that could detect most of the viruses common in Hong Kong but did not include an active component, and an old version of MSAV. When a virus was found by the check during boot-up, the user would call the help desk and a technician would be dispatched to clean it.
If it takes just one hour for the technician to reach the machine and clean it (probably an underestimate, considering travel in Hong Kong), then each incident is costing 2 man-hours: the technician's time and the time of the user who cannot use the PC. If wages are HK$100 per hour, this is HK$520000 annually, or HK$156 per machine. This is certainly a better situation than the first case, due to the use of cheaper in-house technical support and because a virus could be on a machine for a maximum of a day before it was found during boot-up. This prevents the build-up of a large number of infected documents and disks. However, within that day, there is still adequate opportunity for the virus to spread to diskettes that are missed by the technicians. This is demonstrated by the high number of reported reinfections.

By moving to antivirus software that has active protection, the virus can be detected the first time a user accesses the diskette or file, the virus can be disinfected automatically or with a minimal amount of user interaction, and the cost in working time is, perhaps, a 5 minute call to the help desk to report the incident. By catching the virus when it first reaches the PC, it is prevented from spreading to other diskettes or files, so the chance of reinfection is minimised and the total number of virus incidents also falls. With these factors combined, the cost of dealing with viruses falls dramatically. If the incidents drop by 50% after the introduction of active antivirus protection, then the annual cost of the incidents is HK$21667. The cost of the new antivirus software is about HK$214000 for the first year, for a total of about HK$236000, or HK$52 per machine. The saving is over a quarter of a million.

Efficient Protection

So, for efficient protection, we require active detection. That is, files and diskettes are scanned when they are used.
This means using a TSR in DOS, a VxD (Virtual Device Driver) in Windows 3.1 and 95, and a VDD in Windows NT. We also need near-automatic handling of routine incidents; sending out support staff is costly. Finally, users need simple instructions on what to do when an incident occurs: who to report to, and what to tell whoever passed them the infected object.

Hardware versus Software Antivirus Solutions

There do not seem to be any hardware devices in the market in Hong Kong, but the issue has been raised so it should be discussed. The problem with a hardware device is that it is difficult and expensive to upgrade, so most hardware antivirus devices come with the claim "never needs updating". This depends on the developer thinking about every possible virus attack method, and countering it. How does the developer make sure? An interesting question to ask such a developer is: was a modification required when macro viruses appeared?

Conclusion

The virus problem has never been a major, worldwide disaster, but it is causing small disasters and general problems continuously. The problem is not going to disappear; it is going to get worse as complex programming tasks become simpler and the Internet continues to make global communications more efficient. Our task is to reduce the costs of viruses by efficient protection methods and user education.

References

[1] Frederick B. Cohen, 'A Short Course on Computer Viruses', second edition, Chapter 1, John Wiley & Sons Inc. (1994).
[2] 'Frequently Asked Questions on Virus-L/comp.virus', Release 2.00, section B1, maintained by Nick FitzGerald (1995).
[3] Steve R. White, 'Computer Viruses: A Global Perspective', Proceedings of the Virus Bulletin Conference, pp. 165-181 (1995).
[4] Sarah Gordon, 'The Generic Virus Writer II', Proceedings of the Virus Bulletin Conference, pp. 177-188 (1996).
[5] Communications on the F-PROT Partner Tech Forum mailing list (22 August - 28 August 1996).
[6] Hoax warnings on the run, http://www.datafellows.com/news/hoax.htm (1997).
[7] Second Annual Computer Crime and Security Survey, http://www.gocsi.com/preleas2.htm (6 March 1997).