VIRUS-L Digest   Wednesday, 1 Feb 1989   Volume 2 : Issue 33

Today's Topics:

'Virus' term usage
Re: CP/M Viruses
Re: Virus Terminology
Re: Origin of the term `virus'
Virus epidemics. Is the hype too much?
Categorizing viruses

---------------------------------------------------------------------------

Date: Tue, 31 Jan 89 10:02:08 EST
From: Jefferson Ogata (me!)
Subject: 'Virus' term usage

One simple reason the term 'virus' wouldn't be used of code before 5 or
so years ago is that until about 9 or 10 years ago, the general public
wasn't all that familiar with the details of how a biological virus
works. And those who did know probably wouldn't bother using the term,
since few would understand why it would be appropriate.

You'll also find that in the Middle Ages, not many people used the term
even for biological viruses. :-)

- - Jeff Ogata

------------------------------

Date: Tue, 31 Jan 89 10:22:13 EST
From: Art Larky 215 Packard Building 19
Subject: Re: CP/M Viruses

I don't know of any CP/M viruses and I suspect there were few or none.
The current virus outbreaks are based upon a couple of things which
weren't applicable to CP/M:

(1) There wasn't as much trading of files and disks because there
weren't as many personal computers and Bulletin Boards around.

(2) CP/M systems were not accessible at the hardware level to the same
extent as PC's because everyone's hardware was different. My BIOS is
similar to those of other persons, but the underlying ROM routines are
ones that I wrote myself; the disk addresses were chosen by me; my
screen display is similar to some, but not all CP/M systems. In fact,
my screen display is different from the one I started with and I had to
change my programs and my ROM because of it.

(3) There weren't as many assembly language programmers out there
because there weren't as many computers by a factor of 100,000 or
1,000,000 to 1.
The more people who have computers to play with and know how to
program, the greater the likelihood of there being a combination of
weirdo and programming in one sicko.

All of which supports what I said before, you can protect yourself from
some viruses by making your system different; e.g., your own names for
files like autoexec.bat and command.com.

Art Larky
CSEE Dept
Lehigh University

I know I'm not speaking for Lehigh University, there's no reason for
you to think so either.

------------------------------

Date: Tue, 31 Jan 89 10:32:16 EST
From: Jefferson Ogata (me!)
Subject: Re: Virus Terminology

J. Yeidel writes that 'virulent' is an inappropriate word for a virus
that spreads rapidly within a system, and that 'extremely contagious'
would be better. I must disagree with the second point, as 'extremely
contagious' implies that the virus spreads from system to system
quickly. In fact, a virus's contagion depends on its contact with the
outside world, which is usually dependent on human factors -- does a
person swap disks often? etc.

Regarding 'benign', I think most people use it in a relative sense; no
one really means the virus does no damage, although viruses could exist
that do no damage (even as far as destroying themselves to avoid
wasting humans' time). However, 'benign' could be applied to the
'virulent' problem, in the sense it is used in describing tumors:
namely, a 'benign' virus would be one that doesn't spread throughout a
machine, and a 'malignant' virus would be one that does. At present,
'malignant' cannot be used easily because of its ambiguity in this
regard. And a 'benign virus' may truly be a contradiction in terms, I
suppose. However, a virus could be 'benign' under some circumstances
and 'malignant' under others.

'Misimpressions'? Surely you mean 'false impressions'. :-)

- - Jeff

[Ed.
I think that all of this points out yet again that there is *much*
confusion over the terminology that's used - not only by the media, but
us, the computer users/professionals. Developing a clearly defined set
of terms and making everyone understand and use them would obviously be
great, but would prove to be logistically impossible. If we're all
careful in our use of the terminology, and we even explicitly define
what we mean whenever using terms that could be misconstrued, then
perhaps we could try to eliminate *some* of the confusion. Maybe it
would be best to refrain from using such terms as "virulent", "benign",
"virus", etc.? Suggestions?]

------------------------------

Date: Tue, 31 Jan 89 11:39:52 PST
From: PJS%naif.JPL.NASA.GOV@Hamlet.Bitnet
Subject: Re: Origin of the term `virus'

I remember 8 years ago coming across the term `worm' for the first
time: it was a program (developed at Xerox, I believe) that soaked up
spare cpu cycles on networked machines to perform some lengthy,
non-critical task (disk defragmentation or computing pi); there was no
derogatory connotation.

Around the same time I read a book, "The Adolescence of P-1" (forget
the author) about a program that took off across the network in much
the same way as the RTM worm, although this one became sentient and
altered technical specs for power supplies at IBM so that it could turn
itself on, survive IPLs, etc, when the service rep installed the mod.

Peter Scott (pjs@naif.jpl.nasa.gov)

------------------------------

Date: Tue, 31 Jan 89 12:26:33 PST
From: (Commander Spock)
Subject: Virus epidemics. Is the hype too much?

I just wanted to throw up an interesting idea that other developers and
myself have been talking about for the last few weeks. Our group
theorized about the recent virus epidemics that are currently spreading
around for both IBM as well as Macintosh computers.
Theory: there is big money (currently) for writing ANTI-VIRUS software
to "protect" users against the nasty 'ol viri, right? How do we know
(users and developers alike) that these software makers of ANTI-VIRUS
programs are not the true culprits behind the distribution (initially
or re-distributed) of the various viri that have been creating havoc
for the rest of the world (those affected).

I admit though, it's jumping to conclusions. But has anyone else
considered this possibility? How would we know if our software is
"safe" anymore? The problem is, we cannot. Please note that I did not
infer *ANY* organizational names of any nature, just merely threw up
the possibility that we may be cutting our throats by attempting to
protect ourselves. Paranoia is the largest factor that causes viri to
be passed around. Fear of contamination, fear of destruction; all of
this creates a unique blend of craziness. Think it over before you
purchase your next software package that guarantees that it's "safe" of
any bugs or viri.

Robert S. Radvanovsky
California Polytechnic University
Pomona, California

P.S. I will be willing to discuss this with those who feel that this
viri epidemic has gone a bit out of hand. Should you feel that you
would like to contact me, please send appropriate mailings to:

spock%calstate.bitnet@cunyvm.cuny.edu <- Internet
spock@calstate.bitnet <- BITNET

I've finally found out what our correct addresses are. Mind you, the
views expressed here are "theories", nothing more.

------------------------------

Date: Wed, 1 Feb 89 07:58:18 est
From: ubu!luken@lehi3b15.csee.lehigh.edu
Subject: Categorizing viruses

A while back (October 31, 1988 in log file VIRUS-L LOG8810E), Len
Levine (len@EVAX.MILW.WISC.EDU) suggested denoting viruses which make
use of features in an operating system as "Feature Exploiting Viruses",
and viruses which make use of bugs as "Error Exploiting Viruses". I
think that it could be a good idea to classify viruses in a manner such
as this.
However, I would like to expand on Professor Levine's idea a bit, if I
may; viruses which use hardware (I use the term "hardware" very loosely
- meaning anything which bypasses the operating system, including the
BIOS) to propagate should be classified as "Hardware Exploiting
Viruses".

Hardware Exploiting Viruses (HEVs) would thus be isolated to PCs and
other (expletive deleted) computers that have no sort of hardware
protection in the form of, for example, privileged commands for
accessing i/o devices. An example would be the Brain virus which uses
ROM BIOS routines to write to the boot sector. This would not work if
the hardware restricted BIOS/hardware access to the privileged
instructions (callable only by the operating system), assuming the OS
is functioning properly. These viruses could be stopped by adopting
computer architectures which provide such hardware security.

Error Exploiting Viruses (EEVs) would be caused by (presumably) bugs in
the operating system, such as undocumented system calls or even
documented system calls which perform in an unexpected (by the
manufacturer) manner. A hypothetical example here might be a system
call to write to disk which, when given "appropriate" parameters,
allows the calling routine to write to the boot sector due to a
programming error in the call. These viruses would probably be the
toughest of the three to stop since the bugs would generally only
become evident when programs like the Internet Worm bring them to
light. The Internet Worm is a non-hypothetical example of an EEV.
Extensive (read: costly) quality control in the form of testing could
reduce the instances of EEVs.

Finally, Feature Exploiting Viruses (FEVs) would take advantage of
procedural shortcomings such as lax usage of file read/write
permissions on a system which would allow data to move from one
filespace to another. Such a virus could propagate even on a system
which has the potential for neither HEVs nor EEVs.
Rather, it would be up to the system administration to establish proper
operating procedures, such as file permissions. An example of an FEV is
the Lehigh Virus, which made use of MS-DOS operating system calls (INT
21H) to attach itself to COMMAND.COM files; this could be prevented by
using the MS-DOS file attribute of READ-ONLY.

It would, of course, be possible for a virus to be made up of a
combination of HEV, EEV, and FEV code. The Internet Worm, for example,
used several attack methods (sendmail bug, finger bug, etc.); it could
well have been the case that these attack methods each fell into
different categories. The Lehigh Virus could also fall into more than
one category since it used MS-DOS to propagate, but used a lower level
(Absolute Disk Write) routine to destroy disks.

Why bother with categorizing viruses? To learn more about them and to
be able to disseminate information (fixes, etc.) effectively. Of
course, that's just my opinion... Anybody have anything to add or
change?

Ken van Wyk

------------------------------

End of VIRUS-L Digest
*********************