Date: Sun, 17 Mar 91 12:24 EST
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: DPMA Talk - "A NEW STRATEGY FOR COMPUTER VIRUSES"

A NEW STRATEGY FOR COMPUTER VIRUSES

William H. Murray
Deloitte & Touche
Wilton, Connecticut

PREFACE

This presentation was prepared for and delivered to the "DPMA 4th Annual Virus and Security Conference" on March 14, 1991.

ABSTRACT

This presentation argues that it is time for a new strategy for dealing with computer viruses. It reviews the present strategy and suggests that it was adopted before we knew whether or not viruses would be successful. It points out that this strategy is essentially "clinical": it treats the symptoms of the virus without directly dealing with its growth and spread. It presents evidence that at least two computer viruses, Jerusalem B and Stoned, are epidemic, that is, that more copies are being created than are being killed. It argues that the growth of the viruses by itself, without regard to their symptoms, is a problem, and that it is now time for an epidemiological approach to viruses. A keystone of such an approach will be the massive and pervasive use of vaccine programs. These programs are characterized by being resident, automatic, getting control early, and acting to resist the very execution of the virus program. The presentation notes that there is significant resistance to such a strategy and, specifically, to the use of such programs, and it addresses many of the arguments used to justify this resistance. It concludes that we will ultimately be forced to such a strategy, but that, given the growth of the viruses and the resistance to the strategy, we will not likely act on a timely basis.

STRATEGY

It is time for a new strategy for dealing with computer viruses.
The present strategy, recommended by computer manufacturers, the National Institute of Standards and Technology (NIST), this author, and others, is to:

* Practice good computer hygiene
* Keep clean copies of programs and data
* Scan new programs, and all programs periodically
* Watch for symptoms
* Purge when necessary
* Restore programs and data from clean copies as required

Because many of us believed that talking about viruses could only make the problem worse, there was also a "silence" component in the strategy.

This strategy was developed more than three years ago. At that time, the potential for success of computer viruses was still unknown. The concern was for the potential for damage to individual users and systems and, to a lesser extent, to the health of the institution.

Today there is no longer any doubt as to the success of computer viruses. More than four hundred viruses have been identified and cataloged. Twenty-five of these are classified as "common"; that is, they are so widespread as to be considered both successful and out of control. Another sixty-six are classified as "rare." What this really means is that they are young, and their success is not yet demonstrated. However, there are enough viruses in this class, and enough copies of each of them, that the future success of some of them is certain.

One common virus, Jerusalem B, is estimated to have a hundred thousand copies. Since it is known to date from November 87, its rate of growth suggests that there may well be sixteen million copies by November 91 [TIPP].

Most large institutions have now seen one or more viruses. Many now report several infections a month. In some, infection is now so routine that they no longer bother to report it. Given this success, it seems certain that all organizations will suffer from infection. It is no longer a question of whether or not, but only of when and how often.
While the concern remains damage to user systems and data, this is no longer appropriate. The concern should be the epidemic growth, damage to the community, and potential damage to necessary trust. Dealing with viruses is now a cost of doing business. You must pay. The only questions are whether you pay early or late, with disruption or without.

Since viruses have demonstrated such rapid growth, they must be removed. If they are not removed, ultimately they will saturate the space. The requirement to remove them is independent of the symptoms that they manifest. That is, even if they did nothing other than make copies of themselves, you would still have to remove them. Thus, replication, all by itself, is a problem. [Some viruses are self-limiting.] In other words, while the symptoms of the virus may be problematic, mere replication is THE problem. Therefore, the strategy must be aimed at preventing replication and spread, not simply at limiting and repairing damage. In the face of the epidemic growth, the old strategy is the equivalent of trying to deal with smallpox by washing your hands and treating sores and fever.

The old strategy was intended to be conservative. Indeed, when it was developed, it was conservative. In the light of what we know today, it is merely timid. However, we have restated it so many times that the timid are unable to abandon it.

We were successful in eliminating smallpox from the face of the earth only after we had a cheap, effective, and safe vaccine. However, the existence and availability of the vaccine proved not to have been sufficient; we also had to have the will to apply it massively and pervasively.

We now have computer software that is the equivalent of a number of broad-spectrum vaccines. It is capable of preventing a specific computer from being infected. More important, it is capable of preventing the replication of the virus. It is characterized by the fact that it is resident and acts early.
Some of it acts on the basis of detection of the signatures of known viruses; some by recognizing trusted software. Its intended use is distinguished from that of earlier scanning software by the fact that it acts before, rather than after, the virus executes and replicates. It is distinguished from some resident programs by its intent to block execution, rather than to block writing.

Some have suggested that there is nothing fundamentally different about this software. They assert that IBM Scan can do anything that this software can do. IBM insists that their advice for good hygiene includes the advice that you scan all new software BEFORE using it. If you were to do that, then the effect would be the same as with vaccination software.

This argument fails to take into account how the viruses in question really spread. It assumes that viruses spread when people use new software that they know is new and that they intend to use. In reality, viruses are spreading from machine to diskette and diskette to machine without any conscious intent to share software. The software that is spreading the viruses is things like the loader in the diskette boot sector, the operating system (e.g. COMMAND.COM), TSRs (terminate-and-stay-resident programs), and the Macintosh FINDER. These are programs that are beneath the level of notice or intent of most users and beyond the level of knowledge of many.

In a typical scenario, a student enters a laboratory, picks a machine at random, inserts a diskette, and presses Ctrl-Alt-Del. With many of the successful viruses, if the diskette is infected, the machine becomes infected. If the machine was infected, the diskette becomes infected. When the diskette is inserted in another machine, that machine becomes infected. There was no intent to share software; nothing to trigger the use of IBM Scan in the way that IBM recommends. Use of IBM Scan in the manner that IBM recommends requires both knowledge and intent on the part of the user.
While it is sufficient to protect any particular user or machine, it has not been sufficient to resist the growth and spread of viruses.

Many have resisted the use of such software on the basis that it would not be one hundred percent effective. Those vaccines that rely upon their ability to recognize the virus would not be effective against new viruses. While this is true in principle, it does not matter much in practice. They are effective against the widespread viruses. They can be made effective against new viruses in less time than those viruses can spread widely, though this begs the question of timely distribution and maintenance. Those that rely upon restricting execution to software trusted by the user are vulnerable to the user's being duped. While it will always be possible for a user to be baited into executing a virus, even in the presence of software intended to resist it, the present success of the viruses takes place in an environment in which there is no resistance at all. It is reasonable to assume that the software will be successful in resisting the execution of the virus much of the time, perhaps often enough to retard the epidemic growth.

There are those who resist the use of vaccines on the basis that such use would simply encourage new and smarter viruses. These viruses would take advantage of knowledge of the vaccine to defeat it. This concern is based, in part, upon acceptance of the fact that, at least in theory, there is no perfect defense against a sufficiently smart virus. Of course, this is true of any security measure and any threat. Jake's Law asserts that "anything hit with a big enough hammer will fall to pieces." However, a security measure need not be one hundred percent effective for us to use it. We use those that are efficient: those that displace sufficient risk or damage to cover their cost. One hundred percent effective security measures have infinite cost. Therefore, we do not attempt to eliminate risk, but rather to limit it. It is not necessary to be one hundred percent effective against all viruses all of the time in order to resist, limit, or even reverse the growth.

Those who would tolerate today's viruses because resisting them might make tomorrow's viruses worse embrace the strategy so thoroughly discredited at Munich. It is called "let sleeping dogs lie." Unfortunately these dogs, like those of war, are not sleeping; they are replicating. Some have suggested that we should ignore the dogs and worry about the dragon, the omniscient, puissant virus. Of course, no one has seen the dragon, but the dogs are here now and their numbers are legion. "Oh, but," they say, "if you use your arrows on the dogs, you may provoke the dragon into existence. The dragon will be created to be specifically resistant to your arrows. It will include knowledge about your arrows and be so intelligent as to be able to overwhelm your compromised defenses."

The intelligence of the virus is an issue only if it is successful in getting itself executed. The idea behind these vaccines is that they prevent the virus from getting control in the first place. Viruses are bad enough; we should not frighten ourselves into inaction with our own fantasies. While there are limits to the effectiveness of any defense against viruses, there are also limits to their power. All of the hype to the contrary notwithstanding, viruses cannot do magic. A virus must succeed in getting itself executed in order to do anything. In no circumstance can it make your PC levitate off the desk and smash against the wall.

Part of the resistance appears to be rooted in a concern that one vaccine would be so successful and pervasive as to become a target for viruses. This would be unlikely in any case. It is particularly unlikely in the face of the number of candidates, the variety of strategies that they employ, and the success that each has already achieved.
Some managers resist the use of this software because of cost. Most of these managers are responsible for large numbers of systems. When multiplied by these numbers of systems, the cost of the software rapidly escalates into the thousands of dollars. If there were some question about whether or not their systems would be infected, or if there were a limited cost to it, this resistance might make sense. As it is, it is almost a certainty that they will be infected. The only questions are when and how often.

The cost of dealing with viruses is now a tax on the use of computers. Like other taxes, it is inevitable. You will pay. You may pay early with limited disruption, or late with unlimited disruption, but you will pay.

The Jerusalem B virus may infect many of the systems on a LAN in hours. The number of copies of Jerusalem B in a LAN doubles in minutes to hours, depending upon user privileges. If not removed promptly, it may saturate the LAN in days. It must be removed. At a minimum, removing it will require the scanning and/or purging of all the hard disks. If the systems on the LAN are not immunized before restarting the file server, then the LAN will be reinfected within hours. A few managers have purged a LAN twice. One or two have even done it three times. We know of no one that has done it four times. The cost of purging a hard drive once approaches the cost of the software. The cost is not avoidable.

We are in the incipient phase of an epidemic. The viruses are multiplying at a significant rate. There are tens of them, and they do not compete until you begin to run out of disk space. They are successful in spite of the best that we can expect from our present strategy. It is the growth of the virus, rather than its symptoms, that is the problem. We are rapidly running out of time to cope.

We have a number of vaccines that are effective against all of the viruses that are patently successful, and most of the others. However, they must be applied to a system to protect that system. They must be applied massively and pervasively to be effective in halting or reversing the growth. The earlier the better. It is urgent that we begin now.

It is time for a new strategy. The new strategy will continue to include good hygiene and backup copies of programs and other data. However, it must include rapid, massive, and pervasive vaccination of all business and academic systems, beginning with those that are shared by multiple users. It must include isolation and quarantine of unvaccinated systems.

No, I am not proposing law or regulation, or even political pressure. I am proposing responsible behavior on the part of influential people. If you have influence over a large number of machines, you should vaccinate them. I am also proposing peer pressure; we must influence each other and support each other in responsible action. It will require courage. It is difficult to go against the conventional wisdom; it persists long after it ceases to be wise.

I am certain that we will act; in the long run, I do not believe that there is a choice. I am not hopeful that we will act in time; the short run is all too short, and the resistance to change all too high.
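As an added illustration that is not part of Murray's talk, the model below puts numbers behind two of its arguments: that a vaccine need not be one hundred percent effective, nor installed on every machine, to retard or reverse the growth, and that purging a LAN without immunizing its systems only resets the count before growth resumes. R0 (copies seeded per infected system before it is cleaned), the vaccine effectiveness, and the LAN size are constructed assumptions, not figures from the talk.

```python
"""Added example, not part of Murray's talk: a minimal epidemiological model
of virus copy growth under partial vaccination.  Parameters are constructed
assumptions: R0 is the number of new copies an infected system seeds before
it is cleaned; "effectiveness" is the fraction of attempts a vaccine blocks."""


def effective_reproduction(r0, coverage, effectiveness):
    """Copies seeded per infected system when a fraction `coverage` of systems
    run a vaccine blocking a fraction `effectiveness` of infection attempts."""
    return r0 * (1.0 - coverage * effectiveness)


def critical_coverage(r0, effectiveness):
    """Smallest vaccinated fraction at which R_eff falls to 1 and the epidemic
    stops growing: (1 - 1/R0) / effectiveness, capped at 1."""
    if r0 <= 1.0:
        return 0.0  # not growing to begin with
    return min(1.0, (1.0 - 1.0 / r0) / effectiveness)


def expected_copies(initial, r_eff, generations):
    """Expected copy count after each generation (index 0 = start).  Purging
    without vaccination only resets `initial`; growth resumes at the same R_eff."""
    copies = [float(initial)]
    for _ in range(generations):
        copies.append(copies[-1] * r_eff)
    return copies


def generations_to_saturate(initial, capacity, r_eff, limit=10_000):
    """Generations until expected copies reach `capacity` systems (a LAN, say);
    None when R_eff <= 1, since the count then never gets there."""
    if r_eff <= 1.0:
        return None
    n, copies = 0, float(initial)
    while copies < capacity and n < limit:
        copies *= r_eff
        n += 1
    return n


if __name__ == "__main__":
    r0, eff = 3.0, 0.9  # constructed: a vaccine that recognizes this virus
    print("coverage needed to halt growth:", round(critical_coverage(r0, eff), 3))
    for cov in (0.0, 0.5, 0.8):
        r = effective_reproduction(r0, cov, eff)
        print(f"coverage {cov:.0%}: R_eff={r:.2f}, generations to fill a 200-node LAN:",
              generations_to_saturate(1, 200, r))
    # a brand-new virus the vaccine does not yet recognize: effectiveness 0
    print("new virus at 80% coverage: R_eff =", effective_reproduction(r0, 0.8, 0.0))
```

The last line shows the caveat the talk concedes: a signature-based vaccine contributes nothing against a virus it does not yet recognize until it is updated and redistributed.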