pp1-20.qxd 11/30/00 11:02 AM Page 13

feature

the M-commerce site using encryption highly valuable back-end systems. This, security, none are insurmountable. Co- and certificates, and it is probable that coupled with the fact that handsets are operation among certification authori- people will expect the repository more easily lost or stolen than PCs ties, mobile operators, systems provider to verify the trustworthiness of makes it doubly important that the integrators and device manufacturers is the M-commerce site on their behalf, by handset does not become the weak link needed to ensure that mobile security is checking the validity of certificates, in the PKI. Ideally the handset should implemented properly, and that different before releasing personal data. Fledgling verify the identity of the user using a bio- implementations will be able interact. examples of this kind of online service metric measure, such as a fingerprint Uniform standards need to be estab- are only now arising — such as scan, although this may be some years lished and adhered to. Governments Microsoft Passport — and they are cer- away. In the interim, passwords and PIN and regulators must create legislation, tain to play an increasingly important numbers must be used but are never guidelines and practices that allow role in M-commerce. transmitted across the network in a PKI M-commerce to flourish. based system. Handsets, by their very Security can unlock the potential of The future nature, have the potential to transform M-commerce and M-business. It is an to the Personal Trusted Devices of the enabling rather than restrictive force that While the role of the handset in a PKI future. builds trusted relationships between may be limited to transferring short While M-commerce presents many businesses, their partners and consumers requests, these requests will unlock challenges to those implementing on the move.

Elk Cloner, which was reported in 1981. The Computer Virus — From The first IBM-PC virus appeared in 1986. This was the Brain virus, a boot sec- tor virus that remained resident. In 1987, There to Here. Brain was followed by Alameda (Yale), Cascade, Jerusalem, Lehigh, and Miami An Historical Perspective. (South African Friday the 13th). These viruses expanded the target executables to Berni Dwan include COM and EXE files and Cascade I was sitting at my desk in the Computer Centre of University College, Dublin, was encrypted to deter disassembly and checking my E-mail. Suddenly, from the corner of my right eye, I detected an arm detection. Variable encryption appeared swooping down towards my keyboard, like an axe about to fell a tree. This was an in 1989 with the 1260 virus. Stealth arm with a mission. It removed my hand, which was just about to press ‘receive’ on viruses, which employ various techniques an interesting looking E-mail involving a Christmas tree greeting. Of course, my bet- to avoid detection, also first appeared in ter-informed colleague knew that this was the Christma Exec virus, and that I would 1989, such as Zero Bug, Dark Avenger and not be doing myself, or anyone else, any favours by accepting and executing it. It was Frodo (4096 or 4K). In 1990, self-modify- December 1987, and my very first introduction to the computer virus. My love affair ing viruses, such as Whale were intro- with the subject has continued over the past thirteen years (although I do not claim duced. The year 1991 brought the GP1 to have a copy of The Little Black Book of Computer Viruses sitting on my book- virus, which is ‘network-sensitive’ and shelf!), and like myself, the computer virus has evolved into a more complex and attempts to steal Novell NetWare pass- sophisticated entity. words. While some of the most commonly The Christma Exec program spread to While probably the first newsworthy detected viruses vary according to conti- thousands of VM/CMS installations virus, it was by no means the first, and nent, Stoned, Brain, Cascade and members connected to EARN, BITNET and knowledge of the computer virus phe- of the Jerusalem family, have spread wide- IBM’s internal VNET, and would only nomenon had already been in existence ly and continue to appear. In fact, a disk spread if a recipient received and (albeit for several years. scanning ‘fest’ in any large organization unintentionally) executed it. More strictly The term ‘computer virus’ was formally could still encounter at least one of these. a worm than a virus, Christma Exec was a defined by Fred Cohen in 1983, while he This implies, according to Lawrence E. prophetic precursor to Melissa and performed academic experiments on a Bassham & W. Timothy Polk, that highly VBS/LoveLetter, utilizing the increased use Digital Equipment Corporation VAX sys- survivable viruses tend to be benign, repli- of networks and desktop connectivity to tem. The first computer viruses were cate many times before activation, or are the Internet, and sending a copy of itself developed in the early 1980s, the first somewhat innovative — utilizing some to all of the users’ listed correspondents. found in the wild was the Apple II virus, technique never used before in a virus.

13 pp1-20.qxd 11/30/00 11:02 AM Page 14

feature

Vagaries of location aside, the virus pay- to mind. We should see new threats with blocking the use of certain commands load also comes in different sizes. David every new development. Unlike the commonly used by malicious code. This Chess likens it to natural phenomena, 1988 Internet Worm victims, we do is a case of fighting the virus writers with “Small earth tremors are much more have a chance to develop methods that their own tools, since scripting languages common than large earthquakes. Slight can handle the majority of pandemic are also used by them to create viruses rises in the level of a river are much more virus outbreaks, even if only to a modest and Trojan Horses that run on a variety common than floods.” So, accepting the extent. There is also a bigger and more of platforms. Lemos quotes one consul- fact that small things happen often and established network of anti-virus experts tant who sees a weakness in the big things happen rarely, our manage- than there was in 1988. Despite the Symantec defence, observing that each ment of the smaller events is consequent- march of time, it is still hard to believe scripting language (e.g. JavaScript, Perl) ly better than our management of the that the main success of Melissa was that will need unique software. When you catastrophes, which, by their very nature it needed human intervention to propa- compare the number of scripting lan- and sometimes their unpredictability, are gate and spread. Just as if the clock had guages with the number of computer probably impossible to fully prepare for been turned back to December 1987, viruses, this argument dies a swift death. anyway. But accepting the infrequent there were still far too many unquestion- As Lemos points out, “keeping up with occurrence of the great unknown, and ing recipients of suspect E-mail. A the changes in scripting services could be with the knowledge that the probability simple user awareness campaign could far easier than keeping track of the more of large computer virus incidents have gone such a long way towards than 50 000 virus variants in the wild increases annually, there are less and less minimizing Melissa. today.” excuses to be caught totally unawares. Bearing this in mind, David Chess There is no doubting that the Melissa Unlike the victims of the 1988 Internet poses some appropriate questions, “How virus, while causing untold grief across Worm, which only God could have fore- will the continued growth of the Internet the world, was also a valuable wake-up seen, we are now in a much better posi- change the pattern of virus spread and call, in that while updating their anti- tion to postulate, prophesy and prepare. similar threats. Is our current paradigm of virus software against Melissa, users auto- Requiring no human intervention, the virus containment sufficient for the matically protected themselves from a Internet Worm’s automatic spread was future?” In 199,7 Chess foresaw integrat- host of other viruses that had not hit yet, facilitated by some Unix bugs and fea- ed mail systems and mobile code having some of which were actually more malev- tures that simply allowed it to hop from an impact on virus spread. There is no olent than Melissa. This was highlighted machine to machine, replicating and denying that this in fact has been the case, with the case of the Chernobyl strain CIH, executing in what seemed an unstop- and while ease of use and functionality is which hit at least 540 000 computers in pable demonic cycle. This is the type of paramount for the average Internet user, South Korea and Turkey in April 1999, automatic spread that can also be the technology used to achieve this is with a payload of reformatting hard dri- enabled by mobile code. There are facilitating the active spread of network- ves and in some instances, zapping a key enough analysts and anti-virus resources aware viruses. “We need to be prepared chip on the computer motherboard. out there to keep us aware of the threats for a world in which this sort of attack is Discovered in May 1998 and believed to and to advice us on practising 'safe com- common, by employing security systems have originated in Taiwan, it is aimed at puting'. There are enough uploads, that can deal with them routinely and Windows 95/98 platforms. The more downloads, updates, patches, free semi- automatically, reducing them to the level widespread variant strikes every 26th nars, bulletins, news alerts, 'in the wild' of ‘little tremors', so that we can free up April, the anniversary of the Chernobyl and hoax lists to give even the most our experts to deal with whatever ‘Big nuclear disaster, a lesser strain striking on lethargic of us some level of protection. Quakes’ are coming down the wire the 26th of every month while a third If we can understand the changing behind them.” strikes on 26th June. It would be true to technology we can understand and How does this practically manifest say that CIH wreaked a certain amount of appreciate the emerging threats, and be itself? Well, in 1997, Chess was talking havoc in both South Korea and Turkey, aware of the products that are attempt- about real-time detection and removal, but interestingly, nowhere else. The ing to circumvent them. Imbedded including analysis and interim action Korean Supreme Court had to delay some macros in Microsoft Word and Excel before the forwarding of data, and this rulings because evidence saved on com- documents (although the first macro has come to pass. A new development puters was lost. The article speculates why virus, WM/Concept.A has being doing was reported by Robert Lemos on CIH hit South Korea and Turkey in par- the rounds since 1995), mobile code in September 29th in ZDNet news whereby ticular. One theory is that the virus piggy- the form of Java, ActiveX and Visual Symantec Corp. have developed a tech- backed on pirated software which is quite Basic Script, and Trojan worms (with nology to stop viruses that use scripting common in Asia. Another theory suggests their many zipped and packed permuta- — to infect, manipulate and destroy that unlike the US, Asia was largely unaf- tions) are the obvious threats that spring programs and data on computers — by fected by the Melissa virus, thus they did

14 pp1-20.qxd 11/30/00 11:02 AM Page 15

feature

not benefit from the Melissa victims wake in the universe that can be fooled by them. may first be shocked at the figure, and up call. www.macafee.com have fifty nine hoaxes secondly, we may ask ourselves, how Melissa and VBS/LoveLetter apart, the listed on their site. It gets better with come my computer is not infected every virus hall of fame had many infamous Vmyths.com (www.vmyths.com), who other day if there is that amount of mali- members throughout the 1990’s, each have one hundred and eight virus hoaxes cious code working its way around cyber- responding or adapting in its own way to listed. space? the changes in computing environments, Sarah Gordon, in her paper Hoaxes and The terms I refer to are, 'In the Wild' machine types and operating systems. Hypes, likens the prevalence of the com- and 'Zoo', and you will perhaps be less Michelangelo got the award for hype and puter hoax to peoples' continued belief in familiar with the second. hysteria in 1992. Discovered in New corn circles, even though in 1991, two The phrase, 'In the Wild', was first Zealand in 1991, an infected system hoaxers admitted to creating them over a coined by David Chess in 1990/91 to would have parts of its hard disk overwrit- fifteen year period. describe real-world virus incidents or ten with random data if booted on the 6th She also cites the hoax carried out in those which pose an active threat to a real of March of any year. With such a poten- Australia in 1988 by Jose Luis Alvarez, world PC. tially damaging payload, the Michelangelo who claimed to be a channel for the spirit 'Zoo' viruses, while obviously existing, virus caught the attention of the media in Carlos. Again, when a Sixty Minutes pro- are not an active threat. When consider- the run up to 6th March 1992. gramme proved the feat to be a hoax, ing the effectiveness of anti-virus soft- Gordon points out that prior to this, the Disastrous predictions of doomsday ware, it is important to be aware of the Australian media had made no serious proportions were being flouted on televi- meaning of these terms, because it is the sion and print media. When the fateful efforts to check the accuracy of the story, product's ability to counteract the real day dawned, there were no horsemen to be even though there were some glaring world threat that you are interested in. seen riding across the sky. All was quiet on inconsistencies. If we did not have a de facto standard the north, south, east and western front. To this day, people still believe in corn like 'In the Wild', simply comparing White, Kephart and Chess even say that it circles and Carlos. In fact, the next time products by detection rates would be was difficult to find a verified incidence of you receive a virus hoax warning from a meaningless. As perhaps the product with destruction of data anywhere. friend or colleague, you might include in the higher detection rate might include But is this because the build up was mere your response your fears concerning the many 'Zoo' viruses, which are not a threat hype, or because the people caught up in spread of corn circles, and await their to us, and the product with the lower the hype ensured that they had the appro- reply! Among her reasons cited for buying detection rate might include most of the priate anti-virus software in place before into computer virus or other hoaxes are: 'In the Wild' viruses that we should be the trigger date, and/or many IT managers trust in authority, excitement, lack of concerned about. prevented the trigger date appearing on appropriate scientific skepticism, sense of According to Sarah Gordon, the their PCs? Like Melissa eight years later, it importance or belonging, and finally, fur- WildList represents the most organized provided the, by now passé, wakeup call to thering our own goals and self interests. the computer world. There are two important terms used in effort to catalogue those viruses which are Along with the hype, we also have the ‘virus speak’ and they need to be under- spreading, although it may not contain all hoaxes, and they have indeed become an stood, especially if we are to put the fig- 'In the Wild' viruses, and should more intrinsic part of the virus world. The hoax ures and statistics pertaining to computer appropriately considered as a subset of the payload is wasting peoples’ time and using 'In the Wild' viruses, albeit, a core set that up precious bandwidth. “the next time you receive every anti-virus product must be able to detect. Hoaxes depend upon ignorance and a virus hoax warning from innocence, as well as peoples’ enthusiasm In 2001 the computer virus will be for being good citizens and colleagues, by a friend or colleague, you twenty years old. We are now concerned passing on the dire warnings to as many might include in your with stealth, polymorphic and armoured people as they can. Their misplaced good viruses. deeds are merely playing into the hands of response your fears Dr. Fred Cohen's definitive definition those strange beings who instigate the concerning the spread of of the computer virus, “Any software hoaxes. which can modify other programs to HoaxKill (www.hoaxkill.com) currently corn circles, and await include a (possibly evolved) version of cites seven hoaxes on its active list and their reply!” itself,” still stands, but the complexity eight on its rare list. Some of these have which has ensued as a result of the con- been around for such a long time (It Takes viruses into a realistic perspective. If a stant battle of wits between the virus writ- Guts to Say 'Jesus' and Penpal Greetings) that newspaper article tells us that there are ers and the anti-virus software developers it is hard to believe that there is anyone left 50 000 computer viruses in existence, we may require an updated definition.

15 pp1-20.qxd 11/30/00 11:02 AM Page 16

feature

Medium and low risk viruses simply of bytes that identified a specific decryp- is looking forward itself, and is getting replicate or deliver an innocuous payload. tion routine. better at predicting new threats. High risk viruses, those that corrupt, In the case of that formidable adver- Carey Nachenberg predicts several even delete, reformat, crash or flood come in sary, the polymorphic virus, the more complex permutations of the poly- several guises. response of the anti-virus writers was to morphic virus. This is a constant chal- The three broad categories, system develop generic decryption techniques lenge for the anti-virus industry, but (boot record), file and multi-partite infec- that would trick it into decrypting and surely they have more technical resources tors still remain, but they increasingly uti- revealing itself. and man power than the virus writers? lize the stealth and polymorphic But it is the virus authors who lead the It is also the case of many against a few, approaches, rendering them far more dif- way, as the anti-virus industry treads the but hopefully this will always be enough ficult to trap and kill. Ferris wheel of reacting to their malicious to keep the birth rate of viruses down and So, how has the stealth and polymor- code. They will continue to challenge the the death rate up, thus avoiding too phic medley made life more difficult for anti-virus industry, although the industry many future epidemics. the anti-virus software industry? Polymorphic viruses have been crafted to Notes vary themselves when infecting new disks [12] Sarah Gordon, What is Wild? IBM or machines. One of their tricks is to [1] hreat Assessment of Malicious Code TJ Watson Research Centre imbed a do-nothing instruction in their and Human Threats, National [13] These attach themselves to the sys- own source code to prevent a virus scan- Institute of Standards and tem files stored on a disk. Any for- ner from looking for strings of code which Technology Computer Security matted disk can be infected. match known viruses. Division, 1994 Examples include Stealth viruses, The more sophisticated polymorphic [2] Only spread on 5.25 diskettes. Stoned and AntiCMOS viruses actually encrypt virus code with Introduction of 3.5 diskettes in the [14] Attach themselves to COM or EXE randomly generated numbers, and late 1980’s saw its demise. files. When infected files run, the decrypt the virus each time it is executed. [3] Improved technology helped to virus code executes first and infects This negates the traditional signature eliminate this, its conduit being other executables or makes itself matching approach of anti-virus software boot diskettes, which were increas- resident before continuing with and requires specially constructed search ingly replaced by hard disks from the actual program. This class engines, which can identify encryption the mid 1980’s. includes the Hitchcock, Shake, schemes. Programs known as mutation [4] Threat Assessment of Malicious Code and Dark Avenger viruses. engines allow almost any virus to be made and Human Threats, National [15] These infectors have been pro- into a polymorphic virus, the MtE muta- Institute of Standards and grammed to be able to infect both tion engine being the best known. Technology Computer Security files and boot records. Examples Stealth, on the other hand, is a technique Division, 1994 include the BootEXE and EXEBug employed by viruses to conceal themselves, [5] The Future of Viruses on the Internet viruses. rather than a virus type itself. Often, these — originally presented at the Virus [16] Created by Dark Avenger programs monitor disk accesses, and if a Bulletin International Conference, [17] Mark Hazen, Infection Detection, request is made to read the boot record, the San Francisco, October, 1997 Virus-Proofing Your LAN, Office of virus redirects the disk read to the original [6] The Future of Viruses on the Internet Information and Instruction tech- boot record, stored by the virus, negating – originally presented at the Virus nology, 1995. any attempts to spot an altered boot Bulletin International Conference, [18] PalmOS/Phage.963 record. The anti-virus workaround here is San Francisco, October, 1997 [19] Understanding and Monitoring that most of these viruses can be spotted by [7] Dan Schrader, Trend Micro Inc. Polymorphic Viruses, Carey checking to see if there are any of these ille- [8] Robert Lemos, ZDNet News, April Nachenberg, Symantec Enterprise gal ‘hooks’ into the interrupt used for disk 28, 1999 Papers, Volume XXX access. [9] Steve R White, Jeffrey O Kephart, [20] Understanding and Monitoring With the discovery of the first Palm OS David M Chess. Computer Viruses: Polymorphic Viruses, Carey virus this September, one can see the A Global Perspective, 1995 Nachenberg, Symantec Enterprise amphitheatre widening. [10] Sarah Gordon, Hoaxes and Hypes, Papers, Volume XXX The battle of wits continues. Simple 1997 [21] Explained in Steve R White, replicating viruses were caught by signa- [11] Sarah Gordon, What is Wild? IBM Jeffrey O Kephart, David M ture matching. Encrypted viruses that hid TJ Watson Research Centre Chess. Computer Viruses: A Global the fixed signature were caught by virus Perspective, 1995 scanners searching for tell tale sequences

16