
In Proceedings of the th Virus Bulletin International Conference, Boston, September, Virus Bulletin Ltd, Abingdon, England, pp.

Computer Viruses: A Global Perspective

Steve R. White, Jeffrey O. Kephart and David M. Chess
High Integrity Computing Laboratory
IBM Thomas J. Watson Research Center
PO Box, Yorktown Heights, NY

Introduction

Technical accounts of computer viruses usually focus on the microscopic details of individual viruses: their structure, their function, the type of host programs they infect, etc. The media tends to focus on the social implications of isolated scares. Such views of the virus problem are useful, but limited in scope.

One of the missions of IBM's High Integrity Computing Laboratory is to understand the virus problem from a global perspective, and to apply that knowledge to the development of anti-virus technology and measures. We have employed two complementary approaches: observational and theoretical virus epidemiology. Observation of a large sample population for six years has given us a good understanding of many aspects of virus prevalence and virus trends, while our theoretical work has bolstered this understanding by suggesting some of the mechanisms that govern the behavior that we have observed.

In this paper, we review some of the main findings of our previous work. In brief, we show that, while thousands of DOS viruses exist today, less than of these have actually been seen in real virus incidents. Viruses do not tend to spread wildly. Rather, it takes months or years for a virus to become widespread, and even the most common affect only a small percentage of all computers. Theoretical models, based on biological epidemiology, can explain these major features of computer virus spread.

Then, we demonstrate some interesting trends that have become apparent recently. We examine several curious features of viral prevalence over the past few years, including remarkable peaks in virus reports, the rise of boot-sector-infecting viruses to account for almost
all incidents today, and the near extinction of file-infecting viruses. We show that anti-virus software can be remarkably effective within a given organization, but that it is not responsible for the major changes in viral prevalence worldwide. Instead, our study suggests that changes in the computing environment, including changes in machine types and operating systems, are the most important effects influencing what kinds of viruses become prevalent and how their prevalence changes.

Finally, we look at current trends in operating systems and networking, and attempt to predict their effect on the nature and extent of the virus problem in the coming years.

The Status of the Virus Problem Today

Over the past decade, computer viruses have gone from an academic curiosity to a persistent, worldwide problem. Viruses can be written for, and spread on, virtually any computing platform. While there have been a few large-scale network-based incidents to date, the more significant problem has been on microcomputers. Viruses are an ongoing, persistent, worldwide problem on every popular microcomputing platform.

In this section, we shall first review briefly our methods for monitoring several aspects of computer virus prevalence in the world. Then, we shall present a number of the most interesting observations. We will attempt to explain these observations in later sections of the paper.

Measuring Computer Virus Prevalence

We have learned much about the extent of the PC-DOS virus problem by collecting virus incident statistics from a fixed, well-monitored sample population of several hundred thousand PCs for six years. The sample population is international, but biased towards the United States. It is believed to be typical of Fortune companies, except for the fact that central incident management is used to monitor and control virus incidents. Briefly, the location and date of each virus incident is recorded, along with the number of infected PCs and diskettes and the identity of the virus. From these
statistics, we obtain more than just an understanding of the virus problem within our sample population; we also can infer several aspects of the virus problem worldwide. Figure illustrates how this is possible.

From the perspective of one of the organizations that comprises our sample population, the world is full of computer viruses that are continually trying to penetrate the semi-permeable boundary that segregates that organization from the external world. At a rate depending on the number of computer virus infections in the world, the number of machines in the organization, and the permeability of the boundary, a computer virus will sooner or later make its way into the organization. This marks the beginning of a virus incident.

Assuming that the permeability of the boundary remains constant, the number of virus incidents per unit time per machine within the set of organizations that makes up our sample population should be proportional to the number of computer virus infections in the world during that time period. In fact, our measure will lag the actual figure somewhat, since incidents are not always discovered immediately.

Observations of Computer Virus Prevalence

As shown in Figure, there are thousands of DOS viruses today. During the past several years, the rate at which they have appeared worldwide has crept upwards to its present value of new viruses a day on average (see Fig.). Note that the number of new viruses is not increasing exponentially, as is often claimed. The rate of appearance of new viruses in the collections of anti-virus workers has been increasing gradually for several years, at roughly a linear rate. Thus, the number of known viruses is growing quadratically at worst. In fact, almost nothing at all about viruses is increasing exponentially. The problem is significant, and it is growing somewhat worse, but prophets of doom in this field have poor track records.

While there are thousands of DOS viruses, less than of them have been seen in
actual virus incidents within the population that we monitor. These are the viruses that actually constitute a problem for the general population of PC users. It is very important that anti-virus software detect viruses that have been observed in the wild. The remainder are rarely seen outside of the collections of anti-virus groups like ours.

Although many of them might never spread significantly, viruses that are not prevalent remain of interest to the anti-virus community. We must always be prepared for the possibility that a low-profile virus will start to become prevalent. This requires us to be familiar with all viruses, prevalent or not, and to incorporate a knowledge of as many of them as possible into anti-virus software. We continue to monitor the prevalence of all viruses, regardless of how prevalent they are at present.

1 Further details about our methods for collecting and interpreting statistics can be found in several references.

[Diagram: two panels, "Penetration" (left) and "Internal Spread" (right), each showing an organization (Org.) inside the World.]
Figure: Computer virus spread from an organization's perspective. White circles represent uninfected machines, black circles represent infected machines, and gray circles represent machines in the process of being infected. Throughout the world, computer viruses spread among PCs, many of them being detected and eradicated eventually. Left: Occasionally, a virus penetrates the boundary separating the organization from the rest of the world, initiating a virus incident. Right: The infection has spread to other PCs within the organization. The number of PCs that will be infected by the time the incident is discovered and cleaned up is referred to as the size of the incident.

[Plot: Number of Different PC-DOS Viruses, 1988-1995; curves: Total Viruses Known to IBM, and Observed.]
Figure: Cumulative number of viruses for which signatures have been obtained by IBM's High Integrity Computing Laboratory vs. time. There are thousands of viruses, but only a few have been seen in real incidents.

[Plot: New PC-DOS Viruses Per Day, 1988-1995.]
Figure: The number of new viruses appearing worldwide per day has been increasing steadily.

Out of the several hundred viruses that have ever been observed in actual incidents, a mere handful account for most of the problem. Figure shows the relative fraction of incidents caused by the ten most prevalent viruses in the world in the past year. These ten account for over two-thirds of all incidents. The one hundred other viruses that have been seen in incidents in the past year account for less than a third of the incidents. Most of these were seen in just a single incident.

Curiously, the ten most prevalent viruses are all boot viruses. Boot viruses infect boot sectors of diskettes and hard disks. When a system is booted from an infected diskette, its hard disk becomes infected. Typically, any non-write-protected diskette that is used in the system thereafter also becomes infected, spreading the virus. The dominance of boot viruses is especially striking when one takes into account the fact that, of the thousands of known DOS viruses, only about are boot sector infectors.

Boot viruses have not always been dominant. Three years ago, the second and third most prevalent viruses were file infectors, as were of the top. The total incident rates for boot infectors and file infectors