                     Network Information Access
           Founded By: Guardian Of Time and Judge Dredd
                       17APR90          File 23
                   Overview on Viruses & Threats

  The  term computer  virus is  often  used in  a general  sense to
  indicate any software that can cause harm to systems or networks.

  However,  computer viruses are just one example of many different
  but related forms  of software that can act with  great speed and
  power to  cause extensive  damage; other  important examples  are
  Trojan horses  and network  worms.   In this series, I will discuss
  each.  This first file is a basic overview.

$_Trojan Horses

  A Trojan horse1 program is a  useful or apparently useful program
  or command procedure  containing hidden code that,  when invoked,
  performs some unwanted  function.   An author of  a Trojan  horse
  program might first create or gain access to the source code of a
  useful program that  is attractive to  other users, and then  add
  code  so  that the  program  performs  some  harmful function  in
  addition to its  useful function.   A simple example of  a Trojan
  horse  program  might  be  a  calculator  program  that  performs
  functions similar  to that of a  pocket calculator.  When  a user
  invokes the program, it appears to be performing calculations and
  nothing more, however it may also  be quietly deleting the user's
  files, or performing any  number of harmful actions.   An example
  of an even simpler Trojan horse program is one that performs only
  a  harmful  function, such  as a  program  that does  nothing but
  delete files.   However, it may appear to  be a useful program by
  having a name such as CALCULATOR  or something similar to promote

  Trojan  horse  programs  can  be  used  to  accomplish  functions
  indirectly  that  an  unauthorized   user  could  not  accomplish
  directly.  For example, a user  of a multi-user system who wishes
  to gain access to  other users' files could create a Trojan horse
  program to circumvent the users' file  security mechanisms.   The
  Trojan horse program, when run,  changes the invoking user's file
  permissions so  that the files  are readable  by any  user.   The
  author could then induce users to run  this program by placing it
  in a  common directory and naming  it such that users  will think
  the program is a useful utility.  After a user runs  the program,
  the author can then  access the information in the  user's files,
  which  in  this  example  could be  important  work  or  personal
  information.  Affected users may not  notice the changes for long
  periods of time unless they are very observant.

  An example of a Trojan horse program that would be very difficult
  to  detect would be  a compiler on  a multi-user system  that has
  been modified to insert additional  code into certain programs as
  they are  compiled, such as a login program.   The code creates a
  trap door in the  login program which permits the  Trojan horse's
  author to log onto the system using a special password.  Whenever
  the  login program is recompiled, the compiler will always insert
  the trap  door code into the program,  thus the Trojan horse code
  can never  be discovered  by reading  the login  program's source

  Trojan horse  programs are introduced  into systems in  two ways:

    they are initially  planted, and unsuspecting users copy  and run
    them.  They are planted in software repositories that many people
    can  access,  such  as  on  personal  computer  network  servers,
    publicly-accessible directories in  a multi-user environment, and
    software bulletin boards.  Users are then  essentially duped into
    copying  Trojan   horse  programs   to  their   own  systems   or
    directories.   If  a  Trojan  horse  program  performs  a  useful
    function and causes  no immediate or  obvious damage, a user  may
    continue to spread it  by sharing the program with  other friends
    and co-workers.  The  compiler that copies hidden code to a login
    program might  be  an example  of a  deliberately planted  Trojan
    horse that could be  planted by an  authorized user of a  system,
    such as a user assigned to maintain compilers and software tools.

$_Computer Viruses

  Computer viruses, like  Trojan horses, are programs  that contain
  hidden  code  which  performs  some  usually  unwanted  function.
  Whereas  the  hidden code  in  a  Trojan horse  program  has been
  deliberately placed by the program's author, the hidden code in a
  computer  virus program has  been added by  another program, that
  program itself being  a computer  virus or Trojan  horse.   Thus,
  computer  viruses are  programs that  copy their  hidden code  to
  other programs, thereby infecting them.  Once infected, a program
  may  continue to  infect  even more  programs.   In  due time,  a
  computer could be completely  overrun as the viruses spread  in a
  geometric manner.

    An example illustrating  how a computer  virus works might be  an
    operating system  program for  a personal computer,  in which  an
    infected  version of the  operating system  exists on  a diskette
    that contains an attractive game.   For the game to operate,  the
    diskette must be used to boot the computer, regardless of whether
    the  computer  contains a  hard  disk with  its  own copy  of the
    (uninfected)  operating  system program.    When the  computer is
    booted  using the diskette,  the infected program  is loaded into
    memory and  begins to  run.   It immediately  searches for  other
    copies of the operating system program, and finds one on the hard
    disk.  It then copies its hidden code  to the program on the hard
    disk.   This happens so quickly that the  user may not notice the
    slight delay before his game is run.  Later, when the computer is
    booted using the  hard disk,  the newly infected  version of  the
    operating system  will be  loaded into memory.   It will  in turn
    look  for copies  to infect.   However, it  may also  perform any
    number  of  very   destructive  actions,  such  as   deleting  or
    scrambling all the files on the disk.

    A  computer virus exhibits  three characteristics:  a replication
    mechanism,  an  activation  mechanism,  and  an objective.    The
    replication mechanism performs the following functions:

       -  searches for other programs to infect

       -  when it finds  a program, possibly determines  whether
          the program has been previously infected by checking a

       -  inserts  the  hidden  instructions  somewhere  in  the

       -  modifies  the  execution  sequence  of  the  program's
          instructions  such  that  the  hidden   code  will  be
          executed whenever the program is invoked

       -  possibly creates a  flag to indicate that  the program
          has been infected

    The flag may be  necessary because without it, programs  could be
    repeatedly infected and  grow noticeably large.   The replication
    mechanism could  also perform  other functions  to help  disguise
    that the file  has been infected,  such as resetting the  program
    file's modification date to  its previous value, and  storing the
    hidden code within the program so that the program's size remains
    the same.

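    Both the permission-changing Trojan horse described under Trojan
    Horses and the two disguises listed just above (restoring the
    file's modification date, keeping the program's size unchanged)
    are caught by the same defensive measure: a baseline of each
    file's contents and mode, taken while the system is known to be
    clean and checked again later. The Python script below is an
    added example written for this edition; it is not part of the
    NIA file. The directory layout, file names and contents it builds
    are constructed for the demonstration, and the "disguise" steps
    in demo() only reproduce, on throwaway files, the changes the
    text describes so that the check can be seen to report them.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record (mode, size, mtime_ns, sha256) for every regular file below root."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, etc.
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            rel = str(path.relative_to(root))
            snap[rel] = (stat.S_IMODE(st.st_mode), st.st_size, st.st_mtime_ns, digest)
    return snap


def compare(baseline, current):
    """Return {relative path: [findings]} for every file that differs between
    the two snapshots.  The hash is authoritative: a changed hash is reported
    even when size and modification time look untouched."""
    findings = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings[rel] = ["new file"]
            continue
        if rel not in current:
            findings[rel] = ["file removed"]
            continue
        b_mode, b_size, b_mtime, b_hash = baseline[rel]
        c_mode, c_size, c_mtime, c_hash = current[rel]
        issues = []
        if c_mode != b_mode:
            issues.append("permissions changed (%o -> %o)" % (b_mode, c_mode))
            if c_mode & stat.S_IROTH and not b_mode & stat.S_IROTH:
                issues.append("now readable by any user")
        if c_hash != b_hash:
            issues.append("contents changed")
            if c_size == b_size and c_mtime == b_mtime:
                issues.append("size and modification time unchanged: disguised modification")
        if issues:
            findings[rel] = issues
    return findings


def demo():
    """Constructed scenario: take a baseline, then reproduce the two disguises
    the text describes on throwaway files and see that both are reported."""
    root = Path(tempfile.mkdtemp())
    prog = root / "bin" / "calc"      # constructed stand-in for a program file
    notes = root / "notes.txt"        # constructed stand-in for private data
    prog.parent.mkdir()
    prog.write_bytes(b"\x7fELF" + b"A" * 28)   # 32 bytes of dummy content
    notes.write_text("private notes\n")
    os.chmod(prog, 0o700)
    os.chmod(notes, 0o600)
    baseline = snapshot(root)

    # Disguise 1 (virus): same size, modification time put back afterwards.
    before = prog.lstat()
    prog.write_bytes(b"\x7fELF" + b"B" * 28)
    os.utime(prog, ns=(before.st_atime_ns, before.st_mtime_ns))
    # Disguise 2 (Trojan horse): private file quietly made world-readable.
    os.chmod(notes, 0o644)
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, issues in demo().items():
        print(path, "->", "; ".join(issues))
```

    Running the script reports the program as modified in spite of
    its unchanged size and date, and the notes file as newly readable
    by any user. The baseline only has value if it is stored where
    the suspect programs cannot rewrite it, for example on a
    write-protected diskette or another system.
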
    The activation mechanism checks for the occurrence of some event.
    When the event occurs, the computer virus executes its objective,
    which  is  generally  some  unwanted,  harmful action.    If  the
    activation mechanism checks  for a specific  date or time  before
    executing its objective, it  is said to contain a time  bomb.  If
    it  checks for a certain  action, such as  if an infected program
    has been executed a preset number of times, it is said to contain
    a logic bomb.   There may be  any number of variations,  or there
    may be no activation  mechanism other than the  initial execution
    of the infected program.

    As mentioned, the  objective is  usually some unwanted,  possibly
    destructive event.   Previous examples  of computer viruses  have
    varied widely in  their objectives, with some  causing irritating
    but harmless displays  to appear, whereas  others have erased  or
    modified files or  caused system hardware to  behave differently.
    Generally, the objective consists of  whatever actions the author
    has designed into the virus.

    As with Trojan horse programs, computer viruses can be introduced
    into  systems  deliberately  and  by  unsuspecting  users.    For
    example, a Trojan horse program whose  purpose is to infect other
    programs  could be  planted  on a  software  bulletin board  that
    permits  users  to upload  and download  programs.   When  a user
    downloads the program and then executes it,  the program proceeds
    to infect  other programs in the user's  system.  If the computer
    virus  hides itself well,  the user may continue  to spread it by
    copying the infected  program to other  disks, by backing it  up,
    and  by  sharing it  with other  users.   Other  examples  of how
    computer   viruses  are   introduced  include   situations  where
    authorized users  of systems  deliberately  plant viruses,  often
    with  a time bomb mechanism.   The virus may then activate itself
    at some later point in time, perhaps when the user is  not logged
    onto  the  system  or  perhaps  after   the  user  has  left  the

$_Network Worms

     Network  worm  programs use  network  connections to  spread from
     system  to system,  thus network  worms  attack systems  that are
     linked via communications lines.  Once  active within a system, a
     network worm can behave as a computer  virus, or it could implant
     Trojan  horse programs  or perform  any  number of  disruptive or
     destructive actions.  In a sense, network worms are like computer
     viruses with the ability to infect other systems as well as other
     programs.  Some people use the term virus to include both cases.

     To replicate themselves,  network worms use some  sort of network
     vehicle, depending on the type of  network and systems.  Examples
     of network vehicles include (a) a network mail facility, in which
     a  worm can mail  a copy  of itself to  other systems, or  (b), a
     remote execution capability, in  which a worm can execute  a copy
     of itself on  another system, or  (c) a remote login  capability,
     whereby  a worm can log  into a remote system as  a user and then
     use commands to  copy itself from one  system to the other.   The
     new copy of  the network worm is  then run on the  remote system,
     where it may continue to spread to more systems in a like manner.
     Depending on the size of a network, a network worm can  spread to
     many  systems  in a  relatively short  amount  of time,  thus the
     damage it can cause to one system is multiplied by the  number of
     systems to which it can spread.

     A network  worm exhibits the  same characteristics as  a computer
     virus: a replication mechanism, possibly an activation mechanism,
     and an objective.   The replication mechanism  generally performs
     the following functions:

          -  searches for other systems to infect by examining host
             tables  or  similar  repositories  of  remote   system

          -  establishes  a   connection  with  a   remote  system,
             possibly by  logging in  as a  user  or using  a  mail
             facility or remote execution capability

          -  copies itself to the remote system and causes the copy
             to be run

     The network worm may  also attempt to determine whether  a system
     has previously been infected before copying itself to the system.

     In a multi-tasking computer, it may also disguise its presence by
     naming  itself as a system process  or using some other name that
     may not be noticed by a system operator.

     The activation mechanism might use a  time bomb or logic bomb  or
     any number of variations to activate itself.  Its objective, like
     all  malicious software, is whatever the author has designed into
     it.  Some network worms have been designed  for a useful purpose,
     such as to perform general "house-cleaning" on networked systems,
     or  to  use extra  machine  cycles  on each  networked  system to
     system.  A network worm with a harmful objective could perform  a
     wide  range of destructive  functions, such as  deleting files on
     each affected computer, or by implanting Trojan horse programs or
     computer viruses.

     Two examples of  actual network  worms are presented  here.   The
     first  involved a Trojan horse program that displayed a Christmas
     tree  and  a message  of  good  cheer (this  happened  during the
     Christmas  season).    When  a user  executed  this  program,  it
     examined   network  information  files  which  listed  the  other
     personal computers that could  receive mail from this user.   The
     program then mailed itself to those  systems.  Users who received
     this message  were  invited to  run  the Christmas  tree  program
     themselves, which they did.   The network worm thus  continued to
     spread to  other systems until  the network was  nearly saturated
     with traffic.   The network  worm did not  cause any  destructive
     action other than disrupting communications and causing a loss in

     The second example concerns the  incident whereby a network  worm
     used the collection of  networks known as the Internet  to spread
     itself to several  thousands of computers located  throughout the
     United States.  This worm  spread itself automatically, employing
     somewhat  sophisticated  techniques  for bypassing  the  systems'
     security mechanisms.   The worm's replication  mechanism accessed
     the systems by using one of three methods:

          -  it employed  password cracking, in  which it attempted
             to log into systems using  usernames for passwords, as
             well as using words from an on-line dictionary

          -  it exploited a  trap door  mechanism in mail  programs
             which  permitted  it  to  send  commands to  a  remote
             system's command interpreter

          -  it exploited a  bug in  a network information  program
             which permitted it to access a remote system's command

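     A defender's counterpart to the first of these methods is a check,
     run at the moment a user chooses a password, that rejects exactly
     the guesses the worm relied on: the username itself and words from
     a dictionary. The Python below is an added example written for
     this edition, not part of the NIA file. Its word list and sample
     accounts are constructed, and the two refinements it makes beyond
     the text (also rejecting the reversed or doubled username, and
     ignoring trailing digits before the dictionary lookup) are
     assumptions of this example, not claims about the actual worm.

```python
import re

# Constructed stand-in for the "on-line dictionary" the text mentions; a real
# deployment would load a full word list.
DICTIONARY = frozenset({
    "password", "secret", "welcome", "dragon", "computer", "letmein", "sunshine",
})


def password_weaknesses(username, password, dictionary=DICTIONARY):
    """Return the reasons a candidate password would fall to the guessing
    strategies described in the text; an empty list means neither applies."""
    reasons = []
    u = username.casefold()
    p = password.casefold()
    # Strategy 1: the username used as the password.  Assumption added here:
    # the reversed and doubled username are treated the same way.
    if p in (u, u[::-1], u + u):
        reasons.append("password is derived from the username")
    # Strategy 2: a word from the dictionary.  Assumption added here: trailing
    # digits are stripped first, so "dragon1" is caught as well as "dragon".
    stem = re.sub(r"\d+$", "", p)
    if p in dictionary or stem in dictionary:
        reasons.append("password is a dictionary word")
    return reasons


def audit(accounts, dictionary=DICTIONARY):
    """Check (username, password) pairs at the moment a password is chosen and
    return {username: reasons} for every one that should be rejected."""
    failures = {}
    for username, password in accounts:
        reasons = password_weaknesses(username, password, dictionary)
        if reasons:
            failures[username] = reasons
    return failures


# Constructed sample accounts; none of these are real credentials.
SAMPLE_ACCOUNTS = [
    ("alice", "alice"),
    ("bob", "dragon1"),
    ("carol", "Correct-Horse-42"),
    ("dave", "evad"),
]

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS).items():
        print("%s: %s" % (user, "; ".join(reasons)))
```

     Three of the four sample accounts are rejected; only carol's
     passphrase passes. The check belongs in the password-setting
     path, where the plaintext is available, rather than in a later
     audit of stored passwords, which should never be kept in clear.
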
     By using a  combination of  these methods, the  network worm  was
     able to copy itself  to different brands of computers  which used
     similar versions of a widely-used operating  system.  Many system
     managers were  unable to  detect its  presence in their  systems,
     thus  it  spread  very quickly,  affecting  several  thousands of
     computers  within  two  days.    Recovery efforts  were  hampered
     because  many  sites  disconnected from  the  network  to prevent
     further infections,  thus preventing those  sites from  receiving
     network mail that explained how to correct the problems.

     It was unclear  what the network worm's objective was,  as it did
     not destroy  information, steal  passwords, or  plant viruses  or
     Trojan horses.  The  potential for destruction was very  high, as
     the  worm  could have  contained  code  to effect  many  forms of
     damage, such as  to destroy all files  on each system.

$_Other Related Software Threats

     The  number of variations of Trojan horses, computer viruses, and
     network worms is apparently endless.   Some have names, such as a
     rabbit, whose objective is to spread wildly within or among other
     systems  and  disrupt  network  traffic,  or a  bacterium,  whose
     objective is to  replicate within a  system and eat up  processor
     time  until computer  throughput is  halted.   It  is
     likely  that  many new  forms  will  be  created, employing  more
     sophisticated techniques for spreading and causing damage.

$_The Threat of Unauthorized Use

     While computer viruses and related forms of  malicious  software
     are intriguing  issues  in themselves,  it  is important  not  to
     overlook that they are created by people, and are fundamentally a
     people problem.   In essence, examples of malicious  software are
     tools that  people use  to extend  and enhance  their ability  to
     create mischief and various other forms of damage.  Such software
     can do  things that  the interactive user  often cannot  directly
     effect,  such  as  working  with   great  speed,  or  maintaining
     anonymity,  or  doing  things that  require  programmatic  system
     calls.   But  in general,  malicious  software exploits  the same
     vulnerabilities  as  can knowledgeable  users.   Thus,  any steps
     taken to  reduce the likelihood  of attack by  malicious software
     should address  the likelihood  of unauthorized  use by  computer