Computer Viruses and Trojan Horses: A Guide to Protecting Your Computer
by Ted Landberg
3/8/88

This bulletin discusses software called viruses and trojan horses and what precautionary steps you should take to prevent harm to your computer-based information.

Introduction

Recent newspaper and magazine articles have publicized several incidents of malicious software known as computer viruses and trojan horses. Serious questions are being raised about how computer-based information can be protected from this type of software. Presently there are no absolute safeguards against this malicious software short of isolating your computers; however, adequate protection can be achieved by combining traditional safeguards with some common sense about where, and from whom, you get software.

What is a virus?

A computer virus has been described as a set of "extra" computer instructions capable of replicating itself into other files, usually programs. This self-replicating code is hidden in a "host" program, referred to as a trojan horse. When the "host" program is executed, so are the "extra" instructions. A program can be a trojan horse, i.e. carry "extra" instructions, whether or not those instructions are a virus (self-replicating). Trojan horses and viruses can be malicious. Examples of malicious action include deleting data files, or rendering computer systems unavailable by modifying software libraries. This type of software presents a distinct threat to the integrity of computer systems.

How do these virus programs enter a computer system?

Generally, viruses enter a computer system by using an appealing program as a "host" to harbor the self-replicating computer instructions. The host can be one of the operating system tools such as a compiler, editor or file utility, a macro written in one of the embedded macro languages found in spreadsheets or data base management software, and sometimes even a game.
Distribution of malicious software depends on getting an unsuspecting user to accept a program where visual inspection of the product is difficult and the author or source can remain anonymous. Public or private conferencing systems, timesharing networks and electronic bulletin boards, as well as user group software exchanges and computer "flea markets", meet these requirements.

What should I do to protect myself?

Isolating the computer system from contact with outside sources of software is the best way to ensure the integrity of the system. This is very difficult for multi-user systems and not a particularly attractive solution if the computer is going to continue to be useful over time.

One alternative approach is to detect the existence of malicious or self-replicating computer instructions. This requires some knowledge of the target of the attack and the means used by a virus to self-replicate. A generic solution is difficult, but several programs have been developed for identifying certain types of computer instructions that could present risks. These programs check for file operations, including opens, closes, reads and writes, that bypass operating system functions (for example, writes made directly to disk sectors rather than through the file system). A partial list of available software products is found in Appendix A.

Another solution is to stop the virus from replicating by preventing the rewriting of "infected" files. Confining programs to libraries on storage devices with a hardware "write disable" switch is one approach. Many large scale computer peripheral devices have such a switch; however, these features are rarely found on desktop computers. An alternative to a hardware "write disable" switch is a software "read only" feature that the operating system itself enforces. Unfortunately, such enforcement is found only on mini and mainframe computer operating systems. The "read-only" attribute in MS-DOS is not an effective protection mechanism because a user-written program can bypass the file system and write directly to the disk, changing the File Allocation Table (FAT), directory entries and file contents regardless of the attribute.
Popular microcomputer operating systems allow execution of computer instructions that can directly address and operate storage devices, bypassing normal operating system calls. Thus there is a constant exposure of disk storage devices and their file directories to destruction or modification.

A Five Point Program

There is no single set of solutions. Each installation must assemble its own procedures for containing the problem. However, this five step process is suggested.

1. Education

All users of computers should be told about the existence of trojan horses and computer viruses, what they are, and how to tell whether their system has been infected. Be frank when discussing the threat of computer viruses.

2. Backup and Recovery Procedures

Develop easy procedures for routine backup of important computer files. Make backup hardware (e.g. tape units) readily available to all users. Users connected to LANs should use automatic backup features. Suggest file organization structures that facilitate backup and recovery of disks that have been ruined by computer viruses.

3. Isolate Software Libraries

On larger computer systems, consolidate libraries into "read only" directories. In general, system or shared software should have limited update and write privileges.

4. Implement Software Library Management Procedures

Enforce program testing, version control and quality assurance checking for all software libraries. Use software library management tools to control and audit programs. Assign responsibility for testing public domain software and providing "approved" copies of that kind of software. Obtain software from known sources, inspect distribution media and documentation for tampering, and develop a "master copy" system.

5. Develop a Virus Alert Procedure

Getting the word out about potential or known viruses can contain or minimize the eventual spread and harmful effects of a computer virus.
Notices, telephone trees to ADP coordinators, and phone or electronic mail are all good vehicles. Procedures for containment and eradication should be thought out beforehand. These procedures usually require shutting the system down, reformatting disk or tape storage media and rebuilding software libraries from known uninfected copies.

Appendix A: Virus Detection Tools

All software listed below is in the public domain and available from the NBS/ICST Security Bulletin Board, (301) 948-5717 or 5718.

CHK4BOMB - Checks a program file for "write" instructions to absolute disk sectors.

BOMBSQUAD - A memory resident program that intercepts read, write and verify operations to floppy or hard disks and sends a message on suspected operations.

FLUSHOT3 - Monitors the COMMAND.COM file for writes and updates and will not allow a write to COMMAND.COM. Note: some earlier versions of this program had their own virus in them.

HDSENTRY - Protects hard disks from malicious writes during testing of uncertified software.

EARLY - Checks programs for occurrences of the OUT instruction, INT 13H (BIOS disk services) and DOS INT 26H (absolute disk write).
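The checks that CHK4BOMB and EARLY perform amount to scanning a program's bytes for the instructions that reach past the operating system: INT 13H (BIOS disk services), INT 26H (DOS absolute disk write) and OUT (direct port I/O). The scanner below is an added example written for this edit; it is not one of the tools in Appendix A and makes no claim about how those tools are implemented. The sample program bytes are hand-assembled and constructed for the example, including one operand byte that happens to equal an OUT opcode, to show why a linear byte scan reports things that need a human look rather than proving a program is malicious.

```python
"""
Scan a DOS-era program image for instructions that bypass the file system.
Added example in the spirit of EARLY / CHK4BOMB; not a tool from the bulletin.
"""
from typing import List, Tuple

# Opcode patterns that reach past the operating system's file calls.
INT_OPCODE = 0xCD                      # INT imm8: CD ib
SUSPECT_INTS = {
    0x13: "INT 13h  BIOS disk services (absolute sector read/write)",
    0x26: "INT 26h  DOS absolute disk write",
}
OUT_IMM8 = {0xE6: "OUT imm8, AL", 0xE7: "OUT imm8, AX"}   # port number in next byte
OUT_DX = {0xEE: "OUT DX, AL", 0xEF: "OUT DX, AX"}         # port number in DX


def scan(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every suspect byte pattern in `code`.

    This is a linear byte scan, not a disassembler: a byte that equals one of
    the opcodes but sits inside another instruction's operand, or inside data,
    is reported as well.  A hit therefore means "inspect this program", not
    "this program is malicious".
    """
    hits: List[Tuple[int, str]] = []
    for i, b in enumerate(code):
        if b == INT_OPCODE and i + 1 < len(code) and code[i + 1] in SUSPECT_INTS:
            hits.append((i, SUSPECT_INTS[code[i + 1]]))
        elif b in OUT_IMM8 and i + 1 < len(code):
            hits.append((i, f"{OUT_IMM8[b]} (port {code[i + 1]:#04x})"))
        elif b in OUT_DX:
            hits.append((i, OUT_DX[b]))
    return hits


# Constructed sample: hand-assembled bytes of a small .COM-style program.
SAMPLE = bytes([
    0xB4, 0x09,        # offset 0:  mov ah, 09h     DOS "print string" function
    0xBA, 0xEE, 0x01,  # offset 2:  mov dx, 01EEh   operand byte EEh looks like OUT DX,AL
    0xCD, 0x21,        # offset 5:  int 21h         ordinary DOS call, not flagged
    0xB8, 0x01, 0x03,  # offset 7:  mov ax, 0301h   AH=03h selects "write sectors"
    0xCD, 0x13,        # offset 10: int 13h         flagged: BIOS disk write
    0xE6, 0x43,        # offset 12: out 43h, al     flagged: direct port I/O
    0xCD, 0x20,        # offset 14: int 20h         terminate, not flagged
])


def scan_sample() -> List[Tuple[int, str]]:
    """Run the scanner over the constructed sample."""
    return scan(SAMPLE)


if __name__ == "__main__":
    for offset, what in scan_sample():
        print(f"offset {offset:4d}: {what}")
```

Run against the sample, the scanner reports offsets 3, 10 and 12. The hit at offset 3 is a false positive (the EEh is half of the immediate 01EEh), which is exactly the limitation of every tool of this kind: without following the instruction stream, the scan cannot tell opcode from operand, so its output is a list of places to inspect rather than a verdict.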
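Step 4 of the five point program calls for a "master copy" system, and FLUSHOT3 in Appendix A is built around one idea: a program file in the library should never change unless someone approved the change. The check below is an added example, not a tool from the bulletin, and goes beyond it by recording a SHA-256 digest of every file in the approved copy and comparing a deployed library against that record. The two file trees are constructed in memory so the example runs offline; read_tree loads a real directory into the same form.

```python
"""
Master copy check: record a digest of every approved program, then report
files in a deployed library that were modified, removed or added.
Added example; not one of the tools listed in the bulletin.
"""
import hashlib
from pathlib import Path
from typing import Dict, List

Manifest = Dict[str, str]            # relative path -> hex digest of contents


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Manifest:
    """Digest every file of the approved (master) copy."""
    return {name: digest(data) for name, data in files.items()}


def verify(master: Manifest, deployed: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare a deployed library against the master manifest.

    modified: contents differ (a virus that rewrote its host program shows up here)
    missing:  in the master copy but absent from the deployment
    added:    not in the master copy at all (an unapproved program in the library)
    """
    current = build_manifest(deployed)
    return {
        "modified": sorted(n for n in master if n in current and current[n] != master[n]),
        "missing": sorted(n for n in master if n not in current),
        "added": sorted(n for n in current if n not in master),
    }


def read_tree(root: Path) -> Dict[str, bytes]:
    """Load a real directory tree into the path -> bytes form used above."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): p.read_bytes()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


# Constructed sample: an approved library of three small program images.
MASTER = {
    "COMMAND.COM": b"\xe9\x10\x00" + b"\x90" * 20,
    "UTIL/FORMAT.EXE": b"MZ" + b"\x00" * 30,
    "EDIT.COM": b"\xb4\x09\xcd\x21",
}

# Constructed deployed copy: COMMAND.COM has grown by an appended routine,
# FORMAT.EXE is gone, and an unapproved program has appeared.
DEPLOYED = {
    "COMMAND.COM": MASTER["COMMAND.COM"] + b"\xcd\x26",
    "EDIT.COM": MASTER["EDIT.COM"],
    "GAME.COM": b"\xcd\x13",
}


def check_sample() -> Dict[str, List[str]]:
    """Verify the constructed deployment against the constructed master."""
    return verify(build_manifest(MASTER), DEPLOYED)


if __name__ == "__main__":
    for kind, names in check_sample().items():
        print(f"{kind:9s}: {', '.join(names) or '-'}")
```

The manifest is only as trustworthy as its storage: if it sits on the same writable disk as the library, a program that can rewrite COMMAND.COM can rewrite the manifest to match. Keep it, like the master copy itself, on write-disabled media as the earlier section recommends, and regenerate it only as part of the approved release procedure.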