[comp.binaries.ibm.pc.d] Columbus Day Virus

steinauer@ECF.NCSL.NIST.GOV ("STEINAUER, DENNIS") (09/23/89)

FOR IMMEDIATE RELEASE:                       Jan Kosko
Sept. 22, 1989                               301/975-2762

                                             TN-XXXX


             COMPUTER SECURITY EXPERTS ADVISE STEPS
               TO REDUCE THE RISK OF VIRUS ATTACKS

     To reduce the risk of damage from potentially serious
computer viruses, including one called "Columbus Day," experts at
the National Institute of Standards and Technology (NIST), the
National Computer Security Center (NCSC), and the Software
Engineering Institute (SEI) are recommending several measures plus
commonsense computing practices.

     "This advice is being offered to encourage effective yet calm
response to recent reports of a new variety of computer virus,"
says Dennis Steinauer, manager of the computer security management
and evaluation group at NIST.

     While incidents of malicious software attacks are relatively
few, they have been increasing.  Most recently, a potentially
serious personal computer virus has been reported.  The virus is
known by several names, including "Columbus Day," Datacrime and
"Friday the 13th."  In infected machines it is designed to attack
the hard-disk data-storage devices of IBM-compatible personal
computers on or after October 13.  The virus is designed to
destroy disk file directory information, making the disk's
contents inaccessible.  (A fact sheet on this virus is attached
and includes precautionary measures to help prevent damage.)

     While the Columbus Day virus has been identified in both the
United States and Europe, there is no evidence that it has spread
extensively in this country or that it is inherently any more
threatening than other viruses, say the computer security experts.

     "Computer virus" is a term often used to indicate any self-
replicating software that can, under certain circumstances,
destroy information in computers or disrupt networks.  Other
examples of malicious software are "Trojan horses" and "network
worms."  Viruses can spread quickly and can cause extensive
damage.  They pose a larger risk for personal computers which tend
to have fewer protection features and are often used by non-
technically-oriented people.  Viruses often are written to
masquerade as useful programs so that users are duped into copying
them and sharing them with friends and work colleagues.

     Routinely using good computing practices can reduce the
likelihood of contracting and spreading any virus and can minimize
its effects if one does strike.  Advice from the experts includes:

*    Make frequent backups of your data, and keep several
     versions.

*    Use only software obtained from reputable and reliable
     sources.  Be very cautious of software from public sources,
     such as software bulletin boards, or sent across personal
     computer networks.

*    Don't let others use your computer without your consent.

*    Use care when exchanging software between computers at work
     or between your home computer and your office computer.

*    Back up new software immediately after installation and use
     the backup copy whenever you need to restore.  Retain
     original distribution diskettes in a safe location.

*    Learn about your computer and the software you use and be
     able to distinguish between normal and abnormal system
     activity.

*    If you suspect your system contains a virus, stop using it
     and get assistance from a knowledgeable individual.

     In general, educating users is one of the best, most cost-
effective steps to take, says Steinauer.  Users should know about
malicious software in general and the risks that it poses, how to
use technical controls, monitor their systems and software for
abnormal activity, and what to do to contain a problem or recover
from an attack.  "An educated user is the best defense most
organizations have," he says.

     A number of commercial organizations sell software or
services that may help detect or remove some types of viruses,
including the Columbus Day virus.  But, says Steinauer, there are
many types of viruses, and new ones can appear at any time.  "No
product can guarantee to identify all viruses," he adds.

     To help deal with various types of computer security threats,
including malicious software, NIST and others are forming a
network of computer security response and information centers.
These centers are being modeled after the SEI's Computer Emergency
Response Team Coordination Center, often called CERT, established
by the Defense Advanced Research Projects Agency (DARPA).  The
centers will serve as sources of information and guidance on
viruses and related threats and will respond to computer security
incidents.

     In addition, NIST recently has issued guidelines for
controlling viruses in various computer environments including
personal computers and networks.

     NIST develops security standards for federal agencies and
security guidelines for unclassified computer systems.  NCSC, a
component of the National Security Agency, develops guidelines for
protecting classified (national security) systems.  SEI, a
research organization funded by DARPA, is located at Carnegie
Mellon University in Pittsburgh.

                              -30-

NOTE:  Computer Viruses and Related Threats:  A Management Guide
(NIST Special Publication 500-166) is available from
Superintendent of Documents, U.S. Government Printing Office,
Washington, D.C. 20402.  Order by stock no. 003-003-02955-6 for
$2.50 prepaid. Editors and reporters can get a copy from the NIST
Public Information Division, 301/975-2762.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Sept. 22, 1989

                           FACT SHEET

                   Columbus Day Computer Virus

Several reports of a new computer virus recently have been
published in the media and throughout the data processing
community.  This virus has been referred to as "Columbus Day,"
"Friday the 13th," as well as "Datacrime I" or "Datacrime II." It
attacks IBM-compatible personal computers running the MS-DOS/PC-
DOS operating system.  If activated, the virus will destroy disk
file directory information, making files and their contents
inaccessible. The following information has been compiled by
NIST, NCSC, and SEI from several sources and is being made
available for system managers to use in taking precautionary
measures.

NOTE: As with many viruses, there may be other, yet unidentified,
variants with different characteristics.  Therefore, this
information is not guaranteed to be complete and accurate for all
possible variants.

NAMES OF VIRUS:  Columbus Day, Friday the 13th, Datacrime I/II
EFFECT: Performs a low-level format of cylinder zero of the
hard disk on the target machine, thereby destroying the boot
sector and File Allocation Table (FAT) information.  Upon
activation it may display a message similar to the following:
DATACRIME VIRUS  RELEASED:1 MARCH 1989

TRIGGER: The virus is triggered by a system date 13 October or
later.  (Note that 13 October 1989 is a Friday.)

CHARACTERISTICS: Several characteristics have been identified:

1.  The virus, depending on its variant, appends itself to .COM
files (except for COMMAND.COM), increasing the .COM file by
either 1168 or 1280 bytes.  In addition, the Datacrime II variant
can infect .EXE files, increasing their size by 1514 bytes.

2.  The 1168 byte version contains the hex string EB00B40ECD21B4.

3.  The 1280 byte version contains the hex string
00568DB43005CD21.

This virus reportedly was released on 1 March 1989 in Europe.  It
is unlikely that significant propagation could occur between the
release date and mid-October; therefore, U.S. systems should be
at a low risk for infection.  If safe computing practices have
been followed, the risk should be practically nil.  However,
managers believing their site may be at risk should consider
taking precautionary measures, including one or more of the
following actions:

1.  Take full back-ups of all hard disks.  If the disks are later
found to have been infected and attacked by the virus, lost data
can be recovered from the back-ups.  Operating system and
application software can be restored from original media.  A full
low-level disk format should be performed on the infected hard
disk prior to restoration procedures.

2.  Consider using a commercial utility that can assist in
restoration of a disk directory and recovery of data.  There are
a number of such utilities on the market.  Note that these
utilities normally must be run prior to data loss to enable disk
and file restoration.

3.  Avoid setting the system date to 13 October or later until
the systems have been checked for virus presence.

4.  Attempt to determine if the virus is present in one or more
files through one of the following techniques:

     a.   If original file sizes are known, check for increased
          sizes as noted above.

     b.   Use DEBUG or another utility to scan .COM and .EXE files
          for the characteristic hexadecimal strings noted
          earlier.

     c.   Copy all software to an isolated system and set the
          system date to 13 October or later and run several
          programs to see if the virus is triggered.  If
          activation occurs, all other systems will require virus
          identification and removal.

     d.   Use a virus-detection tool to determine if this (or
          another) virus is present.
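
The following is an added example, not part of the NIST/NCSC/SEI fact
sheet: a defender-side check that applies the two indicators the sheet
gives under CHARACTERISTICS and under techniques 4a and 4b, namely a .COM
or .EXE file that has grown over a trusted size baseline by exactly 1168,
1280 or 1514 bytes, and a file that contains one of the two quoted hex
strings.  The function names, the file names, the baseline sizes and the
sample file contents are all constructed for illustration; only the hex
strings and the byte counts come from the fact sheet.

```python
"""Added example, not part of the NIST/NCSC/SEI fact sheet: a defender-side
check that applies the two indicators the sheet lists for the Columbus Day /
Datacrime virus. Technique 4a: a .COM or .EXE file has grown, relative to a
trusted size baseline, by one of the documented amounts (1168 or 1280 bytes
for .COM, 1514 for .EXE). Technique 4b: the file contains one of the two hex
strings quoted in the sheet. All file names, baseline sizes and file contents
below are constructed for illustration."""
from __future__ import annotations

import os

# Hex strings quoted in the fact sheet, keyed by the variant they identify.
SIGNATURES: dict[str, bytes] = {
    "1168-byte .COM variant": bytes.fromhex("EB00B40ECD21B4"),
    "1280-byte .COM variant": bytes.fromhex("00568DB43005CD21"),
}

# Size increases listed in the fact sheet, by file type.
GROWTH: dict[str, tuple[int, ...]] = {".COM": (1168, 1280), ".EXE": (1514,)}


def find_signatures(data: bytes) -> list[str]:
    """Technique 4b: names of every documented hex string present in the file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def size_growth(name: str, size: int, baseline: dict[str, int]) -> int | None:
    """Technique 4a: return the growth in bytes if the file is larger than its
    trusted baseline by exactly one of the documented amounts, else None."""
    ext = os.path.splitext(name)[1].upper()
    known = baseline.get(name.upper())
    if known is None or ext not in GROWTH:
        return None
    delta = size - known
    return delta if delta in GROWTH[ext] else None


def scan_files(files: dict[str, bytes], baseline: dict[str, int]) -> dict[str, list[str]]:
    """Apply both checks to a mapping of file name -> contents.
    Returns {file name: [findings]} for files that produced any finding."""
    findings: dict[str, list[str]] = {}
    for name, data in files.items():
        if os.path.splitext(name)[1].upper() not in GROWTH:
            continue  # the sheet names only .COM and .EXE as infected file types
        hits = [f"contains hex string of the {s}" for s in find_signatures(data)]
        delta = size_growth(name, len(data), baseline)
        if delta is not None:
            hits.append(f"size grew by {delta} bytes over trusted baseline")
        if hits:
            findings[name] = hits
    return findings


def scan_directory(path: str, baseline: dict[str, int]) -> dict[str, list[str]]:
    """Same checks over the files in one directory on disk."""
    files: dict[str, bytes] = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                files[entry.name] = fh.read()
    return scan_files(files, baseline)


# Constructed sample data. CLEAN_COM stands in for a 200-byte program; the
# "infected" copy is that program plus 1168 bytes of filler that carries the
# 1168-byte variant's string. The filler is inert padding, not virus code.
CLEAN_COM = bytes([0xC3]) * 200  # 200 RET opcodes: a do-nothing program
INFECTED_COM = CLEAN_COM + SIGNATURES["1168-byte .COM variant"] + b"\x90" * (1168 - 7)

# Trusted sizes, as they would be recorded from original distribution media.
BASELINE = {"HELLO.COM": 200, "EDIT.EXE": 4096}

SAMPLE_FILES = {
    "HELLO.COM": INFECTED_COM,            # 1368 bytes: +1168 and string present
    "COPY.COM": CLEAN_COM,                # no baseline entry, no string: nothing
    "EDIT.EXE": b"MZ" + b"\x00" * 4094,   # 4096 bytes, equals baseline
    "README.TXT": b"not an executable",   # skipped: not .COM/.EXE
}

if __name__ == "__main__":
    for fname, hits in scan_files(SAMPLE_FILES, BASELINE).items():
        print(fname)
        for hit in hits:
            print("   ", hit)
```

Two limits follow from the fact sheet itself.  Its NOTE says other
variants with different characteristics may exist, so a file with no hit
is not thereby shown to be clean.  Conversely, a seven- or eight-byte
string can occur by chance in legitimate code, so a hit is a lead to be
confirmed, for instance on an isolated system as in technique 4c, rather
than proof of infection.  The size check is only as good as its baseline,
which is why it should be recorded from the original distribution
diskettes kept in a safe location, as the press release advises, rather
than from a machine that may already be infected.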

Commercial products intended to detect or remove various computer
viruses are available from several sources.  However, these
products are not formally reviewed or evaluated; thus, they are
not listed here.  The decision to use such products is the
responsibility of each user or organization.

                             - 30 -
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A Suggested Readings List for Computer Viruses and Related
Problems:

Prepared by:   John Wack
               National Institute of Standards and Technology

               September 22, 1989


                            ABSTRACT


This document provides a list of suggested readings for obtaining
information about computer viruses and other related threats to
computer security.  The primary intended audience is management
as well as other technically-oriented individuals who wish to
learn more about the nature of computer viruses and techniques
that can be used to reduce their potential threat.  The suggested
readings may range from general discussions on the nature of
viruses and related threats, to technical articles which explore
the details of various viruses, the mechanisms they attack, and
methods for controlling these threats to computer security.

BASIC TERMS


The following list provides general definitions for basic terms
that are commonly used throughout the applicable literature.
Some of the terms are relatively new and their definitions are
not widely agreed upon, thus they may be used differently
elsewhere.


Computer Virus:  A name for a class of programs that contain
software that has been written to cause some form(s) of damage to
a computing system's integrity, confidentiality, or availability.
Computer viruses typically copy their instructions to other
programs; the other programs may continue to copy the
instructions to more programs.  Depending on the author's
motives, the instructions may cause many different forms of
damage, such as deleting files or crashing the system.  Computer
viruses are so named because of their functional similarity to
biological viruses, in that they can spread rapidly throughout a
system.  The term is sometimes used in a general sense to cover
many different types of harmful software, such as trojan horses
or network worms.

Network Worm:  A name for a program or command file that uses a
computer network as a means for adversely affecting a system's
integrity, reliability, or availability.  From one system, a
network worm may attack a second system by first establishing a
network connection with the second system.  The worm may then
spread to other systems in the same manner.  A network worm is
similar to a computer virus in that its instructions can cause
many different forms of damage.  However, a worm is generally a
self-contained program that spreads to other systems, as opposed
to other files.

Malicious Software:  A general term for computer viruses, network
worms, trojan horses, and other software designed to deliberately
circumvent established security mechanisms or codes of ethical
conduct or both, to adversely affect the confidentiality,
integrity, and availability of computer systems and networks.
The software may be composed of machine-language executable
instructions, or could be in the form of command files.

Unauthorized User(s):  A user who knowingly uses a system in a
non-legitimate manner.  The user may or may not be an authorized
user of the system.  The actions of the user violate established
security mechanisms or policies, or codes of ethical conduct, or
both.

Trojan Horse:  A name for a program that disguises its harmful
intent by purporting to accomplish some harmless and possibly
useful function.  For example, a trojan horse program could be
advertised as a calculator, but it may actually perform some
other function when executed such as modifying files or security
mechanisms.  A computer virus could be one form of a trojan
horse.

Back Door:  An entry point to a program or system that is hidden
or disguised, often created by the software's author for
maintenance or other convenience reasons.  For example, an
operating system's password mechanism may contain a back door
such that a certain sequence of control characters may permit
access to the system manager account.  Once a back door becomes
known, it can be used by unauthorized users or malicious software
to gain entry and cause damage.

Time Bomb, Logic Bomb:  Mechanisms used by some examples of
malicious software to cause damage after a predetermined event.
In the case of a time bomb, the event is a certain system date,
whereas for a logic bomb, the event may vary.  For example, a
computer virus may infect other programs, yet cause no other
immediate damage.  If the virus contains a time bomb mechanism,
the infected programs would routinely check the system date or
time and compare it with a preset value.  When the actual date or
time matches the preset value, the destructive aspects of the
virus code would be executed.  If the virus contains a logic
bomb, the triggering event may be a certain sequence of key
strokes, or the value of a counter.

Anti-Virus Software:  Software designed to detect the occurrence
of a virus.  Often sold as commercial products, anti-virus
programs generally monitor a system's behavior and raise alarms
when activity occurs that is typical of certain types of computer
viruses.

Isolated System:  A system that has been specially configured for
determining whether applicable programs contain viruses or other
types of malicious software.  The system is generally
disconnected from any computer networks or linked systems, and
contains test data or data that can be restored if damaged.  The
system may use anti-virus or other monitoring software to detect
the presence of malicious software.

Computer Security:  The technological safeguards and management
procedures that can be applied to computer hardware, programs,
data, and facilities to assure the availability, integrity, and
confidentiality of computer based resources and to assure that
intended functions are performed without harmful side effects.

                       SUGGESTED READINGS



Brenner, Aaron; LAN Security; LAN Magazine, Aug 1989.

Bunzel, Rick; Flu Season; Connect, Summer 1988.

Cohen, Fred; Computer Viruses, Theory and Experiments; 7th
Security Conference, DOD/NBS Sept 1984.

Computer Viruses - Proceedings of an Invitational Symposium, Oct
10/11, 1988; Deloitte, Haskins, and Sells; 1989.

Denning, Peter J.; Computer Viruses; American Scientist, Vol 76,
May-June, 1988.

Denning, Peter J.; The Internet Worm; American Scientist, Vol 77,
March-April, 1989.

Dvorak, John; Virus Wars: A Serious Warning; PC Magazine; Feb 29,
1988.

Federal Information Processing Standards Publication 83,
Guideline on User Authentication Techniques for Computer Network
Access Control; National Bureau of Standards, Sept, 1980.

Federal Information Processing Standards Publication 73,
Guidelines for Security of Computer Applications; National Bureau
of Standards, June, 1980.

Federal Information Processing Standards Publication 112,
Password Usage; National Bureau of Standards, May, 1985.

Federal Information Processing Standards Publication 87,
Guidelines for ADP Contingency Planning; National Bureau of
Standards, March, 1981.

Fiedler, David and Hunter, Bruce M.; Unix System Administration;
Hayden Books, 1987.

Fitzgerald, Jerry; Business Data Communications: Basic Concepts,
Security, and Design; John Wiley and Sons, Inc., 1984.

Gasser, Morrie; Building a Secure Computer System; Van Nostrand
Reinhold, New York, 1988.

Grampp, F. T. and Morris, R. H.; UNIX Operating System Security;
AT&T Bell Laboratories Technical Journal, Oct 1984.

Highland, Harold J.; From the Editor -- Computer Viruses;
Computers & Security; Aug 1987.

Longley, Dennis and Shain, Michael; Data and Computer Security.

McAfee, John; The Virus Cure; Datamation, Feb 15, 1989.

NBS Special Publication 500-120; Security of Personal Computer
Systems: A Management Guide; National Bureau of Standards, Jan
1985.

NIST Special Publication 500-166; Computer Viruses and Related
Threats: A Management Guide; National Institute of Standards and
Technology, Aug 1989.

Parker, T.; Public domain software review: Trojans revisited,
CROBOTS, and ATC; Computer Language; April 1987.

Schnaidt, Patricia; Fasten Your Safety Belt; LAN Magazine, Oct
1987.

Shoch, J. F. and Hupp, J. A.; The Worm Programs: Early Experience
with a Distributed Computation; Comm of ACM, Mar 1982.

Spafford, Eugene H.; The Internet Worm Program: An Analysis;
Purdue Technical Report CSD-TR-823, Nov 28, 1988.

Thompson, Ken; Reflections on Trusting Trust (Deliberate Software
Bugs); Communications of the ACM, Vol 27, Aug 1984.

Tinto, Mario; Computer Viruses: Prevention, Detection, and
Treatment; National Computer Security Center C1 Tech. Rpt. C1-
001-89, June 1989.

White, Stephen and Chess, David; Coping with Computer Viruses and
Related Problems; IBM Research Report RC 14405 (#64367), Jan
1989.

Witten, I. H.; Computer (In)security: infiltrating open systems;
Abacus (USA) Summer 1987.