PH461A04@VAX1.UMKC.EDU (Jonathan E. Oberg) (05/18/91)
Without getting into a philosophic discussion about what constitutes life, and whether viruses (biologic or electronic) are alive, let me define a virus that has had limited detection in the public - what has been referred to here as a research virus - as a "dead" virus, and a virus that continues to be detected in the public to a significant degree as a "live" virus.

QUESTION: Will new live viruses spread effectively without new techniques??

The observation may be a bit naive, but in regard to the discussion of research viruses vs viruses in the environment, have we not minimized the risk of a new virus propagating by known means (for example, boot sector stealth viruses) with any success?? Few sites do not have *some* protection/detection available. Further, the infrastructure for distributing notices of new virus symptoms, detection methods/signatures, et cetera is now well defined and used (this forum, for example). Has anyone studied the rate of introduction of successful viruses?? My guess would be a strict decline. Is this far off others' experiences?

On a strictly biological model, viruses must have some time X necessary to propagate from one system to another. We are unconcerned with propagation on one system, as this will be a factor in how long the virus takes to move from system to system. With the increase of scan/resident/other virus programs, and a significant decrease in the time between when a virus is detected and the information on that virus is published, the time a virus has available to spread is shortened, perhaps below the critical level necessary for success.

The WDEF virus on the Mac, for example, was an example of a new viral technique. It became widespread. Successors, however, have fared poorly: CDEF, MDEF, LDEF?? Once the technique is known, detection/prevention effectively kills these viruses.

Call this the smallpox syndrome; once we know how to detect, remove, and inoculate against these strains, we effectively eradicate them as successful viruses. Is the Stoned virus, for example, so prevalent because it is well designed and/or defeats virus detection, or because it preceded the large increase in sites with virus detection programs? Does not, in fact, a unique (defeats current programs) and successful (infects a "large" number of sites) virus *drive* the acceptance of virus detection/prevention programs?

The question is important in considering the commercial aspect of virus protection. Without discarding the deeply appreciated efforts of frisk, et al., virus protection has become big business. I cannot imagine Symantec, for example, advertising NAV as "Catches 100% of live viruses." To be commercially competitive, they *have* to advertise that they catch *at least* as many viruses as their competitors, even though 99% of these viruses are never seen outside "virus labs." Without a continual influx of successful viruses, that is, new techniques, the only marketable force behind upgrades and/or market share are dead viruses.

Jonathan Oberg
76100.1254@compuserve.com
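An added illustration of the propagation-window argument in the post above; this is not code from the post or from anyone on VIRUS-L. It is a deterministic day-by-day model: the population is split into sites that run a detector and sites that do not, the detector knows nothing about the new virus until the signature arrives on `signature_day`, and after that the virus can only keep going through the sites that never get the signature. The function names and every parameter value (10,000 machines, 0.2 new infections per infected machine per day, a 30-day gap before the signature arrives, a 5% daily cleanup rate at unprotected sites) are assumptions chosen to make the threshold visible, not measurements.

```python
# Added example (not from the VIRUS-L post): a deterministic day-by-day model of
# the propagation-window argument. The population is split into sites that run a
# detector and sites that do not; until the signature arrives the detector is
# outdated and stops nothing. Parameter values are assumptions, not measurements.

def post_signature_growth(beta, protected, cleanup):
    """Approximate per-day growth rate of the infected pool after the signature
    is out. Only unprotected sites still pass the virus on (beta * (1 - protected))
    while infected unprotected machines are cleaned at rate 'cleanup'.
    Negative: the virus dies out. Positive: the unprotected pool is a critical
    mass and the virus keeps spreading without the protected sites."""
    return beta * (1.0 - protected) - cleanup


def simulate(n=10000, beta=0.2, protected=0.3, signature_day=30,
             cleanup=0.05, days=365):
    """Run the model from one infected unprotected machine.

    n             machines in the population
    beta          new infections per infected machine per day while nearly
                  everything is still susceptible
    protected     fraction of sites with a detector installed
    signature_day day the signature reaches protected sites: their infected
                  machines are cleaned and their clean machines become immune
    cleanup       daily fraction of infected unprotected machines that someone
                  notices and cleans once the signature exists
    Returns cumulative infections, the peak, and what is left at the end.
    """
    s_u = n * (1.0 - protected) - 1.0   # susceptible, no detector
    s_p = n * protected                 # susceptible, detector installed
    i_u, i_p, immune = 1.0, 0.0, 0.0
    total = 1.0                         # machines ever infected
    peak = 1.0
    for day in range(days):
        infected = i_u + i_p
        # contacts land on protected and unprotected machines in proportion
        new_u = min(beta * infected * s_u / n, s_u)
        new_p = min(beta * infected * s_p / n, s_p)
        s_u -= new_u
        s_p -= new_p
        i_u += new_u
        i_p += new_p
        total += new_u + new_p
        if day == signature_day:
            immune += i_p + s_p         # detector now knows the virus
            i_p = s_p = 0.0
        elif day > signature_day:
            cleaned = cleanup * i_u     # slow manual cleanup elsewhere
            i_u -= cleaned
            immune += cleaned
        peak = max(peak, i_u + i_p)
    return {"total": total, "peak": peak, "still_infected": i_u + i_p,
            "immune": immune}


if __name__ == "__main__":
    for protected in (0.3, 0.9):
        for sig in (10, 30, 90):
            r = simulate(protected=protected, signature_day=sig)
            print(f"protected={protected:.1f} signature_day={sig:3d} "
                  f"growth={post_signature_growth(0.2, protected, 0.05):+.3f} "
                  f"total={r['total']:8.0f} peak={r['peak']:7.0f}")
```

The sign of `post_signature_growth` is the whole story: with 30% of sites protected the unprotected pool alone sustains the virus and publishing the signature earlier only trims the total; with 90% protected the same virus dies out within weeks of the signature appearing, whatever head start it had.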
CHESS@YKTVMV.BITNET (David.M.Chess) (05/21/91)
"Jonathan E. Oberg" <PH461A04@VAX1.UMKC.EDU> asks whether or not new viruses can still become widespread in the real world, given that there are lots of detectors out there, and lots of channels by which information about new viruses can travel. I'm afraid the answer is probably "yes, definitely", although I'd love to be wrong! While the people who read VIRUS-L, and probably all their friends, are well aware of viruses and how to defend against them, I think the average machine out there, and possibly still the average company, is not at all well protected. The Joshi virus, for instance, is now quite widespread, but it has not been around that long; certainly it doesn't date from before we knew about stealthed boot viruses! The world still seems to contain a critical mass of unprotected, sufficiently connected machines, dense enough for viruses to thrive in. If a virus gets lucky (gets shipped with 10,000+ pre-configured machines from some random source, say), it's still the case that it has a very good chance of getting thoroughly embedded in the populace... *Boy*, would I like to be wrong this time! *8) DC
ccx020@cck.coventry.ac.uk (James Nash) (05/21/91)
Jonathan E. Oberg wrote:
> QUESTION: Will new live viruses spread effectively without new
> techniques??
> [lots of good stuff deleted for space]
> With the increase of scan/resident/other virus programs, and a
> significant decrease in the time between when a virus is detected and
> the information on that virus is published, the time a virus has
> available to spread is shortened, perhaps below the critical level
> necessary for success.

I agree. Everyone fears a "great plague" type of virus, but we won't get one. When the Black Death swept across Europe, medical science was still throwing leeches at problems. We are beyond the "leech" stage and will effectively combat any hyper-virus. Worth remembering when using the medical analogy for viruses that humans have created these binary beasts (: not nature.

Everyone has now become a virus "expert". I have heard tales (from my own department) of a one-byte hyper-code self-extracting virus. If I ever find it, I'm going to analyse it and make a fortune in data compression routines! The point I want to make is that while people like ourselves stay restrained, others like to panic, and this panic causes a lot more damage than most viruses. In that sense, a virus that gets a lot of media attention but causes little actual damage could be called successful because of mental damage. Also, people lose their jobs over one case of Stoned; now that's REAL damage :-<

> Is the stoned virus, for example, so prevalent because it is well
> designed and/or defeats virus detection, or because it preceded the
> large increase in sites with virus detection programs. Does not, in

I would say that Stoned is so successful because it exploits a flaw in the PC architecture which is also our main ally in the fight against viruses - booting from floppy. How many times have you seen a student put their disk in the PC then switch it on? I do it by mistake myself sometimes. Whether the author was a great visionary(!) or got lucky doesn't matter, he was the first(?) to use the technique. I doubt that we will see too many original techniques because we (not I!) know about every aspect of the PC, unlike the human body.

> Without a continual influx of successful viruses, that is new
> techniques, the only marketable force behind upgrades and/or market
> share are dead viruses.

Cruel. Perhaps virus fighters ought to remember that their ultimate goal, like doctors, is to make themselves redundant.

- --
James Nash, Computing Services, Coventry Polytechnic, England
frisk@rhi.hi.is (Fridrik Skulason) (05/21/91)
PH461A04@VAX1.UMKC.EDU (Jonathan E. Oberg) writes:
>QUESTION: Will new live viruses spread effectively without new
>techniques??

Yes - just consider viruses like Telecom (stealth/boot sector), Azusa (stealth/boot sector) and Tequila (stealth/program) - all of which are quite recent, use no radical innovations, although they are all quite interesting from a technical point of view, and are spreading quite rapidly.

However, around 90% of all new viruses do not spread much, if at all. My opinion is that...

...The number of new virus variants is growing exponentially.

...The number of new virus families is also growing exponentially, but at a much slower rate.

...The number of "successful" new viruses has been constant for a while, or growing very slowly - I don't think that more than 5 "successful" viruses appear per month, even though the number of new variants is now 60-100 per month.

...The number of virus infections is more-or-less stable - no significant increase, despite all those new viruses.

>With the increase of scan/resident/other virus programs, and a
>significant decrease in the time between when a virus is detected and
>the information on that virus is published, the time a virus has
>available to spread is shortened, perhaps below the critical level
>necessary for success.

One problem - people will often use outdated anti-virus software. Here in Iceland anti-virus software has been sold on 10-20% of all MS-DOS machines, and probably pirated on an additional 30-40%. As a result, infection reports had practically stopped. Last month, however, Azusa arrived here and has been spreading considerably, often on sites which obtained anti-virus programs two years ago and have not bothered to update them since.

>Is the stoned virus, for example, so prevalent because it is well
>designed and/or defeats virus detection, or because it preceded the
>large increase in sites with virus detection programs.

The second explanation - no doubt. The same applies to Jerusalem, and a few other "old" viruses.

>Without a continual influx of successful viruses, that is new
>techniques, the only marketable force behind upgrades and/or market
>share are dead viruses.

Well, there are always occasional "successful" viruses - but the success often depends on how the viruses are distributed initially. If the author just uploads the virus to McAfee's BBS or sends it anonymously to me or some other anti-virus author, the virus will not spread much - not unless it "escapes" from the virus-research community. If, as in the case of Tequila, the author systematically uploads an infected, popular game to BBSes all over Europe, the virus may get a significant initial distribution before anti-virus programs have been updated to detect it.

- -frisk
mrs@netcom.com (Morgan Schweers) (05/29/91)
Greetings,

>> Is the stoned virus, for example, so prevalent because it is well
>> designed and/or defeats virus detection, or because it preceded the
>> large increase in sites with virus detection programs. Does not, in
>
>I would say that Stoned is so successful because it exploits a flaw in
>the PC architecture which is also our main ally in the fight against
>viruses - booting from floppy. How many times have you seen a student
>put their disk in the PC then switch it on? I do it by mistake myself
>sometimes. Whether the author was a great visionary(!) or got lucky
>doesn't matter, he was the first(?) to use the technique.

Nope. The major reason the Stoned spreads is two-fold.

1) It's been around for a LONG LONG time. However, the Brain has been around just as long, so that can't be all of it.

2) It infects HDs. When it *HAS* infected an HD, it infects every single disk that passes through it. THAT is what makes it such a successful virus. The Brain didn't infect HDs, and is now reduced greatly in population. (Interestingly, though, I feel sure that there are more people infected with the Brain than are reported, since it *IS* the first stealth virus, and does a good job of hiding.)

>> Without a continual influx of successful viruses, that is new
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I'd put 'successful' viruses at about one every month or so, recently. Those are viruses which were spread by someone with a knowledge of the dynamics of spreading these things. The kind of virus that hits a few thousand people in the first few weeks of its life. A large percentage of those people aren't going to realize it's there. They'll be the 'typhoid PC' in that area, spreading it more and more. It also includes new viruses being spread by companies shipping software or hardware. ('getting lucky' in some folks' terms.) These are viruses that the marketplace can expect to live with, because they weren't caught early enough to nip their spread.

>> techniques, the only marketable force behind upgrades and/or market
>> share are dead viruses.
>
>Cruel. Perhaps virus fighters ought to remember that their ultimate
>goal, like doctors, is to make themselves redundant.

A very important point. I hope one day to put myself out of this crazy business, and write a book about the insanity all over the field. Goodness, the personality conflicts alone would make for a wonderful novel, then we add in the hysterics of the commercial side of the business... Of course, a fictional bar scene with all the principal players would be...frightening. I picture these ten people suddenly realizing who else is at the bar, and the temperature dropping twenty to thirty degrees suddenly. *grin* Other patrons diving for cover, and huddling behind tables suddenly. Yupyup... For an industry this size, there's been a lot of backstabbing and slandering, etc. If people could RELAX it would be good. 'Course there's money in them thar PCs, and that changes some folks.

Anyone care to make guesses on how long the virus problem will be around? I'm still looking forward to writing that book. *grin*

(A side and sad note... It is not us, the anti-viral researchers, who will kill the viruses once and for all. It's the OS writers who will finally produce an OS which supports the protections a machine needs. It's the users who will finally leave this damned MS/DOS troublemaker behind. THAT is when viruses will vanish, slowly but surely, and then we can all have a beer together and laugh about the nonsense of having to clean up behind Microsoft.)

-- Morgan Schweers

- --
"My tongue is firmly stuck in my cheek, and I'm rarely ever serious. One of my first quotes on the job was, 'So my job is to put myself out of a job, right? No problem!' I like to think that most AV folks share the opinion." -- mrs@netcom.com
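An added illustration of the hard-disk point made in the post above (the virus that infects the HD turns the machine into a reservoir that infects every diskette passing through it); this is not code from the post or from anyone on VIRUS-L. It is a small event-replay model of floppy-borne boot-sector infection: machines, diskettes and the usage schedule are constructed, `boot_floppy` means the machine was switched on with that diskette in the drive, `boot_hd` that it was switched on with an empty drive, and `use` that the diskette was inserted during an already running session. The only difference between the two variants is whether an infected boot leaves the virus on the hard disk; all names and numbers are assumptions.

```python
# Added example (not from the VIRUS-L post): replaying one diskette-usage
# schedule against a Stoned-like virus (infects the hard disk) and a Brain-like
# one (floppies and RAM only). Machines, diskettes and the schedule are
# constructed; no real infection data is involved.
import random

BOOT_FLOPPY, BOOT_HD, USE = "boot_floppy", "boot_hd", "use"


def run(schedule, machines, floppies, infects_hd):
    """Replay the schedule; return (infected diskettes, infected hard disks).

    infects_hd=True: an infected diskette that boots the machine also writes the
    virus to the hard disk's boot code, so every later power-on with an empty
    drive brings it back into memory.
    infects_hd=False: the virus only goes resident for that one session."""
    floppy = [False] * floppies
    floppy[0] = True                   # patient zero: one infected diskette
    resident = [False] * machines      # virus in RAM for the current session
    hd = [False] * machines            # virus on the hard disk (survives reboot)
    for m, f, action in schedule:
        if action == BOOT_HD:
            # power-on with an empty drive: the hard disk's boot code runs
            resident[m] = hd[m]
        elif action == BOOT_FLOPPY:
            # power-on with a diskette in A:, so its boot sector runs first,
            # whatever the hard disk holds
            resident[m] = floppy[f]
            if floppy[f] and infects_hd:
                hd[m] = True
        # any diskette touched while the virus is resident gets infected
        if resident[m]:
            floppy[f] = True
    return sum(floppy), sum(hd)


def random_schedule(machines, floppies, events, seed=1991):
    """Reproducible random usage pattern; power-ons are a minority of events."""
    rng = random.Random(seed)
    out = []
    for _ in range(events):
        r = rng.random()
        action = BOOT_FLOPPY if r < 0.1 else BOOT_HD if r < 0.3 else USE
        out.append((rng.randrange(machines), rng.randrange(floppies), action))
    return out


def compare(schedule, machines, floppies):
    """Same schedule for both variants, so only hard-disk persistence differs."""
    return {"stoned_like": run(schedule, machines, floppies, True),
            "brain_like": run(schedule, machines, floppies, False)}


# Hand-built schedule: one machine, four diskettes, two working days.
HAND_SCHEDULE = [
    (0, 0, BOOT_FLOPPY),   # day 1: switched on with the infected diskette in A:
    (0, 1, USE),           #        diskette 1 used during that session
    (0, 2, BOOT_HD),       # day 2: switched on with an empty drive
    (0, 3, USE),           #        diskette 3 used during that session
]

if __name__ == "__main__":
    print("hand-built:", compare(HAND_SCHEDULE, 1, 4))
    sched = random_schedule(machines=20, floppies=200, events=5000)
    print("random    :", compare(sched, 20, 200))
```

On the hand-built schedule the Brain-like virus infects diskette 1 and is then gone after the next power-on, while the Stoned-like one comes back from the hard disk on day 2 and catches diskettes 2 and 3 as well. Replaying an identical schedule for both variants removes luck from the comparison: the hard-disk variant can only ever infect a superset of what the floppy-only variant infects, so any gap is attributable to the reservoir alone.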
padgett%tccslr.dnet@mmc.com (Padgett Peterson) (05/29/91)
>From: mrs@netcom.com (Morgan Schweers)
>Of course, a fictional bar scene with all the
>principal players would be...frightening. I picture these ten people
>suddenly realizing who else is at the bar, and the temperature
>dropping twenty to thirty degrees suddenly.

Doubt it; I recall a bar in SEA in which automatic weapons had to be checked at the door, handguns were OK.

> (A side and sad note... It is not us, the anti-viral researchers,
>who will kill the viruses once and for all. It's the OS writers who
>will finally produce an OS which supports the protections a machine
>needs. It's the users who will finally leave this damned MS/DOS
>troublemaker behind. THAT is when viruses will vanish, slowly but
>surely, and then we can all have a beer together and laugh about the
>nonsense of having to clean up behind Microsoft.)

Unlikely that DOS will disappear; it is too much a part of the culture, just like the English language and SAE screw threads. However, nothing is stopping DOS from introducing anti-viral measures and self-checking boot sectors & MBRs. The key is in preservation of the applications and hardware. It is just not going to be in 5.0.

Warmly, Padgett
c-rossgr@uunet.uu.net (05/31/91)
>From: mrs@netcom.com (Morgan Schweers)
>
> Goodness, the personality conflicts alone [in the AV field]
>would make for an
>wonderful novel, then we add in the hysterics of the commercial side
>of the business... Of course, a fictional bar scene with all the
>principal players would be...frightening. I picture these ten people
>suddenly realizing who else is at the bar, and the temperature
>dropping twenty to thirty degrees suddenly. *grin* Other patrons
>diving for cover, and huddling behind tables suddenly. Yupyup... For
>an industry this size, there's been a lot of backstabbing and
>slandering, etc.

Morgan, your drinks are on me at this bar! You've certainly said a mouthful. I'm amazed at the animosity between the various people in the field. To our credit, the majority of "outsiders" think we're all good buddies.

Ross