[comp.virus] The Shape of the World

CHESS@YKTVMV.BITNET (David.M.Chess) (05/08/91)

This is an open note to other folks in the anti-virus field, to see if
some (potentially significant) things that we've noticed about
(primarily PC-DOS) viruses look the same from other people's
perspectives.  Some informal questions to individuals suggest that
these are reasonably common observations; is there anyone out there
who would disagree with them?  (Or have other comments, for that
matter?)

1) Most viruses in the collections of anti-virus workers
   have, as far as anyone knows, never been found on an
   end-user system.   (We, for instance, have a few hundred
   viruses, but know of only about 50 that have ever
   bothered an end user.)

2) When a virus shows up on an end-user system ("in the
   wild", as we say) that has never been seen on an
   end-user system before, it's usually a brand-new virus,
   rather than a virus that's previously been in collectors'
   collections.   That is, it's very rare for a virus
   from the "collectors only" category to move into
   the "in the wild" category.

Do these two things match the experience of other anti-virus workers?
Can anyone give some examples of viruses that were at one time thought
to be "collector only", but later showed up in the wild?  (Very
isolated incidents, such as the rather obvious direct 'seeding' of an
end-user machine with a stupid virus like the Whale, don't really
count.)

As a sort of a spot-check, has anyone ever seen any of the
"Anti-Pascal" viruses (AP-400, -440, -480, -529, -605, I think they
are; something like that) infecting an end-user machine?  (I ask about
these just because they're sort of prototypical "collector-only"
viruses; rather stupid, and seemingly unlikely to spread.)

DC

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) (05/09/91)

>From:    "David.M.Chess" <CHESS@YKTVMV.BITNET>

>1) Most viruses in the collections of anti-virus workers have, as far as
>   anyone knows, never been found on an end-user system.

True, most of the 500+ viruses are too stupid or blatant to spread
very far on their own. Like any emerging industry (did you know that
in the early 1900's there were over 2000 manufacturers of Automobiles
in the US ?), there are a large number of attempts before an effective
"product" is found. However, what we are seeing now are refinements of
the "best" of the first generation products, the dead ends are obvious
to anyone who seriously reviews the literature.

>2) That is, it's very rare for a virus from the "collectors only" category
>   to move into the "in the wild" category.

Probably true for now, but only demonstrates the poor "quality" of
most viruses.

------------------------------
Date: Thu, 9 May 91 12:36:41 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: re: Virii (sic) in Factory Software

>From:    "William Walker C60223 x4570" <walker@AEDC-VAX.AF.MIL>

>In both of these instances, the manufacturers took full responsibility
>and made efforts to remedy the situation, once they were informed of
>the problem.

Am glad to find that some manufacturers (Aldus, Bitcom) take their
responsibilities seriously. I'm still bothered that infected disks
were sent out in the first place, however up through 1989 such
ignorance was excusable.  In 1991 IT IS NOT.

>Also, how do you know they're NOT checking the disks?  Suppose they're using
>VIRUSCAN V74, which won't find Azusa.  Or worse, suppose they're using Norton
>Antivirus.

Then they are worse than negligent, they are stupid! (personal
opinion). A manufacturer should know what every byte on their
distribution disks should be and use this for comparison, not generic
commercial signature checkers that contain disclaimers that only known
viruses will be detected. ANY change from what is supposed to be on
the disks should be detected. One would expect any effective
statistical QA procedure to include this.

I can see coming shortly, large users requiring from
manufacturers/distributors certification that their distributions are
free from any malicious software.  Governmental organizations will
probably be first.

                                                Warmly, Padgett

c-rossgr@uunet.uu.net (05/10/91)

>From:    "David.M.Chess" <CHESS@YKTVMV.BITNET>
>
>Do these two things match the experience of other anti-virus workers?
>Can anyone give some examples of viruses that were at one time thought
>to be "collector only", but later showed up in the wild?  (Very
>isolated incidents, such as the rather obvious direct 'seeding' of an
>end-user machine with a stupid virus like the Whale, don't really
>count.)

>As a sort of a spot-check, has anyone ever seen any of the
>"Anti-Pascal" viruses (AP-400, -440, -480, -529, -605, I think they
>are; something like that) infecting an end-user machine?  (I ask about
>these just because they're sort of prototypical "collector-only"
>viruses; rather stupid, and seemingly unlikely to spread.)

Dave: A telling anecdote: at the Trenton Computer Fair last month,
about 100 people crammed into a room to hear about some of the new
viruses.  When asked who had been infected with a virus, about 80% of
the people raised their hands.  I asked those infected with Jerusalem,
Stoned and Ping-Pong to drop their hands.  One hand was left. Cascade.

This loud cry for protection against research-only viruses is quite
bothersome -- the numbers game we have to play (as a vendor) in
order to counter "my scanner can beat up your scanner" type of games
is sorta foolish -- yet we must play the game.

Ross

CHESS@YKTVMV.BITNET (David.M.Chess) (05/13/91)

>From:    microsoft!c-rossgr@uunet.uu.net
>
>This loud cry for protection against research-only viruses is quite
>bothersome -- the numbers game we have to play (as a vendor) in
>order to counter "my scanner can beat up your scanner" type of games
>is sorta foolish -- yet we must play the game.

Must we?  Or rather, given that we must at the moment, must we always?
Is there any hope that the anti-virus community might band together
(for a moment, at least!) and decide that the numbers game shall be
played ONLY with viruses that have appeared in reliably-confirmed
real-world incidents?  I'm not sure; the hope that we might is part of
why I asked those questions.  It would mean restraining ourselves in
advertising and in talking to the press, getting publications like the
Virus Bulletin (and others less respectable) to stop using 300+
viruses, including losers like the Anti-Pascals, in their evaluations,
and so on.

It might be marketingly impossible, of course.  On the other hand, is
it possible that eventually people making buying decisions will get
tired of "We Detect 100 More Viruses Than Our Competitors!!!" sorts of
claims, and be more impressed by "We Detect Every Virus Known To Have
Caused A Real Infection, and We're <faster, cheaper, easier to use,
etc>"?

DC

c-rossgr@uunet.uu.net (05/15/91)

>From:    "David.M.Chess" <CHESS@YKTVMV.BITNET>
>
> Must we? [play the numbers game in scanners]  Or rather, given that
>  we must at the moment, must we always?

Remember that we can't even get the user community (the folks who
spend their hard earned money to buy my products!) to make backups to
protect themselves.  They seem to prefer that somebody do that
protection for them.  Obviously if an ad indicates that Product A
protects against 400 viruses -- and it might even be true -- that's
going to offer 25% (or 33%) more protection than one that scans for
"only" 300 viruses.

Do you think the public is going to respond favorably to a condom that
protects against the AIDS virus 99% of the time as compared to one
that protects against it 99.9% of the time -- even when your odds of
getting "hit" with the AIDS virus are pretty slim to begin with.

Maximal Protection! That's what the market seems to clamour for.

And the marketing dudes I work with closely at Microcom tell me what
we can lose a site license because of and where our strong points are:
I recall one site license potential that was lost on our not catching
the Whale Virus in an early cut of our code.  You know how difficult
it is to get the Whale Virus to infect something without crashing your
system, right?  Well, the site license didn't and that cost a
bunch-o-bucks.

Now, of course, we catch the Whale Virus.  The next time a site
license asks we can put on our best Grey Poupon voice and say "Of
course. Of course."

>Is there any hope that the anti-virus community might band together
>(for a moment, at least!) and decide that the numbers game shall be
>played ONLY with viruses that have appeared in reliably-confirmed
>real-world incidents?

Speaking on my own behalf, I hope so.  Speaking on behalf of Microcom
(which I can't do in any case), marketing has to stay competitive.
So, when one of our competitors says "Yes, but do you want to risk
even the slightest chance of getting infected with this virus if it
escapes into the wild.", my marketing can respond "Ha! We already
protect you against that nasty virus!".

>  I'm not sure; the hope that we might is part of
>why I asked those questions.  It would mean restraining ourselves in
>advertising and in talking to the press, getting publications like the
>Virus Bulletin (and others less respectable) to stop using 300+
>viruses, including losers like the Anti-Pascals, in their evaluations,
>and so on.

As long as the advertising works (and is used by the competition) it
would be suicide to drop out of the numbers game -- see my new release
blurb below for an example of why we must continually play the damned
game.  Yes, I picked up a bunch-o new strings for this cut of the
code.  More important to me, though, are the minor enhancements that
make the code easier to use.

>It might be marketingly impossible, of course.  On the other hand, is
>it possible that eventually people making buying decisions will get
>tired of "We Detect 100 More Viruses Than Our Competitors!!!" sorts of
>claims, and be more impressed by "We Detect Every Virus Known To Have
>Caused A Real Infection, and We're <faster, cheaper, easier to use,
>etc>"?

Hear, hear!  I would love to be able to impress that upon people
rather than the numbers game.  The first people to convince would be
in MIS, though: now how do you convince them that your second point is
more important than the numbers games?

Until then, I have to provide the marketing dudes at Microcom with
ammunition for winning on both points you make.

Ross

padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (05/16/91)

>From:    microsoft!c-rossgr@uunet.uu.net

>Remember that we can't even get the user community (the folks who
>spend their hard earned money to buy my products!) to make backups to
>protect themselves.

Partly our fault: we have never taught good hygiene to people. I
generally back up my data files as they are created. Since my program
disk is fixed, it is backed up as part of my weekly defrag. True, most
people who have not had losses do not understand backing up - one
reason why we are looking at things like Bernoulli Transportables as
part of our weekly maintenance and CD-ROMS for standardised software,
and have an annual computer security briefing that emphasizes such
things as backups & how to recognize unusual behaviour.

>Maximal Protection! That's what the market seems to clamour for.

Because part of the education we have failed to provide is what the
risks really are. My opinion is that a good regimen (screening &
briefings) plus an integrity routine that will detect anomalies is
what the general population needs. Detecting intrusion immediately
reduces risks to the point that even quarterly updates (as a scanner
would require) cannot be justified. A limited number of scanners for
the techs and administrators are justifiable both from a maintenance
and a training standpoint.

For large corporations, the cost of a site license can be lost in the
noise compared to the cost of trying to administer several thousand
updates (5000 PCs x 10 minutes per update x 4 times per year = 1 2/3
manyears not to mention the distribution nightmare). Much easier to
take a one-time installation hit plus automatic installation at the
warehouse as part of the distribution process.

>And the marketing dudes I work with closely at Microcom tell me what
>we can lose a site license because of and where our strong points are:

So be the first to offer BIOS level checking & authenticated paths as
part of the boot process.

>So, when one of our competitors says "Yes, but do you want to risk
>even the slightest chance of getting infected with this virus if it
>escapes into the wild.", my marketing can respond "Ha! We already
>protect you against that nasty virus!".

How about "There are only x ways a virus can get into a system, if it
is a virus we have seen, we will identify it. If it is something else,
we will detect the change and warn the user immediately. Nothing can
identify an unknown virus, but its activity can be detected." Of
course the biggest problem is elimination of false positives but a
dollop of AI should permit the program to learn who is permitted to do
odd things.

In my experience, most corporate environments are stable enough to
make the learning period short. In the last year we installed such a
package on many thousands of PCs with nearly every known program and
every OS from DOS 2.x to beta versions of DOS 5 and the major problems
(development machines, Zeniths writing to boot sectors, word processor
quirks) were annoying but relatively easy to solve. Today, when a user
gets a warning screen, it is usually a virus or other "anomaly" that
we needed to know about anyway.

As far as what the user wants, quantum economics applies. There are
certain things that are automatic disqualifiers: noticeably degraded
performance, insufficient free memory to run programs, excessive false
alarms, failure to detect well known viruses. Only once these step
functions are satisfied will relative merits/demerits such as cost
(no. 1), ease of installation, documentation, & support come into play
on a linear decision basis.

Today, the sheer diversity of anti-viral products demonstrates that,
as in pointing devices and user interfaces, the One True Answer has
yet to be found.

					Warmly,
						Padgett

everything herein my own opinion & may or may not have any relation to
reality
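The two ideas Padgett argues for above, a manufacturer knowing what every byte on a distribution disk should be (his reply on factory software) and an integrity routine that detects any change while learning which changes are permitted so that false alarms do not drown real anomalies, can be sketched in one small checker. This is an added example, not code from either poster or from any product named in the thread; it uses SHA-256 and an in-memory dict as stand-ins for a 1991 checksum and a real disk, and every file content and serial number in it is constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a golden-master distribution disk: path -> bytes.
# Real code would walk the medium and read each file; a dict keeps this offline.
GOLDEN_DISK = {
    "COMMAND.COM": b"MZ\x90\x00 golden command interpreter image",
    "INSTALL.EXE": b"MZ\x90\x00 golden installer image",
    "README.TXT": b"Read this before installing.\r\n",
}


def digest(data: bytes) -> str:
    # SHA-256 is an assumption; the post only asks that every byte be compared.
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record the expected digest of every file on the golden master."""
    return {path: digest(data) for path, data in sorted(files.items())}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str  # "modified", "added", "missing" or "expected-change"


def verify_disk(manifest: dict, files: dict, expected_to_change=frozenset()):
    """Compare a disk against the manifest and report every deviation.
    Paths in expected_to_change are reported as 'expected-change' rather
    than raised as anomalies; nothing is silently ignored."""
    findings = []
    for path, expected in manifest.items():
        if path not in files:
            findings.append(Finding(path, "missing"))
        elif digest(files[path]) != expected:
            kind = "expected-change" if path in expected_to_change else "modified"
            findings.append(Finding(path, kind))
    for path in files:
        if path not in manifest:
            kind = "expected-change" if path in expected_to_change else "added"
            findings.append(Finding(path, kind))
    return sorted(findings, key=lambda f: f.path)


def anomalies(findings):
    """Everything a human must look at: all findings except learned, permitted changes."""
    return [f for f in findings if f.kind != "expected-change"]


def learn_expected_changes(manifest: dict, observed_disks):
    """Baselining period: a path that differs from the manifest on every
    known-clean copy (e.g. a file the duplicator rewrites on each disk) is
    treated as permitted variation afterwards. Anything that differs on only
    some copies stays an anomaly."""
    per_disk = [{f.path for f in verify_disk(manifest, disk)} for disk in observed_disks]
    if not per_disk:
        return frozenset()
    return frozenset(set.intersection(*per_disk))


def demo():
    manifest = build_manifest(GOLDEN_DISK)

    # Known-clean duplicates from the learning period: identical to the master
    # except that the duplicator stamps a serial number into SERIAL.DAT (constructed).
    clean_copies = []
    for serial in (b"0001", b"0002"):
        copy = dict(GOLDEN_DISK)
        copy["SERIAL.DAT"] = serial
        clean_copies.append(copy)
    permitted = learn_expected_changes(manifest, clean_copies)

    # A later duplicate whose COMMAND.COM no longer matches the master. The
    # appended filler bytes are a constructed stand-in for any change at all;
    # the checker neither knows nor cares what was appended.
    suspect = dict(GOLDEN_DISK)
    suspect["SERIAL.DAT"] = b"0003"
    suspect["COMMAND.COM"] = GOLDEN_DISK["COMMAND.COM"] + b"\x00" * 64
    findings = verify_disk(manifest, suspect, permitted)
    return permitted, findings, anomalies(findings)


if __name__ == "__main__":
    permitted, findings, bad = demo()
    print("learned as permitted variation:", sorted(permitted))
    for f in findings:
        print(f"{f.kind:16} {f.path}")
    print("anomalies requiring attention:", [f.path for f in bad])
```

The point of the split between `verify_disk` and `anomalies` is the one Padgett makes about false positives: the checker still records the serial-number change, but only the unexplained change to COMMAND.COM is escalated, and the allowlist is derived from observed clean copies rather than hand-typed.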

c-rossgr@uunet.uu.net (05/18/91)

>From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)

>.... part of the education we have failed to provide is what the
>risks really are. My opinion is that a good regimen (screening &
>briefings) plus an integrity routine that will detect anomalies is
>what the general population needs.

With all due respect, everybody has always been taught that if an
ounce of prevention is worth a pound of cure, then two ounces of
prevention must be even better.

If my code merely did integrity checks, instead of doing integrity
checks *and* known signature scanning, I'd lose out to somebody who
offers both.  That's because *their* marketing people have a single
mission in life (as do *my* marketing people): to sell as much code as
possible.  I've probably hobbled the marketing guys at Microcom (who
are quite good, btw, and I recommend the group I deal with to anyone
with other types of code) by requiring them to be completely honest in
their claims.

That honesty is costing marketshare, I bet.

>For large corporations, the cost of a site license can be lost in the
>noise compared to the cost of trying to administer several thousand
>updates (5000 PCs x 10 minutes per update x 4 times per year = 1 2/3
>manyears not to mention the distribution nightmare). Much easier to
>take a one-time installation hit plus automatic installation at the
>warehouse as part of the distribution process.

I agree...to a point.  I would think that updating 5000 PC's for a new
scanner that differs from the previous one in a bunch of new viral
strings for a bunch of "research only" viruses is a waste of time.  In
the case of my last update, though, some problem areas were worked on,
the code was made faster and more reliable, networking is better, etc.

Yet, in this climate, if I had merely released code with those
enhancements (the ones that I really care about) and not upped the
virus count from about 350 to about 420, people would not have
downloaded the code: they seem to have seen the "two ounces" mentioned
above as more important than the enhancements.  I can't simply say
"Yo! *NOBODY* gets the Whale Virus, so why do you care?"

>>And the marketing dudes I work with closely at Microcom tell me what
>>we can lose a site license because of and where our strong points are:

>So be the first to offer BIOS level checking & authenticated paths as
>part of the boot process.

We do that through the DOS level now, but you raise a good point.
I'll incorporate that into the next cut of the code, given time.

>Today, the sheer diversity of anti-viral products demonstrates that,
>as in pointing devices and user interfaces, the One True Answer has
>yet to be found.

Unle$$, of cour$e, you buy my code.  <grin>

Ross

rebill02%ULKYVX.BITNET@jade.Berkeley.EDU (Russell E. Billings) (05/21/91)

microsoft!c-rossgr@uunet.uu.net writes:
>Dave: A telling anecdote: at the Trenton Computer Fair last month,
>about 100 people crammed into a room to hear about some of the new
>viruses.  When asked who had been infected with a virus, about 80% of
>the people raised their hands.  I asked those infected with Jerusalem,
>Stoned and Ping-Pong to drop their hands.  One hand was left. Cascade.

I'm curious, did you tell the ones who had been hit by those three to
drop their hands, or did you ask that those who had *ONLY* been hit by
those three to drop their hands?  A subtle difference, but an
important one, nonetheless.

Russell
--
  BITNET:   rebill02@ulkyvx.bitnet   UUCP: ...psuvax1!ulkyvx.bitnet!rebill02

c-rossgr@uunet.uu.net (05/23/91)

>From:    rebill02%ULKYVX.BITNET@jade.Berkeley.EDU (Russell E. Billings)

>I'm curious, did you tell the ones [at the Trenton Computer Fest]
>who had been hit by those three to
>drop their hands, or did you ask that those who had *ONLY* been hit by
>those three to drop their hands?  A subtle difference, but an
>important one, nonetheless.

I had asked them to keep their hands up until all the viruses they had
been hit with were accounted for.  I believe that only one person in
the audience had been hit with more than one virus.

Ross