Pandora's Pests Had Nothing On These
The Age
Monday September 12, 1994
The destructive creations of virus-makers like the Dark Avenger menace the entire computer world, but keep boffins busy building antidotes and vaccines. John Wilke reports.
DEEP inside a locked laboratory, secured by infrared motion-sensors and a padlocked steel bar, a plain beige filing cabinet safeguards IBM's huge collection of computer viruses.
``This is some of the most dangerous software in the world," says Jeffrey Kephart, an IBM researcher. ``We don't want anything to escape."
The lab is located in Hawthorne, New York, and its collection of computer viruses has grown sharply in the past year to more than 2500.
As many as two or three new viruses are now written every day, outpacing the ability of antivirus companies to keep up.
The rising use of corporate networks, e-mail, software agents and the Internet provide fertile breeding grounds for new strains. Indeed, in an increasingly wired world, the current crop of commercial virus- killers will soon become obsolete.
The rising threat has given new urgency to efforts to protect software and networks from intruders. The most striking new approach comes from International Business Machines, which is working on an ``immunisation" system that would automatically identify and create digital antibodies to any new viruses detected and would then send a ``kill" signal to other computers in the network, inoculating them and halting the spread of the virus.
This buildup in defensive armor is necessitated by the increasing variety and complexity of viruses. Creators of viruses share new techniques on electronic bulletin boards - for example, PC Computing magazine recently reported that the legendary Bulgarian hacker, Dark Avenger, is circulating a wicked software tool kit called Mutation Engine which helps pranksters mass-produce bugs that can change shape as they spread.
One new virus - a sort of letter bomb - struck software maker Lotus Development Corp. recently, crippling a computer network at a company- sponsored conference.
The saboteur sent infected messages to scores of people at the meeting. Each time one was opened it caused the network's hub, or server, to crash.
``If you turn your back for a minute, people will try to get inside the system," says Frank da Cruz, a communications-software manager at Columbia University. While Columbia hasn't had a serious break-in or virus attack in three years, ``we have to be vigilant all the time," he said.
Students are cautioned not to divulge their network passwords, share disks or run unknown software on their personal computers.
Viruses come in all varieties. One, known as `Ripper', randomly swaps pairs of numbers, creating havoc in spreadsheets.
`Syslock' pokes through files and changes each mention of Microsoft to Macrosoft.
Others seem whimsically good-natured, playing pieces like `The Blue Danube' or Mozart's `Jupiter' symphony through the PC speaker.
The `Sunday Virus' hits only on Sundays, of course, idling the PC and ordering workaholics to go out and have some fun.
Viruses come and go like seasonal flu strains. An elusive new virus named `Natas' - Satan spelled backward - is becoming rampant in Mexico though it's still rare in the United States, virus sleuths say.
`Stoned,' perhaps the best-known computer plague, was made to spread on 5.25-inch floppy disks, which are being supplanted by higher- capacity 3.5inch disks and is now starting to die out. It stalls the machine and declares ``your PC is now stoned," Recently a new entrant, the `Form' virus, became No. 1, according to IBM counts of viral attacks. Form's only overt effect is to send a click to the PC speaker with each keystroke - and, inexplicably, it does this only on the 18th of each month. But deep within the virus code is a message intended only for those who take it apart: ``The Form virus sends greetings to everyone reading this text. Don't panic.
Form doesn't destroy data." It then concludes with a cryptic and obscene reference to someone named Corinne.
At IBM, the person who usually uncovers these adolescent gems is 34- year-old David Chess. Wearing a beard, T-shirt and sandals, he has a disheveled intensity and looks more like one of the hackers he tries to foil than an IBM employee with virtuoso programming skills.
While Chess is a hands-on codebreaker, his colleague at IBM, Dr Kephart, takes a more theoretical approach.
A physicist by training, he is fascinated by genetics and epidemiology, and he embraces models of population dynamics when trying to decipher how viruses sweep through a group.
For example, the much-publicised `Michelangelo' virus scare in 1992 turned out to be mostly a false alarm, with few infections, but it persuded hundreds of companies to install antiviral software. In turn this reduced the incidence of all other viruses, as more PCs got protection.
Using a huge sample of customers, Dr Kephart estimates that virus incidents after Michelangelo dropped sharply, from 1.5 per 1000 PCs per quarter, to just under one incident per 1000 computers today.
Dr Kephart devised the biologically inspired immune-system approach for IBM and hopes the new method eventually will replace the current cumbersome process in which a software vaccine must be developed for each new strain.
IBM also is working with neural-net technology - in which software ``learns" from events - and is using it to automate part of the virus-detection process in IBM's antiviral software.
On a recent afternoon, IBM's virus-busting team was analysing a fresh crop of nearly 1000 suspicious code fragments sent by another antiviral maker. It's a kind of automated triage process, in which each new suspected virus is exposed to a decoy program, or ``goat", to assess how damaging or contagious it might be in the real world.
William Arnold, another virus engineer, watches a battered old PC fly through the test routines. Suddenly it stops dead, as one of the new viruses seizes control and chokes the life from the machine.
``Oops," he says, tapping at the keyboard, trying to find out what went wrong. ``That was a nasty one."
Here be warnings: Following are some current, frequently occurring viruses: Form - Makes a clicking sound with each keystroke, but only on the 18th of the month. Has a hidden, obscene reference to someone named Corinne.
Joshi - Freezes the PC once a year, on Jan 5, until the phrase ``Happy Birthday Joshi" is typed in.
Stoned - Once the most common virus, it sometimes displays on- screen ``Your PC is now Stoned."
Cansu - Once in every eight times the PC is switched on, it displays a V-shaped symbol on the screen.
Michelangelo - Very nasty. It wipes out most of your data on March 6, the artist's birthday.
Monkey - Mysterious. Hides in memory and infects every disk it contacts, making some unusable.
Green Caterpillar - Most effective in color, it unleashes a little worm that crawls around the screen rearranging characters, changing their color.
-- Wall Street Journal
© 1994 The Age