Internet commentary

Kybernetes

ISSN: 0368-492X

Article publication date: 1 August 2002

Citation

Andrew, A.M. (2002), "Internet commentary", Kybernetes, Vol. 31 No. 6. https://doi.org/10.1108/k.2002.06731fag.001

Publisher: Emerald Group Publishing Limited

Copyright © 2002, MCB UP Limited


Keywords: Computer virus, Trojan horse, Worm

Abstract

An early reference to a program having virus-like behaviour is discussed. The distinctions between viruses, Trojan horses, and worms are reviewed, along with possibilities for spread of infection by e-mail. Use of anti-virus software is described with reference to a specific instance of infection and attention is drawn to the intensity of the battle between virus writers and providers of the means of combating them.

The unknown glitch

An early reference to something in the nature of a computer virus is made by Brand (1974). He quotes a report that, on the PDP-1 computer in MIT, someone installed a program that would unpredictably become active and would print: “I am the Unknown Glitch. Catch me if you can”. It would then relocate itself somewhere else in core memory, set a clock interrupt, and go back to sleep. Because of its capacity for unpredictable relocation it was almost impossible to find it without clearing the computer memory entirely. This was in the lively days of the development of Project MAC (Multi-Access Computing) when many of the foundations of AI and modern computing were laid down.

The emergence of something of this sort was probably inevitable, given that programs and data are stored in the same way in a computer, and that therefore a program can be written to modify or relocate or generate other programs. The comparison with biological viruses is nontrivial. Strictly, the Unknown Glitch program should not be termed a virus because, as described, it does not proliferate. In modern terminology it might be called a “Trojan horse”. Presumably a very small modification of the program would have enabled it to make multiple copies of itself each time it became active, and it would then have been the first computer virus and would eventually have brought everything else running on the PDP-1 to a stop.

The Glitch was restricted to one machine, unless by chance it was included in a transfer of programs or data on punched paper tape. With the coming of the Internet, viruses can spread readily among machines and are well known to have become a serious menace, far beyond the light-hearted “student prank” character of the Glitch.

Variations on the virus theme are termed Trojan horses or worms. The Unknown Glitch is not precisely what is usually meant by a Trojan horse, since the term is used to refer to a program that is run because it produces some desired result, but that has deleterious hidden side effects. A worm is a program that proliferates by making copies of itself in the same machine and whose bad effect is slowing of the machine and the rendering unavailable of storage space.

Computer viruses

There would probably have been no trouble, or almost no trouble, with computer viruses and the like if Internet communication had been restricted to text only, or text and graphics. The trouble comes when e-mail attachments, or files downloaded from websites, are allowed to contain what amount to, and may be explicitly, autonomous programs. It is usual to assume that viruses cannot be conveyed by text-only e-mail messages, and a recent discussion in an Internet Tourbus (Vol. 7, no. 46, by Bob Rankin, on 29th January 2002) confirms that this is substantially but not totally correct. The qualification is needed because there can be an entry for certain troublesome “worms” if the Internet software is not up-to-date. Early versions of Outlook Express were susceptible to worms called N-I-M-B-A and K-A-K, but patches to remedy this were made available by Microsoft in good time and later issues of the software are safe from the start.

I have followed Bob Rankin's example in placing hyphens in the virus names, which are correct without them. Without the hyphens there would be a remote chance that the names might be recognised by oversensitive anti-virus software, and the message deleted or an alarm given, when either his Tourbus or this Commentary is transmitted over the Internet.

The motivation to produce viruses seems to be mainly malice and a response to a technological challenge, but some are profit-related. Viruses have been devised that report back to a certain website about the activity of the user of the computer on which the virus is established. Others can introduce new links in web pages browsed, so as to direct attention to advertising sites, perhaps pornographic. The terms “Spyware” and “Scumware” have been used to refer to these devices. They are discussed in a free Internet newsletter, similar to the Tourbus, termed the LangaList after its author Fred Langa, in its issue for 28th January 2002. (The LangaList and some other valuable free newsletters will be described in a forthcoming Commentary. Information on it can be found at: http://www.langa.com/info.htm, and on the Tourbus at http://www.tourbus.com).

Anti-virus software

Software is available to detect and combat virus infections, and in some form is usually part of the software supplied with a new computer. It can fairly quickly become outdated as the virus creators bring more and more ingenuity to bear. One of the messages of the Tourbus discussion is that infection can often be avoided by taking simple precautions, without the need for expensive special software. The main thing is to be wary of opening e-mail attachments and to seek confirmation from the sender that the attachment (and in fact the e-mail as a whole, which can have been produced by a virus) are sound before doing so. There are also some telltale signs that should arouse suspicion.

I am pleased to say that I recently spotted such a sign when the subject of a message began with the double prefix “Re:Re:”. The prefix “Re:” is added by Outlook Express in forming its suggested subject line for a reply message, and similarly it adds “Fw:” when a message is forwarded. The action of a particular virus is to generate messages that have plausible subject lines because the subject of an incoming message is taken and the prefix “Re:” added. Outlook Express is so arranged that it never forms a double prefix, and I was correct in supposing that the double prefix betrayed the involvement of the virus.

Another telltale sign is a double extension on a file name, and I regret to say that although I knew this I attempted to open an e-mail attachment with the file name “HUMOR.MP3.scr”. Nothing appeared on the screen, but there was a good deal of activity of the hard disc, and although the operation of the computer did not seem to be affected, it was pretty certain that a virus had entered. The fact that there was no apparent immediate effect was no guarantee that trouble would not arise later, since many viruses have delayed action or respond to some trigger.
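The two telltale signs described above (a doubled "Re:" prefix and a double file extension ending in an executable type) can be checked mechanically. The following is an added example, not part of the original article: the extension list (apart from ".scr"), the addresses and the sample messages are constructed assumptions.

```python
import re
from email.message import EmailMessage

# Assumed set of Windows extensions that execute when opened; only "scr"
# appears in the article, the rest are added for illustration.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "vbs"}
DOUBLE_RE = re.compile(r"^\s*re:\s*re:", re.IGNORECASE)


def has_double_reply_prefix(subject):
    """True when the subject starts with 'Re:' twice in a row."""
    return bool(DOUBLE_RE.match(subject or ""))


def has_masked_executable_ext(filename):
    """True for names like HUMOR.MP3.scr: an inner extension followed
    by a final extension that is executable."""
    parts = (filename or "").lower().rstrip(". ").split(".")
    return len(parts) >= 3 and parts[-2] != "" and parts[-1] in EXECUTABLE_EXTS


def telltale_signs(msg):
    """Return the list of warning signs found in one parsed message."""
    signs = []
    if has_double_reply_prefix(msg["Subject"]):
        signs.append("double reply prefix")
    for part in msg.iter_attachments():
        name = part.get_filename()
        if has_masked_executable_ext(name):
            signs.append(f"double extension: {name}")
    return signs


def build_message(subject, attachment_name=None):
    """Construct a sample message (constructed test data, harmless payload)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "reader@example.org"
    msg["Subject"] = subject
    msg.set_content("constructed body")
    if attachment_name:
        msg.add_attachment(b"\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    for m in (build_message("Re:Re: meeting", "HUMOR.MP3.scr"),
              build_message("Re: meeting", "notes.txt")):
        print(m["Subject"], "->", telltale_signs(m))
```

Both checks are weak signals on their own: mail clients other than Outlook Express may legitimately stack "Re:" prefixes, so a hit is a reason to seek confirmation from the sender rather than proof of infection.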

A scan with the Norton anti-virus software that came with the computer detected nothing amiss, but the result was different when the latest version was installed. Three different viruses were detected, all of them relatively benign and easily eliminated. One of them was automatically removed during the scan, and the other two were reported and the files containing them were “quarantined”. To find how to eliminate them it was necessary to consult an online virus encyclopaedia to which registered users of the software have access. One of the viruses was named “Badtrans” and its encyclopaedia entry confirmed that HUMOR was one of the file names it used in propagating itself through e-mail attachments.

Details of Norton anti-virus software can be found at the website: http://www.symantec.com/avcenter and alternatives are available from other companies. The Norton version comes with associated software for security against intrusion of hackers, constituting a “firewall”. Purchase of the combined package, and registration as a user, gives access to the virus encyclopaedia already mentioned and the right to transmit details of problem viruses to Symantec for investigation and advice. It also provides automatic updating of the list of virus definitions held in the user's computer, as new viruses are detected and remedies devised. The magnitude of this effort is impressive, and the number of virus definitions in my installation at the time of writing (March 2002) is no less than 59064.

As well as all this, it is claimed that the software includes a device called “Bloodhound” that will even detect previously-unknown viruses, and will respond to virus-like activity of programs in Javascript or Visual Basic. The website offers a list of the most recently discovered viruses, with the dates of their discovery and the date, often the same one, on which remedial action was taken. A research centre operated by Symantec works around the clock. The need for this, and the enormous number of virus definitions listed, reveal the intensity of the ongoing digital battle between the virus originators and the forces of law and order.

Just one snag

When used with its recommended settings, the anti-virus software automatically checks for viruses in all incoming material, whether as e-mail or web content, and also checks all outgoing messages. I found that the checking of outgoing messages could have an unfortunate side effect, whereby an occasional message was not transmitted although it was transferred to the “sent” folder of Outlook Express. This presumably happened when the modem connection was somehow broken before the anti-virus checking was complete.

I have not seen this side effect mentioned anywhere, and my reaction was to alter the setting of the software so that outgoing messages are not checked. Where all incoming material is checked, and the entire memory contents are regularly scanned, it is easy to feel that the checking of outgoing messages is something of an overkill. On the other hand, faced with the fiendish ingenuity of virus writers, it is a pity to abandon any line of protection, especially where the potential victims are the recipients of messages. An alternative would be to continue the checking but to ensure that a transmission failure would be detected. This could be done either by asking for a “carbon copy” of each message to go to the sender's (my) address, or by using the facility offered in the Tools menu of Outlook Express for requesting a read receipt.

Alex M. Andrew

Reference

Brand, Stewart (1974), Two Cybernetic Frontiers, Random House, New York, 62 pp.
