4.4. Viruses For Sale

In many countries the intentional infection of somebody's machine
without the authorisation of the owner of the machine is a criminal
act. However, providing a virus to somebody while informing him about
the fact that this is a virus is usually not considered illegal. The
problems here are closely related to the free virus writing and virus
exchange mentioned above. And what is not illegal should be
permitted, right? So, why not the selling of viruses?

From the economic point of view, there is only one main question -
is there a large enough market for viruses? Unfortunately, the answer
to this
question is often "yes" [Solomon93a]. So, who needs to buy viruses?
It seems that the obvious answer would be criminals or disgruntled
employees, who need a virus to attack a particular system. However,
they could easily obtain a virus for free from many of the existing
virus exchange BBSes. Actually, such a virus exchange BBS even used
to be run by the US Government - the Department of the Treasury.

However, the contents of these BBSes are usually a horrible mess
([Bontchev93a]). They contain viruses, corrupted or partially
infected files, which somebody's scanner has declared to be viruses,
virus construction tools, trojan horses, virus sources, virus
disassemblies, raw outputs of a disassembler (usually Sourcer from V
Communications) when run on an infected file, virus-related electronic
newsletters, etc. There are many duplicated files, different viruses
under one and the same name, one and the same viruses under different
names, non-working viruses, programs written with the intent to write
a virus, but so buggy that they could never replicate, etc. Often
there are even perfectly legitimate programs like FORMAT, etc.

Very few virus collections are well-organized. At the same time,
there are people who feel they have a legitimate need for a
well-organized virus collection. Those are companies who decide to
enter the anti-virus business. For reasons explained elsewhere in
this paper, it is almost impossible for a new company to successfully
establish itself in this business. But most people who are not well
enough acquainted with the virus situation do not know this fact. And
since it is almost impossible to get a large virus collection from the
self-respecting anti-virus researchers, newcomers in the anti-virus
business are often tempted to obtain the viruses they need for their
product via semi-legal means. If somebody appears, providing a
well-organized (or even a not so well-organized) rich virus collection
for sale, it is quite probable that he will find customers.

Other prospective customers could be evaluators of anti-virus products
for the different computer magazines. They often feel the need for a
large virus collection in order to verify the claims of the authors of
anti-virus products to detect "all known and unknown viruses".

In fact, there have been virus collections on sale before. This will
probably happen again. What can be done about it?

The main solution is human education and appropriate legislation.
People must know that the possession of a large virus collection does
not guarantee the creation of a successful anti-virus product. Only
qualified and commercially unbiased anti-virus experts should be
consulted to evaluate the anti-virus software. Finally, people should
be aware that according to the laws of some countries (e.g., the UK),
selling viruses could be considered as an incitement to commit a crime
(i.e., to spread the virus) and is therefore illegal. Perhaps more
countries should pass similar laws.

4.5. Viruses Used as Weapons

Several countries are reportedly researching the possibility of
using viruses as a weapon against an enemy. However, it is unlikely
that the outcome of such research will be positive - computer viruses
are too difficult to aim at a particular target. They could be
used much more successfully in a terrorist attack - when the attacker
does not know and does not care how many and which particular targets
will be hit.

The countries which are more vulnerable to this kind of attack are the
most developed ones - the ones whose economies rely heavily on
computers. A virus attack could be even more successful if
performed on a cluster of highly networked computers, especially if
the virus used knows and uses the security holes in the network to
spread itself faster. Actually, this could be a combination of a worm
and a multi-partite (or multi-platform) virus.

Probably the widest set of computers networked together is the
Internet. Many of the computers there are using similar operating
systems - usually a variation of Unix. The particular implementations
often have widely known security holes and/or are maintained by people
who are new to the system administrator's job - or even people for
whom this is not their main job. These people are mainly interested
in keeping the computer working - not in converting it into an
electronic variant of Fort Knox. Hence, many of the computers on the
Internet are believed to be insecure and vulnerable to hacker attacks.

We have already witnessed several attacks on a net-wide basis. The
most famous of them is probably the notorious Internet worm. Others
include the WANK/OILZ worms, the Father Christmas worm, the CHRISTMA
EXEC chain letter and its variants, and so on.

Most computers on the Internet belong to educational institutions and
are not very tempting as victims of a terrorist virus attack.
However, more and more companies connect their computers to the
Internet too - in order to use its capabilities of electronic
conferencing, electronic mail, anonymous ftp, and so on. Therefore,
the number of victims suitable for attack steadily increases.

In order to diminish the danger, all system administrators of the
machines that are attached to the Internet should be educated in
maintaining the security of their sites at an acceptable level. Whenever
possible, the process of enhancing the security should be automated.
Tools like COPS and Tripwire should be widely used. Whenever
possible, encryption should be used to protect the communications
between the sites and public-key authentication should be used to
authenticate each site. Kerberos is one of the most suitable tools
for this purpose, but due to some legal problems its full version is
not exportable outside the USA.

5. Conclusion

The computer virus problem is not going to disappear soon. It is
going to be with us in the years to come and it is going to become
even worse. Those people who have accepted the duty to fight it
should carefully examine the possible methods of attack that are
likely to be used by the virus authors in the future and take some
steps to counter them. Take them now, while there is still time.