



Handbook of Local Area Networks, 1998 Edition: LAN Security

8-5 Assessing and Eliminating Virus Threats in Distributed Networks

FRANK HORWITZ

Technically speaking, a computer virus is similar to a biological virus: it wants to reproduce itself. A virus does not necessarily inflict any damage. Industry experts define viruses differently. A virus can be described as a piece of code that attaches itself to a file, critical disk sector, or memory location for the purpose of replicating. Another definition describes a virus as a program designed to replicate and spread, generally with the victim being oblivious to its existence. A more complete definition says that a virus is a program that replicates itself, attaches itself to other programs, and performs unsolicited, if not malicious, actions. By any definition, reproduction is the common theme.

Unless it is deflected or killed, a virus usually spells difficulty and expense for network administrators, whose task is to eliminate them. This chapter provides practical information for preventing, discovering, and eliminating viruses.

HOW PERVASIVE IS THE VIRAL THREAT?

One of the most damaging effects a virus can have on a corporate LAN or WAN is a drain on system resources. A very destructive virus, such as the Byway Virus, can reproduce rapidly enough to fill a multi-gigabyte hard drive overnight and can cause an entire system to crash. Others, such as Junkie Virus, fill memory and cause system response times to slow drastically. In either situation, the best case is a loss of productivity; the worst case is the systemwide loss of data.

Loss of data is another specter of the viral threat. One of the most common DOS viruses, Jerusalem, is designed to erase any program executed using the DOS execute program call. All of the programs users try to run suddenly cease to exist. A variant of this virus (known as the 1704-Format), when activated, attempts to reformat part of the hard drive. Another common virus, Disk Killer, attempts to scramble all data on an infected disk or diskette. These and many other viruses can cost days of clean-up and restoration in a well-maintained network, or wipe out months of productivity in a poorly backed-up network.

Another problem created by viruses is the cost of cleaning them off infected systems. A survey of corporations with more than 1,000 PCs reported that the average cost of clean up can be as high as $254,000, a figure that includes only the direct labor expense for system recovery and data back-up. The indirect expense of lost productivity is much higher. One estimate states that viruses cost American businesses $2.7 billion in 1994. In addition, the average recovery time required to clean up an organization having more than 25 PCs is four days. Even worse, 25% of those experiencing a virus attack suffered a reinfection by the same virus within 30 days.

Even one virus incident can potentially cost a company millions of dollars. Although budgets often place computer security low on the priority list, the cost of prevention seems almost negligible when compared to the potential loss of time and money.

The odds of being infected with a virus are getting worse every day. Consider this progression of averages:

•  In 1986, one new virus came into existence every one and a half months (there were eight known viruses; four of them existed only in computer laboratories).
•  In 1989, one new virus came into existence every week.
•  In 1990, one new virus came into existence every two days.
•  In 1991, six new viruses came into existence every day.
•  In 1994, approximately 7,000 known viruses existed.
•  In 1995, approximately 15,000 known viruses existed.

Currently, the number of viruses doubles every eight to eight and a half months.

Hackers and virus authors are working cooperatively. Electronic bulletin boards allow them to share not only new viruses, but virus-creating engines. A would-be virus author can learn from books, virus kits, the Internet, and even CD-ROM. However, antivirus companies, in order to maintain profitability, work alone, unwilling to share source code. The result is that there are 1,200 known virus authors but only 200 virus researchers. At that 6:1 ratio, the virus authors are getting more done than the researchers.

Only 38% of corporate users consistently apply workstation anti-virus products. As a result, more than 40% of all networks have viruses.

HOW VIRUSES INFECT SYSTEMS

Usually, a virus enters a system through an intrusion point such as floppy drives on user workstations. On a network, intrusion points include E-mail, modem pools, and gateways to other networks. Approximately 87% of viruses enter systems from floppies, and 43% of those are brought from home by unsuspecting users.

Once on a system, a virus usually either attaches itself to an executable file so that whenever that file is executed, the virus is too, or the virus infects the boot sector of the PC so that from there it can travel to other floppies or logical disks.

Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved.


