Anti-Virus Software
Copyright (c) Lohkee 2003
All rights reserved

According to industry experts, there are more than sixty thousand viruses lurking in the shadows waiting to victimize you, and each passing month adds several more to the list. Reveling in the mathematics of exponential propagation and dire predictions for those foolish enough to ignore this potentially devastating threat, some have even gone so far as to compare these irritating little programs with the biological virus responsible for AIDS! Not too surprisingly, many of these same experts just happen to be in the business of selling anti-virus software or related services!

It is a given that computer viruses can destroy hardware, software, or massive amounts of information in the blink of an eye. Computer viruses have also repeatedly demonstrated their ability to span the globe within minutes, often causing thousands of servers to crash in the process. During these attacks, the news media rarely misses an opportunity to inform us that our electronic world is teetering on the brink of destruction. What they generally neglect to mention is that the success of these programs was not due to any particular genius on the part of their creators, but rather to an amazing lack of concern for security within a great many organizations. The simple truth is that most, if not all, computer viruses are designed to take advantage of well-known and easily patched vulnerabilities, or require their targets to be "wide open" in order to survive and multiply. A virus is like any other computer program: it must have access to the resources it depends on to run.

Perhaps the most insidious threat posed by computer viruses, particularly those designed to spread via email, is that of confidential information being indiscriminately scattered to the wind during the program's replication process. Melissa, for example, spread like wildfire and was responsible for the mass disclosure of thousands, if not millions, of extremely sensitive documents. My personal collection of unsolicited email courtesy of this virus included, among other things, rental applications, employee evaluations, letters of reprimand, miscellaneous financial information, a pretty dismal prognosis for a woman with breast cancer, an incredibly hot love letter (complete with nude photos), legal correspondence, and a rather long-winded but very detailed network security assessment. It is truly amazing how many people are willing to connect systems containing sensitive information to an unsecured public network via wide-open protocols using operating systems that are widely known to be substandard with regard to security. Probably the most remarkable aspect of the Melissa fiasco was the deafening silence within the legal profession in the days that followed (one can only assume they were far too busy cleaning up their own systems to notice what should have been a veritable gold mine). Whatever the reason, many organizations managed to escape accountability for their cavalier approach to security and safeguarding confidential information, and yours may have even been one of them. Unfortunately, this does not change the undeniable fact that the wrong file, sent to the wrong person, could very easily lead to embarrassment, loss of confidence in the organization, and a significant financial liability. The question is, how many times are you willing to spin the cylinder and then pull the trigger?

The professional security community is generally more than happy to point out that it only takes one virus to create serious problems for an organization and strongly recommends the use of anti-virus software to protect against this threat. Some even recommend using multiple anti-virus products. That it only takes one virus to cause problems is certainly a true statement; however, it is also one that happens to argue strongly (albeit briefly) against the use of these products. History has shown time and time again that anti-virus software can only offer reliable protection against known viruses (assuming that you actually take the time to update it whenever a new virus is discovered). Did your favorite brand of anti-virus software stop Melissa, Code Red, Nimda, Anna Kournikova, or the Love Bug from infecting your systems, or did you download virus signature updates after the fact only to discover that you had a real mess on your hands? The problem here, and it is a big one, is that people who create and unleash viruses, worms, and other types of nasty software seldom take the time to notify the anti-virus vendor establishment beforehand. Even after a virus has been unleashed, it is unlikely that your anti-virus vendor will find out about it until it has gained some momentum, which means two things: you are a sitting duck until they do, and the chances of your anti-virus software ever being able to detect a well-written program designed to strike a single target are about zero! As you read this, it is entirely possible someone has already installed a "back door" into your system that your anti-virus software will never know about. When it comes right down to it, the use of anti-virus software is analogous to going into a gunfight wearing a blindfold and then letting your opponent take the first shot. That anyone would actually embrace, let alone actively promote as an "industry standard best practice", such an inherently self-destructive paradigm is simply beyond belief.

Adding insult to injury, embracing this suicidal paradigm represents an indefinite commitment on your part to download and roll out updated signature files on an almost daily basis. The outrageous initial cost of a site license for this software notwithstanding, how long do you think it is going to be before someone in marketing gets the bright idea to initiate a subscription charge for these updates? Depending on how such a fee is structured and the size of your organization, this could easily turn out to be a considerable additional expense over the lifetime of whatever product you have chosen. Think about this for a minute. Not only do you get to go into a gunfight wearing a blindfold and let your opponent take the first shot; you also get to pay a small fortune for the privilege of doing so. And this is a good idea how?

I am not suggesting that you ignore the menace posed by computer viruses. On the contrary, these programs pose an extremely serious threat to society and the individual, one which has been grossly underestimated by the government and those within the professional security community. To date, most viruses have been relatively benign. Seldom do they make any meaningful attempt to hide as they propagate or cause real damage to the target and, in this sense, the digital world has been very fortunate. It has yet to experience the effective use of a virus as a weapon. It is only a matter of time before this changes. The Naval War College, along with numerous experts from various industries, conducted a three-day "war game" to explore the effects of "cyber-terrorism" against energy grids, telecommunications systems, and financial institutions. Collectively, they came to the conclusion that an attacker would need about 200 million dollars, extensive intelligence, and years of preparation to significantly disrupt the country's critical infrastructures. I disagree.

The Internet makes it possible for anyone to disseminate information to millions of people in the blink of an eye, anonymously. Unfortunately, bad information does not go away for a very long time (just look at the number of tired old hoaxes that manage to get resurrected year after year after year). In a society trained to forsake critical thinking and rely on thirty-second sound bites to make important split-second decisions, the possibilities for mischief are endless. More importantly, an attacker does not need 200 million dollars to commence hostilities. The price of a cappuccino at any Internet café will suffice. Sufficient intelligence to launch an attack is easily obtained while you enjoy your beverage via any of the popular search engines. Go to http://www.sec.gov and rummage through the documents found on their website. Collectively, these files provide an extensive correspondence course on document preparation and government lingo, complete with a treasure trove of names, telephone numbers, and email addresses (their website, by the way, offers a very nice graphic of that agency's official seal). A quick search of the Usenet archives will reveal to whom people at the SEC are talking and what they are talking about. If virus writers can consistently dupe people into clicking on e-mail attachments from unknown sources with grammatically incorrect, nonsensical subject lines, how hard do you think it would be to trick someone into doing this if they were to receive an e-mail message from somebody they "know" or who is trying to help them with a problem? I suppose it could take years for some techno-peasant to orchestrate a viable attack, but it is also true that almost any computer-literate kid with a little programming skill could easily cobble together some fairly sophisticated code designed to attack a specific target within a week or two; the anti-virus industry depends on this for its very survival. Simply stated, the resources needed to launch a successful attack against society are minimal and easily obtained by anyone with Internet access.

Many businesses, such as the airline industry, operate on tight margins. It does not take much to send them into a financial tailspin, and when they suffer, a lot of other industries suffer right along with them. Stock markets are extremely sensitive to mood swings. Even the most naive investor knows what happens to the stock of a company that comes under investigation by the Securities and Exchange Commission. One negative press release can send a company's stock plummeting within a matter of minutes. On the other hand, a stock can soar to dizzying heights based on nothing more than the mere illusion of some pending breakthrough in the treatment for cancer. Why bother to attack Wall Street's computers (which is illegal) when it is so much easier to manipulate its investors? If you think this is far-fetched or could not happen easily, think again; it already has. In one case, a young man by the name of Jonathan Lebed, aged 15, successfully influenced the stock market and made over 0,000 by simply posting poorly penned "expert" opinions of various stocks to the Internet. More importantly, he is not serving time; he is spending money. The social and political arena is perhaps even more volatile. A single inappropriate email or unintentional slip of the tongue has effectively destroyed more than one otherwise promising career.

The key to launching a successful attack is creativity (this is where the Naval War College, in my opinion, missed the boat entirely). Attacking hardware is not that difficult a task. Most modern BIOS chips use flash memory, thus enabling users to download and install updates across the Internet. It would not be too difficult for a competent assembly language programmer to create a virus that erased BIOS chips as it moved from system to system. Such an attack could leave millions of computers in a completely unusable state for a considerable period of time and would undoubtedly have catastrophic consequences for many of those affected. The overall economic impact caused by an attack of this type could be staggering.

Preventing this type of attack, however, is as easy as setting the BIOS write-protect switch on the system's motherboard. The question is, why would an attacker want to mess around with attacking hardware when manipulating people is so much easier? Destroying people's faith in the systems and institutions that affect their daily lives can be far more devastating than simply blowing up some building.

Writing a program that will monitor a workstation, generate an email message when a specific user logs on, and then self-destruct without leaving a trace immediately afterward is child's play. Such a program would not even need any special "permissions" or system-level access to run. More importantly, any subsequent investigation would be hard pressed to show that the sender was, in fact, a victim. Getting the email addresses for leaders within the business, government or political communities is also a fairly trivial task. Consider the consequences of an email from one politician to another expressing racist views two or three days before an election. How about a memo (complete with official seal) from the chairman of the SEC ordering an investigation into serious criminal conduct by the executives of a major corporation? There is also the possibility of a few emails sent between employees of a major airline expressing concern about the safety of their aircraft and a subsequent cover-up by management - something about wrongful death suits being cheaper than fixing the problem. How would it affect society if these things were happening at the rate of about one a week over a sustained period of time? What effect would it have on the economy? The only real problem, from the attacker's point of view, is getting the program to run on the targeted system. The only thing standing in his way, for the most part, is anti-virus software. Software that has proven itself over and over again to be completely ineffective when dealing with anything that it does not already "know" about. There are many ways to prevent an anonymous outsider from running malicious code on your systems. Anti-virus software is not one of them.

Lohkee!
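The essay's central claim is that signature-based anti-virus software can only recognize code its vendor has already seen, which leaves two gaps: the window between a virus appearing and its signature shipping, and code written for a single target that the vendor never receives. The following Python example is added here to make those gaps measurable; it is not part of Lohkee's essay and not any vendor's engine. It models a toy signature scanner whose signatures carry a ship date, runs it over constructed samples (a worm first seen before its signature existed, a one-byte variant of that worm, a targeted program, and a legitimate payroll binary), and places a default-deny hash allowlist beside it as one concrete instance of the "many ways" the essay mentions without naming; the allowlist is this example's own choice, not the author's. Every sample, signature pattern, hash and date is constructed for illustration.

```python
"""Added example, not part of Lohkee's essay: a toy signature scanner showing
the update window and the unknown-code gap the essay describes, beside a hash
allowlist (this example's own choice of control, not the author's). All
samples, signature patterns, hashes and dates are constructed."""
import hashlib
from datetime import date
from typing import Optional

# Constructed signature database: byte pattern and the day the vendor shipped it.
SIGNATURES = {
    "Constructed.Worm.A": (b"MAIL_ALL_CONTACTS", date(2003, 3, 10)),
    "Constructed.Worm.B": (b"ANOTHER_KNOWN_PATTERN", date(2003, 5, 2)),
}

# Constructed samples: file name -> (contents, day first seen in the wild).
SAMPLES = {
    # Spread for nine days before any signature for it existed.
    "worm_a.exe": (b"MZ..MAIL_ALL_CONTACTS..", date(2003, 3, 1)),
    # Same behaviour, one byte changed ('O' -> '0'): the pattern never matches.
    "worm_a_variant.exe": (b"MZ..MAIL_ALL_C0NTACTS..", date(2003, 3, 12)),
    # Written for one target; the vendor never receives a copy to sign.
    "targeted.exe": (b"MZ..ONE_MESSAGE_THEN_WIPE..", date(2003, 6, 1)),
    # The only program the organization actually intends to run.
    "payroll.exe": (b"MZ..LEGITIMATE_PAYROLL..", date(2003, 1, 5)),
}


def signature_scan(content: bytes, as_of: date) -> Optional[str]:
    """Return the name of a matching signature, using only signatures shipped
    on or before `as_of`; None is the scanner's verdict for unknown code."""
    for name, (pattern, shipped) in SIGNATURES.items():
        if shipped <= as_of and pattern in content:
            return name
    return None


def exposure_days(sample: str) -> Optional[int]:
    """Days between a sample's first appearance and the first day a signature
    would have caught it; None means no signature ever catches it."""
    content, first_seen = SAMPLES[sample]
    for _, (pattern, shipped) in SIGNATURES.items():
        if pattern in content:
            return max(0, (shipped - first_seen).days)
    return None


def sha256(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed allowlist: hashes of the binaries an administrator approved.
ALLOWED_HASHES = {sha256(SAMPLES["payroll.exe"][0])}


def allowlist_permits(content: bytes) -> bool:
    """Default-deny: only code whose hash was approved in advance may run,
    so unknown code is refused without anyone having to recognize it first."""
    return sha256(content) in ALLOWED_HASHES


def report() -> dict:
    """Per sample: detection on the day it appeared, detection with every
    signature ever shipped, the exposure window, and the allowlist decision."""
    latest = max(shipped for _, shipped in SIGNATURES.values())
    rows = {}
    for name, (content, first_seen) in SAMPLES.items():
        rows[name] = {
            "detected_when_it_appeared": signature_scan(content, first_seen) is not None,
            "detected_with_all_signatures": signature_scan(content, latest) is not None,
            "exposure_days": exposure_days(name),
            "allowed_to_run": allowlist_permits(content),
        }
    return rows


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:20} {row}")
```

Running the block shows the worm caught only after its nine-day window, the variant and the targeted program never caught by any signature, and the allowlist refusing all three while permitting the approved payroll binary; the allowlist's own weakness, that every legitimate update must be approved before it can run, is the administrative cost such a control trades for not depending on a vendor's foreknowledge.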