The following article was published in a local electronic mag at the
beginning of the year, and also posted onto the FidoNet virus echos. I am
posting it here as it has some relevance to the debate about good and bad
viruses.

                           Unarmed and Dangerous
                           =====================
                           (c) Ian Douglas  1994

There is a myth going around that, if a computer virus does not have a
payload, then it is not dangerous, and is in fact harmless. Some people
even refer to these as toys. I want to examine this in more detail, and
show why it is a myth, but we first need to do a short history of warfare.

Once upon a time, a long time ago, Og woke up to find Gonta playing rather
closely with Sheema, who was what we would call Og's wife. Og got rather
upset, and punched Gonta. Unfortunately Gonta was rather larger than Og,
and punched him back, knocking him out, before turning his attention once
again to Sheema.

When Og woke up, he made a plan. He went outside the cave, and climbed up
above it. When Gonta came out, Og dropped a large rock on Gonta's head,
killing him. And thus was born the principle of *long range violence* -
whereby a person can inflict violence on another with little or no danger
to themselves.

As time went by, improvements were made in the methodology - spears, bows
and arrows, catapults, guns, bombs, missiles. While most of these were used
in conventional warfare, a new breed of Ogs arose - the terrorist. They
use long range violence against innocent people, with little care about WHO
actually gets hurt. Their favourite tool is the time bomb.

Then came computers, and a new twist for the terrorists: computer viruses
and trojans.
                         ------------------------

The term 'virus writer' needs clarification.

There are three groups of people who might write viruses:
1) a computer scientist working for a company developing a new operating
system, and who has to test just how secure the operating system is.
2) a programmer working for the military, who has to develop programs
designed to knock out enemy computer systems. (Although I can't see HOW
they will (a) introduce it to the enemy systems; (b) expect it to remain
undetected; and (c) activate all copies at the same time (except by
time/date))

These two groups work in carefully controlled labs, and their creations do
not get out, and thus do not bother the rest of us. While people in both
these groups can be described as 'virus writers', they are not the cause of
the current computer virus problem.

3) the underground and people of similar mindset, who think it is 'cute',
'neat', 'k00l', 'fun', or whatever the current slang phrase is, to write
and distribute computer viruses and other rogue code (trojans, ansi bombs
etc). To avoid confusion when referring to this group as opposed to the
other two above, I have coined a new word - compterr (computer terrorist)
- to refer to such people. The plural is compterrs, not compterri.

                    ------------------------

Now, to the subject of the 'harmless' computer virus.
There are basically four types of computer viruses: file infectors, boot
record infectors, companion infectors, and FAT infectors. Let us look at
each of these in turn.

File infectors: assume that a 'harmless' file infector exists. It has no
payload, i.e. it has no code specifically written to do damage, like
formatting C:. It infects .com and .exe files perfectly - the host program
should always run after infection. Surely this virus is 'harmless'?

No.
(1) On a purely non-physical level, it is harmful in two ways:
Firstly, it is unethical to modify someone else's programs without
permission. Secondly, it destroys the trust that the user has in his
machine and the software on it. Now he is never sure if running a program
will result in a virus spreading or activating. Remember, the user does not
know that the virus has no payload. And even if he did, do you suppose that
he really wants all the files on his disk infected? The situation is that
people have more implicit trust in a $5 calculator than in a $2000
computer.

(2) On the physical level, there is also damage. Firstly, the virus has to
alter the code of the infected host, to ensure that the virus is executed.
Viruses usually change the beginning of the host to allow the virus code to
be executed first, before returning control to the host. So, the original
file is damaged. Even running an anti-virus repair program is unlikely to
restore the program to its original state.

(3) Then there are legal implications. Altering a program may be in
violation of copyright. It may also invalidate the warranty on a program.
Some programs which check themselves before running will refuse to run if
infected by a virus. The user is denied the use of the programs for which
he paid.

(4) Then there is the matter of trespassing. A hard disk is private property.
You decide what you want to store on it. A virus removes that choice from
you, and just invades.

(5) Consider the implications for a company which gives its clients
diskettes which have infected files on them. The client detects the virus. Now
do they still trust their supplier? A vital relationship has been damaged.

(6) The user has the inconvenience of checking every file and disk
that he receives, and the hassle of cleaning the virus off of his system.
This is wasteful of both time and money.

(7) Computer viruses waste disk space with useless code.

(8) Computer viruses slow the machine down with useless code.

(9) Memory resident viruses waste memory.

Some analogies to put the matter in perspective:
You have a letterbox. Every time you get a letter, you also get an invisible
letter with it. You remove the visible letter, but not the invisible
letter. Pretty soon, your letterbox is full of invisible letters, and there
is no space for your legitimate normal mail.

Or I come into your bedroom and spraypaint graffiti (Iron Maiden Rulez!)
all over the walls. According to the compterrs, I have not damaged your
walls - the original walls are still there, under the graffiti. Anyone
agree that the walls are not damaged? How about if the original of the Mona
Lisa was hanging on the wall at the time?

Or I come into your room, remove the blankets from your bed, place them
under your bed, and put a small black suitcase on your bed. The compterrs
say that the bed is not damaged, just rearranged. Time for you to go to
bed. How do you? You have no way of knowing if the suitcase contains
pressure-sensitive explosives or not. I have denied you access to your bed.

Some of the examples used about file damage also apply to the other forms
of virus infection.

Boot sector infectors: Assume that a perfect boot sector infector exists.
It does not matter whether it is a Main Boot Record (Partition Table) or
DOS Boot Record infector - the operation is similar. The virus will move
the original boot sector elsewhere, and insert itself where the boot sector
was. Let us assume that the virus is well written and does not accidentally
put the moved boot sector over the directory table or the FAT. Surely such
a virus is harmless?

No. See points (1), (4), (5), (6), (7), (8) and (9) above. In addition, the
boot sector is no longer where it should be. The user might do certain
operations assuming that it WAS still there, with disastrous consequences.
In addition, some Main Boot Record viruses use that part of the first
sector reserved for the partition table. If a user booted off a diskette,
his hard drive would be inaccessible to DOS. Also, most boot sector viruses
manage to wreck part of the FAT or directory tables on diskettes.

Analogy: I come into your room, move your bed out into the passageway, and
put a camping bed in its place. Now when you want to go to bed, you find
your bed is not what you thought it was.

Companion Virus infectors: These viruses create matching, usually hidden,
.com files with the same name as .exe files. The .com files contain the
virus code. Since DOS executes filename.com before filename.exe, the virus
gets executed first. Now assume that a perfect such virus exists, with no
malicious code. Is it harmless?

No. See points (1), (4), (5), (6), (7) and (8) above. In addition, this
method of infection wastes more disk space than normal file infectors,
since it creates new files. This clogs up the directory table with junk,
and, since viruses are usually short, leads to lots of small files. For
example, assume the virus is around 1000 bytes long, and your hard disk has
allocation units of 2048 bytes. This is the minimum amount of space that
DOS will allocate to a file, even if it is smaller. So for every copy of
the virus, around 1k is totally wasted space. Now if you had 100 infected
files on your hard disk... you lose 200k, half of which is empty.

Analogy: same as boot sector viruses.
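
An added example, not part of the original article: a defender's check for
the companion pattern described above, listing every .COM that shares a
directory and base name with an .EXE, with the allocation-unit slack each
one wastes. The 2048-byte unit is the article's figure; the function names
and the sample directory are constructed for illustration.

```python
import os
import tempfile

CLUSTER = 2048  # allocation unit from the article's example


def allocated(size, cluster=CLUSTER):
    """Bytes reserved on disk: size rounded up to whole allocation units."""
    return -(-size // cluster) * cluster


def find_companions(root, cluster=CLUSTER):
    """List each .COM sharing a directory and base name with an .EXE."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = {}
        for name in files:
            stem, ext = os.path.splitext(name)
            by_stem.setdefault(stem.upper(), {})[ext.upper()] = name
        for stem in sorted(by_stem):
            exts = by_stem[stem]
            # A pair is a lead for review, not a verdict: DOS runs the .COM first.
            if ".COM" in exts and ".EXE" in exts:
                st = os.stat(os.path.join(dirpath, exts[".COM"]))
                findings.append({
                    "com": exts[".COM"],
                    "shadows": exts[".EXE"],
                    "size": st.st_size,
                    "slack": allocated(st.st_size, cluster) - st.st_size,
                    # Hidden bit (0x02) is only exposed on Windows; False elsewhere.
                    "hidden": bool(getattr(st, "st_file_attributes", 0) & 0x02),
                })
    return findings


def demo():
    """Scan a constructed directory: two shadowed programs, one lone .COM."""
    sample = {"EDIT.EXE": 5000, "EDIT.COM": 1000, "game.exe": 9000,
              "GAME.com": 1000, "FORMAT.COM": 3000}  # constructed sizes
    with tempfile.TemporaryDirectory() as root:
        for name, size in sample.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\0" * size)
        return find_companions(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```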

File Allocation Table / Directory infectors: These are a variant of
companion infectors. The difference is that instead of using DOS to execute
the virus, the virus creates a copy of itself, and alters the pointers to a
real executable to point to the virus instead. So when you execute
filename.exe, you actually execute the virus, which replicates, and then
passes control to filename.exe.

Again, assume such a perfect virus exists. Is it harmless?

No. All points raised in the discussion about companion infectors also
apply. Worse, cleaning up such a virus is often a nightmare, and can result
in major data loss. This is because the virus manipulates the FAT directly,
totally destroying what was there before.

Conclusion: there is no such thing as a 'harmless' virus.

The second bottom line: Viruses destroy time.

Users have to waste time checking all files and disks, and cleaning up
after an infection. Remember too that time costs money...

The bottom line: Viruses destroy money.

Users are forced into taking expensive security measures, which cost
money: the cost of the product, the cost of obtaining the product, cost of
training, cost of cleaning up after an infection, cost of liability
insurance. This money could have been put to more productive use. The cost
is recovered by increasing the price of goods and services to the consumer.
In the end, the consumer in the street (YOU!) ends up paying for the virus
problem...

Cheers, Ian

